hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,894 Commits 1,672 Branches 157 Tags
tausbn/python-add-support-for-template-string-literals
Commit Graph

992 Commits

Author SHA1 Message Date
Owen Mansel-Chan
b2a9cecd69 Fix Allocation Size Overflow for use-use flow 
We have an operator expression like `x * 5`. We want to follow where the
value of the operator expression goes. We used to follow local flow from
an operand, but now there is flow from that operand to the next use of
the variable. The fix is to explicitly start local flow from the
operator expression.

There are also some expected edge changes due to use-use flow.
 2025-10-01 16:12:18 +01:00
Owen Mansel-Chan
16a11b48ad Switch to use-use dataflow. This will make post-update nodes easy to implement. 
Queries / tests that required changes:
* The CleartextLogging and MissingErrorCheck queries are updated because they assumed def-use flow
* The CommandInjection query works around the shortcomings of use-use flow by essentially reintroducing def-use flow when it applies a sanitizer
* The OpenUrlRedirect query currently just accepts its fate; the tests are updated to avoid excess sanitization while the query comments on the problem. We should choose this approach or the CommandInjection one.
 2025-10-01 16:12:07 +01:00
Owen Mansel-Chan
ff3d795a8f Merge pull request #20556 from owen-mc/go/test/safeurlflow 
Go: Add tests for SafeUrlFlow, and fix a latent bug
 2025-10-01 15:05:55 +01:00
Owen Mansel-Chan
8983ac9212 Phrase test in terms of safe URLs 2025-10-01 14:13:15 +01:00
Owen Mansel-Chan
c93852d87a Improve comments in test file 2025-10-01 11:01:58 +01:00
Owen Mansel-Chan
a2a9575587 Add tests for safe URL flow 2025-09-30 15:05:42 +01:00
Chris Smowton
e9cccb46c0 Go: mistyped-exponentiation: notice constants with likely-bitmask values 2025-09-25 15:19:40 +01:00
Owen Mansel-Chan
d9e7c89af0 Add indirect method calls 2025-09-11 11:31:28 +01:00
Owen Mansel-Chan
84e70e166e Add direct method calls 2025-09-11 11:27:56 +01:00
Owen Mansel-Chan
fa18fd2782 Add method defs 2025-09-11 11:24:53 +01:00
Owen Mansel-Chan
cbbf7c2578 Include pre-update node in output 2025-09-11 11:22:17 +01:00
Arthur Baars
5d3ec35e29 Remove non-breaking spaces from code 2025-09-05 09:41:15 +02:00
Owen Mansel-Chan
2a45b28e5f Merge pull request #20064 from Kwstubbs/go-path-separator 
Update Go Path Injection Sanitizer and Sink
 2025-09-03 16:45:15 +01:00
Kevin Stubbings
b4b848a25c Fix tests and simplify sanitizer 2025-07-21 21:53:35 +00:00
Kevin Stubbings
f86152d3bd Add sanitizer changes and fix test 2025-07-16 21:27:33 +00:00
Kevin Stubbings
504ae0f35a Update go path sanitizers and sinks 2025-07-16 06:12:45 +00:00
Chris Smowton
c8eefb7c5c Golang: Mark filepath.IsLocal as a tainted-path sanitizer guard 2025-07-15 14:47:17 +01:00
Owen Mansel-Chan
990043ce86 Add net/http.Head and net/http.Client.Head as client requests 
They were previously deliberately excluded.
 2025-07-08 14:31:48 +01:00
Owen Mansel-Chan
d437a096f1 Test more client request URL sinks 2025-07-08 13:20:04 +01:00
Owen Mansel-Chan
0788a90d88 Convert RequestForgery test to inline expectations 2025-07-04 16:56:05 +01:00
Owen Mansel-Chan
d10b9e665c Fix linter warnings in Request Forgery tests 2025-07-04 16:55:09 +01:00
Owen Mansel-Chan
0f07ab58cf Merge pull request #19654 from owen-mc/go/fix-definedtype-getbasetype 
Go: fix `DefinedType.getBaseType`
 2025-06-26 00:19:19 +01:00
Owen Mansel-Chan
d7b1d7bef4 Merge pull request #19677 from owen-mc/go/better-class-names-and-helpers 
Go: Improve two class names and add some helper predicates
 2025-06-26 00:17:32 +01:00
Nora Dimitrijević
cf92b0e91b Go: convert IncorrectIntegerConversion test to .qlref 2025-06-24 14:57:48 +02:00
Nora Dimitrijević
76a3306c63 Go: convert UncontrolledAllocationSize test to .qlref 2025-06-24 14:57:44 +02:00
Owen Mansel-Chan
ef5e605cc4 Merge pull request #19386 from owen-mc/go/promote/html-template-escaping-bypass-xss 
Go: promote `html-template-escaping-bypass-xss`
 2025-06-06 12:36:27 +01:00
Owen Mansel-Chan
75d9b298b2 Test helper predicates for TypeSpec 2025-06-05 10:52:01 +01:00
Owen Mansel-Chan
8b9cc99158 Test helper predicates for FieldDecl 2025-06-05 10:35:34 +01:00
Owen Mansel-Chan
e7e4286233 Merge pull request #19561 from owen-mc/go/mad/bigquery-sql-injection-sink 
Go: Add BigQuery as a sink for SQLi queries #2
 2025-06-04 11:36:18 +01:00
Owen Mansel-Chan
b2f310cda7 Add change note 2025-06-03 15:36:03 +01:00
Owen Mansel-Chan
4711feb344 Add test for DefinedType.getBaseType 2025-06-03 14:50:05 +01:00
Owen Mansel-Chan
681f9af710 Fix MethodTypes test 2025-06-03 14:50:00 +01:00
Owen Mansel-Chan
164cfaf3e7 Merge pull request #19532 from owen-mc/go/make-test-version-independent 
Go: Make type param test independent of standard library version
 2025-05-28 11:30:13 +01:00
Owen Mansel-Chan
66bbaf2dc8 Add tests for cloud.google.com/go/bigquery.Client.Query 2025-05-22 15:16:12 +01:00
Owen Mansel-Chan
d39e7c2066 Added named import to definitions test 
This makes the test slightly more thorough.
 2025-05-20 13:13:21 +01:00
Owen Mansel-Chan
f6f6a5ccc6 Only list type params in test files 
This will make the test results not depend on the version of the
standard library being used, which means we don't have to update it with
each new release.
 2025-05-20 02:25:24 +01:00
Owen Mansel-Chan
7da1ade835 Add tests for extracting tuples in f(g(...)) 2025-05-13 15:54:05 +01:00
Owen Mansel-Chan
b06491125e Expand test for Extract Tuple Instruction 2025-05-13 15:48:29 +01:00
Owen Mansel-Chan
e6c19b0cbd Modernize tests 2025-05-01 15:40:14 +01:00
Owen Mansel-Chan
cba0bec3c6 Rename files 2025-05-01 15:40:12 +01:00
Owen Mansel-Chan
cbdbb0310b Tidy up test (remove duplicated main) 2025-05-01 15:40:06 +01:00
Owen Mansel-Chan
4e5a865337 Manually fix copilot's mistakes and get query working 2025-05-01 15:40:04 +01:00
Owen Mansel-Chan
c2ebdf5266 Change query id to go/html-template-escaping-bypass-xss 2025-05-01 15:39:20 +01:00
Owen Mansel-Chan
1926ffd450 Convert XSS tests to use inline expectations 2025-05-01 15:39:19 +01:00
Owen Mansel-Chan
1530ac123c Update path in qlref and update test results 2025-05-01 15:39:17 +01:00
Owen Mansel-Chan
5bce70f78c Move files out of experimental (no changes) 2025-05-01 15:39:15 +01:00
Owen Mansel-Chan
b6053e3f91 Merge pull request #19076 from owen-mc/go/update-depstubber-files 
Go: update files generated by depstubber
 2025-04-09 11:44:20 +01:00
Owen Mansel-Chan
ecd09edf64 Add stubs for gogf/gf and uptrace/bun 2025-04-02 14:17:40 +01:00
Owen Mansel-Chan
1687042c3b Add Bun models and tests 2025-04-02 14:17:39 +01:00
Owen Mansel-Chan
ddb7da4c13 Add gogf models and tests 2025-04-02 14:17:37 +01:00