hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-11 20:51:06 +01:00
Code Issues Packages Projects Releases Wiki Activity
21,937 Commits 1,689 Branches 160 Tags
fdcc517b9fcb8917775feb5977cb050d4bfc9f94
Commit Graph

21937 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
haby0
fdcc517b9f UseOfLessTrustedSource -> ClientSuppliedIpUsedInSecurityCheck" 2021-04-30 17:43:34 +08:00
haby0
f41301f8f5 Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-30 16:55:17 +08:00
haby0
0691cac5ab Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-30 16:54:41 +08:00
haby0
8142810455 Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-30 16:54:28 +08:00
haby0
711a74c9c9 Eliminate false positives\ 2021-04-30 10:31:40 +08:00
haby0
e813257431 use hardCode 2021-04-29 21:23:52 +08:00
haby0
b0f745365d Node type restriction 2021-04-28 14:32:25 +08:00
haby0
5be9fbbc5a Remove LogOperationSink and PrintSink 2021-04-27 14:12:33 +08:00
haby0
407dcea751 add String type startsWith 2021-04-22 19:20:54 +08:00
haby0
1712d01b74 Merge branch 'UseOfLessTrustedSource' of https://github.com/haby0/codeql into UseOfLessTrustedSource 2021-04-22 19:02:23 +08:00
haby0
9b4442be8b Fix some errors 2021-04-22 19:01:55 +08:00
haby0
aaef4ef22b Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-22 18:52:55 +08:00
haby0
454324781d delete IfStmt 2021-04-22 11:59:33 +08:00
haby0
84f00c21df update IfConditionSink. 2021-04-21 15:38:41 +08:00
haby0
3e376f95c4 Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-20 19:36:16 +08:00
haby0
b1ee864ad9 Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-20 19:35:52 +08:00
haby0
9e87f4ec4e Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-20 19:35:34 +08:00
haby0
408dd31d3c Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-20 19:34:37 +08:00
haby0
9ece4dac0f Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-20 19:33:47 +08:00
haby0
d82878ac3b Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-20 19:33:06 +08:00
haby0
0b1637a409 Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-20 19:32:39 +08:00
haby0
b60bffaf83 Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-20 19:31:59 +08:00
haby0
0053158884 update qhelp file and ql comments 2021-04-20 10:58:54 +08:00
haby0
0159956fa5 Fix Modify the ql query (the qhelp part is not modified). 2021-04-19 21:03:01 +08:00
haby0
8296abcea8 Fix Modify the ql query (the qhelp part is not modified). 2021-04-19 20:59:47 +08:00
haby0
23b508c5e7 Merge remote-tracking branch 'upstream/main' into UseOfLessTrustedSource 2021-04-19 20:05:49 +08:00
Chris Smowton
36abf8733e Merge pull request #5714 from aschackmull/java/add-misc-qltests 
Java: Add a few qltests
 2021-04-19 13:00:10 +01:00
Anders Schack-Mulligen
29aec0d770 Java: Adjust expected output. 2021-04-19 13:16:46 +02:00
Anders Schack-Mulligen
c5193cf03f Apply suggestions from code review 2021-04-19 13:14:56 +02:00
Anders Schack-Mulligen
06514159be Java: Add XXE tests. 2021-04-19 10:58:21 +02:00
Anders Schack-Mulligen
daad62c4e0 Java: Add TaintedPath test. 2021-04-19 10:07:03 +02:00
Jonas Jensen
1ab75eb6f4 Merge pull request #5708 from github/fix-id-in-JsonpInjection-1 
Java: Fix id in experimental JsonpInjection.ql query
 2021-04-19 08:23:34 +02:00
yoff
118840dad4 Merge pull request #5690 from tausbn/python-disallow-post-update-nodes-as-local-source-nodes 
Python: Disallow `PostUpdateNode` as `LocalSourceNode`
 2021-04-19 06:56:11 +02:00
Mathias Vorreiter Pedersen
e36b42a03f Java: Fix invalid id in experimental query 
The invalid id broke CI here: https://github.com/github/codeql/pull/5703 (see https://github.slack.com/archives/CPSEA0G22/p1618602834224600)
 2021-04-17 09:47:15 +02:00
Shati Patel
5c2bf68a05 Merge pull request #5692 from tamasvajk/feature/doc-cs9 
Update supported C#/.NET versions
 2021-04-16 16:22:06 +01:00
Rasmus Wriedt Larsen
3c8ea167c4 Merge pull request #5668 from tausbn/python-use-api-graphs-in-fabric 
Python: Use API graphs in Fabric model
 2021-04-16 14:27:55 +02:00
Rasmus Wriedt Larsen
6ed1016bb8 Merge pull request #5669 from tausbn/python-use-api-graphs-for-invoke 
Python: Use API graphs for Invoke
 2021-04-16 14:27:19 +02:00
Taus
92b4eb7f02 Python: Cleanup and more explanation 
Goes into some detail about the intended semantics of local source nodes
and `flowsTo`.
 2021-04-16 11:54:20 +00:00
Geoffrey White
e1028a2765 Merge pull request #5667 from MathiasVP/use-range-analysis-in-overflow 
C++: Use range analysis in Overflow.qll
 2021-04-16 12:00:28 +01:00
Taus
5c79ad2412 Python: Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-04-16 11:38:29 +02:00
Taus
af0c32c01d Python: Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-04-16 11:35:12 +02:00
Anders Schack-Mulligen
605f28f741 Merge pull request #5686 from smowton/haby0/JsonHijacking 
Java: JSONP Injection w/cleanups
 2021-04-16 11:09:17 +02:00
Tamas Vajk
b0975bb3ea Update supported C#/.NET versions 2021-04-16 09:15:43 +02:00
Taus
451d36dc97 Python: Allow _some_ PostUpdateNodes 
Specifically, allow the ones arising from calls, but not reads or
writes. This should fix the tests.
 2021-04-15 21:26:12 +00:00
Taus
c9c8259ed0 Python: Disallow PostUpdateNode as LocalSourceNode 
Previously, in cases like

```python
def foo(x):
    x.bar()
    x.baz()
    x.quux()
```

we would have flow from the first `x` to each use _and_ flow from the
post-update node for each method call to each subsequent use, and all
of these would be `LocalSourceNode`s. For large functions with the above
pattern, this would lead to a quadratic blowup in `hasLocalSource`.

With this commit, only the first of these will count as a
`LocalSourceNode`, and the blowup disappears.
 2021-04-15 17:56:14 +00:00
Chris Smowton
c37994089c Revert changes to unrelated query 2021-04-15 16:24:29 +01:00
Chris Smowton
254de76078 Remove unnecessary stubs 2021-04-15 16:20:27 +01:00
haby0
dedf765542 Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjectionLib.qll 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-15 22:59:22 +08:00
CodeQL CI
578ce1e512 Merge pull request #5683 from asgerf/js/typescript-template-literal-type-crash 
Approved by erik-krogh
 2021-04-15 05:11:11 -07:00
Mathias Vorreiter Pedersen
7fbc62358e C++: Accept test changes after making the exprMightOverFlow predicates more sound. 2021-04-15 13:57:44 +02:00