codeql

mirror of https://github.com/github/codeql.git synced 2026-01-31 07:12:57 +01:00

Author	SHA1	Message	Date
Chris Smowton	c93b2b709d	Merge pull request #407 from smowton/smowton/fix/isunreachableincall-slowness Improve join order in `isUnreachableInCall`	2020-11-19 11:22:48 +00:00
Chris Smowton	38e383858e	Merge pull request #394 from smowton/smowton/feature/unsafe-unzip-symlink Add query checking for unpacking of symlinks without using EvalSymlinks to spot existing ones.	2020-11-18 19:10:18 +00:00
Chris Smowton	d1f607ccd8	Improve join order in `isUnreachableInCall`	2020-11-18 19:06:52 +00:00
Owen Mansel-Chan	7433d448d9	Merge pull request #406 from owen-mc/update-dataflow-libs-2 Update dataflow libs 2	2020-11-17 21:17:52 +00:00
Owen Mansel-Chan	ce67418cdc	Update tests These changes match those in https://github.com/github/codeql/pull/4440	2020-11-17 15:48:50 +00:00
Owen Mansel-Chan	d3154d0aa7	Sync dataflow libraries `make sync-dataflow-libraries`	2020-11-17 15:48:50 +00:00
Owen Mansel-Chan	4bfe088c0f	Update dataflow branch from master to main	2020-11-17 15:48:50 +00:00
Chris Smowton	79c010a601	Move unsafe-unzip-symlink query into qll file and give it customization points.	2020-11-16 09:57:26 +00:00
Chris Smowton	500d78dafa	Include `os.Readlink` as a probable sanitiser. A couple of projects seem to walk links one unit at a time, rather than just throwing `EvalSymlinks` at the whole potentially suspect path.	2020-11-16 09:57:26 +00:00
Chris Smowton	2193642c6e	Expand query to notice Symlink and archive iterator calls that do not directly share a loop We look across function-call boundaries to check there is some common enclosing loop, but false-positives are more likely if in practice there is no control-flow path from the archive iterator to the Symlink call and back.	2020-11-16 09:57:26 +00:00
Chris Smowton	1a2c209259	Add query checking for unpacking of symlinks without using EvalSymlinks to spot existing ones. This is usually dangerous because (if the archive is untrusted) the intent is usually to permit within-archive symlinks, e.g. dest/a/parent -> .. -> dest/a is an acceptable link to unpack. However if EvalSymlinks is not used to take already-unpacked symlinks into account, it becomes possible to sneak tricks like dest/escapes -> dest/a/parent/.. through, which create links leading out of the archive for later abuse.	2020-11-16 09:57:26 +00:00
Chris Smowton	43f9351094	Merge pull request #405 from igfoo/igfoo/portability Use more portable syntax in codeql-tools/autobuild.sh	2020-11-13 14:59:54 +00:00
Ian Lynagh	f5223bae4c	Use more portable syntax in codeql-tools/autobuild.sh	2020-11-13 14:30:04 +00:00
Chris Smowton	82a5b5f264	Merge pull request #369 from sauyon/checkdeps Check dependencies before skipping dependency installation	2020-11-11 09:54:33 +00:00
Chris Smowton	04cec8b542	Merge pull request #400 from sauyon/autoformat Autoformat tests	2020-11-11 09:51:50 +00:00
Nick Rolfe	c7e03cbd98	Merge pull request #398 from github/nickrolfe/getFileBySourceArchiveName Replace getEncodedFile with getFileBySourceArchiveName predicate	2020-11-10 18:19:00 +00:00
Sauyon Lee	5a9b8a5465	Autoformat	2020-11-10 09:35:29 -08:00
Sauyon Lee	80c2fcdbb8	Autoformat tests	2020-11-10 09:35:16 -08:00
Nick Rolfe	17b6401c22	Replace getEncodedFile with getFileBySourceArchiveName predicate While also making it work with paths for databases created on Windows.	2020-11-10 16:43:21 +00:00
Chris Smowton	235b7c0bc5	Merge pull request #395 from sauyon/regexp SuspiciousCharacterInRegexp: Add fix for raw string literals	2020-11-10 12:18:38 +00:00
Sauyon Lee	0950baf4b7	Add additional tests for suspicious character in regexp regexp	2020-11-09 10:36:27 -08:00
Sauyon Lee	eb26b0abd1	SuspiciousCharacterInRegexp: Add fix for raw string literals	2020-11-09 10:10:47 -08:00
Sauyon Lee	52d253a95b	Add isRaw to StringLit	2020-11-09 10:08:51 -08:00
Chris Smowton	33f43626b3	Merge pull request #396 from sauyon/remove-code-scanning Remove code scanning temporarily	2020-11-09 10:58:55 +00:00
Sauyon Lee	920f7153c8	autobuilder: Add dependency check Sometimes build scripts succeed without installing dependencies, for example if they are unrelated to Go or if they simply always exit successfully. Therefore, added a check that dependencies at least resolve before skipping dependency installation.	2020-11-09 02:13:48 -08:00
Sauyon Lee	4a53bfdebf	autobuilder: Only set mod mode when go.mod exists	2020-11-09 02:13:47 -08:00
Sauyon Lee	cc0a40e712	Remove code scanning until build tracing is implemented.	2020-11-09 02:11:05 -08:00
Chris Smowton	0938437d13	Merge pull request #373 from smowton/smowton/feature/golang-x-net-html Add models for the read side of golang.org/x/net/html	2020-11-06 16:20:45 +00:00
Sauyon Lee	a78c35b95e	Simplify net/http ResponseBody logic	2020-11-06 11:18:46 +00:00
Sauyon Lee	8a306af77b	Make HTTP::ResponseWriter handle PostUpdateNodes in getANode	2020-11-06 11:18:46 +00:00
Chris Smowton	3817ae80e5	Add support for html.Render method. This entails generalising Http::ResponseBody to account for any modelled function writing to a ResponseWriter.	2020-11-06 11:04:53 +00:00
Chris Smowton	02f353eabd	Add models for the read side of golang.org/x/net/html This covers cases where an HTML document is retrieved and then parts of its structure are output without proper escaping.	2020-11-06 11:04:53 +00:00
Chris Smowton	03bbef7286	Add models for the read side of golang.org/x/net/html This covers cases where an HTML document is retrieved and then parts of its structure are output without proper escaping.	2020-11-06 11:04:53 +00:00
Chris Smowton	e4aa252d6b	Merge pull request #381 from sauyon/gomodfix Update dependencies and clean go.mod	2020-11-06 10:14:22 +00:00
Chris Smowton	582f8e444b	Merge pull request #393 from smowton/smowton/fix/cfg-assignment-underscores CFG: fix lastNode relating to assignments with underscores on the LHS	2020-11-03 14:32:57 +00:00
Chris Smowton	3b927f3b6b	CFG: fix lastNode relating to assignments with underscores on the LHS For example, "x, _ := a, b" would produce an incorrect CSV that branched to the next statement after evaluating "b", skipping the assignment to 'x'. We already had test coverage for function returns, so I'm reasonably confident this only affects parallel assigns, not destructuring ones like "x, y := f()".	2020-11-03 12:00:54 +00:00
Sauyon Lee	3c84f11d5b	Merge pull request #385 from github/sauyon-patch-1 Enable code scanning	2020-10-29 11:00:08 -07:00
Chris Smowton	cbc2443236	Merge pull request #390 from smowton/smowton/admin/links-master-to-main Docs: replace master with main and QL4E with VSCode	2020-10-29 11:06:33 +00:00
Chris Smowton	1c75c9d1e9	Docs: Master -> main and Semmle/ql -> github/codeql everywhere Also fix a reference to QL for Eclipse, and remove some incidental trailing whitespace	2020-10-29 11:04:49 +00:00
Chris Smowton	0f637c5887	Merge pull request #379 from smowton/model-revel Model Revel	2020-10-28 09:56:25 +00:00
Chris Smowton	7ddb289910	Merge pull request #389 from github/aibaars/fix-broken-links Update links in ql/docs/experimental.md	2020-10-28 09:55:21 +00:00
Arthur Baars	31cd26fded	Update links in ql/docs/experimental.md	2020-10-28 10:12:52 +01:00
Chris Smowton	0bf80641e8	Revel: mark header reads as user-controlled data	2020-10-26 12:26:37 +00:00
Chris Smowton	f0c0a890a5	Move OpenUrlRedirect customisation into the query's qll file	2020-10-26 12:25:56 +00:00
Chris Smowton	4a2c4bf1b8	Merge pull request #387 from sauyon/testing-framework Add a testing framework	2020-10-26 10:32:22 +00:00
Sauyon Lee	64ac49a618	Merge pull request #380 from sauyon/funtionmodel-shortcuts Add utility predicates to FunctionModel	2020-10-23 02:26:51 -07:00
Chris Smowton	e9278b5477	Merge pull request #386 from smowton/smowton/admin/improve-error-messages Improve error messages	2020-10-23 08:27:03 +01:00
Sauyon Lee	47f40d5f3e	Add tests for log frameworks	2020-10-22 09:18:53 -07:00
Sauyon Lee	671b427e1e	Add shared testing framework It has been modified to use `hasLocation` instead of `Location`	2020-10-22 09:18:52 -07:00
Sauyon Lee	1e034a1dd5	Add logrus to go.qll	2020-10-22 09:18:52 -07:00

1 2 3 4 5 ...

1480 Commits