Taus
ff2b6b9737
Python: Correctly locate stores to built-ins
2021-05-12 18:07:18 +00:00
Taus
3d30efed11
Python: Add exec as a shared built-in
This is _slightly_ wrong, since `exec` isn't a built-in function in
Python 2. It should be harmless, however, since `exec` is a keyword,
and so cannot be redefined anyway.
2021-05-12 11:07:16 +00:00
Taus
5c7e73d485
Python: Add exception types
2021-05-12 09:53:09 +00:00
Taus
07a70af344
Python: Limit set of globals that may be built-ins
I am very tempted to leave out the constants, or at the very least
`False`, `True`, and `None`, as these have _many_ occurrences in the
average codebase, and are not terribly useful at the API-graph level.
If we really do want to capture "nodes that refer to such and such
constant", then I think a better solution would be to create classes
extending `DataFlow::Node` to facilitate this.
2021-05-12 08:19:35 +00:00
Shati Patel
d288b9216e
Merge pull request #5790 from github/cklin-find-the-thief-conditions-sync
Fix inconsistency in the find-the-thief exercise
2021-04-28 17:16:58 +01:00
CodeQL CI
9c5ad44e27
Merge pull request #5782 from erik-krogh/domFP
Approved by esbena
2021-04-28 09:12:00 -07:00
yoff
73521e22de
Merge pull request #5791 from tausbn/python-limit-absolute-imports
Python: Limit absolute imports
2021-04-28 16:22:08 +02:00
Erik Krogh Kristensen
d5450f1df6
use isWildcardLike in MetacharEscapeSanitizer
2021-04-28 11:46:50 +02:00
Erik Krogh Kristensen
d07c71c99d
unlimited repetition of a wildcard is also a wildcard
2021-04-28 11:46:35 +02:00
Erik Krogh Kristensen
160fa148f1
move InfiniteRepetitionQuantifier to Regexp.qll
2021-04-28 11:39:28 +02:00
Erik Krogh Kristensen
e60628d463
add global replacements using inverted char classes as a sanitizer for DOM based XSS
2021-04-28 11:29:30 +02:00
Tamás Vajk
310baab73f
Merge pull request #5740 from tamasvajk/feature/diag
C#: Add extraction error diagnostic query
2021-04-28 08:46:35 +02:00
Taus
4ae3a23089
Python: Limit absolute imports
Limits the behaviour of github/codeql#5614 in two ways:
First, we only consider files that are contained in the source archive.
This prevents unnecessary computation involving files in e.g. the
standard library.
Secondly, we ignore any relative imports (e.g. `from .foo import ...`),
as these only work inside packages anyway.
This fixes an observed performance regression on projects that include
`google-cloud-sdk` as part of their source code.
2021-04-27 21:47:38 +00:00
CodeQL CI
2b9fb79b1d
Merge pull request #5786 from erik-krogh/anser
Approved by esbena
2021-04-27 14:40:48 -07:00
Chuan-kai Lin
c27363cea5
Fix inconsistencies in information about the thief
The find-the-thief exercise is inconsistent. The first part lists 10 answered questions about the thief, but later discussion silently adds a new question as question 8, so there are a total of 11 answered questions.
This commit updates the first list of answered questions so that it matches later discussions and the sample solution.
2021-04-27 13:57:16 -07:00
Mathias Vorreiter Pedersen
0f141edbc3
Merge pull request #5737 from dbartol/dbartol/smart-pointers/work
C++: IR Alias Analysis for smart pointers
2021-04-27 21:40:14 +02:00
Tom Hvitved
37377644c9
Merge pull request #5781 from hvitved/java/predictable-seed-df6
Java: Use separate data-flow copy for `PredictableSeedFlowConfiguration`
2021-04-27 19:01:55 +02:00
Andrew Eisenberg
c6db90e9b7
Merge pull request #5775 from aeisenberg/aeisenberg/codeql-action-main
Actions: Use the main branch of the codeql action
2021-04-27 09:36:33 -07:00
Tamás Vajk
4cc88662e2
Merge pull request #5557 from tamasvajk/feature/java-sinks-csv
Java: convert sinks to CSV
2021-04-27 15:58:09 +02:00
Erik Krogh Kristensen
9178f4b1c5
add support for the anser library
2021-04-27 15:57:17 +02:00
Tamas Vajk
51e08d4940
Fix error severity
2021-04-27 15:47:16 +02:00
Tamas Vajk
5b79094f34
Fix naming in HTTPS URL check
2021-04-27 14:59:52 +02:00
yoff
0509a12790
Merge pull request #5770 from tausbn/python-small-api-graph-fix
Python: Use only `TApiNode` in `API::Impl`
2021-04-27 14:06:09 +02:00
Geoffrey White
afa89256c5
Merge pull request #5780 from MathiasVP/cleanup-missingGuard-predicates-after-range-analysis-fix
C++: Cleanup missingGuardAgainstOverflow
2021-04-27 12:56:10 +01:00
Chris Smowton
64a2320be7
Merge pull request #5757 from smowton/smowton/admin/fix-dead-qhelp-links
Fix all dead qhelp links
2021-04-27 12:17:08 +01:00
Tom Hvitved
2e266c7ddd
Merge pull request #5756 from hvitved/csharp/string-builder-fluent
C#: Add missing `StringBuilder` flow summaries
2021-04-27 11:24:56 +02:00
Tom Hvitved
fb606112fa
Merge pull request #5754 from hvitved/csharp/guards/performance
C#: Improve performance of guards library
2021-04-27 10:53:01 +02:00
Tamas Vajk
e08b629cb5
Add documentation for URL opening sinks
2021-04-27 10:32:41 +02:00
Tom Hvitved
017beb6786
Java: Use separate data-flow copy for PredictableSeedFlowConfiguration
2021-04-27 10:07:33 +02:00
CodeQL CI
79ed94b22c
Merge pull request #5779 from erik-krogh/updateJSAndTSVersionDoc
Approved by esbena
2021-04-27 00:51:58 -07:00
Mathias Vorreiter Pedersen
04a785b9fb
C++: Accept test changes.
2021-04-27 09:43:27 +02:00
Mathias Vorreiter Pedersen
a41e9055c5
C++: Delete the fix that was introduced in bb447d7174. This is no longer needed after #5678.
2021-04-27 09:43:02 +02:00
Mathias Vorreiter Pedersen
05d693e3bb
C++: Also include the assignment versions in exprThatCanOverflow.
2021-04-27 09:41:13 +02:00
Rasmus Wriedt Larsen
37db21d269
Merge pull request #5284 from yoff/python-port-insecure-protocol
Python: port py/insecure-protocol
2021-04-27 09:30:18 +02:00
Erik Krogh Kristensen
0b322a3143
update JS/TS versions to reflect supported versions
2021-04-27 08:53:15 +02:00
Andrew Eisenberg
0e53ad33f6
Actions: Add permissions block to code scanning workflow
2021-04-26 10:53:29 -07:00
Geoffrey White
0e7eeb3051
Merge pull request #5678 from MathiasVP/sound-expr-might-overflow-predicate
C++: Make exprMightOverflowPositively sound for unanalyzable expressions
2021-04-26 17:38:23 +01:00
Andrew Eisenberg
3670c729c0
Actions: Use the main branch of the codeql action
This commit switches to the bleeding edge, main branch of the
codeql action. This helps us test the action before merging all
of the new changes into main, which occurs roughly once a week.
If there are commits that introduce bugs in codeql-action, then
we will be more likely to catch it before releasing to the world
if we are using it in this extension.
2021-04-26 08:43:28 -07:00
Taus
3889c8afec
Python: Use only TApiNode in API::Impl
This ensures that changes to `API::Node` do not invalidate the cached
`module Impl`. At present, I don't expect this to have any effect (as
the `Node` class is also fairly static, though not explicitly cached),
but I can imagine us making some of the `Node` methods have
user-extensible behaviour, in which case we definitely do not want this
to result in reevaluation of `API::Impl`.
2021-04-26 13:10:15 +00:00
Shati Patel
a09c12acfe
Merge pull request #5537 from alexet/ambig-super
Docs: Update the language specification for changes to super.
2021-04-26 13:34:50 +01:00
Chris Smowton
d717fc7b1f
Use Microsoft archive of vijaysk's blog
2021-04-26 10:13:04 +01:00
Tom Hvitved
824c243268
C#: Add change note
2021-04-26 10:50:17 +02:00
Mathias Vorreiter Pedersen
772d5eacca
C++: Add change note.
2021-04-26 09:55:32 +02:00
Chris Smowton
78b9682a4e
Fix dead links in JS externs too
2021-04-23 15:46:48 +01:00
Tamás Vajk
a7030c7fed
Merge pull request #5308 from tamasvajk/feature/flow-sources-sinks
C#: Add Console.Read* to local flow sources
codeql-cli/v2.5.3
codeql-cli/v2.5.4
2021-04-23 16:36:16 +02:00
Tamás Vajk
c3058f4744
Merge pull request #5749 from tamasvajk/feature/fix-fromsource
C#: Adjust 'fromSource' to hold only on files passed to the compiler as a source file
2021-04-23 16:35:40 +02:00
Chris Smowton
455b840712
Fix all dead qhelp links
For those documents with no obvious new home I've pointed the links to the Internet Archive.
2021-04-23 15:20:21 +01:00
Tom Hvitved
004450b201
C#: Add missing StringBuilder flow summaries
2021-04-23 16:17:49 +02:00
Mathias Vorreiter Pedersen
86822f6c61
C++: Exclude pointer results from cpp/integer-overflow-tainted.
2021-04-23 16:01:53 +02:00
Mathias Vorreiter Pedersen
3cf4f1f956
C++: Accept test changes.
2021-04-23 16:00:23 +02:00