hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,844 Commits 1,671 Branches 157 Tags
949cfc3fbdbf15dca8cd07624128cf6f4998aa9d
Commit Graph

3419 Commits

Author SHA1 Message Date
Owen Mansel-Chan
c8b8e25fbb Convert post-update logic to IR (part 1) 2025-10-01 16:12:34 +01:00
Owen Mansel-Chan
7a515c101a Pull out post-update node logic into predicate 2025-10-01 16:12:32 +01:00
Owen Mansel-Chan
d13d7173ed Fix QLDoc typo 2025-10-01 16:12:30 +01:00
Owen Mansel-Chan
14301e0af4 Expected changes in dataflow edges 2025-10-01 16:12:28 +01:00
Owen Mansel-Chan
c20abf6d58 Line numbers change because 3 lines were added 2025-10-01 16:12:27 +01:00
Owen Mansel-Chan
521066578b Test result that was missing is now found 2025-10-01 16:12:25 +01:00
Owen Mansel-Chan
3594dba83c Make insecure randomness test more realistic 2025-10-01 16:12:24 +01:00
Owen Mansel-Chan
32de2113a6 Use _ instead of exists variable x2 2025-10-01 16:12:22 +01:00
Chris Smowton
a3eb0100a6 Optimise join order for varBlockReaches 2025-10-01 16:12:21 +01:00
Owen Mansel-Chan
9068315f03 Fix IncorrectIntegerConversion for use-use flow 
We were assuming that `sink` only had one successor, the TypeCastNode, but it
can now have an adjacent use as well.
 2025-10-01 16:12:19 +01:00
Owen Mansel-Chan
b2a9cecd69 Fix Allocation Size Overflow for use-use flow 
We have an operator expression like `x * 5`. We want to follow where the
value of the operator expression goes. We used to follow local flow from
an operand, but now there is flow from that operand to the next use of
the variable. The fix is to explicitly start local flow from the
operator expression.

There are also some expected edge changes due to use-use flow.
 2025-10-01 16:12:18 +01:00
Owen Mansel-Chan
4e04d27d32 Adjust SafeFormatArgumentSanitizer to use-use flow 
Make it sanitize the result of the call rather than the input, so that
further uses of the input are still tainted. This means that it catches
things like `log.Print(fmt.Sprintf("user %q logged in.\n", username))`
where the argument to the LoggerCall contains a StringFormatCall, but
it misses things like `log.Printf("user %q logged in.\n", username)`. So
we extract the logic into a predicate and apply it as a condition in the
sink as well.

The downside of this approach is that if there are two tainted inputs
and only one has a safe format argument then we still sanitize the
result. Hopefully this is rare.
 2025-10-01 16:12:16 +01:00
Owen Mansel-Chan
49b8b0bca3 Remove local flow step from SSA defn to SSA capture 2025-10-01 16:12:15 +01:00
Owen Mansel-Chan
b4743155f6 Include first step from SsaVariableCapture 
Without this change the test
go/ql/test/query-tests/InconsistentCode/UnhandledCloseWritableHandle/UnhandledCloseWritableHandle.qlref
was failing.
 2025-10-01 16:12:14 +01:00
Owen Mansel-Chan
5267671b15 Clean up code in basicLocalFlowStep 
No changes in functionality.
 2025-10-01 16:12:12 +01:00
Owen Mansel-Chan
4484d5bfa9 Add missing QLDoc 2025-10-01 16:12:09 +01:00
Owen Mansel-Chan
16a11b48ad Switch to use-use dataflow. This will make post-update nodes easy to implement. 
Queries / tests that required changes:
* The CleartextLogging and MissingErrorCheck queries are updated because they assumed def-use flow
* The CommandInjection query works around the shortcomings of use-use flow by essentially reintroducing def-use flow when it applies a sanitizer
* The OpenUrlRedirect query currently just accepts its fate; the tests are updated to avoid excess sanitization while the query comments on the problem. We should choose this approach or the CommandInjection one.
 2025-10-01 16:12:07 +01:00
Owen Mansel-Chan
ff3d795a8f Merge pull request #20556 from owen-mc/go/test/safeurlflow 
Go: Add tests for SafeUrlFlow, and fix a latent bug
 2025-10-01 15:05:55 +01:00
Owen Mansel-Chan
8983ac9212 Phrase test in terms of safe URLs 2025-10-01 14:13:15 +01:00
Owen Mansel-Chan
c93852d87a Improve comments in test file 2025-10-01 11:01:58 +01:00
Owen Mansel-Chan
dd3f754cb3 Add change note. 2025-10-01 09:32:00 +01:00
Owen Mansel-Chan
a2a9575587 Add tests for safe URL flow 2025-09-30 15:05:42 +01:00
Owen Mansel-Chan
5b07e8c9c4 Fix bug in UnsafeFieldReadSanitizer 2025-09-30 12:05:06 +01:00
Owen Mansel-Chan
b5fda88bd3 Remove duplication of UnsafeFieldReadSanitizer 2025-09-30 12:04:39 +01:00
github-actions[bot]
a7a4e43991 Post-release preparation for codeql-cli-2.23.2 2025-09-29 15:10:19 +00:00
github-actions[bot]
d2130a589b Release preparation for version 2.23.2 2025-09-29 10:28:45 +00:00
Owen Mansel-Chan
18a1075e70 Merge pull request #20523 from smowton/smowton/fix/mistyped-exp-fp 
Go: mistyped-exponentiation: notice constants with likely-bitmask values
 2025-09-26 16:02:30 +01:00
Owen Mansel-Chan
f5f61193a0 Delete change note 2025-09-26 15:33:26 +01:00
Chris Smowton
9e7a5214f3 Change note 2025-09-25 15:40:26 +01:00
Chris Smowton
e9cccb46c0 Go: mistyped-exponentiation: notice constants with likely-bitmask values 2025-09-25 15:19:40 +01:00
Michael B. Gale
fd6f9cd2d5 Merge pull request #20368 from github/mbg/go/support-git-source 
Go: Support `git_source`
 2025-09-24 16:14:56 +01:00
Michael B. Gale
8c8499229d Configure git to use the certificate, if needed 2025-09-24 15:52:04 +01:00
Michael B. Gale
bc38b79c9a Convert URLs to expected format 2025-09-24 15:52:04 +01:00
Michael B. Gale
4ef8ff9a0f Append * to git_source URL if not present 
Since `GOPRIVATE` / `GONOPROXY` expect a glob pattern
 2025-09-24 15:52:03 +01:00
Michael B. Gale
a8fa1a76c4 Use git_source configurations for GOPRIVATE 2025-09-24 15:52:02 +01:00
Michael B. Gale
895399ff05 Rename proxy_configs to goproxy_servers and only store URLs 2025-09-24 15:52:01 +01:00
Michael B. Gale
23a04613c0 Set lower-case variants of HTTP_PROXY and HTTPS_PROXY 2025-09-24 15:52:00 +01:00
Michael B. Gale
711d49770f Improve logging to include proxy vars 2025-09-24 15:51:59 +01:00
Simon Friis Vindum
7d6e2060e5 Adapt all languages to changes in shared library 2025-09-22 14:18:58 +02:00
github-actions[bot]
4e8343664f Post-release preparation for codeql-cli-2.23.1 2025-09-17 10:13:40 +00:00
github-actions[bot]
02a1b1efcb Release preparation for version 2.23.1 2025-09-16 14:14:42 +00:00
Jeroen Ketema
0f5bd3799e Merge branch 'main' into go-log 2025-09-12 11:12:01 +02:00
Jeroen Ketema
3de9356141 Go: Retrofit the change log to mention Go 1.25 
This can only be a minor change (or something similar) to stay within the
semantic versioning contraints. This is because only the patch version of
the Go ql library pack was bumped during the release. Since there were no new
language features in Go 1.25, this might also be the most accurate choice here.
 2025-09-12 11:08:42 +02:00
Michael B. Gale
f4575d9d03 Merge pull request #20406 from github/dependabot/go_modules/go/extractor/extractor-dependencies-93606d20ee 
Bump golang.org/x/tools from 0.36.0 to 0.37.0 in /go/extractor in the extractor-dependencies group
 2025-09-11 13:11:28 +01:00
Owen Mansel-Chan
d9e7c89af0 Add indirect method calls 2025-09-11 11:31:28 +01:00
Owen Mansel-Chan
84e70e166e Add direct method calls 2025-09-11 11:27:56 +01:00
Owen Mansel-Chan
fa18fd2782 Add method defs 2025-09-11 11:24:53 +01:00
Owen Mansel-Chan
cbbf7c2578 Include pre-update node in output 2025-09-11 11:22:17 +01:00
dependabot[bot]
b996dc3b62 Bump golang.org/x/tools 
Bumps the extractor-dependencies group in /go/extractor with 1 update: [golang.org/x/tools](https://github.com/golang/tools).


Updates `golang.org/x/tools` from 0.36.0 to 0.37.0
- [Release notes](https://github.com/golang/tools/releases)
- [Commits](https://github.com/golang/tools/compare/v0.36.0...v0.37.0)

---
updated-dependencies:
- dependency-name: golang.org/x/tools
  dependency-version: 0.37.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: extractor-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-11 03:08:27 +00:00
dependabot[bot]
f104205538 Bump golang.org/x/mod 
Bumps the extractor-dependencies group in /go/extractor with 1 update: [golang.org/x/mod](https://github.com/golang/mod).


Updates `golang.org/x/mod` from 0.27.0 to 0.28.0
- [Commits](https://github.com/golang/mod/compare/v0.27.0...v0.28.0)

---
updated-dependencies:
- dependency-name: golang.org/x/mod
  dependency-version: 0.28.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: extractor-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
 2025-09-09 03:08:18 +00:00