hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-30 23:02:56 +01:00
Code Issues Packages Projects Releases Wiki Activity
1,527 Commits 1,684 Branches 159 Tags
e5fb401d5045e8aeb494412d475df61c3701cb85
Commit Graph

1527 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Owen Mansel-Chan
e5fb401d50 Model runtime 2020-12-09 06:45:08 +00:00
Chris Smowton
6b8003b0f2 Merge pull request #420 from smowton/smowton/admin/upgrade-codeql-240-and-autoformat 
Upgrade CI toolchain to CodeQL 2.4.0
 2020-12-07 14:16:19 +00:00
Chris Smowton
563f74bd45 Upgrade CI toolchain to CodeQL 2.4.0 
Also reformat code (the autoformatter has changed slightly)
 2020-12-07 12:35:07 +00:00
Chris Smowton
a794e05c74 Merge pull request #417 from smowton/smowton/fix/reduce-symlink-loop-finding-cost 
Unsafe-unzip-symlinks: reduce cost of `getAnEnclosingLoop`
 2020-12-03 12:21:38 +00:00
Chris Smowton
c1669d732b Unsafe-unzip-symlinks: reduce cost of getAnEnclosingLoop 
This used to get the closest enclosing loops of all expressions; now it is restricted to those surrounding interesting expressions.
 2020-12-02 14:33:38 +00:00
Chris Smowton
f9fc01bd73 Merge pull request #415 from smowton/smowton/feature/errorf-returns-non-nil 
Note that `fmt.Errorf` returns non-nil
 2020-12-01 12:04:23 +00:00
Owen Mansel-Chan
8c33979425 Merge pull request #388 from owen-mc/untrusted-data-flow-to-external-api 
Untrusted data flow to external API
 2020-12-01 11:25:58 +00:00
Chris Smowton
5d17b27770 Note that fmt.Errorf returns non-nil 
This enables recognising more guarding functions that return nil/non-nil conditional on a barrier guard.
 2020-11-30 19:10:58 +00:00
Chris Smowton
3338a0b10d Merge pull request #402 from smowton/smowton/feature/zipslip-more-generous-sanitisers 
ZipSlip: redefine sources closer to their origin, and make sanitizers more generous
 2020-11-27 18:25:07 +00:00
Owen Mansel-Chan
bfbf102408 Remove restriction on void and boolean-returning methods 
When the taint was in the receiver, we were excluding methods which
return nothing or a boolean.
 2020-11-27 16:51:24 +00:00
Owen Mansel-Chan
7730d66d76 Apply suggestions from code review 
Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
 2020-11-27 16:17:54 +00:00
Chris Smowton
70015b2c32 Add tests for zipslip using a utility function to check that the archive header is safe 
Note this currently contains some cases that are safe but are still flagged, because of weaknesses in the guardingFunction predicate.
 2020-11-27 15:11:57 +00:00
Sauyon Lee
627241aaa5 Merge pull request #401 from sauyon/stored-command 
Add stored command query
 2020-11-27 06:37:02 -08:00
Chris Smowton
1eb8fff7e1 ZipSlip: redefine sources closer to their origin, and make sanitizers more generous. 
Previously we considered certain fields of `tar` or `zip` file headers to be sources, but this meant subsequent references to the same field were not considered sanitized. For example, at least some real-world projects used a pattern like `if isIllegalPathTraversal(hdr.Name) { return nil; } ... /* other code using hdr.Name */`. By associating a source with the field-read `.Name` rather than the header itself, we were unable to see that the subsequent read was guarded by the sanitizer function.

Relatedly, it is common to use some intermediary taint-propagating function, as in `clean(s string) { if strings.HasPrefix("..", filepath.Clean(filepath.Join(target, s))) ...`, in the implementation of a sanitizer. We now follow the taint propagation (locally) backwards towards the function parameter, marking the predecessor functions and ultimately the parameter `s` as sanitized in addition to the direct argument to `strings.HasPrefix`. Existing sanitizing-function logic can then sometimes lift this out into the caller too.
 2020-11-27 13:57:25 +00:00
Chris Smowton
f775adf306 Merge pull request #404 from smowton/smowton/feature/improved-guarding-function 
Recognise many more guarding functions
 2020-11-27 13:56:31 +00:00
Chris Smowton
c6f14de065 Merge pull request #413 from smowton/smowton/admin/document-cond-root-etc 
Clarify naming and add documentation around `hasSemantics` and cousins
 2020-11-26 16:59:07 +00:00
Owen Mansel-Chan
0ee00d8647 Apply suggestions from code review 
Co-authored-by: Chris Smowton <smowton@github.com>
 2020-11-26 16:49:02 +00:00
Owen Mansel-Chan
bf78189e21 Make two separate queries 2020-11-26 14:59:13 +00:00
Owen Mansel-Chan
dec7967c7a Update qhelp files 2020-11-26 14:57:56 +00:00
Owen Mansel-Chan
e7697963d3 Exclude local function pointers 2020-11-26 14:57:56 +00:00
Owen Mansel-Chan
05fe388ba3 Mark hashing functions as safe 
See https://github.com/github/codeql-go-team/issues/219 for issue to
model this better
 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
d3bef7fc4f Model safe external APIs 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
4184a6ecd8 Add testing frameworks 
Add "github.com/golang/mock/gomock", several packages under
"github.com/stretchr/testify", £gotest.tools/assert",
"k8s.io/client-go/testing" and "testing"
 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
410cf49af8 Shorten function using set literal 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
18c66e84f7 Make more package paths accessible 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
171e433593 Exclude test files 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
fe5822ae3a Exclude functions in packages which have some modeled functions 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
ff542508aa Exclude sinks from common queries 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
b698276e3a Update function name to give better text output 2020-11-26 14:57:55 +00:00
Owen Mansel-Chan
50a32f47d5 First draft 2020-11-26 14:57:50 +00:00
Chris Smowton
fb814e949d Clarify naming and add documentation around hasSemantics and cousins 2020-11-26 13:34:58 +00:00
Chris Smowton
2377337564 Treat functions that directly return a BarrierGuard like BarrierGuards themselves 2020-11-26 13:27:53 +00:00
Chris Smowton
387a13f22a Add support for barrier guards in functions that indicate success by returning nil 
Typically these are returning a nil error when sanitization succeeds.
 2020-11-24 12:39:05 +00:00
Chris Smowton
7bbf9ed860 Merge pull request #410 from github/lgtm.com 
Merge lgtm.com into main
 2020-11-23 17:17:42 +00:00
Sauyon Lee
0bf09307cf Add StoredCommand query 2020-11-23 02:11:44 -08:00
Sauyon Lee
793d6f6053 Merge pull request #399 from sauyon/stored-xss 
Add stored XSS query
 2020-11-19 23:23:21 -08:00
Chris Smowton
93a7cc944a Merge pull request #403 from smowton/smowton/fix/type-assertion-dataflow 
Add data-flow edge `from -> to` in the context `to, ok := from.(*Type)`
 2020-11-19 16:13:55 +00:00
Chris Smowton
c93b2b709d Merge pull request #407 from smowton/smowton/fix/isunreachableincall-slowness 
Improve join order in `isUnreachableInCall`
 2020-11-19 11:22:48 +00:00
Chris Smowton
38e383858e Merge pull request #394 from smowton/smowton/feature/unsafe-unzip-symlink 
Add query checking for unpacking of symlinks without using EvalSymlinks to spot existing ones.
 2020-11-18 19:10:18 +00:00
Chris Smowton
d1f607ccd8 Improve join order in isUnreachableInCall 2020-11-18 19:06:52 +00:00
Owen Mansel-Chan
7433d448d9 Merge pull request #406 from owen-mc/update-dataflow-libs-2 
Update dataflow libs 2
 2020-11-17 21:17:52 +00:00
Chris Smowton
3d8470e1e2 Add and use TypeCastNode::getResultType 
This can differ from `getType` when a `TypeAssertExpr` returns a (result, ok) pair.
 2020-11-17 16:03:33 +00:00
Owen Mansel-Chan
ce67418cdc Update tests 
These changes match those in https://github.com/github/codeql/pull/4440
 2020-11-17 15:48:50 +00:00
Owen Mansel-Chan
d3154d0aa7 Sync dataflow libraries 
`make sync-dataflow-libraries`
 2020-11-17 15:48:50 +00:00
Owen Mansel-Chan
4bfe088c0f Update dataflow branch from master to main 2020-11-17 15:48:50 +00:00
Chris Smowton
1d850873f3 Add data-flow edge from -> to in the context to, ok := from.(*Type) 2020-11-17 10:59:59 +00:00
Chris Smowton
79c010a601 Move unsafe-unzip-symlink query into qll file and give it customization points. 2020-11-16 09:57:26 +00:00
Chris Smowton
500d78dafa Include os.Readlink as a probable sanitiser. 
A couple of projects seem to walk links one unit at a time, rather than just throwing `EvalSymlinks` at the whole potentially suspect path.
 2020-11-16 09:57:26 +00:00
Chris Smowton
2193642c6e Expand query to notice Symlink and archive iterator calls that do not directly share a loop 
We look across function-call boundaries to check there is some common enclosing loop, but false-positives are more likely if in practice there is no control-flow path from the archive iterator to the Symlink call and back.
 2020-11-16 09:57:26 +00:00
Chris Smowton
1a2c209259 Add query checking for unpacking of symlinks without using EvalSymlinks to spot existing ones. 
This is usually dangerous because (if the archive is untrusted) the intent is usually to permit within-archive symlinks, e.g. dest/a/parent -> .. -> dest/a is an acceptable link to unpack. However if EvalSymlinks is not used to take already-unpacked symlinks into account, it becomes possible to sneak tricks like dest/escapes -> dest/a/parent/.. through, which create links leading out of the archive for later abuse.
 2020-11-16 09:57:26 +00:00