hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 05:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity
45,998 Commits 1,742 Branches 166 Tags
d700fddfdd8d52a4d9782cb09e17d33e15e0adab
Commit Graph

45998 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
tyage
e8b751ae17 Update javascript/ql/src/change-notes/2022-10-26-nextjs-params.md 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2022-10-27 10:24:08 +09:00
tyage
ac27307a2b Update javascript/ql/lib/semmle/javascript/frameworks/Next.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2022-10-27 10:23:59 +09:00
tyage
54050bf1b6 update test result XssWithAdditionalSources 2022-10-27 10:23:37 +09:00
Harry Maclean
bdb143cf83 Merge pull request #10913 from thiggy1342/expand-ruby-ssrf-sinks-faraday-connection-new 
Ruby: Add Faraday::Connection.new as sink for SSRF query
 2022-10-27 10:33:44 +13:00
erik-krogh
2ace10b294 bump the version of the shared pack in the QL-for-QL qlpack.yml file 2022-10-26 22:16:42 +02:00
Chris Smowton
28b6e263ec Kotlin: reintroduce pointless wildcards when a Java declaration explicitly uses them 
For example, Java code might use `HasOutVariance<? extends String>`, or `HasInVariance<? super Object>`, both of which are needless wildcards and which the Kotlin extractor would previously have refused to reintroduce due to their not specifying a larger type than their bound. However this led to inconsistency with Java extraction, which
extracts the type as it appears in source.

This seems to particularly happen with generated code, e.g. the output of the Kotlin protobuf compiler.
 2022-10-26 20:05:27 +01:00
Daniel Santos
63c71b7d09 Merge branch 'main' into main 2022-10-26 14:05:26 -05:00
Ian Lynagh
0a470b0864 Kotlin: Handle /!unknown-binary-location/... paths specially on Windows 
The standard code wants to normalise it to C:/!unknown-binary-location/...
which is particularly annoying for cross-platform test output.
 2022-10-26 19:20:32 +01:00
Henry Mercer
c1984ea35f Go: Update expected output 2022-10-26 19:11:21 +01:00
Daniel Santos
64da2cec50 removed unnecessary getACall and fixed formatting 2022-10-26 12:02:55 -05:00
Rasmus Wriedt Larsen
5e9897d150 InlineExpectationsTest: sync 2022-10-26 18:21:13 +02:00
Rasmus Wriedt Larsen
76e84ef63a InlineExpectationsTest: Fail if missing getARelevantTag 2022-10-26 18:20:37 +02:00
Rasmus Wriedt Larsen
bfe9aa1225 InlineExpectationsTest: Add test showing what happens if you leave out getARelevantTag 2022-10-26 18:00:03 +02:00
Rasmus Wriedt Larsen
b3f29b0a53 Python: Add failing ESSA use-use test 
I initially created this as a dataflow test, but then realized it could
just be an ESSA test. I cound't find any existing ESSA tests though :|
so created a new dir for it.
 2022-10-26 17:49:33 +02:00
Geoffrey White
a32b08f56a Swift: remove redundant line. 2022-10-26 16:39:33 +01:00
Geoffrey White
e981a28b0f Swift: autoformat test. 2022-10-26 16:32:52 +01:00
Henry Mercer
b0b321a16f Go: Standardise formatting 2022-10-26 16:31:08 +01:00
Henry Mercer
4bc8529490 Go: Extract locations of successfully extracted files 
Switch the successfully extracted files query to the `location, message` results format so that we get rich location information when exporting the results of this query to SARIF.  Previously the query used the `message` results format, which meant the interpreted results lacked a location.
 2022-10-26 16:28:02 +01:00
Geoffrey White
0b3408b1f6 Swift: Fix typo. 2022-10-26 16:24:25 +01:00
Geoffrey White
5d21c51deb Swift: use hasQualifiedName in UnsafeWebViewFetch.ql. 2022-10-26 16:12:29 +01:00
Geoffrey White
0d41d4e90c Swift: for consistancy, lets have a simple hasName function as well. 2022-10-26 16:11:01 +01:00
Geoffrey White
b24a27d4ae Swift: Add hasQualifiedName methods and tests. 2022-10-26 16:03:49 +01:00
Chris Smowton
fac383a3ac Merge pull request #10974 from smowton/smowton/fix/dont-translate-tochar 
Kotlin: don't try to call nonexistent `j.l.Number.toChar`
 2022-10-26 14:18:03 +01:00
Tamas Vajk
9cc7a30a75 Kotlin: do not report on unused object extension parameters 2022-10-26 15:06:51 +02:00
Tamas Vajk
fbcf7ea669 Kotlin: Add test case for unused extension parameters 2022-10-26 15:05:59 +02:00
Asger F
c9dfba344a Merge pull request #10925 from asgerf/ql/navigate-doc 
Docs: Mention new navigation commands
 2022-10-26 14:29:42 +02:00
Ian Lynagh
37c40c58d2 Merge pull request #10959 from igfoo/igfoo/diags 
Java/Kotlin: Add a diagnostics consistency query
 2022-10-26 13:07:01 +01:00
Paolo Tranquilli
521e6235b5 Swift: use std::filesystem and picoSHA2 
This replaces usages of `llvm::fs` and string manipulation with
`std::filesystem`, also replacing `std::string` with
`std::filesystem::path` where it made sense.

Moreover MD5 hashing used in macOS file remapping was replaced by
SHA256 hashing using a small header-only SHA256 C++ library with an
MIT license, https://github.com/okdshin/PicoSHA2.

File contents hashing was relocated to the newly created `file` library
for later planned reuse.
 2022-10-26 13:23:44 +02:00
Ian Lynagh
dd7ec499df Kotlin: Ignore tags when comparing versions 
We thought that 1.7.20-Beta > 1.7.20, and so tried to use 1.7.0's
extractor with 1.7.20.
 2022-10-26 12:21:55 +01:00
erik-krogh
0f9b4334cc remove some FPs in js/password-in-configuration-file 2022-10-26 11:51:56 +02:00
Paolo Tranquilli
e422a4eef9 Swift: move TargetFile to a separate lib 2022-10-26 10:54:51 +02:00
erik-krogh
21e7e27e1f push more context into load/store steps from the exploratory flow-analysis 2022-10-26 10:52:47 +02:00
Erik Krogh Kristensen
52cd200ca0 Merge pull request #10985 from asgerf/js/reaches-return-escape 
JS: Do not track returned values out of the enclosing function
 2022-10-26 10:52:11 +02:00
Tony Torralba
924995d9e1 Merge pull request #10977 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2022-10-26 09:51:17 +02:00
Asger F
414bd40c41 JS: Do not track returned values out of the enclosing function 2022-10-26 09:29:49 +02:00
Paolo Tranquilli
a3234503b8 Merge pull request #10983 from github/redsun82/swift-third-party 
Swift: move libraries from `tools` to `third_party`
 2022-10-26 08:59:50 +02:00
Mathias Vorreiter Pedersen
58b6c45d27 Merge pull request #10958 from geoffw0/comma 
C++: Fix performance issue on cpp/comma-before-misleading-indentation
 2022-10-26 08:29:18 +02:00
tyage
7a19744cf2 add change note 2022-10-26 15:17:50 +09:00
tyage
95dca7c3ed update comment 2022-10-26 15:13:59 +09:00
tyage
09f8ca8cc0 add query in comment 2022-10-26 15:13:03 +09:00
tyage
232893aafa make query parameters in ServerSideProps and next/router 
as a RemoteFlowSource
 2022-10-26 14:41:07 +09:00
Paolo Tranquilli
c8788bb5cd Swift: move libraries from tools to third_party 2022-10-26 07:05:56 +02:00
tyage
1f4fc7fc2d add params, query to test 2022-10-26 10:53:11 +09:00
tyage
06925681b0 add test for context.params 2022-10-26 10:53:11 +09:00
github-actions[bot]
5454f9a738 Add changed framework coverage reports 2022-10-26 00:20:29 +00:00
Daniel Santos
f7ace6f801 Update javascript/ql/src/experimental/Security/CWE-340/TokenBuiltFromUUID.ql 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2022-10-25 14:27:03 -05:00
Geoffrey White
1e8b4bdd6f Merge pull request #10973 from geoffw0/comment 
Swift: Fix UrlRemoteFlowSource name clash
 2022-10-25 18:51:51 +01:00
thiggy1342
9c1fbfd330 Merge branch 'main' into expand-ruby-ssrf-sinks-faraday-connection-new 2022-10-25 13:09:17 -04:00
Chris Smowton
004f4be5fb Kotlin: don't try to call nonexistent j.l.Number.toChar 
Previously we thought this could be callable because Kotlin's view of `j.l.Integer` inherits `k.Number` which defines `toChar`.
 2022-10-25 17:09:05 +01:00
Geoffrey White
53fa91f8ba Swift: Add comment. 2022-10-25 16:51:57 +01:00