hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-30 06:42:57 +01:00
Code Issues Packages Projects Releases Wiki Activity
690 Commits 1,684 Branches 159 Tags
6d93f4893356da3f6c19de453d704b0d95cf0e27
Commit Graph

690 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Max Schaefer
6d93f48933 Merge pull request #147 from owen-mc/redundant-recover 
Go: Add query for redundant calls to recover
 2020-05-19 07:14:27 +01:00
Owen Mansel-Chan
275be36e4a Update change-notes/2020-05-18-redundant-recover.md 
Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
 2020-05-19 06:31:47 +01:00
Owen Mansel-Chan
23a7db5d4d Minor textual corrections 2020-05-18 17:05:49 +01:00
Owen Mansel-Chan
fbee7fe983 Add new query for redundant calls to recover 2020-05-18 16:13:46 +01:00
Sauyon Lee
e57edccdab Merge pull request #145 from max-schaefer/allocation-size-overflow-is-big 
Simplify logic in AllocationSizeOverflow query.
 2020-05-15 11:20:01 -07:00
Max Schaefer
8a8082f6ad Merge pull request #144 from max-schaefer/interface-method-implements 
Refine `Method.implements` so that interface methods only implement themselves.
 2020-05-15 17:01:28 +01:00
Max Schaefer
27cb92fb86 Use .pp() in a few tests selecting types. 2020-05-15 15:54:23 +01:00
Max Schaefer
9c7e46386f Simplify logic in AllocationSizeOverflow query. 2020-05-15 11:20:11 +01:00
Max Schaefer
d300ec6324 Refine Method.implements so that interface methods only implement themselves. 
Without this restriction, the two `m`s in the following example are considered to implement each other, even though they aren't logically related:

```go
type I interface {
  m()
}

type J interface {
  m()
}

type K struct {
  I
  J
}
```

Previously, interface methods would sometimes implement themselves and sometimes not (see changes to test output for examples).
 2020-05-15 11:09:17 +01:00
Max Schaefer
87c1bcad0a Merge pull request #143 from github/max-schaefer-patch-1 
Clarify which types have a qualified name.
 2020-05-15 08:40:13 +01:00
Max Schaefer
24d8c7ea17 Clarify which types have a qualified name. 2020-05-15 07:31:51 +01:00
Max Schaefer
d41e41812b Merge pull request #141 from sauyon/reflectedxss-fps 
ReflectedXss improvements
 2020-05-15 07:23:39 +01:00
Sauyon Lee
5e633b2c74 Add EqualityTestNode.getPolarity 2020-05-14 14:38:59 -07:00
Sauyon Lee
5e2b973ac4 Update comment in ReflectedXss test 
Co-authored-by: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
 2020-05-14 14:35:08 -07:00
Sauyon Lee
ee0f3c9fba Address review comments 2020-05-14 02:30:14 -07:00
Sauyon Lee
804165c9ef Fix comment in ReflectedXss nonhtmlcontenttype 
Co-authored-by: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
 2020-05-14 02:28:15 -07:00
Max Schaefer
1fbf552ef5 Merge pull request #140 from sauyon/depstubber-update 
Update dependency stubs
 2020-05-14 09:29:17 +01:00
Sauyon Lee
97b3ec5cfc Update dependency stubs 2020-05-13 10:07:14 -07:00
Sauyon Lee
ac55287210 Merge pull request #138 from max-schaefer/fix-tests 
Fix frontend errors in two tests and a code example
 2020-05-13 08:50:35 -07:00
Sauyon Lee
b8b9ff13f3 Merge pull request #139 from max-schaefer/cleanup-131 
Cleanup of `io` model
 2020-05-13 08:29:45 -07:00
Max Schaefer
d5fcf28e03 Add change note. 
While we didn't see any new results in the evaluation, this is a fairly substantial amount of changes, so adding a change note is probably justified.
 2020-05-13 15:55:52 +01:00
Max Schaefer
e852caea07 Cleanup of Io module. 
- Undid rename from `Io` to `IO`
  - Ensured function signatures in comments have leading `func`
  - Removed superfluous `extends Function` clauses
  - Renamed a few classes to be more consistent.
 2020-05-13 15:55:52 +01:00
Max Schaefer
41b5fc17ab Inline two single-use predicates. 
This fixes a TODO.
 2020-05-13 15:40:36 +01:00
Max Schaefer
6e58524b78 Fix a typo. 2020-05-13 15:40:31 +01:00
Max Schaefer
ec2314310e Fix code example in query. 2020-05-13 15:38:48 +01:00
Max Schaefer
ac9e39120b Fix unused variable in test. 2020-05-13 15:28:49 +01:00
Max Schaefer
e034458574 Fix MongoDB tests. 2020-05-13 15:25:54 +01:00
Sauyon Lee
83a3b6336f Add change note 2020-05-13 04:31:23 -07:00
Sauyon Lee
748dd6801e Handle HTTP response writers that are fields 2020-05-13 04:31:07 -07:00
Sauyon Lee
9e5645fa9d Add similar predicate to SsaWithFields 2020-05-13 03:56:55 -07:00
Sauyon Lee
2089cb4543 Merge pull request #133 from max-schaefer/cleanup-conditional-bypass 
Cleanup conditional-bypass query
 2020-05-13 02:31:13 -07:00
Max Schaefer
005e49fe94 Merge pull request #130 from porcupineyhairs/MongoInjection 
Golang : Add MongoDB injection support
 2020-05-13 09:43:49 +01:00
Sauyon Lee
24e939730a Merge pull request #134 from max-schaefer/fix-test-errors 
Fix frontend errors in tests
 2020-05-13 01:38:30 -07:00
Max Schaefer
89d633ac3f Merge pull request #120 from porcupineyhairs/SensitiveActionBypass 
User-controlled bypass of sensitive action
 2020-05-12 19:48:24 +01:00
Max Schaefer
d438b5ec03 Merge pull request #131 from porcupineyhairs/IO 
Model stdlib's IO package.
 2020-05-12 19:41:40 +01:00
Slavomir
84e2a5ddd2 Add experimental library: gin web framework (#117) 2020-05-12 14:27:11 +01:00
Max Schaefer
6f21b4030e Merge pull request #135 from sauyon/tempfile-test 
Add support for ioutil TempFile and TempDir
 2020-05-12 14:25:38 +01:00
Sauyon Lee
21bfaec0d3 TaintedPath: Add change note for tempfiles 2020-05-12 05:44:19 -07:00
Porcupiney Hairs
e51bc42bfb fix metadata 2020-05-12 17:31:24 +05:30
Sauyon Lee
33e4961c95 ReflectedXss: Add an equality test guard 2020-05-12 04:53:18 -07:00
Sauyon Lee
1ef06e9e40 Add getType to SsaWithFields 2020-05-12 04:52:44 -07:00
Max Schaefer
5dac94d24c Merge pull request #116 from gagliardetto/CWE-681 
CWE 681
 2020-05-12 11:59:08 +01:00
Slavomir
556f527193 Exclude results in test files 2020-05-12 13:12:47 +03:00
Slavomir
e5e74f34d7 Add note on why the zero is commented out in Lt32BitFlowConfig 2020-05-12 13:06:11 +03:00
Slavomir
623d5b3a97 Add comments 2020-05-12 13:00:50 +03:00
Slavomir
ea7c38c99c Remove references section from qhelp file 2020-05-12 13:00:27 +03:00
Slavomir
67a7294d10 Simplify and remove deprecated; add severity 2020-05-12 12:51:13 +03:00
Sauyon Lee
58e41e9302 ReflectedXss: More broadly exclude values with a constant prefix 2020-05-11 15:49:37 -07:00
Max Schaefer
a55c828fe4 Update ql/src/experimental/CWE-840/ConditionalBypass.ql 
Co-authored-by: porcupineyhairs <61983466+porcupineyhairs@users.noreply.github.com>
 2020-05-11 15:26:30 +01:00
Porcupiney Hairs
d0061bfd4b Golang : Add MongoDB injection support 
This PR adds support for MongoDB injection to the existing SQL injection query.
This models the official Golang MongoDB driver.

A  brief summary of changes made in this query are :

1. A `NoSQL.qll` files has been created to model a `NoSQLQueryString`.

2. An entry is added in `go.qll` by default as I find these changes may be generally useful.

3. Library tests along with there expected outputs are added.

4. Query tests are added. However, I am unable to add the expected output as qltest
can't find depstubber. However, these can be easily added. I have created a separate
codeql-go database with the same files and ran the query against the same. I can see
there should be 14 correct results added from this PR.
 2020-05-11 19:55:48 +05:30