hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-05 23:26:51 +01:00
Code Issues Packages Projects Releases Wiki Activity
44,407 Commits 1,703 Branches 162 Tags
fa1ae26fab83ba4c789ed85a8dc2d7dd3481f797
Commit Graph

44407 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Harry Maclean
fa1ae26fab Add change note 2022-10-03 09:46:01 +13:00
Harry Maclean
a5998fbe4d Ruby: Model ActionController::Parameters 
Add flow summaries for methods on ActionController::Parameters,
which mostly propagate taint from receiver to return value.
 2022-10-03 09:45:59 +13:00
Harry Maclean
ba83b7c6c7 Merge pull request #10599 from hmac/hmac/actioncontroller-datastreaming 
Ruby: Model send_file
 2022-10-03 09:44:05 +13:00
Alex Ford
5c32c8badf Merge pull request #10560 from alexrford/ruby/yaml-load_file 
Ruby: treat `Psych` and `YAML` as aliases for rb/unsafe-deserialization
 2022-10-02 20:19:10 +01:00
Erik Krogh Kristensen
17e6b2af37 Merge pull request #10557 from erik-krogh/csharp-followMsg 
C#: Update the alert messages to better follow the style guide
 2022-10-01 10:47:43 +02:00
erik-krogh
e2fe63f94a autoformat 2022-09-30 23:11:43 +02:00
Tom Hvitved
292bc67125 Merge pull request #10620 from hvitved/ruby/call-graph-protected-methods 
Ruby: Account for `protected` methods in call graph
 2022-09-30 19:31:36 +02:00
Tom Hvitved
dd7458acc8 Ruby: Add more call graph tests for protected methods 2022-09-30 16:24:34 +02:00
Tom Hvitved
32d002ed60 Merge pull request #10627 from hvitved/ruby/synthesis-reduce-non-linear-rec 
Ruby: Reduce size of input predicate for non-linear recursion
 2022-09-30 15:36:21 +02:00
Tamás Vajk
5017b21579 Merge pull request #10617 from tamasvajk/kotlin-op-calls 
Kotlin: extract operator expression when operator is in method call form
 2022-09-30 15:19:03 +02:00
Arthur Baars
d54a3059b4 Merge pull request #10642 from github/aibaars-patch-2 
Run QLHelp preview for all languages
 2022-09-30 15:13:48 +02:00
erik-krogh
318718c428 update expected output 2022-09-30 14:51:41 +02:00
Asger F
6e1914ad01 Merge pull request #10375 from asgerf/rb/summarize-loads-v2 
Ruby: type-tracking and API edges through simple library callables
 2022-09-30 14:25:17 +02:00
Tamas Vajk
121a5645b8 Kotlin: extract operator expression when operator is in method call form 2022-09-30 13:48:53 +02:00
Tamas Vajk
0f9b6d4a8b Kotlin: Add test cases for operators being called by name 2022-09-30 13:46:57 +02:00
erik-krogh
7098e7b102 change more queries to start with "This " 2022-09-30 13:29:18 +02:00
Nick Rolfe
ef8ec0878a Merge pull request #10641 from github/nickrolfe/a_an 
JS/Python/Ruby: s/a HTML/an HTML/
 2022-09-30 12:17:15 +01:00
CodeQL CI
b66e5c5aee Merge pull request #10634 from yoff/python/rewrite-typetrackers 
Approved by tausbn
 2022-09-30 03:55:35 -07:00
Arthur Baars
c7b01975c1 Run QLHelp preview for all languages 2022-09-30 12:08:05 +02:00
Tamás Vajk
ee59bdab25 Merge pull request #10624 from tamasvajk/kotlin-java-fn-equivalence-remove 
Kotlin: find java-kotlin equivalent functions by erased parameter types
 2022-09-30 12:00:46 +02:00
Ian Lynagh
9be2ca2f1e Merge pull request #10630 from igfoo/igfoo/ver0 
Kotlin: Make newerThan symmetric
 2022-09-30 10:52:42 +01:00
Nick Rolfe
ed74e0aad1 JS/Python/Ruby: s/a HTML/an HTML/ 2022-09-30 10:37:52 +01:00
Henti Smith
476960e699 Merge pull request #10625 from github/henti/ql_jobrunson 
Added job.getRunsOn
 2022-09-30 10:19:14 +01:00
Erik Krogh Kristensen
06ea829537 Merge pull request #10636 from erik-krogh/fixHardcoded 
JS: recognize another kind of dummy passwords to fix an FP in hardcoded-credentials
 2022-09-30 10:42:01 +02:00
Henti Smith
074fac8f2f Ran autoformatter on Actions.qll 2022-09-30 09:24:12 +01:00
Michael Nebel
82294c1349 Merge pull request #10622 from michaelnebel/ruby/postupdateassignexpr 
Ruby: Postupdate notes for assignment expressions.
 2022-09-30 10:00:02 +02:00
Michael Nebel
c867f2ba5b Merge pull request #10594 from michaelnebel/csharp/postupdatenotes 
C#: Postupdate notes for ternary expressions.
 2022-09-30 09:56:21 +02:00
Harry Maclean
4a39bc8f47 Merge pull request #10598 from hmac/hmac/actioncontroller-metal 
Ruby: Identify ActionController::Metal controllers
 2022-09-30 13:07:03 +13:00
erik-krogh
9f2d7dfb29 update expected output 2022-09-29 22:48:41 +02:00
erik-krogh
0a5ff1b79a recognize another kind of dummy passwords to fix an FP in hardcoded-credentials 2022-09-29 21:25:40 +02:00
yoff
8ab5617b51 Merge pull request #10539 from yoff/python/improve-API-graphs 
Python: add subscript to API graphs
 2022-09-29 21:05:22 +02:00
Rasmus Lerchedahl Petersen
84ab860600 python: rewrite type tracker for ldap operations 
There are several other clean ups I would like to do in this file,
but this can wait until we promote the query.
 2022-09-29 20:32:19 +02:00
Rasmus Lerchedahl Petersen
0654e39e72 python: rewrite type tracker for compiled regexes 
we have the option to use `regex.getAValueReachingSink`
rather than `regex.asSink`, but it will likely be used as a
sink for data flow.
 2022-09-29 20:30:29 +02:00
James Fletcher
7ffbc738fb Merge pull request #10632 from jf205/lgtm-updates 
Remove a mentions of LGTM.com from the README and style guides
 2022-09-29 19:29:32 +01:00
Henry Mercer
35e9e7d233 Merge pull request #10613 from github/henrymercer/atm-update-expected-output 
ATM: Update expected test output
 2022-09-29 17:57:51 +01:00
James Fletcher
8f6de12785 Merge branch 'main' into lgtm-updates 2022-09-29 17:37:54 +01:00
james
d75b1e399d remove a few mentions of LGTM.com 2022-09-29 17:29:03 +01:00
Ian Lynagh
66a8bc5a96 Kotlin: Make newerThan symmetric 
"0.0 last-modified 0" and "0.0 last-modified 123" were giving
different comparisons depending on which way round they were.
 2022-09-29 16:55:03 +01:00
Robert Marsh
9b03e1c0b1 Merge pull request #10609 from MathiasVP/overrun-write-only-flag-overrunning-write 
C++: Make `OverrunWriteProductFlow` raise alerts on overflows
 2022-09-29 10:03:05 -04:00
Tom Hvitved
a5fbe751f1 Ruby: Reduce size of input predicate for non-linear recursion 
Before, we would be recursive in all of `MethodCall::getMethodName`:

```
Evaluated named local Synthesis#d9ff06b1::AssignOperationDesugar::SetterAssignOperation::getCallKind#ffff#shared#3@Synthesi in 9803ms on iteration 14 (size: 31006941).
Evaluated relational algebra for predicate Synthesis#d9ff06b1::AssignOperationDesugar::SetterAssignOperation::getCallKind#ffff#shared#3@Synthesi on iteration 14 running pipeline main with tuple counts:
          256419  ~1%    {2} r1 = SCAN Call#841c84e8::MethodCall::getMethodName#0#dispred#ff#prev_delta OUTPUT In.1, In.0
        31006941  ~8%    {4} r2 = JOIN r1 WITH Synthesis#d9ff06b1::MethodCallKind#ffff#prev ON FIRST 1 OUTPUT Lhs.1, Rhs.1, Rhs.2, Rhs.3
                         return r2
```

Now, we have restricted that to only the relevant method names.
 2022-09-29 15:59:11 +02:00
Asger F
ed36f1983b Python: sync TypeTracker.qll 2022-09-29 15:57:09 +02:00
Asger F
ae60b0ae6d Ruby: ensure pruning works with startInContent 2022-09-29 15:54:51 +02:00
Henti Smith
700eaf5e41 Added JobRunson 2022-09-29 14:19:02 +01:00
Mathias Vorreiter Pedersen
4e3b445515 C++: Accept test changes. 2022-09-29 13:35:23 +01:00
Mathias Vorreiter Pedersen
70837dbd93 C++: Use range analysis to properly deduce the initial 'state2' instead of traversing the AST. Also fix state-passing related to negative states. 2022-09-29 13:32:39 +01:00
Mathias Vorreiter Pedersen
6537c817ef C++: Add more CWE-199 tests that allocates memory based on the result of a SubExpr. 2022-09-29 13:31:34 +01:00
Tamas Vajk
b79c10c419 Kotlin: find java-kotlin equivalent functions by erased parameter types 2022-09-29 14:29:22 +02:00
Tamas Vajk
64c953bee0 Kotlin: add test for not found equivalent of MutableList.remove 2022-09-29 14:24:09 +02:00
Michael Nebel
dd0f19d0b0 Ruby: Update expected test output. 2022-09-29 14:12:20 +02:00
Michael Nebel
999eb19c3d Ruby: Support postupdate notes for assignment expressions. 2022-09-29 14:12:20 +02:00