codeql

mirror of https://github.com/github/codeql.git synced 2026-02-11 20:51:06 +01:00

Author	SHA1	Message	Date
Rasmus Wriedt Larsen	d2efe0b84d	Python: Normalize additional taint steps for modeled classes Such that it should be next to the other class-related predicates (such as `instance()`), the class is called `AdditionalTaintStep`, and it marked private. I also moved any modeling of attributes as well, while I was at it.	2021-07-22 11:59:46 +02:00
Rasmus Wriedt Larsen	be1cad864b	Python: Resolve all `meth = obj.meth; meth()` TODOs It would probably have been easier to do this as the _first_ thing... but that's too late now 😓	2021-07-22 11:59:46 +02:00
Rasmus Wriedt Larsen	6f63c03558	Python: Model `http.cookies.Morsel` and usage in Tornado	2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen	7e09a1cbfd	Python: Model `tornado.httputil.HTTPHeaders`	2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen	7020e4132b	Python: Model BaseHTTPRequestHandler.rfile as file-like object	2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen	d388dd547e	Python: Model `HTTPMessage` from Stdlib	2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen	f3ce3933d1	Python: Add AdditionalTaintStep to type-tracking class snippet I know that the TODO about not having the tools to handling `meth = obj.meth; meth()` is outdated now that we `DataFlow::MethodCallNode`, but I'm planning to deal with that later on ;)	2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen	dac71ded9d	Python: Add Authorization modeling in Flask	2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen	133632119d	Python: Model werkzeug Headers Also removed a misleading comment link to method on wrong class :D	2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen	4d9c86a252	Python: Model Werkzeug `FileStorage.save` as FileSystemAccess	2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen	9cb4899c5c	Python: Add FileStorage modeling in Flask	2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen	09b0c300d9	Python: Rewrite werkzeug to avoid InstanceSourceApiNode InstanceSourceApiNode is a really good idea, but it just happened too soon. I can't do what I need if I have to supply an API-node. So to avoid confusion between deprecating to/from InstanceSource in those classes, I opted to do some major reorganizing as well 👍 Due to aliasing restrictions, I had to use a little trick with the `WerkzeugOld` module.	2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen	04190ea308	Python: Add file-like modeling to werkzeug FileStorage	2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen	5f5c0b11c7	Python: Refactor Werkzeugmodeling Having the additional taint step just next to the other definitions, so everything is together.	2021-07-22 10:43:18 +02:00
Rasmus Wriedt Larsen	4f4dec50f2	Python: Model ResovlerMatch in Django Like before, omitted ClassInstantiation	2021-07-22 10:43:13 +02:00
Rasmus Wriedt Larsen	6f0a622252	Python: Remove ClassInstantiation from Django UploadedFile since UploadedFile is the abstract base class, all real usage would be of one of the subclasses, so removing this to not provide a false hope that it actually works. I don't think investing the time into making this work would give any value, so that's why I didn't do it ;)	2021-07-21 16:35:09 +02:00
Rasmus Wriedt Larsen	7dc6518350	Python: Add `FileLikeObject` modeling Such that the result of `request.FILES["key"].file.read()` is tainted	2021-07-21 16:35:09 +02:00
Rasmus Wriedt Larsen	18c0d13efd	Python: Model most of UploadedFile in Django	2021-07-21 16:35:09 +02:00
Rasmus Wriedt Larsen	5ec5557203	Python: Model MultiValueDict in Django	2021-07-21 16:35:09 +02:00
Rasmus Wriedt Larsen	95e88c18b9	Python: Minor cleanup	2021-07-21 16:35:09 +02:00
Rasmus Wriedt Larsen	51b543c67c	Python: Model taint for django request methods	2021-07-21 16:35:09 +02:00
Rasmus Wriedt Larsen	bced467a88	Python: Refactor django additional step handling So it matches the new style we're using in aiohttp/twisted/...	2021-07-21 16:35:09 +02:00
Rasmus Wriedt Larsen	ce4b192caa	Python: Improve usefulness of RemoteFlowSourcesReach meta query Before, results from `dca` would look something like ## + py/meta/alerts/remote-flow-sources-reach - django/django@c2250cf_cb8f: tests/messages_tests/urls.py:38:16:38:48 reachable with taint-tracking from RemoteFlowSource - django/django@c2250cf_cb8f: tests/messages_tests/urls.py:38:9:38:12 reachable with taint-tracking from RemoteFlowSource now it should make it easier to spot _what_ it is that actually changed, since we pretty-print the node.	2021-07-21 16:35:09 +02:00
Rasmus Wriedt Larsen	6aabbf0b9a	Python: Add some alert meta queries Intended for use with dca	2021-07-21 14:53:01 +02:00
Anders Schack-Mulligen	db76b12f3f	Merge pull request #6313 from aschackmull/java/fix-csv-dispatch Java: Fix a bug in call-context-sensitve dispatch to SummarizedCallable.	2021-07-19 12:49:31 +02:00
Anders Schack-Mulligen	0b89f96055	Merge pull request #6318 from Marcono1234/patch-1 Java: Fix documentation mistake for `ProtoPom`	2021-07-19 11:25:06 +02:00
Anders Schack-Mulligen	d1f21a854a	Merge pull request #6042 from joefarebrother/spring-http [Java] Model spring `http` package	2021-07-19 11:24:41 +02:00
Taus	12f7921c92	Merge pull request #6304 from RasmusWL/more-snippets Python: Add more snippets	2021-07-19 11:23:24 +02:00
Anders Schack-Mulligen	c32a75a1b3	Merge pull request #6183 from smowton/smowton/feature/javax-json-models Add models of the jakarta/javax.json package	2021-07-19 11:19:21 +02:00
Anders Schack-Mulligen	6de31f8b59	Merge pull request #6317 from github/workflow/coverage/update Update CSV framework coverage reports	2021-07-19 10:45:22 +02:00
Rasmus Wriedt Larsen	c9087b2e1b	Python: Minor fixup to snippet Spotted by @tausbn 🎉	2021-07-19 10:19:23 +02:00
github-actions[bot]	9b7616bea4	Add changed framework coverage reports	2021-07-19 00:07:04 +00:00
Marcono1234	87d6b9ca5a	Java: Fix documentation mistake for `ProtoPom`	2021-07-18 02:49:43 +02:00
Tom Hvitved	1c68d3f4cd	Merge pull request #6309 from hvitved/csharp/dead-store-of-local-perf C#: Improve performance of `DeadStoreOfLocal.ql`	2021-07-17 10:56:35 +02:00
Tom Hvitved	25706e0812	Merge pull request #6303 from hvitved/csharp/get-qual-name-nomagic C#: Two `pragma` performance fixes	2021-07-17 07:53:35 +02:00
Robert Marsh	e0ff1d949b	Merge pull request #6315 from MathiasVP/fix-off-by-one-in-rem-expr-range-analysis C++: Fix off–by-one in range analysis for `RemExpr`.	2021-07-16 15:22:03 -07:00
Mathias Vorreiter Pedersen	39d9395bc3	C++: Fix off-by-one in range analysis for 'RemExpr'.	2021-07-16 16:35:19 +02:00
Mathias Vorreiter Pedersen	81aa115838	C++: Fix range analysis bug for 'RemExpr'.	2021-07-16 16:28:08 +02:00
Mathias Vorreiter Pedersen	dc2eea59a3	C++: Add buggy testcase with 'RemExpr'.	2021-07-16 16:27:09 +02:00
Anders Schack-Mulligen	effca4495f	Java: Fix a bug in call-context-sensitve dispatch to SummarizedCallable.	2021-07-16 14:31:29 +02:00
Anders Schack-Mulligen	68b3c28202	Merge pull request #6310 from github/workflow/coverage/update Update CSV framework coverage reports	2021-07-16 14:10:33 +02:00
CodeQL CI	9aafe8242e	Merge pull request #6271 from erik-krogh/logs Approved by asgerf	2021-07-16 03:49:22 -07:00
Anders Schack-Mulligen	ef9d09692d	Merge pull request #5796 from smowton/smowton/feature/apache-mutable-flow Java: Add synthetic fields; model Commons Lang's MutableObject type	2021-07-16 12:08:26 +02:00
Erik Krogh Kristensen	36de24aecb	use API nodes instead of type-tracking in the pino model	2021-07-16 11:32:32 +02:00
Erik Krogh Kristensen	178d3de824	Merge branch 'main' into logs	2021-07-16 11:21:25 +02:00
CodeQL CI	a02a82caac	Merge pull request #6284 from erik-krogh/qs Approved by asgerf	2021-07-16 02:11:59 -07:00
CodeQL CI	c1d0e52492	Merge pull request #6286 from erik-krogh/mkdirp Approved by asgerf	2021-07-16 02:11:07 -07:00
CodeQL CI	6c2c51a767	Merge pull request #6287 from erik-krogh/react-tooltip Approved by asgerf	2021-07-16 02:10:36 -07:00
CodeQL CI	d4fa1f7d96	Merge pull request #6295 from erik-krogh/sort-keys Approved by asgerf	2021-07-16 02:09:47 -07:00
CodeQL CI	520337577b	Merge pull request #6298 from erik-krogh/ansi-to-html Approved by asgerf	2021-07-16 02:09:03 -07:00

1 2 3 4 5 ...

24375 Commits