hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 17:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity
48,968 Commits 1,741 Branches 165 Tags
60f9635ada43dc10fe06fddca6a4f19dd705cf69
Commit Graph

48968 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Harry Maclean
60f9635ada Ruby: Move import 2023-01-23 21:51:27 +00:00
Harry Maclean
c1207e0938 Ruby: Fix rack response tracking 
Use type tracking instead of getReturningNode, which seems to be faster
and works correctly for the cases I've tried.
 2023-01-23 21:43:04 +00:00
Harry Maclean
21ce9b448a Ruby: Attempt to fix performance of AppCandidate 
`DataFlow::MethodNode.getAReturningNode` is expensive to compute.
Instead we look for rack responses which flow to the `SynthReturnNode`.
Each method has only one of these (vs many "returning" nodes) so it is
a lot faster.
I'm not sure yet whether the results are the same.
 2023-01-23 15:25:52 +13:00
Harry Maclean
16baea22c0 Ruby: doc fix 
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
 2023-01-20 22:06:29 +13:00
Harry Maclean
33a1469a56 Ruby: Add change note 2023-01-12 16:29:00 +13:00
Harry Maclean
8219465389 Ruby: fix missing doc 2023-01-12 11:35:35 +13:00
Harry Maclean
0626d693f5 Ruby: Recognise rack applications 
This is a basic first step in modelling rack apps. We recognise classes
that look like rack applications and then treat the argument to `call`
in the same way that we treat `request.env` in ActionController classes.

This finds a TP in CVE-2021-43840.
 2023-01-12 11:28:31 +13:00
Edward Minnix III
ce06df3152 Merge pull request #11628 from egregius313/egregius313/android-webview-addjavascriptinterface-dataflow 
Java: Add parameters of methods annotated @JavascriptInterface as remote flow sources
 2023-01-10 12:41:52 -05:00
Paolo Tranquilli
0ad585cfe6 Merge pull request #11860 from github/redsun82/swift-clang-14 
Swift: make compilation with newer STL possible
 2023-01-10 17:17:56 +01:00
Erik Krogh Kristensen
54c780bdf9 Merge pull request #11853 from erik-krogh/assignMore 
JS: add local flow when recognizing Object.assign calls for library-inputs
 2023-01-10 17:04:29 +01:00
Tony Torralba
72a11e737d Merge pull request #11775 from atorralba/atorralba/all/omittable-exists 
All: Remove omittable exists variables
 2023-01-10 16:07:06 +01:00
erik-krogh
62b69bbd3e autoformat 2023-01-10 15:38:13 +01:00
Erik Krogh Kristensen
6623e5fbf3 Merge pull request #11852 from erik-krogh/jsInfiniteChar 
JS: recognize an infinite repetition of a char-class like regex as a char-class like regex
 2023-01-10 15:32:22 +01:00
Erik Krogh Kristensen
ce8836fb65 Update javascript/ql/lib/semmle/javascript/PackageExports.qll 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2023-01-10 15:30:44 +01:00
Erik Krogh Kristensen
9f8d10de11 Merge pull request #11851 from erik-krogh/jsFixMissingThis 
JS: fix bad join-order in js/missing-this-qualifier
 2023-01-10 15:23:25 +01:00
Paolo Tranquilli
2fb5621527 Swift: replace $(CC) with clang 
On macOS `$(CC)` points to a wrapper that requires `DEVELOPER_DIR` to be
set in the environment. Using `clang` is slightly less generic, but
that's our default any way. Even if we do set a different clang version
somewhere, the selected version of GCC would not change, and the test
is targeting that.
 2023-01-10 14:58:21 +01:00
Paolo Tranquilli
943763a026 Swift: add -Wno-pragma-once-outside-header to check 2023-01-10 14:30:35 +01:00
Paolo Tranquilli
28d79eeb77 Swift: make compilation with different STL versions possible 
Previous to this patch the code contained a workaround for the standard
defect

https://cplusplus.github.io/LWG/issue3657

where `std::filesystem::path` did not have a `std::hash` implementation.

This patch allows compiling against versions of the STL that contain the
fix to the above issue. This is done by running the compiler against
code defining `std::hash<std::filesystem::path>`: if compilation
succeeds, it means the fix is not there and we need to use the
workaround, contained in `PathHash.h.workaround`. Otherwise, the fix is
there and we use `PathHash.h.fixed` instead, which only includes the
standard headers included by `PathHash.h.workaround`, so that one is a
drop-in replacement of the other.
 2023-01-10 14:14:33 +01:00
Jeroen Ketema
1a4048d238 Merge pull request #11830 from jketema/frontend-update 
C++: Changes for frontend update
 2023-01-10 14:01:46 +01:00
erik-krogh
5c388c554c fix that the TypeTracker was unrestricted for the base-case of nonFirstLocationType 2023-01-10 13:39:50 +01:00
erik-krogh
e02b67af63 add failing test 2023-01-10 13:39:50 +01:00
Tony Torralba
50cd40ed20 Swift: Remove omittable exists variables 2023-01-10 13:39:50 +01:00
Tony Torralba
7ef8099a8b Shared: Remove omittable exists variables 2023-01-10 13:39:50 +01:00
Tony Torralba
c9d1cd97fb Ruby: Remove omittable exists variables 2023-01-10 13:39:49 +01:00
Tony Torralba
f6c3f77602 QL: Remove omittable exists variables 2023-01-10 13:37:58 +01:00
Tony Torralba
d87c8c75d6 Python: Remove omittable exists variables 2023-01-10 13:37:35 +01:00
Tony Torralba
3b6dae41cd JavaScript: Remove omittable exists variables 2023-01-10 13:37:21 +01:00
Tony Torralba
32471d326e Java: Remove omittable exists variables 2023-01-10 13:37:19 +01:00
Tony Torralba
7a92970d89 Go: Remove omittable exists variables 2023-01-10 13:36:48 +01:00
Tony Torralba
2ca0df0369 C#: Remove omittable exists variables 2023-01-10 13:36:25 +01:00
Tony Torralba
3fcc99e5cb C++: Remove omittable exists variables 2023-01-10 13:36:01 +01:00
Tony Torralba
da90ae0e8f Update java/ql/lib/semmle/code/java/dataflow/FlowSources.qll 2023-01-10 11:18:53 +01:00
Jeroen Ketema
8d46642de3 C++: Update dbscheme stats file 2023-01-10 10:41:43 +01:00
Jeroen Ketema
2fc6484162 C++: Add dbscheme upgrade and downgrade scripts 2023-01-10 10:41:43 +01:00
Jeroen Ketema
1bab950023 C++: Introduce (_Complex) _Float16 type which is needed after frontend update 2023-01-10 10:41:43 +01:00
Jeroen Ketema
282ca1094e C++: Accept test changes after improving size of _Float128 in frontend 2023-01-10 10:41:43 +01:00
Jeroen Ketema
e215c4c94c C++: Accept test changes after frontend update 
The location of a reference dereference has changed slightly.
 2023-01-10 10:41:43 +01:00
Michael Nebel
16cd148961 Merge pull request #11711 from michaelnebel/externalflowcleanup 
C#/Java: Delete deprecated ModelCsv classes and related predicates.
 2023-01-10 10:22:50 +01:00
Michael Nebel
1729319ebe Merge pull request #11804 from michaelnebel/csharp/alignqueryids 
C#: Align query IDs.
 2023-01-10 10:14:07 +01:00
Michael Nebel
18a0abdb4c Merge pull request #11740 from michaelnebel/csharp/updatestats 
C#: Update stats based on projects.
 2023-01-10 10:09:53 +01:00
Ed Minnix
293a203756 Move JavascriptInterfaceMethod to WebView.qll 2023-01-09 15:10:23 -05:00
erik-krogh
9f100ef2c6 add local flow when recognizing Object.assign calls for library-inputs 2023-01-09 17:44:11 +01:00
erik-krogh
90f9e3f825 recognize an infinite repetition of a char-class like regex as a char-class like regex 2023-01-09 17:25:08 +01:00
erik-krogh
785c21f462 fix bad join-order in js/missing-this-qualifier 2023-01-09 16:06:26 +01:00
Arthur Baars
664fdc3b2a Merge pull request #11815 from aibaars/too-many-fields 
Ruby: use record_parse_error_for_node to report extractor error
 2023-01-09 15:40:19 +01:00
Erik Krogh Kristensen
5157d4df7b Merge pull request #11581 from erik-krogh/stdin 
Rb: add stdin as source for unsafe-deserialization
 2023-01-09 13:57:47 +01:00
Chris Smowton
e9bbb5d7fa Merge pull request #11730 from smowton/smowton/admin/improve-sql-unescaped-docs 
Java: improve naming and description of SqlUnescaped.ql
 2023-01-09 12:50:27 +00:00
yoff
c01ce955ba Merge pull request #11778 from yoff/shared/inline-tests 
Shared: Inline test expectations
 2023-01-09 13:21:18 +01:00
Chris Smowton
2e26fb1171 Merge pull request #11819 from smowton/smowton/admin/port-java-autobuilder-tests 
Add Java autobuilder integration tests
 2023-01-09 12:17:39 +00:00
Chris Smowton
efe23c1da7 Note that alerts should not be re-raised 2023-01-09 10:56:13 +00:00