hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-05 18:50:23 +01:00
Code Issues Packages Projects Releases Wiki Activity
56,978 Commits 1,676 Branches 157 Tags
aa59741c38d40ca7f76216d9b9ea29d4c8461fc7
Commit Graph

43 Commits

Author SHA1 Message Date
Owen Mansel-Chan
374f13e0dc Revert "Go: Fix missing flow through receiver for function variable" 2023-07-20 13:31:14 +01:00
Owen Mansel-Chan
a3ba74a6a6 Cast to MethodCallNode before calling getReceiver() 
This is not required, because getReceiver is still defined on CallNode,
but is done for consistency.
 2023-07-19 11:17:38 +01:00
Jeroen Ketema
9c774ac97f Merge pull request #13426 from jketema/inline-3 
Update inline flow tests to use parameterized module
 2023-06-19 17:39:29 +02:00
Tony Torralba
8f6d2ed2f9 Adjust ZipSlip query description according to review suggestions. 2023-06-19 10:27:41 +02:00
Tony Torralba
3c4d938cf1 Apply code review suggestions. 
Co-authored-by: Asger F <asgerf@github.com>
 2023-06-19 10:20:19 +02:00
Tony Torralba
3e96fe60c5 Go/Java/JS/Python/Ruby: Update the description and qhelp of the ZipSlip query 
All filesystem operations, not just writes, with paths built from untrusted archive entry names are dangerous
 2023-06-16 08:52:44 +02:00
Jeroen Ketema
eb62df6ece Go: Rewrite InlineFlowTest as a parameterized module 2023-06-15 10:51:29 +02:00
Owen Mansel-Chan
270ba09ffb Merge pull request #11732 from owen-mc/go/fix/model-data-flow-through-varargs 
Go: Allow data flow through varargs parameters
 2023-05-11 05:26:40 +01:00
Kasper Svendsen
e969018f99 Go: Make implicit this receivers explicit 2023-05-03 12:45:42 +02:00
Owen Mansel-Chan
bc0f9030e3 use CallNode.getSyntacticArgument 2023-04-28 06:09:10 +01:00
Chris Smowton
18d00c1116 Autoformat QL 2023-04-12 14:19:03 +01:00
Chris Smowton
a673610e18 Adapt query not to depend on TaintTracking::FunctionModel 2023-04-12 14:19:01 +01:00
Owen Mansel-Chan
9ac0c57a3e Fix alert message to match style guide 2023-03-31 16:47:57 +01:00
Owen Mansel-Chan
cf89b00f47 Fix variable names in QLDocs 2023-03-31 16:47:57 +01:00
Owen Mansel-Chan
513409e082 Fix formatting of QLDocs 2023-03-31 16:47:56 +01:00
Chris Smowton
a63a4c29e2 Go: fix incorrect-integer-conversion sanitizer 
This was amended as part of https://github.com/github/codeql/pull/12186, but the conversion was inadequate because the new implementation didn't work when a sink (type conversion) led directly to a non-`localTaintStep` step, such as a store step or an interprocedural step. Here I move the sink back one step to the argument of the type
conversion and sanitize the result of the conversion instead, to ensure there is always a unique local successor to a sink.

This should eliminate unexpected extra results that resulted from https://github.com/github/codeql/pull/12186. Independently there are also *lost* results that stem from needing a higher `fieldFlowBranchLimit` that are not addressed in this PR, but raising that limit is a performance risk and so I will address this separately.
 2023-03-08 09:48:35 +00:00
Michael B. Gale
46d49cd66f Downgrade log injection precision to medium 
This is in line with the precision of this query for other languages
 2023-02-08 15:49:06 +00:00
Chris Smowton
99d3f689dc Consolidate repeated calls to matches and regexpMatch 
This is especially useful if it avoids temporary string construction, such as toLowerCase().matches(...)
 2023-02-07 19:22:49 +00:00
Tony Torralba
7a92970d89 Go: Remove omittable exists variables 2023-01-10 13:36:48 +01:00
Chris Smowton
5799287a2b go: fix bug in zip-slip example fix 2022-12-14 13:51:32 +00:00
erik-krogh
8262fbbfb5 Java/C#/GO: Use instanceof in more places 2022-12-11 18:32:19 +01:00
Arthur Baars
cf7ebe2fa8 Merge pull request #11471 from github/rc/3.8 
Merge rc/3.8 into main
 2022-11-29 12:57:34 +01:00
Felicity Chapman
a76d47681d Replace references in Qhelp files 2022-11-28 15:25:37 +01:00
Owen Mansel-Chan
f2e2c02db6 Rename predicates to avoid clashes 2022-11-17 14:27:06 +00:00
Josh Soref
0a4c724b69 spelling: implementation 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-11 00:23:36 -04:00
erik-krogh
d5c45056bd fix some more style-guide violations in the alert-messages 2022-10-07 11:21:01 +02:00
erik-krogh
83bedc0320 be more specific about what the source is in go/suspicious-character-in-regex, which also avoids using "here" in the alert-message 2022-09-20 22:51:35 +02:00
erik-krogh
1be14962a0 use "depends to" for a taint-tracking query 2022-09-20 22:51:35 +02:00
erik-krogh
c241185c21 avoid more instances of "this location" and "here" in alert-messages 2022-09-20 22:51:35 +02:00
erik-krogh
3cf5516df6 make the alert messages of taint-tracking queries more consistent 2022-09-20 22:51:35 +02:00
erik-krogh
e2a41cf49f fix most ql/alert-message-style-violation 2022-09-20 22:51:35 +02:00
erik-krogh
26d8553f6e ensure consistent casing of names 2022-09-09 10:34:14 +02:00
erik-krogh
33ba01927f Go: add CWE tag and @security-severity tag to go/insecure-hostkeycallback 2022-08-29 13:10:23 +02:00
erik-krogh
cc7a9ef97a rename more acronyms 2022-08-25 20:52:27 +02:00
erik-krogh
1c0f2251e2 Merge branch 'main' into msgConsis 2022-08-24 14:38:57 +02:00
erik-krogh
20625ae60d update {js/go/py}/xpath-injection to match csharp/java 2022-08-22 21:41:46 +02:00
erik-krogh
2d0a4c3d83 update {go/py}/stack-trace-exposure to match javascript 2022-08-22 21:41:46 +02:00
erik-krogh
3553f3d9b8 update {rb/py/js/go}/path-injection to match java/csharp 2022-08-22 21:41:45 +02:00
erik-krogh
e89e0eb7fb make some acronyms camelCase 2022-08-22 21:22:35 +02:00
Chris Smowton
6068f63e9e Add taint models for go 1.19's new fmt.Append functions 2022-08-19 10:29:45 +01:00
Chris Smowton
7bb0d62863 Update comparisonBarrierGuard qldoc 2022-06-21 12:12:17 +01:00
Anders Schack-Mulligen
406f5b525b Go: Deprecate and replace BarrierGuard class 2022-06-20 15:46:27 +02:00
Chuan-kai Lin
aa514fff32 codeql-go merge prep: move into go/ directory 2022-05-20 10:07:19 -07:00