hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-31 04:38:18 +02:00
Code Issues Packages Projects Releases Wiki Activity
29,605 Commits 1,723 Branches 164 Tags
fd23fa94a5f5e86e14ee87b8ade2b45a70440fbb
Commit Graph

29605 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rasmus Wriedt Larsen
fd23fa94a5 Python: Remove dubious fstat* modeling 
These operate on file descriptors, and not on paths. file descriptors
doesn't fit into the rest of our modeling, so I would rather remove them
than to make it look like it's properly handled.

I also did not include any of the functions that work on file
descriptors when looking through all of `os`. So this keeps everything
consistent at least ;)
 2021-11-29 14:54:02 +01:00
Rasmus Wriedt Larsen
e79b8f3e23 Python: Treat os.exec*, os.spawn*, and os.posix_spawn* as FileSystemAccess 2021-11-29 14:54:02 +01:00
Rasmus Wriedt Larsen
d2d5cce787 Python: Recognize keyword arguments for os.*spawn* calls 2021-11-29 14:54:02 +01:00
Rasmus Wriedt Larsen
14590436f9 Python: Expand tests for os.exec*, os.spawn*, and os.posix_spawn* 2021-11-29 14:54:02 +01:00
Rasmus Wriedt Larsen
50d3592ad3 Python: Add more complete tests of os module 
I went through https://docs.python.org/3.10/library/os.html in order,
and added all the functions that works on paths.

`lstat` and `statvfs` were already modeled, but did not have any tests.
 2021-11-29 14:54:02 +01:00
Rasmus Wriedt Larsen
a91208fd2c Python: Fix kwarg modeling for os.path.isdir 2021-11-29 14:54:02 +01:00
Rasmus Wriedt Larsen
36f14b31bc Python: Add explicit tests for kwargs 
I also renamed the arguments to match what the keyword argument is
called. It doesn't matter too much for these specific tests, but for the
tests I'm about to add, it makes things a lot easier to get an overview
of.

Oh, and a test failure :O
 2021-11-29 14:54:02 +01:00
Rasmus Wriedt Larsen
82602014ad Python: Minor refactor to use os.path.<func> 
Since that's the idiomatic way to use this module
 2021-11-29 14:54:02 +01:00
Michael Nebel
e476cde985 Merge pull request #7255 from michaelnebel/csharp-effecpublic-flowsummary 
C#: Only include effectively public declarations in flow summaries
 2021-11-29 12:52:26 +01:00
Michael Nebel
e1539889ef C#: Update flow summaries tests 2021-11-29 11:35:02 +01:00
Michael Nebel
e24b15bbe7 C#: Only create flow summaries for declarations that are effectively public 2021-11-29 11:34:21 +01:00
Michael Nebel
9239d4042e Merge pull request #7230 from michaelnebel/csharp-update-netcoreapp-stub 
C#: Update the Microsoft.NETCore.App stub
 2021-11-29 10:08:59 +01:00
Tom Hvitved
fdc94365b4 Merge pull request #7178 from michaelnebel/csharp-flowsummary-pp-csv 
C#: Initial implementation of csv printing in FlowSummaries test
 2021-11-29 09:59:33 +01:00
Michael Nebel
d4f3a6d4bb C#: Review comments. Keep the TContent type pribate 2021-11-26 15:38:33 +01:00
Anders Schack-Mulligen
00ee34c0a0 Merge pull request #7237 from hvitved/dataflow/consistency-config 
Data flow: Introduce `ConsistencyConfiguration` class
 2021-11-26 12:49:25 +01:00
Anders Schack-Mulligen
57fd397cb3 Merge pull request #7239 from smowton/smowton/fix/useless-comparison-surrogates 
Range analysis and useless-comparison query: don't treat all unicode surrogates as if they are U+FFFD
 2021-11-26 09:00:36 +01:00
Chris Smowton
d3a4dadc7d Merge pull request #7240 from smowton/smowton/admin/derecognise-xxe-secure-processing 
Note that FEATURE_SECURE_PROCESSING isn't a sufficient defence against XXE
 2021-11-25 19:31:06 +00:00
Henry Mercer
aa9a8a0e22 Merge pull request #7244 from github/henrymercer/atm-specify-ml-models-globs 
JS: [Internal only] Add ML models specification to ATM query pack definition
 2021-11-25 18:20:45 +00:00
Henry Mercer
29eb66d772 JS: Add ML models to .gitignore 2021-11-25 17:06:37 +00:00
Henry Mercer
2af509595b JS: Add ML models specification to ATM query pack definition 
This will allow us to resolve the ATM machine learning models that will
be distributed within this pack.
 2021-11-25 16:42:38 +00:00
Chris Smowton
7ac5791c49 Update charLiterals.expected 2021-11-25 16:13:06 +00:00
Chris Smowton
ce63549425 Apply review comments 2021-11-25 15:20:35 +00:00
Chris Smowton
db39c0b8be CharacterLiteral.getCodePointValue: fix handling of surrogates 2021-11-25 14:07:21 +00:00
Anders Schack-Mulligen
a06642944f Merge pull request #7232 from aschackmull/dataflow/perf 
Data flow: Performance tuning
 2021-11-25 15:01:01 +01:00
Tom Hvitved
dc0b0445ed Merge pull request #7185 from hvitved/csharp/ssa/consistency-queries 
C#: Enable SSA consistency queries
 2021-11-25 14:04:01 +01:00
Chris Smowton
9540beeda9 Update java/ql/test/query-tests/security/CWE-611/DocumentBuilderTests.java 
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
 2021-11-25 12:52:08 +00:00
Chris Smowton
9eb9eb606e Note that FEATURE_SECURE_PROCESSING isn't a sufficient defence against XXE 2021-11-25 12:22:48 +00:00
Anders Schack-Mulligen
609d6011a2 Merge pull request #7229 from smowton/smowton/admin/document-xxe-sanitisation-policy 
Document XXE sanitisation policy
 2021-11-25 10:55:25 +01:00
Tom Hvitved
6cb00992e8 Data flow: Introduce ConsistencyConfiguration class 2021-11-25 10:01:47 +01:00
CodeQL CI
d3da790191 Merge pull request #6873 from erik-krogh/explicit-this 
Approved by esbena
 2021-11-24 15:23:35 -08:00
Chris Smowton
3c8f6e3c07 Merge pull request #6717 from luchua-bc/java/thread-resource-abuse 
Java: CWE-400 - Query to detect uncontrolled thread resource consumption
 2021-11-24 18:59:41 +00:00
Arthur Baars
4b3b1d2a8b Merge pull request #7222 from aibaars/ruby-ci-fix 
Ruby: fix CI jobs after removal of `.codeql-manifest.json`
 2021-11-24 17:16:52 +01:00
Erik Krogh Kristensen
1e752f305d apply the explicit this patch to new code 2021-11-24 15:26:19 +01:00
Erik Krogh Kristensen
08ce03cd93 Merge branch 'main' into explicit-this 2021-11-24 15:24:58 +01:00
Erik Krogh Kristensen
3bab8c6d1d Merge pull request #7173 from erik-krogh/getRubyInSync 
JS/PY/RB: get ReDoSUtil in sync for ruby
 2021-11-24 15:20:23 +01:00
Anders Schack-Mulligen
7ca3407c86 Dataflow: Sync. 2021-11-24 14:43:00 +01:00
Anders Schack-Mulligen
a7ec0fa900 Dataflow: Remove more disjunction-induced tuple duplication. 2021-11-24 14:39:49 +01:00
Michael Nebel
b9d0a60ce7 C#: Addressed review comments from hvitved 2021-11-24 14:35:52 +01:00
luchua-bc
b0031a0d85 Add local input test case and update qldoc 2021-11-24 13:30:50 +00:00
Tom Hvitved
1d1780b30f C#: Fix bug in getEnclosingCallable 2021-11-24 14:24:01 +01:00
Rasmus Wriedt Larsen
7dde52ced2 Merge pull request #7131 from RasmusWL/wsgiref.simple_server 
Python: Model `wsgiref.simple_server` applications
 2021-11-24 14:22:23 +01:00
Anders Schack-Mulligen
4efdcc22a2 Dataflow: Improve barrier handling. 2021-11-24 14:17:05 +01:00
Tom Hvitved
f85fa87f69 C#: Add test that illustrates problem with getEnclosingCallable 2021-11-24 13:59:29 +01:00
Rasmus Wriedt Larsen
2a5e0a3b77 Merge pull request #7145 from RasmusWL/remove-owasp-tags 
Python/Ruby: Remove owasp tags
 2021-11-24 13:56:48 +01:00
Rasmus Wriedt Larsen
e2652591a5 Python: Change perf fix PoorMansFunctionResolution 
Thanks @yoff, this leaves us with the following evaluation, which looks
very close to the one in the other fix (but with cleaner implementation)
-- both at 688k max tuples (although numbers are not exactly the same).

```
[2021-11-24 13:48:40] (14s) Tuple counts for PoorMansFunctionResolution::getSimpleMethodReferenceWithinClass#ff/2@e5f05asv after 74ms:
                      47493  ~3%     {3} r1 = JOIN Class::Class::getAMethod_dispred#ff WITH py_Classes ON FIRST 1 OUTPUT Lhs.1, 0, Lhs.0
                      47335  ~0%     {2} r2 = JOIN r1 WITH AstGenerated::Function_::getArg_dispred#fff ON FIRST 2 OUTPUT Rhs.2, Lhs.2
                      46683  ~0%     {2} r3 = JOIN r2 WITH DataFlowPublic::ParameterNode::getParameter_dispred#fb_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1
                      259968 ~4%     {2} r4 = JOIN r3 WITH LocalSources::Cached::hasLocalSource#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1
                      161985 ~0%     {3} r5 = JOIN r4 WITH Attributes::AttrRef::accesses_dispred#bff_102#join_rhs ON FIRST 1 OUTPUT Rhs.1 'result', Lhs.1, Rhs.2
                      161985 ~2%     {3} r6 = JOIN r5 WITH Attributes::AttrRead#class#f ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Lhs.0 'result'
                      688766 ~0%     {3} r7 = JOIN r6 WITH Function::Function::getName_dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1, Rhs.1 'func', Lhs.2 'result'
                      20928  ~0%     {2} r8 = JOIN r7 WITH Class::Class::getAMethod_dispred#ff ON FIRST 2 OUTPUT Lhs.1 'func', Lhs.2 'result'
                                     return r8
```
 2021-11-24 13:52:05 +01:00
Tom Hvitved
1d654d1eac C#: Restrict refReadBeforeWrite 2021-11-24 13:43:14 +01:00
Tom Hvitved
1739673202 C#: Enable SSA consistency queries 2021-11-24 13:43:14 +01:00
Chris Smowton
c74eac4930 Remove needless casts 2021-11-24 12:18:05 +00:00
Chris Smowton
cec91c4831 Update ThreadResourceAbuse.qhelp 2021-11-24 12:15:48 +00:00
Chris Smowton
5101a8e9f3 Fix qhelp test 2021-11-24 12:12:56 +00:00