hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-29 06:12:58 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,745 Commits 1,684 Branches 159 Tags
f083e87fa159904b2cf2d89657b78dfdc87ef098
Commit Graph

33745 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Erik Krogh Kristensen
f083e87fa1 refactor the js/xss query to use three flowlabels and one configuration 2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen
87842bb8b7 add client-side-url sinks that may execute JavaScript as XSS sinks 2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen
b471fec149 split interpretsArgumentsAsURL out of interpretsArgumentsAsHTML, and use it to generalize AttributeUrlSink 2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen
2576e1f655 add utility predicate to get client-side remote-flow-sources that contain a URL query/fragment 2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen
67e6a4c716 add a isXSSSink predicate to the client-side-url-redirection sinks 2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen
fc79242674 add tests 2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen
559f03ebbc remove unnecessary module qualifier 2022-03-16 22:32:07 +01:00
Erik Krogh Kristensen
2d9d383c55 remove unused import 2022-03-16 22:32:07 +01:00
Jeroen Ketema
7a9a9d833a Merge pull request #8435 from jketema/all-the-barriers 
Add flow state versions of isBarrierIn, isBarrierOut, and isBarrierGuard
 2022-03-16 15:50:19 +01:00
Michael Nebel
68f24cda0b Merge pull request #8462 from michaelnebel/csharp/capture-models-fix-bad-join-order 
C#: Fix bad join order in returnNodeAsOutput.
 2022-03-16 15:46:17 +01:00
Dave Bartolomeo
e669ffa22e Merge pull request #8320 from jketema/structured-binding-array 
C++: Handle initialization of structured bindings via bitwise copy in extractor
 2022-03-16 09:41:31 -04:00
Michael Nebel
5f7b5ec5df C#: Fix bad join order in returnNodeAsOutput. 2022-03-16 13:44:11 +01:00
Nick Rolfe
f6681f30c6 Merge pull request #8399 from github/nickrolfe/simple_symbol_constant_value 
Ruby: implement getComponent(n) for simple and hash-key symbols
 2022-03-16 12:10:39 +00:00
Nick Rolfe
94ce578ea4 Ruby: implement getComponent(n) for simple and hash-key symbols 2022-03-16 11:43:46 +00:00
Nick Rolfe
76918238f0 Ruby: test ExprCfgNode::getConstantValue() 2022-03-16 11:21:57 +00:00
Erik Krogh Kristensen
f53df255b9 Merge pull request #8459 from erik-krogh/addSeverities 
JS: add missing @security-severity to JS queries
 2022-03-16 12:03:19 +01:00
Nick Rolfe
82ef2a12f6 Merge pull request #8164 from github/nickrolfe/escape_sequences 
Ruby: interpret string escape sequences in getConstantValue()
 2022-03-16 10:45:39 +00:00
Nick Rolfe
1a850028e7 Ruby: update date in changenote filename 2022-03-16 10:32:43 +00:00
Erik Krogh Kristensen
cd9d61c1fc Merge pull request #8450 from erik-krogh/importAs 
disallow lowercase import-as aliases
 2022-03-16 11:32:37 +01:00
Jeroen Ketema
37293141ee Merge pull request #8428 from jketema/noreturn 
C++: Handle C11 _Noreturn in DefaultOptions
 2022-03-16 11:23:23 +01:00
Erik Krogh Kristensen
d47b0a68e7 exclude tests from ql/missing-security-metadata 2022-03-16 10:40:45 +01:00
Erik Krogh Kristensen
2442beaf9a add missing severities to JS queries 2022-03-16 10:40:34 +01:00
Jeroen Ketema
d51cbe2525 C++: Update IR tests for handling of bitwise copy with explicit source 2022-03-15 23:22:37 +01:00
Jeroen Ketema
8be02b164c C++: Add IR tests exposing incorrect translation due to unhandled bitwise copy 
These tests are in addition to exisiting tests involving default copy
constructors, which suffer from the same problem, i.e., the extractor not
handling bitwise copies.
 2022-03-15 23:22:37 +01:00
Jeroen Ketema
2894bb0933 C++: Use correct change note file name format 2022-03-15 23:21:14 +01:00
Jeroen Ketema
638b2cac04 C++: Add change note on _Noreturn/noreturn in C11 2022-03-15 23:21:14 +01:00
Jeroen Ketema
1a1c34e1be C++: Handle C11 _Noreturn in DefaultOptions 2022-03-15 23:21:14 +01:00
Erik Krogh Kristensen
b45f56ac08 Merge pull request #8431 from erik-krogh/deadCode 
Delete dead code
 2022-03-15 20:09:06 +01:00
Mathias Vorreiter Pedersen
57922f56ee Merge pull request #8424 from ihsinme/ihsinme-patch-fix077 
Detection reduction on request
 2022-03-15 16:17:47 +00:00
Mathias Vorreiter Pedersen
05758181bb Merge pull request #7884 from rdmarsh2/rdmarsh2/template-implicit-copy-constructor 
C++: fix hasImplicitCopyConstructor for templates
 2022-03-15 15:32:05 +00:00
Anna Railton
a08246a2a7 Merge pull request #8448 from github/annarailton-patch-1 
Add docstring to `ExtractEndpointMapping.ql`
 2022-03-15 14:54:45 +00:00
Erik Krogh Kristensen
b0fc958b32 simplify imports 
Co-authored-by: Henry Mercer <henry.mercer@me.com>
 2022-03-15 15:10:04 +01:00
Erik Krogh Kristensen
57db7633c8 C#: make csharp import private 2022-03-15 14:59:06 +01:00
Erik Krogh Kristensen
89af50f6d5 rename all lower-case import-as statements 2022-03-15 14:40:38 +01:00
Erik Krogh Kristensen
54582438a1 QL: recognize the names defined by import as statements 2022-03-15 14:29:33 +01:00
Anna Railton
739d94e8f9 Add docstring to ExtractEndpointMapping.ql 2022-03-15 12:50:51 +00:00
Erik Krogh Kristensen
3067231b1a Merge pull request #8253 from erik-krogh/domWrite 
JS: merge hasDominatingWrite and hasDominatingAssignment
 2022-03-15 13:37:00 +01:00
Erik Krogh Kristensen
154d0171d3 Merge pull request #8438 from erik-krogh/apiDisable 
JS: add some API-nodes to js/disabling-certificate-validation
 2022-03-15 12:56:59 +01:00
Mathias Vorreiter Pedersen
9f014be7c7 Merge pull request #8447 from MathiasVP/add-missing-security-severity 
C++: Add missing `security-severity` tags
 2022-03-15 11:29:28 +00:00
Joe Farebrother
8acd8ea01f Merge pull request #8446 from joefarebrother/sensitive-logging 
Java: Add security severity to sensitive logging query
 2022-03-15 11:17:46 +00:00
Jeroen Ketema
157a36bc4f Use node variable in all disjuncts 2022-03-15 11:55:35 +01:00
Jeroen Ketema
9a0e94f389 Add flow state versions of isBarrierIn, isBarrierOut, and isBarrierGuard 2022-03-15 11:55:34 +01:00
Mathias Vorreiter Pedersen
7337ebd569 C++: Add missing 'security-severity' tags. 2022-03-15 10:54:36 +00:00
Mathias Vorreiter Pedersen
9642e59349 Merge pull request #8382 from MathiasVP/use-taint-configuration-in-three-more-queries 
C++: Use a `TaintTracking::Configuration` in three more queries
 2022-03-15 10:43:05 +00:00
Joe Farebrother
e4a16cc700 Add security severity 2022-03-15 10:42:41 +00:00
Tony Torralba
6d5414281e Merge pull request #8437 from atorralba/atorralba/missing-security-severity-query 
Added MissingSecurityMetadata query
 2022-03-15 11:42:41 +01:00
Henry Mercer
f38b498eed Merge pull request #8433 from github/henrymercer/js-atm-remove-isEffectiveSinkWithOverridingScore 
JS: Remove `isEffectiveSinkWithOverridingScore` from ML-powered libraries
 2022-03-15 10:04:30 +00:00
Tony Torralba
6f484d3d64 Merge pull request #8440 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2022-03-15 10:58:27 +01:00
Tony Torralba
fd4c9fd543 Cover a missing @tag security when @security-severity is used 2022-03-15 10:39:42 +01:00
Tony Torralba
82b2fd2d23 Exclude queries without precision 2022-03-15 10:22:10 +01:00