hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-18 19:31:11 +02:00
Code Issues Packages Projects Releases Wiki Activity
33,886 Commits 1,780 Branches 169 Tags
0125aea91b0c4203caa3bdb181bc286bae569618
Commit Graph

33886 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rasmus Wriedt Larsen
0125aea91b Python: Re-introduce old dataflow configs .qll files 
and move all the old deprecated aliases to that file. We now have a
situation where all queries should work as they did before, and we just
have these new Query.qll files that contain the implementation.

(deprecation comes later)
 2022-03-21 14:53:53 +01:00
Rasmus Wriedt Larsen
1bf8fa6a3b Python: Adopt Query.qll suffix for dataflow config defs 
This commit in itself makes everything break, but should make it easy to
follow the overall changes being made.
 2022-03-21 14:53:53 +01:00
Michael Nebel
d31ef371ec Merge pull request #8391 from michaelnebel/csharp/gvn-interface 
C#: Deprecate the StructuralComparisonConfiguration interface and use sameGvn instead.
 2022-03-21 14:10:53 +01:00
Alex Ford
c891c53835 Merge pull request #8395 from alexrford/ruby/clear-text-storage 
Ruby: add `rb/clear-text-storage-sensitive-data` query
 2022-03-21 10:05:39 +00:00
CodeQL CI
b04c46f96d Merge pull request #8478 from asgerf/js/store-load-flow-context-sensitivity-bug 
Approved by erik-krogh
 2022-03-21 08:54:51 +00:00
Robert Marsh
4bf35ad188 Merge pull request #8483 from jketema/command-line-injection-test-cases-with-calls 
C++: Add additional command line injection tests
 2022-03-18 15:05:12 -04:00
Arthur Baars
beef8e29bc Merge pull request #8332 from hvitved/ruby/regexp-taint-flow 
Ruby: Use taint tracking instead of type tracking to define `regExpSource`
 2022-03-18 18:24:02 +01:00
Jeroen Ketema
d37ef1b5ca C++: Add command line injection test that currently results in a false positive 2022-03-18 16:12:09 +01:00
Arthur Baars
117fb5be7d Merge pull request #7917 from aibaars/incomplete-hostname 
Ruby: IncompleteHostnameRegExp.ql
 2022-03-18 16:00:09 +01:00
Tom Hvitved
1437aefe9d Ruby: Use taint tracking instead of type tracking to define regExpSource 2022-03-18 14:48:12 +01:00
Tom Hvitved
d97eaba070 Ruby: Add dataflow/taintracking copies for use in libraries 2022-03-18 14:48:12 +01:00
Arthur Baars
4a27928728 Ruby/JS add missing ^ in qhelp 2022-03-18 14:00:10 +01:00
Jeroen Ketema
459870ac1e C++: Add additional command line injection tests 2022-03-18 13:42:27 +01:00
Arthur Baars
431b60506e Merge remote-tracking branch 'upstream/main' into incomplete-hostname 2022-03-18 13:05:34 +01:00
Arthur Baars
6d24591416 Revert "Python: switch to shared implementation of IncompleteHostnameRegExp.ql" 
This reverts commit ce50f35dda.
 2022-03-18 13:02:55 +01:00
Chris Smowton
767453520e Merge pull request #8032 from JLLeitschuh/feat/JLL/check_os 
Java: Add Guard Classes for checking OS & unify System Property Access
 2022-03-18 11:20:36 +00:00
Asger Feldthaus
26b7edccd4 JS: Change note 2022-03-18 11:59:36 +01:00
Asger F
929419abba Merge pull request #8254 from asgerf/ruby/mad-prototype 
Ruby: initial prototype of models-as-data
 2022-03-18 10:48:33 +01:00
Mathias Vorreiter Pedersen
8bf172913e Merge pull request #8474 from hvitved/flow-state-changing-steps-should-be-in-path-explanation-alternative 
Dataflow: Flow-state changing steps should always be in path explanations
 2022-03-18 09:08:36 +00:00
Asger Feldthaus
8753632193 JS: Fix bug in reachableFromStoreBase 2022-03-17 17:30:46 +01:00
Asger Feldthaus
8c6ca6582e JS: Add test showing missing flow 2022-03-17 17:30:46 +01:00
Mathias Vorreiter Pedersen
abe30457ee Python: Accept test changes. 2022-03-17 14:03:58 +01:00
Tom Hvitved
79ea2a3a9c Data flow: Sync files 2022-03-17 14:03:58 +01:00
Tom Hvitved
4df12dc6e6 Data flow: State-changing taint steps should not be stepped over by the big step relation 2022-03-17 14:03:58 +01:00
Erik Krogh Kristensen
870521bd1e Merge pull request #8473 from erik-krogh/redundantAnyCast 
QL: expand redundant-inline-cast, and rename to redundant-cast
 2022-03-17 10:41:50 +01:00
Erik Krogh Kristensen
fe94421d32 rename redundant-inline-cast to redundant-cast 2022-03-17 10:25:40 +01:00
Erik Krogh Kristensen
86398a8c65 Merge pull request #8304 from erik-krogh/xssUrl 
JS: Refactor the XSS / Client-side-url queries
 2022-03-17 09:13:09 +01:00
Erik Krogh Kristensen
aa8b7c8679 update reference to deprecated class name 2022-03-16 22:32:54 +01:00
Erik Krogh Kristensen
6cdc38748c update expected output 2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen
d8a5947a08 simplify TaintedUrlSuffix::source() to only consider window.location based sources 2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen
b3de5d94a6 move PrefixStringSanitizer to the Query.qll file, and have it extend LabeledSanitizerGuardNode 2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen
562dce57e8 rename isXSSSink to isXssSink 2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen
f083e87fa1 refactor the js/xss query to use three flowlabels and one configuration 2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen
87842bb8b7 add client-side-url sinks that may execute JavaScript as XSS sinks 2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen
b471fec149 split interpretsArgumentsAsURL out of interpretsArgumentsAsHTML, and use it to generalize AttributeUrlSink 2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen
2576e1f655 add utility predicate to get client-side remote-flow-sources that contain a URL query/fragment 2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen
67e6a4c716 add a isXSSSink predicate to the client-side-url-redirection sinks 2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen
fc79242674 add tests 2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen
559f03ebbc remove unnecessary module qualifier 2022-03-16 22:32:07 +01:00
Erik Krogh Kristensen
2d9d383c55 remove unused import 2022-03-16 22:32:07 +01:00
Arthur Baars
1a51f0cf56 Ruby: regex: fix getGroupNumber 
non-capture groups should not have a group number
 2022-03-16 18:50:51 +01:00
Michael Nebel
138eb485c6 C#: Address review comments. 2022-03-16 16:00:48 +01:00
Jeroen Ketema
7a9a9d833a Merge pull request #8435 from jketema/all-the-barriers 
Add flow state versions of isBarrierIn, isBarrierOut, and isBarrierGuard
 2022-03-16 15:50:19 +01:00
Michael Nebel
68f24cda0b Merge pull request #8462 from michaelnebel/csharp/capture-models-fix-bad-join-order 
C#: Fix bad join order in returnNodeAsOutput.
 2022-03-16 15:46:17 +01:00
Asger Feldthaus
e1976da7f9 JS: Autoformat 2022-03-16 15:01:17 +01:00
Dave Bartolomeo
e669ffa22e Merge pull request #8320 from jketema/structured-binding-array 
C++: Handle initialization of structured bindings via bitwise copy in extractor
 2022-03-16 09:41:31 -04:00
Asger F
228570129e Merge branch 'main' into ruby/mad-prototype 2022-03-16 13:50:31 +01:00
Asger Feldthaus
e168da4c5f Shared: make a predicate private 2022-03-16 13:48:56 +01:00
Michael Nebel
5f7b5ec5df C#: Fix bad join order in returnNodeAsOutput. 2022-03-16 13:44:11 +01:00
Asger Feldthaus
8cef512234 Ruby: ensure ApiGraphs.qll imports its entry points 2022-03-16 13:40:14 +01:00