hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
29,908 Commits 1,671 Branches 157 Tags
z80coder/ATM-feature-optimisation
Commit Graph

4539 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
e05d6e71b8 Merge pull request #6064 from tausbn/python-add-get-method-call 
Python: Add `getAMethodCall` to `LocalSourceNode`
 2021-06-22 11:16:39 +02:00
Taus
ba6ab8ff3d Python: Expand __main__.py comment 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-06-21 18:14:03 +02:00
Taus
768cab3642 Python: Address review comments 
- changes `getReceiver` to `getObject`
- fixes `calls` to avoid unwanted cross-talk
- adds some more documentation to highlight the above issue
 2021-06-21 14:57:19 +00:00
Rasmus Wriedt Larsen
1c48aca630 Merge branch 'main' into jmespath 2021-06-21 15:26:45 +02:00
CodeQL CI
565af1a879 Merge pull request #6071 from RasmusWL/fix-input-cwe 
Approved by calumgrant, tausbn
 2021-06-21 06:23:18 -07:00
Rasmus Wriedt Larsen
a7170bedb6 Python: Mention modeling of mysqlclient PyPI package 
Just for completeness in terms of what we claim support for.
 2021-06-21 15:20:08 +02:00
yoff
baf8d0a990 Merge pull request #6045 from RasmusWL/twisted 
Python: Model twisted
 2021-06-21 14:52:57 +02:00
Anders Schack-Mulligen
65ac8be5ac Java: Add defaultImplicitTaintRead and sync. 2021-06-21 14:42:47 +02:00
Anders Schack-Mulligen
80880320d5 Dataflow: Sync. 2021-06-21 14:42:47 +02:00
Anders Schack-Mulligen
9110dfaeb3 Merge pull request #6095 from hvitved/dataflow/local-cc-join 
Data flow: Fix `getLocalCallContext` join-order
 2021-06-21 12:53:38 +02:00
Rasmus Wriedt Larsen
d6ec4d30fc Python: Twisted refactor of getRequestParamIndex 2021-06-21 10:54:28 +02:00
Rasmus Wriedt Larsen
8208aebd7e Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-06-21 10:43:25 +02:00
jorgectf
b10ade17be Update HeaderDeclaration input naming 2021-06-20 00:13:59 +02:00
jorgectf
058ade4d8e Merge remote-tracking branch 'upstream/main' into jorgectf/python/jwt-queries 2021-06-18 22:21:38 +02:00
jorgectf
6565680dd6 Finish query 2021-06-18 22:16:39 +02:00
Taus
3aea270e10 Python: Autoformat 2021-06-18 18:30:27 +00:00
jorgectf
017a778a20 Polish make_response and fix extend argument 2021-06-18 20:21:11 +02:00
Taus
aeac03663f Python: Remove old ClickHouseDriver.qll 
The merge must've gone wrong some way, as this file is not supposed to
exist in `experimental` anymore.
 2021-06-18 17:41:09 +00:00
Taus
348b20ca9d Merge branch 'main' of https://github.com/github/codeql into python-a-few-minor-cleanups 2021-06-18 17:38:43 +00:00
Taus
9351688da8 Python: asCfgNode cleanup 2021-06-18 17:22:42 +00:00
Taus
c386f4a009 Python: Clean up py/insecure-protocol 
Going all the way to the AST layer seemed excessive to me, so I rewrote
it to do most of the logic at the data-flow layer. In principle this
_could_ result in more names being computed (due to splitting), but in
practice I don't expect this make a big difference.
 2021-06-18 17:22:42 +00:00
Taus
f24a9a46d9 Python: add getAnAttributeWrite 2021-06-18 17:22:42 +00:00
Taus
c78ba476cf Python: Clean up a few verbose casts 2021-06-18 17:22:42 +00:00
Calum Grant
32f6a465b0 Merge pull request #6080 from github/calumgrant/security-severities 
Update security-severity scores
 2021-06-18 09:40:40 +01:00
Tom Hvitved
eb86bceb4d Address review comments 2021-06-18 10:18:47 +02:00
jorgectf
eac5254a88 Resolve merge conflict 2021-06-18 02:12:49 +02:00
jorgectf
dcb1da338b Extend documentation 2021-06-18 02:03:56 +02:00
jorgectf
4963caf506 Rewrite frameworks modeling 2021-06-18 02:03:27 +02:00
jorgectf
066504e79e Checkout Stdlib.qll 2021-06-18 02:02:47 +02:00
jorgectf
1d7ddce8db Update .expected 2021-06-17 18:10:43 +02:00
jorgectf
9cbb7e0899 Change query objective 2021-06-17 17:53:58 +02:00
jorgectf
5704ac36db Rework LDAP framework modeling 2021-06-17 17:44:08 +02:00
jorgectf
13cfcec968 Change qhelp explanation 2021-06-17 17:43:34 +02:00
jorgectf
d34d2ed2b1 Add .qlref 2021-06-17 17:42:38 +02:00
jorgectf
eb16018446 Update .expected 2021-06-17 15:45:05 +02:00
jorgectf
4e74003cd5 Polish Concepts documentation 2021-06-17 15:44:51 +02:00
jorgectf
7e6032f5b4 Port to Decoding 2021-06-17 15:43:54 +02:00
jorgectf
8e3d5ff3f9 Rename mongoclient tests 2021-06-17 15:43:01 +02:00
jorgectf
b8e619a60c Extend qhelp references 2021-06-17 15:42:45 +02:00
Anders Schack-Mulligen
b173b4141d Merge pull request #6096 from smowton/smowton/fix/inline-expectations-missing-prefix 
Inline expectation tests: accept // $MISSING: and // $SPURIOUS:
 2021-06-17 11:41:15 +02:00
Chris Smowton
558813acf7 Inline expectation tests: accept // $MISSING: and // $SPURIOUS: 
Previously there had to be a space after the $ token, unlike ordinary expectations (i.e., // $xss was already accepted)
 2021-06-17 09:44:39 +01:00
Tom Hvitved
0febf5a592 Merge pull request #6094 from hvitved/dataflow/consistency-compiler-too-smart 
Data flow: Workaround for too clever compiler in consistency queries
 2021-06-17 10:23:31 +02:00
Tom Hvitved
ffb2350a54 Data flow: Fix getLocalCallContext join-order 2021-06-17 10:02:31 +02:00
Tom Hvitved
cc383e0f6a Data flow: Workaround for too clever compiler in consistency queries 2021-06-17 09:43:36 +02:00
jorgectf
8527ccc6d6 Update .expected 2021-06-16 23:19:14 +02:00
jorgectf
5c7229c715 Optimize Type Tracking stuff 2021-06-16 23:19:05 +02:00
jorgectf
81505fbd76 Normalize tests 2021-06-16 23:18:38 +02:00
Rasmus Wriedt Larsen
68f526da1f Python: Add change-note 2021-06-16 20:09:05 +02:00
Rasmus Wriedt Larsen
498703fc81 Python: Escaping only valid with both input/output defined 
Problematic part is

```codeql
  /** A escape from string format with `markupsafe.Markup` as the format string. */
  private class MarkupEscapeFromStringFormat extends MarkupSafeEscape, Markup::StringFormat {
    override DataFlow::Node getAnInput() {
      result in [this.getArg(_), this.getArgByName(_)] and
      not result = Markup::instance()
    }

    override DataFlow::Node getOutput() { result = this }
  }
```

since the char-pred still holds even if `getAnInput` has no results...

I will say that doing it this way feels kinda dirty, and we _could_ fix
this by including the logic in `getAnInput` in the char-pred as well.
But as I see it, that would just lead to a lot of code duplication,
which isn't very nice.
 2021-06-16 19:09:00 +02:00
Rasmus Wriedt Larsen
6539df6422 Python: Add ConceptsTest for MarkupSafe 2021-06-16 19:09:00 +02:00