hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-26 09:18:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
25,786 Commits 1,718 Branches 163 Tags
bdd135dbff40d8d015e8a8bccf95d3c9c7133cc2
Commit Graph

25786 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Chris Smowton
bdd135dbff Spring HTTP: mark explicitly content-typed body calls as sinks 
Previously only the return from the request-handler method constituted a sink, and was filtered by the Produces annotation if any, even though a BodyBuilder could explicitly override.

These sinks are also marked as out-barriers to avoid duplicate paths when the Produces annotation is in agreement.
 2021-09-10 16:10:50 +01:00
Chris Smowton
701d0bcdca Spring content types: recognise constant content-type strings 2021-09-10 16:10:48 +01:00
Chris Smowton
4397371a50 Spring constant media types: recognise constant string versions 
Previously we only recognised the constant MediaTypes
 2021-09-10 16:10:47 +01:00
Chris Smowton
b9b34eb0ee Move Spring XSS sink definition into SpringHttp.qll 2021-09-10 16:10:45 +01:00
Chris Smowton
3b6cc97557 Sanitize Spring bodies directly associated with an XSS-safe Content-Type 2021-09-10 16:10:44 +01:00
Chris Smowton
0ebbb333ba Merge pull request #6564 from haby0/java/xxe/new 
Java: Add XXE sinks
 2021-09-10 16:04:27 +01:00
Chris Smowton
29028c5d46 Update test expectations to account for dataflow subpaths changes 2021-09-10 13:53:41 +01:00
Chris Smowton
2d03840fde Add experimental variants of java/xxe, incorporating new sinks and a version that uses local sources. 
Originally authored by @haby0, squashed to clean up a tangled commit history.
 2021-09-10 13:49:31 +01:00
Rasmus Wriedt Larsen
db78e3a7da Merge pull request #6274 from tausbn/python-api-graphs-import-star 
Python: Support `import *` in API graphs
 2021-09-10 13:25:41 +02:00
Rasmus Wriedt Larsen
b45743b562 Merge pull request #6312 from tausbn/python-deprecate-importnode 
Python: Deprecate `importNode`
 2021-09-10 13:12:56 +02:00
CodeQL CI
27f2d417c1 Merge pull request #6652 from asgerf/js/type-tracking-through-callback 
Approved by erik-krogh
 2021-09-10 04:11:14 -07:00
Tom Hvitved
649c2ce188 Merge pull request #6586 from hvitved/dataflow/stage2-precise-call-ctx-take2 
Data flow: Add precise call contexts to stage 2
 2021-09-10 11:34:35 +02:00
CodeQL CI
0673355f31 Merge pull request #6649 from rhysd/discussion-untrusted-inputs 
Approved by erik-krogh
 2021-09-10 01:44:54 -07:00
Anders Peter Fugmann
1bbadb57a2 Merge pull request #6568 from andersfugmann/andersfugmann/improve_upper_bound 
C++: Improve predicate upperBound in SimpleRangeAnalysis
 2021-09-10 09:49:48 +02:00
Tom Hvitved
296d10fe2a Data flow: Adjust callMayFlowThroughFwd pragmas 2021-09-10 09:21:24 +02:00
Anders Schack-Mulligen
3e17fdcaa3 Merge pull request #6407 from bmuskalla/charSeqSubSeq 
Java: Track taint for CharSequence#subSequence
 2021-09-10 09:01:29 +02:00
rhysd
97ed9edd32 JS: Detect untrusted inputs in 'discussion' and 'discussion_comment' payloads 2021-09-10 10:42:58 +09:00
Chris Smowton
5b8b27a2aa Merge pull request #6651 from smowton/smowton/admin/functional-interface-tests 
Add tests for functional interfaces
 2021-09-09 22:02:16 +01:00
Tamás Vajk
ad04099ac2 Merge pull request #6630 from tamasvajk/feature/interface-runtimecallable 
C# Extend runtime callables to cover interface members with default implementation
 2021-09-09 17:24:55 +02:00
Andrew Eisenberg
4c74709019 Merge pull request #6606 from github/aeisenberg/docs 
Update the docs about qlpacks
 2021-09-09 07:42:24 -07:00
Anders Schack-Mulligen
13c4b93d3d Merge pull request #6648 from aschackmull/java/func-interface 
Java: Fix FunctionalInterface.
 2021-09-09 16:14:14 +02:00
Benjamin Muskalla
9d5e48430e Merge branch 'main' into charSeqSubSeq 2021-09-09 16:04:36 +02:00
Chris Smowton
a0bf170d02 Add test for functional interfaces 2021-09-09 15:00:42 +01:00
Anders Schack-Mulligen
ec3990c619 Java: Fix FunctionalInterface. 2021-09-09 15:04:22 +02:00
Anders Schack-Mulligen
c4956a4ade Merge pull request #6376 from bmuskalla/thirdpartyapitelemtry 
Java: Introduce queries to capture information about 3rd party API usage
 2021-09-09 13:55:47 +02:00
Anders Fugmann
270dbd2bf7 C++: Revert peer review suggestion. 
The suggested change has a severe impact on row counts, as cpp does not cache
the results for `bbDominates`. Since the `getGuardedUpperBound` predicate the
cost of runtime complexity is considered higher than the benefit of this change.
 2021-09-09 13:26:42 +02:00
Anders Fugmann
6c44b0e6e7 C++: Add test case where a guarded block has two predecessors which are both in the dominance domain of the guard 2021-09-09 13:18:49 +02:00
Benjamin Muskalla
c0e65e71b4 Revert "Java: Fix external flow perofrmance with future optimiser." 
This reverts commit be1d4c04f2.
 2021-09-09 13:06:23 +02:00
Benjamin Muskalla
eef044f4d0 Add test to capture expected parameter format 2021-09-09 13:05:15 +02:00
Benjamin Muskalla
a1b7437f8d Merge branch 'main' into thirdpartyapitelemtry 2021-09-09 11:11:42 +02:00
Andrew Eisenberg
fb90bb4241 Remove outdated section 
Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
 2021-09-08 10:45:50 -07:00
Andrew Eisenberg
ec5435befd Apply suggestions from code review 
Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
 2021-09-08 08:13:15 -07:00
Benjamin Muskalla
96a34b6165 Fix value flow for fluent api 2021-09-08 16:12:52 +02:00
Anders Schack-Mulligen
5d58edb3b9 Merge pull request #6641 from aschackmull/dataflow/edges-fasttc 
Dataflow: Only calculate fastTC for the relevant part of edges.
 2021-09-08 15:45:46 +02:00
Benjamin Muskalla
b47507293a Minor fixes for fluent apis 2021-09-08 15:32:41 +02:00
Tamas Vajk
9ab6c29cd3 Extend runtime callables to cover interface members with default implementation 2021-09-08 15:07:49 +02:00
CodeQL CI
cd26d97dd7 Merge pull request #6549 from erik-krogh/moreDom 
Approved by asgerf
 2021-09-08 05:10:47 -07:00
Chris Smowton
5d37748973 Merge pull request #6631 from github/Claim-Java-16-support 
Claim Java 16 support
 2021-09-08 12:31:28 +01:00
Benjamin Muskalla
67eaa1b735 Fix qldoc 2021-09-08 13:08:28 +02:00
Asger Feldthaus
db1de18cc2 JS: Support transitive callback-passing 2021-09-08 13:08:16 +02:00
Asger Feldthaus
ceaf2b3727 JS: Rename FlowSteps::callback -> exploratoryCallbackStep 2021-09-08 13:08:12 +02:00
Asger Feldthaus
7c94dd94e9 JS: Add type-tracking steps through callback args 2021-09-08 13:08:05 +02:00
Asger Feldthaus
1f6df4e70d JS: Add callback type tracking test 2021-09-08 13:08:04 +02:00
Anders Schack-Mulligen
1af39f0776 Dataflow: Sync. 2021-09-08 13:02:07 +02:00
Anders Schack-Mulligen
2e9876f58f Dataflow: Only calculate fastTC for the relevant part of edges. 2021-09-08 13:01:29 +02:00
Anders Fugmann
f91bd91d02 C++: Apply suggested change from code review 2021-09-08 12:38:53 +02:00
Anders Schack-Mulligen
2b7882e6e5 Merge pull request #5032 from aschackmull/dataflow/subpaths 
Dataflow: Add subpaths query predicate.
 2021-09-08 11:52:41 +02:00
Anders Schack-Mulligen
3f5b9d0f54 Merge pull request #6637 from github/alexet/imporve-query 
Java: Fix performance issues with future versions of codeql.
 2021-09-08 11:16:19 +02:00
Anders Fugmann
e93dc0b4c4 C++: Fix comment in getGuardedUpperBound 2021-09-08 11:06:58 +02:00
alexet
81f4822b8d Java: Fix performance with future optimiser by caching a predicate 2021-09-07 16:38:40 +01:00