Nick Rolfe
bee94757dd
Add query test for ReDoS.ql, ported from JS
2021-06-25 12:51:35 +01:00
Nick Rolfe
6142029fdc
Recognise \t as not escaping t
2021-06-25 12:46:25 +01:00
Nick Rolfe
a77e7761fd
Make \h and \H character class escapes
2021-06-25 12:27:39 +01:00
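The two regex-parsing commits above hinge on one distinction: in Ruby's (Onigmo) syntax `\t` is a control escape for the tab character, not an escaped literal `t`, and `\h` / `\H` are hexadecimal-digit character-class escapes in the same family as `\d` / `\D`, `\w` / `\W` and `\s` / `\S`. The following is an added example, not code from the repository whose history is listed here: a small stand-alone classifier for backslash escapes in a regex source string that makes that distinction, plus two checks against Ruby's own regex engine. The function names, the `:kind` labels and the escape tables are my own assumptions for illustration and do not reflect the project's parser.

```ruby
# Added example (not code from the repository in this log). Classifies the
# backslash escapes in a Ruby regex source string the way the commits above
# distinguish them:
#   \t \n \r \f \v \a \e  -> control escapes (the character they denote)
#   \d \D \w \W \s \S \h \H -> character-class escapes
#   anything else after '\' -> an escaped literal (e.g. \. or \()
# Table contents and :kind labels are assumptions for this illustration.

CONTROL_ESCAPES = {
  't' => "\t", 'n' => "\n", 'r' => "\r", 'f' => "\f", 'v' => "\v",
  'a' => "\a", 'e' => "\e"
}.freeze

CLASS_ESCAPES = %w[d D w W s S h H].freeze

# Returns an array of { kind:, text: } hashes, one per escape found in +src+
# (the regex source, i.e. the text between the slashes of /.../), in order.
def classify_escapes(src)
  out = []
  i = 0
  while i < src.length
    if src[i] == '\\' && i + 1 < src.length
      c = src[i + 1]
      kind =
        if CONTROL_ESCAPES.key?(c) then :control
        elsif CLASS_ESCAPES.include?(c) then :char_class
        else :escaped_literal
        end
      out << { kind: kind, text: src[i, 2] }
      i += 2
    else
      i += 1
    end
  end
  out
end

# Cross-check with the real engine: a tab matches /\t/, a literal "t" does not.
def tab_is_control_escape?
  ("\t" =~ /\t/) == 0 && ("t" =~ /\t/).nil?
end

# Cross-check with the real engine: \h matches a hex digit, \H its negation.
def hex_class_escapes_behave?
  ("f" =~ /\h/) == 0 && ("g" =~ /\h/).nil? && ("g" =~ /\H/) == 0
end

if $PROGRAM_NAME == __FILE__
  classify_escapes('a\tb\h\.').each { |e| puts "#{e[:text]} => #{e[:kind]}" }
  puts "tab ok: #{tab_is_control_escape?}, hex ok: #{hex_class_escapes_behave?}"
end
```

A parser that treated `\t` as the literal `t` would, for example, see `/\t+/` as repetition of a letter rather than of a tab, and one that treated `\h` as a literal `h` would miss that it denotes a whole character class; both distortions change what a downstream analysis such as a ReDoS check reasons about.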
Nick Rolfe
9ec503a3a5
Merge remote-tracking branch 'origin/main' into regex
2021-06-24 18:16:13 +01:00
Nick Rolfe
17a59ef824
Add basic test for regex parsing
2021-06-24 18:06:08 +01:00
Nick Rolfe
51b0ffdaf8
Fix printAst to support adding edges in AstDesugar test
2021-06-24 17:14:23 +01:00
Tom Hvitved
9438885776
Merge pull request #216 from github/hvitved/synthesis-location
AST synthesis: Move location information into a separate predicate
2021-06-23 16:50:17 +02:00
Alex Ford
5941eb2be4
model some ActionController user input sources (params)
2021-06-23 14:11:38 +01:00
Tom Hvitved
1dde5b8ef9
AST synthesis: Move location information into a separate predicate
2021-06-23 08:46:07 +02:00
Alex Ford
dbf1805c8b
Merge pull request #196 from github/active-record-1
Start modelling some potential SQL fragment sinks in ActiveRecord
2021-06-22 16:05:26 +01:00
Nick Rolfe
65aa97c07c
Use RegExp prefix instead of Regex, for consistency with other languages.
2021-06-18 15:56:19 +01:00
Alex Ford
214532516b
try to avoid a future merge conflict
2021-06-17 14:41:51 +01:00
Alex Ford
bf43a77df5
Include some more types of expressions as possible active record SQL sink arguments
2021-06-15 12:41:42 +01:00
Alex Ford
c1b9952517
account for chained method calls when constructing ActiveRecord SQL queries
2021-06-15 11:39:48 +01:00
Alex Ford
f8a77b9854
format QL
2021-06-15 11:39:48 +01:00
Alex Ford
57c04266e3
rename SqlExecutingMethodCall as PotentiallyUnsafeSqlExecutingMethodCall
2021-06-15 11:39:48 +01:00
Alex Ford
2d4bb61789
limit SqlExecutingMethodCall to those that are called with a StringlikeLiteral argument
2021-06-15 11:39:48 +01:00
Alex Ford
c641d12259
add shell ActiveRecord library tests
2021-06-15 11:39:48 +01:00
Tom Hvitved
8860b8adf0
Merge pull request #198 from github/hvitved/desugar-compound-assignment
2021-06-10 19:39:54 +02:00
Alex Ford
f74dff560b
Merge pull request #187 from github/hardcoded-credentials
Add rb/hardcoded-credentials query
2021-06-10 16:12:32 +01:00
Alex Ford
e26afe91b5
move rb/hardcoded-credential alert location to the source
2021-06-07 14:53:04 +01:00
Alex Ford
5d79a8cec0
account for keyword args in rb/hardcoded-credentials and simplify query
2021-06-07 14:49:49 +01:00
Tom Hvitved
962768e7c0
Disambiguate toStrings for nested synthetic local variables
2021-06-04 19:20:11 +02:00
Tom Hvitved
82fbc03889
Merge pull request #200 from github/hvitved/dataflow/call-sensitivity
Data flow: Call-sensitive resolution of lambda/block calls
2021-06-04 16:25:13 +02:00
Alex Ford
ec326bfcb7
Merge pull request #201 from github/perm-file-report-source
Report rb/weak-file-permission alerts at source rather than sink and improve alert message
2021-06-04 14:52:48 +01:00
Alex Ford
8a3ffb6dca
add missing toString
2021-06-04 13:25:03 +01:00
Alex Ford
b2d36babc4
report rb/weak-file-permission alerts at source rather than sink and improve alert message
2021-06-04 13:10:18 +01:00
Tom Hvitved
61e35ddae1
Data flow: Call-sensitive resolution of lambda/block calls
2021-06-04 12:58:38 +02:00
Tom Hvitved
6678ac0347
Desugar compound assignments
2021-06-04 10:39:06 +02:00
Tom Hvitved
da9adfbab4
Improve performance of desugaring transformations
2021-06-04 10:34:00 +02:00
Tom Hvitved
57eee0368d
Add CFG tests for compound assignments
2021-06-04 10:34:00 +02:00
Tom Hvitved
1007f2aaff
Rename (Hash)SplatArgument to (Hash)SplatExpr and make them UnaryOperations
2021-06-04 10:04:06 +02:00
Tom Hvitved
372f8645a9
Add (hash)splat AST tests
2021-06-04 09:53:14 +02:00
Tom Hvitved
908e9ff3b5
Include desugared node in AstDesugar.ql
2021-06-03 14:46:32 +02:00
Tom Hvitved
5bafc0c708
Merge pull request #183 from github/hvitved/assign-op-desugar
Desugar setter assignments
2021-06-01 14:00:04 +02:00
Alex Ford
fdd4f7f616
attempt to use typetracker in rb/hardcoded-credentials
2021-06-01 12:22:04 +01:00
Alex Ford
f1303e0ced
remove WIP files
2021-06-01 12:22:04 +01:00
Alex Ford
4fdd072603
WIP: HardcodedCredentials query
2021-06-01 12:22:04 +01:00
Tom Hvitved
3ffef634d7
More synthesis refactoring
- Join `TElementReferenceSynth` and `TMethodCallSynth`.
- Move arity and setter information into `MethodCallKind`.
- Add `Synthesis::methodCall` for specifying which method calls need synthesis.
2021-05-31 16:29:41 +02:00
Tom Hvitved
f8b99291a7
Improve desugaring of setter assignments
2021-05-26 18:41:21 +02:00
Arthur Baars
ec905e0866
Merge pull request #168 from github/aibaars/typetrack-method
...
Call graph
2021-05-26 14:19:21 +02:00
Tom Hvitved
abcabeef06
Remove *Real predicates and enable recursive desugaring
2021-05-25 21:27:39 +02:00
Tom Hvitved
3f412e4fad
Desugar setter assignment operations
2021-05-25 21:27:39 +02:00
Tom Hvitved
b173cc332a
Desugar setter assignments
2021-05-25 21:27:39 +02:00
Tom Hvitved
b812012b71
Add CFG setter assignment test
2021-05-25 21:27:39 +02:00
Tom Hvitved
e85677a040
Adjust locations of synthesized AST nodes
2021-05-25 21:27:34 +02:00
Arthur Baars
ce23ae33e7
Fix Scope::parentOf for HereDocBody
2021-05-25 11:27:45 +02:00
Arthur Baars
bb62564c9e
Add test for heredoc with variables
2021-05-25 11:16:55 +02:00
Arthur Baars
0ccca47b01
Dataflow for implicit self argument of methods
2021-05-20 14:27:13 +02:00
Arthur Baars
eb8b2558da
Add types of lambdas and methods
2021-05-20 14:27:13 +02:00