Commit Graph

971 Commits

Author SHA1 Message Date
Chris Smowton
e19f476341 Add test for Sqlx 2020-07-28 14:52:10 +01:00
Chris Smowton
f5caf7e9e2 Add test for Gorm 2020-07-28 14:52:10 +01:00
Chris Smowton
a813607a76 go-restful model: Add support for ReadEntity method 2020-07-28 14:52:10 +01:00
Chris Smowton
3c4a1b90fe Add test for Go-restful 2020-07-28 14:52:10 +01:00
Chris Smowton
b96546b0f8 Improve style of library models 2020-07-28 14:40:48 +01:00
Ricter Z
bb2d5ea6b5 add some sinks in commonly-used SQL libraries 2020-07-23 16:19:42 +01:00
Chris Smowton
b9e61115f3 Merge pull request #266 from sauyon/query-tags
Add correctness tag to MistypedExponentiation
2020-07-22 15:27:46 +01:00
Chris Smowton
6c4a1d0a34 Merge pull request #264 from smowton/smowton/feature/printast-restrict-files
PrintAst: improve support for restricting subsets of the AST to print
2020-07-22 15:20:14 +01:00
Chris Smowton
f8d141f7ff PrintAst: Sort root File nodes by relative path.
This should make graphtext output deterministic, rather than depending on the order the results interpretation step happens to see the nodes.
2020-07-22 13:43:34 +01:00
Sauyon Lee
c9df4d81b4 Add correctness tag to MistypedExponentiation 2020-07-22 04:26:56 -07:00
Chris Smowton
c30d198f3d Switch to using top-level function declarations to filter PrintAst
This means it's no longer possible to ask for the AST of a function literal, but this is hopefully a niche use-case that we can add if and when there is demand.
2020-07-22 10:40:41 +01:00
Owen Mansel-Chan
3018874f69 Merge pull request #259 from gagliardetto/oauth2-fixed-state
CWE-352: Use of constant `state` in Oauth2 flow
2020-07-21 17:11:46 +01:00
Chris Smowton
09990f9764 Configure plugin AST printer to ignore comments and only print one file 2020-07-21 17:01:07 +01:00
Chris Smowton
b8c4004c59 PrintAst: support excluding comments 2020-07-21 17:01:07 +01:00
Chris Smowton
e0aa59ced1 PrintAst: improve support for restricting subsets of the AST to print
* Exclude function definitions, not just their children, when excluded by configuration
* Allow excluding files
* Test both features
2020-07-21 17:00:28 +01:00
Chris Smowton
a625a4c7d5 Merge pull request #263 from smowton/smowton/feature/order-functypeexpr-children
PrintAst: order parameter and result declarations
2020-07-21 15:47:26 +01:00
Andrew Eisenberg
f35343e618 Merge pull request #262 from aeisenberg/aeisenberg/print-ast
Add the printAst contextual query
2020-07-20 11:11:42 -07:00
Slavomir
02b5fce67e Add go.mod to CWE-352 test folder 2020-07-20 17:46:12 +03:00
Chris Smowton
ce0cc31b03 PrintAst: order parameter and result declarations
This adds support for generally overriding the default AstNode child ordering, and uses it to sort parameter and result declarations in the context of a FuncTypeExpr in left-to-right textual order.
2020-07-20 14:32:42 +01:00
Andrew Eisenberg
0ae1330c02 Add the printAst contextual query
This is similar to the cpp query for printing the AST in the
context of VS Code.

This PR also includes a small refactoring to extract the
`getEncodedFile` predicate to a new `qll` file.
2020-07-17 10:12:48 -07:00
Slavomir
27f62b0b3a Fix examples 2020-07-17 13:12:18 +03:00
Slavomir
ee2804dfb1 Improve comments 2020-07-17 11:01:25 +03:00
Slavomir
ee4356501a Apply suggestions from code review
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
2020-07-16 18:36:40 +03:00
Slavomir
fb78818db7 Fix .expected 2020-07-16 18:33:35 +03:00
Slavomir
ef7198c0cb Improve query scenarios 2020-07-16 18:29:15 +03:00
Slavomir
282f7af6d9 Improve comments, naming, docs 2020-07-16 12:52:41 +03:00
Slavomir
8cc8b8ef47 Add CWE-352: CSRF because of constant oauth2 state value 2020-07-16 12:38:08 +03:00
Chris Smowton
830f83f21a Merge pull request #257 from smowton/smowton/fix/go-mod-comment-group-indices
Extractor: assign unique indices to comment-groups in go.mod files
2020-07-13 15:40:14 +01:00
Chris Smowton
3ab948f81c Extractor: assign unique indices to comment-groups in go.mod files
The schema requires that (parent, index) is a key.
2020-07-13 11:28:28 +01:00
Sauyon Lee
32510eb2d0 Merge pull request #255 from max-schaefer/alias-types
Improve modelling of alias declarations
2020-07-10 21:07:48 -07:00
Max Schaefer
4eac5a1d4e Add test to demonstrate that aliases have entities.
There are, however, no corresponding types.
2020-07-10 14:41:15 +01:00
Max Schaefer
1a8688a8f4 Extract enough information to distinguish type definitions from alias declarations. 2020-07-10 14:12:51 +01:00
Max Schaefer
4257a68c27 Include newlines in messages printed by go-gen-dbscheme. 2020-07-10 14:08:37 +01:00
Max Schaefer
9347413e77 Merge pull request #254 from smowton/smowton/admin/fix-go-autoformat
Make the gofmt CI test actually fatal
2020-07-10 14:01:44 +01:00
Chris Smowton
d05657ddff Make the gofmt CI test actually fatal
Turns out gofmt doesn't actually return 1 when it finds problems, only when it finds source files which don't compile (all of which are now excluded).

This also fixes existing overlooked inconsistencies as a result of this mistake.
2020-07-10 11:02:50 +01:00
Max Schaefer
302eb55d23 Merge pull request #245 from smowton/smowton/feature/missing-error-check-query-conservative
Add query searching for missing error checks on functions that return a (pointer, error) pair
2020-07-09 15:37:32 +01:00
Chris Smowton
429a385a20 Add query searching for missing error checks on functions that return a (pointer, error) pair 2020-07-09 13:06:31 +01:00
Max Schaefer
02920abc62 Merge pull request #249 from smowton/smowton/feature/comment-group-ast-node-parents
Make CommentGroups AST-children of Files
2020-07-08 19:58:13 +01:00
Chris Smowton
6bf3802b3f Make CommentGroups AST-children of Files
Previously they were roots, with children hanging off them. Now they are children of Files, and both CommentGroups and Comments can be discovered using AstNode.getAChild.

The PrintAst pass is also adapted to account for their new position.
2020-07-08 17:49:47 +01:00
Max Schaefer
650cb5e626 Merge pull request #253 from smowton/smowton/admin/gofmt-in-ci
Add Go autoformatting to the 'autoformat' make target and to CI
2020-07-08 17:37:17 +01:00
Chris Smowton
ce94c68e0a Add Go autoformatting to the 'autoformat' make target and to CI
Existing gofmt complaints are fixed, and files that specifically test queries that relate to badly formatted code are tagged as such.
2020-07-08 14:20:19 +01:00
Max Schaefer
26eeb3c658 Merge pull request #252 from gagliardetto/patch-3
taint-tracking: String() must return a string type
2020-07-08 12:01:20 +01:00
Slavomir
59071732a8 taint-tracking: String() must return a string type
Make sure that the taint-tracking class for the `String()` method checks that the result type is a string.
2020-07-08 12:34:13 +03:00
Max Schaefer
bc778b5899 Merge pull request #243 from max-schaefer/cve-2019-11250
Improvements to clear-text logging query
2020-07-07 16:03:40 +01:00
Max Schaefer
3a897a9dd0 Merge pull request #247 from shati-patel/docs
Docs: Editorial changes to library modeling topic
2020-07-07 13:37:51 +01:00
Max Schaefer
b4c56928c4 Merge pull request #248 from max-schaefer/location-doc
Port Location qldoc update.
2020-07-07 13:37:36 +01:00
Max Schaefer
47a858610d Merge pull request #239 from smowton/smowton/feature/find-noreturn-user-functions
Switch from using mustPanic to mayReturnNormally to construct a call-expression's CFG
2020-07-07 13:37:18 +01:00
Chris Smowton
6e5ee47ade Switch from using mustPanic to mayReturnNormally to construct a call-expression's CFG
We also use this to note that user-defined functions can only return normally if their CFG normal exit node is reachable, and annotate some well-known functions as noreturn.

For example, this will by fiat declare os.Exit noreturn (never returns normally), and will also notice that a user function `func myExit() { os.Exit(1) }` is also noreturn, because it doesn't have any control-flow edges that reach the normal return node.
2020-07-07 11:40:06 +01:00
Max Schaefer
842860d7ca Port Location qldoc update.
cf https://github.com/github/codeql/pull/3907
2020-07-07 10:58:00 +01:00
Shati Patel
5ddcf92859 Editorial changes to library modeling topic 2020-07-07 10:02:33 +01:00