yoff
9c9c5c09ff
Merge pull request #6837 from RasmusWL/more-unsafe-deserialization-sinks
...
Python: More unsafe deserialization sinks
2021-10-10 14:33:53 +02:00
yoff
f6122c8a6c
Merge pull request #6734 from erik-krogh/regBehind
...
JS/PY: do not filter away regular expressions with lookbehinds
2021-10-10 13:54:26 +02:00
Geoffrey White
79f13cae55
Merge pull request #6839 from geoffw0/toctoufp
...
CPP: Add test cases for cpp/toctou-race-condition
2021-10-08 16:15:00 +01:00
Cornelius Riemenschneider
84883d115d
Merge pull request #6813 from adityasharad/docs/database-create-bazel
...
CLI docs: Add example for creating a database using a Bazel build command
2021-10-08 16:56:10 +02:00
Anders Schack-Mulligen
5d0e72755d
Merge pull request #6770 from aschackmull/java/stream-model
...
Java: Add models for java.util.stream.
2021-10-08 15:48:50 +02:00
Geoffrey White
1c56573194
C++: Add tests.
2021-10-08 14:30:27 +01:00
Geoffrey White
dd95131630
C++: Test spacing.
2021-10-08 14:28:42 +01:00
Rasmus Wriedt Larsen
fd0c386a4c
Python: Add change-note
2021-10-08 12:06:18 +02:00
Rasmus Wriedt Larsen
5e6f042f6e
Python: Model pickle.Unpickler
2021-10-08 11:55:54 +02:00
Rasmus Wriedt Larsen
75b06d8a25
Python: Model dill.load
2021-10-08 11:55:54 +02:00
Rasmus Wriedt Larsen
4820be3b10
Python: Model keyword arguments to dill.loads
2021-10-08 11:55:54 +02:00
Rasmus Wriedt Larsen
9180257afe
Python: Refactor Dill.qll
...
So it matches the layout of all our other qll modules modeling a PyPI
package.
2021-10-08 11:55:54 +02:00
Rasmus Wriedt Larsen
f9333fc551
Python: Expand dill tests
2021-10-08 11:55:54 +02:00
Rasmus Wriedt Larsen
42980a1ab4
Python: Model shelve.open
2021-10-08 11:55:54 +02:00
Anders Schack-Mulligen
446c738f20
Merge pull request #6790 from aschackmull/dataflow/force-precision
...
Dataflow: Force high precision of certain Contents.
2021-10-08 11:44:26 +02:00
Tom Hvitved
951df380a9
Merge pull request #6829 from hvitved/csharp/gvn-to-string-concat-range
...
C#: Speed up GVN string `concat`s by pulling ranges into separate predicates
2021-10-08 10:02:31 +02:00
Anders Schack-Mulligen
06e59f3b17
Merge pull request #6832 from github/workflow/coverage/update
...
Update CSV framework coverage reports
2021-10-08 09:53:49 +02:00
Anders Schack-Mulligen
1bec58dee5
Dataflow: Fix more qldoc: s/accesspath/access path/.
2021-10-08 09:41:26 +02:00
github-actions[bot]
062250741a
Add changed framework coverage reports
2021-10-08 00:08:55 +00:00
Rasmus Wriedt Larsen
a81d359669
Python: Model marshal.load
2021-10-07 21:27:51 +02:00
Rasmus Wriedt Larsen
1b61296ea5
Python: Model pickle.load
2021-10-07 21:25:48 +02:00
Rasmus Wriedt Larsen
27c368a444
Python: Model keyword arguments to pickle.loads
2021-10-07 21:24:12 +02:00
Rasmus Wriedt Larsen
3592b09d56
Python: Expand stdlib decoding tests
...
The part about claiming there is decoding of the input to `shelve.open`
is sort of an odd one, since it's not the filename, but the contents of
the file that is decoded.
However, trying to only handle this problem through path injection is
not enough -- if a user is able to upload and access files through
`shelve.open` in a path injection safe manner, that still leads to code
execution.
So right now the best way we have of modeling this is to treat the
filename argument as being deserialized...
2021-10-07 21:11:51 +02:00
Rasmus Wriedt Larsen
a31bf75169
Python: Refactor pickle.loads() modeling
2021-10-07 20:28:30 +02:00
Robert Marsh
2539e3247a
Merge pull request #6814 from MathiasVP/fix-qldoc-in-copy-instruction
...
C++/C#: Fix QLDoc of `CopyInstruction`
2021-10-07 11:18:38 -07:00
Aditya Sharad
2ed572095c
CLI docs: Address comments on Bazel example
2021-10-07 10:51:11 -07:00
Chris Smowton
9a80ab31c4
Merge pull request #6567 from luchua-bc/java/sensitive_android_file_leak
...
Java: CWE-200 - Query to detect exposure of sensitive information from android file intent
2021-10-07 15:19:39 +01:00
Chris Smowton
39640efc9b
Remove no-longer-needed TaintPreservingCallables and update test expectations
2021-10-07 14:33:39 +01:00
Anders Schack-Mulligen
2b88a2aa0c
Dataflow: Fix qldoc: s/accesspath/access path/.
2021-10-07 14:46:24 +02:00
Anders Schack-Mulligen
f885751107
Java: Add change note.
2021-10-07 14:42:19 +02:00
Tom Hvitved
764a987b09
C#: Speed up GVN string concats by pulling ranges into separate predicates
2021-10-07 13:51:05 +02:00
Anders Schack-Mulligen
fc69acee46
Java: Add test.
2021-10-07 13:28:02 +02:00
Chris Smowton
b7448d55ed
Introduce TaintInheritingContent instead of using parts of DataFlowPrivate
2021-10-07 11:20:19 +01:00
Henry Mercer
4b069d41f6
Merge pull request #6818 from github/henrymercer/js/add-classify-files-to-library-pack
...
JS: Move `ClassifyFiles.qll` to library pack
2021-10-07 11:18:20 +01:00
CodeQL CI
a0dd3d9e75
Merge pull request #6815 from asgerf/js/adjust-security-severity-scores
...
Approved by erik-krogh, esbena
2021-10-07 02:36:19 -07:00
Dave Bartolomeo
d8d9073bc2
Merge pull request #6826 from github/aeisenberg/add-library
2021-10-06 20:18:39 -04:00
Andrew Eisenberg
e2b1f6ac50
Packaging: Add library flag to upgrades packs
...
This flag was missing. It should be there. Otherwise, this
pack cannot be built.
2021-10-06 14:29:55 -07:00
Dave Bartolomeo
0452512de2
Merge pull request #6820 from github/aeisenberg/gitignore
...
Ignore .codeql folder
2021-10-06 12:59:45 -04:00
Chris Smowton
f88c8a64a1
Copyedit
2021-10-06 17:37:21 +01:00
Chris Smowton
b33daa3d3a
Update Intent model tests, and fix models where required
2021-10-06 17:09:47 +01:00
Chris Smowton
4be2347a30
Adapt to use the new shared Intent models
2021-10-06 16:15:18 +01:00
Henry Mercer
83cbc86f50
JS: Move ClassifyFiles.qll to library pack
...
This allows us to use this library in packs that depend on the
`codeql/javascript-all` library pack.
2021-10-06 16:08:06 +01:00
Andrew Eisenberg
c9c45808b4
Merge pull request #6819 from github/aeisenberg/javascript/fix-compile-errors
...
Fixes compile errors by moving files
2021-10-06 07:59:50 -07:00
Chris Smowton
91d8b3da23
Sort Intent models
2021-10-06 12:30:40 +01:00
Chris Smowton
f24e310ace
Update test expectation details
2021-10-06 12:25:23 +01:00
Chris Smowton
ffdfc0549a
Update comment
2021-10-06 12:17:49 +01:00
luchua-bc
987bfa6ca7
Update condition check and qldoc
2021-10-06 12:17:49 +01:00
luchua-bc
8c2fddb297
Update the condition check and use DataFlow in the ql file
2021-10-06 12:17:49 +01:00
Chris Smowton
b0e652a3af
Remove AsyncTask models
2021-10-06 12:17:49 +01:00
Chris Smowton
9e0cf5a2fd
Update test expectations to include subpaths
2021-10-06 12:17:49 +01:00