hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-31 15:22:57 +01:00
Code Issues Packages Projects Releases Wiki Activity
40,697 Commits 1,684 Branches 159 Tags
codeql-cli/v2.10.0
Commit Graph

40697 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Tom Hvitved
4099d1318f Data flow: Tweak two join-orders 
Before
```
[2022-04-06 13:19:29] (96s) Tuple counts for DataFlowImpl2::Stage1::revFlowConsCand#7ad53399#ff/2@i14#aa10f2wi after 4.4s:
                      10681    ~0%     {2} r1 = SCAN DataFlowImpl2::Stage1::revFlow#7ad53399#fff#prev_delta OUTPUT In.0, In.2 'config'
                      982      ~1%     {3} r2 = JOIN r1 WITH DataFlowImpl2::readSet#7ad53399#ffff_2301#join_rhs ON FIRST 2 OUTPUT Rhs.3, Lhs.1 'config', Rhs.2
                      83691528 ~2%     {3} r3 = JOIN r2 WITH DataFlowPublic::ContentSet::getAReadContent#dispred#f0820431#ff ON FIRST 1 OUTPUT Lhs.1 'config', Lhs.2, Rhs.1 'c'
                      83581763 ~2%     {3} r4 = r3 AND NOT DataFlowImpl2::Stage1::revFlowConsCand#7ad53399#ff#prev(Lhs.2 'c', Lhs.0 'config')
                      83581763 ~0%     {3} r5 = SCAN r4 OUTPUT In.2 'c', In.0 'config', In.1
                      0        ~0%     {3} r6 = JOIN r5 WITH DataFlowImpl2::Stage1::fwdFlowConsCand#7ad53399#ff ON FIRST 2 OUTPUT Lhs.2, Lhs.1 'config', Lhs.0 'c'
                      0        ~0%     {2} r7 = JOIN r6 WITH DataFlowImpl2::Stage1::fwdFlow#7ad53399#2#fff_02#join_rhs ON FIRST 2 OUTPUT Lhs.2 'c', Lhs.1 'config'
                                       return r7
```

After
```
[2022-04-06 13:44:38] (6s) Tuple counts for DataFlowImpl2::Stage1::revFlowConsCand#7ad53399#ff/2@i14#5abbf2wn after 6ms:
                      10681  ~0%     {2} r1 = SCAN DataFlowImpl2::Stage1::revFlow#7ad53399#fff#prev_delta OUTPUT In.0, In.2 'config'
                      982    ~1%     {3} r2 = JOIN r1 WITH DataFlowImpl2::readSet#7ad53399#ffff_2301#join_rhs ON FIRST 2 OUTPUT Rhs.3, Lhs.1 'config', Rhs.2
                      109765 ~0%     {3} r3 = JOIN r2 WITH DataFlowImpl2::Stage1::fwdFlowConsCandSet#7ad53399#fff#reorder_0_2_1 ON FIRST 2 OUTPUT Lhs.1 'config', Lhs.2, Rhs.2 'c'
                      0      ~0%     {3} r4 = r3 AND NOT DataFlowImpl2::Stage1::revFlowConsCand#7ad53399#ff#prev(Lhs.2 'c', Lhs.0 'config')
                      0      ~0%     {3} r5 = SCAN r4 OUTPUT In.1, In.0 'config', In.2 'c'
                      0      ~0%     {2} r6 = JOIN r5 WITH DataFlowImpl2::Stage1::fwdFlow#7ad53399#2#fff_02#join_rhs ON FIRST 2 OUTPUT Lhs.2 'c', Lhs.1 'config'
                                     return r6
```
 2022-04-06 13:52:30 +02:00
Erik Krogh Kristensen
943af17d10 Merge pull request #8619 from erik-krogh/atmSteps 
JS-ML: fix isKnownStepSrc such that it recognizes taint-steps
 2022-04-06 12:56:53 +02:00
Rasmus Wriedt Larsen
23637fd691 Merge branch 'main' into promote-xxe 2022-04-06 12:56:31 +02:00
Erik Krogh Kristensen
0435cee57f add a taint-step through URL.createObjectURL for js/xss-through-dom 2022-04-06 12:18:47 +02:00
Rasmus Wriedt Larsen
b99767ef52 Merge pull request #8668 from RasmusWL/use-instanceof 
Python: Rewrite concepts to use `extends ... instanceof ...`
 2022-04-06 12:09:12 +02:00
Erik Krogh Kristensen
b11d48e749 add files in the DOM as a source for js/xss-through-dom 2022-04-06 12:09:07 +02:00
Anders Schack-Mulligen
bbb6d08071 Merge pull request #8661 from Marcono1234/marcono1234/getMethod-public-only 
Java: Fix reflection predicate for `getMethod` having non-public method result
 2022-04-06 12:03:14 +02:00
Alvaro Muñoz Sanchez
9ccd0e564b Add QLDocs 2022-04-06 12:00:41 +02:00
Rasmus Wriedt Larsen
4d2a3b38d2 Merge pull request #8511 from RasmusWL/use-query-suffix 
Python: Use `Query.qll` suffix for dataflow configuration definitions
 2022-04-06 11:59:29 +02:00
Rasmus Wriedt Larsen
2e9505e7f2 Remove @xcorail from CODEOWNERS 
Since @xcorail didn't have write access to this repo, that caused troubles with the CODEOWNERS file.
 2022-04-06 11:48:38 +02:00
Anders Schack-Mulligen
d0b5b99e74 Merge pull request #8611 from github/smowton/doc/switch-expr-accessors 
Java: make SwitchCase.getRuleExpression/Statement more consistent
 2022-04-06 11:16:40 +02:00
Tom Hvitved
31ec2988df Merge pull request #8674 from hvitved/csharp/useless-upcast-lambda-tests 
C#: Add more tests for `cs/useless-cast-to-self`
 2022-04-06 11:11:40 +02:00
Tom Hvitved
cee527e03a Document flow through arrays in dataflow.md 2022-04-06 11:11:02 +02:00
Alvaro Muñoz Sanchez
19b8d51c0b Update CommandLineQuery 
Make TaintTracking configuration public
 2022-04-06 10:58:56 +02:00
Alvaro Muñoz Sanchez
abaa71e2c5 Update Sql Injection queries 
move java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll -> java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
 2022-04-06 10:57:14 +02:00
Geoffrey White
6c70cb4581 Merge pull request #8672 from jketema/unused-locals 
C++: Add `cpp/unused-local-variable` test case with `switch` initializer
 2022-04-06 09:03:12 +01:00
Tom Hvitved
02b11084bc C#: Add more tests for cs/useless-cast-to-self 2022-04-06 09:36:59 +02:00
4B5F5F4B
04538d0599 Autoformated to make CodeQL happy 2022-04-06 11:59:26 +08:00
ihsinme
275b29a288 Update DangerousUseOfExceptionBlocks.expected 2022-04-05 22:48:11 +03:00
Jeroen Ketema
d19504fca2 C++: Add cpp/unused-local-variable test case with switch initializer 
This is similar to the test case with the `if` initializer, and we should
not forget about it once we support `if` initialization.
 2022-04-05 18:27:53 +02:00
Owen Mansel-Chan
603c1d518e Extend DataFlowCallable to include file scopes 
The motivation is so that getEnclosingCallable() can cope with
nodes that are not in a callable.
 2022-04-05 16:00:53 +01:00
Alex Ford
ccd7bb5e70 Merge pull request #8421 from alexrford/ruby/weak-cryptographic-algorithm 
Ruby: Add `rb/weak-cryptographic-algorithm` query
 2022-04-05 14:34:45 +01:00
Ahmed Farid
29f69bde75 Update zipslip_bad.py 2022-04-05 12:46:51 +00:00
Ahmed Farid
dfe7f532ac Update CopyFile.qll 2022-04-05 12:42:05 +00:00
Ahmed Farid
0d6d07886b Rename Zip.qll to CopyFile.qll 2022-04-05 12:37:14 +00:00
Ahmed Farid
8882bc1533 Update Frameworks.qll 2022-04-05 12:32:10 +00:00
Ahmed Farid
68bfe38529 Update Zip.qll 2022-04-05 12:31:30 +00:00
Michael Nebel
2562910b94 C#: Update Csv validation to allow sources and sink kinds to be prefixed with generated. 2022-04-05 14:25:34 +02:00
Michael Nebel
d7bf024318 Java: Add testcase for generated summary model. 2022-04-05 14:25:34 +02:00
Michael Nebel
0374f84c05 Java: Make support for generated as a part of kind. 2022-04-05 14:25:34 +02:00
Michael Nebel
3a04e9a03d Java: Update java capture models with new kind column (including tests). 2022-04-05 12:55:47 +02:00
Michael Nebel
412699f407 C#: Modify generator and update test output with updated kind column. 2022-04-05 12:51:01 +02:00
Rasmus Wriedt Larsen
5b96db26b3 Python: Rewrite concepts to use extends ... instanceof ... 
This solved performance problems experienced in
https://github.com/github/codeql/pull/8634, and this commit+PR is to
ensure we get this change in as fast as possible.
 2022-04-05 12:34:15 +02:00
Rasmus Wriedt Larsen
b7f56dd17e Python: Rewrite concepts to use extends ... instanceof ... 
This caused compilation time for `ConceptsTest.ql` to go from 1m24s to
7s
 2022-04-05 12:31:09 +02:00
Rasmus Wriedt Larsen
a7dab53ed2 Python: Add change-note 2022-04-05 11:46:49 +02:00
Rasmus Wriedt Larsen
1f285b8983 Python: Rename to XmlParsingVulnerabilityKind 
To keep up with style guide
 2022-04-05 11:07:12 +02:00
Rasmus Wriedt Larsen
ab59d5c786 Python: Rename to XmlParsing 
To follow our style guide
 2022-04-05 11:06:22 +02:00
Michael Nebel
c2920405fc C#: Add a query for detecting flow summaries that are discarded due to existing handwritten models. 2022-04-05 08:55:12 +02:00
Michael Nebel
3937714f9f C#: The CaptureSummaryModels query should only produce summary models that will not be discarded at run-time. 2022-04-05 08:55:12 +02:00
Michael Nebel
784327c183 Java/Ruby: Hardcode generated flag to false. 2022-04-05 08:55:12 +02:00
Michael Nebel
8e1fa35367 C#: Add testcase, where generated flow summary is ignored. 2022-04-05 08:55:12 +02:00
Michael Nebel
de76df3988 C#: Only use generated summaries, if no handwritten model exist for a particular dataflow callable. 2022-04-05 08:55:12 +02:00
Michael Nebel
30dc4ae788 C#: Add testcase with multiple generated flow summaries. 2022-04-05 08:55:12 +02:00
Michael Nebel
689e8f1952 C#: Small testcase with a summary flow model that is listed as generated. 2022-04-05 08:55:12 +02:00
Michael Nebel
26ad4861a3 C#: Introduce parsing of the kind field. 2022-04-05 08:55:12 +02:00
Michael Nebel
f8b094ac1f C#: Only use generated flow summaries in case no handwritten summary exists. 2022-04-05 08:55:11 +02:00
Michael Nebel
4d953da480 C#: Initial steps to allow generated as a part of the kind. 2022-04-05 08:55:11 +02:00
Michael Nebel
1f72f6c2cd Merge pull request #8559 from michaelnebel/csharp/generateflowmodelsscript 
C#: Generate Flow Models script
 2022-04-05 08:43:22 +02:00
Harry Maclean
1df1f42589 Fail workflow if files cannot be uploaded 2022-04-05 14:16:42 +12:00
Harry Maclean
5739a3b4e8 Fix typo 2022-04-05 14:14:39 +12:00