hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-22 01:43:41 +01:00
Code Issues Packages Projects Releases Wiki Activity
40,697 Commits 1,692 Branches 161 Tags
codeql-cli/v2.10.0
Commit Graph

40697 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Chris Smowton
26e10f3ad5 SSRF: don't consider results of fetches we initiated to be untrustworthy 2021-06-17 11:41:03 +01:00
Chris Smowton
c63d5986cf Sanitize StringBuilder appends that follow directly from a constructor. 
Note that some of this logic ought to be incorporated into StringBuilderVar once that code can be reviewed.
 2021-06-17 11:41:03 +01:00
Chris Smowton
b5a450b881 SSRF query: add sanitizer looking for a variety of ways of prepending a sanitizing prefix, such as one that restricts the hostname a URI will refer to. 2021-06-17 11:41:03 +01:00
Chris Smowton
487c1db6ed Promote SSRF query to main query set 2021-06-17 11:41:01 +01:00
Anders Schack-Mulligen
6ca8d69b26 Merge pull request #5881 from haby0/java/UnsafeDeserialization 
Java: CWE-502 Add UnsafeDeserialization sinks
 2021-06-17 12:36:34 +02:00
Anders Schack-Mulligen
8fe2f4a554 Merge pull request #6034 from owen-mc/java/jax-rs 
Improve JAX-WS and JAX-RS models
 2021-06-17 12:35:34 +02:00
Anders Schack-Mulligen
b173b4141d Merge pull request #6096 from smowton/smowton/fix/inline-expectations-missing-prefix 
Inline expectation tests: accept // $MISSING: and // $SPURIOUS:
 2021-06-17 11:41:15 +02:00
haby0
363ad5b470 Fix error 2021-06-17 17:36:35 +08:00
Owen Mansel-Chan
945db01f56 Address review comments 2021-06-17 10:29:33 +01:00
Owen Mansel-Chan
b9bc1f978c Update style of inline expectation comments 2021-06-17 10:04:15 +01:00
Tom Hvitved
41ed9f3e1b Data flow: Fix inconsistencies 2021-06-17 10:48:32 +02:00
Chris Smowton
558813acf7 Inline expectation tests: accept // $MISSING: and // $SPURIOUS: 
Previously there had to be a space after the $ token, unlike ordinary expectations (i.e., // $xss was already accepted)
 2021-06-17 09:44:39 +01:00
Owen Mansel-Chan
0987425f94 Reinstate failing tests with MISSING: prefix 2021-06-17 09:36:51 +01:00
Tom Hvitved
00e544189e Data flow: Add consistency queries 2021-06-17 10:26:56 +02:00
Tom Hvitved
ad54f2e1f4 Bump codeql submodule 2021-06-17 10:24:19 +02:00
Tom Hvitved
0febf5a592 Merge pull request #6094 from hvitved/dataflow/consistency-compiler-too-smart 
Data flow: Workaround for too clever compiler in consistency queries
 2021-06-17 10:23:31 +02:00
edvraa
ac777d237d autoformat 2021-06-17 09:23:26 +01:00
edvraa
0456d4793a Fix path tracking 2021-06-17 09:23:26 +01:00
edvraa
4576b16f30 Use dataflow gettype 2021-06-17 09:23:26 +01:00
edvraa
062acedd49 Unify and make getValueForFieldWrite private 2021-06-17 09:23:26 +01:00
edvraa
236b623f60 Get rid of NetHttpCookieTrackingConfiguration 2021-06-17 09:23:26 +01:00
edvraa
031a79b8f5 Gorilla Store Save sink 2021-06-17 09:23:26 +01:00
edvraa
8110c3d059 Use HasFlow 2021-06-17 09:23:26 +01:00
edvraa
d60d18a8d0 Stay on dataflow level 2021-06-17 09:23:26 +01:00
edvraa
ed8d025bdf Dedicated types 2021-06-17 09:23:26 +01:00
edvraa
cba4f0448e Use package 2021-06-17 09:23:26 +01:00
edvraa
167496edff Use MethodCallNode and hasQualifiedName 2021-06-17 09:23:26 +01:00
edvraa
5929f66efb No need for Function f 2021-06-17 09:23:26 +01:00
edvraa
06c328c5aa Fix comment 2021-06-17 09:23:26 +01:00
edvraa
3ac1b4ba0b Use CallNode 2021-06-17 09:23:26 +01:00
edvraa
d06f4ca21e Fix argumnt nr 2021-06-17 09:23:26 +01:00
edvraa
9224a315f1 inline isGinContextCookieFlow 2021-06-17 09:23:26 +01:00
edvraa
4d397d9974 Fix tests 2021-06-17 09:23:26 +01:00
edvraa
5349c98ae1 Comments 2021-06-17 09:23:26 +01:00
edvraa
0b9959e4ef Default stub 2021-06-17 09:23:26 +01:00
edvraa
d32fa19c12 reformat 2021-06-17 09:23:26 +01:00
edvraa
4eb4787692 simplify expressions 2021-06-17 09:23:26 +01:00
edvraa
f537c479c9 path tracking 2021-06-17 09:23:26 +01:00
edvraa
253abc55d9 get rid of AuthCookieNameConfiguration 2021-06-17 09:23:26 +01:00
edvraa
9c0b83fd34 Use getAPredecessor 2021-06-17 09:23:26 +01:00
edvraa
ff06815db1 Code review 2021-06-17 09:23:26 +01:00
edvraa
cbaad2efb9 Sensitive cookie without HttpOnly 2021-06-17 09:23:26 +01:00
ihsinme
1cabaec0c3 Update cpp/ql/src/experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.qhelp 
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
 2021-06-17 11:09:36 +03:00
Tom Hvitved
ffb2350a54 Data flow: Fix getLocalCallContext join-order 2021-06-17 10:02:31 +02:00
Tom Hvitved
cc383e0f6a Data flow: Workaround for too clever compiler in consistency queries 2021-06-17 09:43:36 +02:00
ihsinme
bf65044a0d Update test.c 2021-06-17 10:42:25 +03:00
haby0
3dd851fffb expected 2021-06-17 15:20:03 +08:00
Owen Mansel-Chan
5f82993b0b Put parameters with inline expectation comments on their own lines 2021-06-17 06:41:01 +01:00
jorgectf
8527ccc6d6 Update .expected 2021-06-16 23:19:14 +02:00
jorgectf
5c7229c715 Optimize Type Tracking stuff 2021-06-16 23:19:05 +02:00