hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-29 14:23:03 +01:00
Code Issues Packages Projects Releases Wiki Activity
1,421 Commits 1,684 Branches 159 Tags
2818da4df936831fb9dca366e7b79cfd05f892ba
Commit Graph

1421 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Chris Smowton
2818da4df9 Advance to latest codeql-cli release 2020-10-21 17:27:18 +01:00
Chris Smowton
9aceae8bd6 Revel: add support and tests for Render and Redirect sinks. 2020-10-20 10:00:05 +01:00
Owen Mansel-Chan
b2b8f10418 Fix stub for Revel 
Embedded fields aren't stubbed correctly
 2020-10-19 15:47:08 +01:00
Owen Mansel-Chan
4dfa9d58c0 Model Revel 2020-10-19 15:47:07 +01:00
Owen Mansel-Chan
f4f29be8ac Add ability to specify default taint sanitizers 
This allows library models to specify taint sanitizers.
 2020-10-19 15:46:33 +01:00
Owen Mansel-Chan
01ad7acb6f Remove unnecessary import 2020-10-19 15:46:33 +01:00
Owen Mansel-Chan
f49ff279b8 Merge pull request #375 from owen-mc/spew 
Model Spew logging framework
 2020-10-16 13:20:13 +01:00
Owen Mansel-Chan
b89775ac65 Update change-notes/2020-10-14-spew.md 
Co-authored-by: Chris Smowton <smowton@github.com>
 2020-10-16 10:56:27 +01:00
Chris Smowton
2b07e6a0f4 Merge pull request #324 from sauyon/tracing 
Build tracing
 2020-10-15 11:27:34 +01:00
Chris Smowton
4746789fe8 Merge pull request #224 from sauyon/no-vendor 
Skip vendor directories for go.mod extraction
 2020-10-15 11:03:26 +01:00
Sauyon Lee
e5afd1dcb6 go-extractor: clarify --mimic error message 
Co-authored-by: Chris Smowton <smowton@github.com>
 2020-10-14 09:43:10 -07:00
Sauyon Lee
25eebe95e4 autobuilder: Clarify error message 2020-10-14 09:42:12 -07:00
Sauyon Lee
3c6626c604 Don't trace through problem binaries on OS X 
See https://github.com/github/semmle-code/pull/37764
 2020-10-14 09:42:12 -07:00
Sauyon Lee
3addb962a9 Add change note for build tracing 2020-10-14 09:42:12 -07:00
Sauyon Lee
2e73f3efd1 Add change note for go.mod extraction change 
Co-authored-by: Chris Smowton <smowton@github.com>
 2020-10-14 09:25:39 -07:00
Sauyon Lee
1ba1029a13 Use comment-based tests for GoModExpr 2020-10-14 09:25:38 -07:00
Sauyon Lee
34837c10ce Fix tests for go.mod files 2020-10-14 09:25:38 -07:00
Sauyon Lee
3242df4177 Use package root directory to find go.mod files 2020-10-14 09:13:57 -07:00
Owen Mansel-Chan
8811758e44 Add change note 2020-10-14 14:49:50 +01:00
Owen Mansel-Chan
4b76966a49 Model Spew logging framework 2020-10-14 14:47:22 +01:00
Chris Smowton
b2fef01d28 Merge pull request #378 from smowton/smowton/admin/change-note-typo 
Fix changenote typo
 2020-10-14 13:33:21 +01:00
Chris Smowton
72ee460a64 Fix changenote typo 2020-10-14 13:32:26 +01:00
Chris Smowton
0afa0e75c4 Merge pull request #374 from smowton/smowton/feature/more-accurate-allocation-overflow 
Improve accuracy of allocation-size-overflow by excluding len(...) calls that never see a large operand
 2020-10-14 13:25:45 +01:00
Chris Smowton
83a7411a05 Improve accuracy of allocation-size-overflow by excluding len(...) calls that never see a large operand 
This is achieved by splitting the query into two pieces: (1) trace flow from indefinitely large object creation to len(...) calls, then (2) considering those particular len(...) calls as taint propagators, trace taint from the same sources all the way to an allocation call. This is more accurate than the previous solution, which considered any len(...) call to propagate taint, potentially confusing an array that stored a large value in one of its cells for an array which is itself of large size.
 2020-10-14 10:16:08 +01:00
Chris Smowton
59f8717ca2 Merge pull request #372 from smowton/smowton/feature/golang-x-net-context 
Extend `context` models to cover its old `golang.org/x/net/context` home.
 2020-10-13 10:33:36 +01:00
Chris Smowton
40869480e1 Extend context models to cover its old golang.org/x/net/context home. 2020-10-12 12:27:19 +01:00
Chris Smowton
b370a865f1 Merge pull request #370 from max-schaefer/fix-formatting-targets 
Fix escaping in Makefile targets.
 2020-10-09 10:56:07 +01:00
Max Schaefer
9db478aa03 Fix escaping in Makefile targets. 
Previously, invoking `make autoformat` would run a command of this form:

```sh
... | grep \\.go$ | ...
```

Note that the `$` is not escaped. This probably wasn't intended, even though it happens to work anyway, since the shell doesn't try to expand lone `$`s.

More problematically, invoking `make check-formatting` would run a command of this form:

```sh
... | grep \\.go| ...
```

Note that the `$` is gone, so it matches `.go` anywhere in the file name. In particular, it matches `ql/test/library-tests/semmle/go/frameworks/Protobuf/vendor/google.golang.org/protobuf/LICENSE`, which I think is responsible for the somewhat mysterious "expected 'package', found Copyright" errors we've been seeing from CI.

This PR fixes both targets to run

```sh
... | grep '\.go$' | ...
```

Because of the single quotes we only need a single backslash, and the `$` gets left alone.
 2020-10-09 09:07:24 +01:00
Sauyon Lee
85c92251d6 Add a new binary for tracing 2020-10-08 23:31:06 -07:00
Sauyon Lee
de0582a67f autobuilder: extract out attempted build commands 2020-10-08 23:31:05 -07:00
Sauyon Lee
cd63ea84aa extractor: revamp argument parsing 2020-10-08 23:31:05 -07:00
Sauyon Lee
2da89c6527 extractor: factor out run from autobuilder 2020-10-08 23:31:05 -07:00
Sauyon Lee
eaf5342b7d Enable Go modules while determining module directory 2020-10-08 23:31:05 -07:00
Sauyon Lee
16796529fc Add package directory as a wanted root 2020-10-08 23:31:05 -07:00
Chris Smowton
024e8ef715 Merge pull request #368 from sauyon/xpath-fix 
Update XPathExpressionString to match the Range pattern
 2020-10-08 09:24:04 +01:00
Sauyon Lee
43de6ea836 Update XPathExpressionString to match the Range pattern 
Fixes #367
 2020-10-07 14:29:05 -07:00
Chris Smowton
c8a2d30e39 Merge pull request #360 from smowton/smowton/feature/stack-trace-exposure 
Add stack-trace exposure query
 2020-10-07 11:08:37 +01:00
Chris Smowton
d7dcf27f57 Merge pull request #362 from smowton/smowton/admin/refactor-function-node 
Refactor DataFlow::FunctionNode as a concrete class
 2020-10-06 15:08:54 +01:00
Chris Smowton
0eb7ac94cc Add stack-trace exposure query 
This is a port of `java/stack-trace-exposure`, and does the same job: warn that a stack dump is written to an HTTP response.
 2020-10-06 14:42:59 +01:00
Chris Smowton
68bb7b02fe Refactor DataFlow::FunctionNode as a concrete class 
This makes it easier to refine FunctionNode without having to define abstract members.
 2020-10-06 14:02:57 +01:00
Chris Smowton
5bdff0f9d3 Merge pull request #363 from smowton/smowton/fix/use-realpath-for-gopath 
Autobuilder: Use fully resolved path for GOPATH
 2020-10-05 10:53:17 +01:00
Chris Smowton
6b6c862274 Autobuilder: Use fully resolved path for GOPATH 
Otherwise on systems where /tmp is a symlink (e.g. default OSX setup), GOPATH does not match the current working directory after os.Chdir'ing to that directory (os.Chdir resolves symlinks, unlike a shell's 'cd' command), which causes `dep` to fail complaining that it is being run from outside GOPATH.
 2020-10-02 17:05:47 +01:00
Chris Smowton
e8710612d8 Merge pull request #361 from smowton/smowton/admin/fix-broken-qhelp-links 
Fix OWASP broken links
 2020-10-01 14:28:30 +01:00
Chris Smowton
4af5765275 Fix OWASP broken links 2020-10-01 13:06:03 +01:00
Chris Smowton
1be34c0c90 Merge pull request #359 from smowton/smowton/fix/suspicious-regex-qhelp 
Improve variable names in example code
 2020-09-30 11:03:10 +01:00
Max Schaefer
3490d35926 Merge pull request #358 from smowton/smowton/admin/qhelp-action 
Add Action to build and upload qhelp
 2020-09-29 17:31:07 +01:00
Chris Smowton
1cfad846c8 Improve variable names in example code 
These were inherited from the JS version of the example, which concerns HTML.
 2020-09-29 16:37:06 +01:00
Chris Smowton
6b28c0705a Add Action to build and upload qhelp 2020-09-29 16:16:25 +01:00
Max Schaefer
3dde501b54 Merge pull request #356 from max-schaefer/api-cleanup 
Add and move around a few convenience predicates
 2020-09-29 08:32:53 +01:00
Max Schaefer
97fb967d5c Add a few tests. 2020-09-28 10:58:28 +01:00