hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 12:46:34 +01:00
Code Issues Packages Projects Releases Wiki Activity
943 Commits 1,673 Branches 157 Tags
0238c19085fda8b1bb9bb38632156e99eeeda27e
Commit Graph

628 Commits

Author SHA1 Message Date
Alex Ford
0238c19085 remove TODO 2021-06-23 14:11:38 +01:00
Alex Ford
5941eb2be4 model some ActionController user input sources (params) 2021-06-23 14:11:38 +01:00
Alex Ford
9227f3a0c3 Add RemoteFlowSources.qll 2021-06-23 14:11:38 +01:00
Alex Ford
dbf1805c8b Merge pull request #196 from github/active-record-1 
Start modelling some potential SQL fragment sinks in ActiveRecord
 2021-06-22 16:05:26 +01:00
Arthur Baars
f7eee915da Remove ad-hoc queries 2021-06-22 15:35:30 +02:00
Tom Hvitved
992d8faa06 Bump codeql submodule 2021-06-21 16:06:45 +02:00
Tom Hvitved
abe5e3d953 Merge pull request #210 from github/hvitved/dataflow/consistency 
Data flow: Add consistency queries
 2021-06-21 14:42:55 +02:00
Nick Rolfe
35eb4a3af4 Merge pull request #214 from github/regexp_naming 
Use RegExp prefix instead of Regex, for consistency with other languages.
 2021-06-21 11:06:19 +01:00
Nick Rolfe
65aa97c07c Use RegExp prefix instead of Regex, for consistency with other languages. 2021-06-18 15:56:19 +01:00
Tom Hvitved
7cc02e6d00 Add Ssa::WriteDefinition::assigns/1 predicate 2021-06-18 10:42:32 +02:00
Alex Ford
7439ab5635 remove recvCls field from ActiveRecordModelClassMethodCall 2021-06-17 14:42:42 +01:00
Alex Ford
214532516b try to avoid a future merge conflict 2021-06-17 14:41:51 +01:00
Alex Ford
762656ee60 Add QLDoc to ActiveRecord.qll 2021-06-17 14:41:51 +01:00
Alex Ford
12a0af1d28 Tidy up PotentiallyUnsafeSqlExecutingMethodCall characteristic predicate 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2021-06-17 14:39:40 +01:00
Tom Hvitved
41ed9f3e1b Data flow: Fix inconsistencies 2021-06-17 10:48:32 +02:00
Tom Hvitved
00e544189e Data flow: Add consistency queries 2021-06-17 10:26:56 +02:00
Tom Hvitved
84d79ccae9 Bump codeql submodule 2021-06-16 11:55:38 +02:00
Alex Ford
bf43a77df5 Include some more types of expressions as possible active record SQL sink arguments 2021-06-15 12:41:42 +01:00
Alex Ford
ea21c591af remove accidentally unbound variable 2021-06-15 11:39:48 +01:00
Alex Ford
c1b9952517 account for chained method calls when constructing ActiveRecord SQL queries 2021-06-15 11:39:48 +01:00
Alex Ford
f8a77b9854 format QL 2021-06-15 11:39:48 +01:00
Alex Ford
57c04266e3 rename SqlExecutingMethodCall as PotentiallyUnsafeSqlExecutingMethodCall 2021-06-15 11:39:48 +01:00
Alex Ford
2d4bb61789 limit SqlExecutingMethodCall to those that are called with a StringlikeLiteral argument 2021-06-15 11:39:48 +01:00
Alex Ford
2c15b60998 add ActiveRecord find_by_sql as an SQL executing method call 2021-06-15 11:39:48 +01:00
Alex Ford
c641d12259 add shell ActiveRecord library tests 2021-06-15 11:39:48 +01:00
Alex Ford
5b7df8578a cleanup ActiveRecord.qll 2021-06-15 11:39:48 +01:00
Alex Ford
7488d072d8 Model some SQL fragment sinks in ActiveRecord model classes 2021-06-15 11:39:48 +01:00
Alex Ford
743deee9ce add a class to represent ActiveRecord models 2021-06-15 11:39:48 +01:00
Alex Ford
7d3eaf40ff add base SqlExecution concepts 2021-06-15 11:39:48 +01:00
Tom Hvitved
3a37e321d5 Merge pull request #205 from github/hvitved/taint-tracking 
Initial taint-tracking library
 2021-06-15 09:30:59 +02:00
Tom Hvitved
8aa337ab01 Initial taint-tracking library 2021-06-14 14:19:34 +02:00
Tom Hvitved
b154c936c3 Improve performance of ExprChildMapping::reachesBasicBlock() 
Since all expressions are now post-order, the logic of `reachesBasicBlock` can
be simplified, and performance can be improved as well.
 2021-06-14 11:58:24 +02:00
Arthur Baars
661d6e8e38 HardCodedCredentials: fix query metadata comment 2021-06-11 11:59:46 +02:00
Tom Hvitved
8860b8adf0 Merge pull request #198 from github/hvitved/desugar-compound-assignment 2021-06-10 19:39:54 +02:00
Alex Ford
f74dff560b Merge pull request #187 from github/hardcoded-credentials 
Add rb/hardcoded-credentials query
 2021-06-10 16:12:32 +01:00
Alex Ford
8839d4c584 limit additional flow steps in rb/hardcoded-credentials to string concatenation 2021-06-10 14:59:28 +01:00
Alex Ford
fe45dadd55 set precision to high for rb/hardcoded-credentials 2021-06-10 14:52:26 +01:00
Alex Ford
e26afe91b5 move rb/hardcoded-credential alert location to the source 2021-06-07 14:53:04 +01:00
Alex Ford
5d79a8cec0 account for keyword args in rb/hardcoded-credentials and simplify query 2021-06-07 14:49:49 +01:00
Tom Hvitved
962768e7c0 Disambiguate toStrings for nested synthetic local variables 2021-06-04 19:20:11 +02:00
Tom Hvitved
82fbc03889 Merge pull request #200 from github/hvitved/dataflow/call-sensitivity 
Data flow: Call-sensitive resolution of lambda/block calls
 2021-06-04 16:25:13 +02:00
Alex Ford
ec326bfcb7 Merge pull request #201 from github/perm-file-report-source 
Report rb/weak-file-permission alerts at source rather than sink and improve alert message
 2021-06-04 14:52:48 +01:00
Alex Ford
8a3ffb6dca add missing toString 2021-06-04 13:25:03 +01:00
Alex Ford
b2d36babc4 report rb/weak-file-permission alerts at source rather than sink and improve alert message 2021-06-04 13:10:18 +01:00
Nick Rolfe
523a0b1f12 Merge pull request #197 from github/upgrade-pack 2021-06-04 13:03:39 +01:00
Tom Hvitved
61e35ddae1 Data flow: Call-sensitive resolution of lambda/block calls 2021-06-04 12:58:38 +02:00
Tom Hvitved
77146e4e04 Data flow: Reduce caching 
These predicates are now cached in the shared implementation.
 2021-06-04 12:53:47 +02:00
Tom Hvitved
f9eecfb59f Bump codeql submodule 2021-06-04 12:52:05 +02:00
Tom Hvitved
6678ac0347 Desugar compound assignments 2021-06-04 10:39:06 +02:00
Tom Hvitved
da9adfbab4 Improve performance of desugaring transformations 2021-06-04 10:34:00 +02:00