hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-26 11:53:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
40,697 Commits 1,692 Branches 161 Tags
codeql-cli/v2.10.0
Commit Graph

40697 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Taus
1008411594 Python: Use API graphs in Fabric model 2021-04-13 14:49:44 +00:00
Mathias Vorreiter Pedersen
d1457995dd C++: Use range analysis in Overflow.qll 2021-04-13 16:39:28 +02:00
Geoffrey White
8daca01c87 C++: Cleaner use of DataFlow::Node in exprIsSubLeftOrLess. 2021-04-13 15:13:11 +01:00
Geoffrey White
4879104568 C++: Add more dataflow cases to replace the loss. 2021-04-13 15:09:12 +01:00
Geoffrey White
b0ad927fdd C++: Remove useUsePair. 2021-04-13 15:03:06 +01:00
Taus
a404faa302 Python: Use American English in change note 
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
 2021-04-13 15:05:44 +02:00
Taus
7825a2cdfc Python: Add change note 2021-04-13 12:48:45 +00:00
Taus
1a4845f417 Python: Restrict types a bit 
The `CallCfgNode` restrictions are familiar and useful.

Restricting `InstanceSource` to extend `LocalSourceNode` is novel, but I
think it makes sense. It will act as a good reminder to anyone extending
`InstanceSource` that the node in question is a `LocalSourceNode`, which
will be enforced by the return type of the internal type tracker anyway.
 2021-04-13 12:28:38 +00:00
Taus
f93b68d4dc Python: Get rid of _attr methods 2021-04-13 12:25:38 +00:00
Taus
98d936d8b3 Python: Tornado cleanup using API graphs 
I wasn't able to roll out API graphs as widely in Tornado as I had
hoped, since we're lacking the "def" part. This means most of the
`InstanceSource` machinery will have to stay.
 2021-04-13 12:25:38 +00:00
CodeQL CI
f341d5010d Merge pull request #5662 from asgerf/js/simpler-json-api 
Approved by erik-krogh
 2021-04-13 04:37:56 -07:00
Tom Hvitved
9b0ef2fe21 Merge pull request #5654 from hvitved/csharp/autobuilder/pwsh 
C#: First try `pwsh` and then `powershell` when calling `dotnet-install.ps1`
 2021-04-13 13:15:01 +02:00
Chris Smowton
58d198261e Merge pull request #5663 from smowton/luchua/java/sensitive-cookie-not-httponly 
Java: CWE-1004 Query to check sensitive cookies without the HttpOnly flag set w/minor corrections
 2021-04-13 12:08:53 +01:00
CodeQL CI
646639bc73 Merge pull request #5460 from erik-krogh/forgery-2 
Approved by asgerf
 2021-04-13 03:57:04 -07:00
Chris Smowton
f22b11881e Minimise stubs 
By removing all business logic from the stubs, we better test that our analysis treats them as opaque and does not rely on their internal structure
 2021-04-13 10:36:28 +01:00
Chris Smowton
45e1a61d7b Mark test as bad-but-missed 
This test ought ideally to be caught, but isn't by the current version of the query.
 2021-04-13 10:36:27 +01:00
Rasmus Lerchedahl Petersen
30fbb8f1e7 Python: clean up interface 2021-04-13 11:34:47 +02:00
Asger Feldthaus
e77117f902 JS: Autoformat 2021-04-13 10:29:14 +01:00
Asger Feldthaus
929d9da4b4 JS: Migrate to new JSON API 2021-04-13 10:29:13 +01:00
Asger Feldthaus
7c13163413 JS: Lift JSON accessors to JSONValue 2021-04-13 10:29:13 +01:00
Rasmus Lerchedahl Petersen
178cb6c90f Python: Bit too eager with the modernisation... 
Lift type restrictions to recover results.
 2021-04-13 11:26:05 +02:00
Rasmus Lerchedahl Petersen
7c0b0642c8 Python: Add imports to make code compile 2021-04-13 11:09:27 +02:00
Tom Hvitved
15c103e42d C#: Remove code duplication in BuildScripts.cs 2021-04-13 10:57:15 +02:00
Chris Smowton
dee974ff2d Make Call a subclass of ExprParent. All of its subclasses are in any case (via Expr or Stmt) 2021-04-13 09:13:47 +01:00
Marcono1234
c37dbb2e68 Java: Override getAPrimaryQlClass() for more classes 2021-04-13 08:46:01 +01:00
Mathias Vorreiter Pedersen
3cfd30ef6f Merge pull request #5629 from hvitved/cpp/remove-unique 
C++: Remove `unique` wrapper from `DataFlow::Node::getEnclosingCallable`
 2021-04-13 09:42:34 +02:00
haby0
be39883166 Change the class name and comment,Use .(CompileTimeConstantExpr).getStringValue() 2021-04-13 14:10:10 +08:00
Dave Bartolomeo
afd2f58f9f C++: Fix PR feedback 2021-04-12 18:21:05 -04:00
Dave Bartolomeo
697b2dcde8 C++: Add missing store step for single-field struct use 
We have special code to handle field flow for single-field structs, but that special case was too specific. Some `Store`s to single-field structs have no `Chi` instruction, which is the case that we handled already. However, it is possible for the `Store` to have a `Chi` instruction (e.g. for `{AllAliased}`), but still have a use of the result of the `Store` directly. We now add a `PostUpdateNode` for the result of the `Store` itself in those cases, just like we already did if the `Store` had no `Chi`.
 2021-04-12 18:11:41 -04:00
Rasmus Lerchedahl Petersen
b6bd782746 Python: Modernize via CallCfgNode 2021-04-12 23:55:59 +02:00
yoff
e4d74cf098 Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-04-12 23:47:54 +02:00
Robert Marsh
0102d68f38 Merge pull request #5658 from MathiasVP/fix-partial-def-diff-test 
C++: Fix performance in test
 2021-04-12 13:08:30 -07:00
Andrew Eisenberg
e0fcb15739 Actions: Add workflow for marking stale questions 
This PR adds a workflow for marking and closing issues as stale. Issues must be labeled as _question_. PRs are never marked as stale.
 2021-04-12 13:05:53 -07:00
Artem Smotrakov
b96b665262 Renaming in java/ql/src/experimental/Security/CWE/CWE-094 2021-04-12 21:40:49 +03:00
Mathias Vorreiter Pedersen
037e6369ce C++: Ensure all values are bound in both disjunctions. 2021-04-12 18:27:21 +02:00
luchua-bc
d7f26dfc18 Update stub classes and qldoc 2021-04-12 16:19:23 +00:00
Taus
fda750ef26 Merge pull request #5642 from tausbn/python-use-api-graphs-in-stdlib 
Python: Use API graphs in `Stdlib.qll`
 2021-04-12 18:05:38 +02:00
Chris Smowton
423ff32d04 Merge pull request #5384 from luchua-bc/java/insecure-spring-actuator-config 
Java: CWE-016 Query to detect insecure configuration of Spring Boot Actuator
 2021-04-12 17:04:47 +01:00
Taus
6d4ddc0329 Merge pull request #5614 from tausbn/python-allow-absolute-imports-from-source-directory 
Python: Allow absolute imports from source directory
 2021-04-12 18:02:00 +02:00
CodeQL CI
bc56d16c18 Merge pull request #5485 from RasmusWL/django-queryset-chains 
Approved by tausbn
 2021-04-12 08:49:31 -07:00
Tom Hvitved
dfc91b8331 C#: Simplify dotnet-install.ps1 invocation 
Using the pattern from https://docs.microsoft.com/en-us/dotnet/core/tools/dotnet-install-script.
 2021-04-12 17:33:33 +02:00
Chris Smowton
bb23866cec Add missing doc comments 2021-04-12 16:33:01 +01:00
Tom Hvitved
d35a501121 Merge pull request #5583 from lcartey/cs/restrict-jump-to-def 
C#: Exclude jump-to-def information for elements with too many locations
 2021-04-12 16:52:20 +02:00
ihsinme
a43698802f Update InsufficientControlFlowManagementWhenUsingBitOperations.ql 2021-04-12 17:36:50 +03:00
CodeQL CI
310a2c8bb3 Merge pull request #5655 from erik-krogh/cert 
Approved by esbena
 2021-04-12 07:31:04 -07:00
Chris Smowton
2656a52880 Merge pull request #5538 from luchua-bc/java/credentials-in-properties 
Java: CWE-555 Query to detect plaintext credentials in Java properties files
 2021-04-12 15:22:21 +01:00
Chris Smowton
abeefcaced Merge pull request #4947 from porcupineyhairs/DexLoading 
Java : add query to detect insecure loading of Dex File
 2021-04-12 15:22:12 +01:00
Asger Feldthaus
d2fad180f8 JS: Add test 2021-04-12 15:07:45 +01:00
Mathias Vorreiter Pedersen
5aeaab7c6d C++: As response to the review comments this commit adds a reference-to-pointer state to AddressFlow. A call to an unwrapper function now adds a pointer -> reference-to-pointer transition, and a ReferenceDereference adds a reference-to-pointer -> pointer transition. 2021-04-12 16:01:01 +02:00
ihsinme
58d5ad48d5 Update InsufficientControlFlowManagementAfterRefactoringTheCode.ql 2021-04-12 17:00:34 +03:00