codeql

mirror of https://github.com/github/codeql.git synced 2026-04-27 01:35:13 +02:00

Author	SHA1	Message	Date
yoff	b35637e1c5	Merge pull request #12858 from RasmusWL/paramiko-modeling Python: Expand modeling of `paramiko`	2023-04-25 14:04:50 +02:00
Tony Torralba	89ee2b9ace	Merge pull request #12911 from atorralba/atorralba/java/filecopyutils-file-sinks Java: Fix FileCopyUtils.copy models	2023-04-25 12:06:13 +02:00
Joe Farebrother	a9d34458de	Merge pull request #12658 from joefarebrother/csharp-sensitive-data C#: Add local filesystem writes as External Location sinks	2023-04-25 10:14:48 +01:00
Geoffrey White	2c28fae7e3	Merge pull request #12836 from geoffw0/precision Swift: Downgrade swift/unsafe-js-eval to precision medium.	2023-04-25 09:58:11 +01:00
AlexDenisov	fcbd211783	Merge pull request #12910 from github/redsun82/swift-hash-lazy-trap-names Swift: use hashing for lazy decl trap file names	2023-04-25 09:54:46 +02:00
Tom Hvitved	65835cdb92	Merge pull request #12907 from hvitved/ruby/destructured-assign-join Ruby: Fix bad join in `DestructuredAssignDesugar`	2023-04-25 08:50:27 +02:00
Owen Mansel-Chan	b47c8e8c4c	Merge pull request #12912 from owen-mc/go/fix-invalid-semver-version Go: Fix invalid SemVer version by adding "v" to the front	2023-04-24 16:47:28 +01:00
Paolo Tranquilli	14706b42fa	Swift: strip parameters from lazy function decl trap names	2023-04-24 17:04:41 +02:00
Joe Farebrother	0ebf529dc4	Add comment + use flowTo	2023-04-24 15:49:05 +01:00
Owen Mansel-Chan	1afe845ed3	Add missing "v" to semver version string Because it was missing, that function always returned +1, so we were doing the wrong thing when the Go version installed was lower than 1.16.	2023-04-24 14:31:46 +01:00
Tony Torralba	e3d93c3581	Fix FileCopyUtils models	2023-04-24 15:07:19 +02:00
Paolo Tranquilli	e84bdf5bed	Swift: use hashing for lazy decl trap file names It turns out mangled names can sometimes be too long. While this code will eventually be replaced by our own mangling, we need to use hashing to cut down the names. Module and decl names are preserved in the trap file names for debuggability.	2023-04-24 14:36:36 +02:00
Paolo Tranquilli	feb31612f5	Merge pull request #12908 from github/revert-12760-redsun82/swift-logging-compiler Revert "Swift: route compiler diagnostics through our log"	2023-04-24 14:31:18 +02:00
Paolo Tranquilli	95ef7fb3f1	Revert "Swift: route compiler diagnostics through our log"	2023-04-24 13:57:24 +02:00
Tom Hvitved	71cd973b42	Ruby: Fix bad join in `DestructuredAssignDesugar` ``` Evaluated relational algebra for predicate Synthesis#d9ff06b1::DestructuredAssignDesugar::LhsWithReceiver::getSynthKind#0#dispred#ff@0c55fb0w on iteration 4 running pipeline order_500000 with tuple counts: 0 ~0% {2} r1 = JOIN Synthesis#d9ff06b1::ConstantWriteAccessKind#ff#prev_delta WITH Constant#c70e4e0a::ScopeResolutionConstantAccess::getName#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1 0 ~0% {2} r2 = JOIN r1 WITH Constant#c70e4e0a::ScopeResolutionConstantAccess::getScopeExpr#0#dispred#ff#prev ON FIRST 1 OUTPUT Lhs.0, Lhs.1 0 ~0% {4} r3 = JOIN Call#841c84e8::MethodCall::getMethodName#0#dispred#ff#prev_delta WITH Call#841c84e8::Call::getNumberOfArguments#0#dispred#ff#prev ON FIRST 1 OUTPUT Lhs.1, false, Rhs.1, Lhs.0 0 ~0% {2} r4 = JOIN r3 WITH Synthesis#d9ff06b1::MethodCallKind#ffff#prev ON FIRST 3 OUTPUT Lhs.3, Rhs.3 0 ~0% {2} r5 = r2 UNION r4 336618 ~3% {1} r6 = SCAN Constant#c70e4e0a::ScopeResolutionConstantAccess::getScopeExpr#0#dispred#ff#prev_delta OUTPUT In.0 336618 ~0% {2} r7 = JOIN r6 WITH Constant#c70e4e0a::ScopeResolutionConstantAccess::getName#0#dispred#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.0 0 ~0% {2} r8 = JOIN r7 WITH Synthesis#d9ff06b1::ConstantWriteAccessKind#ff#prev ON FIRST 1 OUTPUT Lhs.1, Rhs.1 0 ~0% {3} r9 = SCAN Call#841c84e8::Call::getNumberOfArguments#0#dispred#ff#prev_delta OUTPUT false, In.1, In.0 0 ~0% {3} r10 = JOIN r9 WITH Synthesis#d9ff06b1::MethodCallKind#ffff#reorder_1_2_0_3#prev ON FIRST 2 OUTPUT Lhs.2, Rhs.2, Rhs.3 0 ~0% {2} r11 = JOIN r10 WITH Call#841c84e8::MethodCall::getMethodName#0#dispred#ff#prev ON FIRST 2 OUTPUT Lhs.0, Lhs.2 2119 ~2% {3} r12 = JOIN Synthesis#d9ff06b1::MethodCallKind#ffff#reorder_1_2_0_3#prev_delta WITH const_false ON FIRST 1 OUTPUT Lhs.1, Lhs.2, Lhs.3 2657005103 ~5% {3} r13 = JOIN r12 WITH Call#841c84e8::Call::getNumberOfArguments#0#dispred#ff#reorder_1_0#prev ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2 1184200 ~0% {2} r14 = JOIN r13 WITH Call#841c84e8::MethodCall::getMethodName#0#dispred#ff#prev ON FIRST 2 OUTPUT Lhs.0, Lhs.2 1184200 ~0% {2} r15 = r11 UNION r14 1184200 ~0% {2} r16 = r8 UNION r15 1184200 ~0% {2} r17 = r5 UNION r16 1184200 ~0% {2} r18 = r17 AND NOT Synthesis#d9ff06b1::DestructuredAssignDesugar::LhsWithReceiver::getSynthKind#0#dispred#ff#prev(Lhs.0, Lhs.1) return r18 ```	2023-04-24 13:44:18 +02:00
Kasper Svendsen	bfe5db20a3	Merge pull request #12891 from kaspersv/kaspersv/prevent-ruby-join-regression2 Prevent Ruby join order regression	2023-04-24 13:27:33 +02:00
Edward Minnix III	ba4d326768	Merge pull request #12902 from egregius313/egregius313/java/dataflow/refactor-integration-tests Java: Refactor Kotlin Integration tests to new DataFlow API	2023-04-24 06:51:40 -04:00
Michael Nebel	8ade7247a1	Merge pull request #12885 from michaelnebel/mergepathgraph3 Dataflow: Introduce param module for merging three path graphs.	2023-04-24 12:49:28 +02:00
Rasmus Wriedt Larsen	bfbbb5277d	Merge pull request #12888 from lcartey/mcafee-trojan-fp Update `SimpleXmlRpcServer.ql` to avoid incorrect detection as a trojan by Mcafee	2023-04-24 11:17:52 +02:00
Erik Krogh Kristensen	b0efff0110	Merge pull request #12904 from github/dependabot/cargo/ql/tracing-subscriber-0.3.17 Bump tracing-subscriber from 0.3.16 to 0.3.17 in /ql	2023-04-24 11:05:36 +02:00
Erik Krogh Kristensen	b16444dd22	Merge pull request #12903 from github/dependabot/cargo/ql/regex-1.8.1 Bump regex from 1.8.0 to 1.8.1 in /ql	2023-04-24 11:05:13 +02:00
dependabot[bot]	5e274c9664	Bump tracing-subscriber from 0.3.16 to 0.3.17 in /ql Bumps [tracing-subscriber](https://github.com/tokio-rs/tracing) from 0.3.16 to 0.3.17. - [Release notes](https://github.com/tokio-rs/tracing/releases) - [Commits](https://github.com/tokio-rs/tracing/compare/tracing-subscriber-0.3.16...tracing-subscriber-0.3.17) --- updated-dependencies: - dependency-name: tracing-subscriber dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2023-04-24 04:12:25 +00:00
dependabot[bot]	a5e919b6cb	Bump regex from 1.8.0 to 1.8.1 in /ql Bumps [regex](https://github.com/rust-lang/regex) from 1.8.0 to 1.8.1. - [Release notes](https://github.com/rust-lang/regex/releases) - [Changelog](https://github.com/rust-lang/regex/blob/master/CHANGELOG.md) - [Commits](https://github.com/rust-lang/regex/commits/1.8.1) --- updated-dependencies: - dependency-name: regex dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>	2023-04-24 04:12:06 +00:00
Ed Minnix	19e6a9a1d3	Fix version of PathGraph used	2023-04-21 19:08:56 -04:00
Ed Minnix	40aed29858	Refactor Java Integration tests to new API	2023-04-21 18:22:28 -04:00
Joe Farebrother	a4d7570788	Add more sources	2023-04-21 14:23:01 +01:00
Joe Farebrother	9881fdfe27	Convert sources to MaD	2023-04-21 14:19:17 +01:00
Erik Krogh Kristensen	4bf03e7962	Merge pull request #12897 from github/dependabot/cargo/ql/regex-1.8.0 Bump regex from 1.7.3 to 1.8.0 in /ql	2023-04-21 12:57:33 +02:00
Asger F	f3b14e13b2	Merge pull request #12841 from asgerf/rb/api-graph-class-nodes Ruby: add API node representing a module/class object	2023-04-21 10:59:51 +02:00
Michael Nebel	239a763ef9	Merge pull request #12845 from michaelnebel/csharp/xssrefactor C#: Re-factor Xss to use the new data flow API.	2023-04-21 08:55:07 +02:00
dependabot[bot]	149753c052	Bump regex from 1.7.3 to 1.8.0 in /ql Bumps [regex](https://github.com/rust-lang/regex) from 1.7.3 to 1.8.0. - [Release notes](https://github.com/rust-lang/regex/releases) - [Changelog](https://github.com/rust-lang/regex/blob/master/CHANGELOG.md) - [Commits](https://github.com/rust-lang/regex/commits) --- updated-dependencies: - dependency-name: regex dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>	2023-04-21 04:03:04 +00:00
Nora Dimitrijević	1f861fda25	Merge pull request #12736 from d10c/swift/capture-flow Swift: Closure Capture Helper APIs	2023-04-20 18:45:56 +02:00
Michael Nebel	0fdeeba46f	C#: Re-refactor Xss to use the new API.	2023-04-20 18:38:15 +02:00
Edward Minnix III	76f8d460e7	Merge pull request #12851 from egregius313/egregius313/mad/add-groovy-stubs-to-isInTestFile Java: Add `/test/` to model generator's list of ignored paths	2023-04-20 11:06:38 -04:00
Paolo Tranquilli	00436828a9	Merge pull request #12883 from github/redsun82/swift-default-output-dir Swift: aggregate default output directories	2023-04-20 16:58:31 +02:00
Kasper Svendsen	b707c8162e	Prevent Ruby join order regression	2023-04-20 15:52:32 +02:00
Paolo Tranquilli	c7378a1e5b	Merge branch 'main' into redsun82/swift-default-output-dir	2023-04-20 15:12:07 +02:00
Arthur Baars	94e0828ab9	Merge pull request #12793 from aibaars/js-yaml-extractor JavaScript: switch to shared YamlPopulator	2023-04-20 14:46:06 +02:00
Michael Nebel	aa8291e13f	Merge pull request #12870 from michaelnebel/csharp/refactordataflow6 C#: Re-factor data flow and taint tracking configurations to use the new API.	2023-04-20 14:31:20 +02:00
Kasper Svendsen	51b6da4183	Merge pull request #12875 from kaspersv/kaspersv/prevent-ruby-join-order-regression Prevent Ruby join order regression	2023-04-20 13:50:40 +02:00
Luke Cartey	9dc1ea1216	Merge branch 'main' into mcafee-trojan-fp	2023-04-20 12:34:38 +01:00
Erik Krogh Kristensen	377aa68bb3	Merge pull request #12854 from natejohnson05/js-insecure-http-parser JS - NodeJS CWE-444 InsecureHTTPParser	2023-04-20 13:09:45 +02:00
Luke Cartey	a47778c22e	Update SimpleXmlRpcServer.ql to avoid av detection This file was being flagged by McAfee as an `Exploit-Generic.src` trojan. We have attempted to report this to Mcafee without success so far. This commit therefore adjusts the file to avoid detection.	2023-04-20 11:59:18 +01:00
Michael Nebel	656d8d2451	Sync files.	2023-04-20 11:29:51 +02:00
Michael Nebel	c71278ceb7	C#: Introduce parameterized module for merging three path graphs.	2023-04-20 11:29:34 +02:00
Paolo Tranquilli	60c723e7cc	Swift: aggregate default output directories In case the extractor is run in isolation for debugging/testing, this will avoid littering the current working directory with artifacts, and instead having a single `extractor-out` directory to inspect or clean up. Also extractor logs have been nested into a `swift` directory, as the log directory provided by the `codeql` cli is actually shared between languages.	2023-04-20 09:20:11 +02:00
Jeroen Ketema	b6a7661c7e	Merge pull request #12880 from MathiasVP/use-after-free-fps C++: Add some use-after-free FP tests	2023-04-19 20:07:10 +02:00
Nate Johnson	88411ce439	Merge branch 'main' into js-insecure-http-parser	2023-04-19 13:36:24 -04:00
Mathias Vorreiter Pedersen	533e1d818b	C++: Add some use-after-free FPs.	2023-04-19 17:01:55 +01:00
Geoffrey White	7285704807	Merge pull request #12876 from geoffw0/extensiondecl Swift: Improve ExtensionDecl.toString	2023-04-19 16:41:48 +01:00

1 2 3 4 5 ...

53732 Commits