hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-22 15:36:48 +01:00
Code Issues Packages Projects Releases Wiki Activity
45,342 Commits 1,712 Branches 163 Tags
b540eb094cb5ba7aea5f795ce4751f49106920ce
Commit Graph

45342 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Taus
b540eb094c Python: Various small fixes 
- Swaps `module_reference_in_scope` and `module_name_in_scope`.
- uses `AttrRead::accesses` instead of `getObject`, etc.
- Removes an errant `none()`.
- Expands the QLDoc for some of the predicates.
 2022-11-11 14:00:36 +00:00
Taus
7f790432cc Python: More review suggestions 
I could have sworn I added all of them to the batch, but somehow these slipped through.

Co-authored-by: yoff <lerchedahl@gmail.com>
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-11-11 14:40:58 +01:00
Taus
131fc986b4 Python: Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-11-11 13:49:46 +01:00
Taus
58754982ce Python: Update type tracking tests 
No longer missing! 🎉
 2022-10-17 14:34:10 +00:00
Taus
ad13fbaeb6 Python: Add tests 
A slightly complicated test setup. I wanted to both make sure I captured
the semantics of Python and also the fact that the kinds of global flow
we expect to see are indeed present.

The code is executable, and prints out both when the execution reaches
certain files, and also what values are assigned to the various
attributes that are referenced throughout the program. These values are
validated in the test as well.

My original version used introspection to avoid referencing attributes
directly (thus enabling better error diagnostics), but unfortunately
that made it so that the model couldn't follow what was going on.

The current setup is a bit clunky (and Python's scoping rules makes it
especially so -- cf. the explicit calls to `globals` and `locals`), but
I think it does the job okay.
 2022-10-17 14:29:41 +00:00
Taus
651afaf11b Python: Hook up new implementation 
Left as its own commit, as otherwise the diff would have been very
confusing.
 2022-10-17 14:29:41 +00:00
Taus
0051ba1596 Python: Add new module resolution implementation 
A fairly complicated bit of modelling, mostly due to the quirks of
how imports are handled in Python.

A few notes:

- The handling of `__all__` is not actually needed (and perhaps not
  desirable, as it only pertains to `import *`, though it does match
  the current behaviour), but it might become useful at a later date,
  so I left it in.
- Ideally, we would represent `foo as bar` in an `import` as a
  `DefinitionNode` in the CFG. I opted _not_ to do this, as it would
  also affect points-to, and I did not want to deal with any fallout
  arising from that.
 2022-10-17 14:29:41 +00:00
Chris Smowton
eb97735568 Merge pull request #10797 from smowton/smowton/fix/byte-short-inversion 
Kotlin: fix bit-inversion operator for Byte and Short types
 2022-10-17 15:05:57 +01:00
Chris Smowton
e1c93c9284 Merge pull request #10816 from smowton/smowton/fix/kotlin-adapted-function-references 
Kotlin: extract function references using compiler-generated adapters
 2022-10-17 15:05:16 +01:00
Taus
f5b2eb94a6 Merge pull request #10783 from yoff/python/subscript-nodes 
Python: API graph improvements for subscripts
 2022-10-17 15:21:56 +02:00
Geoffrey White
0281bfedda Merge pull request #10689 from d10c/swift/cleartext-storage-nsuserdefaults 
Swift: Query for CWE-312: Exposure of sensitive information using NSUserDefaults
 2022-10-17 14:05:17 +01:00
Geoffrey White
13f9834fde Merge pull request #10780 from karimhamdanali/swift-hardcoded-key 
Swift: detect hardcoded encryption keys
 2022-10-17 14:02:31 +01:00
Arthur Baars
7af4c08055 Merge pull request #10803 from hmac/actiondispatch-response 
Ruby: Model ActionDispatch::Response
 2022-10-17 14:51:25 +02:00
Paolo Tranquilli
c3968a2166 Merge pull request #10854 from github/redsun82/swift-extract-implicit-conversions 
Swift: extract all `ImplicitConversionExpr`
 2022-10-17 13:46:10 +02:00
Chris Smowton
efd7b6e692 Use isFunction 2022-10-17 12:27:58 +01:00
Arthur Baars
f7ff2cdc0d Merge branch 'main' into actiondispatch-response 2022-10-17 13:22:17 +02:00
Paolo Tranquilli
789be9a1ad Swift: add ImplicitConversionExpr test 2022-10-17 12:57:44 +02:00
Karim Ali
bbc03a1578 add false negatives to the test case 2022-10-17 12:54:34 +02:00
Karim Ali
bb3bf64364 update example with both AES and Blowfish for better clarity 2022-10-17 12:54:34 +02:00
Karim Ali
b840a41222 fix typo in doc 2022-10-17 12:54:34 +02:00
Karim Ali
e942cfb98e fix typos in docs and in-code comments 2022-10-17 12:54:34 +02:00
Karim Ali
aef9645bd6 change use of toString() to getName() 2022-10-17 12:54:34 +02:00
Karim Ali
81e027f225 address QLDoc style comments 2022-10-17 12:54:34 +02:00
Karim Ali
d56c82ff75 add a query that detects hardcoded keys 2022-10-17 12:54:34 +02:00
Chris Smowton
be53ec9b42 Accept test changes 2022-10-17 11:48:22 +01:00
Chris Smowton
f9d65e42dd Use compiler-provided adapter functions when creating a function reference 2022-10-17 11:48:21 +01:00
Paolo Tranquilli
e4bcea708e Swift: extract all ImplicitConversionExpr 
In order to do so, `VisitorBase` was changed to allow writing one
`translate` function for an abstract class like
`ImplicitConversionExpr`.
 2022-10-17 12:47:05 +02:00
Chris Smowton
4c63237ed1 Add test checking argument <-> parameter matching, and fix superconstructor calls that were missing their argument. 2022-10-17 11:44:44 +01:00
Chris Smowton
f1fd470f49 Merge pull request #10821 from smowton/smowton/fix/kotlin-property-ref-to-sam-interface 
Kotlin SAM conversion: tolerate property refs used to implement a SAM interface
 2022-10-17 11:25:24 +01:00
Geoffrey White
2b3ab180fa Merge pull request #10077 from intrigus-lgtm/cpp/wexpand-commmand-injection 
Add query for tainted `wordexp` calls.
 2022-10-17 11:18:38 +01:00
Erik Krogh Kristensen
71135da7ff Merge pull request #10768 from erik-krogh/fixFileLoops 
JS: fix that js/file-system-race could have FPs related to loops
 2022-10-17 12:01:55 +02:00
Taus
fa2faeb77b Merge pull request #10802 from jsoref/spelling-python 
Spelling python
 2022-10-17 11:33:27 +02:00
Jeroen Ketema
720efd62b0 Merge pull request #10825 from jsoref/spelling-cpp 
Spelling cpp
 2022-10-17 10:42:53 +02:00
Rasmus Lerchedahl Petersen
2a56fb5a21 python: expand TODO 2022-10-17 10:23:55 +02:00
Rasmus Lerchedahl Petersen
c4271c1125 Python: add TODO comments 2022-10-17 10:22:47 +02:00
Erik Krogh Kristensen
122d188f1d Merge pull request #10832 from erik-krogh/passRb 
RB: add model for the `Digest` and `OpenSSL::Digest` modules
 2022-10-17 10:02:33 +02:00
Tamás Vajk
85fbf4b965 Merge pull request #10767 from tamasvajk/kotlin-prop-ref-fix 
Kotlin: adjust extracted property reference base class
 2022-10-17 09:40:03 +02:00
erik-krogh
191efdf6e0 replace getMethod("new").getReturn() with getInstance() 2022-10-17 09:35:44 +02:00
Anders Schack-Mulligen
6ef5fac239 Merge pull request #10814 from aschackmull/dataflow/synth-global 
Dataflow: Add support for synthetic global fields in MaD.
 2022-10-17 08:34:26 +02:00
Arthur Baars
dbee26ecde Merge pull request #10850 from hmac/fix-self-test 
Ruby: Update test fixture
 2022-10-17 07:23:51 +02:00
Harry Maclean
aa6c433529 Ruby: Update test fixture 
This change is due to a8fdda65fb.
 2022-10-17 09:44:32 +13:00
Harry Maclean
eddb8493d8 Apply suggestions from code review 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2022-10-17 09:34:44 +13:00
Harry Maclean
0e6322d673 Ruby: Restrict XSS header sinks 
Not all header writes are relevant to XSS. Restrict these to just
content-type and access-control-allow-origin.
 2022-10-17 09:34:44 +13:00
Harry Maclean
8ae86cf443 Ruby: Consider header writes as XSS sinks 2022-10-17 08:17:37 +13:00
Harry Maclean
545222d1e9 Ruby: Add change note 2022-10-17 08:17:37 +13:00
Harry Maclean
73ca595b56 Ruby: Model ActionDispatch::Response 2022-10-17 08:17:37 +13:00
Jeroen Ketema
45a0b66f73 C++: Fix test after spelling fixes 2022-10-15 14:23:08 +02:00
yoff
40526fdedb Update python/ql/lib/change-notes/2022-10-04-api-subscript-nodes.md 
Co-authored-by: Taus <tausbn@github.com>
 2022-10-15 08:16:19 +02:00
Arthur Baars
ae0c9b76e0 Merge pull request #10843 from aibaars/fix-self 
Ruby: fix self variables in blocks
 2022-10-15 00:48:14 +02:00
Alex Ford
2c5129e720 Merge pull request #10369 from alexrford/rb/sensitive-get-query 
Ruby: add `rb/sensitive-get-query` query
 2022-10-14 22:34:47 +01:00