Esben Sparre Andreasen
708edf4bcb
Remove additional SQL sinks
2022-01-21 16:46:12 +00:00
Esben Sparre Andreasen
9682a33328
Remove additional path-injection sinks
2022-01-21 16:46:12 +00:00
Esben Sparre Andreasen
96d19a0c39
Add benjamin-button.md
2022-01-21 16:46:12 +00:00
Esben Sparre Andreasen
a6d4ff285f
Remove pseudo-properties
2022-01-21 16:46:12 +00:00
Esben Sparre Andreasen
bc5148947f
Remove 2020 sinks from SqlInjection.ql
2022-01-21 16:46:12 +00:00
Esben Sparre Andreasen
51968cd9dc
Remove 2020 sinks from Xss.ql
2022-01-21 16:46:11 +00:00
Esben Sparre Andreasen
1bb276d408
Remove 2020 sinks from TaintedPath.ql
2022-01-21 16:46:11 +00:00
Henry Mercer
c41de33156
Merge pull request #7700 from github/henrymercer/js-atm-fix-xss-results-pattern
...
JS: Fix copy/paste error in XSS ML-powered queries results patterns
2022-01-21 16:18:33 +00:00
Henry Mercer
84907f91f1
JS: Fix copy/paste error in XSS ML-powered queries results patterns
...
We didn’t catch this because our unit tests test only library code due
to the previous difficulty of running queries with an ML model (the ML
models in packs work should fix that), and because the end-to-end
evaluation runs separate queries that have different result patterns.
Going forward we should create unit tests for the queries themselves,
which will require using the ML model in tests. We should also be able
to catch this type of error using DCA.
2022-01-21 15:17:52 +00:00
Mathias Vorreiter Pedersen
117795c409
Merge pull request #7682 from MathiasVP/rewrite-return-stack-allocated-memory-to-use-ir
...
C++: Use the IR for `cpp/return-stack-allocated-memory`.
2022-01-21 14:57:30 +00:00
yoff
a77a6ec864
Merge pull request #7684 from erik-krogh/patches
...
small refactorizations across CodeQL
2022-01-21 15:04:14 +01:00
Tom Hvitved
9d89cace95
Merge pull request #7643 from michaelnebel/csharp/struct-improvements
...
C#: Struct (and to a minor extent anonymous types) improvements
2022-01-21 14:51:26 +01:00
Tony Torralba
1eaa379bb7
Merge pull request #7681 from atorralba/atorralba/improve-android-implicit-intents-query
...
Java: Improvements to the Android query Use of implicit PendingIntents
2022-01-21 13:46:17 +01:00
Tony Torralba
c7e1df5689
Update java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.qhelp
...
Co-authored-by: Felicity Chapman <felicitymay@github.com>
2022-01-21 11:57:11 +01:00
Erik Krogh Kristensen
a235f8f023
remove redundant inline type casts
2022-01-21 11:46:33 +01:00
Erik Krogh Kristensen
b75c316c27
fix non-us spelling
2022-01-21 11:46:33 +01:00
Erik Krogh Kristensen
f500bccbe4
add explicit this to member call
2022-01-21 11:46:33 +01:00
Erik Krogh Kristensen
ddfc3bc00f
use set literals instead of big disjunctions
2022-01-21 11:46:33 +01:00
Benjamin Muskalla
830c2dc90a
Merge pull request #7603 from bmuskalla/commonsIoModel
...
Java: Replace Commons IO model
2022-01-21 11:42:27 +01:00
yoff
5b9ae9cede
Merge pull request #7659 from RasmusWL/move-regex-injection-files
...
Python: Move regex injection configuration files
2022-01-21 11:42:06 +01:00
Tony Torralba
0846d1f7b6
Merge pull request #7691 from atorralba/atorralba/fix-recursion-entrypointfieldstep
...
Java: Fix recursion in `entrypointFieldStep`
2022-01-21 11:37:58 +01:00
Tony Torralba
3f6e035016
Docs improvements
2022-01-21 11:37:02 +01:00
yoff
4fd0ada9a8
Merge pull request #7652 from RasmusWL/cleartext-remove-fps
...
Python: Remove usernames as sensitive source for cleartext queries
2022-01-21 11:30:40 +01:00
Tony Torralba
d22632ef78
Fix recursion in entrypointFieldStep
...
When using local taint tracking to define a RemoteFlowSource, a recursion was created because entrypointFieldStep adds new RemoteFlowSources and was a local taint step. This is fixed by converting entrypointFieldStep into a defaultAdditionalTaintStep instead of a localAdditionalTaintStep, i.e. it will only affect global taint tracking from now on.
2022-01-21 10:48:13 +01:00
CodeQL CI
b02f1c87a1
Merge pull request #7679 from erik-krogh/ql-doc-style
...
Approved by esbena
2022-01-20 23:43:44 -08:00
CodeQL CI
2287b6e549
Merge pull request #7675 from erik-krogh/move-url-sink-to-customizations
...
Approved by esbena
2022-01-20 23:43:15 -08:00
Erik Krogh Kristensen
15c1ce722a
Merge pull request #7678 from erik-krogh/use-set
...
JS: use more set literals
2022-01-20 21:03:48 +01:00
Mathias Vorreiter Pedersen
bd1720f797
C++: Add change note.
2022-01-20 18:27:09 +00:00
Mathias Vorreiter Pedersen
e689f6bad2
C++: Use the IR for 'cpp/return-stack-allocated-memory'.
2022-01-20 18:22:49 +00:00
Tony Torralba
6fe0b78978
Remove PendingIntentAsField step and add SliceProviderLifecycle step
2022-01-20 16:52:07 +01:00
Erik Krogh Kristensen
2bffe56580
update expected output
2022-01-20 16:06:57 +01:00
Erik Krogh Kristensen
3155114e36
use more set literals
2022-01-20 16:06:34 +01:00
Anders Schack-Mulligen
fede7dd238
Merge pull request #7676 from aschackmull/java/instanceaccessnode
...
Java: Add data flow node encapsulating instance accesses.
2022-01-20 15:40:21 +01:00
Erik Krogh Kristensen
a77b2b0209
Merge pull request #7668 from erik-krogh/simplify-casts
...
simplify expressions that could be type-casts
2022-01-20 15:20:18 +01:00
Erik Krogh Kristensen
5780161b2c
fix most issues found by ql/class-doc-style in JS
2022-01-20 15:10:16 +01:00
Alex Ford
9613ff743b
Merge pull request #7611 from github/ruby/protect_from_forgery-without-exception
...
Ruby: flag up `protect_from_forgery` calls without an exception strategy
2022-01-20 13:45:30 +00:00
Tony Torralba
caab1c3332
Merge pull request #6963 from atorralba/atorralba/android-onactivityresult-source
...
Android: Add the Intent parameter of the `onActivityResult` method as a source
2022-01-20 14:27:30 +01:00
Tony Torralba
29e87b3abd
Merge pull request #6975 from atorralba/atorralba/android-intent-uri-permission-manipulation
...
Java: CWE-266 - Query to detect Intent URI Permission Manipulation in Android applications
2022-01-20 14:27:02 +01:00
Geoffrey White
b230681bc8
Merge pull request #7650 from geoffw0/clrtxt3
...
C++: Improve cpp/cleartext-transmission
2022-01-20 13:21:54 +00:00
Rasmus Wriedt Larsen
f53dce3a83
Python: Apply suggestions from code review
...
Co-authored-by: Taus <tausbn@github.com>
2022-01-20 14:20:15 +01:00
Anders Schack-Mulligen
43da5aabbe
Java: Add dataflow node encapsulating instance accesses.
2022-01-20 14:12:33 +01:00
Erik Krogh Kristensen
7167e856fe
move electron sink to the customizations file
2022-01-20 14:07:23 +01:00
Tony Torralba
62f847a82e
Apply suggestions from code review
...
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2022-01-20 13:44:10 +01:00
Tony Torralba
3957ebe880
Fix bitwiseLocalTaintStep
2022-01-20 13:34:32 +01:00
Tony Torralba
265f8a3b19
Make bitwise taintsteps specific for this query
2022-01-20 13:23:56 +01:00
Tony Torralba
4e9849e19d
Refactor IntentFlagsOrDataCheckedGuard to avoid footgun
2022-01-20 13:23:55 +01:00
Tony Torralba
62c21918b2
Add QLDoc to guard and sanitizer
2022-01-20 13:23:54 +01:00
Tony Torralba
58a0bcd70f
Apply suggestions from code review
...
Co-authored-by: Chris Smowton <smowton@github.com>
2022-01-20 13:23:53 +01:00
Tony Torralba
8767d2db23
Don't capitalize the term content provider
...
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
2022-01-20 13:23:52 +01:00
Tony Torralba
596cfd399e
Improve description
2022-01-20 13:23:52 +01:00