hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-25 13:16:33 +01:00
Code Issues Packages Projects Releases Wiki Activity
26,405 Commits 1,673 Branches 157 Tags
remove-javascript
Commit Graph

26405 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Anders Schack-Mulligen
605f28f741 Merge pull request #5686 from smowton/haby0/JsonHijacking 
Java: JSONP Injection w/cleanups
 2021-04-16 11:09:17 +02:00
Tom Hvitved
946fcf1c82 C#: Speedup DispatchMethodOrAccessorCall::getAViableOverrider() 
In addition to improved performance, the analysis no longer applies a closed-world
assumption to type parameters. That is, if the type of a receiver is a type parameter,
then the call may target any method of a compatible receiver type, not just the
types that actually instantiate the type parameter.
 2021-04-16 10:43:17 +02:00
Tamas Vajk
b0975bb3ea Update supported C#/.NET versions 2021-04-16 09:15:43 +02:00
Rasmus Lerchedahl Petersen
a8280f9b12 Python: update test expectation 2021-04-16 08:25:29 +02:00
Rasmus Lerchedahl Petersen
0678745677 Python: refactor based on review suggestion 2021-04-16 08:22:00 +02:00
Rasmus Lerchedahl Petersen
341dbcef2e Python: simplify code following review suggestion 
also standardise on camelCase.
 2021-04-16 07:41:00 +02:00
Rasmus Lerchedahl Petersen
8aa6b1a87c Python: use standard tracking construction 2021-04-16 07:36:04 +02:00
Taus
451d36dc97 Python: Allow _some_ PostUpdateNodes 
Specifically, allow the ones arising from calls, but not reads or
writes. This should fix the tests.
 2021-04-15 21:26:12 +00:00
edvraa
a412581556 reintroduce UnsafeDeserializer 2021-04-15 22:32:42 +03:00
thank_you
a854fb8f8b Add documentation and refactor code 2021-04-15 15:22:15 -04:00
edvraa
3aedd2c1f4 Use TaintTracking2 2021-04-15 22:12:01 +03:00
Taus
c9c8259ed0 Python: Disallow PostUpdateNode as LocalSourceNode 
Previously, in cases like

```python
def foo(x):
    x.bar()
    x.baz()
    x.quux()
```

we would have flow from the first `x` to each use _and_ flow from the
post-update node for each method call to each subsequent use, and all
of these would be `LocalSourceNode`s. For large functions with the above
pattern, this would lead to a quadratic blowup in `hasLocalSource`.

With this commit, only the first of these will count as a
`LocalSourceNode`, and the blowup disappears.
 2021-04-15 17:56:14 +00:00
Andrew Eisenberg
5d827b6fc8 Actions: Change staleness calculation 
Calculate staleness on issues that have the
`Stale` label. Leave all other issues untouched.
 2021-04-15 10:14:13 -07:00
Rasmus Wriedt Larsen
3e7dc12246 Python: Port taint tests to use inline expectations 
The meat of this PR is described in the new python/ql/test/experimental/meta/InlineTaintTest.qll file:

> Defines a InlineExpectationsTest for checking whether any arguments in
> `ensure_tainted` and `ensure_not_tainted` calls are tainted.
>
> Also defines query predicates to ensure that:
> - if any arguments to `ensure_not_tainted` are tainted, their annotation is marked with `SPURIOUS`.
> - if any arguments to `ensure_tainted` are not tainted, their annotation is marked with `MISSING`.
>
> The functionality of this module is tested in `ql/test/experimental/meta/inline-taint-test-demo`.
 2021-04-15 18:00:33 +02:00
Chris Smowton
c37994089c Revert changes to unrelated query 2021-04-15 16:24:29 +01:00
Chris Smowton
254de76078 Remove unnecessary stubs 2021-04-15 16:20:27 +01:00
haby0
dedf765542 Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-15 22:59:22 +08:00
Rasmus Lerchedahl Petersen
42ae5f4f7d Python: support / from the right 
Will also support both operands being paths
 2021-04-15 16:07:35 +02:00
edvraa
773556e5e0 Use hasFlow where path is not needed 2021-04-15 16:27:09 +03:00
edvraa
1581a27d3d Simplify getTarget check 2021-04-15 16:24:36 +03:00
Rasmus Wriedt Larsen
b359205d17 Python: Add taint tests for .get() in flask 2021-04-15 14:53:44 +02:00
CodeQL CI
578ce1e512 Merge pull request #5683 from asgerf/js/typescript-template-literal-type-crash 
Approved by erik-krogh
 2021-04-15 05:11:11 -07:00
Mathias Vorreiter Pedersen
7fbc62358e C++: Accept test changes after making the exprMightOverFlow predicates more sound. 2021-04-15 13:57:44 +02:00
haby0
0e183ab4a4 Finish comment 2021-04-15 19:49:06 +08:00
Chris Smowton
fa36ba901a Merge pull request #5471 from artem-smotrakov/el-injection 
Java: Query for detecting Jakarta Expression Language injections
 2021-04-15 12:39:34 +01:00
haby0
d269a7e717 CWE-598 reduction 2021-04-15 19:33:15 +08:00
haby0
216f204438 delete FilterClass 2021-04-15 19:28:25 +08:00
haby0
583d0889e2 delete tomcat-embed-core stub, update the ServletGetMethod class 2021-04-15 17:40:51 +08:00
haby0
5d05e4d224 Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-15 17:28:53 +08:00
Tom Hvitved
0f24db8759 C#: Improve performance of SsaImpl::CallGraph::SimpleDelegateAnalysis 2021-04-15 11:25:27 +02:00
Asger Feldthaus
f8570bb293 JS: Update TRAP 2021-04-15 10:16:46 +01:00
Rasmus Lerchedahl Petersen
d361d999b7 Python: add some path returning functions 
that were only listed as file sytem accesses.
 2021-04-15 10:55:09 +02:00
Rasmus Lerchedahl Petersen
02e41d8018 Python: update annotations 
This because `resolve` accesses the file system,
I am open to not include that fact in the modelling.
 2021-04-15 10:49:22 +02:00
Rasmus Lerchedahl Petersen
3eb1813584 Python: update test expectations 2021-04-15 10:47:49 +02:00
Asger Feldthaus
cb736c8c82 JS: Change note 2021-04-15 09:37:57 +01:00
Tom Hvitved
972cc47f67 Merge pull request #5673 from hvitved/csharp/customizations 
C#: Add `Customizations.qll`
 2021-04-15 10:24:29 +02:00
Asger Feldthaus
b4a2a9db25 JS: Fix extraction of non-substitution template literal types 2021-04-15 09:23:45 +01:00
Chris Smowton
bd3b3178ba Fix documentation of Modifier.qll 2021-04-15 09:16:51 +01:00
Rasmus Lerchedahl Petersen
c9b2c7885e Python: add changenote 2021-04-15 10:14:35 +02:00
Rasmus Lerchedahl Petersen
52a9040d73 Python update tests 2021-04-15 09:46:53 +02:00
Rasmus Lerchedahl Petersen
2387dc640c Python: Attempts at modelling pathlib-Paths 2021-04-15 09:40:23 +02:00
Rasmus Lerchedahl Petersen
8489403051 Python: Add some tests for pathlib 2021-04-15 09:40:23 +02:00
haby0
b3bdf89fc2 rm VerificationMethodFlowConfig, use springframework-5.2.3 stub 2021-04-15 10:25:40 +08:00
Thank You
f1e71e21ed Add SqlAlchemy module 2021-04-14 22:00:25 -04:00
CodeQL CI
4be183c7f6 Merge pull request #5675 from erik-krogh/libXss 
Approved by esbena
 2021-04-14 14:34:23 -07:00
edvraa
b027fddc7e Remove redundant check 2021-04-15 00:14:09 +03:00
edvraa
3a9d1f46fd Hide implementation details 2021-04-15 00:09:19 +03:00
edvraa
a4fd70aa3d Use don't care expression 2021-04-14 23:35:38 +03:00
ihsinme
b30ae3980c Update InsufficientControlFlowManagementAfterRefactoringTheCode.ql 2021-04-14 20:48:20 +03:00
Robert Marsh
fe57876fd8 Merge pull request #5643 from dbartol/smart-pointers/side-effect-refactor 
C++: Refactor some side effect generation code
 2021-04-14 09:59:41 -07:00