hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-18 11:21:07 +02:00
Code Issues Packages Projects Releases Wiki Activity
54,136 Commits 1,778 Branches 169 Tags
77ee80fd81fc511a8183ae4e4bce9dfec2b23e4e
Commit Graph

622 Commits

Author SHA1 Message Date
Kasper Svendsen
46727af948 Go: Enable warnings for implicit this receivers 2023-05-03 15:41:55 +02:00
Owen Mansel-Chan
3f645e9401 Merge pull request #13006 from kaspersv/kaspersv/go-explicit-this-receivers 
Go: Make implicit this receivers explicit
 2023-05-03 13:47:10 +01:00
Ian Lynagh
b56b843d13 Merge pull request #12987 from github/post-release-prep/codeql-cli-2.13.1 
Post-release preparation for codeql-cli-2.13.1
 2023-05-03 13:12:10 +01:00
Kasper Svendsen
e969018f99 Go: Make implicit this receivers explicit 2023-05-03 12:45:42 +02:00
github-actions[bot]
18d4af994d Post-release preparation for codeql-cli-2.13.1 2023-05-02 10:50:20 +00:00
Anders Schack-Mulligen
ca09649679 Dataflow: Forward hasLocationInfo. 2023-05-02 10:48:32 +02:00
Anders Schack-Mulligen
5927bb2030 Dataflow: Replace "extends Node" with "instanceof Node". 2023-05-02 09:48:34 +02:00
Anders Schack-Mulligen
6c8cb0dc5e Merge pull request #12930 from aschackmull/dataflow/split-typedcontent 
Dataflow: Refactor access paths to split TypedContent into an explicit pair
 2023-05-01 14:58:15 +02:00
github-actions[bot]
3bd29171fb Release preparation for version 2.13.1 2023-04-28 12:14:35 +00:00
Michael B. Gale
edfe2d7ab7 Merge pull request #12944 from github/mbg/go/html-template-sanitizers 
Go: Add `html/template` functions as sanitisers for XSS queries
 2023-04-28 12:15:57 +01:00
Michael B. Gale
5a44fae515 Go: add test for unrelated A->C data flow 2023-04-28 10:56:12 +01:00
Michael B. Gale
72b082806b Go: Update html-template-escaping-passthrough 
Modify this query to apply sanitizers only in the data flow
between untrusted inputs and passthrough conversion types.
 2023-04-27 17:14:38 +01:00
Anders Schack-Mulligen
71ae0909d8 Dataflow: Enforce type pruning in all forward stages. 2023-04-27 14:55:26 +02:00
Anders Schack-Mulligen
9140cbefc0 Dataflow: Sync. 2023-04-27 14:55:23 +02:00
Michael B. Gale
1aa1153ed6 Go: Add html/template as XSS queries sanitizer 2023-04-26 21:21:52 +01:00
Anders Schack-Mulligen
d681671356 Dataflow: Sync. 2023-04-26 14:45:07 +02:00
Michael Nebel
656d8d2451 Sync files. 2023-04-20 11:29:51 +02:00
Owen Mansel-Chan
2914480ff6 Avoid platform-specific results 
These were introduced in https://github.com/github/codeql/pull/12750 but
the relevant tests that should have caught it weren't run.
 2023-04-19 11:18:19 +01:00
Alex Ford
924ce250dd Merge pull request #12847 from github/post-release-prep/codeql-cli-2.13.0 
Post-release preparation for codeql-cli-2.13.0
 2023-04-18 14:40:40 +01:00
Tom Hvitved
f6d000eb20 Merge pull request #12805 from hvitved/remove-queries-xml 
Remove all `queries.xml` files
 2023-04-18 10:52:14 +02:00
github-actions[bot]
648f0e19ec Post-release preparation for codeql-cli-2.13.0 2023-04-17 15:39:24 +00:00
github-actions[bot]
075d063370 Release preparation for version 2.13.0 2023-04-14 13:31:30 +00:00
Owen Mansel-Chan
8a4ca7fb84 Merge pull request #10026 from pwntester/patch-2 
Go: Partial URLs should not sanitize against SSRF
 2023-04-14 13:52:11 +01:00
Owen Mansel-Chan
352866b52d Add change note 2023-04-14 12:00:38 +01:00
Owen Mansel-Chan
a42dbc5bab Fix formatting again 2023-04-14 12:00:38 +01:00
Owen Mansel-Chan
d407a689fa Fix formatting by deleting spaces no blank line 2023-04-14 12:00:38 +01:00
Owen Mansel-Chan
169bde8671 Fix formatting by deleting blank line 2023-04-14 12:00:38 +01:00
Alvaro Muñoz
8bf4b55309 Partial URLs should not sanitize against SSRF 
As an example:

```go
	urlPath := ctx.Req.URL.Path
	hash := urlPath[strings.LastIndex(urlPath, "/")+1:]
        req, _ := http.NewRequest("GET", source+hash, nil)
```
 2023-04-14 12:00:38 +01:00
Alex Eyers-Taylor
c6a482819a Bump all qlpacks major versions 2023-04-13 19:15:27 +01:00
Michael Nebel
52bc43b22b Merge pull request #12595 from michaelnebel/enhanceprovenance 
Java/C# : Enhance provenance.
 2023-04-13 14:27:53 +02:00
Alex Ford
8c46bfd051 Merge pull request #12816 from github/rc/3.9 
Merge `rc/3.9` into `main`
 2023-04-13 12:35:41 +01:00
Tom Hvitved
3cc9dec9c8 Remove all queries.xml files 2023-04-13 11:18:58 +02:00
Michael Nebel
917cf7bfee Go: Update provenance validation. 2023-04-13 09:21:05 +02:00
Michael Nebel
1d82b09ec1 Sync files. 2023-04-13 09:21:05 +02:00
Chris Smowton
d648b34037 Accept test changes 
These are caused by nodes being hidden by https://github.com/github/codeql/pull/12783
 2023-04-12 15:05:04 +01:00
Chris Smowton
7eefa43f5a Rename and document viableArgParamSpecific to make clear it is a temporary hook. 2023-04-12 14:33:46 +01:00
Chris Smowton
1706367b34 Document DataFlowCallable 2023-04-12 14:24:21 +01:00
Chris Smowton
9f4b77e851 Accept test changes 2023-04-12 14:19:06 +01:00
Chris Smowton
4d8ca3d759 Add dataflow callback to filter out receiver argument flow to Golang interface dispatch candidates. 
Other langauges stub the callback.
 2023-04-12 14:19:06 +01:00
Chris Smowton
7ffe863ba6 Remove addressed FIXME 
This was addressed by adding `getAPackageWithSummarizedCallables`
 2023-04-12 14:19:06 +01:00
Chris Smowton
985e07d902 pragma[nomagic] hasQualifiedName 
These are cheap and frequently-used, and magicking them with respect to `interpretPackage` was yielding expensive, unnecessary regex operations.
 2023-04-12 14:19:06 +01:00
Chris Smowton
0129167cc4 Convert Beego's MapGet method to MaD 2023-04-12 14:19:06 +01:00
Chris Smowton
b86f0cf268 Sort models 2023-04-12 14:19:06 +01:00
Chris Smowton
12527e406b Remove unnecessary model 
This referred to a private type
 2023-04-12 14:19:05 +01:00
Chris Smowton
2abffccded Accept test changes 2023-04-12 14:19:05 +01:00
Chris Smowton
3cea01b6c8 Fix functions with multiple models 
In some cases multiple return value outputs can be coalesced, and in others we had accidentally conflated two independent flows (e.g. Arg1 -> Arg2 | Arg3 -> Arg4 led to accidentally introducing Arg1 -> Arg4 and Arg3 -> Arg2)
 2023-04-12 14:19:05 +01:00
Chris Smowton
4a89dbc498 Revert "Remove unnecessary models" 
This reverts commit 12eaedc188487275e8cd6bed4a4318fed4d4b752.

We can't do this now, because there is nothing to guarantee an interface has actually been extracted, and therefore whether a model will get applied. Therefore explicitly modelling methods that may be interface implementations where the interface is in a different package may still make a difference to behaviour.
 2023-04-12 14:19:05 +01:00
Chris Smowton
3f6ceccbe8 US spelling 2023-04-12 14:19:05 +01:00
Chris Smowton
8c553ec0fc Autoformat go 2023-04-12 14:19:05 +01:00
Chris Smowton
ac4dcc6c4b Add ioutil usage to TaintSteps test 
It appears at present the Go standard library imports the deprecated io/ioutil package internally on some platforms but not others. Therefore I add a test explicitly using it to make the test behave more uniformly.
 2023-04-12 14:19:05 +01:00