hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00
Code Issues Packages Projects Releases Wiki Activity
83,294 Commits 1,671 Branches 157 Tags
aa3000df1310b332ba1c84afec3bacb0aeb4dbbd
Commit Graph

83294 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Owen Mansel-Chan
203952fa47 Convert post-update logic to IR (part 2) 
Note that we don't create post-update nodes for method receivers if the
call to the method is indirect, via a function variable. We could aim to
do this in future.
 2025-10-01 16:12:35 +01:00
Owen Mansel-Chan
c8b8e25fbb Convert post-update logic to IR (part 1) 2025-10-01 16:12:34 +01:00
Owen Mansel-Chan
7a515c101a Pull out post-update node logic into predicate 2025-10-01 16:12:32 +01:00
Owen Mansel-Chan
d13d7173ed Fix QLDoc typo 2025-10-01 16:12:30 +01:00
Owen Mansel-Chan
14301e0af4 Expected changes in dataflow edges 2025-10-01 16:12:28 +01:00
Owen Mansel-Chan
c20abf6d58 Line numbers change because 3 lines were added 2025-10-01 16:12:27 +01:00
Owen Mansel-Chan
521066578b Test result that was missing is now found 2025-10-01 16:12:25 +01:00
Owen Mansel-Chan
3594dba83c Make insecure randomness test more realistic 2025-10-01 16:12:24 +01:00
Owen Mansel-Chan
32de2113a6 Use _ instead of exists variable x2 2025-10-01 16:12:22 +01:00
Chris Smowton
a3eb0100a6 Optimise join order for varBlockReaches 2025-10-01 16:12:21 +01:00
Owen Mansel-Chan
9068315f03 Fix IncorrectIntegerConversion for use-use flow 
We were assuming that `sink` only had one successor, the TypeCastNode, but it
can now have an adjacent use as well.
 2025-10-01 16:12:19 +01:00
Owen Mansel-Chan
b2a9cecd69 Fix Allocation Size Overflow for use-use flow 
We have an operator expression like `x * 5`. We want to follow where the
value of the operator expression goes. We used to follow local flow from
an operand, but now there is flow from that operand to the next use of
the variable. The fix is to explicitly start local flow from the
operator expression.

There are also some expected edge changes due to use-use flow.
 2025-10-01 16:12:18 +01:00
Owen Mansel-Chan
4e04d27d32 Adjust SafeFormatArgumentSanitizer to use-use flow 
Make it sanitize the result of the call rather than the input, so that
further uses of the input are still tainted. This means that it catches
things like `log.Print(fmt.Sprintf("user %q logged in.\n", username))`
where the argument to the LoggerCall contains a StringFormatCall, but
it misses things like `log.Printf("user %q logged in.\n", username)`. So
we extract the logic into a predicate and apply it as a condition in the
sink as well.

The downside of this approach is that if there are two tainted inputs
and only one has a safe format argument then we still sanitize the
result. Hopefully this is rare.
 2025-10-01 16:12:16 +01:00
Owen Mansel-Chan
49b8b0bca3 Remove local flow step from SSA defn to SSA capture 2025-10-01 16:12:15 +01:00
Owen Mansel-Chan
b4743155f6 Include first step from SsaVariableCapture 
Without this change the test
go/ql/test/query-tests/InconsistentCode/UnhandledCloseWritableHandle/UnhandledCloseWritableHandle.qlref
was failing.
 2025-10-01 16:12:14 +01:00
Owen Mansel-Chan
5267671b15 Clean up code in basicLocalFlowStep 
No changes in functionality.
 2025-10-01 16:12:12 +01:00
Owen Mansel-Chan
4484d5bfa9 Add missing QLDoc 2025-10-01 16:12:09 +01:00
Owen Mansel-Chan
16a11b48ad Switch to use-use dataflow. This will make post-update nodes easy to implement. 
Queries / tests that required changes:
* The CleartextLogging and MissingErrorCheck queries are updated because they assumed def-use flow
* The CommandInjection query works around the shortcomings of use-use flow by essentially reintroducing def-use flow when it applies a sanitizer
* The OpenUrlRedirect query currently just accepts its fate; the tests are updated to avoid excess sanitization while the query comments on the problem. We should choose this approach or the CommandInjection one.
 2025-10-01 16:12:07 +01:00
Simon Friis Vindum
1408c245e0 Merge pull request #20557 from paldepind/rust/type-inference-delete-predicates 
Rust: Remove member predicates on `Type`
 2025-10-01 16:48:41 +02:00
Owen Mansel-Chan
ff3d795a8f Merge pull request #20556 from owen-mc/go/test/safeurlflow 
Go: Add tests for SafeUrlFlow, and fix a latent bug
 2025-10-01 15:05:55 +01:00
Geoffrey White
f96a42c075 Merge pull request #20561 from geoffw0/basicquery 
Rust: Add Basic query for Rust code doc
 2025-10-01 14:20:11 +01:00
Owen Mansel-Chan
8983ac9212 Phrase test in terms of safe URLs 2025-10-01 14:13:15 +01:00
Tom Hvitved
dd3debc2d5 Address review comments 2025-10-01 14:41:28 +02:00
Anders Schack-Mulligen
a1028d604c Guards: Improve performance for uniqueValue. 2025-10-01 14:08:37 +02:00
Mathias Vorreiter Pedersen
b0e9238ddf Merge branch 'main' into use-shared-guards-library 2025-10-01 11:59:17 +01:00
Geoffrey White
b02c19b5bf Rust: Slightly cleaner screenshots. 2025-10-01 11:59:08 +01:00
Geoffrey White
936702a0e5 Rust: Update graphics. 2025-10-01 11:49:54 +01:00
Mathias Vorreiter Pedersen
353ee8baa0 C++: Port a test from the experimental directory to show that it works in the non-experimental "new" range analysis. 2025-10-01 11:33:47 +01:00
Chris Smowton
f5ae5bed47 Merge pull request #20560 from smowton/smowton/fix/start-in-constructor-fp 
Java: note that classes with entirely private constructors can't be subclassed
 2025-10-01 11:16:50 +01:00
Geoffrey White
2c7291d27e Rust: Fix toctree bug. 2025-10-01 11:12:29 +01:00
Ben Ahmady
513dcf1cb4 Merge branch 'main' into basicquery 2025-10-01 11:02:19 +01:00
Owen Mansel-Chan
c93852d87a Improve comments in test file 2025-10-01 11:01:58 +01:00
Simon Friis Vindum
daf0cf1c1b Rust: Rename predicates 2025-10-01 11:43:51 +02:00
Owen Mansel-Chan
dd3f754cb3 Add change note. 2025-10-01 09:32:00 +01:00
Simon Friis Vindum
a359a24c9e Merge pull request #20559 from paldepind/rust/string-add-ref 
Rust: Add taint model for add on `String`
 2025-10-01 09:38:54 +02:00
Geoffrey White
372b5870b1 Merge pull request #20554 from geoffw0/docs1 
Rust: Consistency fix for reusables/extractors.rst.
 2025-09-30 17:41:05 +01:00
Geoffrey White
92122fef58 Rust: statement -> expression. 2025-09-30 15:48:26 +01:00
Geoffrey White
d9955ce93c Merge pull request #20503 from geoffw0/cookie 
Rust: New query rust/insecure-cookie
 2025-09-30 15:26:37 +01:00
Tom Hvitved
537e7a8ec3 Rust: Fix formatting 2025-09-30 16:24:38 +02:00
Tom Hvitved
701cff3ca4 Rust: Macro call resolution 2025-09-30 16:21:02 +02:00
Owen Mansel-Chan
a2a9575587 Add tests for safe URL flow 2025-09-30 15:05:42 +01:00
Simon Friis Vindum
19871a2653 Rust: Accept test changes 2025-09-30 15:26:30 +02:00
Geoffrey White
771d9345b5 Merge branch 'main' into basicquery 2025-09-30 14:19:00 +01:00
Mathias Vorreiter Pedersen
ca53a8e787 C++: Update QLDoc. 2025-09-30 14:15:55 +01:00
Mathias Vorreiter Pedersen
1b2bd30a29 Update cpp/ql/lib/semmle/code/cpp/controlflow/IRGuards.qll 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2025-09-30 14:14:19 +01:00
Chris Smowton
f88daff45f Java: note that classes with entirely private constructors can't be subclassed 2025-09-30 13:57:44 +01:00
Simon Friis Vindum
49efd574a0 Rust: Add taint model for add on String 2025-09-30 14:48:03 +02:00
Idriss Riouak
fa8cbeeb44 Merge pull request #20546 from github/idrissrio/ql-constant 
Java: Fix false positives in evaluation-to-constant query for ErrorType
 2025-09-30 14:24:28 +02:00
Simon Friis Vindum
c878af2b9d Rust: Remove member predicates on Type 2025-09-30 13:28:33 +02:00
Owen Mansel-Chan
5b07e8c9c4 Fix bug in UnsafeFieldReadSanitizer 2025-09-30 12:05:06 +01:00