hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 03:36:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
53,240 Commits 1,672 Branches 157 Tags
d48adbd1751d22f887352e8c9c76e217cb15444e
Commit Graph

53240 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ed Minnix
d48adbd175 Refactor JsonpInjection 2023-04-12 20:37:35 -04:00
Ed Minnix
8cb5e78832 Refactor XXE files 2023-04-12 20:37:35 -04:00
Ed Minnix
4c80ff03de Refactor UnvalidatedCors 2023-04-12 20:37:35 -04:00
Ed Minnix
d254d91f57 Refactor Injection queries 2023-04-12 20:37:35 -04:00
Ed Minnix
7002ed5303 Refactor InsecureRmiJmxEnvironmentConfiguration 2023-04-12 20:37:35 -04:00
Ed Minnix
6e4e1e52c0 Refactor NFEAndroidDoS 2023-04-12 20:37:35 -04:00
Ed Minnix
94768f425f Refactor HashWithoutSalt 2023-04-12 20:37:35 -04:00
Ed Minnix
cb7391177d Refactor MyBatis queries 2023-04-12 20:37:35 -04:00
Ed Minnix
d528c8461f Refactor XQueryInjection.ql 2023-04-12 20:37:35 -04:00
Ed Minnix
e7cbd493d7 Refactor FilePathInjection 2023-04-12 20:37:35 -04:00
Ed Minnix
47c5db03ab Refactor OpenStream.ql 2023-04-12 20:37:34 -04:00
Ed Minnix
5bd9aae072 Refactor Log4jJndiInjection.ql 2023-04-12 20:37:34 -04:00
Chris Smowton
d049b112a9 Merge pull request #12750 from smowton/smowton/admin/add-dataflow-viableParamArgSpecific-hook 
Go: mass-convert taint-flow models to models-as-data format (with `viableParamArgSpecific` hook)
 2023-04-12 17:11:18 +01:00
Chris Smowton
d648b34037 Accept test changes 
These are caused by nodes being hidden by https://github.com/github/codeql/pull/12783
 2023-04-12 15:05:04 +01:00
Mathias Vorreiter Pedersen
566513e927 Merge pull request #12800 from MathiasVP/fix-joins-in-constant-array-overflow 
C++: Fix joins in `cpp/constant-array-overflow`
 2023-04-12 14:57:17 +01:00
Chris Smowton
7eefa43f5a Rename and document viableArgParamSpecific to make clear it is a temporary hook. 2023-04-12 14:33:46 +01:00
Chris Smowton
1706367b34 Document DataFlowCallable 2023-04-12 14:24:21 +01:00
Chris Smowton
9f4b77e851 Accept test changes 2023-04-12 14:19:06 +01:00
Chris Smowton
4d8ca3d759 Add dataflow callback to filter out receiver argument flow to Golang interface dispatch candidates. 
Other langauges stub the callback.
 2023-04-12 14:19:06 +01:00
Chris Smowton
7ffe863ba6 Remove addressed FIXME 
This was addressed by adding `getAPackageWithSummarizedCallables`
 2023-04-12 14:19:06 +01:00
Chris Smowton
985e07d902 pragma[nomagic] hasQualifiedName 
These are cheap and frequently-used, and magicking them with respect to `interpretPackage` was yielding expensive, unnecessary regex operations.
 2023-04-12 14:19:06 +01:00
Chris Smowton
0129167cc4 Convert Beego's MapGet method to MaD 2023-04-12 14:19:06 +01:00
Chris Smowton
b86f0cf268 Sort models 2023-04-12 14:19:06 +01:00
Chris Smowton
12527e406b Remove unnecessary model 
This referred to a private type
 2023-04-12 14:19:05 +01:00
Chris Smowton
2abffccded Accept test changes 2023-04-12 14:19:05 +01:00
Chris Smowton
3cea01b6c8 Fix functions with multiple models 
In some cases multiple return value outputs can be coalesced, and in others we had accidentally conflated two independent flows (e.g. Arg1 -> Arg2 | Arg3 -> Arg4 led to accidentally introducing Arg1 -> Arg4 and Arg3 -> Arg2)
 2023-04-12 14:19:05 +01:00
Chris Smowton
4a89dbc498 Revert "Remove unnecessary models" 
This reverts commit 12eaedc188487275e8cd6bed4a4318fed4d4b752.

We can't do this now, because there is nothing to guarantee an interface has actually been extracted, and therefore whether a model will get applied. Therefore explicitly modelling methods that may be interface implementations where the interface is in a different package may still make a difference to behaviour.
 2023-04-12 14:19:05 +01:00
Chris Smowton
3f6ceccbe8 US spelling 2023-04-12 14:19:05 +01:00
Chris Smowton
8c553ec0fc Autoformat go 2023-04-12 14:19:05 +01:00
Chris Smowton
ac4dcc6c4b Add ioutil usage to TaintSteps test 
It appears at present the Go standard library imports the deprecated io/ioutil package internally on some platforms but not others. Therefore I add a test explicitly using it to make the test behave more uniformly.
 2023-04-12 14:19:05 +01:00
Chris Smowton
3c48609635 Accept test changes 2023-04-12 14:19:05 +01:00
Chris Smowton
ed56461ed7 Remove unnecessary models 
These are inherited from Stringer, Reader, Writer and BinaryMarshaler
 2023-04-12 14:19:05 +01:00
Chris Smowton
19e8974766 Fix comment 2023-04-12 14:19:05 +01:00
Chris Smowton
140505222f Update test expectations 2023-04-12 14:19:04 +01:00
Chris Smowton
1a7927d3a1 Fix x/net/html.EscapeString modelling 
This had never worked due to accidentally extending non-abstract class HtmlEscapeFunction; consequently it was neither a taint propagator in general, nor an HTML escape function. Added tests to ensure it is now behaving as intended.
 2023-04-12 14:19:04 +01:00
Chris Smowton
fa4145b5e4 Remove dead code 2023-04-12 14:19:04 +01:00
Chris Smowton
141d6b8d7b Accept paths test changes 2023-04-12 14:19:04 +01:00
Chris Smowton
8a06ca5a43 Allow $ANYVERSION token in Go package names 2023-04-12 14:19:04 +01:00
Chris Smowton
477341dd3b Remove unnecessary variable 2023-04-12 14:19:04 +01:00
Chris Smowton
952bc8458f Use explicit this 2023-04-12 14:19:04 +01:00
Chris Smowton
affe42b079 Use US spelling 2023-04-12 14:19:04 +01:00
Chris Smowton
aaa7f34386 Fix mixing of source and summary models 2023-04-12 14:19:04 +01:00
Chris Smowton
18d00c1116 Autoformat QL 2023-04-12 14:19:03 +01:00
Chris Smowton
54d08e11ca Autoformat Go 2023-04-12 14:19:03 +01:00
Chris Smowton
6b9b4c8da0 Remove binary file 2023-04-12 14:19:03 +01:00
Chris Smowton
8fb75f412a Consider MaD models ref whether a package should be considered an unknown external. 2023-04-12 14:19:03 +01:00
Chris Smowton
9447dfd636 Combine net/http models 2023-04-12 14:19:03 +01:00
Chris Smowton
0d306e6189 Restore versioning to one more protobuf model 2023-04-12 14:19:03 +01:00
Chris Smowton
2658a47f21 Remove another protobuf instance now handled in Protobuf.qll 2023-04-12 14:19:03 +01:00
Chris Smowton
a16d56258f Clean up protobuf models 2023-04-12 14:19:03 +01:00