hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-30 03:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity
24,271 Commits 1,741 Branches 165 Tags
bbcbcefedcbff4cfd7a16cbfa904b42462f1ee88
Commit Graph

24271 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Anders Schack-Mulligen
0ccb213ec5 Dataflow: Sync. 2021-07-14 10:36:09 +02:00
Anders Schack-Mulligen
dbe1ca928b Dataflow: Simplify call context checks. 2021-07-14 10:36:09 +02:00
Anders Schack-Mulligen
c95e78546c Dataflow: Refactor 2021-07-14 10:36:09 +02:00
CodeQL CI
f6f7020388 Merge pull request #6250 from erik-krogh/python-redos-unicode 
Approved by RasmusWL
 2021-07-14 01:09:26 -07:00
CodeQL CI
436168aa4f Merge pull request #6267 from erik-krogh/read-pkg 
Approved by asgerf
 2021-07-14 01:01:33 -07:00
Anders Schack-Mulligen
8dc1f28c68 Merge pull request #6272 from hvitved/dataflow/flow-summary-impl-cached 
Data flow: Use cached predicates from DataFlowImplCommon in `FlowSummaryImpl.qll`
 2021-07-14 09:12:23 +02:00
Sauyon Lee
51211c0394 Add stubs 2021-07-13 10:29:02 -07:00
Sauyon Lee
c2c7fee8df Fix tests 2021-07-13 10:29:02 -07:00
Sauyon Lee
b01e6d49fb Add generated tests 2021-07-13 10:29:01 -07:00
Sauyon Lee
b807757863 Model Spring web.multipart 2021-07-13 10:29:01 -07:00
Robert Marsh
25dd29b24f Merge pull request #6158 from MathiasVP/call-ctx-for-function-ptr-resolution 
C++: Resolve function pointer calls using call contexts
 2021-07-13 10:00:44 -07:00
Chris Smowton
1044049e72 Simplify getInput 2021-07-13 16:36:26 +01:00
Chris Smowton
98b85a481c Improve inline-expectation style 2021-07-13 16:36:08 +01:00
Chris Smowton
a11021991a Improve method documentation 2021-07-13 16:35:44 +01:00
Chris Smowton
b5492056d8 Remove superfluous parens 2021-07-13 16:35:22 +01:00
Chris Smowton
97694bc9a1 Report error even if interpretElement resolves to a non-Callable Element 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-07-13 16:16:01 +01:00
CodeQL CI
f9b539e5b9 Merge pull request #6253 from asgerf/js/more-precise-capture-steps 
Approved by erik-krogh
 2021-07-13 07:42:07 -07:00
Erik Krogh Kristensen
086c9c8156 remove redundant getACall() 
Co-authored-by: Asger F <asgerf@github.com>
 2021-07-13 16:32:14 +02:00
Tom Hvitved
7e9d87055d Data flow: Sync 2021-07-13 16:15:00 +02:00
Tom Hvitved
febebed15e Data flow: Use cached predicates from DataFlowImplCommon in FlowSummaryImpl.qll 2021-07-13 16:15:00 +02:00
Anders Schack-Mulligen
9388983e41 Java: Add missing stub. 2021-07-13 15:26:37 +02:00
Anders Schack-Mulligen
0f6f020766 Java: Fix models. 2021-07-13 15:23:19 +02:00
Taus
6aec7f2c49 Merge pull request #6264 from RasmusWL/customization-files-for-path-problems 
Python: Provide proper source/sink customization for most path queries
 2021-07-13 15:09:33 +02:00
CodeQL CI
48ec223727 Merge pull request #6212 from asgerf/js/typescript-4.3.5 
Approved by esbena
 2021-07-13 05:45:09 -07:00
CodeQL CI
9d59cba644 Merge pull request #6262 from erik-krogh/slash 
Approved by asgerf
 2021-07-13 05:44:55 -07:00
CodeQL CI
c87fe95d52 Merge pull request #6258 from erik-krogh/case 
Approved by asgerf
 2021-07-13 05:44:49 -07:00
CodeQL CI
b34f444c88 Merge pull request #6254 from erik-krogh/json2csv 
Approved by asgerf
 2021-07-13 05:44:36 -07:00
Rasmus Wriedt Larsen
6f8969a55e Python: Add change-note 2021-07-13 14:39:44 +02:00
Rasmus Wriedt Larsen
9ed61e7663 Python: Port py/polynomial-redos to use proper source/sink customization 
I noticed the configuration/customization files are in the `performance`
folder in JS, but I just kept them in place, since that seems correct to
me.
 2021-07-13 14:39:44 +02:00
Taus
693a479bf6 Merge branch 'main' into python-add-typetrackingnode 2021-07-13 14:13:21 +02:00
Rasmus Wriedt Larsen
cea2f82be9 Python: Port py/path-injection to use proper source/sink customization 2021-07-13 14:09:02 +02:00
Rasmus Wriedt Larsen
bf214ac3bb Python: Apply suggestions from code review 
Co-authored-by: Taus <tausbn@github.com>
 2021-07-13 13:41:26 +02:00
Tom Hvitved
cb1b227c87 Merge pull request #6270 from hvitved/csharp/standalone-nuget-restore 
C#: Skip `dotnet restore` in standalone extraction when `nuget_restore: false` is set
 2021-07-13 13:36:40 +02:00
Rasmus Wriedt Larsen
1a59c9b64a Merge pull request #6204 from tausbn/python-ensmallen-localsourcenode 
Python: Clean up `LocalSourceNode` charpred
 2021-07-13 13:27:38 +02:00
Robin Neatherway
fc38960795 Split up metric information across the doc 2021-07-13 11:25:15 +01:00
Mathias Vorreiter Pedersen
1ed027e0d1 Merge pull request #6266 from erik-krogh/mootools-doc 
JS: add missing qldoc in MooTools.qll
 2021-07-13 10:39:21 +02:00
Anders Schack-Mulligen
be96647f78 Merge pull request #6256 from hvitved/dataflow/summary-node-type-join-order 
Data flow: Fix bad join-orders in `summaryNodeType`
 2021-07-13 10:24:30 +02:00
Erik Krogh Kristensen
07bc5856db add the cwd option from read-pkg as sink for path-injection 2021-07-12 23:43:15 +02:00
Erik Krogh Kristensen
cadbdcff0a add missing qldoc in MooTools.qll 2021-07-12 23:20:51 +02:00
Robert Marsh
61ee4af66c Merge pull request #6159 from MathiasVP/more-effective-barriers-in-bounded-predicate 
C++: More effective barriers in the `bounded` predicate for CWE-190
 2021-07-12 11:59:37 -07:00
Mathias Vorreiter Pedersen
7da7ec60d9 C++: Inline predicates from 'Bounded.qll'. 2021-07-12 19:09:33 +02:00
Robin Neatherway
2c14c982d8 Apply suggestions from code review 
Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
 2021-07-12 17:34:52 +01:00
Taus
1decf23785 Python: Fix bad join order for sensitive data 
Not the prettiest of solutions, but it does the job. Basically, we were
calculating (and re-calculating) the same big relation between strings
and regexes and then checking whether the latter matched the former.

This resulted in tuple counts like the following:

```
[2021-07-12 16:09:24] (12s) Tuple counts for SensitiveDataSources::SensitiveDataModeling::SensitiveVariableAssignment#class#ff#shared/4@7489c6:
4918074 ~0%     {4} r1 = JOIN SensitiveDataHeuristics::HeuristicNames::maybeSensitiveRegexp#ff WITH Flow::NameNode::getId_dispred#ff CARTESIAN PRODUCT OUTPUT Lhs.0 'arg0', Lhs.1 'arg1', Rhs.0, Rhs.1 'arg3'
2654    ~0%     {4} r2 = JOIN r1 WITH PRIMITIVE regexpMatch#bb ON Lhs.3 'arg3',Lhs.1 'arg1'
                return r2
```
(The above being just the bit that handles `DefinitionNode` in
`SensitiveVariableAssignment`, and taking 12 seconds to evaluate.)

By applying a bit of manual inlining and magic, this becomes somewhat
more manageable:

```
[2021-07-12 15:59:44] (1s) Tuple counts for SensitiveDataSources::SensitiveDataModeling::sensitiveString#ff/2@8830e2:
27671  ~2%      {3} r1 = JOIN SensitiveDataHeuristics::HeuristicNames::maybeSensitiveRegexp#ff WITH SensitiveDataSources::SensitiveDataModeling::sensitiveParameterName#f CARTESIAN PRODUCT OUTPUT Lhs.0 'classification', Lhs.1, Rhs.0

334012 ~2%      {3} r2 = JOIN SensitiveDataHeuristics::HeuristicNames::maybeSensitiveRegexp#ff WITH SensitiveDataSources::SensitiveDataModeling::sensitiveName#f CARTESIAN PRODUCT OUTPUT Lhs.0 'classification', Lhs.1, Rhs.0

361683 ~11%     {3} r3 = r1 UNION r2

154644 ~0%      {3} r4 = JOIN SensitiveDataHeuristics::HeuristicNames::maybeSensitiveRegexp#ff WITH SensitiveDataSources::SensitiveDataModeling::sensitiveFunctionName#f CARTESIAN PRODUCT OUTPUT Lhs.0 'classification', Lhs.1, Rhs.0

149198 ~1%      {3} r5 = JOIN SensitiveDataHeuristics::HeuristicNames::maybeSensitiveRegexp#ff WITH SensitiveDataSources::SensitiveDataModeling::sensitiveStrConst#f CARTESIAN PRODUCT OUTPUT Lhs.0 'classification', Lhs.1, Rhs.0

124257 ~5%      {3} r6 = JOIN SensitiveDataHeuristics::HeuristicNames::maybeSensitiveRegexp#ff WITH SensitiveDataSources::SensitiveDataModeling::sensitiveAttributeName#f CARTESIAN PRODUCT OUTPUT Lhs.0 'classification', Lhs.1, Rhs.0

273455 ~21%     {3} r7 = r5 UNION r6
428099 ~30%     {3} r8 = r4 UNION r7
789782 ~78%     {3} r9 = r3 UNION r8
1121   ~77%     {3} r10 = JOIN r9 WITH PRIMITIVE regexpMatch#bb ON Lhs.2 'result',Lhs.1
1121   ~70%     {2} r11 = SCAN r10 OUTPUT In.0 'classification', In.2 'result'
                return r11
```
(The above being the total for all the sensitive names we care about,
taking only 1.2 seconds to evaluate.)

Incidentally, you may wonder why this has _fewer_ results than before.
The answer is control flow splitting -- every sensitively-named
`DefinitionNode` would have been matched in isolation previously. By
pre-matching on just the names of these, we can subsequently join
against those names that are known to be sensitive, which is a much
faster operation.

(We also get the benefit of deduplicating the strings that are matched,
before actually performing the match, so if, say, an attribute name and
a variable name are identical, then we'll only match them once.)

We also exclude all docstrings as relevant string constants, as these
presumably don't actually flow anywhere.
 2021-07-12 16:10:49 +00:00
Mathias Vorreiter Pedersen
4fc60aedc6 C++: Relax the restrictions on when '%' is a barrier and accept test changes. 2021-07-12 17:39:12 +02:00
Mathias Vorreiter Pedersen
a6f1f8d3b6 C++: Add testcases demonstrating FPs from real code. 2021-07-12 17:39:12 +02:00
Mathias Vorreiter Pedersen
6a11aa7f2a Merge pull request #6154 from MathiasVP/more-random-sources-in-uncontrolled-arithmetic 
C++: Add more random sources in `cpp/uncontrolled-arithmetic`
 2021-07-12 17:37:44 +02:00
Robin Neatherway
5d849a9f9d Add docs for summary type queries 2021-07-12 16:26:21 +01:00
Mathias Vorreiter Pedersen
768b3c84c9 C++: Fix a bug that slipped into fd477383b0. 2021-07-12 17:13:21 +02:00
Erik Krogh Kristensen
899e54fbc9 add support for the slash library 2021-07-12 16:36:54 +02:00
Taus
a73e382dfe Python: Prevent bad join in hashlib model 
I'm not entirely sure what triggered this bad join order, but some
combination of the use of abstract classes and the exclusion of `new`
caused this to go really wrong:

```
WeakSensitiveDataHashing.ql-15:Stdlib::Stdlib::HashlibDataPassedToHashClass#class#ffff ......... 15.5s
```

with the following tuple counts:
```
[2021-07-12 13:20:15] (16s) Tuple counts for Stdlib::Stdlib::HashlibDataPassedToHashClass#class#ffff/4@217901:
148810  ~3%        {3} r1 = JOIN DataFlowPublic::CallCfgNode#class#ff#shared WITH project#DataFlowPublic::CallCfgNode::getArg_dispred#fff ON FIRST 1 OUTPUT "hashlib", Lhs.1 'node', Lhs.0 'this'
148810  ~4%        {3} r2 = JOIN r1 WITH ApiGraphs::API::Impl::MkModuleImport#ff@staged_ext ON FIRST 1 OUTPUT Rhs.1, Lhs.1 'node', Lhs.2 'this'
7589310 ~486%      {4} r3 = JOIN r2 WITH ApiGraphs::API::Impl::edge#2#fff@staged_ext ON FIRST 1 OUTPUT Lhs.1 'node', Lhs.2 'this', Rhs.1, InverseAppend("getMember(\"","\")",Rhs.1)
6994070 ~490%      {4} r4 = SELECT r3 ON In.3 != "new"
6994070 ~4503%     {2} r5 = SCAN r4 OUTPUT In.1 'this', In.0 'node'

22      ~4%        {3} r6 = JOIN DataFlowPublic::CallCfgNode#class#ff#shared WITH project#DataFlowPublic::CallCfgNode::getArgByName_dispred#fff ON FIRST 1 OUTPUT "hashlib", Lhs.1 'node', Lhs.0 'this'
22      ~0%        {3} r7 = JOIN r6 WITH ApiGraphs::API::Impl::MkModuleImport#ff@staged_ext ON FIRST 1 OUTPUT Rhs.1, Lhs.1 'node', Lhs.2 'this'
1122    ~437%      {4} r8 = JOIN r7 WITH ApiGraphs::API::Impl::edge#2#fff@staged_ext ON FIRST 1 OUTPUT Lhs.1 'node', Lhs.2 'this', Rhs.1, InverseAppend("getMember(\"","\")",Rhs.1)
1034    ~460%      {4} r9 = SELECT r8 ON In.3 != "new"
1034    ~4549%     {2} r10 = SCAN r9 OUTPUT In.1 'this', In.0 'node'

6995104 ~4503%     {2} r11 = r5 UNION r10
5213851 ~4683%     {3} r12 = JOIN r11 WITH ApiGraphs::API::Node::getACall_dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1 'hashClass', Lhs.1 'node', Lhs.0 'this'
6478480 ~4646%     {6} r13 = JOIN r12 WITH ApiGraphs::API::Impl::edge#2#fff_201#join_rhs ON FIRST 1 OUTPUT "hashlib", Rhs.1, Lhs.1 'node', Lhs.2 'this', Lhs.0 'hashClass', Rhs.2
1410    ~4693%     {5} r14 = JOIN r13 WITH ApiGraphs::API::Impl::MkModuleImport#ff@staged_ext ON FIRST 2 OUTPUT Lhs.2 'node', Lhs.3 'this', Lhs.4 'hashClass', Lhs.5, InverseAppend("getMember(\"","\")",Lhs.5)
1222    ~4540%     {5} r15 = SELECT r14 ON In.4 'hashName' != "new"
1222    ~4540%     {4} r16 = SCAN r15 OUTPUT In.1 'this', In.4 'hashName', In.2 'hashClass', In.0 'node'
```

By factoring out the insides, the biggest iteration now looks like

```
[2021-07-12 14:17:36] (0s) Tuple counts for Stdlib::Stdlib::HashlibDataPassedToHashClass#class#ffff/4@85bb21:
148810 ~0%     {2} r1 = JOIN DataFlowPublic::CallCfgNode#class#ff#shared WITH project#DataFlowPublic::CallCfgNode::getArg_dispred#fff ON FIRST 1 OUTPUT Lhs.1 'node', Lhs.0 'this'
148810 ~0%     {2} r2 = JOIN r1 WITH Stdlib::Stdlib::hashlibMember#ff#nonempty CARTESIAN PRODUCT OUTPUT Lhs.1 'this', Lhs.0 'node'

22     ~0%     {2} r3 = JOIN DataFlowPublic::CallCfgNode#class#ff#shared WITH project#DataFlowPublic::CallCfgNode::getArgByName_dispred#fff ON FIRST 1 OUTPUT Lhs.1 'node', Lhs.0 'this'
22     ~0%     {2} r4 = JOIN r3 WITH Stdlib::Stdlib::hashlibMember#ff#nonempty CARTESIAN PRODUCT OUTPUT Lhs.1 'this', Lhs.0 'node'

148832 ~0%     {2} r5 = r2 UNION r4
110933 ~2%     {3} r6 = JOIN r5 WITH ApiGraphs::API::Node::getACall_dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1 'hashClass', Lhs.1 'node', Lhs.0 'this'
26     ~0%     {4} r7 = JOIN r6 WITH Stdlib::Stdlib::hashlibMember#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.2 'this', Rhs.1 'hashName', Lhs.0 'hashClass', Lhs.1 'node'
               return r7
```

(The tuple counts themselves are not directly comparable.)
 2021-07-12 14:22:21 +00:00