Commit Graph

125 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
99994eeeb1 use set literals instead of big disjunctions 2022-01-20 22:33:40 +01:00
Owen Mansel-Chan
54855113c4 Correct module name in file comment 2022-01-20 12:30:52 +00:00
Owen Mansel-Chan
4d1dcb3260 Remove first disjunct as it is a subset of second disjunct 2022-01-19 16:21:06 +00:00
Owen Mansel-Chan
84f9b74f50 Improve documentation of Function.getACall 2022-01-18 23:44:34 +00:00
Owen Mansel-Chan
3c02403701 Do not use getACall() when we only want direct calls
In both of these locations we do not want calls through interface methods.
2022-01-18 23:36:14 +00:00
Owen Mansel-Chan
1aebf4ccac Merge pull request #664 from owen-mc/add-change-note-function-getacall
Add change note for change to `Function.getACall`
2022-01-18 18:12:29 +00:00
Owen Mansel-Chan
84116e1681 Update ql/lib/change-notes/2022-01-18-function-get-a-call.md
Co-authored-by: Chris Smowton <smowton@github.com>
2022-01-18 16:51:07 +00:00
Owen Mansel-Chan
fd1136a777 Add change note for change to Function.getACall 2022-01-18 16:42:57 +00:00
Tom Hvitved
429a9658e1 Merge pull request #657 from github/post-release-prep/codeql-cli-2.7.5
Post-release preparation for codeql-cli-2.7.5
2022-01-17 12:40:24 +01:00
Andrew Eisenberg
156588a6a7 Update change note
Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
2022-01-14 10:32:47 -08:00
Andrew Eisenberg
c86e96bcc2 Merge branch 'main' into post-release-prep/codeql-cli-2.7.5 2022-01-14 08:19:47 -08:00
Andrew Eisenberg
8a4120a08d Changenotes: Add changenotes for upgrades refactoring 2022-01-12 11:38:43 -08:00
github-actions[bot]
970e8e1f91 Post-release preparation for codeql-cli-2.7.5 2022-01-12 13:28:33 +00:00
Andrew Eisenberg
6ceebc7d1e Merge branch 'main' into aeisenberg/upgrades/work 2022-01-11 11:27:35 -08:00
Chris Smowton
6f598a6972 Fix formatting regex comment 2022-01-10 10:49:12 +00:00
Chris Smowton
ae5eadef28 Update ql/lib/semmle/go/frameworks/stdlib/Log.qll
Rename class

Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2022-01-10 10:24:30 +00:00
Chris Smowton
749698759a Note that the %q format directive escapes newlines, and therefore prevents log injection 2022-01-05 16:04:20 +00:00
Chris Smowton
5760841812 Merge pull request #647 from smowton/smowton/admin/not-all-you-fmt-is-log
Declassify fmt.Fprintf as a log sink
2022-01-05 14:09:55 +00:00
Andrew Eisenberg
49d239f4bf Push upgrades pack into lib pack
PR Related to https://github.com/github/semmle-code/pull/40918
Removes the upgrades pack and uses ql/lib/upgrades instead.

Also, fix malformed parameter in instruction.

Co-authored-by: Chris Smowton <smowton@github.com>
2022-01-04 11:32:52 -08:00
github-actions[bot]
980c162fe3 Release preparation for version 2.7.5 2022-01-04 14:44:48 +00:00
Owen Mansel-Chan
daa55eaae2 Merge pull request #651 from erik-krogh/patches
various automatic patches applied to codeql-go
2022-01-04 11:46:20 +00:00
Dave Bartolomeo
091906d380 Merge pull request #644 from github/post-release-prep/codeql-cli-2.7.4
Post-release preparation for codeql-cli-2.7.4
2022-01-03 17:09:54 -05:00
github-actions[bot]
00aae7cba5 Post-release version bumps 2022-01-03 20:10:43 +00:00
Erik Krogh Kristensen
afe7ee17a0 run the use-set-literals patch 2021-12-20 17:55:19 +01:00
Erik Krogh Kristensen
d339f13629 run the non-us-language patch 2021-12-20 17:54:18 +01:00
Erik Krogh Kristensen
4459c8e7c6 run the redundant-cast patch 2021-12-20 17:53:09 +01:00
Chris Smowton
92d3da5e56 Declassify fmt.Fprintf as a log sink
In future we could try harder to find out whether you're Fprintf'ing to stdout, a file named xyz.log, etc., but for now this causes Fprintf'ing to an HTTP writer to be mistaken for log-injection rather than just XSS.
2021-12-17 17:07:58 +00:00
Owen Mansel-Chan
da8f8e2eef Refactor to use SummarizedCallable, sourceElement and sinkElement 2021-12-16 19:35:54 +00:00
Owen Mansel-Chan
9b2f29bbcd Allow data flow through receiver for modelled methods 2021-12-16 19:35:54 +00:00
github-actions[bot]
ee6ea0f8cb Release preparation for version 2.7.4 2021-12-14 21:34:55 +00:00
Chris Smowton
f86510ee20 Update comment 2021-12-14 12:39:31 +00:00
Chris Smowton
c2b42ce091 Fix sanitization by strings.Replace[All] in go/unsafe-quoting and go/log-injection 2021-12-14 12:37:18 +00:00
Chris Smowton
9309abf8cd Merge pull request #574 from sauyon/dataflow-update
Update dataflow libraries and add support for CSV summary flow
2021-12-13 11:28:28 +00:00
Chris Smowton
89b2a2f9b0 Merge pull request #633 from owen-mc/database-sql-model-incorrect
Fix incorrect type name in database/sql model
2021-12-13 11:01:38 +00:00
Chris Smowton
559aec1d64 Merge pull request #632 from owen-mc/refactor-variadic-helper-functions-for-builtin-functions
Refactor isVariadic helper functions
2021-12-13 10:59:42 +00:00
Chris Smowton
08c10bf97b Merge pull request #625 from smowton/smowton/fix/minor-perf-improvements
Improve performance: join-order AllocationSizeOverflow's source and use `matches` not `regexpFind`
2021-12-13 10:36:02 +00:00
Owen Mansel-Chan
ce27b0da52 Fix incorrect type name in database/sql model
This error seems to have been introduced in 36bbf1eeb9
2021-12-12 17:47:52 -05:00
Owen Mansel-Chan
353aa8d603 Refactor isVariadic helper functions
Store information more naturally for built-in functions.
2021-12-12 16:56:26 -05:00
Andrew Eisenberg
3cc48fea6a Merge pull request #622 from github/post-release/v2.7.3
Post release/v2.7.3
2021-12-10 10:00:11 -08:00
Chris Smowton
e9e4f5a687 Improve performance: join-order AllocationSizeOverflow's source and use matches not regexpFind
The join order fix takes 10 seconds off that predicate; the get-a-flag changes take about 25% off compared to using regexes.
2021-12-10 12:23:50 +00:00
Chris Smowton
facda77852 Dataflow relations: narrow all dataflow nodes before taking product with Configurations
This is particularly important for ConversionWithoutBoundsCheckConfig which has 20 configs. By paring DataFlow::Node down to only those that have a local-flow successor, or only those with an isAdditionalFlowStep for some related configuration, the result size can be significantly reduced prior to taking the product against Configuration and finally paring down using config.fullBarrier etc.

Saves about 1m20s per analysis on cockroachdb.
2021-12-09 16:56:38 +00:00
Andrew Eisenberg
cedf55c46e Update pack dependency 2021-12-09 07:58:14 -08:00
Owen Mansel-Chan
b234ba7f26 Fix bad join order in getAFalsifiedGuard
viableParamArg should be evaluated first.
2021-12-08 17:33:59 -05:00
Owen Mansel-Chan
a01f90b903 Give DataFlowCallable a user-facing name (Callable), move to Scopes.qll
I removed asFunctionNode() because it would need an import, but it doesn't seem to be used anywhere.
2021-12-08 11:30:39 -05:00
Owen Mansel-Chan
a6532b988f Allow implicit taint reads through more content types 2021-12-08 11:20:38 -05:00
Owen Mansel-Chan
754c838cc0 Fix accidental cartesian product
PointerContent needs to have the PointerType specified as well
2021-12-08 11:20:37 -05:00
Owen Mansel-Chan
d70307243c Fix bad join order in BarrierGuard.guards/2 2021-12-08 11:20:37 -05:00
Owen Mansel-Chan
1a9ea38c0b Update non-shared dataflow files to match sync 2021-12-08 11:20:36 -05:00
Owen Mansel-Chan
095fe6e4a7 Do not allow "Argument" on its own
# Conflicts:
#	ql/test/library-tests/semmle/go/dataflow/ExternalFlow/srcs.expected
2021-12-08 11:20:36 -05:00
Sauyon Lee
b2f62b185d Allow for Return[i] specifications 2021-12-08 11:20:36 -05:00