hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-30 06:42:57 +01:00
Code Issues Packages Projects Releases Wiki Activity
1,611 Commits 1,684 Branches 159 Tags
b76ff0d2336da19074e823fe1774f96fd4e234e9
Commit Graph

1611 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Owen Mansel-Chan
b76ff0d233 Merge pull request #461 from owen-mc/avoid-unused-barrier-guards-in-scope 
Move reused barrier guards into separate files
 2021-01-26 06:08:29 +00:00
Owen Mansel-Chan
bf0f0aff5e Move reused barrier guards into separate files 
This way only the barrier guards that are used will be imported.
This is important because of the comment above BarrierGuard, which
warns about the potential danger of having classes that extend
BarrierGuard in scope which are not used.
 2021-01-25 17:07:18 +00:00
Owen Mansel-Chan
e55db63184 Merge pull request #462 from owen-mc/make-path-containment-check-more-specific 
Make PathContainmentCheck more specific
 2021-01-25 16:46:33 +00:00
Owen Mansel-Chan
71d52500f7 Make PathContainmentCheck more specific 
Recent changes to Property.checkOn mean that in the code
  err == nil && <unrelated-condition>
PathContainmentCheck matches the first condition and the whole &&
expression. Originally it would have only matched the first condition,
and this commit restores that behaviour. This pattern appears 3 times in
the tests, which all still pass.
 2021-01-25 15:05:57 +00:00
Max Schaefer
bc74bcec21 Merge pull request #459 from owen-mc/update-barrier-guard-comment 
Make comment on BarrierGuard more specific
 2021-01-25 14:34:20 +00:00
Owen Mansel-Chan
f8c3fbf845 Merge pull request #454 from owen-mc/default-taint-sanitizer-guard-equality-test-guard 
Make EqualityTestGuard a default taint sanitizer guard
 2021-01-25 14:24:08 +00:00
Owen Mansel-Chan
06c6ceda50 Make comment on BarrierGuard more specific 
The problem that this comment is trying to warn about is the following:
say you have two subclasses of BarrierGuard BG1 and BG2, both of which
contain some node g. Also assume that you have a configuration C which
specifies BG1 as a barrier guard, but not BG2. Because g is contained in
both classes, you will then still get the barrier guard definition from
BG2 due to the way dynamic dispatch works in QL.
 2021-01-25 13:16:23 +00:00
Owen Mansel-Chan
8acf572283 Add change note 2021-01-22 17:38:26 +00:00
Owen Mansel-Chan
71f2ed36f2 Make EqualityTestGuard a default taint sanitizer guard 
It will apply to all configurations, not just those involving Xss.
 2021-01-22 17:38:26 +00:00
Owen Mansel-Chan
7dfe5d9f07 Merge pull request #457 from owen-mc/cleanup-avoid-code-duplication 
Reuse existing class instead of repeating it
 2021-01-21 10:56:14 +00:00
Owen Mansel-Chan
7f00ab1f08 Merge pull request #456 from owen-mc/add-guarding-function-test 
Add tests for guarding functions proxied by a variable
 2021-01-21 10:55:54 +00:00
Owen Mansel-Chan
7339f3e095 Reuse existing class instead of repeating it 
This is already done elsewhere.
 2021-01-20 16:11:33 +00:00
Owen Mansel-Chan
b623a4c8ec Add tests for guarding functions proxied by a variable 
Negation doesn't appear to be handled correctly, so one
of the lines is marked as a false positive.
 2021-01-20 14:36:53 +00:00
Owen Mansel-Chan
e2a79f400e Make use of this explicit 
It makes it easier to understand the code.
 2021-01-19 15:55:02 +00:00
Owen Mansel-Chan
903ff33b0d Add class for default taint sanitizer guards 
This allows us to specify taint sanitizer guards that apply in
all configurations.
 2021-01-18 10:51:59 +00:00
Owen Mansel-Chan
83c26a3594 Improve predicate name 
Renamed `defaultTaintSanitizer` to `isDefaultTaintSanitizer`.
 2021-01-18 10:50:26 +00:00
Owen Mansel-Chan
fbe0474d0c Merge pull request #453 from owen-mc/update-architectures 
Update Architectures.qll
 2021-01-15 16:01:52 +00:00
Owen Mansel-Chan
6219a28b13 Update Architectures.qll 2021-01-15 14:01:01 +00:00
Owen Mansel-Chan
2f9c1a6049 Merge pull request #452 from owen-mc/package-path 
Use `package()` for package paths not in the standard library
 2021-01-15 07:25:06 +00:00
Owen Mansel-Chan
5e2c066e8b Use package() for package paths not in the standard library 
This has the advantage that it deals with versioning. For example,
`package("a.io", "b")` matches "a.io/v2/b"
as well as "a.io/b".

At the same time I have created `packagePath()` predicates where they
seemed useful and tried to standardise them a bit.
 2021-01-14 17:11:23 +00:00
Owen Mansel-Chan
62052a8772 Merge pull request #449 from owen-mc/model-couchbase-gocb 
Model Couchbase Go library
 2021-01-14 17:00:05 +00:00
Owen Mansel-Chan
a6b5e8b1db Remove distinct between package paths for v1 and v2 2021-01-14 15:48:21 +00:00
Owen Mansel-Chan
5cd984f3ca Merge pull request #450 from owen-mc/misc 
Miscellaneous clean-ups
 2021-01-13 12:33:21 +00:00
Owen Mansel-Chan
b5dfef894b Add change note 2021-01-13 09:18:54 +00:00
Owen Mansel-Chan
d8105a5be0 Add tests for Couchbase v2 NoSQL queries 2021-01-13 09:18:54 +00:00
Owen Mansel-Chan
b02fc16dfc Add tests for Couchbase v1 NoSQL queries 2021-01-13 09:18:54 +00:00
Owen Mansel-Chan
2ee20b3026 Add tests for Couchbase v1 2021-01-13 09:18:54 +00:00
Owen Mansel-Chan
d2164e16d1 Switch NoSQL tests to use inline expectations 2021-01-13 09:18:54 +00:00
Owen Mansel-Chan
a5ac947d16 Model Couchbase v2 NoSQL queries 2021-01-13 09:18:54 +00:00
Owen Mansel-Chan
7fc88ad85b Model Couchbase v1 NoSQL query sinks 2021-01-13 09:18:54 +00:00
Owen Mansel-Chan
a973ce4539 Model Couchbase gocb v1 2021-01-13 09:18:54 +00:00
Owen Mansel-Chan
9a51de56de Add comment explaining \Q and \E in regex 2021-01-12 16:56:04 +00:00
Owen Mansel-Chan
9236ad752b Improve formatting and style in Gin.qll 2021-01-12 16:56:04 +00:00
Owen Mansel-Chan
71774ed2d4 Remove redundant code 
RawMessage implements Marshaler and Unmarshaler, so these methods are
covered by the two sections below
 2021-01-12 16:56:04 +00:00
Owen Mansel-Chan
57ee3a8a64 Use set literal 2021-01-12 16:56:04 +00:00
Owen Mansel-Chan
fe1f08fb12 Use existing predicate 
There already exists the predicate
implements(string pkg, string tp, string name)
which does exactly what this code does
 2021-01-12 16:55:51 +00:00
Sauyon Lee
3f1197d605 Merge pull request #448 from sauyon/autoformat 
Autoformatter update
 2021-01-12 14:29:45 +00:00
Sauyon Lee
c11028229a Bump codeql version 2021-01-12 13:15:31 +00:00
Sauyon Lee
7a4dbc6fa7 Autoformatter update 2021-01-12 13:13:15 +00:00
Chris Smowton
c79e4f7836 Merge pull request #447 from smowton/smowton/admin/git-change-note 
Add change-note for addition of `git` to the list of known interpreters for the go/command-injection query
 2021-01-12 11:33:49 +00:00
Chris Smowton
a9cff82161 Add change-note for addition of git to the list of known interpreters for the go/command-injection query. 2021-01-11 18:48:54 +00:00
Chris Smowton
45635b67c6 Merge pull request #445 from smowton/smowton/feature/git-as-shell 
Add 'git' as a possible command-interpreter, unless arguments are sanitized using "--"
 2021-01-07 15:01:25 +00:00
Chris Smowton
83cee4a334 Add 'git' as a possible command-interpreter, unless arguments are sanitized using "--" 
This is because some git flags can specify arbitrary commands to execute, but its positional arguments cannot, and "--" like in many commands instructs git to consume no further flags.
 2021-01-07 11:54:41 +00:00
Chris Smowton
2dffd3e261 Merge pull request #443 from smowton/smowton/admin/missing-change-notes-2021-01 
Add change-notes for recent PRs that were missing them
 2021-01-05 11:41:35 +00:00
Chris Smowton
e6327f502c Merge pull request #444 from smowton/smowton/admin/merge-rc-126 
Merge rc/1.26 back into `main`
 2021-01-05 11:40:34 +00:00
Chris Smowton
19921ed115 Add change-notes for recent PRs that were missing them 2021-01-05 11:39:26 +00:00
Chris Smowton
2b608e5822 Merge remote-tracking branch 'origin/rc/1.26' into HEAD 2021-01-04 15:32:15 +00:00
Sauyon Lee
ace9271cc4 Merge pull request #441 from twpayne/contributing-building-and-testing 
Docs: Add building and testing to contributing guide
 2020-12-29 11:13:37 -08:00
Tom Payne
06721ce189 Docs: Add building and testing to contributing guide 2020-12-29 00:28:17 +01:00
Sauyon Lee
2ba26f69c0 Merge pull request #440 from twpayne/regexp-anchors 
Support more regexp anchors
 2020-12-23 11:42:06 -08:00