codeql

mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00

Author	SHA1	Message	Date
Arthur Baars	4b3b1d2a8b	Merge pull request #7222 from aibaars/ruby-ci-fix Ruby: fix CI jobs after removal of `.codeql-manifest.json`	2021-11-24 17:16:52 +01:00
Erik Krogh Kristensen	1e752f305d	apply the explicit this patch to new code	2021-11-24 15:26:19 +01:00
Erik Krogh Kristensen	08ce03cd93	Merge branch 'main' into explicit-this	2021-11-24 15:24:58 +01:00
Erik Krogh Kristensen	3bab8c6d1d	Merge pull request #7173 from erik-krogh/getRubyInSync JS/PY/RB: get ReDoSUtil in sync for ruby	2021-11-24 15:20:23 +01:00
Rasmus Wriedt Larsen	651a76c9ce	Python: Add CWE-532 to CleartextLogging Relevant for this query: CWE-532: Insertion of Sensitive Information into Log File > While logging all information may be helpful during development > stages, it is important that logging levels be set appropriately > before a product ships so that sensitive user data and system > information are not accidentally exposed to potential attackers. See https://cwe.mitre.org/data/definitions/532.html JS also did this recently: https://github.com/github/codeql/pull/7103	2021-11-24 14:59:52 +01:00
Rasmus Wriedt Larsen	c05ffd4d00	JS/PY: Remove CWE-315 form CleartextLogging Since it is not relevant for this query: CWE-315: Cleartext Storage of Sensitive Information in a Cookie See https://cwe.mitre.org/data/definitions/315.html	2021-11-24 14:59:18 +01:00
Anders Schack-Mulligen	7ca3407c86	Dataflow: Sync.	2021-11-24 14:43:00 +01:00
Anders Schack-Mulligen	a7ec0fa900	Dataflow: Remove more disjunction-induced tuple duplication.	2021-11-24 14:39:49 +01:00
Michael Nebel	b9d0a60ce7	C#: Addressed review comments from hvitved	2021-11-24 14:35:52 +01:00
luchua-bc	b0031a0d85	Add local input test case and update qldoc	2021-11-24 13:30:50 +00:00
Tom Hvitved	1d1780b30f	C#: Fix bug in `getEnclosingCallable`	2021-11-24 14:24:01 +01:00
Rasmus Wriedt Larsen	7dde52ced2	Merge pull request #7131 from RasmusWL/wsgiref.simple_server Python: Model `wsgiref.simple_server` applications	2021-11-24 14:22:23 +01:00
Anders Schack-Mulligen	4efdcc22a2	Dataflow: Improve barrier handling.	2021-11-24 14:17:05 +01:00
Tom Hvitved	f85fa87f69	C#: Add test that illustrates problem with `getEnclosingCallable`	2021-11-24 13:59:29 +01:00
Rasmus Wriedt Larsen	2a5e0a3b77	Merge pull request #7145 from RasmusWL/remove-owasp-tags Python/Ruby: Remove owasp tags	2021-11-24 13:56:48 +01:00
Rasmus Wriedt Larsen	e2652591a5	Python: Change perf fix PoorMansFunctionResolution Thanks @yoff, this leaves us with the following evaluation, which looks very close to the one in the other fix (but with cleaner implementation) -- both at 688k max tuples (although numbers are not exactly the same). ``` [2021-11-24 13:48:40] (14s) Tuple counts for PoorMansFunctionResolution::getSimpleMethodReferenceWithinClass#ff/2@e5f05asv after 74ms: 47493 ~3% {3} r1 = JOIN Class::Class::getAMethod_dispred#ff WITH py_Classes ON FIRST 1 OUTPUT Lhs.1, 0, Lhs.0 47335 ~0% {2} r2 = JOIN r1 WITH AstGenerated::Function_::getArg_dispred#fff ON FIRST 2 OUTPUT Rhs.2, Lhs.2 46683 ~0% {2} r3 = JOIN r2 WITH DataFlowPublic::ParameterNode::getParameter_dispred#fb_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1 259968 ~4% {2} r4 = JOIN r3 WITH LocalSources::Cached::hasLocalSource#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1 161985 ~0% {3} r5 = JOIN r4 WITH Attributes::AttrRef::accesses_dispred#bff_102#join_rhs ON FIRST 1 OUTPUT Rhs.1 'result', Lhs.1, Rhs.2 161985 ~2% {3} r6 = JOIN r5 WITH Attributes::AttrRead#class#f ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Lhs.0 'result' 688766 ~0% {3} r7 = JOIN r6 WITH Function::Function::getName_dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1, Rhs.1 'func', Lhs.2 'result' 20928 ~0% {2} r8 = JOIN r7 WITH Class::Class::getAMethod_dispred#ff ON FIRST 2 OUTPUT Lhs.1 'func', Lhs.2 'result' return r8 ```	2021-11-24 13:52:05 +01:00
Rasmus Wriedt Larsen	1411804e58	Python: Allow custom `fastapi.APIRouter` subclasses	2021-11-24 13:46:38 +01:00
Tom Hvitved	1d654d1eac	C#: Restrict `refReadBeforeWrite`	2021-11-24 13:43:14 +01:00
Tom Hvitved	1739673202	C#: Enable SSA consistency queries	2021-11-24 13:43:14 +01:00
Chris Smowton	c74eac4930	Remove needless casts	2021-11-24 12:18:05 +00:00
Chris Smowton	cec91c4831	Update ThreadResourceAbuse.qhelp	2021-11-24 12:15:48 +00:00
Chris Smowton	5101a8e9f3	Fix qhelp test	2021-11-24 12:12:56 +00:00
Chris Smowton	136ecaf49a	Abbreviate qhelp example	2021-11-24 12:12:22 +00:00
Michael Nebel	c3996b00d5	C#: Update the Microsoft.NETCore.App stub	2021-11-24 13:09:06 +01:00
Chris Smowton	120f2045cd	Document XXE sanitisation policy	2021-11-24 12:03:28 +00:00
Mathias Vorreiter Pedersen	6d9cea90cb	Merge pull request #7226 from MathiasVP/shorter-ir-dataflow-paths C++: Hide some IR dataflow nodes	2021-11-24 11:13:52 +00:00
Michael Nebel	a3ca9ad27d	C#: Sync flow summary implementation files and implement specific parts for ruby and java	2021-11-24 12:09:20 +01:00
Michael Nebel	e153a65216	C#: Update flow summaries test for EntityFramework to print results in CSV syntax	2021-11-24 12:09:20 +01:00
Michael Nebel	914d3d86af	C#: Update flow summaries test to print results in CSV syntax	2021-11-24 12:09:20 +01:00
Michael Nebel	3a7d51d2ee	C#: Don't throw away ReturnKind information, when printing flow summaries. Note that any non NormalReturnKind printed summary will not be in the flow summary CSV language	2021-11-24 12:09:20 +01:00
Michael Nebel	e607c51292	C#: Initial implementation of csv printing in FlowSummaries test	2021-11-24 12:09:20 +01:00
Rasmus Wriedt Larsen	47448d9efc	Python: Apply suggestions from code review Co-authored-by: yoff <lerchedahl@gmail.com>	2021-11-24 12:02:12 +01:00
Mathias Vorreiter Pedersen	6c7a01d3d5	C++: Add some comments to the two 'flowThrough' predicates.	2021-11-24 10:50:44 +00:00
Rasmus Wriedt Larsen	d493cfdf3a	Python: Model FastAPI `FileResponse` as `FileSystemAccess` This was an oversight from our initial FastAPI modeling work.	2021-11-24 11:44:51 +01:00
yoff	f9729bccef	Merge pull request #7143 from RasmusWL/path-improvements Python: Model `posixpath` and `os.stat`	2021-11-24 11:36:06 +01:00
Anders Schack-Mulligen	a3b263ee6e	Merge pull request #7181 from bmuskalla/coverageAsDiagnostics Java: Add diagnostic query for framework coverage	2021-11-24 10:57:50 +01:00
Rasmus Wriedt Larsen	b2611fe198	Merge branch 'main' into redos-cwe-1333	2021-11-24 10:42:43 +01:00
Mathias Vorreiter Pedersen	2e7ddb479e	C++: Accept test changes.	2021-11-24 09:41:00 +00:00
Mathias Vorreiter Pedersen	4cbfc306ac	C++: Hide dataflow nodes if they're just used for flow-through for read steps or store steps.	2021-11-24 08:01:44 +00:00
Arthur Baars	133ec2e4af	Fix CI jobs	2021-11-23 22:03:01 +01:00
Erik Krogh Kristensen	87a1ccd428	Merge branch 'main' into getRubyInSync	2021-11-23 20:20:37 +01:00
luchua-bc	e56737e007	Use value step to optimize the taint step and add a test case for Apache file upload listener	2021-11-23 17:15:28 +00:00
Mathias Vorreiter Pedersen	8c9e817c0d	Merge pull request #7188 from github/redsun82/fix-operand-location C++: take IR Operand locations from definitions	2021-11-23 16:32:06 +00:00
Nick Rolfe	bb38c4d6fd	Merge pull request #6978 from github/nickrolfe/regex_injection Ruby: add regex injection query	2021-11-23 16:22:35 +00:00
Nick Rolfe	1a90b388a9	Merge remote-tracking branch 'origin/main' into nickrolfe/regex_injection	2021-11-23 15:42:05 +00:00
Paolo Tranquilli	055017de49	fix how non existing locations are accounted for	2021-11-23 15:28:16 +00:00
Paolo Tranquilli	9538ac73e4	account for non-existing locations	2021-11-23 15:28:16 +00:00
Paolo Tranquilli	d626745ab1	fix `ThisArgumentOperand` location The correct check to do to choose between using `getAnyDef` and `getUse` is to check whether the location is an instance of UknonwnLocation.	2021-11-23 15:28:16 +00:00
Paolo Tranquilli	e99a040884	implement review suggestions	2021-11-23 15:28:16 +00:00
Paolo Tranquilli	8b44d5c39e	sync files	2021-11-23 15:28:15 +00:00

... 5 6 7 8 9 ...

29908 Commits