hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-04 13:15:21 +02:00
Code Issues Packages Projects Releases Wiki Activity
45,998 Commits 1,742 Branches 166 Tags
d700fddfdd8d52a4d9782cb09e17d33e15e0adab
Commit Graph

45998 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Chris Smowton
b6e4f472d1 Remove unnecessary import 2022-10-29 11:40:57 +01:00
Chris Smowton
6d321e0151 Add change note 2022-10-29 11:40:57 +01:00
Chris Smowton
5c66d87ed6 gofmt 2022-10-29 11:40:57 +01:00
Chris Smowton
0c6c135967 Go: exclude protobuf read steps from cleartext-logging query 
This query already treats structs differently to usual: it includes field -> whole struct taint steps, but explicitly excludes struct -> field steps. This means that a logging framework sinking an entire struct with a tainted field yields an alert, but we don't get FPs caused by writing field `x` but then reading field `y`.

However, protobuf messages have a special treatment, with taint usually associated with the whole struct and getter methods propagating that taint out. Suppressing these getter method steps specifically for the cleartext-logging query mirrors its treatment of structs in general and avoids this sort of field-mismatch FP.

On the downside we will miss same-field propagation like `m.field = password; Log(m.GetField())` if we don't have source code for the implementation of `m`. However this is hopefully unusual since the typical use of protobufs is to serialize and deserialize, rather than using the struct as a general-purpose datastructure.
 2022-10-29 11:40:57 +01:00
Chris Smowton
8266a22332 Kotlin: fix method types when an inherited method implements a collection type 
In this circumstance the compiler seems to generate a specialised version of the implementing function with its argument type replaced by the interface-implementing child class' type parameter. However it stores a back-pointer to the real declared function, which we should use as the call target.
 2022-10-29 11:29:04 +01:00
Dave Bartolomeo
85790fcade Merge pull request #10964 from smowton/smowton/admin/modernise-qlpacks 
qlpacks: libraryPathDependencies -> dependencies
 2022-10-28 16:44:22 -04:00
Chris Smowton
d9744c81b7 Merge pull request #11017 from smowton/smowton/fix/kotlin-wildcard-suppression-annotation 
Kotlin: fix wildcard suppression where the annotation applies to a parent type/argument.
 2022-10-28 18:33:07 +01:00
Ian Lynagh
84427e132e Kotlin: Move the logs test to all-platforms 2022-10-28 17:56:41 +01:00
Geoffrey White
f122005aaf Swift: Simplify out some variables. 2022-10-28 17:26:17 +01:00
Tony Torralba
2402504a4c Add missing SummaryPostUpdateNode 2022-10-28 18:24:17 +02:00
Geoffrey White
b4d939a620 Swift: Correct a comment. 2022-10-28 17:11:24 +01:00
Chris Smowton
f9e811bddf Legacy support qlpacks: continue using libraryPathDependencies; add a comment noting this is obsolete. 2022-10-28 16:47:30 +01:00
Chris Smowton
1914a114a2 Merge pull request #11018 from smowton/smowton/fix/kotlin-extension-specialisation 
Kotlin: specialise extension receivers the same as other function parameters
 2022-10-28 16:15:41 +01:00
Chris Smowton
d6e2f5f4a8 Use ?.not() to negate a nullable boolean 2022-10-28 16:13:55 +01:00
Chris Smowton
1e1c9f639c Avoid Kotlin 1.5+ function firstNotNullOfOrNull 2022-10-28 16:13:55 +01:00
Chris Smowton
24f87ac963 Kotlin: fix wildcard suppression where the annotation applies to a parent type/argument. 
In the process I also fix the missed case where suppression can be switched off using a parameterized annotation.
 2022-10-28 16:13:55 +01:00
Ian Lynagh
2796d60d79 Merge pull request #11019 from igfoo/igfoo/win_integ 
Kotlin: Get some integration tests running on Windows
 2022-10-28 16:12:15 +01:00
Chris Smowton
5ad5cdce47 Swift integration-test runner: use --additional-packs 2022-10-28 16:07:38 +01:00
Chris Smowton
ee63e60bb7 qlpacks: libraryPathDependencies -> dependencies 2022-10-28 16:07:36 +01:00
Geoffrey White
648c2d09f9 Swift: Simplify InsecureTLS.ql. 2022-10-28 15:56:03 +01:00
Tony Torralba
baf7986cfa Rework types exported through JSContext 
Better model the JSExport protocol logic
 2022-10-28 15:56:05 +02:00
Rasmus Wriedt Larsen
a04c78ab94 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-10-28 15:31:42 +02:00
Ian Lynagh
49425e6c2a Kotlin: Integration tests: Make a couple more posix-only for now 2022-10-28 13:59:36 +01:00
Geoffrey White
cf9c3afc86 Swift: Add and use AbstractFunctionDecl.hasGlobalName predicate. 2022-10-28 13:57:24 +01:00
Tamas Vajk
d745381ebe Remove unneeded consistency test output 2022-10-28 14:56:25 +02:00
Tamas Vajk
803a97df7f Kotlin: Resugar for loops with tuples as loop variables 2022-10-28 14:55:50 +02:00
Tamas Vajk
841340b266 Kotlin: Resugar for loops 2022-10-28 14:55:50 +02:00
Tamas Vajk
1e3060598f Kotlin: Add for loop tests 2022-10-28 14:55:50 +02:00
Tamás Vajk
caf9ac50d9 Merge pull request #11026 from tamasvajk/kotlin-remove-kotlin-java-eq-test 
Kotlin: Remove `javaEquivalent` consistency query
 2022-10-28 14:08:53 +02:00
Chris Smowton
366410ee9e Fix incorrect parameter ordering 2022-10-28 12:58:23 +01:00
Mathias Vorreiter Pedersen
0a3d0c4f56 Merge pull request #11031 from geoffw0/simplify 
Swift: Simplify queries using MethodDecl.hasQualifiedName
 2022-10-28 13:58:08 +02:00
Tony Torralba
48b0cc0229 Add models for JSContext and JSValue 2022-10-28 13:01:25 +02:00
Tony Torralba
81701547b2 Add taint sources for WKScriptMessage 
This is what contains externally-provided data in Webview JS-native bridges
 2022-10-28 12:58:27 +02:00
Mathias Vorreiter Pedersen
142e50008e Merge pull request #10967 from MathiasVP/fix-swift-summary 
Swift: Fix flow out of summarized callables
 2022-10-28 12:57:52 +02:00
Geoffrey White
368f37a27e Swift: And another. 2022-10-28 11:46:27 +01:00
Geoffrey White
1f3ed1cec7 Merge remote-tracking branch 'upstream/main' into simplify 2022-10-28 11:42:05 +01:00
Geoffrey White
6fca350714 Use MethodDecl.hasQualifiedName. 2022-10-28 11:41:42 +01:00
AlexDenisov
ce441ade63 Merge pull request #11028 from github/redsun82/swift-filesystem 
Swift: fix remapping
 2022-10-28 12:11:26 +02:00
Mathias Vorreiter Pedersen
062a0abceb Swift: Fix flow out of summarized callables. 2022-10-28 12:09:05 +02:00
Ian Lynagh
f387eb21eb Kotlin: Integration tests: Add a qlpack.yml 2022-10-28 10:53:45 +01:00
Ian Lynagh
382c08e3cd Kotlin: Fix some integrations tests on Windows 2022-10-28 10:53:45 +01:00
Ian Lynagh
15d5369bdd Kotlin: Run some integration tests on Windows too 2022-10-28 10:53:45 +01:00
Tamás Vajk
8bc46d5e56 Merge pull request #11025 from tamasvajk/kotlin-fix-external-location 
Kotlin: Fix external location in integration test
 2022-10-28 11:33:25 +02:00
Paolo Tranquilli
a87495226a Swift: fix remapping 
With the change to `std::filesystem` some path concatenations were
translated to appending, which is not the same. In case rhs is absolute
`lhs / rhs == rhs`, while concatenating treats `rhs` as if it was
relative. The same behaviour can be obtained in `std::filesystem` by
using `lhs / rhs.relative_path()`.
 2022-10-28 11:16:49 +02:00
Tamas Vajk
7ceadb0df0 Kotlin: Remove javaEquivalent consistency query 
The `javaEquivalent` consistency query is no longer needed, as the `diags` query is now a superset of it.
 2022-10-28 10:44:42 +02:00
Rasmus Wriedt Larsen
8628ff5e52 Merge pull request #10999 from RasmusWL/inline-fail-tag 
InlineExpectationsTest: Fail if missing `getARelevantTag`
 2022-10-28 10:35:49 +02:00
Mathias Vorreiter Pedersen
95a54f79d8 Merge pull request #10938 from geoffw0/printfprecision 
C++: Fix printf.qll bug
 2022-10-28 10:33:58 +02:00
Tamas Vajk
99880c980c Kotlin: Fix external location in integration test 2022-10-28 10:24:14 +02:00
Jeroen Ketema
4ca0838815 Merge pull request #11009 from RasmusWL/dataflow-label 
Misc: Add automatic `DataFlow Library` label
 2022-10-28 09:58:33 +02:00
Mathias Vorreiter Pedersen
22cdeec3fb Merge branch 'main' into printfprecision 2022-10-28 09:29:29 +02:00