hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-24 00:16:49 +01:00
Code Issues Packages Projects Releases Wiki Activity
28,498 Commits 1,714 Branches 163 Tags
af64b319ee7188cbde16fdeff793856eef714684
Commit Graph

28498 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Erik Krogh Kristensen
af64b319ee update documentation strings 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2021-10-27 19:54:52 +02:00
Erik Krogh Kristensen
8ba545999e add change-note 2021-10-26 14:13:56 +02:00
Erik Krogh Kristensen
9c8a51bca6 cache SensitiveExpr 2021-10-26 13:47:28 +02:00
Erik Krogh Kristensen
038438edca assume that setting the secure/httpOnly flag to some unknown value is good 2021-10-26 13:47:28 +02:00
Erik Krogh Kristensen
5228196f79 fix typos and update docs 2021-10-26 13:47:21 +02:00
Erik Krogh Kristensen
311df4d2b7 add test for the cookie npm package 2021-10-26 13:46:59 +02:00
Erik Krogh Kristensen
92d59aa11c refactor most of the isSensitive predicates into a common helper predicate 2021-10-26 13:46:59 +02:00
Erik Krogh Kristensen
834d5ec6ad add session{key,id} as sensitive info 2021-10-26 13:46:59 +02:00
Erik Krogh Kristensen
1e1e549847 update tests so it's clear which cookies are insecure 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
283b8231cb add more cookie models 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
2cb3d2c53f documentation overhaul on client-exposed-cookie (and restricting it to server-side) 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
ab23ffff3d documentation overhaul for clear-text-cookie 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
f36accf3e6 only report clear-text cookies for sensitive cookies 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
53b4337795 combine test files 2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen
9193984f1b delete the experimental query library for cookie queries 2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen
6858acc6a9 port experimental cookie models to non-experimental 2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen
26a24a3895 prepare move to non-experimental 2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen
44db920f10 refactor, cleanup, and improvements in experimental cookie queries 2021-10-26 13:46:57 +02:00
Rasmus Wriedt Larsen
2b9edd7ff6 Merge pull request #6952 from github/aibaars/generate-code-scanning-query-list 
Add Ruby to generate-code-scanning-query-list.py and make the script faster
 2021-10-26 10:49:24 +02:00
Anders Schack-Mulligen
3d1b617101 Merge pull request #6959 from igfoo/igfoo/bbStmts 
Java: Make a test output a bit more readable
 2021-10-26 08:42:53 +02:00
Henry Mercer
3284953192 Merge pull request #6958 from github/henrymercer/rename-atm-query-pack 
JS: [Internal only] Rename ATM query pack for consistency with other packs
 2021-10-25 20:16:40 +01:00
Ian Lynagh
f73f418a97 Java: Make a test output a bit more readable 
Now the nodes are in index order, and the indices are aligned.
 2021-10-25 18:48:19 +01:00
Henry Mercer
7e0e35f364 Rename ATM query pack for consistency with other packs 2021-10-25 17:32:25 +01:00
Nick Rolfe
db3c99d64d Merge pull request #6954 from github/nickrolfe/ruby-labeler 
Automatically label Ruby PRs
 2021-10-25 15:44:30 +01:00
Nick Rolfe
096c207b3e Automatically label Ruby PRs 2021-10-25 15:29:20 +01:00
CodeQL CI
3fc6e2b294 Merge pull request #6941 from RasmusWL/add-missing-noinline 
Approved by tausbn
 2021-10-25 15:23:37 +01:00
CodeQL CI
b5554da496 Merge pull request #6924 from asgerf/js/skip-files-with-unsupported-encoding 
Approved by esbena
 2021-10-25 14:48:38 +01:00
Nick Rolfe
7308f75b78 Merge pull request #6951 from github/nickrolfe/remove-workspace 
Ruby: remove VS Code workspace
 2021-10-25 14:29:06 +01:00
Arthur Baars
dcf71c4f9a Ruby: update generate-code-scanning-query-list.py 2021-10-25 15:04:34 +02:00
Arthur Baars
a6ac2e73a1 Speed up generate-code-scanning-query-list.py 
Use 'codeql execute cli-server' to avoid repeated JVM startup overhead
 2021-10-25 15:03:28 +02:00
Nick Rolfe
779e24eb73 Ruby: remove VS Code workspace 2021-10-25 13:12:31 +01:00
Nick Rolfe
fb79886fe7 Merge pull request #6944 from github/dependabot/cargo/ruby/extractor/tracing-subscriber-0.3 
Update tracing-subscriber requirement from 0.2 to 0.3 in /ruby/extractor
 2021-10-25 12:50:48 +01:00
Nick Rolfe
b93be42421 Merge pull request #6943 from github/dependabot/cargo/ruby/generator/tracing-subscriber-0.3 
Update tracing-subscriber requirement from 0.2 to 0.3 in /ruby/generator
 2021-10-25 12:50:26 +01:00
Anders Schack-Mulligen
c48dd57d85 Merge pull request #6938 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2021-10-25 13:43:54 +02:00
Anders Schack-Mulligen
5709365c0f Merge pull request #6921 from igfoo/igfoo/types 
Java: Replace @type with more specific types
 2021-10-25 13:15:12 +02:00
dependabot[bot]
e9da027539 Update tracing-subscriber requirement from 0.2 to 0.3 in /ruby/extractor 
Updates the requirements on [tracing-subscriber](https://github.com/tokio-rs/tracing) to permit the latest version.
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.2.0...tracing-subscriber-0.3.0)

---
updated-dependencies:
- dependency-name: tracing-subscriber
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2021-10-25 10:40:34 +00:00
dependabot[bot]
4cedb43a54 Update tracing-subscriber requirement from 0.2 to 0.3 in /ruby/generator 
Updates the requirements on [tracing-subscriber](https://github.com/tokio-rs/tracing) to permit the latest version.
- [Release notes](https://github.com/tokio-rs/tracing/releases)
- [Commits](https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.2.0...tracing-subscriber-0.3.0)

---
updated-dependencies:
- dependency-name: tracing-subscriber
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
 2021-10-25 10:40:28 +00:00
Arthur Baars
afc7867c98 Merge pull request #6942 from github/aibaars/patch-10 
Merge codeql-ruby into codeql
 2021-10-25 12:33:34 +02:00
github-actions[bot]
2257d0475a Add changed framework coverage reports 2021-10-25 00:09:34 +00:00
Arthur Baars
4f79398342 Merge branch 'main' of github.com:github/codeql into 'main' 
Conflicts:
	docs/codeql/query-help/codeql-cwe-coverage.rst
 2021-10-22 21:51:25 +02:00
Tom Hvitved
f020b2e437 Merge pull request #335 from github/hmac/self-flow 2021-10-22 19:14:20 +02:00
Nick Rolfe
3851a27fc1 Merge pull request #358 from github/external-control-file-path 
Add rb/path-injection query
 2021-10-22 15:38:39 +01:00
Tom Hvitved
7648815f1f Merge pull request #6936 from hvitved/csharp/delegate-conversion-join-order 
C#: Improve join-order in `defaultDelegateConversion`
 2021-10-22 15:10:20 +02:00
Tom Hvitved
61d7cdeec0 Data flow: Assign empty locations to summary nodes 2021-10-22 14:48:33 +02:00
Harry Maclean
87df3a0a99 Minor refactor 2021-10-22 11:44:38 +01:00
hubwriter
12e56ec9e6 Merge pull request #6887 from github/hubwriter/codeql-ruby-support 
Docs: Updates for Ruby support
 2021-10-22 11:21:49 +01:00
Nick Rolfe
d4cee73720 Add taint summaries for ActiveStorage::Filename 2021-10-22 11:15:42 +01:00
Henry Mercer
02b1fe27d2 Merge pull request #6907 from github/henrymercer/add-experimental-atm-libraries 
JS: [Internal only] Add experimental libraries and queries for adaptive threat modeling
 2021-10-22 11:02:09 +01:00
Harry Maclean
aa8607009b Update test fixtures 2021-10-22 10:56:34 +01:00
Harry Maclean
336bd15d2f Override isCapturedAccess for self variables 
Many `self` reads are synthesised from method calls with an implicit
`self` receiver. Synthesised nodes have no `toGenerated` result, which
the default definition of `isCapturedAccess` uses to determine if a
variable's scope matches the access's scope.

Hence we override the definition to properly identify accesses like the
call `puts` (below) as captured reads of a `self` variable defined in a
parent scope.

In other words, `puts x` is short for `self.puts x` and the `self`
refers to its value in the scope of the module `Foo`.

```ruby
module Foo
  MY_PROC = -> (x) { puts x }
end
```

We also have to update the SSA `SelfDefinition` to exclude captured
`self` variables.
 2021-10-22 10:56:34 +01:00