Jonas Jensen
4dfd4f1dda
Merge pull request #1674 from dave-bartolomeo/dave/ExternDecls2
...
C++: Two IR fixes and a PrintAST workaround
2019-08-06 13:46:04 +02:00
semmle-qlci
77eac2c980
Merge pull request #1687 from esben-semmle/js/hide-conflicting-html-attribute
...
Approved by xiemaisi
2019-08-06 11:38:33 +01:00
semmle-qlci
5de6da4ee4
Merge pull request #1697 from esben-semmle/js/fix-missing-this-in-method
...
Approved by xiemaisi
2019-08-06 11:38:11 +01:00
Calum Grant
2df05090b5
Merge pull request #1685 from hvitved/csharp/dataflow/out-flow-fix
...
C#: Fix data flow for `out`/`ref` parameters
2019-08-06 09:31:17 +01:00
Felicity Chapman
3e987732c1
Merge pull request #1698 from jf205/links
...
Docs: Update ql training homepage
2019-08-06 08:56:43 +01:00
james
6a75d64f87
docs: link update
2019-08-06 08:48:31 +01:00
semmle-qlci
0089ad471b
Merge pull request #1696 from xiemaisi/js/ql4ql-fixes
...
Approved by asger-semmle
2019-08-06 08:06:06 +01:00
yh-semmle
9e4405f385
Merge pull request #1688 from aschackmull/java-cookbook/int-literal-value
...
Java Cookbook: Slight improvement to the IntegerLiteral pattern.
2019-08-05 20:37:58 -04:00
Rebecca Valentine
5fdf6a8e11
Merge pull request #1640 from markshannon/python-update-all-taint-tracking-to-use-config
...
Python: Update all remaining taint-tracking queries to use configurations
2019-08-05 14:30:30 -07:00
Rebecca Valentine
9d2061b439
Merge pull request #1669 from markshannon/python-better-handling-unknown-decorators
...
Python: Treat the result of calling a missing module member as 'unknown'.
2019-08-05 14:30:00 -07:00
yh-semmle
7e90728c67
Merge pull request #1679 from aschackmull/java/reader-taint
...
Java: Adjust taint steps for Reader::read.
2019-08-05 12:46:12 -04:00
Max Schaefer
5026a55c25
JavaScript: Fix a Cartesian product.
2019-08-05 15:42:20 +01:00
Max Schaefer
d230921b89
JavaScript: Remove two unused fields.
2019-08-05 15:41:55 +01:00
Esben Sparre Andreasen
bc2785d143
JS: add missing binding for this in BuiltinServiceCall
2019-08-05 14:10:21 +02:00
Esben Sparre Andreasen
bc296e74a1
JS: generalize internal AngularJS::BuiltinServiceCall to handle calls
2019-08-05 13:59:48 +02:00
Esben Sparre Andreasen
a652f754ee
JS: rename internal AngularJS::ServiceMethodCall
2019-08-05 13:56:49 +02:00
semmle-qlci
f60af2cfba
Merge pull request #1683 from asger-semmle/type-tracking-non-exp
...
Approved by xiemaisi
2019-08-05 11:06:53 +01:00
semmle-qlci
77ae2bc8b7
Merge pull request #1684 from asger-semmle/protopollution-qhelp
...
Approved by xiemaisi
2019-08-05 11:06:34 +01:00
Calum Grant
3e143093f0
Merge pull request #1475 from hvitved/csharp/remove-file
...
C#: Remove unused `PasswordInConfigurationFile.config`
2019-08-05 10:29:50 +01:00
Anders Schack-Mulligen
15c61b57f7
Java Cookbook: Slight improvement to the IntegerLiteral pattern.
2019-08-05 11:03:30 +02:00
Jonas Jensen
73d8bf38a9
Merge pull request #1680 from aschackmull/cookbook/autoformat
...
Cookbook examples: Autoformat
2019-08-05 10:24:56 +02:00
Esben Sparre Andreasen
c4eb258f5b
JS: lower precision of js/conflicting-html-attribute
2019-08-05 09:22:10 +02:00
Luke Cartey
54d01bdeff
Merge pull request #1648 from hvitved/csharp/unchecked-return-lambda
...
C#: Fix false positives in `cs/unchecked-return-value`
2019-08-02 21:48:38 -07:00
Tom Hvitved
4d58154ff5
C#: Fix data flow for out/ref parameters
2019-08-02 14:25:38 -07:00
Tom Hvitved
04db1bf3f4
C#: Add data flow test for methods with multiple out/ref parameters
2019-08-02 13:46:18 -07:00
Tom Hvitved
b03cf6f34e
Merge pull request #1678 from calumgrant/cs/remove-analyzer-NRE
...
C#: Remove compilation warning
2019-08-02 10:38:27 -07:00
semmle-qlci
d4e39a250d
Merge pull request #1667 from xiemaisi/js/more-ranges
...
Approved by esben-semmle
2019-08-02 16:46:30 +01:00
Asger F
fcc51a8407
JS: Fix lodash version in proto pollution qhelp
2019-08-02 16:42:36 +01:00
yh-semmle
251d441f6a
Merge pull request #1682 from aschackmull/java/hardcoded-credentials-precision
...
Java: Improve the precision of java/hardcoded-credential-api-call.
2019-08-02 11:37:06 -04:00
Asger F
eb543c1ceb
JS: Remove experimental warning from type tracking
2019-08-02 16:30:44 +01:00
Anders Schack-Mulligen
b1b1ede6b0
Java: Improve the precision of java/hardcoded-credential-api-call.
2019-08-02 16:50:58 +02:00
Anders Schack-Mulligen
59fb59d109
JavaScript: Autoformat cookbook examples.
2019-08-02 15:33:40 +02:00
Anders Schack-Mulligen
40f2cec0de
C#: Autoformat cookbook examples.
2019-08-02 15:30:32 +02:00
Anders Schack-Mulligen
d6e1ba6bed
CPP: Autoformat cookbook examples.
2019-08-02 15:29:20 +02:00
Anders Schack-Mulligen
9b74e9c4a4
Java: Autoformat cookbook examples.
2019-08-02 15:27:28 +02:00
Max Schaefer
3daa974255
JavaScript: Rename a test.
...
The old test name would cause a compiler warning, which we don't want to include in the expected output.
2019-08-02 14:05:57 +01:00
semmle-qlci
34cdf7c96b
Merge pull request #1677 from xiemaisi/js/flow-summary-fixes
...
Approved by esben-semmle
2019-08-02 14:02:47 +01:00
semmle-qlci
635a8edacc
Merge pull request #1676 from xiemaisi/js/more-tests-classification
...
Approved by esben-semmle
2019-08-02 14:02:24 +01:00
Anders Schack-Mulligen
4ffc41277a
Java: Adjust taint steps for Reader::read.
2019-08-02 14:21:06 +02:00
Calum Grant
169dbf1be3
C#: Remove rule CA1022, which caused the analyzer to crash, generating a compilation warning (and possibly, instability).
2019-08-02 12:14:03 +01:00
Max Schaefer
e06ed503ec
JavaScript: Make flow summaries work for non-taint configurations.
...
With flow labels it often makes more sense to use a `DataFlow::Configuration` rather than a `TaintTracking::Configuration`, so flow summaries should support both.
2019-08-02 11:45:41 +01:00
Max Schaefer
97c0c97b28
JavaScript: Classify __mocks__ and __tests_ as tests.
...
These are conventions used by jest: https://jestjs.io/docs/en/manual-mocks#mocking-user-modules.
2019-08-02 11:15:02 +01:00
Mark Shannon
4a6f385feb
Python objects: Add clarifying comments on callResult predicates.
2019-08-02 10:10:47 +01:00
semmle-qlci
07b97dcc07
Merge pull request #1672 from asger-semmle/flowlabel-issers
...
Approved by xiemaisi
2019-08-02 10:05:41 +01:00
semmle-qlci
bb4f00d770
Merge pull request #1015 from esben-semmle/js/cli-cli
...
Approved by xiemaisi
2019-08-02 09:57:19 +01:00
semmle-qlci
1b30a25977
Merge pull request #1668 from esben-semmle/js/ignore-mocked-callee-argument-count
...
Approved by xiemaisi
2019-08-02 09:56:52 +01:00
semmle-qlci
108e5bc431
Merge pull request #1675 from hvitved/csharp/xss-path-problem
...
Approved by lukecartey
2019-08-02 04:17:03 +01:00
Tom Hvitved
b7d6165d42
C#: Convert cs/web/xss to a path-problem
2019-08-01 15:58:57 -07:00
Dave Bartolomeo
6370391dbd
C++: Add sanity test for definitions that don't dominate their uses.
2019-08-01 15:01:42 -07:00
Dave Bartolomeo
912679ef8c
C++: Two IR fixes
...
My original fix in https://github.com/Semmle/ql/pull/1661 fixed my minimal test case, but did not fix the original failure in a Linux snapshot. The real fix is to simply not create a `TranslatedDeclarationEntry` for an extern declaration, and have `TranslatedDeclStmt` skip any such declarations. I've added a regression test for that case (multiple extern declarations with same location in a macro expansion, with control flow between them). I did verify that it generates correct IR, and that it fixes all of the "use not dominated by definition" failures in Linux.
The underlying extractor bug that caused the above issue also caused PrintAST to print garbage. I've worked around the bug in PrintAST.qll.
I've also fixed a bug in the control flow for `try`/`catch`, where there was missing flow from the `CatchByType` of the last handler of a `try` to the enclosing handler (or `Unwind`). Hat tip to @AndreiDiaconu1 for spotting this bug.
2019-08-01 14:38:19 -07:00