hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-26 11:53:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
40,697 Commits 1,692 Branches 161 Tags
codeql-cli/v2.10.0
Commit Graph

40697 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
haby0
1510048f7a Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-10 04:23:13 +08:00
haby0
d8165145c7 Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-10 04:22:44 +08:00
haby0
ebd38eaf3b Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-10 04:22:08 +08:00
haby0
b8c11503f0 Update java/ql/src/experimental/Security/CWE/CWE-352/JsonpInjection.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-10 04:21:49 +08:00
Dave Bartolomeo
0a86642056 C++: Refactor some side effect generation code 
This change was necessary for my upcoming changes to introduce side effect instructions for indirections of smart pointers. The code to decide which parameters have which side effects appeared in both the IPA constructor for `TTranslatedSideEffect` and in `TranslatedCall`. These two versions didn't quite agree, especially once the `SideEffectFunction` model provides its own side effects instead of the defaults.
The relevant code has now been factored out into `SideEffects.qll`. This queries the model if one exists, and provides default side effects if no model exists. This fixes at least one existing issue, where we were emitting a buffer read side effect for `*this` instead of an indirect read side effect. This accounts for all of the IR diffs in the tests.
 2021-04-09 16:14:03 -04:00
jorgectf
166385755a Polish Calls naming 2021-04-09 21:49:41 +02:00
luchua-bc
4e3791dc0d Remove LoadCredentialsConfiguration and update qldoc 2021-04-09 19:36:35 +00:00
jorgectf
208b53e4d2 Polish query file 2021-04-09 21:36:21 +02:00
jorgectf
983af32ab5 Polish qhelp examples 2021-04-09 21:36:11 +02:00
jorgectf
fa5869afe7 Polish qhelp and examples 2021-04-09 21:31:45 +02:00
jorgectf
a6b3aefb0b Add flask_mongoengine sink 2021-04-09 21:30:17 +02:00
jorgectf
0e51dbec86 Polish tests 2021-04-09 21:29:56 +02:00
Taus
720fbaf301 Python: Fix test error. 
Somehow, having to type "Node" all day long made me turn "json" into
"node"...

Also removes some bits that weren't needed after all.
 2021-04-09 19:04:49 +00:00
Mathias Vorreiter Pedersen
1510fe370d C++: Add cases for const pointer wrapper references to AddressFlow and FlowVar. 2021-04-09 20:58:05 +02:00
Arthur Baars
caef2c36c7 Merge pull request #162 from github/aibaars/modules 
Basic implementation of module resolution
 2021-04-09 20:50:54 +02:00
Mathias Vorreiter Pedersen
2329b31601 C++: Replace the new SmartPointerPartialDefinition with additional steps in AddressFlow.qll 2021-04-09 20:49:45 +02:00
Mathias Vorreiter Pedersen
a460e3ad3d Merge branch 'main' into ast-flow-smart-pointers 2021-04-09 19:41:10 +02:00
Geoffrey White
40637c18ce C++: Add change note. 2021-04-09 18:14:12 +01:00
Geoffrey White
0818c1d703 C++: Update QLDoc. 2021-04-09 18:11:48 +01:00
Taus
cc4827600b Python: Use API graphs in Stdlib.qll 
Eliminates _almost_ all of the bespoke type trackers found here. The
ones that remain do not fit easily inside the framework of API graphs
(at least, not yet), and I did not see any easy ways to clean them up.
They have, however, been rewritten to use `LocalSourceNode` internally,
which was the primary goal of this exercise.

I'm sure we could also clean up many of the inner modules given the more
lean presentation we have now, but this can wait for a different PR.
 2021-04-09 17:11:47 +00:00
luchua-bc
04b0682bbf Use isAdditionalTaintStep and make the query more readable 2021-04-09 16:14:51 +00:00
Tom Hvitved
fd8f745468 Java: Adopt shared flow summary library and refactor data-flow nodes. 2021-04-09 16:57:03 +02:00
Chris Smowton
dbcf1e1cfa Merge pull request #520 from sauyon/add-diagnosticfile 
Add a new diagnostics file class and use it for errors
 2021-04-09 15:48:57 +01:00
Arthur Baars
cdfabbc95d Make Cached module private 2021-04-09 16:47:02 +02:00
Arthur Baars
a247544fc5 Add comments 2021-04-09 16:35:23 +02:00
Shati Patel
2d618d6b92 Merge pull request #5625 from shati-patel/docs/cli-manual 
Docs: Link to CodeQL CLI manual from the sidebar
codeql-cli/v2.5.2 codeql-cli/v2.5.1 		2021-04-09 15:30:24 +01:00
Tom Hvitved
f130616369 Data flow: Make getLocalCc private again 2021-04-09 16:22:58 +02:00
Geoffrey White
3b437fe6cf C++: Replace GVN with some other libraries. 2021-04-09 15:21:42 +01:00
Taus
d2b874f217 Python: Use API graphs in PEP249 support 
Because the replacement extension point now extends `API::Node`, I
modified the `toString` method of the latter to have an empty body.
The alternative would be to require everyone to provide a `toString`
predicate for their extensions, but seeing as these will usually be
pointing to already existing API graph nodes, this seems silly.

(This may be the reason why the equivalent method in the JS libs has
such an implementation.)
 2021-04-09 14:19:00 +00:00
Jonas Jensen
e1d0bbb021 Merge pull request #5607 from MathiasVP/smart-pointer-ast-read-store-steps 
C++: read and store steps for smart pointers in AST dataflow
 2021-04-09 16:11:48 +02:00
CodeQL CI
6fd4a8afff Merge pull request #5567 from asgerf/js/sql-models 
Approved by esbena
 2021-04-09 07:11:10 -07:00
CodeQL CI
be2fe6e171 Merge pull request #5630 from erik-krogh/urlStep 
Approved by esbena
 2021-04-09 07:05:43 -07:00
CodeQL CI
8d2768b2ce Merge pull request #5634 from erik-krogh/fileSource 
Approved by asgerf
 2021-04-09 07:04:42 -07:00
Sauyon Lee
80fe7384cd Apply suggestions from code review 
Co-authored-by: Chris Smowton <smowton@github.com>
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
 2021-04-09 14:30:23 +01:00
Sauyon Lee
4462948cfc Add a new diagnostics file class and use it for errors 2021-04-09 14:30:23 +01:00
Anders Schack-Mulligen
701e815368 Merge pull request #5628 from hvitved/java/remove-unique 
Java: Remove `unique` wrapper from `DataFlow::Node::getEnclosingCallable()`
 2021-04-09 15:21:26 +02:00
Mathias Vorreiter Pedersen
cd310eb9d5 C++: Remove unused import. 2021-04-09 15:08:48 +02:00
Tamás Vajk
992a4df12f Merge pull request #5619 from tamasvajk/feature/fix-default-argument-value-extraction 
C# Improve default argument value extraction
 2021-04-09 14:58:35 +02:00
Mathias Vorreiter Pedersen
996cda9b97 C++: Fix incorrect test annotation. 2021-04-09 14:46:46 +02:00
Tom Hvitved
6874b8d4b3 Data flow: Prevent bad join-order in pathStep 2021-04-09 14:24:47 +02:00
Mathias Vorreiter Pedersen
80d5b17900 C++: Remove the dataflow rule for smart_ptr -> *smart_ptr. 2021-04-09 14:20:51 +02:00
Mathias Vorreiter Pedersen
cae0060a89 C++: Replace the new rules in DataFlowUtil with a dataflow model for pointer wrapper classes. 2021-04-09 14:06:58 +02:00
Taus
affdedd840 Python: Add missing builtins to API::builtin 
We were missing out on `None`, `True`, and `False` as these do not
appear as actual attributes of the `builtins` module in Python 3
(because they are elevated to the status of keywords there)

The simple solution, then, is to just always include them directly.
 2021-04-09 12:02:07 +00:00
Tamas Vajk
46197e6e69 Address review comments 2021-04-09 13:39:37 +02:00
Arthur Baars
7bc5be93ff Module: make main predicates cached 2021-04-09 13:29:27 +02:00
Tamas Vajk
351f35d9bc Revert "Java: Convert other sinks" 
This reverts commit 87d42b02c0.
 2021-04-09 13:13:49 +02:00
Tamas Vajk
87d42b02c0 Java: Convert other sinks 2021-04-09 13:13:39 +02:00
Tamas Vajk
3e53484bb3 Java: Convert Google HTTP client API parseAs sink to CSV format 2021-04-09 13:10:44 +02:00
Tamas Vajk
e544faed6d Java: Convert unsafe hostname verification sinks to CSV format 2021-04-09 13:10:44 +02:00
Tamas Vajk
17fd758df1 Java: Convert XSS sinks to CSV format 2021-04-09 13:10:44 +02:00