hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-30 14:52:57 +01:00
Code Issues Packages Projects Releases Wiki Activity
1,201 Commits 1,684 Branches 159 Tags
cfba0896f0725726210366eee05adaebf206eefe
Commit Graph

875 Commits

Author SHA1 Message Date
Chris Smowton
cfba0896f0 Improve code style 
No behavioural changes
 2020-09-04 17:05:32 +01:00
Chris Smowton
fb85ccb2a5 Look through implicit deref operations when propagating taint down a chain of field- and element-access instructions. 
This enables us to use PostUpdateNode properly. Also introduce a test showing a case where this doesn't work, because the underlying variable doesn't have a post-update node.
 2020-09-04 17:03:52 +01:00
Chris Smowton
3635d7d007 Introduce and use writeComponent 2020-09-04 17:03:52 +01:00
Chris Smowton
2a863fbbe7 Abbreviate protobuf package names 2020-09-04 17:03:52 +01:00
Chris Smowton
18ed6bd1ee Add missing qldoc 2020-09-04 17:03:52 +01:00
Chris Smowton
90915284ba Move getUnderlyingNode into Protobuf.qll 
This is its only user for now.
 2020-09-04 17:03:52 +01:00
Chris Smowton
59f9c6073d Introduce instruction type for component access 
This is the union of a field-access and an element-access instruction
 2020-09-04 17:03:52 +01:00
Chris Smowton
455cf0c502 Add support and tests for protobuf messages with map fields 2020-09-04 17:03:52 +01:00
Chris Smowton
b2d4e2692f Taint underlying aggregates of protobuf messages when an element is written 
For example, writing to a[b].c[d] taints 'a'.
 2020-09-04 17:03:52 +01:00
Chris Smowton
3d82308e07 Introduce common base class for ElementReadNode and FieldReadNode 2020-09-04 17:03:52 +01:00
Chris Smowton
56f6e67671 Protobufs: improve comment and code style 
No functional changes
 2020-09-04 15:14:49 +01:00
Chris Smowton
65dc6272d1 Remove prototype tests 
I don't think we need these when we have the end-to-end taintFlows test.
 2020-09-04 15:14:49 +01:00
Chris Smowton
b639b6ec6a Remove redundant copies of the generated protoc output 2020-09-04 15:14:49 +01:00
Chris Smowton
8058d096d2 Model and test UnmarshalOptions.Unmarshal 
Support for UnmarshalOptions.UnmarshalState is dropped for now as too hard to model.
 2020-09-04 15:14:49 +01:00
Chris Smowton
c2ff2df403 Add test showing false-negative for MarshalState 2020-09-04 15:14:49 +01:00
Chris Smowton
42d6250b8d Add modern-API variants of tests 2020-09-04 15:14:49 +01:00
Chris Smowton
8682eb9dec Add tests showing imprecision of our current implementation 2020-09-04 15:14:49 +01:00
Chris Smowton
a832342ecb Add test for unmarshalling submessages 2020-09-04 15:14:49 +01:00
Chris Smowton
596204f79d Add (currently-failing) expectations for submessage tainting 2020-09-04 15:14:49 +01:00
Chris Smowton
c9296abe25 Restrict tainting from field-writes to Message types 2020-09-04 15:14:49 +01:00
Chris Smowton
95798590ce Implement MarshalState method 
Currently relies on blanket field-write propagation.
 2020-09-04 15:14:49 +01:00
Chris Smowton
c34fc3c9ad Add tests for MarshalAppend and MarshalState 
The MarshalState test doesn't work yet, because we don't know to read taint from the Message field of the input or write it to the Buf field of the output
 2020-09-04 15:14:49 +01:00
Chris Smowton
2ca6157836 Protobuf: support both legacy and modern APIs 2020-09-04 15:14:49 +01:00
Chris Smowton
df0238a352 Fix proto.Clone method 
This is top-level, not a member.
 2020-09-04 15:14:49 +01:00
Chris Smowton
e76c07d77b Temporarily taint all structs from field writes 
This should be either refined to just Message types, or else a macro taint step should be added conducting taint from field-write-of-argument to Marshal's result.

On the read-side we're currently fine: the bytes are tainted, so the object is tainted, so the field reads are tainted.
 2020-09-04 15:14:49 +01:00
Chris Smowton
19e1dacced WIP: add more (manual) protobuf models, and a test that checks various taint-flow cases 
Only some of the cases are currently working.
 2020-09-04 15:14:49 +01:00
Sauyon Lee
4ff325aa13 --wip-- [skip ci] 2020-09-04 15:14:49 +01:00
Chris Smowton
b487799f69 Oauth2 state query: avoid duplicate paths by excluding variable references as sources 2020-09-02 17:40:53 +01:00
Chris Smowton
6fea8abd82 Oauth2 state query: improve code style 
No behavioural changes intended.
 2020-09-02 15:06:23 +01:00
Chris Smowton
2f175e365e Oauth2 state query: remove unnecessary isSource overload 2020-09-02 15:05:22 +01:00
Chris Smowton
8f99972833 OAuth2 CSRF query: improve documentation 2020-09-02 15:05:22 +01:00
Chris Smowton
0ba42f7f87 OAuth2 state query: set precision 2020-09-02 15:05:22 +01:00
Chris Smowton
406ea741f4 Improve comment style 2020-09-02 15:05:22 +01:00
Chris Smowton
faf43efb60 Promote OAuth2 constant-state query to mainline 2020-09-02 15:05:22 +01:00
Chris Smowton
0ee7bbbaa7 Extend oauth2 tests 2020-09-02 15:05:21 +01:00
Chris Smowton
f61c62d2d8 Generalise isReturnedWithError 
It now recognises any function returning an Error alongside other return values
 2020-09-02 15:05:21 +01:00
Chris Smowton
9e4ee0accf OAuth2 constant state query: trace local URLs across reference operations and Sprintf calls 2020-09-02 15:05:21 +01:00
Chris Smowton
050a823397 OAuth2 exclusion: hide cases that clearly target an out-of-band process or private HTTP server 2020-09-02 15:05:21 +01:00
Chris Smowton
bcb65157e6 Oauth2-state query: treat log calls the same as stdout printers 
These presumably get to the user somehow, and in conjunction with stdin use are enough to identify use of oauth at the terminal.
 2020-09-02 15:05:21 +01:00
Chris Smowton
3d877fc67d Oauth2 state: note bufio.NewScanner is also a sign of probable terminal-interactive use 2020-09-02 15:05:21 +01:00
Chris Smowton
6fee4f382f Constant-oauth2-state: exclude strings returned alongside an error value 
For example, getState() { ... return "", someError } is commonly seen in the wild.
 2020-09-02 15:05:21 +01:00
Slavomir
386005d361 Add path and path/filepath packages to stdlib 2020-09-01 13:09:41 +02:00
Max Schaefer
2fe8fb9d83 Fix frontend errors in test. 2020-08-28 12:01:33 +01:00
Max Schaefer
031a48ecd3 Merge pull request #296 from owen-mc/allocation-size-overflow-improve-sanitizers-easy 
Add new sanitizer guard to Allocation size overflow query
 2020-08-28 07:44:45 +01:00
Max Schaefer
b4550f244b Merge pull request #313 from github/rc/1.25 
Merge rc/1.25 into main
 2020-08-27 14:27:26 +01:00
Sauyon Lee
0de8ac3b87 Merge pull request #305 from max-schaefer/consistency-queries 
Enable consistency queries in tests
 2020-08-25 01:01:11 -07:00
Max Schaefer
76f3bd63ac Merge pull request #306 from max-schaefer/fix-stringops-magic 
Prevent misoptimisation in `StringOps`.
 2020-08-25 08:45:54 +01:00
Max Schaefer
b72c4f958c Fix tests for ExprHasNoEffect on non-Linux systems. 2020-08-25 08:05:19 +01:00
Max Schaefer
4c82ad6064 Apply suggestions from code review 
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
 2020-08-25 07:37:11 +01:00
Max Schaefer
bdcb1f233c Prevent misoptimisation in StringOps. 2020-08-24 20:11:23 +01:00