hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-21 01:13:43 +01:00
Code Issues Packages Projects Releases Wiki Activity
41,418 Commits 1,693 Branches 161 Tags
codeql-cli/v2.10.2
Commit Graph

41418 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
semmle-qlci
be5b343a0c Merge pull request #3564 from max-schaefer/js/reflective-argument-access 
Approved by asgerf
 2020-05-26 12:09:13 +01:00
Asger Feldthaus
75fee22f1e JS: Avoid string coercion in JSXName.getValue 2020-05-26 12:03:02 +01:00
Erik Krogh Kristensen
ad40c4b0f2 add a sanitizer guard for safe attribute string concatenations 2020-05-26 12:36:47 +02:00
Erik Krogh Kristensen
a9bea63019 recognize more HTML attribute concatenations 2020-05-26 12:36:24 +02:00
Shati Patel
bdecda22f7 Merge pull request #3538 from shati-patel/sd-86 
QL language: Clarify use of query modules
 2020-05-26 11:30:17 +01:00
Max Schaefer
a59e754403 Data flow: Remove deprecated predicates. 
cf https://github.com/github/codeql/pull/3515
 2020-05-26 11:09:35 +01:00
Max Schaefer
1f54edfe99 Add make target for synchronising data-flow libraries. 2020-05-26 11:09:07 +01:00
Shati Patel
c12fd6fba6 Add links to Go queries 2020-05-26 11:08:11 +01:00
Shati Patel
495c6715cd Update contributing guide with premigration changes 2020-05-26 11:08:11 +01:00
Shati Patel
bdfb8a337e Update style guides with premigration changes 2020-05-26 11:08:11 +01:00
semmle-qlci
4b0354c4bc Merge pull request #3555 from max-schaefer/js/require-flow 
Approved by asgerf
 2020-05-26 10:54:21 +01:00
Max Schaefer
5b0a3b9673 JavaScript: Change "Less results" to "Fewer results" in change notes. 2020-05-26 10:49:30 +01:00
Max Schaefer
abfcc42133 JavaScript: Re-alphabetise change notes. 2020-05-26 10:49:30 +01:00
Max Schaefer
215682f67c JavaScript: Add change note. 2020-05-26 10:49:30 +01:00
Max Schaefer
7ddf5ced23 JavaScript: Update expected output for unrelated tests. 2020-05-26 10:49:30 +01:00
semmle-qlci
4b56229ca0 Merge pull request #3527 from esbena/js/fastify 
Approved by asgerf
 2020-05-26 10:44:59 +01:00
Rasmus Lerchedahl Petersen
6b168de7fc Python: re, handle \Z 2020-05-26 11:42:21 +02:00
semmle-qlci
df205b617e Merge pull request #3539 from asger-semmle/js/capture-level-flow 
Approved by erik-krogh
 2020-05-26 10:42:14 +01:00
Mathias Vorreiter Pedersen
b205d36933 C++: Remove chi -> load rule from simpleLocalFlowStep and accept tests 2020-05-26 11:40:26 +02:00
Rasmus Wriedt Larsen
c78ca2616c Merge branch 'master' into python-keyword-only-args 2020-05-26 11:20:04 +02:00
Max Schaefer
63fddfc705 Merge pull request #155 from sauyon/dbscheme-binary 
Create a new entry point for generating dbschemes
 2020-05-26 10:17:39 +01:00
Rasmus Wriedt Larsen
5a18b08d13 Python: Add comment explaining kw-only default index upgrade 2020-05-26 11:15:00 +02:00
Rasmus Wriedt Larsen
a616704a56 Python: Fix typo 
Co-authored-by: Taus <tausbn@gmail.com>
 2020-05-26 11:07:49 +02:00
Max Schaefer
9d3a9d71f1 JavaScript: Add basic support for reasoning about reflective parameter accesses. 
Currently, only `arguments[c]` for a constant value `c` is supported.

This allows us to detect the prototype-pollution vulnerabilities in (old versions of) `extend`, `jquery`, and `node.extend`.
 2020-05-26 09:59:29 +01:00
Max Schaefer
a39e8b4802 JavaScript: Add test for FlowSteps::argumentPassing predicate. 2020-05-26 09:51:06 +01:00
Rasmus Wriedt Larsen
9c75a39b81 Python: Extend command-injection to handle fabric.api.execute 2020-05-26 10:22:27 +02:00
Rasmus Wriedt Larsen
e04d1ffcd2 Python: Add test for fabric.api.execute 2020-05-26 10:20:22 +02:00
Anders Schack-Mulligen
6bc9624a4c Merge pull request #3236 from luchua-bc/java-improper-url-validation 
Java: Improper url validation
 2020-05-26 09:48:44 +02:00
Mathias Vorreiter Pedersen
5fb76df44f Merge pull request #3556 from jbj/qldoc-CodeDuplication 
C++/JavaScript: Improve CodeDuplication.qll QLDoc
 2020-05-26 09:17:28 +02:00
semmle-qlci
64aefc612f Merge pull request #3554 from jbj/too-few-arguments-ambiguous 
Approved by dbartol
 2020-05-26 07:26:53 +01:00
Rasmus Lerchedahl Petersen
f1efdee194 Python: re test with \Z 2020-05-26 08:07:13 +02:00
Erik Krogh Kristensen
3f66c04e12 change note 2020-05-26 00:09:11 +02:00
Erik Krogh Kristensen
9254df1f78 sanitize optionally sanitized values 2020-05-26 00:09:11 +02:00
Erik Krogh Kristensen
8fac3a1403 add IsEmptyGuard to TaintTracking 2020-05-26 00:09:08 +02:00
Dave Bartolomeo
5c20d56134 Merge pull request #3558 from jbj/qldoc-default-objc 
C++: Properly deprecate objc.qll and default.qll
 2020-05-25 14:31:25 -04:00
Dave Bartolomeo
12688f80ce Merge pull request #3559 from jbj/vcs-remove 
C++: Remove VCS.qll and all queries using it
 2020-05-25 14:30:31 -04:00
Jonas Jensen
e28ed848a4 C++: Remove VCS.qll and all queries using it 
All these queries have been deprecated since 2018. There is
unfortunately no way to deprecate a library, but it's been years since
we populated any databases using the VCS library, so nobody should be
using it.
 2020-05-25 19:28:06 +02:00
Jonas Jensen
85df60ea65 C++: Replace import default with import cpp 
Some tests still used the old name for the top-level library.
 2020-05-25 19:07:28 +02:00
Jonas Jensen
5fc2a3de92 C++: QLDoc for default.qll and objc.qll 
These are both deprecated.
 2020-05-25 19:05:41 +02:00
Jonas Jensen
357e14b2d2 C++: QLDoc for legacy libraries in external dir 
These docs were taken from the corresponding files in JavaScript, and
parameter names were changed to match.
 2020-05-25 19:03:14 +02:00
Jonas Jensen
6fc9e1d84c C++/JavaScript: Improve CodeDuplication.qll QLDoc 
I took most of the docs from the corresponding predicates in
JavaScript's `CodeDuplication.qll`. Where JavaScript had a corresponding
predicate but didn't have QLDoc, I added new QLDoc to both.
 2020-05-25 18:59:48 +02:00
Taus
7716cff3d8 Merge pull request #3551 from RasmusWL/python-fix-upcoming-deprecation 
Python: Fix (upcoming) deprecation compiler-warnings
 2020-05-25 16:17:57 +02:00
semmle-qlci
8146073c74 Merge pull request #3553 from RasmusWL/python-fix-tainttracking-import 
Approved by tausbn
 2020-05-25 14:18:54 +01:00
semmle-qlci
6f1f926e0c Merge pull request #3552 from RasmusWL/python-fix-filename-example 
Approved by tausbn
 2020-05-25 14:17:05 +01:00
Jonas Jensen
bc09720704 Merge pull request #3479 from geoffw0/fp2762 
C++: Allow equality to block taint (security taint tracking)
 2020-05-25 15:11:10 +02:00
Jonas Jensen
3d58e6f7af Merge pull request #3515 from hvitved/dataflow/remove-deprecated 
Data flow: Remove deprecated predicates
 2020-05-25 15:08:28 +02:00
Jonas Jensen
b4c32a00d8 C++: Fix up QLDoc in TooFewArguments.qll 2020-05-25 14:49:02 +02:00
Jonas Jensen
b1edc1d255 C++: Only give alert when no def fits arg count 
The `cpp/too-few-arguments` query produced alerts for ambiguous
databases where a function had multiple possible declarations, with some
declarations having the right number of parameters and some having too
many. With this change, the query errs on the side of caution in those
cases and does not produce an alert.

This fixes false positives on racket/racket.

The new `hasDefiniteNumberOfParameters` is exactly the negation of the
old `hasZeroParamDecl`.
 2020-05-25 14:48:57 +02:00
Bt2018
2a654af983 Correct the select statement in the query 2020-05-25 08:24:38 -04:00
Rasmus Wriedt Larsen
f602f3e1c7 Python: Use proper import for semmle.python.dataflow.TaintTracking 
It was moved in 637677d515, but imports were not
updated.
 2020-05-25 13:45:49 +02:00