hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-31 15:22:57 +01:00
Code Issues Packages Projects Releases Wiki Activity
40,697 Commits 1,684 Branches 159 Tags
codeql-cli/v2.10.0
Commit Graph

40697 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Chris Smowton
90505949c7 Generally define lower-numbered data-flow configs in terms of higher-numbered ones 
Since usually we have DataFlow3::Configurations that stand alone, DataFlow2::Configurations that depend on them, and finally DataFlow::Configurations that produce a top-level query result (for example), qll files where the reverse pattern holds will usually not be concurrently importable due to dataflow configuration recursion prevention.
 2022-04-15 09:25:40 +01:00
Chris Smowton
27d87e9300 Add TaintTracking3 2022-04-15 09:25:26 +01:00
Erik Krogh Kristensen
2e5d435bea add CWE-400, and add a reference to DoS attacks 2022-04-14 18:37:50 +02:00
Geoffrey White
8a32c17c56 C++: Fix the issue. 2022-04-14 17:03:28 +01:00
Paolo Tranquilli
24697feebc Swift: integrated template name in dataclass 2022-04-14 15:53:15 +02:00
Paolo Tranquilli
197ea5b8f3 Swift: use more @property in codegen 2022-04-14 12:28:52 +02:00
Paolo Tranquilli
71f9b25500 Swift: uses classes instead of Enum for Properties 2022-04-14 11:35:11 +02:00
Paolo Tranquilli
64496b4c97 Swift: cleanup and some docstrings for codegen 
Also added code generation and clang formatting to the pre-commit
configuration.
 2022-04-14 11:27:41 +02:00
Paolo Tranquilli
91fd83a554 Swift: dbscheme generator 
This patch introduces the basic infrastructure of the code generation
suite and the `dbscheme` generator.

Notice that the checked in `schema.yml` should reflect swift 5.6 but
might need some tweaking.

Closes https://github.com/github/codeql-c-team/issues/979
 2022-04-14 11:27:41 +02:00
Jean Helie
d094bbc06d Merge pull request #8546 from github/jhelie/enforce-unknown-incompatibiliy-with-notasink 
ML: add defensive check to ensure Unknown endpoints cannot also be NotASink
 2022-04-14 11:21:18 +02:00
Geoffrey White
2ac21d6932 C++: Use isBarrier rather than isBarrierOut (which is going away). 2022-04-14 09:21:57 +01:00
Harry Maclean
cf0611d1e7 Pass args to jq via --arg 2022-04-14 13:50:41 +12:00
Harry Maclean
a90647798e Fail workflow if COMMENT_ID fails validation 
And print an error message to STDERR.
 2022-04-14 13:21:38 +12:00
Harry Maclean
c9a5cb4bf6 Distinguish between validated and raw COMMENT_ID 2022-04-14 13:19:14 +12:00
Harry Maclean
c3f1fba985 Merge pull request #8598 from hmac/hmac/insecure-dep-resolution 
Ruby: Add rb/insecure-dependency query
 2022-04-14 02:09:44 +02:00
Erik Krogh Kristensen
4c97f68a3d remove postmessage events as source for js/resource-exhaustion 2022-04-13 23:14:42 +02:00
Erik Krogh Kristensen
51a0b6d501 remove client-side remote-flow from js/resource-exhaustion 2022-04-13 23:05:59 +02:00
Geoffrey White
27b6b99cd0 C++: Correct and improve some comments and naming. 2022-04-13 18:34:15 +01:00
Nick Rolfe
a1a7d2c088 Ruby: add changenote for rb/incomplete-sanitization 2022-04-13 17:32:38 +01:00
Nick Rolfe
fdca896614 Ruby: improve handling of [g]sub! 
rb/incomplete-sanitization has a few cases where we find flow from one
one string substitution call to another, e.g.

    a.sub(...).sub(...)

But this didn't find typical chained uses of the destructive variants,
e.g.

    a.sub!(...)
    a.sub!(...)

We now handle those cases by tracking flow from the post-update node for
the receiver of the first call.
 2022-04-13 17:19:25 +01:00
Jean Helie
1e39a9caae ML: update regression test output following fix to getAnUnknown predicate 2022-04-13 18:14:16 +02:00
Jean Helie
f87cd164ce ML: add defensive check to ensure Unknown endpoints cannot also be NotASink 2022-04-13 18:14:16 +02:00
Jean Helie
f2b813a6e7 ML: add regression test for effective sink that is also NotASink 2022-04-13 18:14:16 +02:00
Henry Mercer
6603f8ab94 Merge pull request #8734 from github/henrymercer/non-extending-subtypes-minor-fixes 
Docs: Fix typo and formatting in "Non-extending subtypes"
 2022-04-13 17:11:33 +01:00
Nick Rolfe
bbb8177176 Ruby: add rc/incomplete-sanitization query 2022-04-13 16:48:43 +01:00
Henry Mercer
54b3d4d0d7 Docs: Fix typo and formatting in "Non-extending subtypes" 
- Fix typo `select any(Foo f) would yield bar` -> `select any(Foo f).foo() would yield bar`
- Fix inline code formatting
- Change `foo_method` to `fooMethod` to follow QL style guide
 2022-04-13 16:12:42 +01:00
Geoffrey White
2ad81e63a5 C++: Change note. 2022-04-13 16:11:14 +01:00
AlexDenisov
df2cc181a0 Merge pull request #8726 from redsun82/swift-prebuilt-fetching 
Swift: fetch prebuilt swift and link against it
 2022-04-13 16:58:36 +02:00
Geoffrey White
dfd846bb7b C++: Changes to the qhelp. 2022-04-13 15:53:13 +01:00
Paolo Tranquilli
aaf9e7da2f turn off universal_binaries for now 2022-04-13 16:45:23 +02:00
Paolo Tranquilli
9e3401ce59 make self repository name parametric 
In a workspace macro we must use the exact repository name, and this
can be different when importing the workspace (it is different in
semmle-code).
 2022-04-13 16:22:27 +02:00
Paolo Tranquilli
73d5691d91 update swift package 2022-04-13 16:22:27 +02:00
Paolo Tranquilli
e68172f4b0 Swift: fetch prebuilt swift and link against it 
This is known to break linux integration in sembuild.
 2022-04-13 16:22:27 +02:00
Geoffrey White
d83aea5ea3 C++: Copy the qhelp from Javascript. 2022-04-13 15:16:01 +01:00
Geoffrey White
b149666f45 C++: Query metadata (precision is provisional, might up it to 'high' later). 2022-04-13 15:15:28 +01:00
Rasmus Wriedt Larsen
a271e17f04 Python: Move dataflow call-graph to new qll file 
Seems like all other languages use a file called `DataFlowDispatch`. I
want to introduce a setup where we have (old) points-to based approach
in one file, and can develop a type-tracking based approach in another
file, so that's the reason for the naming differing slightly.

For which predicates go in which files, I have taken mostly inspiration
from C# and Ruby.
 2022-04-13 15:56:57 +02:00
Rasmus Wriedt Larsen
3d15205084 Python: Autoformat 2022-04-13 15:36:16 +02:00
Rasmus Wriedt Larsen
ded4e9250c Python: Move IterableUnpacking to own file 2022-04-13 15:36:05 +02:00
Rasmus Wriedt Larsen
c740894408 Python: Move MatchUnpacking to own file 
I had hoped that git would be able to see this as a rename, and
therefore I haven't done autoformat
 2022-04-13 15:36:05 +02:00
AlexDenisov
058ac5bcae Merge pull request #8717 from AlexDenisov/alexdenisov/swift-ql-ci 
Swift: enable QL tests on CI
 2022-04-13 14:42:27 +02:00
Geoffrey White
be0df1662c C++: Rename the query file. 2022-04-13 13:20:02 +01:00
Geoffrey White
ffbe724040 C++: Remove unfinished parts for now. 2022-04-13 13:18:23 +01:00
Jean Helie
407a8a7715 ML: fix ATM expected tests outputs 2022-04-13 14:02:12 +02:00
Rasmus Wriedt Larsen
2e60172bfa Python: Delete old dataflow readme 2022-04-13 12:09:38 +02:00
Rasmus Wriedt Larsen
6235dc5039 Python: Handle find_library assignment to temp variable 2022-04-13 11:44:15 +02:00
Rasmus Wriedt Larsen
c87b3087be Python: Add test for Django FileField upload_to 
The output from running the test script is:

```
'rootdir/bar'
[13/Apr/2022 09:20:36] "POST /app/file-test/ HTTP/1.1" 200 2
'rootdir/bar'
[13/Apr/2022 09:20:36] "POST /app/file-test/ HTTP/1.1" 200 2
'rootdir/foo%2fbar'
[13/Apr/2022 09:20:36] "POST /app/file-test/ HTTP/1.1" 200 2
'rootdir/%2e%2e%2fbar'
[13/Apr/2022 09:20:36] "POST /app/file-test/ HTTP/1.1" 200 2
'rootdir/foo%c0%afbar'
[13/Apr/2022 09:20:36] "POST /app/file-test/ HTTP/1.1" 200 2
```

I didn't add a `.py` extension, so it wasn't extracted, since we don't
actually care about what we model in that file.
 2022-04-13 11:27:18 +02:00
Rasmus Wriedt Larsen
304713ca87 Python: Handle django v4 as well in tests 2022-04-13 11:21:44 +02:00
Paolo Tranquilli
6166f0601c Merge pull request #8727 from redsun82/bazel_workspace_rename 
Bazel: rename workspace to codeql
 2022-04-13 10:51:10 +02:00
Alex Denisov
60c6241382 Swift: run QL tests on macOS 2022-04-13 10:35:15 +02:00
Rasmus Wriedt Larsen
bdadf2b445 Python: Fix warnings 2022-04-13 10:30:59 +02:00