hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-29 14:23:03 +01:00
Code Issues Packages Projects Releases Wiki Activity
1,390 Commits 1,684 Branches 159 Tags
40869480e148ae616da257ddbcebdc1ce0f8add5
Commit Graph

1390 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Chris Smowton
40869480e1 Extend context models to cover its old golang.org/x/net/context home. 2020-10-12 12:27:19 +01:00
Chris Smowton
b370a865f1 Merge pull request #370 from max-schaefer/fix-formatting-targets 
Fix escaping in Makefile targets.
 2020-10-09 10:56:07 +01:00
Max Schaefer
9db478aa03 Fix escaping in Makefile targets. 
Previously, invoking `make autoformat` would run a command of this form:

```sh
... | grep \\.go$ | ...
```

Note that the `$` is not escaped. This probably wasn't intended, even though it happens to work anyway, since the shell doesn't try to expand lone `$`s.

More problematically, invoking `make check-formatting` would run a command of this form:

```sh
... | grep \\.go| ...
```

Note that the `$` is gone, so it matches `.go` anywhere in the file name. In particular, it matches `ql/test/library-tests/semmle/go/frameworks/Protobuf/vendor/google.golang.org/protobuf/LICENSE`, which I think is responsible for the somewhat mysterious "expected 'package', found Copyright" errors we've been seeing from CI.

This PR fixes both targets to run

```sh
... | grep '\.go$' | ...
```

Because of the single quotes we only need a single backslash, and the `$` gets left alone.
 2020-10-09 09:07:24 +01:00
Chris Smowton
024e8ef715 Merge pull request #368 from sauyon/xpath-fix 
Update XPathExpressionString to match the Range pattern
 2020-10-08 09:24:04 +01:00
Sauyon Lee
43de6ea836 Update XPathExpressionString to match the Range pattern 
Fixes #367
 2020-10-07 14:29:05 -07:00
Chris Smowton
c8a2d30e39 Merge pull request #360 from smowton/smowton/feature/stack-trace-exposure 
Add stack-trace exposure query
 2020-10-07 11:08:37 +01:00
Chris Smowton
d7dcf27f57 Merge pull request #362 from smowton/smowton/admin/refactor-function-node 
Refactor DataFlow::FunctionNode as a concrete class
 2020-10-06 15:08:54 +01:00
Chris Smowton
0eb7ac94cc Add stack-trace exposure query 
This is a port of `java/stack-trace-exposure`, and does the same job: warn that a stack dump is written to an HTTP response.
 2020-10-06 14:42:59 +01:00
Chris Smowton
68bb7b02fe Refactor DataFlow::FunctionNode as a concrete class 
This makes it easier to refine FunctionNode without having to define abstract members.
 2020-10-06 14:02:57 +01:00
Chris Smowton
5bdff0f9d3 Merge pull request #363 from smowton/smowton/fix/use-realpath-for-gopath 
Autobuilder: Use fully resolved path for GOPATH
 2020-10-05 10:53:17 +01:00
Chris Smowton
6b6c862274 Autobuilder: Use fully resolved path for GOPATH 
Otherwise on systems where /tmp is a symlink (e.g. default OSX setup), GOPATH does not match the current working directory after os.Chdir'ing to that directory (os.Chdir resolves symlinks, unlike a shell's 'cd' command), which causes `dep` to fail complaining that it is being run from outside GOPATH.
 2020-10-02 17:05:47 +01:00
Chris Smowton
e8710612d8 Merge pull request #361 from smowton/smowton/admin/fix-broken-qhelp-links 
Fix OWASP broken links
 2020-10-01 14:28:30 +01:00
Chris Smowton
4af5765275 Fix OWASP broken links 2020-10-01 13:06:03 +01:00
Chris Smowton
1be34c0c90 Merge pull request #359 from smowton/smowton/fix/suspicious-regex-qhelp 
Improve variable names in example code
 2020-09-30 11:03:10 +01:00
Max Schaefer
3490d35926 Merge pull request #358 from smowton/smowton/admin/qhelp-action 
Add Action to build and upload qhelp
 2020-09-29 17:31:07 +01:00
Chris Smowton
1cfad846c8 Improve variable names in example code 
These were inherited from the JS version of the example, which concerns HTML.
 2020-09-29 16:37:06 +01:00
Chris Smowton
6b28c0705a Add Action to build and upload qhelp 2020-09-29 16:16:25 +01:00
Max Schaefer
3dde501b54 Merge pull request #356 from max-schaefer/api-cleanup 
Add and move around a few convenience predicates
 2020-09-29 08:32:53 +01:00
Max Schaefer
97fb967d5c Add a few tests. 2020-09-28 10:58:28 +01:00
Max Schaefer
56f295f741 Add a few useful shortcuts. 2020-09-25 16:58:28 +01:00
Sauyon Lee
2ba9bbfd8b Merge pull request #355 from sauyon/moddir-fix 
Improve extractor logging and a minor readability fix
 2020-09-25 05:44:35 -07:00
Sauyon Lee
7ea3b34e4b extractor: Reorganize code to be in a slightly more sensible order 2020-09-25 04:23:35 -07:00
Sauyon Lee
e158b39287 Improve extractor logging 
Co-authored-by: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
 2020-09-25 04:23:31 -07:00
Max Schaefer
8667b64a1c Make result variables aware of their index. 2020-09-25 10:51:32 +01:00
Chris Smowton
88c740bbbc Merge pull request #353 from gagliardetto/remove-duplicate-models 
Remove duplicate models (the end)
 2020-09-24 13:31:18 +01:00
Slavomir
4f7edb85da Fix package count 2020-09-24 12:41:14 +02:00
Slavomir
1f5da54ac9 Update change-notes/2020-09-23-stdlib.md 
Co-authored-by: Chris Smowton <smowton@github.com>
 2020-09-24 12:40:39 +02:00
Arthur Baars
575c56c426 Merge pull request #354 from github/aibaars/lgtm-go-lines-of-comment 
LGTM: add Metrics/FLinesOfComment.ql to go-lgtm-full.qls
 2020-09-24 12:22:07 +02:00
Arthur Baars
240f3ed7dc LGTM: add Metrics/FLinesOfComment.ql to go-lgtm-full.qls 2020-09-24 11:04:15 +02:00
Max Schaefer
907ae20a16 Merge pull request #350 from smowton/smowton/feature/bad-regex-escape-query 
Add query spotting probably-bad escapes in regular expressions.
 2020-09-24 09:49:16 +01:00
Slavomir
8e007623ca Improve change note 2020-09-23 18:03:11 +02:00
Slavomir
ef20f75cbe Add change note 2020-09-23 17:52:52 +02:00
Slavomir
8b397c1eff Remove this. from the generated method and interface models 2020-09-23 17:28:44 +02:00
Slavomir
539127b1d1 Remove models for methods for which there already is a models for the interface they implement. 2020-09-23 17:16:01 +02:00
Chris Smowton
59138048bb Add query spotting probably-bad escapes in regular expressions. 
Inspired by js/useless-regexp-character-escape, but much much simpler because the Go source code parser forbids unrecognised escapes and its regex engine refuses to compile \\x where x is not a character class or other special token (e.g. start-of-word).
 2020-09-23 15:07:22 +01:00
Chris Smowton
a094ddb988 Merge pull request #349 from gagliardetto/stdlib-339-340-342-346-347 
Merge #339 #340 #342 #346 #347
 2020-09-23 14:38:04 +01:00
Chris Smowton
1a3589ac06 Merge pull request #352 from smowton/smowton/feature/http-newrequest 
Add model for net/http.NewRequest
 2020-09-23 09:56:17 +01:00
Max Schaefer
6130720e00 Merge pull request #348 from max-schaefer/functioninput_entrynode 
Ensure `FunctionInput`s corresponding to results have an entry node
 2020-09-23 09:15:18 +01:00
Chris Smowton
c1fbbfb05a Add model for net/http.NewRequest noting that if the URL is tainted then the response should be considered tainted also. 2020-09-23 08:46:36 +01:00
Slavomir
364b6810ce Sort stdlib imports 2020-09-22 18:50:12 +02:00
Slavomir
a7148638aa Merge branch 'standard-lib-pt-6' into stdlib-339-340-342-346-347 2020-09-22 18:44:14 +02:00
Slavomir
61a0cfa06a Merge branch 'standard-lib-pt-4' into stdlib-339-340-342-346-347 2020-09-22 18:43:30 +02:00
Slavomir
315514085f Merge branch 'standard-lib-pt-9' into stdlib-339-340-342-346-347 2020-09-22 18:43:14 +02:00
Slavomir
0510404112 Merge branch 'standard-lib-pt-12' into stdlib-339-340-342-346-347 2020-09-22 18:42:46 +02:00
Slavomir
1a5d582750 Remove Regexp 2020-09-22 13:37:39 +02:00
Slavomir
e742525be5 Fix (*Logger).Writer() model 2020-09-22 13:35:55 +02:00
Slavomir
bff19d5a37 Move and extend Log module for package log with taint-tracking 2020-09-22 13:35:55 +02:00
Slavomir
3a7406b14c Remove redundant Read and Write method models 2020-09-22 13:33:37 +02:00
Slavomir
3abf0e8d29 Add taint-tracking for crypto/x509 package 2020-09-22 13:33:37 +02:00
Slavomir
3acb7a5311 Add taint-tracking for crypto/tls package 2020-09-22 13:33:37 +02:00