29908 Commits

Author SHA1 Message Date
Tony Torralba
2df30dc107 Use InlineFlowTest for local and remote flow tests 2021-10-08 11:48:35 +02:00
Anders Schack-Mulligen
446c738f20 Merge pull request #6790 from aschackmull/dataflow/force-precision
Dataflow: Force high precision of certain Contents.
2021-10-08 11:44:26 +02:00
Calum Grant
958fbc7992 Merge pull request #316 from github/calumgrant/readme
Update README.md
2021-10-08 10:36:07 +01:00
Alex Ford
9dedb0540e Merge pull request #312 from github/rb/stored-xss-1
Implement `rb/stored-xss` query
2021-10-08 10:33:11 +01:00
ihsinme
d79596354e Update cpp/ql/src/experimental/Security/CWE/CWE-1041/FindWrapperFunctions.ql
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
2021-10-08 11:50:45 +03:00
Tom Hvitved
951df380a9 Merge pull request #6829 from hvitved/csharp/gvn-to-string-concat-range
C#: Speedup GVN string `concat`s by pulling ranges into separate predicates
2021-10-08 10:02:31 +02:00
Anders Schack-Mulligen
06e59f3b17 Merge pull request #6832 from github/workflow/coverage/update
Update CSV framework coverage reports
2021-10-08 09:53:49 +02:00
Anders Schack-Mulligen
1bec58dee5 Dataflow: Fix more qldoc: s/accesspath/access path/. 2021-10-08 09:41:26 +02:00
github-actions[bot]
062250741a Add changed framework coverage reports 2021-10-08 00:08:55 +00:00
Rasmus Wriedt Larsen
a81d359669 Python: Model marshal.load 2021-10-07 21:27:51 +02:00
Rasmus Wriedt Larsen
1b61296ea5 Python: Model pickle.load 2021-10-07 21:25:48 +02:00
Rasmus Wriedt Larsen
27c368a444 Python: Model keyword arguments to pickle.loads 2021-10-07 21:24:12 +02:00
Rasmus Wriedt Larsen
3592b09d56 Python: Expand stdlib decoding tests
The part about claiming there is decoding of the input to `shelve.open`
is sort of an odd one, since it's not the filename, but the contents of
the file that is decoded.

However, trying to only handle this problem through path injection is
not enough -- if a user is able to upload and access files through
`shelve.open` in a path injection safe manner, that still leads to code
execution.

So right now the best way we have of modeling this is to treat the
filename argument as being deserialized...
2021-10-07 21:11:51 +02:00
Alex Ford
16ab4da812 Update ql/lib/codeql/ruby/security/XSS.qll
Co-authored-by: Harry Maclean <hmac@github.com>
2021-10-07 20:03:07 +01:00
Rasmus Wriedt Larsen
a31bf75169 Python: Refactor pickle.loads() modeling 2021-10-07 20:28:30 +02:00
Robert Marsh
2539e3247a Merge pull request #6814 from MathiasVP/fix-qldoc-in-copy-instruction
C++/C#: Fix QLDoc of `CopyInstruction`
2021-10-07 11:18:38 -07:00
Aditya Sharad
2ed572095c CLI docs: Address comments on Bazel example 2021-10-07 10:51:11 -07:00
yoff
933412eb8d Apply suggestions from code review
Co-authored-by: Taus <tausbn@github.com>
2021-10-07 17:45:07 +02:00
Nick Rolfe
eafe22ef93 Merge remote-tracking branch 'origin/main' into nickrolfe/oj 2021-10-07 16:40:36 +01:00
Tony Torralba
91efb61e97 Use synthetic fields to improve taint precision 2021-10-07 17:03:08 +02:00
Tony Torralba
0325c07bd9 Reorganize fluent models 2021-10-07 17:03:07 +02:00
Tony Torralba
ffa77f0a76 Fix QLDoc 2021-10-07 17:03:07 +02:00
Tony Torralba
588dedc265 Add stubs 2021-10-07 17:03:05 +02:00
Tony Torralba
1a04ad98bc Add Android Slice models 2021-10-07 17:01:16 +02:00
Arthur Baars
2a32b59840 Merge pull request #331 from github/aibaars/remove-unsafe
Remove use of 'unsafe'
2021-10-07 16:58:59 +02:00
Alex Ford
de01770612 update test output 2021-10-07 15:50:35 +01:00
Arthur Baars
439d873564 Remove use of 'unsafe' 2021-10-07 16:38:29 +02:00
Alex Ford
168e67dd6d deduplicate string constantQualifiedName(ConstantWriteAccess) as string ConstantWriteAccess#getQualifiedName 2021-10-07 15:30:36 +01:00
Alex Ford
5b38e06765 Rename ActiveRecordModelClass#methodMayAccessField() as ActiveRecordModelClass#getAPotentialFieldAccessMethod() 2021-10-07 15:30:36 +01:00
Alex Ford
3bdc680434 Drop a comment that is no longer relevant 2021-10-07 15:30:36 +01:00
Alex Ford
8262247ed7 Minor simplification of finderMethodName predicate 2021-10-07 15:30:36 +01:00
Alex Ford
eb8c48d10f Remove some unused predicates 2021-10-07 15:30:36 +01:00
Alex Ford
c9edbd98d5 Update ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
Co-authored-by: Harry Maclean <hmac@github.com>
2021-10-07 15:30:36 +01:00
Alex Ford
e4fe1d5c13 check for superclass method definitions in ActiveRecordModelClass#methodMayAccessField 2021-10-07 15:30:36 +01:00
Alex Ford
fb5cfcc9b0 OrmTracking goes through or expressions 2021-10-07 15:30:36 +01:00
Alex Ford
be018cc97f update ActionController tests 2021-10-07 15:30:36 +01:00
Alex Ford
955080234b partial support for rails layouts 2021-10-07 15:30:36 +01:00
Alex Ford
8e1b48e607 StoredXSS.qhelp 2021-10-07 15:30:36 +01:00
Alex Ford
182a926eeb rename some example files 2021-10-07 15:30:36 +01:00
Alex Ford
1929a95e89 format 2021-10-07 15:30:36 +01:00
Alex Ford
6065e29aba Fix performance issues related to a x-product between ActiveRecordModelInstantiation and MethodCall 2021-10-07 15:30:36 +01:00
Alex Ford
43a49689d7 reorganize ActiveRecord field access heuristics 2021-10-07 15:30:36 +01:00
Alex Ford
8f81eaa79c format 2021-10-07 15:30:36 +01:00
Alex Ford
b2434950d3 abstract away some ActiveRecord specific parts of XSS.qll 2021-10-07 15:30:36 +01:00
Alex Ford
6a32c0cde0 update XSS tests 2021-10-07 15:30:36 +01:00
Alex Ford
6dc3ce335b make rb/stored-xss track ActiveRecord db accesses 2021-10-07 15:30:36 +01:00
Alex Ford
f6dd6bb00c expand ActiveRecord modelling to cover how to access fields 2021-10-07 15:30:36 +01:00
Alex Ford
eb5f26ce06 duplicate DataFlow implementation 2021-10-07 15:30:36 +01:00
Alex Ford
a2084f813e rb/stored-xss structure and initial implementation (FileSystemReadAccess sources) 2021-10-07 15:30:36 +01:00
Chris Smowton
9a80ab31c4 Merge pull request #6567 from luchua-bc/java/sensitive_android_file_leak
Java: CWE-200 - Query to detect exposure of sensitive information from android file intent
2021-10-07 15:19:39 +01:00