monkey-junkie
d81ec15990
Update DivideByZeroBad.go
2021-01-03 00:54:42 +03:00
Your Name
4b36a62834
divide by zero rule
2021-01-03 00:51:34 +03:00
Sauyon Lee
ace9271cc4
Merge pull request #441 from twpayne/contributing-building-and-testing
...
Docs: Add building and testing to contributing guide
2020-12-29 11:13:37 -08:00
Tom Payne
06721ce189
Docs: Add building and testing to contributing guide
2020-12-29 00:28:17 +01:00
Sauyon Lee
2ba26f69c0
Merge pull request #440 from twpayne/regexp-anchors
...
Support more regexp anchors
2020-12-23 11:42:06 -08:00
Tom Payne
9bbdf86487
Support more regexp anchors
2020-12-23 14:04:33 +01:00
Chris Smowton
5647a47bd4
Merge pull request #436 from sauyon/InVisionApp/main
...
Refactor HTTP tests
2020-12-18 12:08:46 +00:00
Jason Rogers
baa169cc77
Refactored HTTP tests
...
This will align test location with the library.
2020-12-17 08:10:06 -08:00
Owen Mansel-Chan
e3d0ccabae
Merge pull request #435 from owen-mc/use-implements-where-possible
...
Use `implements` for interface methods
2020-12-17 16:02:14 +00:00
Owen Mansel-Chan
d184f245ed
Use implements for interface methods
...
This means we will find more things.
2020-12-17 12:42:18 +00:00
Owen Mansel-Chan
dcb6cc3a7c
Merge pull request #434 from owen-mc/model-kubernetes-secret
...
Model Secret and SecretList from k8s.io/api/core/v1
2020-12-16 17:17:21 +00:00
Chris Smowton
8060993b3b
Merge pull request #430 from smowton/smowton/feature/model-beego-orm
...
Model the Beego ORM subpackage
2020-12-16 16:08:18 +00:00
Owen Mansel-Chan
0cb0879381
Model Secret and SecretList from k8s.io/api/core/v1
2020-12-16 16:03:48 +00:00
Chris Smowton
44a63b2f94
Model the Beego ORM subpackage
2020-12-16 14:39:58 +00:00
Owen Mansel-Chan
87f2cad475
Merge pull request #427 from owen-mc/model-kubernetes-secret
...
Model kubernetes SecretInterface
2020-12-15 17:12:45 +00:00
Chris Smowton
de93b59245
Merge pull request #419 from smowton/smowton/feature/model-beego
...
Model Beego web framework
2020-12-15 16:15:59 +00:00
Owen Mansel-Chan
0980a50627
Remove erroneous import from stub
2020-12-15 16:00:58 +00:00
Owen Mansel-Chan
676ca529b5
Add tests
2020-12-15 16:00:58 +00:00
Owen Mansel-Chan
6ca2e0e38e
Add SecretInterface as source for cleartext logging query
2020-12-15 16:00:58 +00:00
Owen Mansel-Chan
8fd055bc60
Model SecretInterface from k8s.io/client-go/kubernetes/typed/core/v1
2020-12-15 16:00:51 +00:00
Chris Smowton
8e7abbac0a
Model Beego web framework
...
This excludes the ORM, email and validation components, which I will follow up with separately.
2020-12-15 14:04:36 +00:00
Chris Smowton
8b6f229bd3
SafeUrlFlow: allow libraries to add sources
2020-12-15 14:01:59 +00:00
Sauyon Lee
3617a801db
Merge pull request #429 from sauyon/smowton/admin/refactor-http-module
...
Refactor HTTP module
2020-12-14 09:25:43 -08:00
Jason Rogers
3a83fbd765
Refactor HTTP module
...
This makes it easier to identify related classes and support future expansion.
2020-12-14 07:16:24 -08:00
Owen Mansel-Chan
e4316768ef
Merge pull request #426 from owen-mc/model-k8s-io-apimachinery-pkg-runtime
...
Model k8s.io/apimachinery/pkg/runtime
2020-12-09 09:16:47 +00:00
Owen Mansel-Chan
c17f1618e0
Add change note
2020-12-09 06:45:08 +00:00
Owen Mansel-Chan
4d3eb47784
Fix stubbing
...
Depstubber can only stub one package at a time. We have to do some
manual editing to make a stubbed package use another stubbed package.
2020-12-09 06:45:08 +00:00
Owen Mansel-Chan
e5fb401d50
Model runtime
2020-12-09 06:45:08 +00:00
Owen Mansel-Chan
290a4dcdf4
Merge pull request #414 from owen-mc/model-evanphx-json-patch
...
Model evanphx/json-patch
2020-12-08 17:36:10 +00:00
Owen Mansel-Chan
0b50ee7755
Change to Inline Expectations Test
2020-12-08 16:38:13 +00:00
Owen Mansel-Chan
e786fa07ee
Add change note
2020-12-08 16:15:01 +00:00
Owen Mansel-Chan
5ebd637ca7
Model evanphx/json-patch
2020-12-08 16:15:01 +00:00
Chris Smowton
6b8003b0f2
Merge pull request #420 from smowton/smowton/admin/upgrade-codeql-240-and-autoformat
...
Upgrade CI toolchain to CodeQL 2.4.0
2020-12-07 14:16:19 +00:00
Chris Smowton
563f74bd45
Upgrade CI toolchain to CodeQL 2.4.0
...
Also reformat code (the autoformatter has changed slightly)
2020-12-07 12:35:07 +00:00
Chris Smowton
a794e05c74
Merge pull request #417 from smowton/smowton/fix/reduce-symlink-loop-finding-cost
...
Unsafe-unzip-symlinks: reduce cost of `getAnEnclosingLoop`
2020-12-03 12:21:38 +00:00
Chris Smowton
c1669d732b
Unsafe-unzip-symlinks: reduce cost of getAnEnclosingLoop
...
This used to get the closest enclosing loops of all expressions; now it is restricted to those surrounding interesting expressions.
2020-12-02 14:33:38 +00:00
Chris Smowton
f9fc01bd73
Merge pull request #415 from smowton/smowton/feature/errorf-returns-non-nil
...
Note that `fmt.Errorf` returns non-nil
2020-12-01 12:04:23 +00:00
Owen Mansel-Chan
8c33979425
Merge pull request #388 from owen-mc/untrusted-data-flow-to-external-api
...
Untrusted data flow to external API
2020-12-01 11:25:58 +00:00
Chris Smowton
5d17b27770
Note that fmt.Errorf returns non-nil
...
This enables recognising more guarding functions that return nil/non-nil conditional on a barrier guard.
2020-11-30 19:10:58 +00:00
Chris Smowton
3338a0b10d
Merge pull request #402 from smowton/smowton/feature/zipslip-more-generous-sanitisers
...
ZipSlip: redefine sources closer to their origin, and make sanitizers more generous
2020-11-27 18:25:07 +00:00
Owen Mansel-Chan
bfbf102408
Remove restriction on void and boolean-returning methods
...
When the taint was in the receiver, we were excluding methods which
return nothing or a boolean.
2020-11-27 16:51:24 +00:00
Owen Mansel-Chan
7730d66d76
Apply suggestions from code review
...
Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
2020-11-27 16:17:54 +00:00
Chris Smowton
70015b2c32
Add tests for zipslip using a utility function to check that the archive header is safe
...
Note this currently contains some cases that are safe but are still flagged, because of weaknesses in the guardingFunction predicate.
2020-11-27 15:11:57 +00:00
Sauyon Lee
627241aaa5
Merge pull request #401 from sauyon/stored-command
...
Add stored command query
2020-11-27 06:37:02 -08:00
Chris Smowton
1eb8fff7e1
ZipSlip: redefine sources closer to their origin, and make sanitizers more generous.
...
Previously we considered certain fields of `tar` or `zip` file headers to be sources, but this meant subsequent references to the same field were not considered sanitized. For example, at least some real-world projects used a pattern like `if isIllegalPathTraversal(hdr.Name) { return nil; } ... /* other code using hdr.Name */`. By associating a source with the field-read `.Name` rather than the header itself, we were unable to see that the subsequent read was guarded by the sanitizer function.
Relatedly, it is common to use some intermediary taint-propagating function, as in `clean(s string) { if strings.HasPrefix("..", filepath.Clean(filepath.Join(target, s))) ...`, in the implementation of a sanitizer. We now follow the taint propagation (locally) backwards towards the function parameter, marking the predecessor functions and ultimately the parameter `s` as sanitized in addition to the direct argument to `strings.HasPrefix`. Existing sanitizing-function logic can then sometimes lift this out into the caller too.
2020-11-27 13:57:25 +00:00
Chris Smowton
f775adf306
Merge pull request #404 from smowton/smowton/feature/improved-guarding-function
...
Recognise many more guarding functions
2020-11-27 13:56:31 +00:00
Chris Smowton
c6f14de065
Merge pull request #413 from smowton/smowton/admin/document-cond-root-etc
...
Clarify naming and add documentation around `hasSemantics` and cousins
2020-11-26 16:59:07 +00:00
Owen Mansel-Chan
0ee00d8647
Apply suggestions from code review
...
Co-authored-by: Chris Smowton <smowton@github.com>
2020-11-26 16:49:02 +00:00
Owen Mansel-Chan
bf78189e21
Make two separate queries
2020-11-26 14:59:13 +00:00
Owen Mansel-Chan
dec7967c7a
Update qhelp files
2020-11-26 14:57:56 +00:00