hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-29 14:23:03 +01:00
Code Issues Packages Projects Releases Wiki Activity
652 Commits 1,684 Branches 159 Tags
005e49fe94308a4977f3addcfbe3bead2fbdccfc
Commit Graph

472 Commits

Author SHA1 Message Date
Max Schaefer
005e49fe94 Merge pull request #130 from porcupineyhairs/MongoInjection 
Golang : Add MongoDB injection support
 2020-05-13 09:43:49 +01:00
Sauyon Lee
24e939730a Merge pull request #134 from max-schaefer/fix-test-errors 
Fix frontend errors in tests
 2020-05-13 01:38:30 -07:00
Max Schaefer
89d633ac3f Merge pull request #120 from porcupineyhairs/SensitiveActionBypass 
User-controlled bypass of sensitive action
 2020-05-12 19:48:24 +01:00
Max Schaefer
d438b5ec03 Merge pull request #131 from porcupineyhairs/IO 
Model stdlib's IO package.
 2020-05-12 19:41:40 +01:00
Slavomir
84e2a5ddd2 Add experimental library: gin web framework (#117) 2020-05-12 14:27:11 +01:00
Max Schaefer
6f21b4030e Merge pull request #135 from sauyon/tempfile-test 
Add support for ioutil TempFile and TempDir
 2020-05-12 14:25:38 +01:00
Porcupiney Hairs
e51bc42bfb fix metadata 2020-05-12 17:31:24 +05:30
Max Schaefer
5dac94d24c Merge pull request #116 from gagliardetto/CWE-681 
CWE 681
 2020-05-12 11:59:08 +01:00
Slavomir
556f527193 Exclude results in test files 2020-05-12 13:12:47 +03:00
Slavomir
e5e74f34d7 Add note on why the zero is commented out in Lt32BitFlowConfig 2020-05-12 13:06:11 +03:00
Slavomir
623d5b3a97 Add comments 2020-05-12 13:00:50 +03:00
Slavomir
ea7c38c99c Remove references section from qhelp file 2020-05-12 13:00:27 +03:00
Slavomir
67a7294d10 Simplify and remove deprecated; add severity 2020-05-12 12:51:13 +03:00
Porcupiney Hairs
d0061bfd4b Golang : Add MongoDB injection support 
This PR adds support for MongoDB injection to the existing SQL injection query.
This models the official Golang MongoDB driver.

A  brief summary of changes made in this query are :

1. A `NoSQL.qll` files has been created to model a `NoSQLQueryString`.

2. An entry is added in `go.qll` by default as I find these changes may be generally useful.

3. Library tests along with there expected outputs are added.

4. Query tests are added. However, I am unable to add the expected output as qltest
can't find depstubber. However, these can be easily added. I have created a separate
codeql-go database with the same files and ran the query against the same. I can see
there should be 14 correct results added from this PR.
 2020-05-11 19:55:48 +05:30
Porcupiney Hairs
9b53ad3b3c model IO package 2020-05-11 19:39:01 +05:30
Porcupiney Hairs
c1856ba260 fix tests 2020-05-11 19:32:28 +05:30
Max Schaefer
4a7171d91e Fix frontend errors in BadRedirectCheck tests. 2020-05-11 11:45:21 +01:00
Max Schaefer
17dd99d326 Fix frontend errors in Mux tests. 2020-05-11 11:45:08 +01:00
Max Schaefer
3e830b69b5 Merge pull request #121 from porcupineyhairs/conditionBypass 
User-controlled bypass of a comparision
 2020-05-11 10:41:33 +01:00
Slavomir
5df81d3210 Apply suggestions from code review 
Co-authored-by: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
 2020-05-11 12:37:14 +03:00
Sauyon Lee
181c03ebf3 Add support for ioutil TempFile and TempDir 2020-05-10 18:25:55 -07:00
Porcupiney Hairs
b32ac2a47f fix tests 2020-05-11 04:51:17 +05:30
Porcupiney Hairs
4aba80b0bd include changes from review 2020-05-11 04:05:41 +05:30
Porcupiney Hairs
3d10ec7e51 remove some obvious false positives and include changes from review 2020-05-11 03:13:01 +05:30
Max Schaefer
70f87b59d2 Data flow: Support stores into nodes that are not PostUpdateNodes. 
cf https://github.com/github/codeql/pull/3312
 2020-05-06 19:43:27 +01:00
Max Schaefer
fd2e618be2 Data flow: No more summaries 
cf https://github.com/github/codeql/pull/3110
 2020-05-06 19:43:27 +01:00
Max Schaefer
968d4d9cdd Revert the join order fix from https://github.com/github/codeql/pull/2872. 
cf https://github.com/github/codeql/pull/3202
 2020-05-06 19:43:27 +01:00
Max Schaefer
f2b43f65f9 Data flow: Exclude param-param flow through identical params. 
cf https://github.com/Semmle/ql/pull/3060
 2020-05-06 19:43:27 +01:00
Max Schaefer
aabe2f2f82 Data flow: No magic in returnFlowCallableCand. 
cf https://github.com/Semmle/ql/pull/3142
 2020-05-06 19:43:27 +01:00
Max Schaefer
c9ba6dd672 Fix up hasLocationInfo predicate. 2020-05-06 19:43:27 +01:00
Max Schaefer
5cd9168e4d Data flow: Refactoring + performance improvements 
cf https://github.com/Semmle/ql/pull/2903
 2020-05-06 19:43:27 +01:00
Max Schaefer
96120e1e35 Update expected output. 2020-05-06 19:43:27 +01:00
Max Schaefer
8d10a8dd5b Fix bug in type pruning. 
cf https://github.com/Semmle/ql/pull/3020
 2020-05-06 19:43:27 +01:00
Max Schaefer
d008d2a6a8 Fix performance issue in partial paths exploration. 
cf https://github.com/Semmle/ql/pull/3021
 2020-05-06 19:43:27 +01:00
Max Schaefer
1d4a993d87 Merge pull request #132 from max-schaefer/extends-this-class 
Fix copy-pasted typo.
 2020-05-06 19:42:55 +01:00
Max Schaefer
d6a5a72c01 Fix copy-pasted typo. 2020-05-06 13:54:28 +01:00
Sauyon Lee
164149b29a Merge pull request #129 from max-schaefer/fix-argument-post-update-nodes 
Fix and improve taint-tracking through function arguments
 2020-05-06 02:57:01 -07:00
Max Schaefer
08f5451fce Address review comments. 2020-05-06 07:32:15 +01:00
Max Schaefer
9f59777cc9 Merge pull request #119 from jcreedcmu/jcreed/jump-to-def-ide 
Add queries for ide search.
 2020-05-05 15:10:58 +01:00
Jason Reed
5653889a39 Exclude IDE queries from query suites. 2020-05-05 09:22:44 -04:00
Max Schaefer
2fb3d39f61 Merge pull request #128 from sauyon/mux 
Add support for Mux library
 2020-05-05 13:57:37 +01:00
Max Schaefer
b177d58c88 Tweak test. 
The query under test isn't a `@problem` query, so we should refer to "alerts".
 2020-05-05 12:05:09 +01:00
Max Schaefer
60a6c96863 Simplify modeling of NewContent. 2020-05-05 12:05:09 +01:00
Max Schaefer
5a96b0e8ac Add two function models for handling MIME APIs. 2020-05-05 12:05:09 +01:00
Max Schaefer
be94f2b9e6 Improve and extend various standard-library function models. 2020-05-05 12:05:09 +01:00
Sauyon Lee
a841077cbe Add support for Mux library 2020-05-05 03:25:08 -07:00
Max Schaefer
54f10157b0 Update ql/src/semmle/go/frameworks/Email.qll 
Co-authored-by: Sauyon Lee <sauyon@github.com>
 2020-05-05 11:24:19 +01:00
Max Schaefer
e632c75de3 Add support for taint models involving "backwards" taint propagation from results to arguments. 2020-05-04 16:36:38 +01:00
Max Schaefer
5e8e51993e Simplify SmtpData. 2020-05-04 16:36:38 +01:00
Max Schaefer
5b0c48e332 Add taint models for fmt.Fprintf and io.WriteString. 2020-05-04 16:36:38 +01:00