codeql

mirror of https://github.com/github/codeql.git synced 2026-04-12 02:24:00 +02:00

Author	SHA1	Message	Date
Harry Maclean	64a8cedaa7	Generalise the concept of a Kernel method call	2021-09-17 17:02:17 +01:00
Harry Maclean	599dc28ffa	Add another test for shell interpretation	2021-09-17 17:02:17 +01:00
Harry Maclean	f8359767bc	Exclude non-shell interpreted args Update the CommandInjection query to only consider sinks where the argument is interpreted by a shell. If the argument is passed directly to a subprocess then it's not vulnerable to shell injection.	2021-09-17 17:02:17 +01:00
Harry Maclean	c8e9a592f0	Update CLI injection tests Cover more cases, like sinks after (but not guarded by) barrier guards.	2021-09-17 17:02:17 +01:00
Harry Maclean	d046fb0591	Separate open3 pipeline methods These have a slightly different structure than the other open3 methods.	2021-09-17 17:02:17 +01:00
Harry Maclean	174ba25c66	Update SystemCommandExecution to new pattern The new pattern is to use the new instanceof keyword in the class definition, instead of constraining the "superclass" via a member field.	2021-09-17 17:02:17 +01:00
Harry Maclean	cbc14ccda9	Make KernelSystemCall more specific Test that calls to`system` on modules other than `Kernel` are excluded, such as in this example: module Foo def self.system(*args); end end # This is not a call to Kernel.system Foo.system("bar")	2021-09-17 17:02:17 +01:00
Harry Maclean	fb23a2e3bf	Add SubshellHeredocExecution This is a form of command execution: result = <<`EOF` echo foo bar #{baz} EOF	2021-09-17 17:02:17 +01:00
Harry Maclean	799ef4e4c9	Add barrier guards for CLI injection	2021-09-17 17:02:17 +01:00
Harry Maclean	4ecc78effc	Kernel#system -> Kernel.system	2021-09-17 17:02:17 +01:00
Harry Maclean	8f65d78cb5	Add Shellwords.escape as CLI injection sanitizer	2021-09-17 17:02:17 +01:00
Harry Maclean	fe8fc0697b	Add qhelp for CLI Injection query	2021-09-17 17:02:17 +01:00
Harry Maclean	4a0d7c528a	Add top-level CLI injection query and tests	2021-09-17 17:02:17 +01:00
Harry Maclean	8440fe2ba9	Add CommandInjection dataflow config	2021-09-17 17:02:17 +01:00
Harry Maclean	a8f0bce1d1	Add SystemCommandExecution concept A SystemCommandExecution is a method call or builtin that executes a system command, either directly or via a subshell.	2021-09-17 17:02:17 +01:00
Tom Hvitved	1fd91ab9bd	Merge pull request #295 from github/hvitved/remove-numlines No longer create redundant `numlines` relation	2021-09-16 13:21:20 +02:00
Tom Hvitved	464b50231b	DB upgrade script	2021-09-16 12:57:32 +02:00
Tom Hvitved	fd04baa9fe	No longer create redundant `numlines` relation	2021-09-16 11:43:13 +02:00
Tom Hvitved	d3a1d0a62a	Merge pull request #294 from github/bump-codeql Bump `codeql` submodule	2021-09-15 16:24:04 +02:00
Tom Hvitved	9e67382f06	Bump `codeql` submodule	2021-09-15 14:59:42 +02:00
Harry Maclean	12723f0f13	Merge pull request #288 from github/hmac-barrier-guard-checks Make barrier guards more specific	2021-09-14 16:16:20 +01:00
Tom Hvitved	f4e2c30d86	Merge pull request #291 from github/hvitved/regexp-multiples Speedup `RegExp::multiples`	2021-09-14 14:22:20 +02:00
Tom Hvitved	8ac3dc29e0	Speedup `RegExp::multiples` Use regexps to perform matching to avoid constructing sub strings.	2021-09-14 13:58:24 +02:00
Harry Maclean	4763312e55	Merge `ConditionBlock` and `BarrierGuard`	2021-09-14 11:11:12 +01:00
Harry Maclean	6f32401e5c	Add `unless x !=` test to barrier guards This tests that the following call to `foo bar` is guarded: unless bar != "bar" foo bar end	2021-09-13 11:58:17 +01:00
Harry Maclean	800e18349f	Add != to StringConstCompare This means we treat != comparisons against strings as taint tracking guards: if foo != "A" foo # still tainted else foo # not tainted, because we know foo == "A" end	2021-09-10 16:42:45 +01:00
Harry Maclean	8f36b0d7fe	Simplify guard in SQL injection tests We don't (yet) properly sanitize taint in cases like this foo = "A" unless foo == "B" So for now, use a simpler guard in the SQL injection test. We can resurrect the old, more idiomatic guard when we can support it.	2021-09-10 16:27:57 +01:00
Harry Maclean	56983565fe	Update ReDoS length guard Changes to barrier guards in a previous commit mean we need to update this guard to match.	2021-09-10 16:21:17 +01:00
Nick Rolfe	b51e741439	Merge pull request #289 from github/rust_warnings Fix 'unused borrow that must be used' warnings.	2021-09-09 17:27:05 +01:00
Nick Rolfe	cf72bada3d	Fix 'unused borrow that must be used' warnings. I don't remember seeing this warning before upgrading to Rust 1.55	2021-09-09 17:03:10 +01:00
Nick Rolfe	6dbf6d7e82	Merge pull request #278 from github/aibaars/revert-hotfix Revert "Use hotfixed version of `codeql/suite-helpers` with workaround for bug in released CLI"	2021-09-09 11:21:20 +01:00
Harry Maclean	b4c29425ea	Make barrier guards more specific Following examples from the other libraries, this change introduces a member predicate `checks(CfgNode expr, boolean branch)` to `BarrierGuard`, which holds if the guard validates `expr` for a particular value of `branch`, which represents the value of the condition in the guard. For example, in the following guard... if foo == "foo" do_something foo else do_something_else foo end ...the variable `foo` is validated when the condition `foo == "foo"` is true. We also introduce the concept that a guard "controls" a code block based on the value of `branch`. In the example above, the "then" branch of the if statement is controlled when `branch` is true. The else branch is not controlled because `foo` can take (almost) any value in that branch. Based on these concepts, we define a guarded node to be a read of a validated variable in a controlled block. In the above example, the `foo` in `do_something foo` is guarded, but the `foo` in `do_something_else foo` is not.	2021-09-09 11:04:52 +01:00
Nick Rolfe	a62aa2b1b2	Merge pull request #269 from github/polynomial_redos Polynomial ReDoS query	2021-09-07 18:31:04 +01:00
Nick Rolfe	414362db8d	Rename .qll to match our naming scheme for other dataflow queries.	2021-09-07 17:38:08 +01:00
Nick Rolfe	7666d856b7	Merge remote-tracking branch 'origin/main' into polynomial_redos	2021-09-07 17:35:07 +01:00
Nick Rolfe	4d5928ae5a	Add @security-severity tag	2021-09-07 12:15:44 +01:00
Nick Rolfe	8fbe5c0adf	Merge pull request #261 from github/getPrimaryQlClasses Implement getPrimaryQlClasses	2021-09-07 12:02:15 +01:00
Tom Hvitved	8ce7fdc59a	Merge pull request #284 from github/hvitved/instanceof-test Use `instanceof` base classes	2021-09-07 13:01:43 +02:00
Nick Rolfe	060060bc0b	Merge remote-tracking branch 'origin/main' into getPrimaryQlClasses	2021-09-06 19:34:34 +01:00
Tom Hvitved	3594794875	Use `instanceof` base classes in range patterns	2021-09-06 16:15:52 +02:00
Tom Hvitved	9b3b9a731f	Move `instanceof` check from charpred in `CfgScope`	2021-09-06 10:31:16 +02:00
Calum Grant	51d729a086	Merge pull request #282 from github/add-coc Create CODE_OF_CONDUCT.md	2021-09-03 14:25:44 +01:00
Harry Maclean	36d5fda400	Merge pull request #260 from github/hmac-url-redirect Add URLRedirect query	2021-09-03 13:36:54 +01:00
Pierre	12c1f43ceb	Create CODE_OF_CONDUCT.md Add COC based on the latest template.	2021-09-03 14:27:04 +02:00
Harry Maclean	87253032e2	Add a query for URL redirect vulnerabilities This query finds instances of CWE-601: Redirection to Untrusted Site. The structure is copied from a query of the same name in the Python library. We add customisations specific to `ActionController`.	2021-09-03 13:17:14 +01:00
Calum Grant	799c0ff252	Merge pull request #281 from github/add-license Add LICENSE	2021-09-03 13:14:15 +01:00
Pierre	bc85a1b825	Add LICENSE file Required step for open-sourcing. This uses the same license at `codeql-ruby`.	2021-09-03 13:10:54 +02:00
Nick Rolfe	47e5a8fd09	Add test for polynomial ReDoS query	2021-09-02 17:57:56 +01:00
Nick Rolfe	cbe23661ed	Rename exponential ReDoS test directory	2021-09-02 17:57:56 +01:00
Nick Rolfe	d62b41bdf4	Add query for polynomial ReDoS	2021-09-02 17:57:56 +01:00

1 2 3 4 5 ...

1218 Commits