Commit Graph

974 Commits

Author SHA1 Message Date
Owen Mansel-Chan
f279fa17af (clean-up) Move comment 2021-02-02 11:03:52 +00:00
Sauyon Lee
48a52cfd2f Merge pull request #437 from sauyon/goproxy
Model elazarl/goproxy
2021-01-28 06:05:52 +00:00
Chris Smowton
93aaa74c8c Merge pull request #451 from sauyon/gokit
Add gokit models
2021-01-27 17:47:22 +00:00
Sauyon Lee
53b468174f Make InsecureHostnameRegex check for rejecting handlers 2021-01-27 17:38:22 +00:00
Sauyon Lee
4712afae83 Add models for github.com/elazarl/goproxy 2021-01-27 17:38:02 +00:00
Sauyon Lee
b0ddf4b68b Add model for net/http.Error 2021-01-27 17:38:02 +00:00
Sauyon Lee
bf9bba79c2 Add getHeaderValue predicate to HTTP::HeaderWrite 2021-01-27 17:38:01 +00:00
Sauyon Lee
39c33c5db1 Add HTTP handler concept 2021-01-27 17:38:01 +00:00
Owen Mansel-Chan
b76ff0d233 Merge pull request #461 from owen-mc/avoid-unused-barrier-guards-in-scope
Move reused barrier guards into separate files
2021-01-26 06:08:29 +00:00
Owen Mansel-Chan
bf0f0aff5e Move reused barrier guards into separate files
This way only the barrier guards that are used will be imported.
This is important because of the comment above BarrierGuard, which
warns about the potential danger of having classes that extend
BarrierGuard in scope which are not used.
2021-01-25 17:07:18 +00:00
Sauyon Lee
3ed9e66c7a Add gokit models 2021-01-25 08:15:14 -08:00
Owen Mansel-Chan
71d52500f7 Make PathContainmentCheck more specific
Recent changes to Property.checkOn mean that in the code
  err == nil && <unrelated-condition>
PathContainmentCheck matches the first condition and the whole &&
expression. Originally it would have only matched the first condition,
and this commit restores that behaviour. This pattern appears 3 times in
the tests, which all still pass.
2021-01-25 15:05:57 +00:00
Max Schaefer
bc74bcec21 Merge pull request #459 from owen-mc/update-barrier-guard-comment
Make comment on BarrierGuard more specific
2021-01-25 14:34:20 +00:00
Owen Mansel-Chan
f8c3fbf845 Merge pull request #454 from owen-mc/default-taint-sanitizer-guard-equality-test-guard
Make EqualityTestGuard a default taint sanitizer guard
2021-01-25 14:24:08 +00:00
Owen Mansel-Chan
06c6ceda50 Make comment on BarrierGuard more specific
The problem that this comment is trying to warn about is the following:
say you have two subclasses of BarrierGuard BG1 and BG2, both of which
contain some node g. Also assume that you have a configuration C which
specifies BG1 as a barrier guard, but not BG2. Because g is contained in
both classes, you will then still get the barrier guard definition from
BG2 due to the way dynamic dispatch works in QL.
2021-01-25 13:16:23 +00:00
Owen Mansel-Chan
71f2ed36f2 Make EqualityTestGuard a default taint sanitizer guard
It will apply to all configurations, not just those involving Xss.
2021-01-22 17:38:26 +00:00
Owen Mansel-Chan
7339f3e095 Reuse existing class instead of repeating it
This is already done elsewhere.
2021-01-20 16:11:33 +00:00
Owen Mansel-Chan
e2a79f400e Make use of this explicit
It makes it easier to understand the code.
2021-01-19 15:55:02 +00:00
Owen Mansel-Chan
903ff33b0d Add class for default taint sanitizer guards
This allows us to specify taint sanitizer guards that apply in
all configurations.
2021-01-18 10:51:59 +00:00
Owen Mansel-Chan
83c26a3594 Improve predicate name
Renamed `defaultTaintSanitizer` to `isDefaultTaintSanitizer`.
2021-01-18 10:50:26 +00:00
Owen Mansel-Chan
6219a28b13 Update Architectures.qll 2021-01-15 14:01:01 +00:00
Owen Mansel-Chan
2f9c1a6049 Merge pull request #452 from owen-mc/package-path
Use `package()` for package paths not in the standard library
2021-01-15 07:25:06 +00:00
Owen Mansel-Chan
5e2c066e8b Use package() for package paths not in the standard library
This has the advantage that it deals with versioning. For example,
`package("a.io", "b")` matches "a.io/v2/b"
as well as "a.io/b".

At the same time I have created `packagePath()` predicates where they
seemed useful and tried to standardise them a bit.
2021-01-14 17:11:23 +00:00
Owen Mansel-Chan
62052a8772 Merge pull request #449 from owen-mc/model-couchbase-gocb
Model Couchbase Go library
2021-01-14 17:00:05 +00:00
Owen Mansel-Chan
a6b5e8b1db Remove distinct between package paths for v1 and v2 2021-01-14 15:48:21 +00:00
Owen Mansel-Chan
a5ac947d16 Model Couchbase v2 NoSQL queries 2021-01-13 09:18:54 +00:00
Owen Mansel-Chan
7fc88ad85b Model Couchbase v1 NoSQL query sinks 2021-01-13 09:18:54 +00:00
Owen Mansel-Chan
a973ce4539 Model Couchbase gocb v1 2021-01-13 09:18:54 +00:00
Owen Mansel-Chan
9a51de56de Add comment explaining \Q and \E in regex 2021-01-12 16:56:04 +00:00
Owen Mansel-Chan
9236ad752b Improve formatting and style in Gin.qll 2021-01-12 16:56:04 +00:00
Owen Mansel-Chan
71774ed2d4 Remove redundant code
RawMessage implements Marshaler and Unmarshaler, so these methods are
covered by the two sections below.
2021-01-12 16:56:04 +00:00
Owen Mansel-Chan
57ee3a8a64 Use set literal 2021-01-12 16:56:04 +00:00
Owen Mansel-Chan
fe1f08fb12 Use existing predicate
There already exists the predicate
implements(string pkg, string tp, string name)
which does exactly what this code does.
2021-01-12 16:55:51 +00:00
Sauyon Lee
7a4dbc6fa7 Autoformatter update 2021-01-12 13:13:15 +00:00
Chris Smowton
83cee4a334 Add 'git' as a possible command-interpreter, unless arguments are sanitized using "--"
This is because some git flags can specify arbitrary commands to execute, but its positional arguments cannot, and "--" like in many commands instructs git to consume no further flags.
2021-01-07 11:54:41 +00:00
Chris Smowton
2b608e5822 Merge remote-tracking branch 'origin/rc/1.26' into HEAD 2021-01-04 15:32:15 +00:00
Tom Payne
9bbdf86487 Support more regexp anchors 2020-12-23 14:04:33 +01:00
Owen Mansel-Chan
d184f245ed Use implements for interface methods
This means we will find more things.
2020-12-17 12:42:18 +00:00
Owen Mansel-Chan
dcb6cc3a7c Merge pull request #434 from owen-mc/model-kubernetes-secret
Model Secret and SecretList from k8s.io/api/core/v1
2020-12-16 17:17:21 +00:00
Chris Smowton
8060993b3b Merge pull request #430 from smowton/smowton/feature/model-beego-orm
Model the Beego ORM subpackage
2020-12-16 16:08:18 +00:00
Owen Mansel-Chan
0cb0879381 Model Secret and SecretList from k8s.io/api/core/v1 2020-12-16 16:03:48 +00:00
Chris Smowton
44a63b2f94 Model the Beego ORM subpackage 2020-12-16 14:39:58 +00:00
Owen Mansel-Chan
87f2cad475 Merge pull request #427 from owen-mc/model-kubernetes-secret
Model kubernetes SecretInterface
2020-12-15 17:12:45 +00:00
Owen Mansel-Chan
6ca2e0e38e Add SecretInterface as source for cleartext logging query 2020-12-15 16:00:58 +00:00
Owen Mansel-Chan
8fd055bc60 Model SecretInterface from k8s.io/client-go/kubernetes/typed/core/v1 2020-12-15 16:00:51 +00:00
Chris Smowton
8e7abbac0a Model Beego web framework
This excludes the ORM, email and validation components, which I will follow up with separately.
2020-12-15 14:04:36 +00:00
Chris Smowton
8b6f229bd3 SafeUrlFlow: allow libraries to add sources 2020-12-15 14:01:59 +00:00
Jason Rogers
3a83fbd765 Refactor HTTP module
This makes it easier to identify related classes and support future expansion.
2020-12-14 07:16:24 -08:00
Owen Mansel-Chan
e4316768ef Merge pull request #426 from owen-mc/model-k8s-io-apimachinery-pkg-runtime
Model k8s.io/apimachinery/pkg/runtime
2020-12-09 09:16:47 +00:00
Owen Mansel-Chan
e5fb401d50 Model runtime 2020-12-09 06:45:08 +00:00