Tamas Vajk
4f383be13b
Fix new (nullability) compiler warnings
2021-03-02 09:21:24 +01:00
Tamas Vajk
71f095d6d4
Upgrade projects to .net 5
2021-03-02 09:20:31 +01:00
Aditya Sharad
dbed4a1a8b
Actions: Add workflow to request docs review
...
When a PR is labelled with 'ready-for-docs-review',
this workflow comments on the PR to notify the GitHub CodeQL docs team.
Runs on `pull_request_target` events so it can write comments to the PR.
Since this runs in the context of the base repo, it must not check out the PR
or use untrusted data from the event payload.
Only runs when the PR base is github/codeql, to prevent notifications from forks.
2021-03-01 17:15:03 -08:00
luchua-bc
95d1994196
Query to check sensitive cookies without the HttpOnly flag set
2021-03-01 22:06:52 +00:00
Robert Marsh
2b382d588a
C++: autoformat Operand.qll
2021-03-01 11:13:04 -08:00
Calum Grant
cee96775b8
Merge pull request #5305 from asgerf/js/tuple-type-rest-index-stats
...
JS: Regenerate stats for tuple_type_rest_index
codeql-cli/v2.4.5
2021-03-01 17:43:55 +00:00
Porcuiney Hairs
5151a528ac
Include suggestions from review
2021-03-01 22:59:30 +05:30
Chris Smowton
5d2f3421d8
Add change notes
2021-03-01 16:59:20 +00:00
Chris Smowton
cdccc1a064
Remove needless typecasts
2021-03-01 16:47:34 +00:00
yoff
92128babef
Apply suggestions from code review
...
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2021-03-01 17:39:17 +01:00
Asger Feldthaus
26924a3378
JS: Regenerate stats for tuple_type_rest_index
2021-03-01 16:30:09 +00:00
Rasmus Lerchedahl Petersen
38748f9e23
Python: restrict attention to ss.wrap_socket
2021-03-01 16:35:21 +01:00
Tamás Vajk
2ac94255b7
Merge pull request #5299 from tamasvajk/feature/limit-codescanning-csharp2
...
C#: Fix codeql analysis workflow
2021-03-01 16:20:03 +01:00
Porcuiney Hairs
14ec148272
refactor to meet experimental guidelines.
2021-03-01 18:46:33 +05:30
Chris Smowton
530b791529
Merge pull request #490 from sauyon/gomoduleauto
...
Explicitly set GO111MODULE to auto
2021-03-01 12:45:39 +00:00
Rasmus Wriedt Larsen
0874712c97
C++/Java/Python: Allow Python string prefix in InlineExpectationsTest
...
I've been writing tests for crypto libraries in Python, and have wanted to write
code along the lines of
```py
md5.hash(b"some message") # $ HashInput=b"some message"
```
which didn't work before this commit, forcing me to store my text in a variable
like below. This turned out to be really annoying when dealing with more complex
examples, so therefore I'm adding this new functionality to allow this behavior.
```py
msg = b"some message"
md5.hash(msg) # $ HashInput=msg
```
2021-03-01 13:44:28 +01:00
Arthur Baars
ce69c912fd
Merge pull request #145 from github/aibaars/fix
...
Fix regression in rb/unused-parameter
2021-03-01 12:26:47 +01:00
Chris Smowton
aab9deceef
Remove package from test Java file
2021-03-01 10:32:44 +00:00
Chris Smowton
c32514bf66
Sync dataflow library files
2021-03-01 10:27:28 +00:00
Chris Smowton
e6b1fe9b5f
Fluent interface dataflow: support argument-output flow directly declared by the simpleLocalFlowStep relation
...
This means we will treat fluent interfaces that are modelled the same as those where we determine an argument flows to an output by inspection of the function body.
2021-03-01 10:23:38 +00:00
Chris Smowton
54caf501e7
Switch fluent-methods test to use a plain DataFlow::Configuration
...
No taint edges are involved, so TaintTracking was unnecessary.
2021-03-01 10:16:02 +00:00
Chris Smowton
fadbb32bd6
Add backward dataflow edges through fluent function invocations.
...
This means that much as obj.getA().setB(...) already has a side-effect on `obj`, all three setters in obj.setA(...).setB(...).setC(...) will have a side-effect on `obj`.
2021-03-01 10:11:28 +00:00
Tamas Vajk
1ecbbf6af3
C#: Fix codeql analysis workflow
2021-03-01 09:18:05 +01:00
Anders Schack-Mulligen
37baf77b93
Merge pull request #5273 from intrigus-lgtm/java/unify-main-method-check
...
Java: Remove duplicate code.
2021-03-01 09:05:28 +01:00
Tamás Vajk
3b56e3520c
Merge pull request #5277 from tamasvajk/feature/fix-name-resolution
...
Fix method name resolution issue with nullable suppression
2021-03-01 08:47:21 +01:00
Jonas Jensen
208a374c58
Merge pull request #5256 from MathiasVP/promote-insecure-memset-query
...
C++: Promote insecure removal of memset query
2021-03-01 08:30:16 +01:00
Artem Smotrakov
15a43ffe36
Simplified returnsRemoteInvocationSerializingExporter()
2021-02-27 13:41:20 +01:00
Rasmus Wriedt Larsen
443780f27e
Python/JS: Share modeling of cryptographic algorithms
...
I didn't quite know where to place it for JS, so I tried my best :)
The canonical Python version might be changed in the future, but I wanted to
keep this change small.
2021-02-27 11:39:35 +01:00
Rasmus Wriedt Larsen
010488c899
Python/JS: Update QLDoc for crypto algorithms before sharing
2021-02-27 11:38:45 +01:00
Rasmus Wriedt Larsen
646ea55944
Python/JS: Update Python copy of crypto algorithm modeling
...
Now to be shared across both languages, with sync-identical-files
2021-02-27 11:38:45 +01:00
haby0
f795d5e0d3
update JSONP Injection ql
2021-02-27 16:25:17 +08:00
Rasmus Lerchedahl Petersen
8b68912c40
Python: Update help and add example
2021-02-26 20:19:31 +01:00
Arthur Baars
c9f86743bd
Merge pull request #143 from github/aibaars/ast-test
...
AST: add printAST test case
2021-02-26 19:41:56 +01:00
Rasmus Lerchedahl Petersen
9533c92fcc
Python: Clean up tests and add comment
2021-02-26 19:28:44 +01:00
Mathias Vorreiter Pedersen
d4f7fab7df
Update cpp/change-notes/2021-02-24-memset-may-be-deleted.md
...
Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
2021-02-26 19:17:13 +01:00
Mathias Vorreiter Pedersen
0f7256752a
Update cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.qhelp
...
Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
2021-02-26 19:16:28 +01:00
Arthur Baars
b2fbeee794
CFG: hide all non-AstNodes
2021-02-26 19:04:33 +01:00
Arthur Baars
5f32b822e2
Remove use of AstNodes
2021-02-26 19:03:55 +01:00
yoff
1670fa0d0e
Update python/change-notes/2021-02-23-port-insecure-default-protocol.md
2021-02-26 18:39:49 +01:00
yoff
9a9bda17ed
Update python/change-notes/2021-02-23-port-insecure-default-protocol.md
...
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2021-02-26 18:38:35 +01:00
Arthur Baars
dd4f297c37
Remove duplicate clause
2021-02-26 17:51:04 +01:00
Erik Krogh Kristensen
af7a188bbd
add change note
2021-02-26 17:18:30 +01:00
Erik Krogh Kristensen
214aa072b9
support host for http-proxy client requests
2021-02-26 17:18:29 +01:00
Erik Krogh Kristensen
cc48172fd8
add support for events in http-proxy
2021-02-26 17:17:47 +01:00
Erik Krogh Kristensen
ede1a40a02
add ClientRequest models for http-proxy
2021-02-26 17:17:46 +01:00
CodeQL CI
b7c0d18c4a
Merge pull request #5278 from erik-krogh/formData
...
Approved by asgerf
2021-02-26 08:13:41 -08:00
Rasmus Wriedt Larsen
a387496832
Python: Highlight how request.uri works in Tornado
2021-02-26 16:23:21 +01:00
Erik Krogh Kristensen
ae051af9d8
remove redundant code
2021-02-26 14:15:30 +01:00
CodeQL CI
0e70b58a41
Merge pull request #5205 from erik-krogh/ts42
...
Approved by asgerf
2021-02-26 05:06:40 -08:00
Porcupiney Hairs
42a84a18b0
JAVA: Add query to detect Apache Struts enabled devMode
...
This query detects cases where the development mode is enabled for a
struts configuration. I can't find a CVE per se but, at present, [GitHub's fuzzy search](https://github.com/search?q=%3Cconstant+name%3D%22struts.devMode%22+value%3D%22true%22+%2F%3E+language%3Axml&type=Code) returns more
than 44000 results. Some of them look like they are classroom projects,
so they may be ineligible for a CVE. But we should be flagging them
anyways as setting the development on in a production system is a very
bad practice and can often lead to remote code execution.
So these should be fixed anyways.
2021-02-26 16:30:04 +05:30