hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-02 00:02:57 +01:00
Code Issues Packages Projects Releases Wiki Activity
40,697 Commits 1,684 Branches 159 Tags
codeql-cli/v2.10.0
Commit Graph

40697 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rasmus Wriedt Larsen
9c2fc1b415 Ruby: client request: getUrl => getAUrlPart 
This is a port of the same change in Python from
f8fc583af3

The description of that commit was:

> I think `getUrl` is a bit too misleading, since from the name, I would
> only ever expect ONE result for one request being made.
>
> `getAUrlPart` captures that there could be multiple results, and that
> they might not constitute a whole URl.
>
> Which is the same naming I used when I tried to model this a long time ago
> a80860cdc6/python/ql/lib/semmle/python/web/Http.qll (L102-L111)
 2022-03-22 10:53:55 +01:00
Rasmus Wriedt Larsen
311cbb4e13 Merge branch 'main' into shared-concepts-scaffolding 2022-03-22 10:36:33 +01:00
Rasmus Wriedt Larsen
414764ccee Concepts: Minor rewrite in qldoc 
As suggested by @hmac
 2022-03-22 10:33:58 +01:00
Rasmus Wriedt Larsen
e50a9421a6 JS: Update dataflow import in ConceptsImports.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2022-03-22 10:32:20 +01:00
Erik Krogh Kristensen
099d91ba6f update qldoc 2022-03-22 10:27:21 +01:00
Tom Hvitved
99ddfb489f Ruby: Rework getConstantValue implementation 2022-03-22 10:07:44 +01:00
Erik Krogh Kristensen
ea065b7d8a Merge pull request #8521 from erik-krogh/getRubyMoreInSync 
Ruby: sync ExponentialBackTracking.qll
 2022-03-22 09:59:20 +01:00
Erik Krogh Kristensen
90a6717932 sync ExponentialBackTracking.qll for ruby 2022-03-22 09:27:04 +01:00
Tamás Vajk
36c7e10195 Merge pull request #8519 from github/revert-8294-tamasvajk/fix/mad-adjustments 
Revert "Fix MaD workflows to be more resilient to missing files"
 2022-03-22 09:19:14 +01:00
Tamás Vajk
87e1641772 Revert "Fix MaD workflows to be more resilient to missing files" 2022-03-22 09:08:56 +01:00
Tamás Vajk
80fb021e32 Merge pull request #8294 from github/tamasvajk/fix/mad-adjustments 
Fix MaD workflows to be more resilient to missing files
 2022-03-22 09:02:37 +01:00
Rasmus Lerchedahl Petersen
f5b53083ae python: require authentication middleware 
for CSRF to be relevant
 2022-03-22 08:44:19 +01:00
Harry Maclean
99b5c580a5 Ruby: Fix captured reads in lambdas 
These were previously identified as method calls. The fix is to
recognise lambdas as a scope which can inherit variables from its
parent.
 2022-03-22 15:35:43 +13:00
Harry Maclean
c891e62a0e Ruby: Add some tests for method calls in lambdas 
This reveals a bug where we identify reads of captured variables in
lambdas as method calls. This is fixed in a followup commit.
 2022-03-22 15:33:22 +13:00
Harry Maclean
3e8bc8b0f2 Merge pull request #8224 from github/hmac/http-to-file-access 
Ruby: Add rb/http-to-file-access query
 2022-03-22 13:46:36 +13:00
Jeroen Ketema
2d9b630fa8 C++: Fix ExecTainted.ql formatting 2022-03-21 23:28:58 +01:00
Harry Maclean
b1ae548f4c Ruby: Fix doc comment formatting 2022-03-22 11:10:09 +13:00
Harry Maclean
c2d4bc50c9 Add missing file doc comment 2022-03-22 11:10:09 +13:00
Harry Maclean
91a7e9405c Share HttpToFileAccessQuery between JS and Ruby 
There's so little in this query that it may not be worth sharing, but
it's an interesting exercise in figuring out how we do it nicely.
 2022-03-22 11:10:08 +13:00
Harry Maclean
130d93dded Ruby: Make HttpToFileAccess more specific 
Only consider sources from HTTP requests, rather than any remote flow
source.
 2022-03-22 11:09:08 +13:00
Harry Maclean
fac17384c3 Ruby: Add RequestInputAccess concept 
This sits in between RemoteFlowSource and specific classes like
ParamsSource from ActionController. It represents any user-controller
input from an incoming HTTP request.

This more closely aligns our concepts with the JS library, and allows us
to specifically target sources from HTTP requests in the
HttpToFileAccess query.
 2022-03-22 11:09:08 +13:00
Harry Maclean
ff1d96c922 Ruby: Add rb/http-to-file-access query 2022-03-22 11:09:08 +13:00
Jeroen Ketema
b79eb6d10d C++: Encode string value of data flow nodes in ExecState 2022-03-21 21:29:42 +01:00
Robert Marsh
23e9963a19 Merge branch 'main' into rdmarsh2/ir-global-vars 2022-03-21 16:13:40 -04:00
Robert Marsh
32e128d207 C#: sync IR files 2022-03-21 16:01:53 -04:00
Robert Marsh
5bb6441047 C++: Fix consistency issues with aggregate inits 2022-03-21 16:01:24 -04:00
Harry Maclean
6c18e1d7ac Merge pull request #8272 from hmac/hmac/tainted-format-string 2022-03-22 08:37:47 +13:00
github-actions[bot]
a3e74efc21 Post-release preparation for codeql-cli-2.8.4 2022-03-21 19:36:47 +00:00
github-actions[bot]
9ba21923a3 Post-release preparation for codeql-cli-2.8.4 2022-03-21 19:36:39 +00:00
Rasmus Wriedt Larsen
88184ba9f5 Python: Update path-injection .expected 
AHA! This change happened because we are no longer importing all the old
deprecated implementation.
 2022-03-21 20:24:12 +01:00
Robert Marsh
a36c6f2dab C++: restrict IR generation to global vars w inits 2022-03-21 14:26:29 -04:00
Mathias Vorreiter Pedersen
aff76b7295 Merge pull request #8512 from github/fix-dead-select-clause-link 
Fix dead link in `CONTRIBUTING.md`
 2022-03-21 17:39:07 +00:00
Robert Marsh
c27dfb5120 C++: IR translation for global variable inits 2022-03-21 13:17:05 -04:00
Mathias Vorreiter Pedersen
2e55fd6be3 Update CONTRIBUTING.md 
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
 2022-03-21 16:49:59 +00:00
Ian Lynagh
30bd1a6eb6 Merge pull request #704 from github/release-prep/2.8.4 
Release preparation for version 2.8.4
 2022-03-21 16:27:35 +00:00
Ian Lynagh
e41bbfd931 Merge pull request #8510 from github/release-prep/2.8.4 
Release preparation for version 2.8.4
codeql-cli/v2.8.4 		2022-03-21 16:27:29 +00:00
Mathias Vorreiter Pedersen
cf54006c86 Fix dead link in CONTRIBUTING.md 
cc @felicitymay.
 2022-03-21 16:05:57 +00:00
Erik Krogh Kristensen
c8385a1e80 js/xss-through-dom: filter away reads of .src that end in a URL sink 2022-03-21 16:48:59 +01:00
Rasmus Wriedt Larsen
758a81cc0f Python: Remove import of Concepts in DataFlowPrivate 
As discussed in PR review
 2022-03-21 16:22:15 +01:00
Jonathan Leitschuh
b3ee1bd313 Refactor Preconditions and add Tests 2022-03-21 11:20:05 -04:00
Rasmus Wriedt Larsen
978ef05571 Python: Add change-note 2022-03-21 16:18:40 +01:00
Ian Lynagh
1f8ce3a868 Java: Tweak release notes 2022-03-21 15:14:45 +00:00
Rasmus Wriedt Larsen
b8dee25cce Python: ReflectedXSS -> ReflectedXss for new Query file 
So we stick to the naming conventions.

This rename is OK, since the new file was only just introduced in this
PR.
 2022-03-21 16:12:38 +01:00
Arthur Baars
79cd7bf8ed Python: create semmle/python/dataflow/new/Regex.qll 2022-03-21 15:57:19 +01:00
Jonathan Leitschuh
db0879ec25 Apply suggestions from code review 
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
 2022-03-21 10:35:13 -04:00
Rasmus Wriedt Larsen
695553ba9f Python: Deprecate old non-Query.qll dataflow defs 2022-03-21 15:03:22 +01:00
Rasmus Wriedt Larsen
db86a18791 Python: Autoformat 2022-03-21 14:53:53 +01:00
Rasmus Wriedt Larsen
0125aea91b Python: Re-introduce old dataflow configs .qll files 
and move all the old deprecated aliases to that file. We now have a
situation where all queries should work as they did before, and we just
have these new Query.qll files that contain the implementation.

(deprecation comes later)
 2022-03-21 14:53:53 +01:00
Rasmus Wriedt Larsen
1bf8fa6a3b Python: Adopt Query.qll suffix for dataflow config defs 
This commit in itself makes everything break, but should make it easy to
follow the overall changes being made.
 2022-03-21 14:53:53 +01:00
Michael Nebel
92f8a90f31 C#: Introduce a collectionType predicate. 2022-03-21 14:44:38 +01:00