Robert Marsh
d6fd83dd6c
C++: move resolveCall to its own file for perf
...
This avoids a performance issue in DataFlowImpl::localFlowStep when the
DataFlow::Configuration subclasses in DefaultTaintTracking are active
in the same query as other Configuration
subclasses.
ResolveCall.qll is kept internal for the moment.
2021-09-21 16:32:09 -07:00
ihsinme
88a257fcdc
Apply suggestions from code review
...
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com >
2021-09-21 20:32:08 +03:00
Robert Marsh
d62f76afa6
Merge pull request #6133 from MathiasVP/promote-sql-pqxx
...
C++: Promote `cpp/sql-injection-via-pqxx` out of experimental
2021-09-21 10:13:57 -07:00
Robert Marsh
97c2917c16
Merge pull request #6409 from JordyZomer/main
...
cpp: Add query to detect unsigned integer to signed integer conversio…
2021-09-21 09:57:44 -07:00
Mathias Vorreiter Pedersen
478093aa89
Update cpp/ql/lib/semmle/code/cpp/models/interfaces/Sql.qll
...
Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com >
2021-09-21 17:51:24 +01:00
Mathias Vorreiter Pedersen
bd5edc7ae5
Respond to review comments.
2021-09-21 14:29:26 +01:00
Mathias Vorreiter Pedersen
dfe932d053
Add missing conjunct in PostgreSqlEscapeFunction's 'escapesSqlArgument' predicate.
2021-09-21 12:14:45 +01:00
Anders Schack-Mulligen
044623a360
Dataflow: Sync.
2021-09-20 14:58:28 +02:00
Mathias Vorreiter Pedersen
797966fd3d
C++: Change the names of the new classes and predicates to match the upcoming 'CommandExecutionFunction' class.
2021-09-20 11:49:09 +01:00
Robert Marsh
a9add04ee3
C++: remove unneed import
2021-09-17 12:17:06 -07:00
Robert Marsh
d3d708bc68
C++: QLDoc for CommandExecution model
2021-09-17 12:16:20 -07:00
Geoffrey White
e7c82d7370
C++: Accept subpaths in tests.
2021-09-17 16:14:24 +01:00
Geoffrey White
24668b2281
Merge branch 'main' into cwe139
2021-09-17 16:04:51 +01:00
Geoffrey White
51243454c8
C++: Change note.
2021-09-17 15:10:55 +01:00
Geoffrey White
90bc138049
CPP: Fix QLDoc comments.
2021-09-17 14:12:04 +01:00
Geoffrey White
a3de94e868
C++: Assign precision and severity; medium for now, since there are FPs in SAMATE Juliet.
2021-09-17 10:05:06 +01:00
ihsinme
b6bcf9fa44
Add files via upload
2021-09-16 19:18:19 +03:00
ihsinme
b393c6a285
Add files via upload
2021-09-16 19:16:54 +03:00
Anders Schack-Mulligen
236ffc8972
Merge pull request #6700 from aschackmull/dataflow/subpaths-joinorder
...
Dataflow: Fix bad joinorder in subpaths
2021-09-16 08:22:59 +02:00
Robert Marsh
c85cc1455b
C++: accept changes to new ExecTainted test
2021-09-15 11:27:13 -07:00
Robert Marsh
a3e1f54e33
C++: Refactor models to prevent IR reevaluation
2021-09-15 10:55:56 -07:00
Robert Marsh
509a3493b6
C++: support new subpaths predicate in ExecTainted
2021-09-15 10:55:56 -07:00
Robert Marsh
09ef8f639e
C++: Improve performance by restricting isSource
2021-09-15 10:55:55 -07:00
Robert Marsh
83cc098412
C++: accept test output
2021-09-15 10:55:55 -07:00
Robert Marsh
3cd08bc724
C++: autoformat Printf.qll
2021-09-15 10:55:55 -07:00
Robert Marsh
fe1f9878ba
C++: add GVN import to fix reevaluation
2021-09-15 10:55:54 -07:00
Robert Marsh
e874fbbea2
C++: Add path stitching in ExecTainted.ql
2021-09-15 10:55:54 -07:00
Robert Marsh
5dc6e13ab5
C++: use TaintTracking2 in ExecTainted.ql
2021-09-15 10:55:53 -07:00
Robert Marsh
4d2036fa26
C++: change note for cpp/command-line-injection
2021-09-15 10:55:53 -07:00
Robert Marsh
c30e7ec41a
C++: raise precision of cpp/command-line-injection
2021-09-15 10:55:53 -07:00
Robert Marsh
181eb803e1
C++: Add QLDoc for getOutputArgument
2021-09-15 10:55:52 -07:00
Robert Marsh
37c92178a5
C++: exclude int/string conversion in ExecTainted
2021-09-15 10:55:52 -07:00
Robert Marsh
5e265f45e1
C++: ExecTainted tests for int/string conversions
2021-09-15 10:55:51 -07:00
Robert Marsh
9926892c8a
C++: remove debugging predicates
2021-09-15 10:55:51 -07:00
Robert Marsh
9c478c502e
C++: add some more tests for ExecTainted
2021-09-15 10:55:50 -07:00
Robert Marsh
562c8b97ad
C++: add comment explaining concatenation logic
2021-09-15 10:55:50 -07:00
Robert Marsh
6f408f949c
C++: Refactor ExecTainted.ql to need concatenation
...
This makes ExecTainted report results only when the tainted value does
not become the start of the string which is eventually run as a shell
command. The theory is that those cases are likely to be deliberate, and
part of the expected threat model of the program (e.g. $CC in make).
This lines up better with the results I considered fixable true
positives in LGTM testing
2021-09-15 10:55:49 -07:00
Robert Marsh
8f4df8603a
C++: more tests for command injection
2021-09-15 10:55:49 -07:00
Nick Rolfe
f76ce8b33b
Merge pull request #6686 from hvitved/cpp/files-folders-drop-columns
...
C++: Drop redundant columns from `files` and `folders` relations
2021-09-15 18:33:20 +01:00
Mathias Vorreiter Pedersen
33ef634ea8
Merge pull request #6679 from andersfugmann/relax_memberMayBeVarSize
...
Improve precision on OverflowStatic query.
2021-09-15 17:24:10 +01:00
Anders Schack-Mulligen
c0fd44c909
Dataflow: Sync.
2021-09-15 16:10:54 +02:00
Geoffrey White
c4714b55a3
Merge pull request #6588 from ihsinme/ihsinme-patch-069
...
CPP: Add query for CWE-675: Duplicate Operations on Resource
2021-09-15 15:10:03 +01:00
Jonas Jensen
65f4ec403f
Merge pull request #6593 from geoffw0/samate-move
...
C++: Add test cases with SAMATE Juliet code snippets to the codeql test suite.
2021-09-15 14:18:08 +02:00
Mathias Vorreiter Pedersen
947ab8a14d
Make the QLDoc on 'getAnSqlParameter' more clear.
2021-09-15 13:15:05 +01:00
Geoffrey White
0e7afb24cf
Merge pull request #6643 from MathiasVP/add-frontend-and-extractor-diagnostic-query
...
C++: Add uninterpreted query for obtaining frontend and extraction time
2021-09-15 11:17:58 +01:00
Geoffrey White
9ad51fbc02
C++: Fix the correct test this time.
2021-09-15 11:03:09 +01:00
Jordy Zomer
0f6e845418
Merge branch 'main' of https://github.com/JordyZomer/codeql into main
2021-09-15 10:41:31 +02:00
Jordy Zomer
01a06d1f5c
Add filter and format the query
2021-09-15 10:37:40 +02:00
Anders Fugmann
e49cd83868
C++: update change note per suggestion from peer review
2021-09-15 10:31:15 +02:00
Geoffrey White
8fd848701e
C++: Fix test failure.
2021-09-14 16:38:11 +01:00
