hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-04 10:10:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
16,413 Commits 1,673 Branches 157 Tags
a2d12f0440762bee7c2a61d8a26e96fb7f11efc8
Commit Graph

16413 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rasmus Wriedt Larsen
a2d12f0440 Python: Update CommandInjection.expected 2020-09-30 13:00:10 +02:00
Rasmus Wriedt Larsen
b3efa28277 Merge branch 'main' into python-command-execution-modeling 2020-09-30 10:24:11 +02:00
Anders Schack-Mulligen
8d4f7e2db7 Merge pull request #4366 from joefarebrother/field-rvalue-lvalue 
Java: Make `FieldRead` and `FieldWrite` extend `RValue` and `LValue`
 2020-09-30 07:55:24 +02:00
Joe
d184aa7c06 Make FieldRead and FieldWrite extend LValue and RValue 2020-09-29 15:24:51 +01:00
yoff
60c310d1bf Merge pull request #4361 from RasmusWL/python-new-flask-perf-fix 
Python: Hotfix performance problem with flask methods
 2020-09-29 15:41:14 +02:00
CodeQL CI
d7add29dc2 Merge pull request #4359 from erik-krogh/cookieWrites 
Approved by esbena
 2020-09-29 06:32:01 -07:00
CodeQL CI
910c19e613 Merge pull request #4348 from erik-krogh/needle 
Approved by esbena
 2020-09-29 02:57:32 -07:00
Erik Krogh Kristensen
51f1f03f5f add change note for js/missing-token-validation 2020-09-29 11:56:10 +02:00
CodeQL CI
11f39a9d88 Merge pull request #4342 from erik-krogh/track-where-prop 
Approved by asgerf
 2020-09-29 02:09:53 -07:00
Rasmus Wriedt Larsen
fee279f952 Python: Hotfix performance problem with flask methods 
This improves runtime for command injection query on
https://lgtm.com/projects/g/alibaba/funcraft from +200 seconds (I did not care
to wait more) down to ~55 seconds on my machine.

This type of tracking predicate with string as additional argument apparently
causes trouble :|
 2020-09-29 11:00:57 +02:00
Erik Krogh Kristensen
89195d7ada add change note for needle 2020-09-29 10:13:48 +02:00
Erik Krogh Kristensen
52d94f6177 use getABoundCallbackParameter instead of getCallback and getParameter. 2020-09-29 10:12:46 +02:00
CodeQL CI
060c19a063 Merge pull request #4352 from erik-krogh/destructing-redirect 
Approved by esbena
 2020-09-28 12:31:42 -07:00
Erik Krogh Kristensen
e04404b713 also recognize cookie writes are leading to cookie access 2020-09-28 21:17:25 +02:00
Ian Lynagh
8a76195f04 Merge pull request #4356 from github/igfoo/front_end 
C++: accept test changes from extractor frontend upgrade
 2020-09-28 17:27:37 +01:00
Tom Hvitved
93edaa75eb Merge pull request #4309 from tamasvajk/feature/enum-value-init 
Extract constant value of enum member equal clauses
 2020-09-28 16:18:10 +02:00
CodeQL CI
75262ddace Merge pull request #4328 from erik-krogh/indirect-fix2 
Approved by esbena
 2020-09-28 04:55:19 -07:00
Jonas Jensen
165779ea09 Merge pull request #4343 from rdmarsh2/rdmarsh2/cpp/ir-construction-qldoc 
C++: Add some IR QLDoc
 2020-09-28 13:37:12 +02:00
Nick Rolfe
7609ce2d47 C++: accept test changes from extractor frontend upgrade 2020-09-28 12:23:26 +01:00
CodeQL CI
18bdc054cd Merge pull request #4347 from max-schaefer/js/handle-empty-pkgjson 
Approved by asgerf
 2020-09-28 02:42:21 -07:00
Rasmus Wriedt Larsen
6cb2ca63a6 Python: tests to show modeling is very syntactical 2020-09-28 11:23:06 +02:00
Joe Farebrother
274147c87a Merge pull request #4339 from joefarebrother/printAST-java-var-decls 
Java: Add synthetic nodes for `LocalVariableDeclExpr`s in the AST view
 2020-09-28 10:21:25 +01:00
Rasmus Wriedt Larsen
3af5c720cc Python: Add test of more indirect command injection sinks 2020-09-28 11:16:52 +02:00
Rasmus Wriedt Larsen
f7f6564189 Python: Model subprocess.Popen (and helpers) 2020-09-28 11:13:04 +02:00
Rasmus Wriedt Larsen
62dc0dd263 Python: Model os.exec* os.spawn* and os.posix_spawn* 
I also had to exclude the inline expectation tests from files outside the test
repo.
 2020-09-28 11:05:33 +02:00
Rasmus Wriedt Larsen
c440fd0c09 Python: Adjust expectations for system command executions 
I mostly did this to show my reviewers that the tests actually run and do
something ;)
 2020-09-28 11:05:33 +02:00
Rasmus Wriedt Larsen
060720aae7 Python: Add tests for all SystemCommandExecution from stdlib 
Overall idea is that `test/experimental/meta/ConceptsTest.qll` will set up
inline expectation tests for all the classes defined in `Concepts.qll`, so any
time you model a new instance of Concepts, you simply just import that
file. That makes the tests a little verbose, but allows us to share test-setup
between all the different frameworks we model.

Note that since the definitions of SystemCommandExecution subclasses are
scattered across multieple framework modeling qll files, it think it makes the
most sense to have the tests for each framework in one location.

I'm not 100% convinced about if this is the right choice or not (especially when
we want to write tests for sanitizers), but for now I'm going to try it out at
least.
 2020-09-28 11:05:32 +02:00
Tamas Vajk
a635503be0 Add test cases to UselessCastToSelf 2020-09-28 11:04:22 +02:00
Tamas Vajk
3577b27f49 Fix to not report on enum member initialization 2020-09-28 11:04:22 +02:00
Tamas Vajk
77bb1b2cd9 C#: Extract constant value of enum member equal clauses 2020-09-28 11:04:22 +02:00
Tamas Vajk
a6b62a3838 C#: Add enum init value test 2020-09-28 10:56:50 +02:00
Tamás Vajk
20c4d94ccc Merge pull request #4318 from tamasvajk/feature/pointer-cast 
C#: Add implicit cast from array to pointer
 2020-09-28 09:34:54 +02:00
Erik Krogh Kristensen
664342dd0f change SimpleParameter to Parameter in the express model to support destructuring parameters 2020-09-26 21:31:06 +02:00
Robert Marsh
713bdae77a C++: sync identical files 2020-09-25 13:54:58 -07:00
Taus
fc84286b56 Merge pull request #3830 from yoff/SharedDataflow_FieldFlow 
Python: Shared dataflow: Field flow
 2020-09-25 14:53:57 +02:00
CodeQL CI
ea5feb2b0a Merge pull request #4331 from erik-krogh/DVNA-files 
Approved by esbena
 2020-09-25 05:21:03 -07:00
Erik Krogh Kristensen
6b9aea82ca model method calls in the needle library 2020-09-25 14:13:31 +02:00
Erik Krogh Kristensen
a22ddb145b model calls to needle 2020-09-25 13:53:22 +02:00
Rasmus Lerchedahl Petersen
4621e6d8c0 Python: fix QL format 2020-09-25 13:37:39 +02:00
Rasmus Lerchedahl Petersen
88bba46698 Python: Modify tests based on review 
The extra hist in `test.py` seen in `globalStep.expected`
are due to the removal of manual filtering code.
(That code was from when dataflow had many strange things in it.)
 2020-09-25 13:35:30 +02:00
Max Schaefer
0ccbaf9e88 JavaScript: Handle empty package.json files gracefully. 2020-09-25 12:12:39 +01:00
Joe
5256c0ba39 Java: Improve PrintAst tests and rename things 
Add tests for `EnhcancedForStmt`s and `InstanceOfExpr`s.
Rename LocalVarDeclParent to SingleLocalVarDeclParent
 2020-09-25 11:31:56 +01:00
yoff
c56ff986d4 Apply suggestions from code review 
Co-authored-by: Taus <tausbn@github.com>
 2020-09-25 11:56:50 +02:00
CodeQL CI
4deb43f361 Merge pull request #4323 from RasmusWL/python-new-command-injection-query 
Approved by tausbn
 2020-09-25 02:39:46 -07:00
CodeQL CI
7b1dbb4364 Merge pull request #4337 from max-schaefer/js/fix-indirect-command-injection 
Approved by asgerf
 2020-09-25 00:18:55 -07:00
Robert Marsh
1445b31864 C++: QLDoc for Operand 2020-09-24 16:34:16 -07:00
Robert Marsh
e51b9215e4 C++: QLDoc for Overlap in IR construction 2020-09-24 15:56:29 -07:00
Robert Marsh
e9b1d817c7 C++: QLDoc for VirtualVariable in IR construction 2020-09-24 15:55:57 -07:00
Erik Krogh Kristensen
b8154d41b1 type-track objects where the "$where" property has been written 2020-09-24 20:55:25 +02:00
CodeQL CI
19316930cd Merge pull request #4310 from asgerf/js/extract-xml-with-codeql 
Approved by aibaars, esbena
 2020-09-24 10:14:46 -07:00