hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 04:39:29 +02:00
Code Issues Packages Projects Releases Wiki Activity
53,274 Commits 1,741 Branches 166 Tags
8c46bfd05153d462bbd1056d83e0958a38772ba6
Commit Graph

53274 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Alex Ford
8c46bfd051 Merge pull request #12816 from github/rc/3.9 
Merge `rc/3.9` into `main`
 2023-04-13 12:35:41 +01:00
Tony Torralba
4c6df3fdb9 Merge pull request #12813 from atorralba/atorralba/java/sensitive-expr-fix-and-tests 
Java: Add tests for SensitiveActions and fix getCommonSensitiveInfoRegex
 2023-04-13 13:13:37 +02:00
Taus
6968de2ccc Merge pull request #12796 from github/tausbn/python-clarify-version-data 
Python: Clarify version data
 2023-04-13 13:05:10 +02:00
Michael Nebel
72e0235718 Merge pull request #12723 from michaelnebel/csharp/refactordataflow2 
C#: Re-factor queries to use the new API.
 2023-04-13 12:32:22 +02:00
Tony Torralba
d7feaf4098 Merge pull request #12685 from atorralba/atorralba/java/command-injection-mad 
Java: Add command-injection sink kind and refactor command injection queries
 2023-04-13 11:38:14 +02:00
Michael Nebel
2d2d32a3f6 Merge pull request #12732 from michaelnebel/csharp/refactorunittests 
C#: Re-factor data flow unit tests to use the new API.
 2023-04-13 11:30:44 +02:00
Henry Mercer
afd577ca9d Merge pull request #12814 from github/henrymercer/remove-legacy-atm-checks 
ATM: Remove legacy model integration PR checks
 2023-04-13 10:17:28 +01:00
Tony Torralba
4f2ffccc20 Improve change note 2023-04-13 11:14:57 +02:00
Henry Mercer
94f996f23f ATM: Remove legacy model integration PR checks 2023-04-13 10:00:52 +01:00
Tony Torralba
99b0624e8b Add change note 2023-04-13 10:35:59 +02:00
Tony Torralba
485709a133 Fix getCommonSensitiveInfoRegex 2023-04-13 10:33:03 +02:00
Tony Torralba
84971c8687 Add SensitiveActions tests 2023-04-13 10:32:23 +02:00
Erik Krogh Kristensen
9853241425 Merge pull request #12810 from asgerf/ql/missing-noinline-cached 
QL: Don't warn about cached predicates possibly being inlined
 2023-04-13 10:16:15 +02:00
Michael Nebel
3a316f17cc C#: Re-factor SqlInjection to use the new API. 2023-04-13 10:08:40 +02:00
Michael Nebel
60a0917ced C#: Re-factor ResourceInjection to use the new API. 2023-04-13 10:08:40 +02:00
Michael Nebel
80e8b6928d C#: Re-factor RegexInjection to use the new API. 2023-04-13 10:08:40 +02:00
Michael Nebel
377b2d7515 C#: Re-factor ReDoS to use the new API. 2023-04-13 10:08:40 +02:00
Michael Nebel
8d17a45dd0 C#: Re-factor MissingXmlValidation to use the new API. 2023-04-13 10:08:40 +02:00
Michael Nebel
8e3bfda7be C#: Re-factor LogForging to use the new API. 2023-04-13 10:08:40 +02:00
Michael Nebel
8284487407 C#: Explicitly add QL Doc for the LdapInjectionConfig predicates. 2023-04-13 10:08:40 +02:00
Michael Nebel
73cd7519a2 C#: Re-factor LdapInjection to use the new API. 2023-04-13 10:08:40 +02:00
Michael Nebel
91150af11e C#: Re-factor HardcodedConnectionString to use the new API. 2023-04-13 10:08:39 +02:00
Michael Nebel
3bda0b9e8c C#: Re-factor HardcodedCredentials to use the new API. 2023-04-13 10:08:39 +02:00
Michael Nebel
d94b11b001 C#: Re-factor ExtertalApisQuery to use the new API. 2023-04-13 10:08:39 +02:00
Asger F
2f82f4338a QL: Dont ask me to inline cached predicates 2023-04-12 20:33:21 +02:00
Chris Smowton
d049b112a9 Merge pull request #12750 from smowton/smowton/admin/add-dataflow-viableParamArgSpecific-hook 
Go: mass-convert taint-flow models to models-as-data format (with `viableParamArgSpecific` hook)
 2023-04-12 17:11:18 +01:00
Chris Smowton
d648b34037 Accept test changes 
These are caused by nodes being hidden by https://github.com/github/codeql/pull/12783
 2023-04-12 15:05:04 +01:00
Mathias Vorreiter Pedersen
566513e927 Merge pull request #12800 from MathiasVP/fix-joins-in-constant-array-overflow 
C++: Fix joins in `cpp/constant-array-overflow`
 2023-04-12 14:57:17 +01:00
Chris Smowton
7eefa43f5a Rename and document viableArgParamSpecific to make clear it is a temporary hook. 2023-04-12 14:33:46 +01:00
Chris Smowton
1706367b34 Document DataFlowCallable 2023-04-12 14:24:21 +01:00
Chris Smowton
9f4b77e851 Accept test changes 2023-04-12 14:19:06 +01:00
Chris Smowton
4d8ca3d759 Add dataflow callback to filter out receiver argument flow to Golang interface dispatch candidates. 
Other langauges stub the callback.
 2023-04-12 14:19:06 +01:00
Chris Smowton
7ffe863ba6 Remove addressed FIXME 
This was addressed by adding `getAPackageWithSummarizedCallables`
 2023-04-12 14:19:06 +01:00
Chris Smowton
985e07d902 pragma[nomagic] hasQualifiedName 
These are cheap and frequently-used, and magicking them with respect to `interpretPackage` was yielding expensive, unnecessary regex operations.
 2023-04-12 14:19:06 +01:00
Chris Smowton
0129167cc4 Convert Beego's MapGet method to MaD 2023-04-12 14:19:06 +01:00
Chris Smowton
b86f0cf268 Sort models 2023-04-12 14:19:06 +01:00
Chris Smowton
12527e406b Remove unnecessary model 
This referred to a private type
 2023-04-12 14:19:05 +01:00
Chris Smowton
2abffccded Accept test changes 2023-04-12 14:19:05 +01:00
Chris Smowton
3cea01b6c8 Fix functions with multiple models 
In some cases multiple return value outputs can be coalesced, and in others we had accidentally conflated two independent flows (e.g. Arg1 -> Arg2 | Arg3 -> Arg4 led to accidentally introducing Arg1 -> Arg4 and Arg3 -> Arg2)
 2023-04-12 14:19:05 +01:00
Chris Smowton
4a89dbc498 Revert "Remove unnecessary models" 
This reverts commit 12eaedc188487275e8cd6bed4a4318fed4d4b752.

We can't do this now, because there is nothing to guarantee an interface has actually been extracted, and therefore whether a model will get applied. Therefore explicitly modelling methods that may be interface implementations where the interface is in a different package may still make a difference to behaviour.
 2023-04-12 14:19:05 +01:00
Chris Smowton
3f6ceccbe8 US spelling 2023-04-12 14:19:05 +01:00
Chris Smowton
8c553ec0fc Autoformat go 2023-04-12 14:19:05 +01:00
Chris Smowton
ac4dcc6c4b Add ioutil usage to TaintSteps test 
It appears at present the Go standard library imports the deprecated io/ioutil package internally on some platforms but not others. Therefore I add a test explicitly using it to make the test behave more uniformly.
 2023-04-12 14:19:05 +01:00
Chris Smowton
3c48609635 Accept test changes 2023-04-12 14:19:05 +01:00
Chris Smowton
ed56461ed7 Remove unnecessary models 
These are inherited from Stringer, Reader, Writer and BinaryMarshaler
 2023-04-12 14:19:05 +01:00
Chris Smowton
19e8974766 Fix comment 2023-04-12 14:19:05 +01:00
Chris Smowton
140505222f Update test expectations 2023-04-12 14:19:04 +01:00
Chris Smowton
1a7927d3a1 Fix x/net/html.EscapeString modelling 
This had never worked due to accidentally extending non-abstract class HtmlEscapeFunction; consequently it was neither a taint propagator in general, nor an HTML escape function. Added tests to ensure it is now behaving as intended.
 2023-04-12 14:19:04 +01:00
Chris Smowton
fa4145b5e4 Remove dead code 2023-04-12 14:19:04 +01:00
Chris Smowton
141d6b8d7b Accept paths test changes 2023-04-12 14:19:04 +01:00