Mathias Vorreiter Pedersen
36d0903733
C++: Simplify 'getSourceVariable'.
2022-12-08 12:29:15 +00:00
Chris Smowton
49bc524fd0
Merge remote-tracking branch 'origin/rc/3.8' into smowton/admin/merge-rc38-into-main
2022-12-08 11:12:30 +00:00
Jeroen Ketema
a6bc9fd10f
Merge pull request #11591 from jketema/getenv
...
C++: Model `secure_getenv` and `_wgetenv` as local flow sources
2022-12-08 10:44:28 +01:00
Jeroen Ketema
fc49ede33d
C++: Add change note
2022-12-08 09:44:23 +01:00
Jeroen Ketema
a2dac3a41e
C++: Move remote flow sink test and also handle local and remote sinks
2022-12-08 09:36:19 +01:00
Mathias Vorreiter Pedersen
9f85175ee1
C++: Fix blowup in 'stripPointer'.
2022-12-07 22:35:37 +00:00
Mathias Vorreiter Pedersen
5ae3228928
C++: Fix TODO.
2022-12-07 22:34:10 +00:00
Mathias Vorreiter Pedersen
68f0997d87
C++: Generalize loads and stores.
2022-12-07 22:34:10 +00:00
Mathias Vorreiter Pedersen
589f7bdbcc
C++: Introduce BaseSourceVariableInstruction.
2022-12-07 22:34:03 +00:00
Mathias Vorreiter Pedersen
54c12cd715
C++: Reintroduce 'StdBasicStringIterator'.
2022-12-07 18:21:52 +00:00
Geoffrey White
1d4631e231
C++: Better solution.
2022-12-07 18:00:38 +00:00
Geoffrey White
627162b343
C++: Fix cpp/offset-use-before-range-check performance.
2022-12-07 17:32:36 +00:00
Geoffrey White
a8b8b54f8d
Update cpp/ql/src/Security/CWE/CWE-311/CleartextBufferWrite.ql
...
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com >
2022-12-07 16:44:33 +00:00
Geoffrey White
4b8575bfc3
C++: Simplify the query slightly.
2022-12-07 15:35:45 +00:00
Geoffrey White
b3d838d678
C++: Define the sources more clearly and consistently (fixes performance issue).
2022-12-07 14:45:39 +00:00
Jeroen Ketema
01d8ad98f6
C++: Model secure_getenv and _wgetenv as local flow sources
2022-12-07 13:37:12 +01:00
Jeroen Ketema
b5147bbfb0
C++: Deprecate DefaultTaintTracking and TaintTrackingImpl
2022-12-06 17:45:16 +01:00
Mathias Vorreiter Pedersen
2c500142c7
Merge pull request #11435 from jketema/rewrite-tainted-path
...
C++: Rewrite `cpp/path-injection` to not use `DefaultTaintTracking`
2022-12-06 14:54:57 +00:00
Mathias Vorreiter Pedersen
e71fbb1def
Merge pull request #11541 from MathiasVP/add-node0
...
C++: Introduce a pre-SSA `DataFlow::Node` class
2022-12-06 13:28:39 +00:00
Jeroen Ketema
995efef5da
C++: Add explanatory comment to hasFilteredFlowPath
2022-12-06 09:03:21 +01:00
Jeroen Ketema
5637d573c1
C++: Add test case that is no longer detected after latest changes
2022-12-06 08:31:22 +01:00
Jeroen Ketema
6dbc59d5b5
C++: Simplify isSink based on reviewer comments
2022-12-05 23:23:08 +01:00
Tom Hvitved
7972db68bc
C++: Update expected test output
2022-12-05 17:07:32 +01:00
Tom Hvitved
52f3a48638
Data flow: Sync files
2022-12-05 12:57:27 +01:00
Mathias Vorreiter Pedersen
c563ed3635
Merge branch 'main' into mathiasvp/replace-ast-with-ir-use-usedataflow
2022-12-05 10:27:55 +00:00
github-actions[bot]
5e35785fd0
Post-release preparation for codeql-cli-2.11.5
2022-12-02 11:37:44 +00:00
Mathias Vorreiter Pedersen
43adfe8893
C++: Fix QLDoc.
2022-12-02 11:30:46 +00:00
Mathias Vorreiter Pedersen
cef7224739
C++: Make QL-for-QL happy.
2022-12-02 10:12:25 +00:00
Mathias Vorreiter Pedersen
a245977075
C++: Change iterator models.
2022-12-02 10:11:20 +00:00
Mathias Vorreiter Pedersen
145dea0e9b
C++: Introduce a node class that exists before computing SSA.
2022-12-02 10:04:52 +00:00
github-actions[bot]
31ab22e3a0
Release preparation for version 2.11.5
2022-12-01 20:05:14 +00:00
Jeroen Ketema
3dfe18b565
C++: Introduce the coarse upper bound check from default taint tracking
2022-12-01 09:13:48 +01:00
Owen Mansel-Chan
55c4643b20
Dataflow: Sync.
2022-11-30 11:00:07 +00:00
Arthur Baars
cf7ebe2fa8
Merge pull request #11471 from github/rc/3.8
...
Merge rc/3.8 into main
2022-11-29 12:57:34 +01:00
Jeroen Ketema
d3cccca7f1
C++: Filter duplicate (source, sink)-pairs
2022-11-29 11:17:39 +01:00
Jeroen Ketema
378206ae7d
C++: Stop taint from flowing to arithmetic types
...
These are not likely to give the user much control over what can be accessed.
2022-11-29 11:15:28 +01:00
Jeroen Ketema
718663415b
C++: Stop flow from going through another source
...
Without this we get confusing results:
```
char *userAndFile = argv[2];
char *fileName = argv[1];
fopen(fileName, "wb+"); // Both argv[1] and argv[2] marked as source without
// this change.
```
While here add some more test cases.
2022-11-29 10:52:57 +01:00
Jeroen Ketema
63334764d7
C++: Rewrite cpp/path-injection to not use DefaultTaintTracking
2022-11-29 10:52:57 +01:00
Jeroen Ketema
2ef13d1df7
Merge remote-tracking branch 'upstream/main' into mathiasvp/replace-ast-with-ir-use-usedataflow
2022-11-29 10:43:01 +01:00
Tom Hvitved
f3dca95958
Merge pull request #11087 from hvitved/dataflow/summary-ctx
...
Data flow: Add summary/return context to pruning stages 2-4
2022-11-29 10:36:53 +01:00
Felicity Chapman
59b6d657cc
Apply suggestions from code review
...
Co-authored-by: hubwriter <hubwriter@github.com >
2022-11-28 15:45:05 +01:00
Felicity Chapman
c451fa8ad4
Update cpp/ql/src/Likely Bugs/RedundantNullCheckSimple.ql
...
Co-authored-by: Taus <tausbn@github.com >
2022-11-28 15:26:24 +01:00
Felicity Chapman
b5f849463b
Update QL library references
2022-11-28 15:26:24 +01:00
Felicity Chapman
5f835da838
Update HTML comment in query
2022-11-28 15:25:38 +01:00
Tom Hvitved
cde05e1190
Data flow: Sync files
2022-11-28 12:11:38 +01:00
Jeroen Ketema
53b86fd53b
Merge pull request #11428 from jketema/default-taint-tests
...
C++: Add more tests that exercise the default taint barrier implementation
2022-11-25 12:13:18 +01:00
Jeroen Ketema
4607f5990e
C++: Add more tests that exercise the default taint barrier implementation
2022-11-25 10:19:45 +01:00
Jeroen Ketema
223eeb6921
C++: Fix upper bound detection in default taint flow
2022-11-24 14:38:36 +01:00
Jeroen Ketema
6fa5fdfeb2
C++: Fix CWE-611 XXE query to work with use-use dataflow - take 2
...
This commit ensures stack allocated parsers are also handled.
2022-11-23 23:59:04 +01:00
Erik Krogh Kristensen
1eec067474
Merge pull request #11294 from erik-krogh/fileDoc
...
QL: improve the "this block-comment should have been a QLDoc"-query
2022-11-23 22:23:36 +01:00
