porcupineyhairs
6dd9106301
Update XSLT.qll
2020-06-08 03:12:23 +05:30
Porcupiney Hairs
1ceb963d4c
Python: Add support for detecting XSLT Injection
...
This PR adds support for detecting XSLT injection in Python.
I have included the ql files as well as the tests with this.
2020-06-07 03:05:50 +05:30
Dave Bartolomeo
d4e1ee8aa7
Merge pull request #3629 from MathiasVP/remove-initialize-this-from-value-numbering
...
C++: Remove TInitializeThisValueNumber from IR value numbering
2020-06-05 15:55:20 -04:00
Henning Makholm
d2d235d7a4
Merge pull request #3476 from hmakholm/pr/module-res-update
...
QL language specification: bring library path documentation up to date
2020-06-05 18:12:35 +02:00
Henning Makholm
c2c70d7627
QL specification: typo fix
...
Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
2020-06-05 18:01:21 +02:00
yoff
e5480e471a
Merge pull request #3591 from RasmusWL/python-taintkind-fixup
...
Python: Fix some problems in TaintKind usage
2020-06-05 16:03:18 +02:00
Anders Schack-Mulligen
e4e51b5027
Merge pull request #3291 from artem-smotrakov/spel-injection
...
Java: Add a query for SpEL injections
2020-06-05 15:51:38 +02:00
Mathias Vorreiter Pedersen
7642680ab9
C++: Also remove TInitializeThisValueNumber from the AST wrapper
2020-06-05 15:26:09 +02:00
Mathias Vorreiter Pedersen
1a33a3b7e1
Merge branch 'master' into remove-initialize-this-from-value-numbering
2020-06-05 15:03:54 +02:00
Mathias Vorreiter Pedersen
d49c0f7b67
C++: Sync identical files
2020-06-05 15:01:18 +02:00
Mathias Vorreiter Pedersen
15fa7be09a
C++: Remove TInitializeThisValueNumber case from IR value numbering
2020-06-05 15:01:11 +02:00
semmle-qlci
ff6936caa7
Merge pull request #3625 from erik-krogh/CVE714
...
Approved by asgerf
2020-06-05 12:21:10 +01:00
semmle-qlci
69a1e11c06
Merge pull request #3609 from erik-krogh/CredFN
...
Approved by asgerf, esbena
2020-06-05 10:49:01 +01:00
Erik Krogh Kristensen
82cf53897f
TypeOfCheck -> TypeOfUndefinedSanitizer
...
Co-authored-by: Asger F <asgerf@github.com>
2020-06-05 11:35:39 +02:00
Erik Krogh Kristensen
05d7be8e23
autoformat
2020-06-05 09:59:45 +02:00
Erik Krogh Kristensen
96ca4cf7eb
add missing quote
2020-06-04 19:45:24 +00:00
Erik Krogh Kristensen
815671f5d0
add sanitizer guard for typeof undefined
2020-06-04 21:32:26 +02:00
Henning Makholm
269fa3a140
comments from alexet
...
Put 'the query directory of the current file' back in the description.
2020-06-04 20:41:54 +02:00
Jonas Jensen
ad2d1d531b
Merge pull request #3616 from dbartol/dbartol/sync-missing
...
Allow missing files in `sync-files --latest`
2020-06-04 16:52:44 +02:00
semmle-qlci
22a651cb5c
Merge pull request #3621 from max-schaefer/js/qltest-experimental
...
Approved by asgerf, erik-krogh
2020-06-04 14:19:17 +01:00
Dave Bartolomeo
0666a2e587
Remove usage of f-string
2020-06-04 08:48:14 -04:00
Dave Bartolomeo
e2afad91dd
Merge pull request #3620 from MathiasVP/fix-missing-case-in-getkind
...
C++: Fix missing case in ValueNumber::getKind
2020-06-04 07:27:30 -04:00
Max Schaefer
9549b01e3c
JavaScript: Turn on experimental language features for two tests.
...
All other tests already pass with experimental features turned on, so once this is merged we can do so by default.
2020-06-04 11:27:31 +01:00
Mathias Vorreiter Pedersen
7328429ef1
C++: Sync identical files
2020-06-04 11:31:32 +02:00
Mathias Vorreiter Pedersen
36cfe3624b
C++: Add TConstantValueNumber case to ValueNumber::getKind
2020-06-04 11:31:02 +02:00
Erik Krogh Kristensen
e47770281a
update change-note
...
Co-authored-by: Asger F <asgerf@github.com>
2020-06-04 11:14:25 +02:00
semmle-qlci
c806e229aa
Merge pull request #3618 from aschackmull/java/typeflow-test
...
Approved by aibaars
2020-06-04 10:09:44 +01:00
Anders Schack-Mulligen
64225c31a6
Java: Add test case.
2020-06-04 10:31:08 +02:00
semmle-qlci
70131e6ac8
Merge pull request #3598 from asger-semmle/js/regexp-test
...
Approved by esbena
2020-06-04 09:05:21 +01:00
Mathias Vorreiter Pedersen
b48fe6ac32
Merge pull request #3123 from jbj/dataflow-indirect-args
...
C++: Wire up param/arg indirections in data flow
2020-06-04 09:38:57 +02:00
Jonas Jensen
df96f8e4e8
Merge remote-tracking branch 'upstream/master' into dataflow-indirect-args
2020-06-04 08:20:00 +02:00
yo-h
5cdc29e49a
Merge pull request #3607 from aschackmull/java/array-instanceof-typeflow
...
Java: Add instanceof type bounds for ArrayAccess.
2020-06-03 15:29:37 -04:00
Dave Bartolomeo
a18eba2c4c
Allow missing files in sync-files --latest
...
When running `sync-files` (or `sync-identical-files`) with the `--latest` switch, if one or more of the files in a group does not exist, the script will crash. This happens all the time when I add a new group, or add a new file path in an existing group. This has bothered me for a long time, so I finally fixed it when I ran into it again today.
I've changed the script as follows:
- If _none_ of the paths in the group exist, print an error message listing the paths in the group. This happens with or without `--latest`.
- If `--latest` is specified, copy the master file to the paths of the missing files.
2020-06-03 14:53:31 -04:00
Jonas Jensen
e292eee3d1
C++: Autoformat fixup
2020-06-03 15:48:50 +02:00
Erik Krogh Kristensen
a90c8769ee
update expected output
2020-06-03 15:24:04 +02:00
Erik Krogh Kristensen
7c26efbc12
case insensitive authorization header
2020-06-03 15:23:51 +02:00
Erik Krogh Kristensen
b508ad41c8
don't have a separate fetch module
2020-06-03 15:20:06 +02:00
Erik Krogh Kristensen
46cd0143d8
Update javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
...
Co-authored-by: Asger F <asgerf@github.com>
2020-06-03 15:18:10 +02:00
Jonas Jensen
ad292d8fb6
C++: Accept one more test change from last commit
2020-06-03 14:51:05 +02:00
Erik Krogh Kristensen
baee47f3c6
remove mention of fetch from change-note
2020-06-03 13:56:32 +02:00
Erik Krogh Kristensen
28a1900612
treat all writes to Authorization as a CredentialsExpr
2020-06-03 13:55:49 +02:00
Erik Krogh Kristensen
6466ab19a0
Update javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
...
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2020-06-03 13:51:04 +02:00
Erik Krogh Kristensen
f8caec76ab
move the Fetch module to ClientRequests
2020-06-03 13:37:34 +02:00
Erik Krogh Kristensen
aa463d8298
mention fetch instead of node-fetch
2020-06-03 13:33:43 +02:00
Erik Krogh Kristensen
c80baf981a
simplify change-note
...
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2020-06-03 13:33:31 +02:00
Erik Krogh Kristensen
1b53cd4bd9
update docstring of FetchAuthorization
...
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2020-06-03 13:31:16 +02:00
Jonas Jensen
8f702d4b49
C++: Override toString on argument indirections
...
Without this override, end users would see the string
`BufferReadSideEffect` in path explanations.
2020-06-03 13:04:10 +02:00
Erik Krogh Kristensen
19dd472ee5
change note
2020-06-03 12:19:48 +02:00
Erik Krogh Kristensen
a1940979ba
support credentials in a Buffer
2020-06-03 12:02:00 +02:00
Erik Krogh Kristensen
ba44ebe8a8
better support for browser based fetch API
2020-06-03 11:51:24 +02:00