hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity
23,317 Commits 1,741 Branches 165 Tags
5e8f9959ef2114cd707160b2b28490590c649f32
Commit Graph

23317 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
jorgectf
5e8f9959ef Extend Sendgrid setters 2021-06-23 20:56:48 +02:00
jorgectf
9563faf918 Add Sendgrid modeling 2021-06-23 20:53:17 +02:00
jorgectf
bf1eb7238e Cover django.core.mail 2021-06-23 18:37:55 +02:00
jorgectf
8ae864827a Format ReflectedXSS.qll 2021-06-23 18:37:33 +02:00
jorgectf
355bb5c734 Format Flask.qll 2021-06-23 18:37:11 +02:00
jorgectf
eac5eba9d2 Move tests and qlref to test/ 2021-06-23 18:36:44 +02:00
jorgectf
c323fbbf3c Cover Flask-SendMail (Flask-Mail copy) 2021-06-23 17:26:14 +02:00
jorgectf
ae84df817a Extend ReflectedXSS query 2021-06-23 17:08:28 +02:00
jorgectf
4c9ecf0d9b Delete testing class-variable 2021-06-23 00:52:34 +02:00
jorgectf
7956b97ac3 Unit tests move and temporary ql 2021-06-23 00:40:05 +02:00
jorgectf
4d890ddeae Polish flask_mail tests and code 2021-06-23 00:38:58 +02:00
jorgectf
48cd5062cf Change EmailSender structure 2021-06-23 00:37:54 +02:00
thank_you
20f321e623 Remove accidental slash 2021-06-22 13:03:23 -04:00
thank_you
c3eba25b0c Add query tests 
Most of these query tests need to be cleaned up. Also, some of these query tests will fail because no user-tainted data is passing into the email bodies that are generated and sent to a victim user.
 2021-06-21 19:02:20 -04:00
thank_you
24d4415457 Create EmailClients.qll 2021-06-21 19:01:04 -04:00
Taus
87ee7849a9 Merge pull request #6077 from RasmusWL/fix-pypi-names 
Python: Fixup for names of supported PyPI packages
codeql-cli/v2.5.6 		2021-06-15 15:01:35 +02:00
yoff
b19d64f173 Merge pull request #6013 from RasmusWL/sensitive-improvements 
Python: Improve sensitive data modeling
 2021-06-15 14:45:40 +02:00
Rasmus Wriedt Larsen
b1fb68bc54 Python: Rename .qll file for mysql-connector-python support 
Just like our support for the `PyYAML` PyPI package that you import with
`import yaml` is in `Yaml.qll`.

Since this file does not provide any public predicates/modules, it
should be safe to rename it.
 2021-06-15 13:06:53 +02:00
Rasmus Wriedt Larsen
b154f034cb Python: Fix names of supported PyPI packages 2021-06-15 12:55:52 +02:00
Anders Schack-Mulligen
19305a217a Merge pull request #5374 from joefarebrother/guava-base 
Java: Model additional flow steps for the package `com.google.common.base` of the Guava framwork.
 2021-06-15 10:58:48 +02:00
Tom Hvitved
501ba4bd8a Merge pull request #6012 from hvitved/csharp/early-labels 
C#: Populate labels earlier
 2021-06-15 10:28:23 +02:00
Cornelius Riemenschneider
0ebf53b9df Merge pull request #6073 from geoffw0/loc 
C++: Add lines of user code query
 2021-06-15 09:18:46 +02:00
Shati Patel
cce8eac0a7 Merge pull request #5946 from shati-patel/vscode-custom-logs 
Docs: Describe custom log directory setting in VS Code extension
 2021-06-14 20:30:54 +01:00
Aditya Sharad
75ed7c0568 Merge pull request #6014 from github/docs-4179-legacy-tools 
Remove docs about legacy tools
 2021-06-14 11:50:18 -07:00
Taus
c6c9a5110a Merge pull request #6063 from tausbn/python-promote-type-tracking-library 
Python: Promote shared type tracking library
 2021-06-14 18:56:03 +02:00
Geoffrey White
d7db18213d C++: Add a generated file to the test. 2021-06-14 16:21:30 +01:00
Geoffrey White
1e1ae27974 C++: Test the new query. 2021-06-14 16:06:20 +01:00
Geoffrey White
e71264d1d2 C++: Lines of user code query. 2021-06-14 16:03:16 +01:00
Tom Hvitved
6b63e032a9 C#: Populate labels earlier 2021-06-14 15:17:33 +02:00
Rasmus Wriedt Larsen
d19bc1252b Python: limit size of extraStepForCalls predicate 
On django/django, this reduced the number of results in
`extraStepForCalls` from 201,283 to 541
 2021-06-14 15:06:42 +02:00
Joe Farebrother
36cb207600 Increase precision of tests to test value flow 2021-06-14 11:20:07 +01:00
CodeQL CI
02c017afec Merge pull request #6058 from RasmusWL/more-aiohttp 
Approved by yoff
 2021-06-14 02:56:59 -07:00
Felicity Chapman
60b4669813 Remove sentence about legacy tools 2021-06-14 08:41:28 +01:00
Taus
8016715fb6 Python: Add missing QLDoc 2021-06-11 20:35:58 +00:00
Taus
3869ab76d1 Python: Promote shared type tracking library 
This was slightly messier than anticipated, as I hadn't accounted for
the dozen uses of `startInAttr` in our codebase. To circumvent this,
I decided to put the type tracking implementation in the `internal`
directory, and wrap it with a file that ensures the old interface still
works.
 2021-06-11 20:20:22 +00:00
Jonas Jensen
e23b88b7f1 Merge pull request #6052 from jsinglet/jsinglet/stdtypes 
Implementation of standard C/C++ fixed width, minimum width, and maximum width types
 2021-06-11 17:03:01 +02:00
Calum Grant
85467adc5e Merge pull request #5839 from github/security-severities5 
Add security-severity scores
 2021-06-11 15:56:20 +01:00
John L. Singleton
8c6c011be2 Formatting fixes, comment moving. 2021-06-11 10:17:05 -04:00
Joe Farebrother
678597f3f9 Update CSV rows for collection flow 2021-06-11 15:08:27 +01:00
John L. Singleton
9c946a79c7 Update cpp/change-notes/2021-06-10-std-types.md 
Co-authored-by: Jonas Jensen <jbj@github.com>
 2021-06-11 09:49:44 -04:00
Rasmus Wriedt Larsen
53f7633662 Python: Model await request.post() as MultiDictProxy 
as highlight as being quite easy to do by @yoff 👍
 2021-06-11 14:53:30 +02:00
Chris Smowton
76838809bb Merge pull request #5818 from artem-smotrakov/rmi-deserialization 
Java: Unsafe RMI deserialization
 2021-06-11 13:43:07 +01:00
yoff
97486b448a Merge pull request #5999 from RasmusWL/aiohttp-modeling 
Python: Add aiohttp.web modeling
 2021-06-11 14:26:52 +02:00
Rasmus Wriedt Larsen
dee93783a2 Python: Update .expected for py/weak-sensitive-data-hashing 
Now there is a path from the _imports_ of the functions that would
return sensitive data, so we produce more alerts.

I'm not entirely happy about this "double reporting", but I'm not sure
how to get around it without either:

1. disabling the extra taint-step for calls. Not ideal since we would
   loose good sources.
2. disabling the extra sources based on function name. Not ideal since
   we would loose good sources.
3. disabling the extra sources based on function name, for those calls
   that would be handled with the extra taint-step for calls. Not ideal
   since that would require running the data-flow query initially to
   prune these out :|

So for now, I think the best approach is to accept some risk on this,
and ship to learn :)
 2021-06-11 13:56:55 +02:00
Anders Schack-Mulligen
f24565738b Merge pull request #6029 from atorralba/atorralba/tainted-key-read-steps 
Java: Add Map key-read-steps as local additional taint steps
 2021-06-11 13:14:18 +02:00
Joe Farebrother
dc19d1db35 Add change note 2021-06-11 11:41:30 +01:00
Joe Farebrother
04ffe80366 Add unit tests 2021-06-11 11:41:27 +01:00
Joe Farebrother
153e0c4ac3 Add modelling for more com.google.common.base methods 2021-06-11 11:40:37 +01:00
Rasmus Wriedt Larsen
df67028a1d Python: Model aiohttp.StreamReader 2021-06-11 12:06:53 +02:00
Tony Torralba
c828c7031f Add change note 2021-06-11 12:04:11 +02:00