hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity
63,774 Commits 1,671 Branches 157 Tags
dd39fa0bdec8334d856526718bbb74e90d37b314
Commit Graph

63774 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Jeroen Ketema
dd39fa0bde C++: Support C++20 range-based for initializers 2024-02-16 15:20:14 +01:00
Jeroen Ketema
da3ff4813f Merge pull request #15612 from jketema/destructors4a 
C++: Support `constexpr if` in the IR
 2024-02-15 17:29:56 +01:00
Max Schaefer
8d4a344d47 Merge pull request #15592 from github/max-schaefer/rephrase-negative-characteristics 
Automodel: Make description of some negative characteristics more explicit.
 2024-02-15 16:20:17 +00:00
Owen Mansel-Chan
9cd13cbf37 Merge pull request #15624 from owen-mc/go/update-library-coverage-frameworks 
Add new libraries we cover to frameworks.csv
 2024-02-15 12:55:19 +00:00
Owen Mansel-Chan
6cb4773188 Add new libraries we cover to frameworks.csv 2024-02-15 12:19:49 +00:00
Erik Krogh Kristensen
7c0557269a Merge pull request #15596 from erik-krogh/url-san 
C#: Add a few more sanitizers to `cs/web/unvalidated-url-redirection`
 2024-02-15 12:09:06 +01:00
Angela P Wen
0643184a7e Merge pull request #15493 from jsoref/declare-permissions 
Declare permissions in workflows
 2024-02-15 02:52:24 -08:00
Tony Torralba
f4c9052ba9 Merge pull request #15622 from atorralba/atorralba/java/path-sanitizer-equals 
Java: Expand ExactPathSanitizer to work on the argument of 'equals' too
 2024-02-15 11:29:09 +01:00
Tamás Vajk
a5e3643faf Merge pull request #15621 from tamasvajk/buildless/cleanup 
C#: Code quality improvements (fixed log message, removed unused interface)
 2024-02-15 10:54:47 +01:00
Rasmus Wriedt Larsen
e4c30371f9 Merge pull request #13557 from am0o0/amammad-python-bombs 
Python: Decompression Bombs
 2024-02-15 10:43:12 +01:00
Tony Torralba
90a9d82b9d Java: Expand ExactPathSanitizer to work on the argument of 'equals' too 2024-02-15 10:00:24 +01:00
Harry Maclean
a9abba5859 Merge pull request #15520 from hmac/hmac-erb-raw-output-directive 
Ruby: Recognise raw Erb output as XSS sink
 2024-02-15 08:05:16 +00:00
Harry Maclean
babae65e41 Merge pull request #15488 from hmac/ruby-mad-docs 
Ruby: add docs for customizing library models with data extensions
 2024-02-15 07:58:22 +00:00
Tamas Vajk
2f1472fa48 Code quality improvements (fixed log message, removed unused interface) 2024-02-15 08:52:44 +01:00
Tamás Vajk
8aff913c3c Merge pull request #15614 from tamasvajk/buildless/razor-cleanup 
C# Only remove temp files for MVC view generation if needed
 2024-02-15 08:27:40 +01:00
Chris Smowton
7e41a895d8 Merge pull request #15618 from JLLeitschuh/patch-6 
Fix typo in NettyRequestSplitting.java
 2024-02-14 20:44:40 +00:00
Josh Soref
b58c856756 Declare permissions 
Repositories can be configured with Default access (restricted)
https://docs.github.com/en/actions/security-guides/automatic-token-authentication#permissions-for-the-github_token

Best practice says that workflows should declare the minimal permissions they require.
Without declaring permissions, paranoid forks fail miserably.
 2024-02-14 14:31:45 -05:00
Josh Soref
e468f4062f use github/codeql-action...@main 2024-02-14 14:31:31 -05:00
amammad
09d8a75844 Fix QLDoc issues 2024-02-14 23:31:22 +04:00
Jonathan Leitschuh
50056d603e Fix typo in NettyRequestSplitting.java 2024-02-14 14:03:33 -05:00
Tony Torralba
f5d9fe6b08 Merge pull request #15615 from atorralba/atorralba/go/hardcoded-credentials-test-fix 
Go: Use less confusing name for hardcoded credentials tests
 2024-02-14 17:33:43 +01:00
Tony Torralba
1202b5b429 Go: Use less confusing name for hardcoded credentials tests 
We don't want name-based heuristics to pick these variable names, but also using something like 'safeName' may mislead readers into believing the test cases are intended to be GOOD cases (i.e. safe)
 2024-02-14 17:06:05 +01:00
Tamas Vajk
12663b58f1 C# Only remove temp files for MVC view generation if needed 2024-02-14 17:00:37 +01:00
Tony Torralba
99ac640536 Merge pull request #15527 from atorralba/atorralba/go/promote-hardcoded-key 
Go: Promote `go/hardcoded-key` from experimental
 2024-02-14 16:54:03 +01:00
Rasmus Wriedt Larsen
eb401a205d Python: Fix test exclusion for stdlib Python 3.12 2024-02-14 16:53:19 +01:00
Jeroen Ketema
9ef2c83d71 Merge pull request #15611 from jketema/destructors4 
C++: For unnamed local variable declaration entries consider the name of the variable
 2024-02-14 16:18:33 +01:00
Rasmus Wriedt Larsen
59014787a1 Python: Fix DataflowQueryTest 
You're only allowed to have `result=OK` if there is a sink on that line...
 2024-02-14 15:44:40 +01:00
Rasmus Wriedt Larsen
cd596f5d05 Python: Reformat test-file 
All those newlines are not good for inline expectations
 2024-02-14 15:44:06 +01:00
Jeroen Ketema
33413129a5 C++: For unnamed local variable declaration entries consider the name of the variable 2024-02-14 15:03:04 +01:00
Ian Lynagh
c87b7b5f88 Merge pull request #15606 from igfoo/igfoo/kt2 
Kotlin: Fix build with latest 2.0.255 snapshots
 2024-02-14 14:00:50 +00:00
Rasmus Wriedt Larsen
e5bd633028 Python: Change name/id to Decompression Bomb 
The old title/id matches how we used to write queries, but I think just
using the normal conversational name is easier for everyone :)
 2024-02-14 14:54:25 +01:00
Rasmus Wriedt Larsen
69c8ef9898 Python: Use dataflow instead of taint-tracking 2024-02-14 14:52:37 +01:00
Rasmus Wriedt Larsen
ba7dd38fc9 Python: Delete duplicated file 2024-02-14 14:48:37 +01:00
Rasmus Wriedt Larsen
9ae3ea81ff Python: Remove spurious results in stdlib 2024-02-14 14:47:28 +01:00
Rasmus Wriedt Larsen
d8fd457310 Python: Use helper predicate 
Since the helper predicate had nice qldocs
 2024-02-14 14:47:28 +01:00
Rasmus Wriedt Larsen
e7772f1062 Python: Use Unit class 2024-02-14 14:47:28 +01:00
Rasmus Wriedt Larsen
ad39b8c68b Python: Accept .expected changes 2024-02-14 14:46:33 +01:00
erik-krogh
7c2465e7b7 add change-note 2024-02-14 13:53:43 +01:00
erik-krogh
a2bd45d0cb apply suggestions from code review 2024-02-14 13:50:27 +01:00
Rasmus Wriedt Larsen
9399258e3b Merge branch 'main' into amammad-python-bombs 2024-02-14 13:37:59 +01:00
Jeroen Ketema
46bc311111 C++: Support constexpr if in the IR 2024-02-14 13:37:56 +01:00
Tony Torralba
5ce35e47b9 Adjust a test case so that the key isn't considered dummy 
(len < 4)
 2024-02-14 13:06:31 +01:00
Ian Lynagh
48ea94ba23 Kotlin: Handle PsiSourceManager moving 2024-02-14 11:55:54 +00:00
Ian Lynagh
1b40b595fa Kotlin: Handle forAllMethodsWithBody being removed 
Per:
    commit 28797a31b4d9b7f5c99d162ab19fc6b46f8e529d
    Author: Alexander Udalov <alexander.udalov@jetbrains.com>
    Date:   Thu Feb 1 13:22:48 2024 +0100

    JVM: refactor JvmDefaultMode, remove/rename some entries

    [...]
    - remove forAllMethodsWithBody because its behavior is now equivalent to
      isEnabled
    [...]
 2024-02-14 11:55:54 +00:00
Óscar San José
cd00a4dacd Merge pull request #15584 from jsoref/github-only 
Limit xl runner jobs to github org
 2024-02-14 12:49:07 +01:00
Asger F
75a95ffcd1 Merge pull request #15602 from asgerf/js/block-logical-and-flow 
JS: Fix flow through &&
 2024-02-14 12:29:40 +01:00
Tony Torralba
458bbb3581 Rename fwk module 2024-02-14 12:23:27 +01:00
Tony Torralba
16284fdd20 Discard sources that are obvious dummy values 2024-02-14 12:21:52 +01:00
Tony Torralba
a76de495e0 Simplify sanitizers 
Use DataFlow::returnedWithError instead
 2024-02-14 12:21:51 +01:00
Tony Torralba
6b74cb7e75 Remove unneeded $ANYVERSION 2024-02-14 12:21:51 +01:00