hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-29 22:32:58 +01:00
Code Issues Packages Projects Releases Wiki Activity
405 Commits 1,684 Branches 159 Tags
cc13a5d6183979ffdc33bbb7e551efe5cc1206fb
Commit Graph

279 Commits

Author SHA1 Message Date
Sauyon Lee
cc13a5d618 OpenUrlRedirect: Expand safe URL flow configuration 
Also add some more tests
 2020-03-25 04:01:08 -07:00
Aditya Sharad
c44e5379df Experimental: Remove query precision for now. 
Address review comment.
 2020-03-24 10:57:51 -07:00
Aditya Sharad
4f32d6651c Experimental: Add sanitiser edge for request forgery. 
Consider a URL string sanitised if the hostname cannot be controlled.
This approach is used by URL redirection queries.
 2020-03-24 10:57:51 -07:00
Aditya Sharad
f984532236 Experimental: Add query for request forgery. 
Tracks the flow of tainted data from untrusted input to the URL of an HTTP request.
Ported from the corresponding query for JavaScript, though currently limited in scope.
Includes companion libraries for customisation.
 2020-03-24 10:57:51 -07:00
Aditya Sharad
d41e6a9d85 Model HTTP request functions in net/http package. 2020-03-24 10:57:51 -07:00
Aditya Sharad
b057ce8d46 Concepts: Add HTTP::ClientRequest class and module. 
Extensible model of client requests to a URL.
Ported from the CodeQL JavaScript library.
 2020-03-24 10:57:51 -07:00
intrigus-lgtm
24b3133e0c Fix error in Qldoc 2020-03-24 17:53:51 +01:00
Max Schaefer
8dda4bd97f Merge pull request #66 from intrigus-lgtm/CWE-643 
CWE-643 XPathInjection on Go
 2020-03-24 10:53:57 +00:00
Sauyon Lee
81e13473db Merge pull request #69 from max-schaefer/issue-72 
Track taint through element writes.
 2020-03-24 03:41:05 -07:00
intrigus
1f635806b3 Fix copy-paste errors, remove debugging code 2020-03-23 16:49:45 +01:00
intrigus-lgtm
9187bacd3c Apply suggestion from code review 
Use getUnderlyingType() to account for named aliases.

Co-Authored-By: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
 2020-03-23 16:45:56 +01:00
Max Schaefer
62b79721ea Track taint through element writes. 
This adds a taint step from `pred` to (the post-update node) of `succ` in `succ[idx] = pred` and its syntactic variants.

Unlike for structs, where partially tainted values are quite common, the theory is that arrays, maps, and slices are usually either completely tainted or completely clean.
 2020-03-23 09:15:01 +00:00
intrigus
d81c9b145e Update query help to use goxpath 2020-03-20 21:38:46 +01:00
intrigus
948b79df87 Update xpath example, use goxpath package 2020-03-20 21:38:46 +01:00
intrigus
c7ead88b91 Restructure query, add default sanitizer 2020-03-20 21:38:46 +01:00
intrigus-lgtm
ec40cf0379 Apply suggestions from review 
Co-Authored-By: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
 2020-03-20 21:38:02 +01:00
Max Schaefer
60fe6f4390 Add missing Qldoc for modules. 2020-03-20 17:36:08 +00:00
intrigus
d6ff6b74c5 CWE-643 XPathInjection on Go 2020-03-19 22:26:37 +01:00
Max Schaefer
f53732ec5a Merge pull request #39 from sauyon/go1.14 
Go 1.14 support
 2020-03-18 10:08:50 +00:00
Max Schaefer
0a59470640 Fix tests. (#3) 2020-03-18 02:10:24 -07:00
Max Schaefer
ad1324d2dd Add test. 2020-03-17 12:08:42 +00:00
Max Schaefer
49c5779112 Add model of go-pg/pg. 2020-03-17 12:08:42 +00:00
Sauyon Lee
e9b47298ed Merge pull request #61 from max-schaefer/better-method-sets 
Reformulate `Method.hasQualifiedName` in terms of method sets
 2020-03-17 07:46:19 -04:00
Max Schaefer
8cadc94f49 Clarify behaviour of getMethod on struct types. 2020-03-17 10:58:58 +00:00
Max Schaefer
74bcfdd01c Remove an unused and potentially confusing predicate. 2020-03-16 13:24:57 +00:00
Max Schaefer
0fc7febd1d Add another test. 2020-03-13 15:54:39 +00:00
Max Schaefer
f41151350a Merge pull request #60 from sauyon/bitwise-xor-fps 
MistypedExponentiation: Add a heuristic to reduce FPs
 2020-03-13 15:46:03 +00:00
Max Schaefer
8898858fff Add tests. 2020-03-13 14:19:27 +00:00
Max Schaefer
5175f1dcbe Take promoted methods into account when computing method sets. 2020-03-13 14:19:27 +00:00
Max Schaefer
d0c6206a6a Reformulate hasQualifiedName in terms of method sets. 2020-03-13 14:19:27 +00:00
Sauyon Lee
78ad006e68 Merge pull request #55 from max-schaefer/tainted-arithmetic 
Add new query `AllocationSizeOverflow`.
 2020-03-13 07:16:54 -07:00
Max Schaefer
39fa6052e6 Also treat second argument to make (slice capacity) as an allocation size. 2020-03-13 12:17:53 +00:00
Max Schaefer
864c85e886 Fix typo. 2020-03-13 10:27:58 +00:00
Max Schaefer
b2f1da8942 Simplify a condition. 2020-03-13 10:27:58 +00:00
Max Schaefer
d66888e651 Make query more extensible. 2020-03-13 10:27:58 +00:00
Max Schaefer
ea36d49218 Add new query AllocationSizeOverflow. 2020-03-13 10:18:51 +00:00
Sauyon Lee
630d0cef89 Address review comments 2020-03-12 09:13:52 -07:00
Sauyon Lee
6e681f829b MistypedExponentiation: Add a heuristic to reduce FPs 2020-03-12 09:13:52 -07:00
Max Schaefer
b3022c9fc8 Standardise RangeAnalysis.qll. 
This brings the library in line with our usual syntactic conventions regarding QLDoc and names. I've also made a few superficial simplifications here and there.

Overall, the code would benefit from being rewritten to make use of the data-flow graph, but that is a larger undertaking.
 2020-03-11 11:20:59 +00:00
Max Schaefer
a95b9c8e02 Rename a few files and clean up wording. 2020-03-11 11:04:42 +00:00
Max Schaefer
2fd925fe90 Autoformat. 2020-03-11 10:47:23 +00:00
Max Schaefer
f1d489f6f9 Merge pull request #51 from singleghost/master 
Add integer overflow detection support for codeql-go.
 2020-03-11 10:00:39 +00:00
Max Schaefer
a8c1731f9d Merge pull request #50 from sauyon/uintptr 
Make uintptrtype a subclass of unsignedintegertype
 2020-03-11 09:57:00 +00:00
singleghost
2aa2f608a3 Move files related to integer overflow detection under the src/experimental folder 2020-03-10 19:02:05 +08:00
Sauyon Lee
cdf3bc4fa0 Merge pull request #52 from max-schaefer/issue-48 
Improve taint-tracking through pointers and other fixes
 2020-03-09 06:36:43 -07:00
Sauyon Lee
2428efcb6d Make @uintptrtype a @unsignedintegertype 2020-03-09 04:40:02 -07:00
Sauyon Lee
5b81775670 Fix constant values test data 2020-03-09 04:40:01 -07:00
Max Schaefer
4dca00e99c Merge pull request #45 from sauyon/go-mod-libs 
Go.mod extraction libraries and tests
 2020-03-09 09:40:41 +00:00
singleghost
77ec4c913f Add integer overflow detection support for codeql-go. 
I wrote a ql library which can perform range analysis on expression and
can detect whether an arithmetic operation may overflow. I wrote this library with reference to the `SimpleRangeAnalysis.qll` for C language. I hope this helps a little bit for those who want to detect integer overflow issues in code.
 2020-03-07 21:34:38 +08:00
Max Schaefer
1be0cc57a8 Add test case from https://github.com/github/codeql-go/issues/48. 2020-03-06 17:35:50 +00:00