hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-04 18:20:18 +01:00
Code Issues Packages Projects Releases Wiki Activity
57,473 Commits 1,673 Branches 157 Tags
79368c187cb7dc0fc85ee6702363e2405ace529c
Commit Graph

57473 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Robert Marsh
79368c187c Swift: fixes around DictionaryContent 2023-08-15 19:34:27 +00:00
Robert Marsh
a9f5471e76 Swift: add tests for broken dictionary flow case 2023-08-15 17:58:21 +00:00
Robert Marsh
3f0a249aea Swift: Autoformat Dictionary.qll 2023-08-11 18:42:37 +00:00
Robert Marsh
f047161741 Swift: Change note for dictionary flow 2023-08-11 17:33:45 +00:00
Robert Marsh
653a229482 Swift: QLDoc for Dicitonary.qll 2023-08-11 17:32:29 +00:00
Robert Marsh
f5fac66627 Swift: autoformat 2023-08-11 17:31:39 +00:00
Robert Marsh
d3c68c773a Swift: Add Dictionary models 2023-08-10 20:53:16 +00:00
Robert Marsh
70c2ef599a Swift: collection/tuple content for dictionary flow 2023-08-10 20:52:47 +00:00
Robert Marsh
36bdadfc36 Merge pull request #13933 from geoffw0/madtuples 
Swift: Models-as-data support for tuple content
 2023-08-10 14:17:45 -04:00
Erik Krogh Kristensen
3e2c6d69f9 Merge pull request #13940 from erik-krogh/rate-default 
JS: change the defaults in the qhelp for missing-rate-limit to something more reasonable
 2023-08-10 19:25:33 +02:00
Tom Hvitved
5a6ce293cc Merge pull request #13942 from hvitved/dataflow/variable-capture-consistency-fix 2023-08-10 16:20:28 +02:00
Tom Hvitved
9b38028e25 Data flow: Fix localWriteStep consistency query 2023-08-10 15:31:04 +02:00
Michael Nebel
f6aca58dbb Merge pull request #13885 from michaelnebel/csharp/linqforeach 
C#: LINQ recommendation queries.
 2023-08-10 14:55:11 +02:00
Mathias Vorreiter Pedersen
f9fc79b16f Merge pull request #13930 from geoffw0/uitextinput 
Swift: Flow sources for UITextInput
 2023-08-10 13:05:47 +01:00
erik-krogh
5ffce86768 change the defaults in the qhelp for missing-rate-limit to something more reasonable 2023-08-10 13:40:17 +02:00
Ian Lynagh
f377d25c23 Merge pull request #13919 from igfoo/igfoo/useFunction 
Kotlin: useFunction might return null
 2023-08-10 12:17:20 +01:00
Tom Hvitved
4e954c29a2 Merge pull request #13936 from hvitved/ruby/captured-access-fix 
Ruby: Fix bug in `isCapturedAccess`
 2023-08-10 13:15:48 +02:00
Tom Hvitved
b99b6b85ba Merge pull request #13927 from hvitved/csharp/fix-bad-join 
C#: Fix bad join order
 2023-08-10 13:04:16 +02:00
Harry Maclean
a58aa17c7a Merge pull request #13878 from hmac/splat-flow 
Ruby: Track flow from splat arguments to positional parameters
 2023-08-10 12:01:38 +01:00
Jeroen Ketema
2e338cc7b4 Merge pull request #13929 from jketema/buffer 
C++: Only consider the maximum buffer size for badly bounded write
 2023-08-10 10:40:37 +02:00
Tom Hvitved
e40f0a7350 Ruby: Fix bug in isCapturedAccess 2023-08-10 09:37:04 +02:00
Tom Hvitved
e7acf8c3a8 Ruby: Add test 2023-08-10 08:53:00 +02:00
Geoffrey White
c20a17e7b7 Swift: Update the consistency test .expecteted as well. 2023-08-09 15:47:28 +01:00
Rasmus Wriedt Larsen
51a05286fa Merge pull request #13731 from pwntester/py/aiohttp_improvements 
Python: Aiohttp improvements
 2023-08-09 16:37:20 +02:00
Geoffrey White
23f0dd5542 Swift: Support MAD tuple content flow. 2023-08-09 15:08:11 +01:00
Harry Maclean
b03f6efa60 Ruby: Refactor 2023-08-09 15:01:40 +01:00
Harry Maclean
142393b599 Ruby: Handle unknown content in splat flow 2023-08-09 15:01:40 +01:00
Harry Maclean
4239268efd Ruby: Prevent some false flow into splat params 
In cases where there are positional parameters after a splat parameter,
don't attempt to match the splat parameter to a splat argument. We need
more sophisticated modelling to handle these cases, which is future
work.
 2023-08-09 15:01:40 +01:00
Harry Maclean
6f3e2cdde3 Ruby: Add change note 2023-08-09 15:01:40 +01:00
Harry Maclean
c0baa5116f Ruby: add test for example splat arg/param matches 2023-08-09 15:01:40 +01:00
Harry Maclean
72356d1515 Ruby: track flow from *args to positional params 
This models flow in the following case:

    def foo(x, y)
      sink x # 1
      sink y # 2
    end

    args = [source 1, source 2]
    foo(*args)

We do this by introducing a SynthSplatParameterNode which accepts
content from the splat argument, if one is given at the callsite.
From this node we add read steps to each positional parameter.
 2023-08-09 15:01:40 +01:00
Jeroen Ketema
e04d30a676 C++: Update expected test changes due to the line in test2.cpp having shifted 2023-08-09 15:50:07 +02:00
Jeroen Ketema
6100425274 C++: Add change note 2023-08-09 15:47:19 +02:00
Geoffrey White
b4b2338144 Swift: Test for MAD tuple content flow. 2023-08-09 14:41:32 +01:00
Ian Lynagh
0eb6d1c76e Kotlin: useFunction might return null 2023-08-09 13:45:15 +01:00
Michael B. Gale
01ff690d51 Merge pull request #13923 from github/mbg/go/bump-go-libraries 2023-08-09 11:36:35 +01:00
Mathias Vorreiter Pedersen
da66136ded Merge pull request #13911 from MathiasVP/fix-taint-for-frontend-upgrade 
C++: Fix taint-flow in preparation for frontend upgrade
 2023-08-09 11:30:07 +01:00
Jeroen Ketema
d0e7354a1b C++: Only consider the maximum buffer size for badly bounded write 2023-08-09 12:30:00 +02:00
Jeroen Ketema
9572b9d308 C++: Add test where buffer initialized with literal is reassigned an allocation 2023-08-09 12:26:10 +02:00
Rasmus Wriedt Larsen
c0dec21546 Merge pull request #13925 from RasmusWL/fixup-script 
Misc: Fixup `accept-expected-changes-from-ci.py`
 2023-08-09 11:45:34 +02:00
Tom Hvitved
7dac819730 C#: Fix bad join order 
Before
```
Evaluated recursive predicate Stmt#3baf294a::TryStmt::getATriedElement#ff@8254eapb in 6096ms on iteration 4 (delta size: 592145).
Evaluated relational algebra for predicate Stmt#3baf294a::TryStmt::getATriedElement#ff@8254eapb on iteration 4 running pipeline standard with tuple counts:
          204507  ~0%    {2} r1 = SCAN Stmt#3baf294a::TryStmt::getATriedElement#ff#prev_delta OUTPUT In.1, In.0
          204507  ~0%    {3} r2 = JOIN r1 WITH _@callable#f_ControlFlowElement#9501aa28::ControlFlowElement::getEnclosingCallable#0#dispred#ff_10#j__#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.0, Lhs.1
        17844283  ~0%    {3} r3 = JOIN r2 WITH ControlFlowElement#9501aa28::ControlFlowElement::getEnclosingCallable#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1, Rhs.1, Lhs.2
          592145  ~0%    {2} r4 = JOIN r3 WITH Element#baf0c59e::Element::getAChild#0#dispred#ff ON FIRST 2 OUTPUT Lhs.2, Lhs.1
          592145  ~0%    {2} r5 = r4 AND NOT Stmt#3baf294a::TryStmt::getATriedElement#ff#prev(Lhs.0, Lhs.1)
                         return r5
```

After
```
Evaluated recursive predicate Stmt#3baf294a::TryStmt::getATriedElement#ff@4adecd47 in 310ms on iteration 4 (delta size: 592145).
Evaluated relational algebra for predicate Stmt#3baf294a::TryStmt::getATriedElement#ff@4adecd47 on iteration 4 running pipeline standard with tuple counts:
        204507  ~0%    {2} r1 = SCAN Stmt#3baf294a::TryStmt::getATriedElement#ff#prev_delta OUTPUT In.1, In.0
        204507  ~0%    {2} r2 = r1 AND NOT _statements_10#join_rhs#antijoin_rhs#13(Lhs.0)
        592145  ~2%    {3} r3 = JOIN r2 WITH Element#baf0c59e::Element::getAChild#0#dispred#ff ON FIRST 1 OUTPUT Lhs.0, Lhs.1, Rhs.1
        592145  ~0%    {3} r4 = JOIN r3 WITH ControlFlowElement#9501aa28::ControlFlowElement::getEnclosingCallable#0#dispred#ff ON FIRST 1 OUTPUT Lhs.2, Rhs.1, Lhs.1
        592145  ~0%    {2} r5 = JOIN r4 WITH ControlFlowElement#9501aa28::ControlFlowElement::getEnclosingCallable#0#dispred#ff ON FIRST 2 OUTPUT Lhs.2, Lhs.0
        592145  ~0%    {2} r6 = r5 AND NOT Stmt#3baf294a::TryStmt::getATriedElement#ff#prev(Lhs.0, Lhs.1)
                       return r6
```
 2023-08-09 11:28:06 +02:00
Rasmus Wriedt Larsen
69aa099ed1 Misc: Fixup accept-expected-changes-from-ci.py 
I guess there has been a rename of the URL from `/jobs/` to `/job/`, since the script has been working previously.
 2023-08-09 10:44:31 +02:00
Geoffrey White
e828d8dace Swift: Add UIKit to supported-frameworks.rst as well. 2023-08-09 09:25:43 +01:00
Geoffrey White
131b2b3e0c Swift: Change note. 2023-08-09 09:25:43 +01:00
Geoffrey White
09346c76e7 Swift: Add models. 2023-08-09 09:25:43 +01:00
Mathias Vorreiter Pedersen
499b6f35e5 C++: Also key SSA defs and uses by the base address. 2023-08-09 08:44:16 +01:00
Mathias Vorreiter Pedersen
e2feed78a0 C++: Generate SSA variables for all calls instead of just for calls to 
allocators.
 2023-08-09 08:44:10 +01:00
Michael Nebel
560b876c01 Merge pull request #13891 from felickz/csharp-hardcoded-cred-identity-fp 
cs/hardcoded-credentials - Removes false positive matches on benign Microsoft.AspNetCore.Identity properties
 2023-08-09 08:32:36 +02:00
Chad Bentz
fa23a45f9d Merge branch 'main' into csharp-hardcoded-cred-identity-fp 2023-08-08 17:48:27 -04:00
Geoffrey White
cb6aed18f3 Swift: Add tests. 2023-08-08 22:29:53 +01:00