Erik Krogh Kristensen
99994eeeb1
use set literals instead of big disjunctions
2022-01-20 22:33:40 +01:00
Chris Smowton
38048399d3
Merge pull request #671 from owen-mc/misc-clean-ups
...
Correct module name in file comment
2022-01-20 14:00:46 +00:00
Owen Mansel-Chan
54855113c4
Correct module name in file comment
2022-01-20 12:30:52 +00:00
Chris Smowton
8111fbb69b
Delete m
2022-01-20 10:57:11 +00:00
Owen Mansel-Chan
bfae3fdf97
Merge pull request #665 from owen-mc/update-function-get-a-call
...
Update `Function.getACall()`
2022-01-19 23:36:20 +00:00
Owen Mansel-Chan
4d1dcb3260
Remove first disjunct as it is a subset of second disjunct
2022-01-19 16:21:06 +00:00
Owen Mansel-Chan
85319b2dbf
Add tests for tainted path sanitizers and sanitizer guards
2022-01-19 09:49:15 +00:00
Owen Mansel-Chan
84f9b74f50
Improve documentation of Function.getACall
2022-01-18 23:44:34 +00:00
Owen Mansel-Chan
3c02403701
Do not use getACall() when we only want direct calls
...
In both of these locations we do not want calls through interface methods.
2022-01-18 23:36:14 +00:00
Owen Mansel-Chan
1aebf4ccac
Merge pull request #664 from owen-mc/add-change-note-function-getacall
...
Add change note for change to `Function.getACall`
2022-01-18 18:12:29 +00:00
Owen Mansel-Chan
84116e1681
Update ql/lib/change-notes/2022-01-18-function-get-a-call.md
...
Co-authored-by: Chris Smowton <smowton@github.com>
2022-01-18 16:51:07 +00:00
Owen Mansel-Chan
fd1136a777
Add change note for change to Function.getACall
2022-01-18 16:42:57 +00:00
Tom Hvitved
429a9658e1
Merge pull request #657 from github/post-release-prep/codeql-cli-2.7.5
...
Post-release preparation for codeql-cli-2.7.5
2022-01-17 12:40:24 +01:00
Andrew Eisenberg
156588a6a7
Update change note
...
Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
2022-01-14 10:32:47 -08:00
Andrew Eisenberg
c86e96bcc2
Merge branch 'main' into post-release-prep/codeql-cli-2.7.5
2022-01-14 08:19:47 -08:00
Andrew Eisenberg
8a4120a08d
Changenotes: Add changenotes for upgrades refactoring
2022-01-12 11:38:43 -08:00
github-actions[bot]
970e8e1f91
Post-release preparation for codeql-cli-2.7.5
2022-01-12 13:28:33 +00:00
Andrew Eisenberg
6ceebc7d1e
Merge branch 'main' into aeisenberg/upgrades/work
2022-01-11 11:27:35 -08:00
Chris Smowton
6f598a6972
Fix formatting regex comment
2022-01-10 10:49:12 +00:00
Chris Smowton
ae5eadef28
Update ql/lib/semmle/go/frameworks/stdlib/Log.qll
...
Rename class
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2022-01-10 10:24:30 +00:00
Chris Smowton
749698759a
Note that the %q format directive escapes newlines, and therefore prevents log injection
2022-01-05 16:04:20 +00:00
Chris Smowton
5760841812
Merge pull request #647 from smowton/smowton/admin/not-all-you-fmt-is-log
...
Declassify fmt.Fprintf as a log sink
2022-01-05 14:09:55 +00:00
Andrew Eisenberg
49d239f4bf
Push upgrades pack into lib pack
...
PR Related to https://github.com/github/semmle-code/pull/40918
Removes the upgrades pack and uses ql/lib/upgrades instead.
Also, fix malformed parameter in instruction.
Co-authored-by: Chris Smowton <smowton@github.com>
2022-01-04 11:32:52 -08:00
github-actions[bot]
980c162fe3
Release preparation for version 2.7.5
2022-01-04 14:44:48 +00:00
Owen Mansel-Chan
daa55eaae2
Merge pull request #651 from erik-krogh/patches
...
various automatic patches applied to codeql-go
2022-01-04 11:46:20 +00:00
Dave Bartolomeo
171aa8bd62
Move change notes to proper location
2022-01-03 17:38:09 -05:00
Dave Bartolomeo
091906d380
Merge pull request #644 from github/post-release-prep/codeql-cli-2.7.4
...
Post-release preparation for codeql-cli-2.7.4
2022-01-03 17:09:54 -05:00
github-actions[bot]
00aae7cba5
Post-release version bumps
2022-01-03 20:10:43 +00:00
Erik Krogh Kristensen
afe7ee17a0
run the use-set-literals patch
2021-12-20 17:55:19 +01:00
Erik Krogh Kristensen
d339f13629
run the non-us-language patch
2021-12-20 17:54:18 +01:00
Erik Krogh Kristensen
4459c8e7c6
run the redundant-cast patch
2021-12-20 17:53:09 +01:00
Chris Smowton
92d3da5e56
Declassify fmt.Fprintf as a log sink
...
In future we could try harder to find out whether you're Fprintf'ing to stdout, a file named xyz.log etc, but for now this causes Fprintf'ing to an HTTP writer to be mistaken for log-injection rather than just XSS.
2021-12-17 17:07:58 +00:00
Owen Mansel-Chan
da8f8e2eef
Refactor to use SummarizedCallable, sourceElement and sinkElement
2021-12-16 19:35:54 +00:00
Owen Mansel-Chan
ec3dd1e1c0
Revert "Update tests for no flow through receivers when no function body"
...
This reverts commit 06f889fce6.
2021-12-16 19:35:54 +00:00
Owen Mansel-Chan
9b2f29bbcd
Allow data flow through receiver for modelled methods
2021-12-16 19:35:54 +00:00
Chris Smowton
ede57b6527
Merge pull request #637 from smowton/smowton/fix/log-injection-sanitizers
...
Fix sanitization by strings.Replace[All] in go/unsafe-quoting and go/log-injection
2021-12-16 12:28:40 +00:00
Chris Smowton
9de1532735
Add log-injection test using strings.ReplaceAll
2021-12-15 15:35:14 +00:00
github-actions[bot]
ee6ea0f8cb
Release preparation for version 2.7.4
2021-12-14 21:34:55 +00:00
Dave Bartolomeo
42ecc9b1c7
Move new change notes to appropriate pack
2021-12-14 12:46:19 -05:00
Chris Smowton
f86510ee20
Update comment
2021-12-14 12:39:31 +00:00
Chris Smowton
c2b42ce091
Fix sanitization by strings.Replace[All] in go/unsafe-quoting and go/log-injection
2021-12-14 12:37:18 +00:00
Owen Mansel-Chan
6a2a8298dd
Add missing tests for DatabaseSql function models
2021-12-13 14:18:46 -05:00
Chris Smowton
9309abf8cd
Merge pull request #574 from sauyon/dataflow-update
...
Update dataflow libraries and add support for CSV summary flow
2021-12-13 11:28:28 +00:00
Chris Smowton
89b2a2f9b0
Merge pull request #633 from owen-mc/database-sql-model-incorrect
...
Fix incorrect type name in database/sql model
2021-12-13 11:01:38 +00:00
Chris Smowton
559aec1d64
Merge pull request #632 from owen-mc/refactor-variadic-helper-functions-for-builtin-functions
...
Refactor isVariadic helper functions
2021-12-13 10:59:42 +00:00
Chris Smowton
08c10bf97b
Merge pull request #625 from smowton/smowton/fix/minor-perf-improvements
...
Improve performance: join-order AllocationSizeOverflow's source and use `matches` not `regexpFind`
2021-12-13 10:36:02 +00:00
Owen Mansel-Chan
ce27b0da52
Fix incorrect type name in database/sql model
...
This error seems to have been introduced in 36bbf1eeb9
2021-12-12 17:47:52 -05:00
Owen Mansel-Chan
353aa8d603
Refactor isVariadic helper functions
...
Store information more naturally for built-in functions.
2021-12-12 16:56:26 -05:00
Andrew Eisenberg
3cc48fea6a
Merge pull request #622 from github/post-release/v2.7.3
...
Post release/v2.7.3
2021-12-10 10:00:11 -08:00
Chris Smowton
e9e4f5a687
Improve performance: join-order AllocationSizeOverflow's source and use matches not regexpFind
...
The join order fix takes 10 seconds off that predicate; the get-a-flag changes take about 25% off compared to using regexes.
2021-12-10 12:23:50 +00:00