hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-05 09:41:10 +01:00
Code Issues Packages Projects Releases Wiki Activity
41,812 Commits 1,691 Branches 159 Tags
codeql-cli/v2.10.3
Commit Graph

41812 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rasmus Wriedt Larsen
49b5d60229 Python: Use AttrRead/AttrWrite for attr read/store steps 
Note that this doesn't actually add the desired flow from setattr, due
to missing post-update note. This will be fixed in later commit.
 2022-02-03 14:58:30 +01:00
Rasmus Wriedt Larsen
5774459dfb Python: restrict AttrRead with AttrNode.isLoad() 2022-02-03 14:58:23 +01:00
Rasmus Wriedt Larsen
cf68148316 Python: Add change-note 2022-02-03 14:29:02 +01:00
Rasmus Wriedt Larsen
e2de0e61ca Python: Remove RegExpTerm from PrintAST 
Since this caused bad performance (as we had to evaluate points-to).

Fixes https://github.com/github/codeql/issues/6964

This approach was motivated by the comment on the issue from @tausbn:

> We discussed this internally in the CodeQL Python team, and have
> agreed that the best approach for now is to disable the printing of
> regex ASTs.

I tried to keep our RegExpTerm logic, but doing the fix below did not
work, and still evaluated RegExpTerm :| I guess we will just have to
revert this PR if we want it back

```diff
   TRegExpTermNode(RegExpTerm term) {
+    none() and
     exists(StrConst str | term.getRootTerm() = getParsedRegExp(str) and shouldPrint(str, _))
   }
```
 2022-02-03 14:22:14 +01:00
Arthur Baars
6525035f0a Address comments 2022-02-03 13:47:03 +01:00
Erik Krogh Kristensen
e93c46ad31 Merge pull request #7811 from erik-krogh/pyApiIpa 
Python: refactor API-graph labels to an IPA type
 2022-02-03 12:31:39 +01:00
Mathias Vorreiter Pedersen
58993e2dc6 C++: Fix re-evaluation by importing GVN. 2022-02-03 11:16:14 +00:00
Jeroen Ketema
0b9b6d7b98 Address review comments 2022-02-03 12:09:18 +01:00
Erik Krogh Kristensen
5284bbb6b3 Merge pull request #7821 from erik-krogh/upload-sarif 
QL: upload sarif as part of the QL-for-QL workflow
 2022-02-03 12:05:51 +01:00
Jeroen Ketema
4d03082f16 Ensure that O_CREAT and O_TMPFILE are unique 2022-02-03 11:24:20 +01:00
Henry Mercer
224d7a7ce0 Merge pull request #7801 from github/henrymercer/js-atm-migrate-tests 
JS: Migrate CodeQL tests for ML-powered queries
 2022-02-03 10:17:19 +00:00
Ian Wright
dca03d7b5d reinstate the AST node limit to minimize change to feature values 2022-02-03 09:45:35 +00:00
Ian Wright
d5ab119039 actually count the number of chars 2022-02-03 09:41:51 +00:00
Jeroen Ketema
e1ca5dd120 Simplify text in change note 2022-02-03 10:36:30 +01:00
Naman Jain
9809d30f00 file renaming and updated expected file 2022-02-03 09:35:17 +00:00
Naman Jain
adc8bf37fe fixed mistake in examples 2022-02-03 09:29:42 +00:00
Jeroen Ketema
5a2ce225f4 Check that all bits are set when checking for a flag 
The `O_...` macro definitions somtimes set multiple bits, while
the bits individually represent the values of different `O_...`
macros. This lead to false postives on codebases built against
Musl libc, which defines `O_TMPFILE` as `020200000` and
`O_DIRECTORY` as `0200000`.
 2022-02-03 10:29:13 +01:00
Tony Torralba
3c9b332ce0 Merge pull request #7826 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2022-02-03 09:38:53 +01:00
Tom Hvitved
6bb71f051b Merge pull request #7791 from hvitved/dataflow/inline-local-flow-star 
Data flow: Inline `local(Expr|Instruction)?(Flow|Taint)`
 2022-02-03 09:02:43 +01:00
Harry Maclean
c65ca8ff86 Model calls to constantize as code executions 
`constantize` is an ActiveSupport extension to `String` that attempts to
look up a constant with a name matching the receiver.
 2022-02-03 15:22:07 +13:00
github-actions[bot]
2a9f98cce0 Add changed framework coverage reports 2022-02-03 00:10:33 +00:00
Harry Maclean
704b58519f Ruby: Include subclasses in more API calls 
Change the behaviour of `API::getInstance()` and `API::getReturn()` to
include results on subclasses of the current API node.
 2022-02-03 11:35:59 +13:00
Chuan-kai Lin
df91ee6616 Python: adjust downgrade script location and format 2022-02-02 14:23:21 -08:00
Harry Maclean
61cd05cfc5 Ruby: Ensure TRoute and TRouteBlock are private 2022-02-03 10:55:28 +13:00
Harry Maclean
80835a5a19 Ruby: Don't expose abstract class 
Make ActionDispatch::Route into a private class
ActionDispatch::RouteImpl, defining a new class Route which exposes the
necessary public API from RouteImpl.

Also rename getHTTPMethod to getHttpMethod.
 2022-02-03 10:41:30 +13:00
Harry Maclean
a8a7c156d0 via - update tests 2022-02-03 10:40:23 +13:00
Erik Krogh Kristensen
7ef051456a upload sarif as part of the QL-for-QL workflow 2022-02-02 20:32:22 +01:00
Tom Hvitved
7b5699d058 C#: Update CIL attributes test 2022-02-02 19:25:30 +01:00
Tom Hvitved
2fe65128a0 C#: Update CIL type annotations test 2022-02-02 19:25:30 +01:00
Tom Hvitved
c4ad237a5c C#: Update expected test output 2022-02-02 19:25:30 +01:00
Tom Hvitved
516bd9f77f C#: Fix deprecation warnings 2022-02-02 19:25:30 +01:00
Tom Hvitved
09c5212ccc C#: Account for explicit interface implementations in OperatorSymbol 2022-02-02 19:25:30 +01:00
Tom Hvitved
d7eeb1fec8 C#: Use .NET 6 2022-02-02 19:25:30 +01:00
Henry Mercer
2c17437092 JS: Run ML-powered queries tests on all PRs modifying relevant files 2022-02-02 18:11:25 +00:00
Henry Mercer
a586be956e JS: Remove versions from packs we don't intend to publish 2022-02-02 18:10:57 +00:00
Geoffrey White
708da8cd62 C++: Increase the query precision to 'high'. 2022-02-02 18:03:25 +00:00
Arthur Baars
a22868ba27 Merge branch 'main' into ruby-3.1 2022-02-02 19:00:03 +01:00
Geoffrey White
4048ba0a1c C++: Fix false positives around terminal output. 2022-02-02 17:59:28 +00:00
Geoffrey White
39a2ffd438 C++: Fix false positives around 'stdin'. 2022-02-02 17:39:14 +00:00
Robin Neatherway
e3feece94e Merge pull request #680 from github/rneatherway/example-query 
Add an example query for inexhaustive switches
 2022-02-02 17:33:22 +00:00
Arthur Baars
6acf49d4da Merge pull request #7814 from aibaars/fix-ql-alerts 
Ruby: fix all QL-QL alerts
 2022-02-02 18:25:38 +01:00
Jeroen Ketema
aa4651312e Fix naming conflicts in cpp/world-writable-file-creation 2022-02-02 17:36:14 +01:00
Jeroen Ketema
f32500306a Address review comments 2022-02-02 17:24:55 +01:00
Geoffrey White
cc20969bdd C++: Add test cases based on some remaining real world FPs. 2022-02-02 16:15:59 +00:00
Tony Torralba
4f13bf8941 Merge pull request #6492 from atorralba/atorralba/android-cleartext-storage-database 
Java: Create new query Cleartext storage of sensitive information in Android databases
 2022-02-02 16:23:05 +01:00
Tony Torralba
54e8ea56e8 Apply suggestions from code review 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2022-02-02 15:44:26 +01:00
Jeroen Ketema
0773ab37a5 Use matches to check for 0x prefix 2022-02-02 15:26:46 +01:00
Jeroen Ketema
92d9e51d2a Extract the value of O_CREAT and O_TMPFILE from the defining macro 
There are operating systems that define `O_CREAT` with a different
value than Linux, which uses `0x40`. For example, OpenBSD uses `0x0200`.
Hence, we cannot use a hardcoded value.

Also handle `O_TMPFILE` while here.
 2022-02-02 15:16:26 +01:00
Erik Krogh Kristensen
35999a7f8f add support for fs-extra methods in insecure-temporary-file 2022-02-02 15:14:43 +01:00
Mathias Vorreiter Pedersen
1aa32b09be Merge pull request #7802 from geoffw0/clrtxt8 
C++: Recognize password struct fields.
 2022-02-02 14:10:40 +00:00