hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-24 08:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity
58,435 Commits 1,741 Branches 165 Tags
d90630aa66e8fffcaee61366e4adbf2de34a96d2
Commit Graph

58435 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rasmus Lerchedahl Petersen
d90630aa66 Python: fix query file 2023-09-28 12:34:10 +02:00
Rasmus Lerchedahl Petersen
3fb579eaff Python: add test for type tracking 2023-09-28 12:14:12 +02:00
Rasmus Lerchedahl Petersen
37a4f35650 Python: further rename 2023-09-28 11:49:42 +02:00
yoff
8156fa9a4d Apply naming suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2023-09-28 11:47:10 +02:00
Rasmus Lerchedahl Petersen
12dab88ec7 Python: rename concept 
`NoSqlQuery` -> `NoSqlExecution`
 2023-09-20 15:49:35 +02:00
Rasmus Lerchedahl Petersen
4ec8b3f02f Python: Model map_reduce 2023-09-20 15:44:12 +02:00
Rasmus Lerchedahl Petersen
7c085ecc61 Python: Add test for map_reduce 
Also log requirement for old versions of `pymongo`
 2023-09-20 15:23:18 +02:00
Rasmus Lerchedahl Petersen
30c37ca8cb Python: model §accumulator 
also slightly rearrange the modelling
 2023-09-19 22:21:14 +02:00
Rasmus Lerchedahl Petersen
5611bda7ee Python: add test for $accumulator 2023-09-19 17:04:28 +02:00
Rasmus Lerchedahl Petersen
4614b1ae9c Python: add change note 2023-09-18 14:34:03 +02:00
Rasmus Lerchedahl Petersen
a063d7d510 Python: sinks -> decodings 
Query operators that interpret JavaScript
are no longer considered sinks.
Instead they are considered decodings
and the output is the tainted dictionary.
The state changes to `DictInput` to reflect
that the user now controls a dangerous dictionary.

This fixes the spurious result and moves the error reporting
to a more logical place.
 2023-09-11 16:33:20 +02:00
Rasmus Lerchedahl Petersen
d9f63e1ed3 Python: Split modelling of query operators 
`$where` and `$function` behave quite differently.
 2023-09-11 15:54:00 +02:00
Rasmus Lerchedahl Petersen
154a36934d Python: Add test for function 2023-09-11 14:49:03 +02:00
Rasmus Lerchedahl Petersen
d91cd21204 Python: rename file 2023-09-08 13:37:54 +02:00
Rasmus Lerchedahl Petersen
b07d085157 Python: make test PoC a proper package 2023-09-07 15:04:27 +02:00
Rasmus Lerchedahl Petersen
970e881697 Python: Follow naming convention 2023-09-07 15:03:51 +02:00
Rasmus Lerchedahl Petersen
f253f9797f Python: update test expectations 2023-09-07 10:22:37 +02:00
Rasmus Lerchedahl Petersen
7edebbeaff Python: Add QLDocs 2023-09-07 10:22:37 +02:00
Rasmus Lerchedahl Petersen
c0b3245a53 Python: Enrich the NoSql concept 
This allows us to make more precise modelling
The query tests now pass.
I do wonder, if there is a cleaner approach, similar to
`TaintedObject` in JavaScript. I want the option to
get this query in the hands of the custumors before
such an investigation, though.
 2023-09-07 10:22:37 +02:00
Rasmus Lerchedahl Petersen
114984bd8c Python: Added tests based on security analysis 
currently we do not:
- recognize the pattern
   `{'author': {"$eq": author}}` as protected
- recognize arguements to `$where` (and friends)
   as vulnerable
 2023-09-07 10:22:37 +02:00
Rasmus Lerchedahl Petersen
bf8bfd91cd Python: Add inline query test 2023-09-07 10:22:30 +02:00
Rasmus Lerchedahl Petersen
19046ea417 Python: more renames 2023-09-07 09:28:30 +02:00
Rasmus Lerchedahl Petersen
087961d179 Python: Refactor to allow customizations 
Also use new DataFlow API
 2023-09-07 09:28:30 +02:00
Rasmus Lerchedahl Petersen
db0459739f Python: rename file 2023-09-07 09:28:30 +02:00
Rasmus Lerchedahl Petersen
55707d395e Python: Make things compile in their new location 
- Move NoSQL concepts to the non-experimental concepts file
- fix references
 2023-09-07 09:28:30 +02:00
Rasmus Lerchedahl Petersen
60dc1afbc0 Python: prepare to promote NoSqlInjection 
Mostly move files, preserving authourship.
This will not compile.
 2023-09-07 09:28:29 +02:00
Tom Hvitved
334502a3de Merge pull request #14153 from github/revert-14082-csharp/bump-dependencies 
Revert "C#: Bump all dependencies"
 2023-09-06 21:10:56 +02:00
Mathias Vorreiter Pedersen
12a717e3af Merge pull request #14141 from github/alexdenisov/unresolved-ast-nodes 
Swift: add queries for unresolved AST nodes
 2023-09-06 15:40:11 +01:00
Tom Hvitved
6e0ff56788 Revert "C#: Bump all dependencies" 2023-09-06 16:23:38 +02:00
Michael Nebel
a8e427ffe1 Merge pull request #14097 from michaelnebel/csharp/extractorerrormessages 
C#: Update extractor_messages relation schema.
 2023-09-06 14:01:36 +02:00
Cornelius Riemenschneider
76f1c7a4cd Merge pull request #14137 from github/dependabot/github_actions/actions/checkout-4 
Bump actions/checkout from 2 to 4
 2023-09-06 13:13:30 +02:00
Cornelius Riemenschneider
79d210f7bd Update .github/workflows/ruby-build.yml 
Co-authored-by: Arthur Baars <aibaars@github.com>
 2023-09-06 12:19:46 +02:00
Tom Hvitved
3a9c34c3c6 Merge pull request #14132 from hvitved/csharp/data-flow-property-write 
C#: Fix logic for flow into property writes
 2023-09-06 08:49:53 +02:00
Erik Krogh Kristensen
a11db7a80a Merge pull request #14148 from github/dependabot/cargo/ql/chrono-0.4.29 
Bump chrono from 0.4.28 to 0.4.29 in /ql
 2023-09-06 07:25:13 +02:00
dependabot[bot]
7f73c59304 Bump chrono from 0.4.28 to 0.4.29 in /ql 
Bumps [chrono](https://github.com/chronotope/chrono) from 0.4.28 to 0.4.29.
- [Release notes](https://github.com/chronotope/chrono/releases)
- [Changelog](https://github.com/chronotope/chrono/blob/main/CHANGELOG.md)
- [Commits](https://github.com/chronotope/chrono/compare/v0.4.28...v0.4.29)

---
updated-dependencies:
- dependency-name: chrono
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2023-09-06 03:58:08 +00:00
Mathias Vorreiter Pedersen
570b08e2e9 Merge pull request #14143 from alexet/global-from-unreachble 
CPP: Handle globals flowing into "UnreacheachedInstruction"
 2023-09-05 16:58:55 +01:00
Michael Nebel
b5d4987c0a C#: Add upgrade and downgrade scripts. 2023-09-05 15:32:09 +02:00
Michael Nebel
880da69d16 C#: Update extractor_messages relation schema. 2023-09-05 15:19:32 +02:00
Tamás Vajk
97f09e106e Merge pull request #14101 from tamasvajk/csharp/recursive-generics 
C#: Exclude base type extraction of recursive generics
 2023-09-05 14:24:51 +02:00
Alex Denisov
35e949945d Swift: add queries for unresolved AST nodes 2023-09-05 13:29:11 +02:00
Alex Eyers-Taylor
3db384ddc3 CPP: Handle globals flowing into "UnreacheachedInstruction" 2023-09-05 11:50:32 +01:00
dependabot[bot]
03771ffad2 Bump actions/checkout from 2 to 4 
Bumps [actions/checkout](https://github.com/actions/checkout) from 2 to 4.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/v2...v4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2023-09-05 12:17:54 +02:00
Tom Hvitved
cb8922034c Merge pull request #14133 from hvitved/ruby/flow-test-path-graph-fixes 
Ruby: Use proper `PathGraph` module in inline flow tests
 2023-09-05 10:33:07 +02:00
Tamas Vajk
bf96e688ff Fix review findings 2023-09-05 10:19:41 +02:00
Rasmus Wriedt Larsen
49f5d38956 Merge pull request #14068 from RasmusWL/dataflow-config-refactor 
Python: Use new dataflow API
 2023-09-04 21:04:10 +02:00
Tom Hvitved
a2912cd72b Ruby: Use proper PathGraph module in inline flow tests 
Gets rid of
```
PathNode is incompatible with PathNode (the type of the edge relation).
```
warnings.
 2023-09-04 20:27:34 +02:00
Tom Hvitved
4a1163b38c Merge pull request #14109 from hvitved/ruby/hide-desugared-assignments-in-dataflow 2023-09-04 19:59:33 +02:00
Tom Hvitved
55aedbc46c C#: Fix logic for flow into property writes 2023-09-04 15:42:50 +02:00
Kasper Svendsen
ecee427c72 Merge pull request #14117 from kaspersv/delete-unnecessary-test 
Java: Delete java test query which fails to compile
 2023-09-04 15:28:57 +02:00
Alex Ford
0325c87ccb Merge pull request #13825 from boveus/add-cwe-208 
Ruby: Add Unsafe HMAC Comparison Query.
 2023-09-04 14:10:12 +01:00