Owen Mansel-Chan
88e7c44a6d
Update expected test results with extra nodes
2021-12-08 15:28:28 -05:00
Sauyon Lee
afe7edc093
Fix test output
Includes a bunch of new edges, but no new results
2021-12-07 07:39:28 -05:00
Sauyon Lee
3ac2a50497
Update test output
2021-12-07 07:39:21 -05:00
Tony Torralba
f2017b626e
Fix stubs
2021-11-22 09:15:12 +01:00
Tony Torralba
c9332cdccb
Fix *Depth log levels in glog and klog
2021-11-22 09:15:01 +01:00
Tony Torralba
c886d10388
Add Log Injection query
2021-11-19 17:55:34 +01:00
Owen Mansel-Chan
7c1b7b8810
Fix strictnessOffset in isBoundFor
2021-11-02 15:09:39 +00:00
Owen Mansel-Chan
7de6e17d86
Recognise math.MaxInt and math.MaxUint
Treat them as if we were on a 32-bit architecture.
2021-11-02 15:09:06 +00:00
Owen Mansel-Chan
2cc0c80188
Add extra tests
2021-11-02 15:09:05 +00:00
Owen Mansel-Chan
be22373f3e
Move Incorrect Integer Conversion tests to InlineFlowTest
2021-11-02 15:09:00 +00:00
Owen Mansel-Chan
109e3660f8
Split Incorrect Integer Conversion into query and lib files
This is in preparation for changing the tests to use inline
expectations
2021-11-02 12:43:54 +00:00
Chris Smowton
004beab750
Add a good variant of test case foo10
2021-10-29 11:07:30 +01:00
Owen Mansel-Chan
e0e1a4671a
Address review comments
2021-10-28 10:10:39 +01:00
Owen Mansel-Chan
cdee44bbd1
Add barrier guard for comparison
2021-10-28 10:10:38 +01:00
Sauyon Lee
c41502de1e
Fix tests for go 1.17
2021-08-19 14:02:29 -07:00
Sauyon Lee
040b166eb2
Add new style build constraints and add test for the old style
2021-08-19 14:00:04 -07:00
Owen Mansel-Chan
9634e8d7b0
Update path in qlref file
2021-08-18 11:54:04 +01:00
Owen Mansel-Chan
ca01d55297
Promote insufficient key size query
Files were just moved - changes made in next commit
2021-08-18 11:54:04 +01:00
Sauyon Lee
bfe6e7510d
Evaluate symlinks for the dummy file
2021-04-27 08:32:21 -07:00
Sauyon Lee
d09cb7f228
Remove badpkg.go to make tests location-independent
2021-04-27 01:18:22 -07:00
Sauyon Lee
27b72b53e5
Add diagnostic queries
2021-04-27 01:18:21 -07:00
Sauyon Lee
9f85846980
Add lines of code summary query
2021-04-27 01:18:20 -07:00
Chris Smowton
e50ad90856
Elaborate comment and change-note a little
2021-04-21 12:36:43 +01:00
Sauyon Lee
50bb6187b8
Revert ReflectedXss.go to example
2021-04-20 23:27:03 -07:00
Chris Smowton
0cef5fb5d0
Add test case for map extraction
2021-04-20 14:23:29 -07:00
Chris Smowton
027a540c67
Update test expectations now that tuple-extracts not method calls are sources
2021-04-19 17:05:50 +01:00
Chris Smowton
7d258ae722
Improve net/http taint-tracking fidelity
* Don't taint error returns from http.Request methods
* Track taint across mime/multipart.Part methods
2021-04-19 16:05:23 +01:00
Owen Mansel-Chan
f1b6139ace
Update expected results for ZipSlip to include implicit field reads
2021-03-30 10:13:22 +01:00
Sauyon Lee
68dca955a8
Rework tests and fix output
2021-03-18 10:54:32 -07:00
Sauyon Lee
23103fd8e0
Add support for 'path/filepath.WalkDir'
2021-02-19 07:59:13 -08:00
Sauyon Lee
00e5b7cdfc
InsecureRNG: Select first result in fn only
2021-02-05 22:51:09 -08:00
Sauyon Lee
73dc135480
Move insecure randomness query to cwe-338
Also give it a precision
2021-02-02 08:04:12 +00:00
Sauyon Lee
82bd293e5c
Polish insecure randomness query
2021-02-02 08:04:11 +00:00
Sauyon Lee
cfb9593af8
Move InsecureRandomness out of experimental
2021-02-01 15:54:51 +00:00
Sauyon Lee
53b468174f
Make InsecureHostnameRegex check for rejecting handlers
2021-01-27 17:38:22 +00:00
Chris Smowton
83cee4a334
Add 'git' as a possible command-interpreter, unless arguments are sanitized using "--"
This is because some git flags can specify arbitrary commands to execute, but its positional arguments cannot, and "--" like in many commands instructs git to consume no further flags.
2021-01-07 11:54:41 +00:00
Tom Payne
9bbdf86487
Support more regexp anchors
2020-12-23 14:04:33 +01:00
Chris Smowton
3338a0b10d
Merge pull request #402 from smowton/smowton/feature/zipslip-more-generous-sanitisers
ZipSlip: redefine sources closer to their origin, and make sanitizers more generous
2020-11-27 18:25:07 +00:00
Chris Smowton
70015b2c32
Add tests for zipslip using a utility function to check that the archive header is safe
Note this currently contains some cases that are safe but are still flagged, because of weaknesses in the guardingFunction predicate.
2020-11-27 15:11:57 +00:00
Chris Smowton
1eb8fff7e1
ZipSlip: redefine sources closer to their origin, and make sanitizers more generous.
Previously we considered certain fields of `tar` or `zip` file headers to be sources, but this meant subsequent references to the same field were not considered sanitized. For example, at least some real-world projects used a pattern like `if isIllegalPathTraversal(hdr.Name) { return nil; } ... /* other code using hdr.Name */`. By associating a source with the field-read `.Name` rather than the header itself, we were unable to see that the subsequent read was guarded by the sanitizer function.
Relatedly, it is common to use some intermediary taint-propagating function, as in `clean(s string) { if strings.HasPrefix("..", filepath.Clean(filepath.Join(target, s))) ...`, in the implementation of a sanitizer. We now follow the taint propagation (locally) backwards towards the function parameter, marking the predecessor functions and ultimately the parameter `s` as sanitized in addition to the direct argument to `strings.HasPrefix`. Existing sanitizing-function logic can then sometimes lift this out into the caller too.
2020-11-27 13:57:25 +00:00
Sauyon Lee
0bf09307cf
Add StoredCommand query
2020-11-23 02:11:44 -08:00
Sauyon Lee
793d6f6053
Merge pull request #399 from sauyon/stored-xss
Add stored XSS query
2020-11-19 23:23:21 -08:00
Chris Smowton
38e383858e
Merge pull request #394 from smowton/smowton/feature/unsafe-unzip-symlink
Add query checking for unpacking of symlinks without using EvalSymlinks to spot existing ones.
2020-11-18 19:10:18 +00:00
Owen Mansel-Chan
ce67418cdc
Update tests
These changes match those in https://github.com/github/codeql/pull/4440
2020-11-17 15:48:50 +00:00
Chris Smowton
500d78dafa
Include os.Readlink as a probable sanitiser.
A couple of projects seem to walk links one unit at a time, rather than just throwing `EvalSymlinks` at the whole potentially suspect path.
2020-11-16 09:57:26 +00:00
Chris Smowton
2193642c6e
Expand query to notice Symlink and archive iterator calls that do not directly share a loop
We look across function-call boundaries to check there is some common enclosing loop, but false-positives are more likely if in practice there is no control-flow path from the archive iterator to the Symlink call and back.
2020-11-16 09:57:26 +00:00
Chris Smowton
1a2c209259
Add query checking for unpacking of symlinks without using EvalSymlinks to spot existing ones.
This is usually dangerous because (if the archive is untrusted) the intent is usually to permit within-archive symlinks, e.g. dest/a/parent -> .. -> dest/a is an acceptable link to unpack. However if EvalSymlinks is not used to take already-unpacked symlinks into account, it becomes possible to sneak tricks like dest/escapes -> dest/a/parent/.. through, which create links leading out of the archive for later abuse.
2020-11-16 09:57:26 +00:00
Sauyon Lee
efddef7fa2
Add tests for stored XSS query
2020-11-11 23:13:12 -08:00
Sauyon Lee
0950baf4b7
Add additional tests for suspicious character in regexp
2020-11-09 10:36:27 -08:00
Sauyon Lee
eb26b0abd1
SuspiciousCharacterInRegexp: Add fix for raw string literals
2020-11-09 10:10:47 -08:00