43 Commits

Author	SHA1	Message	Date
Owen Mansel-Chan	c11da5bf67	Make taint tracking tests use InlineFlowTest	2023-08-10 15:49:50 +01:00
Owen Mansel-Chan	1b4fef9c21	Make HTMLTemplateEscapingPassthrough use new API ... Removed edges and nodes are mostly duplicates. They were only there originally due to multiple configurations being in scope. `DataFlow::PathNode` has union semantics for configurations. Nodes are only generated if they are reachable from a source, but this includes sources from other configurations. No alerts are lost.	2023-08-10 15:49:36 +01:00
Owen Mansel-Chan	ea1f39683d	Make DivideByZero use new API ... The extra nodes in .expected files are due to the changes from https://github.com/github/codeql/pull/13717, which are not applied to configuration classes extending DataFlow::Configuration or TaintTracking::Configuration.	2023-08-10 15:49:35 +01:00
Owen Mansel-Chan	00cc78dfe6	Make CookieWithoutHttpOnly use new API ... The extra nodes in .expected files are due to the changes from https://github.com/github/codeql/pull/13717, which are not applied to configuration classes extending DataFlow::Configuration or TaintTracking::Configuration.	2023-08-10 15:49:00 +01:00
Porcupiney Hairs	74e5c15eaa	Go : Improvements to Timing Attacks query	2023-07-31 06:30:47 +05:30
Porcupiney Hairs	dc0deb5e49	Go : Improvements to DSN Injection query	2023-07-02 17:38:01 +05:30
Owen Mansel-Chan	c0fea85380	Accept test changes	2023-06-20 13:25:49 +01:00
Jeroen Ketema	97c4f497bc	Go: Rewrite inline expectation tests to use parameterized module	2023-06-09 10:41:21 +02:00
Chris Smowton	ee64ea59e1	Merge pull request #12901 from porcupineyhairs/goDsn ... Go: Add query to detect DSN Injection.	2023-05-11 22:45:43 +01:00
Porcupiney Hairs	2c518c1fa6	Include changes from review	2023-05-12 01:59:42 +05:30
Porcupiney Hairs	d536157c1a	Go : Add query to detect potential timing attacks	2023-05-11 09:57:50 +05:30
Owen Mansel-Chan	270ba09ffb	Merge pull request #11732 from owen-mc/go/fix/model-data-flow-through-varargs ... Go: Allow data flow through varargs parameters	2023-05-11 05:26:40 +01:00
Porcupiney Hairs	ec424d7e51	Go: Add query to detect DSN Injection.	2023-05-11 03:45:29 +05:30
Michael B. Gale	5a44fae515	Go: add test for unrelated A->C data flow	2023-04-28 10:56:12 +01:00
Owen Mansel-Chan	f2368a9441	Do not use variadic sink fn in tests	2023-04-28 06:09:11 +01:00
Michael B. Gale	72b082806b	Go: Update html-template-escaping-passthrough ... Modify this query to apply sanitizers only in the data flow between untrusted inputs and passthrough conversion types.	2023-04-27 17:14:38 +01:00
Chris Smowton	d648b34037	Accept test changes ... These are caused by nodes being hidden by https://github.com/github/codeql/pull/12783	2023-04-12 15:05:04 +01:00
Chris Smowton	141d6b8d7b	Accept paths test changes	2023-04-12 14:19:04 +01:00
Chris Smowton	f36a2143f5	Accept more test changes; add some missing models	2023-04-12 14:19:00 +01:00
Chris Smowton	bfc8db90af	Accept test changes ... This is 1x path changes without result changes, and 1x expected change since the Encode function is no longer modelled using TaintTracking::FunctionModel	2023-04-12 14:19:00 +01:00
Porcupiney Hairs	e9615c57e9	Go: Add more JWT sinks ... This pull requests adds modelling for `katras/iris/v12/middleware/jwt`, `katras/jwt` and `gogf/gf-jwt` frameworks.	2023-03-31 23:11:24 +05:30
Owen Mansel-Chan	50414cc748	Make DataFlowType a singleton	2022-12-14 14:40:15 +00:00
Owen Mansel-Chan	1a65a27fde	Update test expectations ... In https://github.com/github/codeql/pull/8641, `localFlowExit` was changed to use `Stage2::readStepCand` instead of `read`, which means that the big-step relation is broken up less. This causes test result changes. Nothing is lost from the `select` clause, but some results may have fewer paths, and fewer nodes and edges are output in the test results.	2022-11-17 14:27:06 +00:00
Josh Soref	b1052992fe	spelling: against ... Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>	2022-10-11 00:23:35 -04:00
erik-krogh	d5c45056bd	fix some more style-guide violations in the alert-messages	2022-10-07 11:21:01 +02:00
erik-krogh	175d3acf4d	reword alert-message go/user-controlled-bypass to avoid using "here"	2022-09-20 22:51:35 +02:00
erik-krogh	2602a38d94	update expected test output	2022-09-20 22:51:35 +02:00
erik-krogh	26d8553f6e	ensure consistent casing of names	2022-09-09 10:34:14 +02:00
Ian Lynagh	b9a4b5ab9a	Make *.qlref non-executable	2022-08-24 16:53:16 +01:00
Rasmus Wriedt Larsen	07c22a857f	Merge pull request #9420 from RasmusWL/sync-go-inline ... Go: Sync InlineExpectationsTest	2022-06-03 11:37:13 +02:00
Chris Smowton	04422eeaee	Merge pull request #9378 from porcupineyhairs/goJwtSign ... Golang : Add query to detect JWT signing vulnerabilities	2022-06-02 20:53:03 +01:00
Chris Smowton	d5ac7190cc	Remove duplicate function	2022-06-02 17:02:54 +01:00
Porcupiney Hairs	361b7037c6	Include suggested changes from review.	2022-06-02 19:11:44 +05:30
Rasmus Wriedt Larsen	0b486ade9b	Go: Autoformat	2022-06-02 15:12:13 +02:00
Rasmus Wriedt Larsen	aadf7aefb0	Go: Use new location in hasLocationInfo	2022-06-02 15:05:58 +02:00
Rasmus Wriedt Larsen	3f857e113c	Go: Adjust hasActualResult overrides	2022-06-02 14:55:27 +02:00
Porcupiney Hairs	1ef42a11ad	Include suggested changes from review.	2022-06-02 16:04:29 +05:30
Porcupiney Hairs	ae2bc1b410	Include suggested changes from review.	2022-05-31 23:10:57 +05:30
Porcupiney Hairs	e0f74a51ac	Include suggested changes from review.	2022-05-31 17:17:54 +05:30
Porcupiney Hairs	bd1ddc177e	Golang : Add query to detect JWT signing vulnerabilities ... Supersedes github/codeql-go#705	2022-05-31 01:56:59 +05:30
Porcupiney Hairs	ae2cc378e5	Golang : Add Query To Detect PAM Authorization Bugs	2022-05-31 01:28:55 +05:30
Chuan-kai Lin	c58b5397c2	Go: delete test qhelp file ... There shouldn't be qhelp files in the ql/test tree. https://github.com/github/codeql/pull/8631#issuecomment-1087316116	2022-05-20 10:22:47 -07:00
Chuan-kai Lin	aa514fff32	codeql-go merge prep: move into go/ directory	2022-05-20 10:07:19 -07:00