hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 21:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity
13,211 Commits 1,747 Branches 166 Tags
cf3142e0834df654f01826ce3ecfb50e5fdf1142
Commit Graph

13211 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
ubuntu
cf3142e083 Updated qhelp with a third example 2020-06-10 23:09:35 +02:00
ubuntu
92f9f320f9 Added new example of an unsafe event.origin verification 2020-06-10 23:07:05 +02:00
ubuntu
ab65ec40c0 Add Codeql to detect missing 'Message.origin' validation when using postMessage API 2020-06-08 20:18:34 +02:00
Dave Bartolomeo
398678a28b Merge pull request #3637 from jbj/dispatch-global-perf 
C++: Fix data-flow dispatch perf with globals
 2020-06-08 11:19:37 -04:00
semmle-qlci
1a7570ebbe Merge pull request #3563 from RasmusWL/python-fabric-execute 
Approved by tausbn
 2020-06-08 16:00:49 +01:00
Henning Makholm
5daf1db5e5 Merge pull request #3615 from github/fix-root-defintion 
QL Specification: Fix mistake in dispatch computation
 2020-06-08 14:34:58 +02:00
Jonas Jensen
c62220e0dc C++: Fix data-flow dispatch perf with globals 
There wasn't a good join order for the "store to global var" case in the
virtual dispatch library. When a global variable had millions of
accesses but few stores to it, the `flowsFrom` predicate would join to
see all those millions of accesses before filtering down to stores only.
The solution is to pull out a `storeIntoGlobal` helper predicate that
pre-computes which accesses are stores.

To make the code clearer, I've also pulled out a repeated chunk of code
into a new `addressOfGlobal` helper predicate.

For the kamailio/kamailio project, these are the tuple counts before:

    Starting to evaluate predicate DataFlowDispatch::VirtualDispatch::DataSensitiveCall::flowsFrom#fff#cur_delta/3[3]@21a1df (iteration 3)
    Tuple counts for DataFlowDispatch::VirtualDispatch::DataSensitiveCall::flowsFrom#fff#cur_delta:
    ...
    59002      ~0%     {3} r17 = SCAN DataFlowDispatch::VirtualDispatch::DataSensitiveCall::flowsFrom#fff#prev_delta AS I OUTPUT I.<1>, true, I.<0>
    58260      ~1%     {3} r31 = JOIN r17 WITH DataFlowUtil::Node::asVariable_dispred#fb AS R ON FIRST 1 OUTPUT R.<1>, true, r17.<2>
    2536187389 ~6%     {3} r32 = JOIN r31 WITH Instruction::VariableInstruction::getASTVariable_dispred#fb_10#join_rhs AS R ON FIRST 1 OUTPUT R.<1>, true, r31.<2>
    2536187389 ~6%     {3} r33 = JOIN r32 WITH project#Instruction::VariableAddressInstruction#class#3#ff AS R ON FIRST 1 OUTPUT r32.<0>, true, r32.<2>
    58208      ~0%     {3} r34 = JOIN r33 WITH Instruction::StoreInstruction::getDestinationAddress_dispred#ff_10#join_rhs AS R ON FIRST 1 OUTPUT R.<1>, true, r33.<2>

Tuple counts after:

    Starting to evaluate predicate DataFlowDispatch::VirtualDispatch::DataSensitiveCall::flowsFrom#fff#cur_delta/3[3]@6073c5 (iteration 3)
    Tuple counts for DataFlowDispatch::VirtualDispatch::DataSensitiveCall::flowsFrom#fff#cur_delta:
    ...
    59002    ~0%     {3} r17 = SCAN DataFlowDispatch::VirtualDispatch::DataSensitiveCall::flowsFrom#fff#prev_delta AS I OUTPUT I.<1>, true, I.<0>
    58260    ~1%     {3} r23 = JOIN r17 WITH DataFlowUtil::Node::asVariable_dispred#ff AS R ON FIRST 1 OUTPUT R.<1>, true, r17.<2>
    58208    ~0%     {3} r24 = JOIN r23 WITH DataFlowDispatch::VirtualDispatch::storeIntoGlobal#ff_10#join_rhs AS R ON FIRST 1 OUTPUT R.<1>, true, r23.<2>
    58208    ~0%     {3} r25 = JOIN r24 WITH DataFlowUtil::InstructionNode#ff_10#join_rhs AS R ON FIRST 1 OUTPUT true, r24.<2>, R.<1>

Notice that the final tuple count, 58208, is the same before and after.

The kamailio/kamailio project seems to have been affected by this issue
because it has global variables to do with logging policy, and these
variables are loaded from in every place where their logging macro is
used.
 2020-06-08 11:48:40 +02:00
Anders Schack-Mulligen
8513c6981c Merge pull request #3329 from artem-smotrakov/mvel-injection 
Java: Add a query for MVEL injections
 2020-06-08 11:48:00 +02:00
Calum Grant
00078d14b9 Merge pull request #3601 from hvitved/csharp/overlapping-configs 
C#: Avoid multiple taint-tracking configurations
 2020-06-08 10:21:40 +01:00
Anders Schack-Mulligen
ad8647f345 Merge pull request #3547 from pwntester/issue_3139 
add support for java.io.StringWriter
 2020-06-08 10:02:23 +02:00
Pavel Avgustinov
7c0b8f5587 Merge pull request #3622 from aschackmull/mergeback-124 
Mergeback rc/1.24 -> master
 2020-06-08 08:38:12 +01:00
Anders Schack-Mulligen
e444bcc923 Merge pull request #3634 from Marcono1234/MagicConstants-code-style 
Fix Java code style of MagicConstants examples
 2020-06-08 09:34:48 +02:00
Anders Schack-Mulligen
be862280b2 Update java/ql/src/semmle/code/java/dataflow/internal/TaintTrackingUtil.qll 
Fix trailing whitespace
 2020-06-08 09:18:39 +02:00
Marcono1234
ad1146a23a Fix Java code style of MagicConstants examples 
- Use recommended ordering of modifiers
- Use recommended variable naming scheme
 2020-06-07 01:00:27 +02:00
Dave Bartolomeo
d4e1ee8aa7 Merge pull request #3629 from MathiasVP/remove-initialize-this-from-value-numbering 
C++: Remove TInitializeThisValueNumber from IR value numbering
 2020-06-05 15:55:20 -04:00
Henning Makholm
d2d235d7a4 Merge pull request #3476 from hmakholm/pr/module-res-update 
QL language specification: bring library path documentation up to date
 2020-06-05 18:12:35 +02:00
Henning Makholm
c2c70d7627 QL specification: typo fix 
Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
 2020-06-05 18:01:21 +02:00
Artem Smotrakov
b7c3dd666c Java: Clean up MVEL injection query 2020-06-05 17:22:45 +03:00
Artem Smotrakov
2842aeee72 Java: Simplified MvelInjectionLib 2020-06-05 17:17:43 +03:00
Artem Smotrakov
4a83fb8cc1 Java: Simplified MvelInjection test 2020-06-05 17:17:43 +03:00
Artem Smotrakov
df9d10f2ac Java: Added MVELRuntime.execute() sink for MVEL injections 2020-06-05 17:17:43 +03:00
Artem Smotrakov
fa717b2d86 Java: Added template sinks for MVEL injections 2020-06-05 17:17:43 +03:00
Artem Smotrakov
8fd72659ec Java: Added JSR 223 sinks for MVEL injections 
- Updated MvelInjectionLib.qll
- Added tests and stubs for JSR 223 API
 2020-06-05 17:17:43 +03:00
Artem Smotrakov
6a6c805048 Java: Added Accessor sink for MVEL injections 2020-06-05 17:13:24 +03:00
Artem Smotrakov
12e0234d40 Java: Added CompiledAccExpression sink for MVEL injections 2020-06-05 17:13:24 +03:00
Artem Smotrakov
32ff5ad496 Java: Added CompiledExpression sink for MVEL injections 2020-06-05 17:13:24 +03:00
Artem Smotrakov
c6c4c2c99b Java: Add a query for MVEL injections 
- Added experimental/Security/CWE/CWE-094/MvelInjection.ql
- Added experimental/Security/CWE/CWE-094/MvelInjectionLib.qll
- Added a qhelp file with an example of vulnerable code
- Added tests and stubs for mvel2-2.4.7
 2020-06-05 17:13:24 +03:00
yoff
e5480e471a Merge pull request #3591 from RasmusWL/python-taintkind-fixup 
Python: Fix some problems in TaintKind useage
 2020-06-05 16:03:18 +02:00
Anders Schack-Mulligen
e4e51b5027 Merge pull request #3291 from artem-smotrakov/spel-injection 
Java: Add a query for SpEL injections
 2020-06-05 15:51:38 +02:00
Mathias Vorreiter Pedersen
7642680ab9 C++: Also remove TInitializeThisValueNumber from the AST wrapper 2020-06-05 15:26:09 +02:00
Mathias Vorreiter Pedersen
1a33a3b7e1 Merge branch 'master' into remove-initialize-this-from-value-numbering 2020-06-05 15:03:54 +02:00
Mathias Vorreiter Pedersen
d49c0f7b67 C++: Sync identical files 2020-06-05 15:01:18 +02:00
Mathias Vorreiter Pedersen
15fa7be09a C++: Remove TInitializeThisValueNumber case from IR value numbering 2020-06-05 15:01:11 +02:00
semmle-qlci
ff6936caa7 Merge pull request #3625 from erik-krogh/CVE714 
Approved by asgerf
 2020-06-05 12:21:10 +01:00
semmle-qlci
69a1e11c06 Merge pull request #3609 from erik-krogh/CredFN 
Approved by asgerf, esbena
 2020-06-05 10:49:01 +01:00
Erik Krogh Kristensen
82cf53897f TypeOfCheck -> TypeOfUndefinedSanitizer 
Co-authored-by: Asger F <asgerf@github.com>
 2020-06-05 11:35:39 +02:00
Erik Krogh Kristensen
05d7be8e23 autoformat 2020-06-05 09:59:45 +02:00
Erik Krogh Kristensen
96ca4cf7eb add missing quote 2020-06-04 19:45:24 +00:00
Erik Krogh Kristensen
815671f5d0 add sanitizer guard for typeof undefined 2020-06-04 21:32:26 +02:00
Henning Makholm
269fa3a140 comments from alexet 
Put 'the query directory of the current file` back in the description.
 2020-06-04 20:41:54 +02:00
Jonas Jensen
ad2d1d531b Merge pull request #3616 from dbartol/dbartol/sync-missing 
Allow missing files in `sync-files --latest`
 2020-06-04 16:52:44 +02:00
Rasmus Wriedt Larsen
1ff369f62d Python: Update test results for fabric.api.execute 2020-06-04 16:30:03 +02:00
semmle-qlci
22a651cb5c Merge pull request #3621 from max-schaefer/js/qltest-experimental 
Approved by asgerf, erik-krogh
 2020-06-04 14:19:17 +01:00
Dave Bartolomeo
0666a2e587 Remove usage of f-string 2020-06-04 08:48:14 -04:00
Dave Bartolomeo
e2afad91dd Merge pull request #3620 from MathiasVP/fix-missing-case-in-getkind 
C++: Fix missing case in ValueNumber::getKind
 2020-06-04 07:27:30 -04:00
Max Schaefer
9549b01e3c JavaScript: Turn on experimental language features for two tests. 
All other tests already pass with experimental features turned on, so once this is merged we can do so by default.
 2020-06-04 11:27:31 +01:00
Mathias Vorreiter Pedersen
7328429ef1 C++: Sync identical files 2020-06-04 11:31:32 +02:00
Mathias Vorreiter Pedersen
36cfe3624b C++: Add TConstantValueNumber case to ValueNumber::getKind 2020-06-04 11:31:02 +02:00
Erik Krogh Kristensen
e47770281a update change-note 
Co-authored-by: Asger F <asgerf@github.com>
 2020-06-04 11:14:25 +02:00
semmle-qlci
c806e229aa Merge pull request #3618 from aschackmull/java/typeflow-test 
Approved by aibaars
 2020-06-04 10:09:44 +01:00