hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-30 06:42:57 +01:00
Code Issues Packages Projects Releases Wiki Activity
1,261 Commits 1,684 Branches 159 Tags
afede9bde56317d77a3483fdfd94ea9448329db8
Commit Graph

1261 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Slavomir
afede9bde5 Remove encoder taint-tracking for encoding/hex 2020-09-14 13:10:25 +02:00
Slavomir
96a700becb Remove encoder taint-tracking for encoding/base64 2020-09-14 13:10:25 +02:00
Slavomir
0baca5fa6c Remove encoder taint-tracking for encoding/base32 2020-09-14 13:10:25 +02:00
Slavomir
828d3863a0 Remove encoder taint-tracking for encoding/ascii85 2020-09-14 13:10:25 +02:00
Slavomir
f3a61ed65c Add MarshalFunction and UnmarshalFunction classes to EncodingXml module. 2020-09-14 13:10:25 +02:00
Slavomir
b4ff653071 Add taint-tracking for encoding/xml 2020-09-14 13:10:25 +02:00
Slavomir
e7fc3c5039 Add taint-tracking for encoding/pem 2020-09-14 13:10:25 +02:00
Slavomir
669ed91b0b Move EncodingJson to stdlib; add Escape class. 2020-09-14 13:10:25 +02:00
Slavomir
24c23ba333 Add taint-tracking for encoding/json 2020-09-14 13:10:25 +02:00
Slavomir
f5fc9494fc Remove old EncodingHex module 2020-09-14 13:10:25 +02:00
Slavomir
74fdfba85c Add taint-tracking for encoding/hex 2020-09-14 13:10:25 +02:00
Slavomir
7a42992850 Add taint-tracking for encoding/gob 2020-09-14 13:10:25 +02:00
Slavomir
57518c7e3d Add taint-tracking for encoding/csv 2020-09-14 13:10:25 +02:00
Slavomir
df55bb459f Add taint-tracking for encoding/binary 2020-09-14 13:10:25 +02:00
Slavomir
20b4826e8e Add taint-tracking for encoding/base64 2020-09-14 13:10:25 +02:00
Slavomir
7060367de5 Add taint-tracking for encoding/base32 2020-09-14 13:10:24 +02:00
Slavomir
ba78eda277 Add taint-tracking for encoding/asn1 2020-09-14 13:10:24 +02:00
Slavomir
412ba1263b Add taint-tracking for encoding/ascii85 2020-09-14 13:10:24 +02:00
Slavomir
a47842d1c3 Add taint-tracking for package encoding 2020-09-14 13:10:24 +02:00
Chris Smowton
362d210bc5 Merge pull request #330 from smowton/smowton/admin/standard-lib-pt-21-with-sanitiser 
Move `strconv` and `strings` packages' taint-tracking to stdlib, and expand them + sanitise substrings of the HTTP Authorization header
 2020-09-14 11:25:57 +01:00
Chris Smowton
b9b306aade CleartextLogging: sanitize strings.Split(authheader, ":")[0] and similar 
These can represent a username, method name or other non-sensitive component of an Authorization header. For greater precision we could split the query into one investigating Authorization headers and one investigating other sources of sensitive data that can't be sanitized by splitting this way.
 2020-09-14 09:46:14 +01:00
Slavomir
cf29f9dede Remove taint-tracking on single bytes and runes 2020-09-14 09:46:14 +01:00
Slavomir
6d3e6ded26 Fix: the Append* functions do not modify the dst slice argument. 2020-09-14 09:46:14 +01:00
Slavomir
9293bcde1d Fix ql/test/library-tests/semmle/go/frameworks/TaintSteps/TaintStep.expected: calls to strings.NewReader are a step now. 2020-09-14 09:46:14 +01:00
Slavomir
3075294cd8 Move strings module to stdlib, and add more taint-tracking classes to it. 2020-09-14 09:46:13 +01:00
Slavomir
42c7f8cc0d Add taint-tracking for strconv package; rename module StrConv to Strconv and move into stdlib 2020-09-14 09:44:25 +01:00
Max Schaefer
b8d36b936e Merge pull request #321 from gagliardetto/standard-lib-pt-14 
Add taint-tracking for packages inside `mime/*`
 2020-09-14 09:26:29 +01:00
Max Schaefer
c10942d044 Merge pull request #320 from gagliardetto/standard-lib-pt-24 
Add taint-tracking for packages inside `text/*`
 2020-09-11 15:57:14 +01:00
Max Schaefer
c889bc3dae Merge branch 'main' into standard-lib-pt-24 2020-09-11 14:09:50 +01:00
Chris Smowton
84def5f6c2 Merge pull request #327 from smowton/smowton/feature/more-post-update-nodes 
Add PostUpdateNodes for nested structs and arrays
 2020-09-11 12:47:20 +01:00
Max Schaefer
903cffe7ed Merge pull request #317 from gagliardetto/standard-lib-pt-18 
Add taint-tracking for `reflect` package
 2020-09-11 11:26:48 +01:00
Chris Smowton
650bc1d38f Add PostUpdateNodes for derferenced expressions on an access path to a field- or element-write 2020-09-11 10:46:58 +01:00
Max Schaefer
e9bf3317b5 Merge pull request #328 from owen-mc/gorm-exec 
Update GORM model
 2020-09-11 08:41:09 +01:00
Max Schaefer
3758c6b7d8 Merge pull request #329 from smowton/smowton/feature/xss-detect-more-json-encoding 
Reflected XSS query: exclude more uses of encoding/json.Marshal
 2020-09-11 08:38:30 +01:00
Owen Mansel-Chan
13e82de53d Add change note 2020-09-10 17:29:06 +01:00
Chris Smowton
405babf5af Reflected XSS query: exclude more uses of encoding/json.Marshal 
Previously we only detected these if the marshalling directly fed the request body within the same function; now it's a general sanitiser for the purposes of XSS.
 2020-09-10 16:52:06 +01:00
Owen Mansel-Chan
3af90c9fc8 Update GORM tests 2020-09-10 13:48:12 +01:00
Owen Mansel-Chan
d807e8de75 Add more methods from GORM as sinks 
Cf. https://gorm.io/docs/security.html
 2020-09-09 16:18:41 +01:00
Owen Mansel-Chan
95c1f754c6 Add alternative package locations 2020-09-09 14:52:26 +01:00
Max Schaefer
baf048f293 Merge pull request #326 from owen-mc/change-note-for-allocation-size-overflow-sanitizers 
Add change note for #296
 2020-09-08 16:53:05 +01:00
Owen Mansel-Chan
cd6020810a Add change note for #296 2020-09-08 16:32:12 +01:00
Chris Smowton
5068b8b195 Add PostUpdateNodes for nested structs and arrays 
This creates a PostUpdateNode for x in the contexts `x.field[element]`, `x.field.otherfield`, `x[element].field` and so on.

Most uses of PostUpdateNode implicitly assume its old definition, but our protobuf model benefits.
 2020-09-08 16:28:02 +01:00
Max Schaefer
65c449cff0 Merge pull request #325 from max-schaefer/revert-237 
Revert "Revert "autobuilder: Add support for GITHUB_REPOSITORY environment variable""
 2020-09-08 08:04:58 +01:00
Max Schaefer
52a659183d Merge pull request #314 from smowton/smowton/admin/bump-golang-tools 
Bump to latest version of golang.org/x/tools
 2020-09-07 16:02:55 +01:00
Max Schaefer
655e229d1e Revert "Revert "autobuilder: Add support for GITHUB_REPOSITORY environment variable"" 
This reverts commit ccfccb4828.
 2020-09-07 15:14:52 +01:00
Max Schaefer
1821cca5d2 Merge pull request #285 from smowton/protobufs 
Protobuf modelling
 2020-09-07 11:42:37 +01:00
Slavomir
25e3f75ddc Add taint-tracking for mime/quotedprintable package. 2020-09-06 17:45:09 +02:00
Slavomir
99b251d4f0 Add taint-tracking for mime/multipart 2020-09-06 17:42:57 +02:00
Slavomir
c44d426794 Add taint-tracking for mime package. 2020-09-06 17:39:41 +02:00
Slavomir
3b2e16e292 Move text/template classes to TextTemplate module inside stdlib. 2020-09-06 17:32:34 +02:00