hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-18 11:21:07 +02:00
Code Issues Packages Projects Releases Wiki Activity
54,136 Commits 1,778 Branches 169 Tags
77ee80fd81fc511a8183ae4e4bce9dfec2b23e4e
Commit Graph

391 Commits

Author SHA1 Message Date
Kasper Svendsen
46727af948 Go: Enable warnings for implicit this receivers 2023-05-03 15:41:55 +02:00
Owen Mansel-Chan
3f645e9401 Merge pull request #13006 from kaspersv/kaspersv/go-explicit-this-receivers 
Go: Make implicit this receivers explicit
 2023-05-03 13:47:10 +01:00
Ian Lynagh
b56b843d13 Merge pull request #12987 from github/post-release-prep/codeql-cli-2.13.1 
Post-release preparation for codeql-cli-2.13.1
 2023-05-03 13:12:10 +01:00
Kasper Svendsen
e969018f99 Go: Make implicit this receivers explicit 2023-05-03 12:45:42 +02:00
github-actions[bot]
18d4af994d Post-release preparation for codeql-cli-2.13.1 2023-05-02 10:50:20 +00:00
Anders Schack-Mulligen
ca09649679 Dataflow: Forward hasLocationInfo. 2023-05-02 10:48:32 +02:00
Anders Schack-Mulligen
5927bb2030 Dataflow: Replace "extends Node" with "instanceof Node". 2023-05-02 09:48:34 +02:00
Anders Schack-Mulligen
6c8cb0dc5e Merge pull request #12930 from aschackmull/dataflow/split-typedcontent 
Dataflow: Refactor access paths to split TypedContent into an explicit pair
 2023-05-01 14:58:15 +02:00
github-actions[bot]
3bd29171fb Release preparation for version 2.13.1 2023-04-28 12:14:35 +00:00
Michael B. Gale
edfe2d7ab7 Merge pull request #12944 from github/mbg/go/html-template-sanitizers 
Go: Add `html/template` functions as sanitisers for XSS queries
 2023-04-28 12:15:57 +01:00
Anders Schack-Mulligen
71ae0909d8 Dataflow: Enforce type pruning in all forward stages. 2023-04-27 14:55:26 +02:00
Anders Schack-Mulligen
9140cbefc0 Dataflow: Sync. 2023-04-27 14:55:23 +02:00
Michael B. Gale
1aa1153ed6 Go: Add html/template as XSS queries sanitizer 2023-04-26 21:21:52 +01:00
Anders Schack-Mulligen
d681671356 Dataflow: Sync. 2023-04-26 14:45:07 +02:00
Michael Nebel
656d8d2451 Sync files. 2023-04-20 11:29:51 +02:00
Alex Ford
924ce250dd Merge pull request #12847 from github/post-release-prep/codeql-cli-2.13.0 
Post-release preparation for codeql-cli-2.13.0
 2023-04-18 14:40:40 +01:00
github-actions[bot]
648f0e19ec Post-release preparation for codeql-cli-2.13.0 2023-04-17 15:39:24 +00:00
github-actions[bot]
075d063370 Release preparation for version 2.13.0 2023-04-14 13:31:30 +00:00
Owen Mansel-Chan
8a4ca7fb84 Merge pull request #10026 from pwntester/patch-2 
Go: Partial URLs should not sanitize against SSRF
 2023-04-14 13:52:11 +01:00
Owen Mansel-Chan
352866b52d Add change note 2023-04-14 12:00:38 +01:00
Owen Mansel-Chan
a42dbc5bab Fix formatting again 2023-04-14 12:00:38 +01:00
Owen Mansel-Chan
d407a689fa Fix formatting by deleting spaces no blank line 2023-04-14 12:00:38 +01:00
Owen Mansel-Chan
169bde8671 Fix formatting by deleting blank line 2023-04-14 12:00:38 +01:00
Alvaro Muñoz
8bf4b55309 Partial URLs should not sanitize against SSRF 
As an example:

```go
	urlPath := ctx.Req.URL.Path
	hash := urlPath[strings.LastIndex(urlPath, "/")+1:]
        req, _ := http.NewRequest("GET", source+hash, nil)
```
 2023-04-14 12:00:38 +01:00
Alex Eyers-Taylor
c6a482819a Bump all qlpacks major versions 2023-04-13 19:15:27 +01:00
Michael Nebel
52bc43b22b Merge pull request #12595 from michaelnebel/enhanceprovenance 
Java/C# : Enhance provenance.
 2023-04-13 14:27:53 +02:00
Alex Ford
8c46bfd051 Merge pull request #12816 from github/rc/3.9 
Merge `rc/3.9` into `main`
 2023-04-13 12:35:41 +01:00
Michael Nebel
917cf7bfee Go: Update provenance validation. 2023-04-13 09:21:05 +02:00
Michael Nebel
1d82b09ec1 Sync files. 2023-04-13 09:21:05 +02:00
Chris Smowton
7eefa43f5a Rename and document viableArgParamSpecific to make clear it is a temporary hook. 2023-04-12 14:33:46 +01:00
Chris Smowton
1706367b34 Document DataFlowCallable 2023-04-12 14:24:21 +01:00
Chris Smowton
4d8ca3d759 Add dataflow callback to filter out receiver argument flow to Golang interface dispatch candidates. 
Other langauges stub the callback.
 2023-04-12 14:19:06 +01:00
Chris Smowton
7ffe863ba6 Remove addressed FIXME 
This was addressed by adding `getAPackageWithSummarizedCallables`
 2023-04-12 14:19:06 +01:00
Chris Smowton
985e07d902 pragma[nomagic] hasQualifiedName 
These are cheap and frequently-used, and magicking them with respect to `interpretPackage` was yielding expensive, unnecessary regex operations.
 2023-04-12 14:19:06 +01:00
Chris Smowton
0129167cc4 Convert Beego's MapGet method to MaD 2023-04-12 14:19:06 +01:00
Chris Smowton
b86f0cf268 Sort models 2023-04-12 14:19:06 +01:00
Chris Smowton
12527e406b Remove unnecessary model 
This referred to a private type
 2023-04-12 14:19:05 +01:00
Chris Smowton
3cea01b6c8 Fix functions with multiple models 
In some cases multiple return value outputs can be coalesced, and in others we had accidentally conflated two independent flows (e.g. Arg1 -> Arg2 | Arg3 -> Arg4 led to accidentally introducing Arg1 -> Arg4 and Arg3 -> Arg2)
 2023-04-12 14:19:05 +01:00
Chris Smowton
4a89dbc498 Revert "Remove unnecessary models" 
This reverts commit 12eaedc188487275e8cd6bed4a4318fed4d4b752.

We can't do this now, because there is nothing to guarantee an interface has actually been extracted, and therefore whether a model will get applied. Therefore explicitly modelling methods that may be interface implementations where the interface is in a different package may still make a difference to behaviour.
 2023-04-12 14:19:05 +01:00
Chris Smowton
3f6ceccbe8 US spelling 2023-04-12 14:19:05 +01:00
Chris Smowton
ed56461ed7 Remove unnecessary models 
These are inherited from Stringer, Reader, Writer and BinaryMarshaler
 2023-04-12 14:19:05 +01:00
Chris Smowton
19e8974766 Fix comment 2023-04-12 14:19:05 +01:00
Chris Smowton
1a7927d3a1 Fix x/net/html.EscapeString modelling 
This had never worked due to accidentally extending non-abstract class HtmlEscapeFunction; consequently it was neither a taint propagator in general, nor an HTML escape function. Added tests to ensure it is now behaving as intended.
 2023-04-12 14:19:04 +01:00
Chris Smowton
fa4145b5e4 Remove dead code 2023-04-12 14:19:04 +01:00
Chris Smowton
8a06ca5a43 Allow $ANYVERSION token in Go package names 2023-04-12 14:19:04 +01:00
Chris Smowton
952bc8458f Use explicit this 2023-04-12 14:19:04 +01:00
Chris Smowton
affe42b079 Use US spelling 2023-04-12 14:19:04 +01:00
Chris Smowton
aaa7f34386 Fix mixing of source and summary models 2023-04-12 14:19:04 +01:00
Chris Smowton
18d00c1116 Autoformat QL 2023-04-12 14:19:03 +01:00
Chris Smowton
8fb75f412a Consider MaD models ref whether a package should be considered an unknown external. 2023-04-12 14:19:03 +01:00