hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-29 22:32:58 +01:00
Code Issues Packages Projects Releases Wiki Activity
1,507 Commits 1,684 Branches 159 Tags
0ee00d86472292ba2e87764bc080c74d714b2f04
Commit Graph

1507 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Owen Mansel-Chan
0ee00d8647 Apply suggestions from code review 
Co-authored-by: Chris Smowton <smowton@github.com>
 2020-11-26 16:49:02 +00:00
Owen Mansel-Chan
bf78189e21 Make two separate queries 2020-11-26 14:59:13 +00:00
Owen Mansel-Chan
dec7967c7a Update qhelp files 2020-11-26 14:57:56 +00:00
Owen Mansel-Chan
e7697963d3 Exclude local function pointers 2020-11-26 14:57:56 +00:00
Owen Mansel-Chan
05fe388ba3 Mark hashing functions as safe 
See https://github.com/github/codeql-go-team/issues/219 for issue to
model this better
 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
d3bef7fc4f Model safe external APIs 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
4184a6ecd8 Add testing frameworks 
Add "github.com/golang/mock/gomock", several packages under
"github.com/stretchr/testify", £gotest.tools/assert",
"k8s.io/client-go/testing" and "testing"
 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
410cf49af8 Shorten function using set literal 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
18c66e84f7 Make more package paths accessible 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
171e433593 Exclude test files 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
fe5822ae3a Exclude functions in packages which have some modeled functions 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
ff542508aa Exclude sinks from common queries 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
b698276e3a Update function name to give better text output 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
50a32f47d5 First draft 2020-11-26 14:57:50 +00:00
Chris Smowton
7bbf9ed860 Merge pull request #410 from github/lgtm.com 
Merge lgtm.com into main
 2020-11-23 17:17:42 +00:00
Sauyon Lee
793d6f6053 Merge pull request #399 from sauyon/stored-xss 
Add stored XSS query
 2020-11-19 23:23:21 -08:00
Chris Smowton
93a7cc944a Merge pull request #403 from smowton/smowton/fix/type-assertion-dataflow 
Add data-flow edge `from -> to` in the context `to, ok := from.(*Type)`
 2020-11-19 16:13:55 +00:00
Chris Smowton
c93b2b709d Merge pull request #407 from smowton/smowton/fix/isunreachableincall-slowness 
Improve join order in `isUnreachableInCall`
 2020-11-19 11:22:48 +00:00
Chris Smowton
38e383858e Merge pull request #394 from smowton/smowton/feature/unsafe-unzip-symlink 
Add query checking for unpacking of symlinks without using EvalSymlinks to spot existing ones.
 2020-11-18 19:10:18 +00:00
Chris Smowton
d1f607ccd8 Improve join order in isUnreachableInCall 2020-11-18 19:06:52 +00:00
Owen Mansel-Chan
7433d448d9 Merge pull request #406 from owen-mc/update-dataflow-libs-2 
Update dataflow libs 2
 2020-11-17 21:17:52 +00:00
Chris Smowton
3d8470e1e2 Add and use TypeCastNode::getResultType 
This can differ from `getType` when a `TypeAssertExpr` returns a (result, ok) pair.
 2020-11-17 16:03:33 +00:00
Owen Mansel-Chan
ce67418cdc Update tests 
These changes match those in https://github.com/github/codeql/pull/4440
 2020-11-17 15:48:50 +00:00
Owen Mansel-Chan
d3154d0aa7 Sync dataflow libraries 
`make sync-dataflow-libraries`
 2020-11-17 15:48:50 +00:00
Owen Mansel-Chan
4bfe088c0f Update dataflow branch from master to main 2020-11-17 15:48:50 +00:00
Chris Smowton
1d850873f3 Add data-flow edge from -> to in the context to, ok := from.(*Type) 2020-11-17 10:59:59 +00:00
Chris Smowton
79c010a601 Move unsafe-unzip-symlink query into qll file and give it customization points. 2020-11-16 09:57:26 +00:00
Chris Smowton
500d78dafa Include os.Readlink as a probable sanitiser. 
A couple of projects seem to walk links one unit at a time, rather than just throwing `EvalSymlinks` at the whole potentially suspect path.
 2020-11-16 09:57:26 +00:00
Chris Smowton
2193642c6e Expand query to notice Symlink and archive iterator calls that do not directly share a loop 
We look across function-call boundaries to check there is some common enclosing loop, but false-positives are more likely if in practice there is no control-flow path from the archive iterator to the Symlink call and back.
 2020-11-16 09:57:26 +00:00
Chris Smowton
1a2c209259 Add query checking for unpacking of symlinks without using EvalSymlinks to spot existing ones. 
This is usually dangerous because (if the archive is untrusted) the intent is usually to permit within-archive symlinks, e.g. dest/a/parent -> .. -> dest/a is an acceptable link to unpack. However if EvalSymlinks is not used to take already-unpacked symlinks into account, it becomes possible to sneak tricks like dest/escapes -> dest/a/parent/.. through, which create links leading out of the archive for later abuse.
 2020-11-16 09:57:26 +00:00
Chris Smowton
43f9351094 Merge pull request #405 from igfoo/igfoo/portability 
Use more portable syntax in codeql-tools/autobuild.sh
 2020-11-13 14:59:54 +00:00
Ian Lynagh
f5223bae4c Use more portable syntax in codeql-tools/autobuild.sh 2020-11-13 14:30:04 +00:00
Sauyon Lee
7279d4090d Apply suggestions from code review 
Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
 2020-11-12 21:26:53 -08:00
Sauyon Lee
f129949a38 Apply review comments 
Co-authored-by: Chris Smowton <smowton@github.com>
 2020-11-11 23:49:23 -08:00
Sauyon Lee
efddef7fa2 Add tests for stored XSS query 2020-11-11 23:13:12 -08:00
Sauyon Lee
d517125507 Add tests for SQL framework 2020-11-11 23:13:12 -08:00
Sauyon Lee
30b17d9762 Add StoredXSS query 2020-11-11 23:13:11 -08:00
Sauyon Lee
36bbf1eeb9 Improve models for database/sql 2020-11-11 22:10:16 -08:00
Chris Smowton
82a5b5f264 Merge pull request #369 from sauyon/checkdeps 
Check dependencies before skipping dependency installation
 2020-11-11 09:54:33 +00:00
Chris Smowton
04cec8b542 Merge pull request #400 from sauyon/autoformat 
Autoformat tests
 2020-11-11 09:51:50 +00:00
Nick Rolfe
c7e03cbd98 Merge pull request #398 from github/nickrolfe/getFileBySourceArchiveName 
Replace getEncodedFile with getFileBySourceArchiveName predicate
 2020-11-10 18:19:00 +00:00
Sauyon Lee
5a9b8a5465 Autoformat 2020-11-10 09:35:29 -08:00
Sauyon Lee
80c2fcdbb8 Autoformat tests 2020-11-10 09:35:16 -08:00
Nick Rolfe
17b6401c22 Replace getEncodedFile with getFileBySourceArchiveName predicate 
While also making it work with paths for databases created on Windows.
 2020-11-10 16:43:21 +00:00
Chris Smowton
235b7c0bc5 Merge pull request #395 from sauyon/regexp 
SuspiciousCharacterInRegexp: Add fix for raw string literals
 2020-11-10 12:18:38 +00:00
Sauyon Lee
0950baf4b7 Add additional tests for suspicious character in regexp regexp 2020-11-09 10:36:27 -08:00
Sauyon Lee
eb26b0abd1 SuspiciousCharacterInRegexp: Add fix for raw string literals 2020-11-09 10:10:47 -08:00
Sauyon Lee
52d253a95b Add isRaw to StringLit 2020-11-09 10:08:51 -08:00
Chris Smowton
33f43626b3 Merge pull request #396 from sauyon/remove-code-scanning 
Remove code scanning temporarily
 2020-11-09 10:58:55 +00:00
Sauyon Lee
920f7153c8 autobuilder: Add dependency check 
Sometimes build scripts succeed without installing dependencies, for
example if they are unrelated to Go or if they simply always exit
successfully. Therefore, added a check that dependencies at least
resolve before skipping dependency installation.
 2020-11-09 02:13:48 -08:00