hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-28 10:18:17 +01:00
Code Issues Packages Projects Releases Wiki Activity
3,581 Commits 1,723 Branches 164 Tags
8dcd8715b93072d5003cc9d37724ef28ad71a438
Commit Graph

3581 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Max Schaefer
8dcd8715b9 Merge pull request #889 from jcreedcmu/jcreed/tarslip 
JavaScript: Add new query for ZipSlip (CWE-022).
 2019-03-01 08:16:35 +00:00
Jason Reed
86bbb5fb18 JS: Add ZipSlip query to security suite 2019-02-28 15:46:34 -05:00
Jason Reed
c1b218a5ff JS: Documentation fixes 2019-02-28 15:46:19 -05:00
Jason Reed
c5e57dacf8 JS: Actually use fileName in examples 2019-02-28 15:46:14 -05:00
Jason Reed
674d2790b4 JS: Address review comments 2019-02-28 15:46:07 -05:00
Jason Reed
caebdd2f68 JS: Fix incorrect sample link 2019-02-28 15:46:00 -05:00
Jason Reed
2fc2a393b7 JS: Address review comments 2019-02-28 15:45:52 -05:00
Jason Reed
09b9a57783 JS: More efficient reasoning through pipe 2019-02-28 15:45:38 -05:00
Jason Reed
b0636dd410 JS: Better local flow through .pipe chaining 2019-02-28 15:45:33 -05:00
Jason Reed
23d37c7167 JS: Unbreak TaintedPath 2019-02-28 15:45:26 -05:00
Jason Reed
32d48ba98b JS: Run auto-formatter 2019-02-28 15:45:20 -05:00
Jason Reed
abd2644af7 JS: Address review comments 2019-02-28 15:45:13 -05:00
Jason Reed
baa4f08259 JS: Add new query for ZipSlip (CWE-022) 2019-02-28 15:45:08 -05:00
Geoffrey White
28304e4fde Merge pull request #1005 from jbj/dataflow-Node-cached 
C++: Cache TNode and localFlowStep
 2019-02-28 17:43:14 +00:00
Taus
f91e06b5a8 Merge pull request #1002 from markshannon/python-cherrypy 
Python: CherryPy support
 2019-02-28 18:12:20 +01:00
Mark Shannon
af2680729f Python: Fix qldoc. 2019-02-28 15:25:43 +00:00
Mark Shannon
faf9b4886d Python: Add change note for CherryPy support. 2019-02-28 15:25:41 +00:00
Mark Shannon
2df718d632 Python: Make bottle response logic consistent with other frameworks. 2019-02-28 15:25:15 +00:00
Mark Shannon
91a1cc9f0b Python: Add cherrypy handler function return values as taint sinks. 2019-02-28 15:25:13 +00:00
Mark Shannon
6c82be8bda Python: CherryPy web framework support -- requests. 2019-02-28 15:24:58 +00:00
Mark Shannon
e933ba28d5 Python: Add basic support for stdlib cookie objects. 2019-02-28 15:24:36 +00:00
Taus
b8b4216352 Merge pull request #979 from markshannon/python-falcon 
Python: Add support for falcon web API framework.
 2019-02-28 15:47:35 +01:00
Asger F
5478e0da62 Merge pull request #998 from xiemaisi/js/autobuild-file-types 
JavaScript: Make file types customisable in AutoBuild.
 2019-02-28 15:26:35 +01:00
Max Schaefer
2ecabad553 Merge pull request #1004 from asger-semmle/suffix-check-bug 
JS: Recognize '+' in suffix check
 2019-02-28 14:23:26 +00:00
Mark Shannon
1444b3976c Python: Add wsgi.environment as a kind of taint, and add suuport for env attribute of falcon request objects. 2019-02-28 13:06:11 +00:00
semmle-qlci
edba24129d Merge pull request #1003 from xiemaisi/js/fix-test 
Approved by esben-semmle
 2019-02-28 12:05:44 +00:00
Jonas Jensen
264301be66 C++: Cache TNode and localFlowStep 
These two elements weren't cached, which meant that local data flow was
recalculated in every query that used data flow. They are also cached in
the Java version of `DataFlowUtil.qll`.
 2019-02-28 11:41:51 +01:00
Asger F
8e8085ea1f JS: add test 2019-02-28 10:09:36 +00:00
Max Schaefer
c8a37297f3 Merge pull request #997 from asger-semmle/closure-promise 
JS: model of closure Promises
 2019-02-28 10:05:12 +00:00
Taus
a83f33be33 Merge pull request #1001 from markshannon/python-delete-internal-tests 
Python delete extractor tests. Duplicates of internal tests.
 2019-02-28 11:04:52 +01:00
Max Schaefer
1b5887014b Merge pull request #988 from asger-semmle/spread-taint-step 
JS: add taint step through object/array spread operators
 2019-02-28 09:58:23 +00:00
Calum Grant
c945b7793c Merge pull request #944 from hvitved/csharp/cfg/accessor-call 
C#: Improve CFG for assignments
 2019-02-28 09:34:56 +00:00
Max Schaefer
02dff4e9d9 JavaScript: Update expected test output. 2019-02-28 08:21:06 +00:00
semmle-qlci
6602b4dbda Merge pull request #992 from xiemaisi/js/socket.io 
Approved by asger-semmle
 2019-02-27 18:43:40 +00:00
Mark Shannon
9170d85155 Python: Fix falcon sources to only be source if a route is attached. 2019-02-27 16:42:31 +00:00
semmle-qlci
8e485b7972 Merge pull request #996 from xiemaisi/js/first-array-elt-in 
Approved by esben-semmle
 2019-02-27 16:19:21 +00:00
Mark Shannon
d605dfd542 Python delete extractor tests. Duplicates of internal tests. 2019-02-27 15:35:52 +00:00
Mark Shannon
f7d7b8eef2 Merge pull request #785 from taus-semmle/python-unsafe-use-of-mktemp 
Python: Add query for unsafe use of `tempfile.mktemp`.
 2019-02-27 15:01:06 +00:00
Tom Hvitved
996b0efa47 C#: Address review comments 2019-02-27 13:49:15 +01:00
Max Schaefer
9d77619afc JavaScript: Make file types customisable in AutoBuild. 
Every once in a while we encounter projects using some custom file extension for files that we could in principle extract, but since the extractor doesn't know about the extension the files are skipped.

To handle this, the legacy extractor has a `--file-type` option that one can use to specify a file type to use for all files in that particular extraction. So far, `AutoBuild` has nothing of the sort.

This PR proposes to introduce an environment variable `LGTM_INDEX_FILETYPES` to allow a similar customisation. In the fullness of time, this variable would be set through `lgtm.yml` in the usual way, but for now it is undocumented and for internal use only.

Specifically, `LGTM_INDEX_FILETYPES` is a newline-separated list of ".extension:filetype" pairs, specifying that files with the given `.extension` should be extracted as type `filetype`, where
`filetype` is one of `js`, `html`, `json`, `typescript` or `yaml`.

For example, `.jsm:js` causes all `.jsm` files to be extracted as JavaScript.

This can also be used to override default file types: for example, by specifying `.js:typescript` all JavaScript files will be extracted as TypeScript.
 2019-02-27 12:02:01 +00:00
Asger F
3d400cc57f JS: basic model of closure Promises 2019-02-27 11:58:51 +00:00
Max Schaefer
2ed37903d8 JavaScript: Include list of relevant environment variables in Javadoc for AutoBuild. 2019-02-27 11:54:59 +00:00
Mark Shannon
9e268d77d0 Python: Add responses to Falcon framework support. 2019-02-27 09:56:18 +00:00
Mark Shannon
6a48420191 Python: Basic support for falcon framework; routing and requests. 2019-02-27 09:55:52 +00:00
semmle-qlci
999e0c8b95 Merge pull request #947 from asger-semmle/string-ops-concat 
Approved by xiemaisi
 2019-02-27 09:54:46 +00:00
Mark Shannon
742c1d0fa7 Python: Add test skeleton for falcon web framework. 2019-02-27 09:53:20 +00:00
Max Schaefer
37a3085466 Merge pull request #993 from asger-semmle/getacallee 
JS: document new behavior of overriding InvokeNode.getACallee()
 2019-02-27 09:00:59 +00:00
Max Schaefer
6ecdb0edd5 JavaScript: Allow first expression in array literal to be an in expression. 2019-02-27 08:58:28 +00:00
Max Schaefer
0648d7aa09 JavaScript: Sharpen result type of getAReceivedItem. 2019-02-27 08:51:43 +00:00
semmle-qlci
d857f52c7d Merge pull request #991 from jbj/error-function-returns 
Approved by geoffw0
 2019-02-27 08:01:39 +00:00