Commit Graph

41418 Commits

Author SHA1 Message Date
Asger Feldthaus
4f53a1ab40 JS: Cache ClassNode::Range 2021-04-23 13:15:35 +01:00
Asger Feldthaus
d0b8b32345 JS: Add change notes 2021-04-23 13:15:35 +01:00
Asger Feldthaus
671e968936 JS: Model NestJS 2021-04-23 13:15:35 +01:00
Anders Schack-Mulligen
bc8c55836a Merge pull request #5743 from aschackmull/java/flow-summary-tweaks
Java/C#: Move a couple of flow summary tweaks to the shared implementation.
2021-04-23 13:46:04 +02:00
Tamas Vajk
1b4c3c7415 Fix code review findings 2021-04-23 13:44:34 +02:00
Tamás Vajk
819be43ce7 Fix alphabetical order of supported frameworks 2021-04-23 13:41:59 +02:00
Tamas Vajk
b4bd7af9c8 Add change note 2021-04-23 13:40:12 +02:00
Tamas Vajk
e3f10c0e32 Cleanup DiagnosticError classes 2021-04-23 13:37:42 +02:00
Rasmus Wriedt Larsen
deb3db3f95 Python: Add non-alert data for extractor diagnostics
This is basically just a port of the C++/JS queries added in:

- https://github.com/github/codeql/pull/5414 (C++)
- https://github.com/github/codeql/pull/5656 (JS)

SyntaxError should capture all errors we have information about. At least in
`python/ql/src/semmlecode.python.dbscheme` the only match for `error` is
`py_syntax_error_versioned` (which `SyntaxError` is based on).
2021-04-23 13:29:44 +02:00
Rasmus Wriedt Larsen
354dee1b09 Python: Add non-alert data for lines of code
`py/summary/lines-of-code` is just a port of the C++/JS queries added in:

- https://github.com/github/codeql/pull/5271 (C++)
- https://github.com/github/codeql/pull/5304 (JS)

We are the first to implement the `lines-of-user-code` query, so nothing to
compare with in other languages -- but it makes a lot of sense to do for Python 👍
2021-04-23 13:22:18 +02:00
Asger Feldthaus
109d1ad27f JS: Model fs.promises 2021-04-23 11:59:48 +01:00
Asger Feldthaus
822d4525af JS: Drive-by change in LogInjection 2021-04-23 11:59:48 +01:00
Asger Feldthaus
ad12f383d9 JS: Reduce reliance on RouteHandler in Express model 2021-04-23 11:59:48 +01:00
Tamás Vajk
43dc9bbc94 Merge pull request #5744 from tamasvajk/feature/java-loc
Java: Introduce LoC summary metric query
2021-04-23 11:39:42 +02:00
Mathias Vorreiter Pedersen
e6077127be C++: Only unary and binary arithmetic operations and left shifts are now
reported as overflowing when we cannot analyze them.
2021-04-23 11:13:34 +02:00
Tom Hvitved
956507b5fa C#: Add guards stress test 2021-04-23 10:25:31 +02:00
yoff
1954c0ba84 Apply suggestions from code review
Co-authored-by: Taus <tausbn@github.com>
2021-04-23 10:20:18 +02:00
Tom Hvitved
4c597dd467 C#: Improve performance of guards library 2021-04-23 10:09:43 +02:00
Jonas Jensen
6de5b3021e C++: Replace Jira ticket reference with GH issue 2021-04-23 09:58:39 +02:00
Jonas Jensen
6e059ea002 C++: Remove reference to obsolete issue CPP-383 2021-04-23 09:58:15 +02:00
Shati Patel
96a4d91a6c Merge pull request #5731 from shati-patel/docs/unbind-pragmas
Docs: New "directional binding" pragmas
2021-04-23 08:37:02 +01:00
intrigus
98dcd4e52b Java: Tighten definition of sink. 2021-04-23 00:14:48 +02:00
CodeQL CI
635fb4c25a Merge pull request #5685 from erik-krogh/markdownIt
Approved by asgerf
2021-04-22 14:55:31 -07:00
intrigus
a385b30c29 Java: Factor common expr into class. 2021-04-22 23:51:27 +02:00
intrigus-lgtm
958e2fab05 Apply suggestions from code review
Co-authored-by: Chris Smowton <smowton@github.com>
2021-04-22 23:36:17 +02:00
Dave Bartolomeo
3b04bedee0 Stub out additional bits of Alias model for C# 2021-04-22 17:19:00 -04:00
Dave Bartolomeo
5d0a4cae90 C++: Add {AllAliased} side effects for smart pointers
Smart pointer constructors, assignments, and `reset()` can actually have fairly large side effects, especially with custom deleters, destructors for objects being destroyed, and so on. I've re-introduced `{AllAliased}` side effects for these functions. There was no immediate effect on analysis results.
2021-04-22 16:51:36 -04:00
Taus
3e4ff9e472 Merge pull request #5742 from RasmusWL/django-3.2
Python: Add support for new features in Django 3.2
2021-04-22 17:39:02 +02:00
Rasmus Wriedt Larsen
f9383a31bf Python: Fix BrokenCryptoAlgorithm.qhelp 2021-04-22 15:58:28 +02:00
Rasmus Wriedt Larsen
222c087e8c Python: Remove type-tracking performance workaround
Since we shouldn't need it anymore (yay)
2021-04-22 15:31:49 +02:00
Rasmus Wriedt Larsen
b82209964a Python: Add change-note for new weak crypto queries 2021-04-22 15:23:42 +02:00
Rasmus Wriedt Larsen
fc1a6d0e32 Python: Say salting is not part of py/weak-sensitive-data-hashing 2021-04-22 15:23:41 +02:00
Rasmus Wriedt Larsen
ac83c695ad Python: Add py/weak-sensitive-data-hashing query 2021-04-22 15:23:41 +02:00
Rasmus Wriedt Larsen
499adc26a3 Python: Extend SensitiveDataSource tests
Now it contains all the sort of things we actually support 👍
2021-04-22 15:23:40 +02:00
Rasmus Wriedt Larsen
794a86a6b0 Python: Add SensitiveDataSource 2021-04-22 15:23:39 +02:00
Rasmus Wriedt Larsen
56c409737d Python: Port py/weak-cryptographic-algorithm
The other query (py/weak-sensitive-data-hashing) is added in future commit
2021-04-22 15:23:38 +02:00
Rasmus Wriedt Larsen
59edd18c34 Python: Move framework test-files out of experimental
This PR was rebased on newest main, but was written a long time ago when all the
framework test-files were still in experimental. I have not re-written my local
git-history, since there are MANY updates to those files (and I dare not risk
it).
2021-04-22 15:23:37 +02:00
Rasmus Wriedt Larsen
1616975e06 Python: Model hashlib from standard library 2021-04-22 15:23:37 +02:00
Rasmus Lerchedahl Petersen
5a4e661e60 Merge branch 'main' of github.com:github/codeql into python-support-pathlib 2021-04-22 15:04:21 +02:00
CodeQL CI
bdb41423e2 Merge pull request #5748 from asgerf/js/rate-limiting-fixes
Approved by erik-krogh
2021-04-22 05:56:50 -07:00
Rasmus Wriedt Larsen
7ffbfa8043 Python: Expand stdlib md5 tests with keyword-arguments 2021-04-22 14:51:20 +02:00
Rasmus Wriedt Larsen
fa88f22453 Python: Model hashing operations in cryptography package 2021-04-22 14:51:20 +02:00
Rasmus Wriedt Larsen
c5f826580b Python: Model encrypt/decrypt in cryptography package
I introduced a InternalTypeTracking module, since the type-tracking code got so
verbose, that it was impossible to get an overview of the relevant predicates.
(this means the "first" type-tracking predicate that is usually private, cannot
be marked private anymore, since it needs to be exposed in the private module.
2021-04-22 14:51:19 +02:00
Rasmus Wriedt Larsen
bf6f5074c2 Python: Port cryptodome tests to crypto
I don't know if this is really a smart test-setup... I feel a bit stupid when
doing this xD
2021-04-22 14:51:19 +02:00
Rasmus Wriedt Larsen
f8254381f3 Python: Add MISSING: CryptographicOperationAlgorithm annotations
For RSA it's unclear what the algorithm name should even be. Signatures based on
RSA private keys with PSS scheme is ok, but with pkcs#1 v1.5 they are
weak/vulnerable. So clearly just putting RSA as the algorithm name is not enough
information...

and that problem is also why I wanted to do this commit separetely (to call
extra atten to this).
2021-04-22 14:51:18 +02:00
Rasmus Wriedt Larsen
23140dfb76 Python: Add CryptographicOperation modeling for Cryptodome 2021-04-22 14:51:17 +02:00
Rasmus Wriedt Larsen
1b2ed9d99a Python: Align cryptodome tests 2021-04-22 14:51:16 +02:00
Rasmus Wriedt Larsen
2c0df8e656 Python: Add MD5 tests 2021-04-22 14:51:16 +02:00
Rasmus Wriedt Larsen
a8de2aba3b Python: Move CryptoAlgorithms implementation 2021-04-22 14:51:15 +02:00
Rasmus Wriedt Larsen
65c8d9605e Python: Add CryptographicOperation Concept
I considered using `getInput` like in JS, but things like signature verification
has multiple inputs (message and signature).

Using getAnInput also aligns better with Decoding/Encoding.
2021-04-22 14:51:14 +02:00