codeql

mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00

Author	SHA1	Message	Date
dependabot[bot]	e9a1fa9592	Bump chrono from 0.4.31 to 0.4.32 in /ql Bumps [chrono](https://github.com/chronotope/chrono) from 0.4.31 to 0.4.32. - [Release notes](https://github.com/chronotope/chrono/releases) - [Changelog](https://github.com/chronotope/chrono/blob/main/CHANGELOG.md) - [Commits](https://github.com/chronotope/chrono/compare/v0.4.31...v0.4.32) --- updated-dependencies: - dependency-name: chrono dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2024-01-23 03:12:14 +00:00
Taus	24b37ffd36	Merge pull request #15187 from github/max-schaefer/py-url-redirection Python: Add support for more URL redirect sanitisers.	2024-01-22 23:19:36 +01:00
Henry Mercer	6724dea54d	C#: Enable standalone extraction via `--build-mode`	2024-01-22 19:12:07 +00:00
Alex Eyers-Taylor	891d398c3f	CPP: Fix join ordering hints	2024-01-22 19:00:18 +00:00
erik-krogh	865df920f9	add change-notes	2024-01-22 19:30:57 +01:00
Ed Minnix	a6c977c169	Use appropriate pack for test models	2024-01-22 12:24:21 -05:00
Max Schaefer	5c43a0b1e4	Merge pull request #15356 from github/max-schaefer/automodel-void-source-candidates Automodel: Switch tests to inline expectations	2024-01-22 17:05:10 +00:00
Rasmus Wriedt Larsen	00dc55d825	Python: Add change-note	2024-01-22 17:32:33 +01:00
Rasmus Wriedt Larsen	cbed6e861d	Python: Add `html.escape` as HTML sanitizer	2024-01-22 17:32:28 +01:00
Benjamin Rodes	da10e6ca5b	Moving FlowAfterFree and UseAfterFree.qll as a general purpose lib.	2024-01-22 11:18:03 -05:00
Ed Minnix	ff6d4c6ae6	Deprecation message	2024-01-22 11:09:53 -05:00
Ed Minnix	0ff12c07c7	Convert existing mapped-property classes to directly extend `DatabaseInputSource`	2024-01-22 11:09:51 -05:00
Ed Minnix	975327648c	Remove commented-out code	2024-01-22 11:09:50 -05:00
Ed Minnix	51564200a1	Documentation for FlowSources library	2024-01-22 11:09:48 -05:00
Ed Minnix	83e66136ce	Change note	2024-01-22 11:09:46 -05:00
Ed Minnix	c530fbd9f8	C# Threat Modeling Tests	2024-01-22 11:09:45 -05:00
Ed Minnix	3c9c07ec40	Rename `SourceNode.qll` to `FlowSources.qll`	2024-01-22 11:09:43 -05:00
Ed Minnix	392eac5f9a	Refactor source node classes to use `SourceNode` superclass Refactor the existing flowsource classes to use the `SourceNode` class to specify which threat model they support.	2024-01-22 11:09:41 -05:00
Ed Minnix	d29df68c97	Introduce the `SourceNode` and `ThreatModelFlowSource` classes 1. Introduces the `SourceNode` class which allows dataflow nodes representing sources to indicate the threat model they are associated with. 2. Introduces the `ThreatModelFlowSource` class which represents a source node which respects the threat model configuration	2024-01-22 11:09:39 -05:00
Ed Minnix	ad093fde4f	Add dependency on codeql/threat-models shared library	2024-01-22 11:09:38 -05:00
Taus	d6d59377d3	Python: Fix flow through `deepcopy` Or, more generally, any copy step, as these presumably do not preserve object identity. (Arguably, `copy` could still be susceptible to interior mutability, but I think that's outside the scope of this query anyway.)	2024-01-22 15:40:30 +00:00
Benjamin Rodes	2181fcf284	Updating .expected to account for new free/deallocation sources.	2024-01-22 10:36:24 -05:00
Taus	14c958ac4d	Python: Remove mutable default sources from inside stdlib	2024-01-22 15:23:52 +00:00
Taus	411c107660	Python: Add tests for `deepcopy` FPs There are two issues with `deepcopy` here. Firstly, the `deepcopy` function itself has a mutable default value in its parameter `_nil` (set to the empty list by default). Now, this value is never actually returned from `deepcopy`, as it is only used as a sentinel, but our analysis is not clever enough to see this. Thus, it thinks that this mutable default is returned, and hence the result of any call to `deepcopy` is a potential source. To remedy this, I opted to simply exclude all sources that originate from within the standard library. It is very unlikely for any of the sources in the standard library to be legit. Secondly, `deepcopy` -- by virtue of being a function that we model as preserving values -- admits data-flow through its calls, but this is not correct for the mutable default query, as it is here the _identity_ of the default value in question that is important. Thus, we get spurious flow through `deepcopy` for this specific query.	2024-01-22 15:21:57 +00:00
Tamas Vajk	de4e3963e7	C#: Try fallback nuget restore without nuget.config	2024-01-22 15:42:06 +01:00
Tamas Vajk	7c290ee2ba	C#: Add integration test with nuget.config	2024-01-22 15:36:38 +01:00
Geoffrey White	0a8869c636	Merge pull request #15385 from geoffw0/swiftfiles Swift: Report any extracted file as successfully extracted	2024-01-22 14:24:05 +00:00
Taus	4742481070	Python: Consolidate "mutable default" tests Moves the existing tests into the `ModificationOfParameterWithDefault` subdirectory which already contained a bunch more tests. In the process, I also removed some duplicated test cases.	2024-01-22 13:50:33 +00:00
Max Schaefer	a4639c7ff9	Update qhelp to mention solution using urlparse.	2024-01-22 13:36:12 +00:00
Max Schaefer	17e3a45ad7	Apply suggestions from code review Co-authored-by: Taus <tausbn@github.com>	2024-01-22 13:36:12 +00:00
Max Schaefer	98178458d0	Python: Add support for more URL redirect sanitisers. Since some sanitisers don't handle backslashes correctly, I updated the data-flow configuration to incorporate a flow state tracking whether or not backslashes have been eliminated or converted to forward slashes.	2024-01-22 13:24:18 +00:00
Max Schaefer	99c99145a2	Rename {source,sink}Model to {source,sink}ModelCandidate.	2024-01-22 13:10:51 +00:00
Michael Nebel	1bb6f4962d	C#: Match any {digit} in the format string.	2024-01-22 14:03:37 +01:00
Geoffrey White	58c4bf5915	Merge branch 'main' into cppfiles	2024-01-22 12:24:33 +00:00
Max Schaefer	a3816d75b3	Remove redundant imports.	2024-01-22 10:54:01 +00:00
Max Schaefer	78e5a1a546	Autoformat.	2024-01-22 10:45:33 +00:00
Michael Nebel	b006b28e8a	C#: Add change note.	2024-01-22 11:28:27 +01:00
Michael Nebel	5016113a0f	C#: Add a string.Format sanitizer to url redirect and update expected test output.	2024-01-22 11:21:35 +01:00
Michael Nebel	884f3f1505	C#: Add string interpolation expression sanitizer to url redirect and update expected test output.	2024-01-22 11:21:19 +01:00
Michael Nebel	e33d5b5fb6	C#: Add some test examples for UrlRedirect using string interpolation and string.Format.	2024-01-22 09:42:23 +01:00
erik-krogh	f60c01e3a8	Py: delete import that no longer exists	2024-01-22 09:22:50 +01:00
erik-krogh	0511786a22	delete typo files from list of synchronized files	2024-01-22 09:15:27 +01:00
erik-krogh	8be7eadace	delete outdated deprecations	2024-01-22 09:11:35 +01:00
Erik Krogh Kristensen	6533269387	Merge pull request #15392 from github/dependabot/cargo/ql/regex-1.10.3 Bump regex from 1.10.2 to 1.10.3 in /ql	2024-01-22 08:29:35 +01:00
dependabot[bot]	eb1a0fece8	Bump regex from 1.10.2 to 1.10.3 in /ql Bumps [regex](https://github.com/rust-lang/regex) from 1.10.2 to 1.10.3. - [Release notes](https://github.com/rust-lang/regex/releases) - [Changelog](https://github.com/rust-lang/regex/blob/master/CHANGELOG.md) - [Commits](https://github.com/rust-lang/regex/compare/1.10.2...1.10.3) --- updated-dependencies: - dependency-name: regex dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2024-01-22 03:54:51 +00:00
Geoffrey White	a39bb8c037	Swift: Rename the query file.	2024-01-19 17:58:58 +00:00
Geoffrey White	c515ea3f8a	Swift: Change note.	2024-01-19 17:58:58 +00:00
Geoffrey White	ed602642b6	Swift: Basic test for getRelativePath.	2024-01-19 17:58:58 +00:00
Geoffrey White	8cf691a477	Swift: Add File.getRelativePath and update swift/diagnostics/successfully-extracted-files.	2024-01-19 17:58:58 +00:00
Ian Lynagh	60a59cb89e	Kotlin: Update 2.0.0 version support	2024-01-19 17:52:38 +00:00

... 3 4 5 6 7 ...

63284 Commits