hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-04 05:05:12 +02:00
Code Issues Packages Projects Releases Wiki Activity
23,650 Commits 1,741 Branches 166 Tags
dc2cb9bd621ef4e6db5b8b6c49119f3ec9f2abbc
Commit Graph

23650 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Chris Smowton
a665d5d111 Improve RequestForgery.qhelp recommendation 2021-06-17 11:41:05 +01:00
Chris Smowton
0d9a6e2b61 Update java/ql/src/semmle/code/java/security/RequestForgery.qll 
SpringRestTemplateUrlMethods -> SpringRestTemplateUrlMethod
 2021-06-17 11:41:05 +01:00
Chris Smowton
fb2989c16b Copyedit comments and function names 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2021-06-17 11:41:04 +01:00
Chris Smowton
960a903185 Java SSRF query: document RequestForgeryAdditionalTaintStep and use Unit not string for a supertype. 2021-06-17 11:41:04 +01:00
Chris Smowton
575198a0e4 Java SSRF query: Server Side -> Server-Side everywhere. 2021-06-17 11:41:04 +01:00
Chris Smowton
7899e17f3a Java SSRF query: move RequestForgery qll file into semmle/code hierarchy 
This makes it importable by people wishing to extend the query.
 2021-06-17 11:41:04 +01:00
Chris Smowton
532a10bfdf Java SSRF query: Provide hook for custom taint-propagating steps; make all default sinks/sanitizers/steps private. 2021-06-17 11:41:04 +01:00
Chris Smowton
5bdd9da27a Java SSRF query: credit original author 2021-06-17 11:41:04 +01:00
Chris Smowton
e8613367e8 Java SSRF query: copyedit qhelp 2021-06-17 11:41:04 +01:00
Chris Smowton
3333e7d186 Java SSRF query: sanitize primitives 
Even 'char' isn't a realistic vector for an exploit, unless somebody is copying out a string char by char.
 2021-06-17 11:41:04 +01:00
Chris Smowton
93a9f471ce Add change note 2021-06-17 11:41:04 +01:00
Chris Smowton
77904d9597 Remove failing test 
The case where something might be exactly a constant is general across all queries, and not handled yet, particularly in the case where the result of `getParameter("uri")` might have changed between the check and the use.
 2021-06-17 11:41:04 +01:00
Chris Smowton
6933d06a46 Add exactly the string '/' as a sanitizing prefix. 
Usually this is ignored for suspicion that it could be taken for a protocol specifier, but on balance the context `(something) + "/" + tainted()` is more likely to be taken for a user-controlled location within a host the user does not control.
 2021-06-17 11:41:03 +01:00
Chris Smowton
bc43b6d760 Fix typo 2021-06-17 11:41:03 +01:00
Chris Smowton
e6249eed79 Add doc comments 2021-06-17 11:41:03 +01:00
Chris Smowton
26e10f3ad5 SSRF: don't consider results of fetches we initiated to be untrustworthy 2021-06-17 11:41:03 +01:00
Chris Smowton
c63d5986cf Sanitize StringBuilder appends that follow directly from a constructor. 
Note that some of this logic ought to be incorporated into StringBuilderVar once that code can be reviewed.
 2021-06-17 11:41:03 +01:00
Chris Smowton
b5a450b881 SSRF query: add sanitizer looking for a variety of ways of prepending a sanitizing prefix, such as one that restricts the hostname a URI will refer to. 2021-06-17 11:41:03 +01:00
Chris Smowton
487c1db6ed Promote SSRF query to main query set 2021-06-17 11:41:01 +01:00
Anders Schack-Mulligen
6ca8d69b26 Merge pull request #5881 from haby0/java/UnsafeDeserialization 
Java: CWE-502 Add UnsafeDeserialization sinks
 2021-06-17 12:36:34 +02:00
Anders Schack-Mulligen
8fe2f4a554 Merge pull request #6034 from owen-mc/java/jax-rs 
Improve JAX-WS and JAX-RS models
 2021-06-17 12:35:34 +02:00
Anders Schack-Mulligen
b173b4141d Merge pull request #6096 from smowton/smowton/fix/inline-expectations-missing-prefix 
Inline expectation tests: accept // $MISSING: and // $SPURIOUS:
 2021-06-17 11:41:15 +02:00
haby0
363ad5b470 Fix error 2021-06-17 17:36:35 +08:00
Owen Mansel-Chan
945db01f56 Address review comments 2021-06-17 10:29:33 +01:00
Owen Mansel-Chan
b9bc1f978c Update style of inline expectation comments 2021-06-17 10:04:15 +01:00
Chris Smowton
558813acf7 Inline expectation tests: accept // $MISSING: and // $SPURIOUS: 
Previously there had to be a space after the $ token, unlike ordinary expectations (i.e., // $xss was already accepted)
 2021-06-17 09:44:39 +01:00
Owen Mansel-Chan
0987425f94 Reinstate failing tests with MISSING: prefix 2021-06-17 09:36:51 +01:00
Tom Hvitved
0febf5a592 Merge pull request #6094 from hvitved/dataflow/consistency-compiler-too-smart 
Data flow: Workaround for too clever compiler in consistency queries
 2021-06-17 10:23:31 +02:00
Tom Hvitved
ffb2350a54 Data flow: Fix getLocalCallContext join-order 2021-06-17 10:02:31 +02:00
Tom Hvitved
cc383e0f6a Data flow: Workaround for too clever compiler in consistency queries 2021-06-17 09:43:36 +02:00
haby0
3dd851fffb expected 2021-06-17 15:20:03 +08:00
Owen Mansel-Chan
5f82993b0b Put parameters with inline expectation comments on their own lines 2021-06-17 06:41:01 +01:00
Tom Hvitved
3f6beaf9df C#: Add tests for complex CSV flow summaries 2021-06-16 19:36:05 +02:00
Tom Hvitved
0af44a7f94 C#: Changes to Type::{getQualifier,hasQualifiedName} 2021-06-16 19:36:05 +02:00
CodeQL CI
bcafe532ac Merge pull request #5944 from RasmusWL/async-api-graph-tests 
Approved by tausbn
 2021-06-16 08:46:26 -07:00
CodeQL CI
9b84a8e146 Merge pull request #6048 from erik-krogh/graphql 
Approved by esbena
 2021-06-16 06:35:42 -07:00
Tom Hvitved
8866e6c969 C#: Always use fully qualified names in CSV data-flow summaries 2021-06-16 14:09:45 +02:00
Tom Hvitved
def3d6bac4 C#: CSV-based flow summaries 2021-06-16 14:09:45 +02:00
Owen Mansel-Chan
5d00bb23e4 Move logic for URL redirection sinks 2021-06-16 12:48:11 +01:00
yoff
0ddeb7a8c1 Merge pull request #5950 from RasmusWL/promote-clickhouse 
Python: Promote ClickHouse SQL models
 2021-06-16 13:38:41 +02:00
Taus
e647403948 Python: Avoid __main__.py files as entry points. 
According to the official documentation, the purpose of `__main__.py`
files is that their presence in a package (say, `foo`) means one can
execute the package directly using `python -m foo` (which will run the
aforementioned `foo/__main__.py` file).

In principle this means that adding `if __name__ == "__main__"` in these
files is superfluous, as they are only intended to be executed (and not
imported by some other file).

However, in practice people often _do_ include the above construct.
Here are some instances of this on LGTM.com:
https://lgtm.com/query/7521266095072095777/

In particular, 10 out of 33 files in `cpython` have this construct.

This causes some confusion in our module naming, as we usually see the
presence of `__name__ == "__main__"` as an indication that a file may
be run directly (and hence with "absolute import" semantics). However,
when run with `python -m`, the interpreter uses the usual package
semantics, and this leads to modules getting multiple names.

For this reason, I think it makes sense to simply exclude `__main__.py`
files from consideration. Note that if there is a `#!` line mentioning
the Python interpreter, then they will still be included as entry
points.
 2021-06-16 10:59:56 +00:00
Tamás Vajk
eaa69dfa5d Merge pull request #6084 from tamasvajk/feature/effective-publicness 
C#: Fix isEffectively* visibility predicates
 2021-06-16 12:52:38 +02:00
Anders Schack-Mulligen
75d5fe67ea Merge pull request #6090 from atorralba/atorralba/move-httpsurls-tests 
Java: Move/tweak some tests
 2021-06-16 12:00:55 +02:00
Tamas Vajk
28ef0e86f6 Apply code review findings 2021-06-16 10:51:52 +02:00
Tamas Vajk
c5b8acf216 Add change notes 2021-06-16 10:51:52 +02:00
Tamas Vajk
db8a777aa9 Fix isEffectively* predicates to members extracted from multiple assemblies 2021-06-16 10:51:52 +02:00
Tamas Vajk
77f8f3fa8a Adjust comments on isEffectively* 2021-06-16 10:51:52 +02:00
Tamas Vajk
eea96a5585 Fix effective publicness of protected private and protected internal 2021-06-16 10:51:52 +02:00
Tamas Vajk
f715445c7a Fix effective privateness of explicitly implemented members 2021-06-16 10:51:08 +02:00
Tamas Vajk
a24006239b C#: Add more tests to effective visibility 2021-06-16 10:50:15 +02:00