hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
21,517 Commits 1,671 Branches 157 Tags
sauyon/java-spring-stringutils
Commit Graph

101 Commits

Author SHA1 Message Date
Tom Hvitved
d4ce42ac4f Merge pull request #5416 from hvitved/csharp/rework-summaries 
C#: Rework flow summary implementation
 2021-03-26 09:47:15 +01:00
Tom Hvitved
b94c189946 C#: Remove VulnerablePackage.ql query 2021-03-25 09:50:24 +01:00
Tom Hvitved
6d6150d051 C#: Change some data-flow toString()s 2021-03-23 16:42:58 +01:00
Tamas Vajk
3e0245a7fc Fix test case for RuntimeChecksBypass 2021-03-04 12:47:21 +01:00
Tamas Vajk
cb4ed90c5c Fix failing tests 2021-03-03 16:58:48 +01:00
Tom Hvitved
d53faa86dc C#: Restrict FormatInvalid.ql and UncontrolledFormatString.ql to calls with insertions 2020-12-18 10:53:11 +01:00
Tom Hvitved
6a55a22f18 Merge pull request #4781 from hvitved/csharp/persisten-cookie-tests 
C#: Add tests for `PersistentCookie.ql`
 2020-12-07 11:37:16 +01:00
Tom Hvitved
5d73566859 C#: Add tests for PersistentCookie.ql 2020-12-04 17:14:00 +01:00
Tamas Vajk
d55fbc8a05 Add test cases for safe API calls 2020-12-04 13:26:53 +01:00
Tamas Vajk
24670160c2 Address code review findings 2020-12-04 13:26:53 +01:00
Tamas Vajk
cd5c1f06ee C#: Add queries to check untrusted data flow to external APIs 2020-12-04 13:26:53 +01:00
Tom Hvitved
5d1a5920c7 C#: Reimplement flow-summary compilation 2020-10-14 14:15:34 +02:00
Faten Healy
c35a5d120a C#: Increasing required size of RSA key to 2048 2020-09-22 11:09:49 +02:00
Tom Hvitved
795c5784b0 C#: Precise data flow for collections 2020-06-26 13:40:05 +02:00
Tom Hvitved
54677189de C#: Introduce RemoteFlowSink class 2020-03-25 20:05:39 +01:00
Tom Hvitved
7ac25d2439 C#: Add more tests for cs/information-exposure-through-exception 2020-03-25 14:33:49 +01:00
Tom Hvitved
fc74a482a4 C#: More XPath injection sinks 2020-03-19 14:13:35 +01:00
Tom Hvitved
4b3cf72c1c C#: Teach XPath injection query about XPathNavigator 2020-03-19 13:38:16 +01:00
Tom Hvitved
7f0181ccff C#: Add XPathNavigator test for cs/xml/xpath-injection 2020-03-19 13:37:03 +01:00
Tom Hvitved
78380f5d59 Merge pull request #2658 from calumgrant/cs/serialization-check-bypass-type 
C#: Fix cs/serialization-check-bypass
 2020-02-12 10:26:01 +01:00
Calum Grant
803cb3f4d1 C#: Address review comment 
- Flow from expressions with a value is excluded.
 2020-02-10 16:02:29 +00:00
Calum Grant
7caae01ad1 C#: Exclude fields that are created 2020-01-29 15:47:12 +00:00
Calum Grant
3d460aeb44 C#: ZipSlip query reports alert at source 2020-01-21 15:17:06 +00:00
Calum Grant
41b4d70504 C#: Refactor, improve documentation and add tests for cs/serialization-check-bypass 2020-01-03 18:46:39 +00:00
Tom Hvitved
abcb6b8aab C#: Type-based pruning for data flow 2019-12-10 15:48:48 +01:00
Tom Hvitved
78ddb37a8c C#: Track type information in data flow 
This commit adds type information to data flow paths, by mapping node types onto
the smaller set of GVN types, and implementing `ppReprType()`.

The effect is a mere change in `DataFlow::PathNode::toString()`; no type-based
pruning is done yet.
 2019-12-10 15:46:28 +01:00
Calum Grant
59ce8842bb Merge branch 'master' of git.semmle.com:Semmle/ql into ASPNetPagesValidateRequest 
# Conflicts:
#	change-notes/1.24/analysis-csharp.md
 2019-12-05 15:58:47 +00:00
Calum Grant
30a2620a8c C#: Tidy up docs, query metadata and add tests. 2019-11-29 10:31:58 +00:00
Calum Grant
d001c3c2d2 C#: Restructure files. 2019-11-27 17:29:53 +00:00
Calum Grant
c906a8238d C#: Edit qhelp for cs/insecure-request-validation-mode 2019-11-27 16:37:37 +00:00
Tom Hvitved
795959ef8d C#: Update expected test output 2019-11-25 13:41:12 +01:00
Paulino Calderon
85eda8c978 Brings security tests from other PRs 2019-11-19 13:04:19 -05:00
Tom Hvitved
46bc804562 Merge pull request #2286 from calumgrant/cs/windows-tests 
C#: Make qltests pass on all platforms
 2019-11-13 16:21:08 +01:00
Calum Grant
d64c244257 C#: Fix test for AspLine. 2019-11-08 15:48:56 +00:00
Tom Hvitved
eb990525d7 C#: Add precision tags to UnsafeDeserialization[UntrustedInput].ql 2019-10-28 14:19:40 +01:00
Tom Hvitved
4ac32c4b12 C#: Fix more tests 2019-10-24 13:00:14 +02:00
Geoffrey White
0427b1eb3f C#: Fix more tests. 2019-10-23 18:20:44 +01:00
Raul Garcia (MSFT)
cb8dcf7db2 Publishing queries to the OSS Semmle repository 2019-10-22 09:55:39 +01:00
Tom Hvitved
09e4e7901a C#: Update expected test output 2019-09-18 13:36:15 +02:00
Anders Schack-Mulligen
6299625b3d C#: Adjust qltest expected output. 2019-09-12 11:00:49 +02:00
Tom Hvitved
c5d9d74c0a C#: Nested field flow 2019-08-23 09:25:05 +02:00
Tom Hvitved
6749bbd438 C#: Make use of extra data flow copies 2019-08-07 10:41:43 +02:00
Tom Hvitved
b7d6165d42 C#: Convert cs/web/xss to a path-problem 2019-08-01 15:58:57 -07:00
Tom Hvitved
949b3601d0 C#: Address review comments 2019-05-15 14:10:42 +02:00
Tom Hvitved
c6a471e4b6 C#: Adopt shared data flow implementation 
- General refactoring to fit with the shared data flow implementation.
- Move CFG splitting logic into `ControlFlowReachability.qll`.
- Replace `isAdditionalFlowStepIntoCall()` with `TaintedParameterNode`.
- Redefine `ReturnNode` to be the actual values that are returned, which should
  yield better path information.
- No longer consider overrides in CIL calls.
 2019-05-06 14:54:11 +02:00
Tom Hvitved
b48576d7b9 C#: Address review comments 2019-03-10 15:45:31 +01:00
Tom Hvitved
8959d528a1 Merge remote-tracking branch 'upstream/rc/1.20' into csharp/dataflow/performance 2019-03-10 15:07:18 +01:00
Tom Hvitved
e6f7632d4c C#: Introduce data flow return nodes 
Before this change,

```
flowOutOfCallableStep(CallNode call, ReturnNode ret, OutNode out, CallContext cc)
```

would compute all combinations of call sites `call` and returned expressions `ret`
up front.

Now, we instead introduce explicit return nodes, so each callable has exactly
one return node (as well as one for each `out`/`ref` parameter). There is then
local flow from a returned expression to the relevant return node, and
`flowOutOfCallableStep()` computes combinations of call sites and return nodes.

Not only does this result in better performance, it also makes `flowOutOfCallableStep()`
symmetric to `flowIntoCallableStep()`, where each argument is mapped to a parameter,
and not to all reads of that parameter.
 2019-03-07 12:16:06 +01:00
Tom Hvitved
440809623b C#: Fix whitespaces 2019-03-06 08:15:46 +01:00
calum
15341965e0 C#: Update cs/use-of-vulnerable-package to detect CVE-2019-0657 2019-02-21 11:48:48 +00:00