Rasmus Lerchedahl Petersen
49d4b1480d
python: Do not remove ChainedConfigs12.qll
...
since it was clearly already used.
Add deprecation message instead.
2022-01-21 12:27:29 +01:00
Rasmus Lerchedahl Petersen
35c9307baa
python: rewrite NoSQLInjection to use flow state
...
This allows a bit more precision. Specifically, we could
require the sanitizer to only affect `ConvertedToDict`.
In practice, most sanitizers woudl probably fail on raw
input also, though.
2022-01-21 12:12:58 +01:00
Rasmus Lerchedahl Petersen
a5bc5373d0
python: Rewrite path injection to use flow state
...
This removes the FP cause by chaining
This PR also removes `ChainedConfigs12.qll`,
as we hope to solve future problems via flow states.
2022-01-21 09:26:48 +01:00
Tony Torralba
c09b6691e1
Merge pull request #6171 from atorralba/atorralba/promote-unsafe-certificate-trust
...
Java: Promote Unsafe certificate trust query from experimental
2022-01-20 12:07:03 +01:00
Anders Schack-Mulligen
f154530141
Merge pull request #7662 from JLLeitschuh/patch-2
...
Fix typo in FileWritable
2022-01-20 11:13:59 +01:00
Anders Schack-Mulligen
4aa2661dc1
Merge pull request #7634 from bmuskalla/refactorLangModel
...
Refactor Apache Commons Lang model
2022-01-20 11:01:25 +01:00
CodeQL CI
cfa670c123
Merge pull request #7651 from erik-krogh/CWE-471
...
Approved by asgerf, esbena
2022-01-20 01:47:39 -08:00
Benjamin Muskalla
2748bbffa3
Merge pull request #7656 from bmuskalla/excludeMainLoggingGenerator
...
Java: Exclude irrelevant rows from models
2022-01-20 10:40:51 +01:00
Michael Nebel
547f492be0
Merge pull request #7577 from michaelnebel/csharp/line-pragma
...
C#: Make support for Line span pragma
2022-01-20 09:51:57 +01:00
Jonathan Leitschuh
23548c50e1
Fix typo in FileWritable
2022-01-19 16:14:38 -05:00
Tom Hvitved
70f4efb834
Merge pull request #7646 from hvitved/csharp/roslyn-tuple-elements-workaround
...
C#: Workaround Roslyn bug in `INamedTypeSymbol.TupleElements`
2022-01-19 19:54:29 +01:00
Tony Torralba
695e77a219
Simplify isSslSocket predicate
2022-01-19 17:01:28 +01:00
Mathias Vorreiter Pedersen
40c8881575
Merge pull request #7472 from erik-krogh/redundant-aggregate
...
QL-for-QL: Add a could-be-cast query
2022-01-19 15:48:00 +00:00
Henry Mercer
58b1a6fd40
Merge pull request #7655 from github/henrymercer/bump-atm-query-pack-v0.0.6
...
JS: Bump ML-powered query packs to v0.0.6
2022-01-19 15:44:55 +00:00
Tony Torralba
e442e50e6b
Apply suggestions from code review
...
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com >
2022-01-19 16:43:48 +01:00
Tony Torralba
101ad777e3
Move things around after rebase
2022-01-19 16:43:48 +01:00
Tony Torralba
03020582af
Apply suggestions from code review
...
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com >
2022-01-19 16:43:47 +01:00
Tony Torralba
9ffc5ab183
Update java/ql/src/semmle/code/java/security/UnsafeCertTrustQuery.qll
...
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com >
2022-01-19 16:43:47 +01:00
Tony Torralba
c16181dd2f
QLDocs
2022-01-19 16:43:46 +01:00
Tony Torralba
000a544729
Decouple UnsafeCertTrust.qll to reuse the taint tracking configuration
2022-01-19 16:43:43 +01:00
Tony Torralba
1e2a956a30
Remove unused stub
2022-01-19 16:43:02 +01:00
Tony Torralba
d9e98ceacc
Consider setSslContextFactory and fix tests
2022-01-19 16:43:01 +01:00
Tony Torralba
4d207101e2
Fix QLDoc
2022-01-19 16:43:00 +01:00
Tony Torralba
999acb0021
Improve qhelp references
2022-01-19 16:43:00 +01:00
Tony Torralba
e9712f04a4
Add missing QLDoc
2022-01-19 16:42:59 +01:00
Tony Torralba
698fd64f7f
Adjust test after rebase
2022-01-19 16:42:59 +01:00
Tony Torralba
68fe3dd9f4
Fix conflicts in experimental query
2022-01-19 16:42:58 +01:00
Tony Torralba
c24520cb75
Adjust qhelp after rebase
2022-01-19 16:42:58 +01:00
Tony Torralba
5997b874de
Add change note
2022-01-19 16:42:53 +01:00
Tony Torralba
9e93aecf75
Add spurious test case
2022-01-19 16:42:06 +01:00
Tony Torralba
19d1a780ca
Generalize sanitizer using local flow
2022-01-19 16:42:05 +01:00
Tony Torralba
64518bf91a
Handle a specific pass-by-reference flow issue
2022-01-19 16:42:04 +01:00
Tony Torralba
4508945f85
Fix assumption regarding when an SSLSocket does the TLS handhsake
2022-01-19 16:42:03 +01:00
Tony Torralba
e842acf9e0
Improve qhelp
2022-01-19 16:42:03 +01:00
Tony Torralba
5d4cd70f8c
Adjusted sources and sanitizer of UnsafeCertTrust taint tracking config
2022-01-19 16:42:02 +01:00
Tony Torralba
e43fff2d30
Use InlineExpectationsTest
2022-01-19 16:42:02 +01:00
Tony Torralba
02d0fa9188
Minor changes in QLDocs and a sanitizer's type
2022-01-19 16:42:01 +01:00
Tony Torralba
4313baf622
Big refactor:
...
- Move classes and predicates to appropriate libraries
- Overhaul the endpoint identification algorithm logic to use taint tracking
- Adapt tests
2022-01-19 16:42:00 +01:00
Tony Torralba
e0f4c73aed
Move from experimental
2022-01-19 16:42:00 +01:00
Benjamin Muskalla
52406dc8df
Exclude logging sinks
...
Those sinks are too coarse grained to be exposed as sinks on any model.
2022-01-19 16:11:59 +01:00
Benjamin Muskalla
25d251c24f
Exclude main methods from models
2022-01-19 16:11:59 +01:00
Tom Hvitved
7e3f3c6e2a
Merge pull request #7515 from hvitved/csharp/extraction-mode
...
C#: Introduce extractor mode to identify DBs created with `codeql test run`
2022-01-19 16:04:57 +01:00
Chris Smowton
162b3822dd
Merge pull request #7613 from github/smowton/admin/tag-random-used-once
...
Remove security-severity tag to java/random-used-once
2022-01-19 14:43:08 +00:00
Henry Mercer
c134e6c9ef
JS: Bump ML-powered query packs to v0.0.6
2022-01-19 14:40:42 +00:00
Chris Smowton
c63fcb2c69
Add change note
2022-01-19 14:13:45 +00:00
Chris Smowton
f0645a34b9
Remove security-severity tag instead
...
This leaves the Java query in the same state as its C# cousin.
2022-01-19 14:06:40 +00:00
Erik Krogh Kristensen
cb9e14f544
add cwe-471 to js/prototype-pollution
2022-01-19 14:54:57 +01:00
Tom Hvitved
cb098df4ea
Merge pull request #7334 from github/hmac/regexp-interpolations
...
Ruby: Resolve simple string interpolations
2022-01-19 14:43:58 +01:00
Mathias Vorreiter Pedersen
dfbde23821
Merge pull request #7627 from geoffw0/nullterm5
...
C++: Fix branch related FPs in cpp/improper-null-termination.
2022-01-19 13:30:05 +00:00
Erik Krogh Kristensen
e4203a4109
add CWE-471 to the prototype-pollution queries
2022-01-19 14:26:34 +01:00