hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-26 20:03:51 +01:00
Code Issues Packages Projects Releases Wiki Activity
40,697 Commits 1,694 Branches 161 Tags
codeql-cli/v2.10.0
Commit Graph

40697 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Slavomir
b42d21f740 Improve comments and naming. 2021-04-08 14:24:35 +01:00
Slavomir
d5355eb6b4 Cleanup 2021-04-08 14:24:35 +01:00
Slavomir
cc31cd2fe2 Fix test 2021-04-08 14:24:35 +01:00
Slavomir
0bb5ef6af2 Fix test 2021-04-08 14:24:35 +01:00
Slavomir
7b4a748793 Remove DummySource 2021-04-08 14:24:35 +01:00
Slavomir
7e9f23ab8e Refactor flow logic to ensure untrusted flows to conversion, and conversion flows to template-exec. 2021-04-08 14:24:35 +01:00
Slavomir
963631dedf Improve naming. 2021-04-08 14:24:35 +01:00
Slavomir
687e556df6 Fixes from code review 2021-04-08 14:24:35 +01:00
Slavomir
ad91e4abcb Remove DummySource 2021-04-08 14:24:35 +01:00
Slavomir
63d51205c9 Apply suggestions from code review 
Co-authored-by: Sauyon Lee <sauyon@github.com>
 2021-04-08 14:24:35 +01:00
Slavomir
49894341a8 Add CWE-79: HTML template escaping passthrough 2021-04-08 14:24:35 +01:00
Arthur Baars
ceb2eb21d8 Address comments 2021-04-08 15:11:57 +02:00
Tamas Vajk
e5160929eb Remove ODASA reference from make_stubs.py 2021-04-08 15:04:02 +02:00
Erik Krogh Kristensen
30ba69d991 treat "files" in a package.json as main modules, if "main" is not present 2021-04-08 14:42:12 +02:00
Tom Hvitved
036e181bc1 C#: Improve performance of Dispatch::SimpleTypeDataFlow::getASourceType() 2021-04-08 14:27:28 +02:00
Tom Hvitved
716568ebd1 Merge pull request #5623 from hvitved/csharp/enclosing 
C#: Compute enclosing callable as a transitive closure
 2021-04-08 14:20:09 +02:00
Tom Hvitved
9820116734 Merge pull request #5603 from hvitved/csharp/dataflow/no-unique 
C#: Remove `unique` wrappers from `DataFlow::Node::get(EnclosingCallable|ControlFlowNode)`
 2021-04-08 14:19:34 +02:00
Asger Feldthaus
52a2260dc7 JS: Rename change note file 2021-04-08 12:52:23 +01:00
Rasmus Wriedt Larsen
c738f387b1 Merge pull request #5624 from tausbn/python-make-callcfgnode-a-localsourcenode 
Python: Improve `CallCfgNode` interface
 2021-04-08 13:38:24 +02:00
haby0
1da48ed4d1 Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-08 19:22:14 +08:00
haby0
bfbfe7af13 Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-08 19:21:58 +08:00
haby0
21004006d6 Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-08 19:17:04 +08:00
Taus
cf5f760ecd Merge pull request #5582 from RasmusWL/all-tuple 
Python: Add support for `__all__` assigned to tuple
 2021-04-08 13:03:27 +02:00
Rasmus Wriedt Larsen
83477439a1 Python: Make django views/fields/forms class modeling extensible 
This also requires that we make this part of the modeling public, which I guess
is step we want to take eventually anyway!

I'm not quite sure whether the modules `Django::Views` and `Django::Forms` are
actually helpful, or whether we should just have their modules available as
`Django::View`, `Django::Form`, and `Django::Field`...
 2021-04-08 12:45:37 +02:00
Rasmus Wriedt Larsen
b7483a5394 Python: Add modeledSubclassRef for Django views/fields/forms 2021-04-08 12:45:36 +02:00
Rasmus Wriedt Larsen
322bdcb703 Python: Port Django view modeling to API graphs 2021-04-08 12:45:35 +02:00
Rasmus Wriedt Larsen
8ce5c46e05 Python: Minor refactor 
modName/clsName _is_ shorter, but also looks way worse :D
 2021-04-08 12:45:34 +02:00
Tamas Vajk
a790eb8110 Fix for unconstrained generic types 2021-04-08 12:20:01 +02:00
Tamas Vajk
a8cbdc92b9 Add more test cases 2021-04-08 12:17:19 +02:00
Tamas Vajk
551a7ce9e5 Fix expression value of struct default argument values 2021-04-08 12:14:53 +02:00
Tamas Vajk
c069c3384e Fix tests 2021-04-08 12:07:36 +02:00
Tamas Vajk
cb9a9db356 C# Improve default argument value extraction 2021-04-08 12:07:22 +02:00
Tamas Vajk
2ac1e60406 C#: Add parameter default value tests 2021-04-08 12:04:18 +02:00
haby0
86ef2588f1 Restore @Component annotation 2021-04-08 17:55:29 +08:00
Jonas Jensen
51bab81f56 Merge pull request #5622 from MathiasVP/inline-is-before 
C++: Inline Location::isBefore
 2021-04-08 11:24:33 +02:00
haby0
3f0a3266aa [Java] CWE-348: Use of less trusted source 2021-04-08 17:14:03 +08:00
Erik Krogh Kristensen
99dd5330c2 add taint-step for URL construction in js/request-forgery 2021-04-08 11:10:33 +02:00
Geoffrey White
517fd23ca5 C++: Correct and add to test cases. 2021-04-08 09:48:38 +01:00
CodeQL CI
a9527fd913 Merge pull request #5621 from erik-krogh/shellSink 
Approved by esbena
 2021-04-08 09:47:45 +01:00
Tom Hvitved
2faf52b6bd Java: Remove unique wrapper from DataFlow::Node::getEnclosingCallable()` 2021-04-08 10:07:19 +02:00
jorgectf
33423eaef3 Optimize calls 2021-04-08 00:31:53 +02:00
jorgectf
7e456494ef Set up taint config and custom sink 2021-04-08 00:20:04 +02:00
jorgectf
8ca6e84268 Refactor Calls to use ApiGraphs 2021-04-08 00:19:46 +02:00
jorgectf
aa7763b3d2 Set up Concepts 2021-04-08 00:19:14 +02:00
jorgectf
db1f54a5f3 Polish query file 2021-04-08 00:19:00 +02:00
Dilan
675de07c3e autoformat ql 2021-04-07 15:04:18 -07:00
thank_you
83f28bfdda Catch any keyword argument passed to MongoEngine's objects method 
After some research, we discovered that any keyword argument passed to the objects method will result in NoSQL injection. This includes scenarios where we have the following:

objects(name_of_model_attribute=unsanitized_user_input)
 2021-04-07 16:45:48 -04:00
thank_you
719c30bd92 Fix file name and adjust where the test points to 2021-04-07 16:42:51 -04:00
ihsinme
ed34c96357 Update InsufficientControlFlowManagementWhenUsingBitOperations.ql 2021-04-07 21:40:49 +03:00
ihsinme
eb9b41acab Apply suggestions from code review 
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
 2021-04-07 21:31:12 +03:00