hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-21 06:57:09 +01:00
Code Issues Packages Projects Releases Wiki Activity
23,399 Commits 1,712 Branches 163 Tags
bc43b6d76078668bf807ea0cc9056d07a9ac1fbd
Commit Graph

23399 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Chris Smowton
bc43b6d760 Fix typo 2021-06-17 11:41:03 +01:00
Chris Smowton
e6249eed79 Add doc comments 2021-06-17 11:41:03 +01:00
Chris Smowton
26e10f3ad5 SSRF: don't consider results of fetches we initiated to be untrustworthy 2021-06-17 11:41:03 +01:00
Chris Smowton
c63d5986cf Sanitize StringBuilder appends that follow directly from a constructor. 
Note that some of this logic ought to be incorporated into StringBuilderVar once that code can be reviewed.
 2021-06-17 11:41:03 +01:00
Chris Smowton
b5a450b881 SSRF query: add sanitizer looking for a variety of ways of prepending a sanitizing prefix, such as one that restricts the hostname a URI will refer to. 2021-06-17 11:41:03 +01:00
Chris Smowton
487c1db6ed Promote SSRF query to main query set 2021-06-17 11:41:01 +01:00
Anders Schack-Mulligen
6ca8d69b26 Merge pull request #5881 from haby0/java/UnsafeDeserialization 
Java: CWE-502 Add UnsafeDeserialization sinks
 2021-06-17 12:36:34 +02:00
Anders Schack-Mulligen
8fe2f4a554 Merge pull request #6034 from owen-mc/java/jax-rs 
Improve JAX-WS and JAX-RS models
 2021-06-17 12:35:34 +02:00
Anders Schack-Mulligen
b173b4141d Merge pull request #6096 from smowton/smowton/fix/inline-expectations-missing-prefix 
Inline expectation tests: accept // $MISSING: and // $SPURIOUS:
 2021-06-17 11:41:15 +02:00
haby0
363ad5b470 Fix error 2021-06-17 17:36:35 +08:00
Owen Mansel-Chan
945db01f56 Address review comments 2021-06-17 10:29:33 +01:00
Owen Mansel-Chan
b9bc1f978c Update style of inline expectation comments 2021-06-17 10:04:15 +01:00
Chris Smowton
558813acf7 Inline expectation tests: accept // $MISSING: and // $SPURIOUS: 
Previously there had to be a space after the $ token, unlike ordinary expectations (i.e., // $xss was already accepted)
 2021-06-17 09:44:39 +01:00
Owen Mansel-Chan
0987425f94 Reinstate failing tests with MISSING: prefix 2021-06-17 09:36:51 +01:00
Tom Hvitved
0febf5a592 Merge pull request #6094 from hvitved/dataflow/consistency-compiler-too-smart 
Data flow: Workaround for too clever compiler in consistency queries
 2021-06-17 10:23:31 +02:00
Tom Hvitved
cc383e0f6a Data flow: Workaround for too clever compiler in consistency queries 2021-06-17 09:43:36 +02:00
haby0
3dd851fffb expected 2021-06-17 15:20:03 +08:00
Owen Mansel-Chan
5f82993b0b Put parameters with inline expectation comments on their own lines 2021-06-17 06:41:01 +01:00
CodeQL CI
bcafe532ac Merge pull request #5944 from RasmusWL/async-api-graph-tests 
Approved by tausbn
 2021-06-16 08:46:26 -07:00
CodeQL CI
9b84a8e146 Merge pull request #6048 from erik-krogh/graphql 
Approved by esbena
 2021-06-16 06:35:42 -07:00
Owen Mansel-Chan
5d00bb23e4 Move logic for URL redirection sinks 2021-06-16 12:48:11 +01:00
yoff
0ddeb7a8c1 Merge pull request #5950 from RasmusWL/promote-clickhouse 
Python: Promote ClickHouse SQL models
 2021-06-16 13:38:41 +02:00
Tamás Vajk
eaa69dfa5d Merge pull request #6084 from tamasvajk/feature/effective-publicness 
C#: Fix isEffectively* visibility predicates
 2021-06-16 12:52:38 +02:00
Anders Schack-Mulligen
75d5fe67ea Merge pull request #6090 from atorralba/atorralba/move-httpsurls-tests 
Java: Move/tweak some tests
 2021-06-16 12:00:55 +02:00
Tamas Vajk
28ef0e86f6 Apply code review findings 2021-06-16 10:51:52 +02:00
Tamas Vajk
c5b8acf216 Add change notes 2021-06-16 10:51:52 +02:00
Tamas Vajk
db8a777aa9 Fix isEffectively* predicates to members extracted from multiple assemblies 2021-06-16 10:51:52 +02:00
Tamas Vajk
77f8f3fa8a Adjust comments on isEffectively* 2021-06-16 10:51:52 +02:00
Tamas Vajk
eea96a5585 Fix effective publicness of protected private and protected internal 2021-06-16 10:51:52 +02:00
Tamas Vajk
f715445c7a Fix effective privateness of explicitly implemented members 2021-06-16 10:51:08 +02:00
Tamas Vajk
a24006239b C#: Add more tests to effective visibility 2021-06-16 10:50:15 +02:00
Taus
96d8fc78f8 Merge pull request #6078 from hvitved/type-tracker-caching 
Python: Move cached predicates in type tracker library to same stage
 2021-06-16 10:45:02 +02:00
Tamás Vajk
9f44bc575f Merge pull request #6089 from tamasvajk/feature/interface-member-modifier 
C#: Allow abstract modifier on interface members
 2021-06-16 10:44:43 +02:00
haby0
c1ada6d85b Merge branch 'main' into java/UnsafeDeserialization 2021-06-16 16:37:03 +08:00
Tamás Vajk
386d88ab93 Merge pull request #6085 from tamasvajk/feature/unsafe 
C#: Fix `Modifiable::isUnsafe` to handle declarations extracted from assemblies
 2021-06-16 10:30:09 +02:00
Tony Torralba
e2918d55b5 Move tests back from internal repo 2021-06-16 10:09:44 +02:00
Tamas Vajk
66835651fe C#: Allow abstract modifier on interface members 2021-06-16 09:56:36 +02:00
Tamas Vajk
dacb044790 C#: Add tests for abstract/virtual modifier of interface members 2021-06-16 09:54:34 +02:00
haby0
9badd7aa27 change name 2021-06-16 11:29:37 +08:00
Tamas Vajk
74c4765ab9 Add change note 2021-06-15 17:30:48 +02:00
Tamas Vajk
44b30b70da C#: Fix Modifiable::isUnsafe to handle declarations extracted from assemblies 2021-06-15 17:30:48 +02:00
CodeQL CI
847faf536d Merge pull request #6070 from asgerf/js/script-with-tsx-lang 
Approved by erik-krogh
 2021-06-15 08:17:53 -07:00
Taus
87ee7849a9 Merge pull request #6077 from RasmusWL/fix-pypi-names 
Python: Fixup for names of supported PyPI packages
codeql-cli/v2.5.6 		2021-06-15 15:01:35 +02:00
yoff
b19d64f173 Merge pull request #6013 from RasmusWL/sensitive-improvements 
Python: Improve sensitive data modeling
 2021-06-15 14:45:40 +02:00
Tom Hvitved
c03ee32f02 Python: Move cached predicates in type tracker library to same stage 2021-06-15 13:42:43 +02:00
Rasmus Wriedt Larsen
b1fb68bc54 Python: Rename .qll file for mysql-connector-python support 
Just like our support for the `PyYAML` PyPI package that you import with
`import yaml` is in `Yaml.qll`.

Since this file does not provide any public predicates/modules, it
should be safe to rename it.
 2021-06-15 13:06:53 +02:00
Rasmus Wriedt Larsen
b154f034cb Python: Fix names of supported PyPI packages 2021-06-15 12:55:52 +02:00
Rasmus Wriedt Larsen
00af18a622 Python: Autoformat 2021-06-15 11:31:38 +02:00
Rasmus Wriedt Larsen
156b10cb59 Merge branch 'main' into promote-clickhouse 2021-06-15 11:30:19 +02:00
Anders Schack-Mulligen
19305a217a Merge pull request #5374 from joefarebrother/guava-base 
Java: Model additional flow steps for the package `com.google.common.base` of the Guava framwork.
 2021-06-15 10:58:48 +02:00