Chris Smowton
26e10f3ad5
SSRF: don't consider results of fetches we initiated to be untrustworthy
2021-06-17 11:41:03 +01:00
Chris Smowton
c63d5986cf
Sanitize StringBuilder appends that follow directly from a constructor.
Note that some of this logic ought to be incorporated into StringBuilderVar once that code can be reviewed.
2021-06-17 11:41:03 +01:00
Chris Smowton
b5a450b881
SSRF query: add sanitizer looking for a variety of ways of prepending a sanitizing prefix, such as one that restricts the hostname a URI will refer to.
2021-06-17 11:41:03 +01:00
Chris Smowton
487c1db6ed
Promote SSRF query to main query set
2021-06-17 11:41:01 +01:00
Anders Schack-Mulligen
6ca8d69b26
Merge pull request #5881 from haby0/java/UnsafeDeserialization
Java: CWE-502 Add UnsafeDeserialization sinks
2021-06-17 12:36:34 +02:00
Anders Schack-Mulligen
8fe2f4a554
Merge pull request #6034 from owen-mc/java/jax-rs
Improve JAX-WS and JAX-RS models
2021-06-17 12:35:34 +02:00
Anders Schack-Mulligen
b173b4141d
Merge pull request #6096 from smowton/smowton/fix/inline-expectations-missing-prefix
Inline expectation tests: accept // $MISSING: and // $SPURIOUS:
2021-06-17 11:41:15 +02:00
haby0
363ad5b470
Fix error
2021-06-17 17:36:35 +08:00
Owen Mansel-Chan
945db01f56
Address review comments
2021-06-17 10:29:33 +01:00
Owen Mansel-Chan
b9bc1f978c
Update style of inline expectation comments
2021-06-17 10:04:15 +01:00
Chris Smowton
558813acf7
Inline expectation tests: accept // $MISSING: and // $SPURIOUS:
Previously there had to be a space after the $ token, unlike ordinary expectations (i.e., // $xss was already accepted)
2021-06-17 09:44:39 +01:00
Owen Mansel-Chan
0987425f94
Reinstate failing tests with MISSING: prefix
2021-06-17 09:36:51 +01:00
Tom Hvitved
0febf5a592
Merge pull request #6094 from hvitved/dataflow/consistency-compiler-too-smart
Data flow: Workaround for too clever compiler in consistency queries
2021-06-17 10:23:31 +02:00
Tom Hvitved
ffb2350a54
Data flow: Fix getLocalCallContext join-order
2021-06-17 10:02:31 +02:00
Tom Hvitved
cc383e0f6a
Data flow: Workaround for too clever compiler in consistency queries
2021-06-17 09:43:36 +02:00
haby0
3dd851fffb
expected
2021-06-17 15:20:03 +08:00
Owen Mansel-Chan
5f82993b0b
Put parameters with inline expectation comments on their own lines
2021-06-17 06:41:01 +01:00
Tom Hvitved
3f6beaf9df
C#: Add tests for complex CSV flow summaries
2021-06-16 19:36:05 +02:00
Tom Hvitved
0af44a7f94
C#: Changes to Type::{getQualifier,hasQualifiedName}
2021-06-16 19:36:05 +02:00
CodeQL CI
bcafe532ac
Merge pull request #5944 from RasmusWL/async-api-graph-tests
Approved by tausbn
2021-06-16 08:46:26 -07:00
CodeQL CI
9b84a8e146
Merge pull request #6048 from erik-krogh/graphql
Approved by esbena
2021-06-16 06:35:42 -07:00
Tom Hvitved
8866e6c969
C#: Always use fully qualified names in CSV data-flow summaries
2021-06-16 14:09:45 +02:00
Tom Hvitved
def3d6bac4
C#: CSV-based flow summaries
2021-06-16 14:09:45 +02:00
Owen Mansel-Chan
5d00bb23e4
Move logic for URL redirection sinks
2021-06-16 12:48:11 +01:00
yoff
0ddeb7a8c1
Merge pull request #5950 from RasmusWL/promote-clickhouse
Python: Promote ClickHouse SQL models
2021-06-16 13:38:41 +02:00
Taus
e647403948
Python: Avoid __main__.py files as entry points.
According to the official documentation, the purpose of `__main__.py`
files is that their presence in a package (say, `foo`) means one can
execute the package directly using `python -m foo` (which will run the
aforementioned `foo/__main__.py` file).
In principle this means that adding `if __name__ == "__main__"` in these
files is superfluous, as they are only intended to be executed (and not
imported by some other file).
However, in practice people often _do_ include the above construct.
Here are some instances of this on LGTM.com:
https://lgtm.com/query/7521266095072095777/
In particular, 10 out of 33 files in `cpython` have this construct.
This causes some confusion in our module naming, as we usually see the
presence of `__name__ == "__main__"` as an indication that a file may
be run directly (and hence with "absolute import" semantics). However,
when run with `python -m`, the interpreter uses the usual package
semantics, and this leads to modules getting multiple names.
For this reason, I think it makes sense to simply exclude `__main__.py`
files from consideration. Note that if there is a `#!` line mentioning
the Python interpreter, then they will still be included as entry
points.
2021-06-16 10:59:56 +00:00
Tamás Vajk
eaa69dfa5d
Merge pull request #6084 from tamasvajk/feature/effective-publicness
C#: Fix isEffectively* visibility predicates
2021-06-16 12:52:38 +02:00
Anders Schack-Mulligen
75d5fe67ea
Merge pull request #6090 from atorralba/atorralba/move-httpsurls-tests
Java: Move/tweak some tests
2021-06-16 12:00:55 +02:00
Tamas Vajk
28ef0e86f6
Apply code review findings
2021-06-16 10:51:52 +02:00
Tamas Vajk
c5b8acf216
Add change notes
2021-06-16 10:51:52 +02:00
Tamas Vajk
db8a777aa9
Fix isEffectively* predicates to members extracted from multiple assemblies
2021-06-16 10:51:52 +02:00
Tamas Vajk
77f8f3fa8a
Adjust comments on isEffectively*
2021-06-16 10:51:52 +02:00
Tamas Vajk
eea96a5585
Fix effective publicness of protected private and protected internal
2021-06-16 10:51:52 +02:00
Tamas Vajk
f715445c7a
Fix effective privateness of explicitly implemented members
2021-06-16 10:51:08 +02:00
Tamas Vajk
a24006239b
C#: Add more tests to effective visibility
2021-06-16 10:50:15 +02:00
Taus
96d8fc78f8
Merge pull request #6078 from hvitved/type-tracker-caching
Python: Move cached predicates in type tracker library to same stage
2021-06-16 10:45:02 +02:00
Tamás Vajk
9f44bc575f
Merge pull request #6089 from tamasvajk/feature/interface-member-modifier
C#: Allow abstract modifier on interface members
2021-06-16 10:44:43 +02:00
haby0
c1ada6d85b
Merge branch 'main' into java/UnsafeDeserialization
2021-06-16 16:37:03 +08:00
Tamás Vajk
386d88ab93
Merge pull request #6085 from tamasvajk/feature/unsafe
C#: Fix `Modifiable::isUnsafe` to handle declarations extracted from assemblies
2021-06-16 10:30:09 +02:00
Tony Torralba
e2918d55b5
Move tests back from internal repo
2021-06-16 10:09:44 +02:00
Tamas Vajk
66835651fe
C#: Allow abstract modifier on interface members
2021-06-16 09:56:36 +02:00
Tamas Vajk
dacb044790
C#: Add tests for abstract/virtual modifier of interface members
2021-06-16 09:54:34 +02:00
Asger Feldthaus
5838e54a46
JS: Sharpen recognition of string 'match' calls
2021-06-16 09:27:02 +02:00
haby0
9badd7aa27
change name
2021-06-16 11:29:37 +08:00
Taus
359bc5eff9
Python: Autoformat
2021-06-15 15:56:40 +00:00
Tamas Vajk
74c4765ab9
Add change note
2021-06-15 17:30:48 +02:00
Tamas Vajk
44b30b70da
C#: Fix Modifiable::isUnsafe to handle declarations extracted from assemblies
2021-06-15 17:30:48 +02:00
Asger Feldthaus
af9cc07066
JS: Change note
2021-06-15 17:19:39 +02:00
Asger Feldthaus
9f052a2ecd
JS: Add Knex model
2021-06-15 17:19:39 +02:00
CodeQL CI
847faf536d
Merge pull request #6070 from asgerf/js/script-with-tsx-lang
Approved by erik-krogh
2021-06-15 08:17:53 -07:00