hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-29 14:23:03 +01:00
Code Issues Packages Projects Releases Wiki Activity
1,366 Commits 1,684 Branches 159 Tags
88c740bbbcdafdc930d6feb8abc5215e7dde86ef
Commit Graph

117 Commits

Author SHA1 Message Date
Chris Smowton
88c740bbbc Merge pull request #353 from gagliardetto/remove-duplicate-models 
Remove duplicate models (the end)
 2020-09-24 13:31:18 +01:00
Slavomir
4f7edb85da Fix package count 2020-09-24 12:41:14 +02:00
Slavomir
1f5da54ac9 Update change-notes/2020-09-23-stdlib.md 
Co-authored-by: Chris Smowton <smowton@github.com>
 2020-09-24 12:40:39 +02:00
Slavomir
8e007623ca Improve change note 2020-09-23 18:03:11 +02:00
Slavomir
ef20f75cbe Add change note 2020-09-23 17:52:52 +02:00
Chris Smowton
59138048bb Add query spotting probably-bad escapes in regular expressions. 
Inspired by js/useless-regexp-character-escape, but much much simpler because the Go source code parser forbids unrecognised escapes and its regex engine refuses to compile \\x where x is not a character class or other special token (e.g. start-of-word).
 2020-09-23 15:07:22 +01:00
Chris Smowton
397282f41a Add models for the Echo framework 2020-09-21 17:35:40 +01:00
Chris Smowton
1bf366c1e3 Add models for the Chi web framework 
This is mostly simple as the framework uses ordinary net/http methods and ordinary Go contexts for most purposes.
 2020-09-16 09:14:23 +01:00
Max Schaefer
e9bf3317b5 Merge pull request #328 from owen-mc/gorm-exec 
Update GORM model
 2020-09-11 08:41:09 +01:00
Owen Mansel-Chan
13e82de53d Add change note 2020-09-10 17:29:06 +01:00
Chris Smowton
405babf5af Reflected XSS query: exclude more uses of encoding/json.Marshal 
Previously we only detected these if the marshalling directly fed the request body within the same function; now it's a general sanitiser for the purposes of XSS.
 2020-09-10 16:52:06 +01:00
Owen Mansel-Chan
cd6020810a Add change note for #296 2020-09-08 16:32:12 +01:00
Chris Smowton
faf43efb60 Promote OAuth2 constant-state query to mainline 2020-09-02 15:05:22 +01:00
Max Schaefer
b4550f244b Merge pull request #313 from github/rc/1.25 
Merge rc/1.25 into main
 2020-08-27 14:27:26 +01:00
Owen Mansel-Chan
7fd5e7e978 Add change note for https://github.com/github/codeql-go/pull/277 2020-08-26 10:54:18 +01:00
Owen Mansel-Chan
ad6c94e8f9 Add change note for https://github.com/github/codeql-go/pull/251 2020-08-26 07:58:19 +01:00
Owen Mansel-Chan
210208b003 Add change note for https://github.com/github/codeql-go/pull/226 2020-08-26 07:46:56 +01:00
Owen Mansel-Chan
d4a377b7cc Add change note for https://github.com/github/codeql-go/pull/107 
The model for websocket was included in another change note
 2020-08-26 07:21:05 +01:00
Owen Mansel-Chan
944b69066e Add change note for github/codeql-go#125 2020-08-26 07:20:24 +01:00
Owen Mansel-Chan
dc99a62dca Add change note for Gin framework 
This was originally put in too early because the Gin framework was
accidentally not added to the default includes.

This reverts commit 41e98d6afc.
 2020-08-25 10:29:42 +01:00
Max Schaefer
42c1116ac7 Merge pull request #303 from github/rc/1.25 
Merge rc/1.25 into main
 2020-08-24 17:22:56 +01:00
Owen Mansel-Chan
caf77e2a44 Merge pull request #298 from smowton/smowton/admin/changenote-blank-lines 
Remove blank lines from changenote
 2020-08-20 16:05:29 +01:00
Chris Smowton
cc2a153c57 Remove blank lines from changenote 2020-08-20 11:45:29 +01:00
Owen Mansel-Chan
41e98d6afc Remove change note so it isn't accidentally put into this release 2020-08-20 10:27:51 +01:00
Owen Mansel-Chan
53cc3621ad Change date on Gin change note 
The Gin model wasn't added to the default imports
till 2020-08-19
 2020-08-20 10:27:41 +01:00
Max Schaefer
fe6cf8c625 Merge pull request #275 from owen-mc/incorrect-integer-conversion 
Incorrect integer conversion
 2020-08-13 20:19:47 +01:00
Owen Mansel-Chan
97bbdca8a3 Extend negativeLengthCheck query to unsigned integers 
Like return values from len and cap, unsigned integers are never negative
 2020-08-11 10:48:03 +01:00
Owen Mansel-Chan
681ca9065a Add change note 2020-08-10 11:04:25 +01:00
Max Schaefer
b057cbee7b Merge pull request #256 from smowton/smowton/admin/cwe-327-cleanup 
Polish CWE-327 (weak TLS config) query
 2020-08-03 10:28:53 +01:00
Max Schaefer
2134757ebf Merge pull request #261 from smowton/smowton/admin/cleanup-cwe-322 
Polish CWE-322: detect and exclude cases where host-checking is optional
 2020-07-30 10:38:57 +01:00
Chris Smowton
f162a5be94 Promote CWE-322 out of experimental status 2020-07-29 14:43:47 +01:00
Chris Smowton
026dc5c97f Add changelog notes regarding added library support 2020-07-28 14:57:14 +01:00
Chris Smowton
718c4e8531 Add change note for insecure-TLS query 2020-07-28 11:55:58 +01:00
Max Schaefer
302eb55d23 Merge pull request #245 from smowton/smowton/feature/missing-error-check-query-conservative 
Add query searching for missing error checks on functions that return a (pointer, error) pair
 2020-07-09 15:37:32 +01:00
Chris Smowton
429a385a20 Add query searching for missing error checks on functions that return a (pointer, error) pair 2020-07-09 13:06:31 +01:00
Max Schaefer
bc778b5899 Merge pull request #243 from max-schaefer/cve-2019-11250 
Improvements to clear-text logging query
 2020-07-07 16:03:40 +01:00
Chris Smowton
5b34c05916 UnreachableStatement: tolerate more harmless unreachable return statements 
The Golang compiler isn't particularly good at spotting paths that don't need a return statement due to a dominating noreturn statement (e.g. os.Exit(1)), so dead return statements are common. We already tried to tolerate some instances of this pattern; this additionally allows 'true' and 'false' literals, and anything of type 'error'.

The carte-blanche for error values aims to accommodate the pattern "abort(); return whateverErrorWouldOtherwiseBeAppropriate();", which is probably preferable to "return nil", a misleading no-error indication.
 2020-07-06 17:02:26 +01:00
Max Schaefer
b83076853f Add change note. 2020-07-02 12:03:43 +01:00
Max Schaefer
f74a94e382 Merge pull request #170 from sauyon/tracing 
Extract more dependency ASTs
 2020-07-01 14:25:52 +01:00
Max Schaefer
76f482682c Merge pull request #182 from owen-mc/gin-framework 
Move model for Gin framework out of experimental
 2020-06-26 20:26:48 +01:00
Max Schaefer
91ca2bb434 Merge pull request #231 from max-schaefer/taint-through-range 
Propagate taint through `range` statements
 2020-06-26 19:58:53 +01:00
Max Schaefer
66ec160f64 Add change note. 2020-06-26 11:20:45 +01:00
Max Schaefer
3bf934d64b Add change note. 2020-06-25 22:23:49 +01:00
Sauyon Lee
9e8d386f3c Clarify change note 2020-06-24 23:29:55 -07:00
Sauyon Lee
de2f407c69 Add change note for more dependency AST extraction 2020-06-24 23:29:50 -07:00
Max Schaefer
1f68a32cdc Add change note. 2020-06-22 09:22:47 +01:00
Max Schaefer
2df8c275e0 Fix field lookup in cyclic structs. 2020-06-19 08:16:09 +01:00
Max Schaefer
7c2358c1d0 Merge pull request #181 from sauyon/reflectedxss-fps 
ReflectedXSS refinement
 2020-06-18 11:14:13 +01:00
Owen Mansel-Chan
c5cb55afc6 Add a change note 2020-06-17 15:14:16 +01:00
Sauyon Lee
95235c8415 Add change note for reflected xss regexp fixes 2020-06-17 00:28:03 -07:00