hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-30 06:42:57 +01:00
Code Issues Packages Projects Releases Wiki Activity
2,474 Commits 1,684 Branches 159 Tags
63d1663eb2be02e4eff5fc271401f21a621cd8e5
Commit Graph

818 Commits

Author SHA1 Message Date
Owen Mansel-Chan
62489e1afd Fix viableCallable for function variables 2022-04-21 11:32:08 +01:00
Owen Mansel-Chan
69c9099a24 Look for callees through function variables 2022-04-21 11:32:07 +01:00
Owen Mansel-Chan
373017ab9d Add tests for callees through function variables 2022-04-21 11:32:07 +01:00
Owen Mansel-Chan
f9f21e9891 Integer conversion should ignore type assertions 2022-04-12 10:58:07 +01:00
Owen Mansel-Chan
880afea959 Pretty-print empty interface without double space 2022-04-08 06:09:56 +01:00
Chris Smowton
e8084233b8 Treat path.Clean and filepath.Clean alike re: tainted path sanitization 2022-03-08 16:42:59 +00:00
Chris Smowton
106ee5b8a2 Merge pull request #696 from asgerf/asgerf/dot-separated-access-paths 
Go: Switch to dot-separated access paths in summary specs
 2022-02-22 15:34:27 +00:00
Owen Mansel-Chan
980c27423a Merge pull request #681 from owen-mc/new-query/wrapped-error-always-nil 
Add query "Wrapped error always nil"
 2022-02-22 12:42:16 +00:00
Owen Mansel-Chan
0cd5e520aa Update expected alert message 2022-02-22 11:14:19 +00:00
Asger Feldthaus
cb38df5980 Go: rewrite access paths to dot-style 2022-02-21 14:56:54 +01:00
Asger Feldthaus
620bdf22c2 Go: add new sink to completetest.ql as well 2022-02-11 09:44:27 +01:00
Asger Feldthaus
66545dbe41 Go: fix parsing of n1..n2 in parseConstantOrRange 2022-02-11 08:35:18 +01:00
Asger Feldthaus
a26bfb0926 Go: add test with Argument[0..2] spec 2022-02-11 08:34:31 +01:00
Owen Mansel-Chan
9b61ed9578 Add query "Wrapped error always nil" 2022-02-10 13:25:19 +00:00
Chris Smowton
de2ed83b55 Note that filepath.Clean("/" + e) is a sanitizer against path traversal attacks. 2022-01-28 19:32:58 +00:00
Andrew Eisenberg
9e0580da32 Add new groups for examples packs 
Will make it easier to avoid publishing them.
 2022-01-26 14:47:46 -08:00
Chris Smowton
8111fbb69b Delete m 2022-01-20 10:57:11 +00:00
Owen Mansel-Chan
85319b2dbf Add tests for tainted path sanitizers and sanitizer guards 2022-01-19 09:49:15 +00:00
Chris Smowton
749698759a Note that the %q format directive escapes newlines, and therefore prevents log injection 2022-01-05 16:04:20 +00:00
Chris Smowton
5760841812 Merge pull request #647 from smowton/smowton/admin/not-all-you-fmt-is-log 
Declassify fmt.Fprintf as a log sink
 2022-01-05 14:09:55 +00:00
Erik Krogh Kristensen
afe7ee17a0 run the use-set-literals patch 2021-12-20 17:55:19 +01:00
Chris Smowton
92d3da5e56 Declassify fmt.Fprintf as a log sink 
In future we could try harder to find out whether you're Fprintf'ing to stdout, a file named xyz.log etc, but for now this causes Fprintf'ing to an HTTP writer to be mistaken for log-injection rather than just XSS.
 2021-12-17 17:07:58 +00:00
Owen Mansel-Chan
ec3dd1e1c0 Revert "Update tests for no flow through receivers when no function body" 
This reverts commit 06f889fce6.
 2021-12-16 19:35:54 +00:00
Chris Smowton
ede57b6527 Merge pull request #637 from smowton/smowton/fix/log-injection-sanitizers 
Fix sanitization by strings.Replace[All] in go/unsafe-quoting and go/log-injection
 2021-12-16 12:28:40 +00:00
Chris Smowton
9de1532735 Add log-injection test using strings.ReplaceAll 2021-12-15 15:35:14 +00:00
Chris Smowton
c2b42ce091 Fix sanitization by strings.Replace[All] in go/unsafe-quoting and go/log-injection 2021-12-14 12:37:18 +00:00
Owen Mansel-Chan
6a2a8298dd Add missing tests for DatabaseSql function models 2021-12-13 14:18:46 -05:00
Chris Smowton
9309abf8cd Merge pull request #574 from sauyon/dataflow-update 
Update dataflow libraries and add support for CSV summary flow
 2021-12-13 11:28:28 +00:00
Andrew Eisenberg
3cc48fea6a Merge pull request #622 from github/post-release/v2.7.3 
Post release/v2.7.3
 2021-12-10 10:00:11 -08:00
Owen Mansel-Chan
06f889fce6 Update tests for no flow through receivers when no function body 
This branch originally included a commit to enable flow through receivers
when there is no function body. This was dropped, to be pursued later.
 2021-12-08 16:03:18 -05:00
Owen Mansel-Chan
88e7c44a6d Update expected test results with extra nodes 2021-12-08 15:28:28 -05:00
Owen Mansel-Chan
16fdb9aa11 Do not test ReturnValue as input for sink 
The documentation in ExternalFlow.qll does not specify
that "ReturnValue" can be used as the input column.
 2021-12-08 11:20:34 -05:00
Chris Smowton
3cf1459c4f Revert getACallee type change 2021-12-08 11:20:33 -05:00
Owen Mansel-Chan
5ec0b09160 Diasble clearing content and add test for it 2021-12-08 11:20:32 -05:00
Owen Mansel-Chan
e940a53cc6 Test models of flow through fields 2021-12-08 11:20:32 -05:00
Owen Mansel-Chan
d717734820 Do not allow "Argument" on its own 2021-12-08 11:20:30 -05:00
Owen Mansel-Chan
12058a2621 Fix containerStoreStep and containerReadStep 2021-12-08 11:20:29 -05:00
Owen Mansel-Chan
ab8096b717 Add tests for more content types (Element, MapKey, MapValue) 2021-12-08 11:20:28 -05:00
Owen Mansel-Chan
f375553933 Add variadic functions test for function models 2021-12-08 11:20:27 -05:00
Owen Mansel-Chan
b75def62fe Add variadic functions test for external flow 2021-12-08 11:20:27 -05:00
Owen Mansel-Chan
d9848fe515 Add more tests for variadic functions 2021-12-08 11:20:27 -05:00
Owen Mansel-Chan
8044fb2519 Add more flow tests for external flow 2021-12-08 11:20:26 -05:00
Owen Mansel-Chan
63d997f820 (Unimportant) Fix module name for vendored stubs 
This doesn't affect the test, but does mean that you can run
`go build` to check the test would build.
 2021-12-08 11:20:26 -05:00
Owen Mansel-Chan
1929a1f7a7 Fix unrelated test in experimental 2021-12-08 11:20:25 -05:00
Owen Mansel-Chan
5e38f48b74 Autoformat 2021-12-08 11:20:25 -05:00
Owen Mansel-Chan
a3df3614a5 Convert completetest to an inline flow test 2021-12-08 11:20:24 -05:00
Owen Mansel-Chan
8f7a34f9cb Fix external flow tests 2021-12-08 11:20:24 -05:00
Sauyon Lee
3379790686 add flow test involving CSV 2021-12-08 11:20:22 -05:00
Owen Mansel-Chan
038f951e9f Fix containerStoreStep 
Update some comments as well, and change a variable name
 2021-12-08 11:20:20 -05:00
Owen Mansel-Chan
be6501d8e4 Add tests for data and taint flow through arrays and var args 2021-12-08 11:20:20 -05:00