hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-23 02:13:41 +01:00
Code Issues Packages Projects Releases Wiki Activity
1,919 Commits 1,693 Branches 161 Tags
924e445ce991ca4d4e5a7de66408a58a4026ea2e
Commit Graph

676 Commits

Author SHA1 Message Date
Slavomir
f261f34f57 Add query to detect CORS misconfiguration 2021-05-22 18:14:13 +02:00
Slavomir
5578afa189 Regenerate using latest codemill generator. 2021-04-30 15:39:09 +01:00
Slavomir
36396df271 HttpResponseBody: Move .getAPredecessor*() to the test query. 2021-04-30 15:39:09 +01:00
Slavomir
78b403f42e Stub alternative HTTP::ResponseBody model implementation 2021-04-30 15:39:09 +01:00
Sauyon Lee
bfe6e7510d Evaluate symlinks for the dummy file 2021-04-27 08:32:21 -07:00
Sauyon Lee
d09cb7f228 Remove badpkg.go to make tests location-independent 2021-04-27 01:18:22 -07:00
Sauyon Lee
27b72b53e5 Add diagnostic queries 2021-04-27 01:18:21 -07:00
Sauyon Lee
9f85846980 Add lines of code summary query 2021-04-27 01:18:20 -07:00
Sauyon Lee
b808c187cf Add test with curly braces in filename 2021-04-21 21:14:41 -07:00
Chris Smowton
06c958e61f Extractor: tolerate curly braces in struct field tags, directory names 
These previously produced malformed TRAP. I have checked the other uses of GlobalID and don't see any others that should require escaping.
 2021-04-21 21:14:39 -07:00
Chris Smowton
e50ad90856 Elaborate comment and change-note a little 2021-04-21 12:36:43 +01:00
Chris Smowton
a152eec9f2 Add test for ExtractTupleElementInstruction.getResultType() 2021-04-21 12:33:51 +01:00
Sauyon Lee
50bb6187b8 Revert ReflectedXss.go to example 2021-04-20 23:27:03 -07:00
Sauyon Lee
ba2da6d9a9 Add test exercising channel data flow 2021-04-20 14:23:31 -07:00
Chris Smowton
0cef5fb5d0 Add test case for map extraction 2021-04-20 14:23:29 -07:00
Chris Smowton
027a540c67 Update test expectations now that tuple-extracts not method calls are sources 2021-04-19 17:05:50 +01:00
Chris Smowton
7d258ae722 Improve net/http taint-tracking fidelity 
* Don't taint error returns from http.Request methods
* Track taint across mime/multipart.Part methods
 2021-04-19 16:05:23 +01:00
Slavomir
8e839f376e Put all tests file in to the CleverGo folder instead of having dedicated folders for each test. 2021-04-09 08:38:37 +01:00
Slavomir
4ae5bdbbec Improve naming of files and elements. 2021-04-09 08:38:37 +01:00
Slavomir
7ea0434514 Move clevergo framework to experimental 2021-04-09 08:38:37 +01:00
Slavomir
3915305361 Refactor and improve HTTP:ResponseBody models and tests 2021-04-09 08:38:37 +01:00
Slavomir
7edf739602 Model HTTP::HeaderWrite; regenerate stubs 2021-04-09 08:38:37 +01:00
Slavomir
0fe7050e7e Add models for HTTP::ResponseBody 2021-04-09 08:38:36 +01:00
Slavomir
c53d8d3e56 Add http redirect model 2021-04-09 08:38:36 +01:00
Slavomir
1de7196060 Regenerate dep stubs 2021-04-09 08:38:36 +01:00
Slavomir
0c1ae62ce9 Use //go:generate depstubber --vendor --auto 2021-04-09 08:38:36 +01:00
Slavomir
54abdf1a95 Regenerate tests 2021-04-09 08:38:36 +01:00
Slavomir
dfbad0edb9 Regenerate code implementing the code review feedback 2021-04-09 08:38:36 +01:00
Slavomir
6d9b7d3240 Add web framework: clevergo 2021-04-09 08:38:35 +01:00
Slavomir
541c411086 Add isSanitizer predicate to FlowConfFromUntrustedToTemplateExecutionCall, and a test for it 2021-04-08 14:24:35 +01:00
Slavomir
e2b7c035ad Use only one instance of TaintTracking. 2021-04-08 14:24:35 +01:00
Slavomir
280ffdf060 Fix test 2021-04-08 14:24:35 +01:00
Slavomir
cc31cd2fe2 Fix test 2021-04-08 14:24:35 +01:00
Slavomir
0bb5ef6af2 Fix test 2021-04-08 14:24:35 +01:00
Slavomir
7e9f23ab8e Refactor flow logic to ensure untrusted flows to conversion, and conversion flows to template-exec. 2021-04-08 14:24:35 +01:00
Slavomir
ad91e4abcb Remove DummySource 2021-04-08 14:24:35 +01:00
Slavomir
49894341a8 Add CWE-79: HTML template escaping passthrough 2021-04-08 14:24:35 +01:00
Chris Smowton
c742a131de Remove filename containing hiragana 
Good test, but unfortunately it turns out our ODASA build under Windows can't cope -- we get `make: *** No rule to make target 'language-packs/go/ql/test/library-tests/semmle/go/Files/�.go', needed by 'target/general/go-tools/output/tools/tokenizer.jar'.  Stop.`

Evidently our windows Actions build *does* work, so this is possible in principle, but let's not delay this PR finding out the exact reasons why right now.
 2021-04-01 08:57:15 +01:00
Sauyon Lee
7e3e2f9adf Add file tests 2021-03-31 02:01:26 -07:00
Owen Mansel-Chan
770c770a8f Add tests for promoted methods 
We need implicit field reads for calls to promoted methods.
False negative flags have been added to make this pass on main.
 2021-03-30 10:13:29 +01:00
Sauyon Lee
e1b4867a19 Refactor embedded field calculation to expose access chain 
This allows us to reuse the embedded field calculation in the
logic for generating implicit field selection nodes.
 2021-03-30 10:13:23 +01:00
Owen Mansel-Chan
f1b6139ace Update expected results for ZipSlip to include implicit field reads 2021-03-30 10:13:22 +01:00
Owen Mansel-Chan
2d3caf48c1 Add implicit field reads for promoted fields 
This may not work when the embedded fields are pointer types, as
we don't have anything corresponding to MkImplicitDeref
 2021-03-30 10:13:21 +01:00
Chris Smowton
244f66c358 Make diagnostics test platform-neutral 2021-03-25 14:44:18 +00:00
Sauyon Lee
394feb03f1 Add tests for extractor diagnostics 2021-03-19 04:34:16 -07:00
Sauyon Lee
68dca955a8 Rework tests and fix output 2021-03-18 10:54:32 -07:00
Sauyon Lee
96d2777431 Add models for Revel raw templates 2021-03-18 10:51:14 -07:00
Sauyon Lee
8438b893ec Add HTML tracing capability 2021-03-18 10:51:12 -07:00
Sauyon Lee
db20119267 Remove now-unnecessary bindingset annotations 2021-03-10 08:58:45 -08:00
Sauyon Lee
8ad1010860 Restrict 'package' to real package paths 2021-03-10 08:58:41 -08:00