Commit Graph

25670 Commits

Author SHA1 Message Date
Fosstars
c80a1da483 Don't consider copyOf() and clone() in ArrayUpdate 2021-08-25 12:11:34 +02:00
Tom Hvitved
ab2bc38789 C#: Use shared logic in NodeGraph.ql test 2021-08-25 11:35:12 +02:00
Tom Hvitved
d405284d36 C#: Make CFG library shared 2021-08-25 11:35:11 +02:00
Asger Feldthaus
87843a3794 JS: Autoformat 2021-08-25 10:37:37 +02:00
Tom Hvitved
01f7fdfea5 C#: Update call-context data-flow tests 2021-08-25 10:34:53 +02:00
Erik Krogh Kristensen
c664d7cfb3 add a getMaybePromisifiedCall method in API graphs, and use it to model child_process 2021-08-25 10:27:09 +02:00
Rasmus Wriedt Larsen
605bd19306 Python: Add CWE-328 to py/weak-sensitive-data-hashing
Reading over the description at https://cwe.mitre.org/data/definitions/328.html:

> The product uses a hashing algorithm that produces a hash value that can be used to determine the original input, or to find an input that can produce the same hash, more efficiently than brute force techniques.

For data that does not require computationally expensive hashing, those will be exactly the problems that this query finds 👍 (that is, MD5, SHA1)
2021-08-25 10:19:22 +02:00
Jonas Jensen
abdf993e47 Merge pull request #6537 from andersfugmann/implicit_downcast_involving_references
Implicit downcast involving references
2021-08-25 09:45:32 +02:00
Anders Peter Fugmann
67a267d971 Update cpp/change-notes/2021-08-24-implicit-downcast-from-bitfield.md
Co-authored-by: Jonas Jensen <jbj@github.com>
2021-08-25 08:58:44 +02:00
Andrew Eisenberg
e23df94748 Packaging: Fix identical files script 2021-08-24 16:12:43 -07:00
Andrew Eisenberg
8f73c6968a Merge pull request #6542 from github/aeisenberg/pack/move-external
Java: Move the ExternalArtifact.qll module to the library pack
2021-08-24 16:07:26 -07:00
yo-h
2b4635c4e0 Merge pull request #6539 from smowton/smowton/admin/downgrade-sql-unescaped
Downgrade precision of java/concatenated-sql-query
2021-08-24 17:22:01 -04:00
Andrew Eisenberg
3660c64328 Packaging: Refactor Python core libraries
Extract the external facing `qll` files into the codeql/python-all
query pack.
2021-08-24 13:23:45 -07:00
Andrew Eisenberg
7f3066cd64 Java: Move the ExternalArtifact.qll module to the library pack 2021-08-24 13:01:02 -07:00
Chris Smowton
2689c13bde Merge pull request #6485 from Marcono1234/marcono1234/field-initializer-fix
Java: Fix Field.getInitializer() matching non-initializer assignments
2021-08-24 20:52:02 +01:00
Geoffrey White
8f38ab0116 Merge pull request #6540 from jbj/ctime-weaken-claims
C++: Lower potentially-dangerous-function precision
2021-08-24 17:01:23 +01:00
Jonas Jensen
19ee64d9ad C++: Lower potentially-dangerous-function precision
There have been multiple reports of false positives from this query over
time. Now that it has `@security-severity 10.0`, these false positives
look even worse.

The query looks purely for calls to functions with certain names, not
at whether the calls happen in a dangerous context. To justify a higher
precision, the query should only flag calls that happen in a thread or
another non-reentrant context.
2021-08-24 17:14:42 +02:00
yoff
2f5ed03798 Merge pull request #6323 from RasmusWL/sec-test-layout
Python: Restructure security tests to contain query name
2021-08-24 16:50:08 +02:00
Chris Smowton
5a2dfda09e Add test for field initializers 2021-08-24 14:04:45 +01:00
Marcono1234
c8d98ae649 Java: Fix Field.getInitializer() matching non-initializer assignments 2021-08-24 14:04:44 +01:00
Asger Feldthaus
8a564cc64b JS: Fix qldoc 2021-08-24 14:31:00 +02:00
Asger F
8f8a46848d Update javascript/ql/src/semmle/javascript/frameworks/Templating.qll
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2021-08-24 14:16:41 +02:00
CodeQL CI
c66a34be9c Merge pull request #6533 from erik-krogh/cwdPath
Approved by asgerf
2021-08-24 13:10:38 +01:00
CodeQL CI
c0e8680c81 Merge pull request #6534 from erik-krogh/fallbackEntry
Approved by asgerf
2021-08-24 11:38:25 +01:00
Erik Krogh Kristensen
99d7e8b953 add change note 2021-08-24 12:35:20 +02:00
Chris Smowton
7f73efe3e1 Downgrade precision of java/concatenated-sql-query 2021-08-24 10:46:01 +01:00
Rasmus Wriedt Larsen
ca341bde08 Merge pull request #5612 from jty-team/jty/python/nosqlInjection
Python: CWE-943 - Add NoSQL injection query
2021-08-24 11:29:25 +02:00
Anders Fugmann
6b66f5dbb4 C++: Add change note for implicit downcasting involving references 2021-08-24 10:26:25 +02:00
Anders Fugmann
6d4b7c828c C++: Remove superfluous 'and any()' 2021-08-24 09:37:39 +02:00
Ian Lynagh
43355feaeb Merge pull request #6536 from github/igfoo/getPrimaryQlClasses
All languages: Add getPrimaryQlClasses()
2021-08-23 19:49:37 +01:00
Geoffrey White
bc9994774a Merge pull request #6515 from MathiasVP/clarify-initialization-vs-assignment-in-docs
C++: Clarify difference between 'Initializer' and 'Assignment'.
2021-08-23 18:00:36 +01:00
Ian Lynagh
1e06808105 Update cpp/change-notes/2021-08-23-getPrimaryQlClasses.md
Co-authored-by: Jonas Jensen <jbj@github.com>
2021-08-23 16:52:07 +01:00
Chris Smowton
57d44b8a40 Merge pull request #6538 from atorralba/atorralba/fix-test-generator-qlpack
Java: Adapt test generator to new qlpack name
2021-08-23 15:57:38 +01:00
Ian Lynagh
a9db1c52e5 All languages: Add getPrimaryQlClasses()
This is a non-overridable predicate that concatenates all the
getAPrimaryQlClass() results into a comma-separated string.
2021-08-23 15:49:10 +01:00
Shati Patel
2a51abdee3 Merge pull request #6523 from shati-patel/vscode-docs
Docs: Minor tweaks to VS Code docs (query history + viewing results)
2021-08-23 15:06:09 +01:00
Tony Torralba
1ee2f6f207 Adapt test generator to new package name 2021-08-23 16:05:13 +02:00
Erik Krogh Kristensen
38477d7d2e Merge pull request #6462 from erik-krogh/repeat
JS: support more regular expressions in js/incomplete-multi-character-sanitization
2021-08-23 15:39:31 +02:00
Shati Patel
1dc18c4f9c Update docs/codeql/codeql-for-visual-studio-code/analyzing-your-projects.rst
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
2021-08-23 14:37:51 +01:00
yoff
0c0f335b1c Merge pull request #6508 from github/RasmusWL-patch-1
Python: Update comment for RegExpTreeView isExcluded
2021-08-23 15:07:29 +02:00
Anders Fugmann
c04ba7b724 C++: Revert benign change of return type from 'unsigned int' to 'int' in testcase, and add 'GOOD' annotation to the testcase 2021-08-23 14:58:43 +02:00
Anders Fugmann
9324d8f348 C++: Fix case where implicit downcasts were not detected when using reference 2021-08-23 14:44:49 +02:00
Anders Fugmann
8939a9b2c1 C++: Add tests for implicit downcast involving references 2021-08-23 14:42:36 +02:00
Chris Smowton
0210d85ce8 Merge pull request #6499 from github/workflow/coverage/update
Update CSV framework coverage reports
2021-08-23 11:26:36 +01:00
shati-patel
e1ae531b62 Docs: Auto-update copyright year 2021-08-23 11:11:31 +01:00
Chris Smowton
4cfa0f66a8 Merge pull request #6526 from github/aeisenberg/pack/java-default
Packaging: Migrate default.qll
2021-08-23 11:05:00 +01:00
yoff
467aa647da Merge pull request #6507 from tausbn/python-prevent-polynomial-redos-explosion
Python: Prevent explosion in poly-ReDoS query
2021-08-23 11:48:14 +02:00
Rasmus Lerchedahl Petersen
34d7772a0d Python: Move constraints into branch charpreds
For sequences and alternations, we require at least one child.
Otherwise, we wish to represent the term differently.
This avoids multiple representations.
2021-08-23 11:44:00 +02:00
Erik Krogh Kristensen
5fe6671cc5 making it more explicit what character class matching is used for 2021-08-23 08:30:50 +02:00
Erik Krogh Kristensen
5d232bbfce recognize more src folders when "main" in package.json points to a compiled output 2021-08-23 08:09:01 +02:00
Erik Krogh Kristensen
32ac8778bd add the cwd option to shell executions as a sink to js/path-injection 2021-08-23 07:32:05 +02:00