Max Schaefer
c30b1d98ea
Address review comments.
2020-01-24 10:26:59 +00:00
Max Schaefer
ebea811a83
Add example queries.
2020-01-24 10:26:59 +00:00
Asger Feldthaus
7fa0fea253
TS: Address comments in guessMainFile
2020-01-24 10:11:53 +00:00
Asger Feldthaus
1f647223e0
TS: Move definition of mainStr
2020-01-24 10:02:06 +00:00
Esben Sparre Andreasen
8deefd60a7
java: fixup whitespace/tabs in test
2020-01-24 11:01:38 +01:00
Asger Feldthaus
9ed77585a7
Merge branch 'ts-monorepo-deps' of github.com:asger-semmle/ql into ts-monorepo-deps
2020-01-24 09:58:35 +00:00
Asger F
5448bffede
Update javascript/extractor/lib/typescript/src/main.ts
...
Co-Authored-By: Erik Krogh Kristensen <erik-krogh@github.com>
2020-01-24 09:58:27 +00:00
Asger Feldthaus
3ca5a3dbe4
TS: Document nodeModulesRex
2020-01-24 09:57:40 +00:00
Asger Feldthaus
804aef507f
TS: Remove unneeded alias PackageLocationMap
2020-01-24 09:51:03 +00:00
Asger Feldthaus
542ce816dc
TS: Simplify string equality check
2020-01-24 09:49:11 +00:00
Asger Feldthaus
fc04e06456
TS: Allow .js extensions in cross package imports
2020-01-24 09:48:43 +00:00
Jonas Jensen
6606b2e18a
C++: autoformat fixup
2020-01-24 10:48:03 +01:00
Asger Feldthaus
b98db62e82
JS: Recognize req.user as a cookie access
2020-01-24 09:44:20 +00:00
Geoffrey White
912260b3aa
C++: Autoformat tests.
2020-01-24 09:43:58 +00:00
Max Schaefer
9507a22f48
Merge pull request #213 from sauyon/codeql-test
...
Use codeql for testing and add binary cross compilation support
2020-01-24 09:40:47 +00:00
Rasmus Wriedt Larsen
5778764a48
Python: Stop using deprecated getName in collections taint test
2020-01-24 10:32:17 +01:00
Rasmus Wriedt Larsen
3db551d6bc
Python: Use variables in collection-taint test
...
They are not tainted in assignment, only in use.
I also adopted an attempt at a better test-setup, where it's easy to see if
everything is the way you hoped for, instead of browsing through 100s of lines of
taint-step output :P
2020-01-24 10:32:17 +01:00
Erik Krogh Kristensen
c0af3780c4
adjust the ReceiveNode docstrings
2020-01-24 10:06:28 +01:00
Jonas Jensen
5eeb5c6e67
C++: Use asExpr, not getConvertedResultExpression
...
We designed the IR's `DataFlow::Node.asExpr` very carefully so that it's
suitable for taint tracking, but then we didn't use it in
`DefaultTaintTracking.qll`. This meant that the sources in
`ArithmeticWithExtremeValues.ql` didn't get associated with any
`Instruction` and thus didn't propagate anywhere.
With this commit, the mapping of `Expr`-based sources to IR data-flow
nodes uses `asExpr`.
2020-01-24 09:42:26 +01:00
Tom Hvitved
cfbdf21d1b
Merge pull request #2682 from calumgrant/cs/format-trap-floats
...
C#: Fix outputting floats to the trap file
2020-01-24 09:13:18 +01:00
Jonas Jensen
9a45c5570d
C++: Move Load from AssignmentOperation to its LHS
...
This is analogous to what was done for `CrementOperation`.
2020-01-24 09:09:31 +01:00
Jonas Jensen
53b1068a9f
C++: Unshare code between assignment types
...
This commit undoes the code sharing between `TranslatedAssignExpr` (`=`)
and `TranslatedAssignOperation` (`+=`, `<<=`, ...). In the next commit,
when we change how the `Load` works on the LHS of
`TranslatedAssignOperation`, these classes will become so different that
sharing is no longer helpful.
2020-01-24 09:04:09 +01:00
Jonas Jensen
c5950d2c9d
C++: IR: Result of x in x++ is now the Load
...
Previously, the `Load` would be associated with the `CrementOperation`
rather than its operand, which gave surprising results when mapping
taint sinks back to `Expr`.
The changes in `raw_ir.expected` are to add `Copy` operations on the
`x++` in code like `y = x++`. This is now needed because the result that
`x++` would otherwise have (the Load) no longer belongs to the `++`
expression. Copies are inserted to ensure that all expressions are
associated with an `Instruction` result.
The changes in `*aliased_ssa_ir.expected` appear to be just wobble.
2020-01-24 09:02:50 +01:00
Esben Sparre Andreasen
57b3a55b48
java: sharpen java/maven/non-https-url to allow localhost URLs
2020-01-24 08:51:54 +01:00
Esben Sparre Andreasen
a5558809f4
java: add more tests for java/maven/non-https-url
2020-01-24 08:49:59 +01:00
Sauyon Lee
2bd88d5b61
Merge pull request #225 from max/impossible-interface-nil-check-robustness
...
Make ImpossibleInterfaceNilCheck more robust.
2020-01-23 16:06:03 -08:00
Sauyon Lee
3a53269a52
Merge pull request #223 from max/update-dataflow
...
Add support for taint-getter/setter summaries in data flow.
2020-01-23 16:03:05 -08:00
Grzegorz Golawski
968c18d208
Query to detect LDAP injections in Java
...
Refactoring according to review comments.
2020-01-23 22:51:10 +01:00
Erik Krogh Kristensen
2044b4bc82
changes based on review
2020-01-23 20:29:06 +01:00
yo-h
eb6f8da080
Merge pull request #2679 from aschackmull/java/remove-depr-flow-fwd-back
...
Java/C++/C#: Remove the deprecated hasFlowForward/hasFlowBackward.
2020-01-23 14:10:28 -05:00
yo-h
50320c7828
Merge pull request #2628 from aschackmull/java/no-adhoc-testclass
...
Java: Replace ad-hoc TestClass detection.
2020-01-23 14:09:11 -05:00
Geoffrey White
795afa8160
CPP: Better location for the StackVariableReachability test.
2020-01-23 17:32:07 +00:00
Geoffrey White
b693ef51e2
C++: Put a little bit of content in the StackVariableReachability test.
2020-01-23 17:25:26 +00:00
Jonas Jensen
ed3ed5f1b6
C++: Test to show lack of flow to crement operands
2020-01-23 17:42:51 +01:00
Geoffrey White
f16870f8c6
CPP: Autoformat.
2020-01-23 16:20:18 +00:00
Asger Feldthaus
852b90a6c9
TS: Be compatible with odasa/qltest
2020-01-23 16:13:53 +00:00
Calum Grant
35bc78d666
C#: Fix outputting floats to the trap file. In some locales, the extractor output invalid floating point values to the trap file.
2020-01-23 15:43:25 +00:00
Asger Feldthaus
a68bb9ffd1
JS: Ignore calls and csrf/captcha access
2020-01-23 15:32:05 +00:00
Asger Feldthaus
b1ec3e1bf2
JS: Add test and don't check predecessors
2020-01-23 14:59:03 +00:00
Jonas Jensen
33070cc16d
Merge pull request #2678 from MathiasVP/union-access-global-virtual-dispatch
...
C++: IR virtual dispatch through union field access
2020-01-23 15:32:31 +01:00
Asger Feldthaus
406c6eb981
JS: Sharpen missing CSRF middleware query
2020-01-23 14:22:49 +00:00
Geoffrey White
edf2b54813
CPP: Model strndup.
2020-01-23 13:46:57 +00:00
Anders Schack-Mulligen
e7f7c7370a
Java/C++/C#: Remove the deprecated hasFlowForward/hasFlowBackward.
2020-01-23 14:05:18 +01:00
Taus
0627fadbff
Merge pull request #2669 from RasmusWL/python-modernise-resources
...
Python: modernise Resources/ queries
2020-01-23 13:43:33 +01:00
Taus
618a35bb7c
Merge pull request #2664 from RasmusWL/python-fix-redirect-example
...
Python: Remove unused variable in example for py/url-redirection
2020-01-23 13:42:00 +01:00
Taus
d06e86f54d
Merge pull request #2662 from RasmusWL/python-taint-on-eq-test
...
Python: Only clear taint on constant comparison in if
2020-01-23 13:41:40 +01:00
Taus
ef7eafa849
Merge pull request #2644 from RasmusWL/python-add-deprecated-keyword
...
Python: Add deprecated keyword to deprecated functions
2020-01-23 13:41:15 +01:00
Asger Feldthaus
dc30dcf1f8
TS: Only require SCRATCH_DIR when installing dependencies
2020-01-23 12:39:19 +00:00
Mathias Vorreiter Pedersen
5fd1c6fedb
C++: Remove parameter from predicate for some tiny performance benefits
2020-01-23 13:29:48 +01:00
Jonas Jensen
8a0089a875
Merge pull request #2672 from geoffw0/qualifierflow
...
CPP: Support taint flow in and out of qualifiers
2020-01-23 13:17:17 +01:00