hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-12 05:01:06 +01:00
Code Issues Packages Projects Releases Wiki Activity
8,320 Commits 1,690 Branches 160 Tags
8476bc7d42e9a201813d84d4be58baa146d3caed
Commit Graph

8320 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rasmus Wriedt Larsen
8476bc7d42 Python: correctly handle flask.make_response 
Fixes https://github.com/Semmle/ql/issues/1572

Adjust mock so it's more aligned with what the flask code actually does. Tests
were passing before, even though we didn't handle the case in real code :\
 2019-11-11 17:24:36 +01:00
Rasmus Wriedt Larsen
002190f8db Python: Autoformat flask library 2019-11-11 17:18:26 +01:00
Rasmus Wriedt Larsen
a9d43a2c49 Python: Modernise flask library 2019-11-11 17:18:26 +01:00
Rasmus Wriedt Larsen
edfcf39137 Python: Add flask tests from internal repo 2019-11-11 17:18:26 +01:00
Jonas Jensen
ec79bfacf8 Merge pull request #2249 from geoffw0/tlsperf 
CPP: TlsSettingsMisconfiguration.ql performance and cleanup
 2019-11-11 16:47:53 +01:00
Jonas Jensen
f2a9876c2a Merge pull request #2003 from geoffw0/formatarg 
CPP: WrongTypeFormatArguments.ql Fix
 2019-11-11 16:07:37 +01:00
Jonas Jensen
d9bdb2cd4e Merge pull request #2274 from geoffw0/oddsends 
CPP: Clean up new queries and libraries
 2019-11-11 16:05:20 +01:00
Taus
e576395c90 Merge pull request #2241 from RasmusWL/python-always-legacy-conf 
Python: Always enable legacy taint tracking configuration
 2019-11-11 16:00:04 +01:00
James Fletcher
c33d28542e Merge pull request #2294 from felicitymay/1.22-mergeback-master 
1.22 mergeback master
 2019-11-11 14:14:09 +00:00
Geoffrey White
e77fefaf9e Merge pull request #2295 from jbj/self-comparison-templates 
C++: Suppress PointlessSelfComparison.ql on templates
 2019-11-11 14:12:55 +00:00
Felicity Chapman
37c78bf1ea Fix poor conflict resolution in training slides 2019-11-11 13:11:28 +00:00
Jonas Jensen
97cc0ebc8c C++: Suppress PointlessSelfComparison on templates 
It's a bit crude to suppress all results in instantiations, but we're
already using this kind of suppression in `PointlessComparison.ql`
(without the `Self`) because there is no convenient alternative. It
means we lose some good results but also suppress a new false positive
in Boost that surfaced after we added support for non-type template
parameters.
 2019-11-11 14:00:00 +01:00
Jonas Jensen
281d512178 C++: Add tests for self-comparison template FP 2019-11-11 13:52:22 +01:00
Felicity Chapman
b3c3677cbf Merge branch 'rc/1.22' into 1.22-mergeback-master 
Conflicts resolved in favour of master:
	docs/language/learn-ql/cpp/conversions-classes.rst
	docs/language/learn-ql/cpp/function-classes.rst
	docs/language/learn-ql/cpp/introduce-libraries-cpp.rst
	docs/language/learn-ql/csharp/ql-for-csharp.rst
	docs/language/learn-ql/javascript/introduce-libraries-ts.rst
	docs/language/learn-ql/python/introduce-libraries-python.rst
	docs/language/ql-training/cpp/bad-overflow-guard.rst
	docs/language/ql-training/cpp/control-flow-cpp.rst
	docs/language/ql-training/cpp/global-data-flow-cpp.rst
	docs/language/ql-training/cpp/intro-ql-cpp.rst
	docs/language/ql-training/cpp/program-representation-cpp.rst
	docs/language/ql-training/cpp/snprintf.rst
	docs/language/ql-training/index.rst
	docs/language/ql-training/java/global-data-flow-java.rst
	docs/language/ql-training/java/intro-ql-java.rst
	docs/language/ql-training/java/program-representation-java.rst
	docs/language/ql-training/java/query-injection-java.rst
 2019-11-11 10:18:43 +00:00
Rasmus Wriedt Larsen
9151a7e433 Python: Always enable legacy taint tracking configuration 
If the legacy configuration is only enabled if there are no other
configurations, defining a configuration in an imported library can lead to
unwanted results. For example, code that uses `any(MyTaintKind t).taints(node)`
would *stop* working, if it did not define its own configuration. (this actually
happened to us)

We performed a dist-compare to ensure there is not a performance deg ration by
doing this. Results at https://git.semmle.com/gist/rasmuswl/a1eca07f3a92f5f65ee78d733e5d260e

Tests that were affected by this:

- RockPaperScissors + Simple: new edges because no configuration was defined for
  SqlInjectionTaint or CommandInjectionTaint
- CleartextLogging + CleartextStorage: new edges because no configuration was
  defined before, AND duplicate deges.
- TestNode: new edges because no configuration was defined before

- PathInjection: Duplicate edges
- TarSlip: Duplicate edges
- CommandInjection: Duplicate edges
- ReflectedXss: Duplicate edges
- SqlInjection: Duplicate edges
- CodeInjection: Duplicate edges
- StackTraceExposure: Duplicate edges
- UnsafeDeserialization: Duplicate edges
- UrlRedirect: Duplicate edges
 2019-11-11 11:17:21 +01:00
Anders Schack-Mulligen
b0fecbce28 Merge pull request #2230 from yh-semmle/java-move-cwe502-lib 
Java: move `UnsafeDeserialization.qll` to standard library location
 2019-11-11 10:44:52 +01:00
Felicity Chapman
c4f958d396 Merge pull request #2263 from sauyon/master 
Update links to OWASP cheat sheet
 2019-11-11 08:51:52 +00:00
James Fletcher
aa05908d19 Merge pull request #2287 from felicitymay/1.22/support-codeql 
1.22: Update for support info for CodeQL term change
 2019-11-09 22:07:34 +00:00
Felicity Chapman
25eb1d0cc9 Update for CodeQL term change and port nav changes 2019-11-09 14:36:35 +00:00
Jonas Jensen
f3e691b5ec Merge pull request #2075 from zlaski-semmle/zlaski/cpp434 
[CPP-434] Detect signed overflow checks
 2019-11-09 09:57:23 +01:00
Robert Marsh
b812a0338d Merge pull request #2268 from dave-bartolomeo/dbartol/StringLiteralAlias 
C++/C#: Treat string literals like read-only global variables for alias purposes
 2019-11-08 12:43:57 -08:00
Dave Bartolomeo
c365b2f2f0 Merge from master 
Resolve conflicts in test output
 2019-11-08 10:42:29 -07:00
Dave Bartolomeo
2b89139d5f Merge pull request #2269 from rdmarsh2/rdmarsh/cpp/uninit-string-initializers 
C++: uninit instr for string literal initializers
 2019-11-08 10:33:57 -07:00
Geoffrey White
58b6fc6bbf CPP: Autoformat. 2019-11-08 16:06:23 +00:00
Taus
7527f13443 Merge pull request #2283 from RasmusWL/python-fix-python2-specific-tests 
Python: fix python2 specific tests
 2019-11-08 17:03:54 +01:00
Geoffrey White
983a970c36 CPP: Autoformat. 2019-11-08 15:59:04 +00:00
Geoffrey White
d434f909a5 CPP: Correct change note. 2019-11-08 15:10:44 +00:00
Geoffrey White
b4fb98dc7c CPP: Fix comments. 2019-11-08 15:10:13 +00:00
Geoffrey White
821d5061a7 CPP: Correct the tests. 2019-11-08 15:10:13 +00:00
Geoffrey White
73b55f019d CPP: Autoformat. 2019-11-08 15:10:13 +00:00
Geoffrey White
0063fa2974 CPP: Change note. 2019-11-08 15:10:13 +00:00
Geoffrey White
cd3bccf73a CPP: Fix FPs. 2019-11-08 15:09:46 +00:00
Geoffrey White
1cf4449314 CPP: Test for NonConstantFormat with multiple definitons. 2019-11-08 15:09:45 +00:00
Geoffrey White
144cda7dd9 CPP: Test for WrongTypeFormatArguments with multiple definitions. 2019-11-08 15:09:45 +00:00
semmle-qlci
9986de87c4 Merge pull request #2284 from shati-patel/ql-codeql-1 
Approved by jf205
 2019-11-08 14:37:26 +00:00
semmle-qlci
d9c7549dbe Merge pull request #2279 from max-schaefer/js/touchstone-files 
Approved by asger-semmle
 2019-11-08 14:33:23 +00:00
shati-patel
fe654a9c99 update to match support page 2019-11-08 14:32:59 +00:00
shati-patel
3f51260fb4 Docs: Update sidebar 2019-11-08 14:04:44 +00:00
Esben Sparre Andreasen
9b346b1d52 Merge pull request #2260 from max-schaefer/js/_min 
JavaScript: Classify files with names ending in `_min` as minified.
 2019-11-08 13:52:33 +01:00
Rasmus Wriedt Larsen
358964b1e2 Python: Accept changes in Python 2 specific six tests 
We don't use a locked-down version of six, so some internal things probably
changed from the version used last time, and the versoin I have installed.

Long term fix would be to use a specific version of six for tests!
 2019-11-08 13:49:52 +01:00
Rasmus Wriedt Larsen
6c259e5608 Python: Temporarily accept changes in Python 2 specific MRO tests 
Due to internal PR#35123 we now actually run the tests under
`python/ql/test/2/...`

These seems like a regression, since the tests state that N is ok, but A and J
should not be allowed.

For now we can accept them, so we don't block all other Python PRs
 2019-11-08 13:48:21 +01:00
Rasmus Wriedt Larsen
89a13213e2 Python: Accept changes in Python 2 specific tests 
Due to internal PR#35123 we now actually run the tests under
`python/ql/test/2/...`

Since we haven't done this in a while, test output has changed a bit. These
changes look perfectly fine.
 2019-11-08 13:48:14 +01:00
semmle-qlci
867ed16777 Merge pull request #2276 from asger-semmle/inclusion-test 
Approved by max-schaefer
 2019-11-08 10:57:11 +00:00
Max Schaefer
d7831d2680 JavaScript: Short-circuit bad-header check on empty files. 2019-11-08 10:30:53 +00:00
Felicity Chapman
8ed0d726ee Merge pull request #2280 from jf205/codeql-homepage-links 
docs: update banner links
 2019-11-08 10:06:27 +00:00
james
0554de06a1 docs: update banner links 2019-11-08 09:32:20 +00:00
Max Schaefer
e8510fe71a TypeScript: Skip Touchstone files. 2019-11-08 09:17:05 +00:00
Dave Bartolomeo
17f76c2516 C++: Fix merge conflicts 2019-11-07 22:02:15 -07:00
Ziemowit Laski
4ea8569081 [CPP-434] Squelch query alerts if ALL files were compiled 
with `-fwrapv` or `-fno-strict-overflow`
 2019-11-07 16:40:03 -08:00
Robert Marsh
f483ec152b Merge branch 'master' of github.com:Semmle/ql into rdmarsh/cpp/uninit-string-initializers 2019-11-07 14:36:58 -08:00