codeql

mirror of https://github.com/github/codeql.git synced 2026-02-11 12:41:06 +01:00

Author	SHA1	Message	Date
Rasmus Wriedt Larsen	c05ffd4d00	JS/PY: Remove CWE-315 form CleartextLogging Since it is not relevant for this query: CWE-315: Cleartext Storage of Sensitive Information in a Cookie See https://cwe.mitre.org/data/definitions/315.html	2021-11-24 14:59:18 +01:00
Rasmus Wriedt Larsen	7dde52ced2	Merge pull request #7131 from RasmusWL/wsgiref.simple_server Python: Model `wsgiref.simple_server` applications	2021-11-24 14:22:23 +01:00
Rasmus Wriedt Larsen	2a5e0a3b77	Merge pull request #7145 from RasmusWL/remove-owasp-tags Python/Ruby: Remove owasp tags	2021-11-24 13:56:48 +01:00
Rasmus Wriedt Larsen	e2652591a5	Python: Change perf fix PoorMansFunctionResolution Thanks @yoff, this leaves us with the following evaluation, which looks very close to the one in the other fix (but with cleaner implementation) -- both at 688k max tuples (although numbers are not exactly the same). ``` [2021-11-24 13:48:40] (14s) Tuple counts for PoorMansFunctionResolution::getSimpleMethodReferenceWithinClass#ff/2@e5f05asv after 74ms: 47493 ~3% {3} r1 = JOIN Class::Class::getAMethod_dispred#ff WITH py_Classes ON FIRST 1 OUTPUT Lhs.1, 0, Lhs.0 47335 ~0% {2} r2 = JOIN r1 WITH AstGenerated::Function_::getArg_dispred#fff ON FIRST 2 OUTPUT Rhs.2, Lhs.2 46683 ~0% {2} r3 = JOIN r2 WITH DataFlowPublic::ParameterNode::getParameter_dispred#fb_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1 259968 ~4% {2} r4 = JOIN r3 WITH LocalSources::Cached::hasLocalSource#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1 161985 ~0% {3} r5 = JOIN r4 WITH Attributes::AttrRef::accesses_dispred#bff_102#join_rhs ON FIRST 1 OUTPUT Rhs.1 'result', Lhs.1, Rhs.2 161985 ~2% {3} r6 = JOIN r5 WITH Attributes::AttrRead#class#f ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Lhs.0 'result' 688766 ~0% {3} r7 = JOIN r6 WITH Function::Function::getName_dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1, Rhs.1 'func', Lhs.2 'result' 20928 ~0% {2} r8 = JOIN r7 WITH Class::Class::getAMethod_dispred#ff ON FIRST 2 OUTPUT Lhs.1 'func', Lhs.2 'result' return r8 ```	2021-11-24 13:52:05 +01:00
Mathias Vorreiter Pedersen	6d9cea90cb	Merge pull request #7226 from MathiasVP/shorter-ir-dataflow-paths C++: Hide some IR dataflow nodes	2021-11-24 11:13:52 +00:00
Rasmus Wriedt Larsen	47448d9efc	Python: Apply suggestions from code review Co-authored-by: yoff <lerchedahl@gmail.com>	2021-11-24 12:02:12 +01:00
Mathias Vorreiter Pedersen	6c7a01d3d5	C++: Add some comments to the two 'flowThrough' predicates.	2021-11-24 10:50:44 +00:00
yoff	f9729bccef	Merge pull request #7143 from RasmusWL/path-improvements Python: Model `posixpath` and `os.stat`	2021-11-24 11:36:06 +01:00
Anders Schack-Mulligen	a3b263ee6e	Merge pull request #7181 from bmuskalla/coverageAsDiagnostics Java: Add diagnostic query for framework coverage	2021-11-24 10:57:50 +01:00
Mathias Vorreiter Pedersen	2e7ddb479e	C++: Accept test changes.	2021-11-24 09:41:00 +00:00
Mathias Vorreiter Pedersen	4cbfc306ac	C++: Hide dataflow nodes if they're just used for flow-through for read steps or store steps.	2021-11-24 08:01:44 +00:00
Mathias Vorreiter Pedersen	8c9e817c0d	Merge pull request #7188 from github/redsun82/fix-operand-location C++: take IR Operand locations from definitions	2021-11-23 16:32:06 +00:00
Nick Rolfe	bb38c4d6fd	Merge pull request #6978 from github/nickrolfe/regex_injection Ruby: add regex injection query	2021-11-23 16:22:35 +00:00
Nick Rolfe	1a90b388a9	Merge remote-tracking branch 'origin/main' into nickrolfe/regex_injection	2021-11-23 15:42:05 +00:00
Paolo Tranquilli	055017de49	fix how non existing locations are accounted for	2021-11-23 15:28:16 +00:00
Paolo Tranquilli	9538ac73e4	account for non-existing locations	2021-11-23 15:28:16 +00:00
Paolo Tranquilli	d626745ab1	fix `ThisArgumentOperand` location The correct check to do to choose between using `getAnyDef` and `getUse` is to check whether the location is an instance of UknonwnLocation.	2021-11-23 15:28:16 +00:00
Paolo Tranquilli	e99a040884	implement review suggestions	2021-11-23 15:28:16 +00:00
Paolo Tranquilli	8b44d5c39e	sync files	2021-11-23 15:28:15 +00:00
Paolo Tranquilli	30805d964c	add `ThisArgumentOperand` special case	2021-11-23 15:28:15 +00:00
Paolo Tranquilli	9b818a04f2	sync	2021-11-23 15:28:15 +00:00
Paolo Tranquilli	0bb11fa371	fix PrintAST test run The refactored shouldDumpFunction was now rejecting functions without a location. This is fixed now.	2021-11-23 15:28:15 +00:00
Paolo Tranquilli	0547e4ccf2	update further test with new locations	2021-11-23 15:28:15 +00:00
Paolo Tranquilli	d4e80c664e	replace shouldDump -> shouldDumpLocation	2021-11-23 15:28:15 +00:00
Paolo Tranquilli	4498657384	Apply suggestions from code review Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>	2021-11-23 15:28:15 +00:00
Paolo Tranquilli	28806fe5f4	update test results after operand location changes	2021-11-23 15:28:15 +00:00
Paolo Tranquilli	6072ccd81d	auto-format	2021-11-23 15:28:15 +00:00
Paolo Tranquilli	0ff9520575	...and syncing files again	2021-11-23 15:28:15 +00:00
Paolo Tranquilli	b5165e3692	C++: more fine-grained Operand location change Only RegisterOperands need the change, with the notable exception of ThisArgumentOperand.	2021-11-23 15:28:15 +00:00
Paolo Tranquilli	5202f963dd	C++: sync Operand source	2021-11-23 15:28:15 +00:00
Paolo Tranquilli	74c0197544	C++: take IR Operand locations from definitions Previously Operand's getLocation would take it from the Operand use. This lead to slightly confusing query results, where for example an issue related to a call argument would highlight the function part of the call instead of the parameter.	2021-11-23 15:28:15 +00:00
Tom Hvitved	83d204d7a8	Merge pull request #7218 from hvitved/ssa/fix-consistency-tests Ruby: Fix SSA consistency tests + CFG bug	2021-11-23 16:24:41 +01:00
Tom Hvitved	4d918b5e5f	Ruby: Fix CFG splitting logic for `ensure` blocks with loops	2021-11-23 15:21:43 +01:00
Geoffrey White	3e1164f82e	Merge pull request #7109 from MathiasVP/remove-reference-to-as-load C++: Don't interpret 'ReferenceToInstruction' as a load	2021-11-23 13:56:22 +00:00
Alex Ford	055641e684	Merge pull request #7062 from github/ruby/rails-csrf Ruby: Add `rb/csrf-protection-disabled` query	2021-11-23 13:46:42 +00:00
Taus	8cccee6eba	Merge pull request #6972 from yoff/python/promote-redos Python: Promote ReDoS queries	2021-11-23 14:02:09 +01:00
Tom Hvitved	0bd587b395	Shared SSA: Sync files	2021-11-23 13:30:37 +01:00
Tom Hvitved	e185e9080c	Shared SSA: Fix consistency tests	2021-11-23 13:30:23 +01:00
Nick Rolfe	e5f473052d	Ruby: add Regexp.{compile,quote} to regex injection test	2021-11-23 11:05:41 +00:00
Tom Hvitved	9d072a12ed	Merge pull request #7098 from github/ruby/desugar-for-1 Ruby: Desugar `for` loops as calls to `each`	2021-11-23 11:35:49 +01:00
Mathias Vorreiter Pedersen	672485ae38	Merge branch 'main' into remove-reference-to-as-load	2021-11-23 10:24:17 +00:00
James Fletcher	21aff99637	Merge pull request #7215 from github/jf205-patch-1 Fix link formatting	2021-11-23 10:03:40 +00:00
Tom Hvitved	dcca5d28bb	Merge pull request #7172 from hvitved/ruby/ensure-split-cp Ruby: Remove CP in `EnsureSplitImpl::exit/3`	2021-11-23 11:02:23 +01:00
Benjamin Muskalla	50518b5622	Fix sum of rows	2021-11-23 10:42:24 +01:00
James Fletcher	b8e8ddf9ae	fix link	2021-11-23 08:38:39 +00:00
Anders Schack-Mulligen	a68b55b099	Merge pull request #7208 from hvitved/ruby/restrict-use-use Ruby: Restrict use-use flow	2021-11-23 09:33:43 +01:00
Henry Mercer	245edd41ff	Merge pull request #7186 from github/henrymercer/rename-available-models-predicate JS: [Internal only] Rename the available ML models external predicate	2021-11-22 18:26:46 +00:00
Nick Rolfe	13459c8afc	Ruby: add Regexp.compile as sink for regexp injection query	2021-11-22 17:43:55 +00:00
Nick Rolfe	4b42c4447b	Ruby: handle Regexp.quote wherever we handle Regexp.escape	2021-11-22 17:12:01 +00:00
Nick Rolfe	5b11cfe006	Ruby: fix up import path	2021-11-22 17:10:46 +00:00

1 2 3 4 5 ...

29533 Commits