Commit Graph

187 Commits

Author SHA1 Message Date
Ian Lynagh
6a86f1a91b Add getPrimaryQlClasses()
This is a non-overridable predicate that concatenates all the
getAPrimaryQlClass() results into a comma-separated string.
2021-08-24 13:03:24 +01:00
snoopywu
0174270a03 Add change note 2021-08-23 08:15:56 -07:00
Sauyon Lee
ab80f35451 Add change note for 1.17 2021-08-19 14:02:29 -07:00
Owen Mansel-Chan
8c97395884 Add change note 2021-08-18 11:54:05 +01:00
Chris Smowton
9ab1a8d144 Reword change note
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2021-04-21 15:28:28 +01:00
Chris Smowton
e50ad90856 Elaborate comment and change-note a little 2021-04-21 12:36:43 +01:00
Sauyon Lee
7efbcec50d Add change note 2021-04-20 23:27:03 -07:00
Chris Smowton
685f4fa2a6 Add change note 2021-04-19 16:13:16 +01:00
Owen Mansel-Chan
c192a255c5 Add change note 2021-03-30 10:13:22 +01:00
Sauyon Lee
012825323d Add change note 2021-03-18 10:54:33 -07:00
sn00py
22c3110602 Update change-notes/2021-03-16-nethttp-updated.md
Co-authored-by: Sauyon Lee <sauyon@github.com>
2021-03-18 23:32:23 +08:00
snoopywu
161ce91159 Add changenote for #506 2021-03-16 23:51:26 +08:00
Sauyon Lee
fc9bc68829 Add change note for go 1.16 2021-02-18 11:49:00 -08:00
Sauyon Lee
e6d11fc99e Merge pull request #475 from sauyon/yaml
Add models for gopkg.in/yaml
2021-02-16 15:11:47 +00:00
Chris Smowton
2be66d1d74 Merge pull request #479 from smowton/smowton/admin/add-missing-change-notes
Add missing change notes
2021-02-16 09:58:29 +00:00
Owen Mansel-Chan
1c6a68ae93 Merge pull request #478 from owen-mc/update-logrus-model
Simplify Logrus model
2021-02-16 07:35:44 +00:00
Sauyon Lee
1acbfaafcc Add models for gopkg.in/yaml 2021-02-15 18:27:09 +00:00
Chris Smowton
95008d1ccb Update change-notes/2021-02-09-html-templates.md
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
2021-02-15 14:39:24 +00:00
Chris Smowton
6f5f1c4829 Add missing change notes 2021-02-15 14:07:10 +00:00
Owen Mansel-Chan
46cc9e9fa4 Add change note 2021-02-15 13:51:01 +00:00
Owen Mansel-Chan
a2c0b6ade6 Merge pull request #464 from owen-mc/list-constants-sanitizers
List of constants sanitizer guards (switch statement in function only)
2021-02-15 11:39:40 +00:00
Owen Mansel-Chan
1dc474650a Model zap 2021-02-11 14:35:36 +00:00
Owen Mansel-Chan
5ec25de1fc Add change note 2021-02-02 16:27:44 +00:00
Sauyon Lee
82bd293e5c Polish insecure randomness query 2021-02-02 08:04:11 +00:00
Sauyon Lee
48a52cfd2f Merge pull request #437 from sauyon/goproxy
Model elazarl/goproxy
2021-01-28 06:05:52 +00:00
Sauyon Lee
fb84df241a Add change note for goproxy modeling 2021-01-27 17:38:23 +00:00
Sauyon Lee
3ed9e66c7a Add gokit models 2021-01-25 08:15:14 -08:00
Owen Mansel-Chan
8acf572283 Add change note 2021-01-22 17:38:26 +00:00
Owen Mansel-Chan
b5dfef894b Add change note 2021-01-13 09:18:54 +00:00
Chris Smowton
a9cff82161 Add change-note for addition of git to the list of known interpreters for the go/command-injection query. 2021-01-11 18:48:54 +00:00
Chris Smowton
2dffd3e261 Merge pull request #443 from smowton/smowton/admin/missing-change-notes-2021-01
Add change-notes for recent PRs that were missing them
2021-01-05 11:41:35 +00:00
Chris Smowton
19921ed115 Add change-notes for recent PRs that were missing them 2021-01-05 11:39:26 +00:00
Chris Smowton
2b608e5822 Merge remote-tracking branch 'origin/rc/1.26' into HEAD 2021-01-04 15:32:15 +00:00
Chris Smowton
8060993b3b Merge pull request #430 from smowton/smowton/feature/model-beego-orm
Model the Beego ORM subpackage
2020-12-16 16:08:18 +00:00
Chris Smowton
44a63b2f94 Model the Beego ORM subpackage 2020-12-16 14:39:58 +00:00
Owen Mansel-Chan
87f2cad475 Merge pull request #427 from owen-mc/model-kubernetes-secret
Model kubernetes SecretInterface
2020-12-15 17:12:45 +00:00
Owen Mansel-Chan
6ca2e0e38e Add SecretInterface as source for cleartext logging query 2020-12-15 16:00:58 +00:00
Chris Smowton
8e7abbac0a Model Beego web framework
This excludes the ORM, email and validation components, which I will follow up with separately.
2020-12-15 14:04:36 +00:00
Owen Mansel-Chan
e4316768ef Merge pull request #426 from owen-mc/model-k8s-io-apimachinery-pkg-runtime
Model k8s.io/apimachinery/pkg/runtime
2020-12-09 09:16:47 +00:00
Owen Mansel-Chan
c17f1618e0 Add change note 2020-12-09 06:45:08 +00:00
Owen Mansel-Chan
290a4dcdf4 Merge pull request #414 from owen-mc/model-evanphx-json-patch
Model evanphx/json-patch
2020-12-08 17:36:10 +00:00
Owen Mansel-Chan
e786fa07ee Add change note 2020-12-08 16:15:01 +00:00
Owen Mansel-Chan
8c33979425 Merge pull request #388 from owen-mc/untrusted-data-flow-to-external-api
Untrusted data flow to external API
2020-12-01 11:25:58 +00:00
Sauyon Lee
09d41952dc SuspiciousCharacterInRegexp: Add fix for raw string literals 2020-11-30 19:15:17 +00:00
Chris Smowton
3338a0b10d Merge pull request #402 from smowton/smowton/feature/zipslip-more-generous-sanitisers
ZipSlip: redefine sources closer to their origin, and make sanitizers more generous
2020-11-27 18:25:07 +00:00
Owen Mansel-Chan
7730d66d76 Apply suggestions from code review
Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
2020-11-27 16:17:54 +00:00
Chris Smowton
1eb8fff7e1 ZipSlip: redefine sources closer to their origin, and make sanitizers more generous.
Previously we considered certain fields of `tar` or `zip` file headers to be sources, but this meant subsequent references to the same field were not considered sanitized. For example, at least some real-world projects used a pattern like `if isIllegalPathTraversal(hdr.Name) { return nil; } ... /* other code using hdr.Name */`. By associating a source with the field-read `.Name` rather than the header itself, we were unable to see that the subsequent read was guarded by the sanitizer function.

Relatedly, it is common to use some intermediary taint-propagating function, as in `clean(s string) { if strings.HasPrefix("..", filepath.Clean(filepath.Join(target, s))) ...`, in the implementation of a sanitizer. We now follow the taint propagation (locally) backwards towards the function parameter, marking the predecessor functions and ultimately the parameter `s` as sanitized in addition to the direct argument to `strings.HasPrefix`. Existing sanitizing-function logic can then sometimes lift this out into the caller too.
2020-11-27 13:57:25 +00:00
Sauyon Lee
0bf09307cf Add StoredCommand query 2020-11-23 02:11:44 -08:00
Chris Smowton
e241f8469b Add change notes for PRs that omitted them 2020-11-20 16:15:12 +00:00
Sauyon Lee
793d6f6053 Merge pull request #399 from sauyon/stored-xss
Add stored XSS query
2020-11-19 23:23:21 -08:00