hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 12:45:27 +02:00
Code Issues Packages Projects Releases Wiki Activity
20,690 Commits 1,741 Branches 166 Tags
6508a223c33271c1a06e653b5fa3f02bf19faafa
Commit Graph

20690 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Asger Feldthaus
24199a5499 JS: Add query for resource exhaustion from deep object handling 2021-03-02 12:39:04 +00:00
Asger Feldthaus
b978359803 JS: Add schema validation as TaintedObject sanitizer 2021-03-02 12:39:04 +00:00
Tamas Vajk
fa2f345611 Revert "Simplify MissingCallTarget for calli" 
This reverts commit 3b82abd7c7.
 2021-03-02 12:58:42 +01:00
Erik Krogh Kristensen
55985c969b add change note 2021-03-02 12:25:50 +01:00
Erik Krogh Kristensen
ecccb8a409 only flag React elements in ClientSideUrlRedirect if it's a HTML element, or known link class 2021-03-02 12:25:50 +01:00
Erik Krogh Kristensen
36049f05f8 update Next.js xss example such that the attack is viable 2021-03-02 12:25:50 +01:00
Erik Krogh Kristensen
1f02594ccc rename and move getAPropertyNameInterpretedAsJavaScriptUrl 2021-03-02 12:25:50 +01:00
Erik Krogh Kristensen
5b5baced9a add support for replace in Next.js router 2021-03-02 12:25:49 +01:00
Erik Krogh Kristensen
97032f8627 add ClientSideUrlRedirect sink for Next.js routers 2021-03-02 12:25:49 +01:00
Erik Krogh Kristensen
a79c30a818 support NextJS API endpoints 2021-03-02 12:25:49 +01:00
Erik Krogh Kristensen
0e7e3e6178 support Next.js pages that export React components 2021-03-02 12:25:49 +01:00
Erik Krogh Kristensen
1fdbbb682d support Next.js page request/response objects 2021-03-02 12:25:49 +01:00
Erik Krogh Kristensen
a5cf024c9f add support for getServerSideProps in Next.js 2021-03-02 12:25:49 +01:00
Erik Krogh Kristensen
af262a035d add support for getInitialProps in Next.js 2021-03-02 12:25:49 +01:00
Erik Krogh Kristensen
d63fcaf7f1 add step from getStaticProps to the component render function 2021-03-02 12:25:49 +01:00
Erik Krogh Kristensen
9d7bb57d8a add parameter values from Next as a RemoteFlowSource 2021-03-02 12:25:49 +01:00
Erik Krogh Kristensen
41a0c0b55e support React links in js/client-side-unvalidated-url-redirection 2021-03-02 12:25:49 +01:00
Francis Alexander
4384f78595 Play stubs improvements, cleanup and return values 2021-03-02 16:50:16 +05:30
CodeQL CI
79839d2304 Merge pull request #5267 from erik-krogh/httpProxy 
Approved by asgerf
 2021-03-02 02:46:50 -08:00
Owen Mansel-Chan
6460ce3f83 Add @codeql-go as code owners for the shared data-flow library files 2021-03-02 10:39:47 +00:00
Anders Schack-Mulligen
b0fa8dfeae Merge pull request #4214 from porcupineyhairs/springViewManipulation 
[Java] Add QL for detecting Spring View Manipulation Vulnerabilities.
 2021-03-02 11:31:42 +01:00
CodeQL CI
2957131853 Merge pull request #5258 from erik-krogh/nextPerf 
Approved by asgerf
 2021-03-02 02:04:20 -08:00
CodeQL CI
9ea8f8201c Merge pull request #5265 from erik-krogh/cacheRemote 
Approved by asgerf
 2021-03-02 02:03:09 -08:00
Anders Schack-Mulligen
394c82d564 Apply suggestions from code review 
Adjust qldoc.
 2021-03-02 10:17:07 +01:00
Tamas Vajk
faf69d65da Fix merge error 2021-03-02 09:23:15 +01:00
Tamas Vajk
3b82abd7c7 Simplify MissingCallTarget for calli 2021-03-02 09:21:24 +01:00
Tamas Vajk
7ae640ce16 Fix OS specific tests 2021-03-02 09:21:24 +01:00
Tamas Vajk
f2e667173c C#: Add calli IL opcode extraction 2021-03-02 09:21:24 +01:00
Tamas Vajk
17109a36ce Fix extraction error due to missing DLL 2021-03-02 09:21:24 +01:00
Tamas Vajk
6205ec233c Fix more failing tests 2021-03-02 09:21:24 +01:00
Tamas Vajk
2b1c6faefd Fix failing test 2021-03-02 09:21:24 +01:00
Tamas Vajk
4f383be13b Fix new (nullability) compiler warnings 2021-03-02 09:21:24 +01:00
Tamas Vajk
71f095d6d4 Upgrade projects to .net 5 2021-03-02 09:20:31 +01:00
Aditya Sharad
dbed4a1a8b Actions: Add workflow to request docs review 
When a PR is labelled with 'ready-for-docs-review',
this workflow comments on the PR to notify the GitHub CodeQL docs team.
Runs on `pull_request_target` events so it can write comments to the PR.
Since this runs in the context of the base repo, it must not check out the PR
or use untrusted data from the event payload.

Only runs when the PR base is github/codeql, to prevent notifications from forks.
 2021-03-01 17:15:03 -08:00
Robert Marsh
2b382d588a C++: autoformat Operand.qll 2021-03-01 11:13:04 -08:00
Calum Grant
cee96775b8 Merge pull request #5305 from asgerf/js/tuple-type-rest-index-stats 
JS: Regenerate stats for tuple_type_rest_index
codeql-cli/v2.4.5 		2021-03-01 17:43:55 +00:00
Porcuiney Hairs
5151a528ac Include suggestions from review 2021-03-01 22:59:30 +05:30
Chris Smowton
5d2f3421d8 Add change notes 2021-03-01 16:59:20 +00:00
Chris Smowton
cdccc1a064 Remove needless typecasts 2021-03-01 16:47:34 +00:00
Asger Feldthaus
26924a3378 JS: Regenerate stats for tuple_type_rest_index 2021-03-01 16:30:09 +00:00
Tamás Vajk
2ac94255b7 Merge pull request #5299 from tamasvajk/feature/limit-codescanning-csharp2 
C#: Fix codeql analysis workflow
 2021-03-01 16:20:03 +01:00
Porcuiney Hairs
14ec148272 refactor to meet experimental guidelines. 2021-03-01 18:46:33 +05:30
Rasmus Wriedt Larsen
0874712c97 C++/Java/Python: Allow Python string prefix in InlineExpectationsTest 
I've been writing tests for crypto libraries in Python, and have wanted to write
code along the lines of

```py
md5.hash(b"some message") # $ HashInput=b"some message"
```

which didn't work before this commit, forcing me to store my text in a variable
like below. This turned out to be really annoying when dealing with more complex
examples, so therefore I'm adding this new functionality to allow this behavior.

```py
msg = b"some message"
md5.hash(msg) # $ HashInput=msg
```
 2021-03-01 13:44:28 +01:00
Chris Smowton
aab9deceef Remove package from test Java file 2021-03-01 10:32:44 +00:00
Chris Smowton
c32514bf66 Sync dataflow library files 2021-03-01 10:27:28 +00:00
Chris Smowton
e6b1fe9b5f Fluent interface dataflow: support argument-output flow directly declared by the simpleLocalFlowStep relation 
This means we will treat fluent interfaces that are modelled the same as those where we determine an argument flows to an output by inspection of the function body.
 2021-03-01 10:23:38 +00:00
Chris Smowton
54caf501e7 Switch fluent-methods test to use a plain DataFlow::Configuration 
No taint edges are involved, so TaintTracking was unnecessary.
 2021-03-01 10:16:02 +00:00
Chris Smowton
fadbb32bd6 Add backward dataflow edges through fluent function invocations. 
This means that much as obj.getA().setB(...) already has a side-effect on `obj`, all three setters in obj.setA(...).setB(...).setC(...) will have a side-effect on `obj`.
 2021-03-01 10:11:28 +00:00
Tamas Vajk
1ecbbf6af3 C#: Fix codeql analysis workflow 2021-03-01 09:18:05 +01:00
Anders Schack-Mulligen
37baf77b93 Merge pull request #5273 from intrigus-lgtm/java/unify-main-method-check 
Java: Remove duplicate code.
 2021-03-01 09:05:28 +01:00