hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-25 16:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity
58,107 Commits 1,741 Branches 165 Tags
49d510018d2c04a34ea051ee29ece452aa125e4e
Commit Graph

58107 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rasmus Wriedt Larsen
49d510018d Python: Add change-note 2023-08-29 11:11:32 +02:00
Rasmus Wriedt Larsen
0b2458d065 Python: Improve modeling of Flask jsonify 
I also tested whether `Flask.jsonify` or `Flask().jsonify` worked, but
they do not.
 2023-08-29 11:11:32 +02:00
Rasmus Wriedt Larsen
26319bfc04 Python: Fix Flask jsonify XSS regression 
The reason the result was found before, is that `jsonify(data)` was
modeled as TWO separate subclasses of `Http::Server::HttpResponse`, one
because of the implicit construction in return
(FlaskRouteHandlerReturn), and one from the `jsonify` call
(FlaskJsonifyCall). Due to the QL evaluation, we got a combination from
the two, meaning mime-type from FlaskRouteHandlerReturn and body from
FlaskJsonifyCall...
 2023-08-29 11:11:32 +02:00
Rasmus Wriedt Larsen
b36fd9fdab Python: Add jsonify XSS regression example 2023-08-29 10:38:49 +02:00
Michael Nebel
5f4861f72e Merge pull request #14069 from michaelnebel/csharp/nugetexe 
C#: Download `nuget.exe` in the dependency manager (if not present).
 2023-08-29 10:04:50 +02:00
Michael Nebel
5de8d9181d C#: Address review comments. 2023-08-29 09:33:11 +02:00
Jeroen Ketema
0d1fd88729 Merge pull request #14050 from jketema/inline-6 
Consolidate all `InlineFlowTest` libraries in the dataflow qlpack
 2023-08-29 09:30:35 +02:00
Dave Bartolomeo
3343b78015 Merge pull request #14074 from github/post-release-prep/codeql-cli-2.14.3 
Post-release preparation for codeql-cli-2.14.3
 2023-08-28 13:34:10 -04:00
github-actions[bot]
3eba77421a Post-release preparation for codeql-cli-2.14.3 2023-08-28 15:53:49 +00:00
Michael Nebel
e19c7758ed C#: Cleanup NugetPackages.cs. 2023-08-28 15:19:16 +02:00
Michael Nebel
6e4865ddd9 C#: Download nuget.exe to the source directory in case it is not installed. 2023-08-28 15:14:13 +02:00
Michael Nebel
b6c2ea520b C#: Some re-factoring of NugetPackages and logic for file downloading. 2023-08-28 15:14:13 +02:00
yoff
2e981e330b Merge pull request #14059 from RasmusWL/fix-loginjection-tests 
Python: Fix stdlib sinks in LogInjection query
 2023-08-28 14:44:51 +02:00
yoff
6e05246daa Merge pull request #13935 from yoff/python/mad-on-externals 
Python: MaD on externals
 2023-08-28 14:04:54 +02:00
Rasmus Wriedt Larsen
c807ab4216 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2023-08-28 14:04:22 +02:00
yoff
826b8e6aa5 Merge pull request #14067 from RasmusWL/modern-dataflowquerytests 
Python: Adopt tests to new `DataflowQueryTest`
 2023-08-28 13:54:34 +02:00
Michael Nebel
e7dbe9f289 Merge pull request #14028 from michaelnebel/csharp/dependencygetfiles 
C#: Improve GetFiles in the Dependency Manager.
 2023-08-28 12:53:28 +02:00
Rasmus Wriedt Larsen
38b78128c0 Merge pull request #13990 from RasmusWL/experimental-cleanup 
Python: Port old experimental points-to based queries
 2023-08-28 12:11:17 +02:00
Rasmus Wriedt Larsen
889cb7a95b Python: Adopt tests to new DataflowQueryTest 
Co-authored-by: Rasmus Lerchedahl Petersen <yoff@github.com>
 2023-08-28 11:44:01 +02:00
Rasmus Wriedt Larsen
9c44235782 Python: Modernize DataflowQueryTest.qll 
Co-authored-by: Rasmus Lerchedahl Petersen <yoff@github.com>
 2023-08-28 11:40:41 +02:00
Rasmus Wriedt Larsen
7cba6cd1d8 Python: Update .expected files 
Due to change in path-graph, and including LHS of assignments
 2023-08-28 11:33:44 +02:00
Rasmus Wriedt Larsen
0f242475f2 Merge branch 'main' into experimental-cleanup 2023-08-28 11:01:22 +02:00
Rasmus Wriedt Larsen
0dca8a5d86 Python: Remove old points-to modeling file 
Since all of this was ported already
 2023-08-28 10:40:45 +02:00
Rasmus Wriedt Larsen
39e2b133e9 Python: Fix naming 2023-08-28 10:40:33 +02:00
Alex Ford
9957e2683b Merge pull request #13313 from maikypedia/maikypedia/ldap-improper-auth 
Ruby: Add Improper LDAP Authentication query (CWE-287)
 2023-08-25 20:52:34 +01:00
Alex Ford
ae635c609f Ruby: autoformat 2023-08-25 17:11:07 +01:00
Rasmus Wriedt Larsen
bf9a0dab2a Python: Fix stdlib sinks in LogInjection query 2023-08-25 17:04:48 +02:00
Rasmus Wriedt Larsen
7852429df2 Python: Accept LogInjection .expected changes 
I don't know how this had gone unnoticed for so long, but I realized when I tried to run this query locally
 2023-08-25 17:04:40 +02:00
Shati Patel
c5612ae522 Merge pull request #14051 from github/shati-patel/mrva-results-view 
Docs: Update screenshots of variant analysis results view
 2023-08-25 15:42:49 +01:00
Mathias Vorreiter Pedersen
68bccfdb93 Merge pull request #14013 from alexet/only-taint-argv-indirections 
CPP:Only taint argv indirections
 2023-08-25 15:19:51 +01:00
Michael Nebel
02b8adf717 C#: Address review comments and some light re-factoring. 2023-08-25 15:33:54 +02:00
Maiky
ffd618d6cc Revert "Add "" and nil as sources" 
This reverts commit 664c1eba72.
 2023-08-25 15:23:55 +02:00
AlexDenisov
0fe7740dda Merge pull request #14052 from github/sashabu/swift-logging-compiler 
Swift: Route compiler diagnostics through our log.
 2023-08-25 14:47:24 +02:00
Alex Eyers-Taylor
1afcf8c8a8 Add changenotes. 2023-08-25 13:05:10 +01:00
Alex Eyers-Taylor
9f8fbf8a1a CPP: Update tests for argv change 2023-08-25 13:05:10 +01:00
Alex Eyers-Taylor
45ddb4832c CPP: Make wordexp take an indirect argument. 2023-08-25 13:05:10 +01:00
Alex Eyers-Taylor
a2f2b6c33f CPP:Only consider **argv as tainted. 2023-08-25 13:05:10 +01:00
Michael Nebel
61a523510e C#: Only use small files during file content reference analysis. 2023-08-25 14:04:52 +02:00
Michael Nebel
a81d982c90 C#: Fetch file info fewer times and make dependencies more clear. 2023-08-25 14:04:52 +02:00
Tony Torralba
6573b1f772 Merge pull request #14056 from atorralba/atorralba/java/jenkins-stapler-regenerate 
Java: Re-generate Jenkins and Stapler models
 2023-08-25 13:15:21 +02:00
Tom Hvitved
42fd9f0c54 Merge pull request #14047 from hvitved/dataflow/join-fix 
Data flow: Fix a bad join order
 2023-08-25 12:18:24 +02:00
Ian Lynagh
a7de0f96e2 Merge pull request #14049 from igfoo/igfoo/kot1.9.10 
Kotlin: We now support 1.9.10
 2023-08-25 11:11:14 +01:00
Rasmus Lerchedahl Petersen
ad49eada48 Python: Do not alter codeql-workspaces.yml 
And remove the qlpack referred to therein.
Instead we rename and duplicate the extesion file
that this qlpack pointed to.
These two extension files are kept in sync by `identical-files.json`.
 2023-08-25 11:46:41 +02:00
Tony Torralba
5367fb99d9 Manually update a couple of models affected by the nested name change 2023-08-25 11:25:40 +02:00
Mathias Vorreiter Pedersen
2fd627b460 Merge pull request #13827 from geoffw0/closuremodels 
Swift: Model withUnsafeBytes and similar closure methods
 2023-08-25 10:01:52 +01:00
Tony Torralba
50a9c31b4a Merge pull request #14055 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2023-08-25 10:04:51 +02:00
Tony Torralba
2ed01d06b4 Java: Re-generate Jenkins and Stapler models 
Re-generated the Jenkins and Stapler models to pick up the changes from github/codeql#14032
 2023-08-25 10:01:28 +02:00
github-actions[bot]
c9d64b6b4f Add changed framework coverage reports 2023-08-25 00:14:40 +00:00
Jeroen Ketema
b550c067a1 Java: Remove redundant inline expectation test imports 2023-08-25 00:18:55 +02:00
Jeroen Ketema
9d573e5544 Consolidate all InlineFlowTest libraries in the dataflow qlpack 2023-08-24 21:38:46 +02:00