codeql

mirror of https://github.com/github/codeql.git synced 2026-02-06 02:01:09 +01:00

Author	SHA1	Message	Date
Alex Ford	cfb2d7ffaf	Ruby: add shared SensitiveDataHeuristics.qll	2022-01-28 16:38:58 +00:00
Geoffrey White	af09dd8af1	C++: Fixes to gets models.	2022-01-28 16:04:23 +00:00
Geoffrey White	036e1495b8	Merge branch 'main' into getslocal	2022-01-28 15:58:13 +00:00
Ian Wright	aceeb7324c	restrict AST nodes according to string length	2022-01-28 15:06:10 +00:00
Rasmus Lerchedahl Petersen	68d18ead34	python: add change note	2022-01-28 14:00:07 +01:00
Geoffrey White	a695f02af4	C++: Add change note.	2022-01-28 12:38:27 +00:00
Tom Hvitved	82cceb0a29	C#: Mark event accessors without bodies as compiler generated	2022-01-28 13:11:34 +01:00
Tom Hvitved	682163962a	Data flow: Sync files	2022-01-28 13:01:24 +01:00
Tom Hvitved	4bf07825a1	Data flow: Reduce non-linear recursion in `SummaryComponentStack::bottom` Before: ``` [2022-01-28 09:45:34] (449s) Tuple counts for FlowSummaryImpl::Public::SummaryComponentStack::bottom_dispred#ff/2@i23#25a5eew4 after 432ms: 0 ~0% {2} r1 = SCAN FlowSummaryImpl::Public::SummaryComponentStack::length#ff#prev_delta OUTPUT In.0 'this', (In.1 - 1) 0 ~0% {2} r2 = JOIN r1 WITH FlowSummaryImpl::Public::SummaryComponentStack::drop#fff#prev ON FIRST 2 OUTPUT Rhs.2, Lhs.0 'this' 0 ~0% {2} r3 = JOIN r2 WITH FlowSummaryImpl::Public::SummaryComponentStack::head_dispred#ff#prev ON FIRST 1 OUTPUT Lhs.1 'this', Rhs.1 'result' 4171589 ~5% {2} r4 = SCAN FlowSummaryImpl::Public::SummaryComponentStack::length#ff#prev OUTPUT In.0 'this', (In.1 - 1) 4171589 ~0% {2} r5 = JOIN r4 WITH FlowSummaryImpl::Public::SummaryComponentStack::drop#fff#prev ON FIRST 2 OUTPUT Rhs.2, Lhs.0 'this' 0 ~0% {2} r6 = JOIN r5 WITH FlowSummaryImpl::Public::SummaryComponentStack::head_dispred#ff#prev_delta ON FIRST 1 OUTPUT Lhs.1 'this', Rhs.1 'result' 62238 ~0% {3} r7 = SCAN FlowSummaryImpl::Public::SummaryComponentStack::drop#fff#prev_delta OUTPUT In.2, In.0 'this', In.1 62238 ~8% {3} r8 = JOIN r7 WITH FlowSummaryImpl::Public::SummaryComponentStack::head_dispred#ff#prev ON FIRST 1 OUTPUT Lhs.1 'this', Lhs.2, Rhs.1 'result' 62238 ~5% {5} r9 = JOIN r8 WITH FlowSummaryImpl::Public::SummaryComponentStack::length#ff#prev ON FIRST 1 OUTPUT Lhs.0 'this', Lhs.1, Lhs.2 'result', Rhs.1, (Rhs.1 - 1) 10373 ~6% {5} r10 = SELECT r9 ON In.4 = In.1 10373 ~0% {2} r11 = SCAN r10 OUTPUT In.0 'this', In.2 'result' 10373 ~0% {2} r12 = r6 UNION r11 10373 ~0% {2} r13 = r3 UNION r12 10373 ~0% {2} r14 = r13 AND NOT FlowSummaryImpl::Public::SummaryComponentStack::bottom_dispred#ff#prev(Lhs.0 'this', Lhs.1 'result') return r14 ``` After: ``` [2022-01-28 09:52:48] (6s) Tuple counts for FlowSummaryImpl::Public::SummaryComponentStack::bottom#ff/2@i21#6243afwv after 5ms: 0 ~0% {2} r1 = JOIN FlowSummaryImpl::Public::SummaryComponentStack::bottom#ff#prev_delta WITH FlowSummaryImpl::Private::TConsSummaryComponentStack#fff#reorder_1_0_2#prev ON FIRST 1 OUTPUT Lhs.1 'result', Rhs.2 'this' 10373 ~3% {2} r2 = SCAN FlowSummaryImpl::Private::TConsSummaryComponentStack#fff#prev_delta OUTPUT In.1, In.2 'this' 10373 ~2% {2} r3 = JOIN r2 WITH FlowSummaryImpl::Public::SummaryComponentStack::bottom#ff#prev ON FIRST 1 OUTPUT Rhs.1 'result', Lhs.1 'this' 10373 ~2% {2} r4 = r1 UNION r3 10373 ~2% {2} r5 = r4 AND NOT FlowSummaryImpl::Public::SummaryComponentStack::bottom#ff#prev(Lhs.1 'this', Lhs.0 'result') 10373 ~0% {2} r6 = SCAN r5 OUTPUT In.1 'this', In.0 'result' return r6 ```	2022-01-28 13:00:04 +01:00
Geoffrey White	b73dc98191	C++: Exclude write to stdout etc.	2022-01-28 11:57:31 +00:00
Tom Hvitved	864b61a804	Merge pull request #7766 from hvitved/csharp/extractor/type-param-constraints C#: Make `TypeParameterConstraints` a `CachedEntity`	2022-01-28 12:39:31 +01:00
Tom Hvitved	28702dff82	Merge pull request #7779 from hvitved/csharp/initial-downgrade-scheme C#: Add initial downgrade DB scheme for use in tests	2022-01-28 12:38:07 +01:00
Nick Rolfe	8248a942ce	Ruby: enable taint checking for array-flow test	2022-01-28 11:33:59 +00:00
Nick Rolfe	c0e1384f4a	Ruby: move Array/Enumerable flow summaries to their own file	2022-01-28 11:33:59 +00:00
Nick Rolfe	6c0eb8beee	Ruby: update array flow summaries to use getConstantValue()	2022-01-28 11:33:59 +00:00
Nick Rolfe	693ff6a904	Ruby: add flow summaries for remaining Array methods	2022-01-28 11:33:59 +00:00
Nick Rolfe	030cfa36da	Ruby: add flow summaries for all remaining Enumerable methods	2022-01-28 11:33:59 +00:00
Erik Krogh Kristensen	7b925604df	update expected output	2022-01-28 12:21:33 +01:00
Rasmus Wriedt Larsen	3e71d7f9bb	Python: Add note about `/` for Django upload_to I did a test locally, something like import requests req = requests.Request( "POST", "http://127.0.0.1:8000/app/upload-test/", data={"name": "foo"}, files={"upload" : ("wat/haha\|!#$%^&", open("foo.txt", "rb"))}, ) # print(req.prepare().body.decode('ascii')) requests.session().send(req.prepare()) and the `wat/` part was stripped from the filename	2022-01-28 12:17:46 +01:00
Nick Rolfe	588e60e230	Merge pull request #7775 from github/nickrolfe/graph_test_ordering Ruby/C#: more stable graph test ordering	2022-01-28 11:16:02 +00:00
Erik Krogh Kristensen	7aa59ca233	Merge pull request #7633 from erik-krogh/CWE-300 JS: add js/http-dependency query	2022-01-28 12:10:14 +01:00
Taus	47a57e0c0a	Merge pull request #7635 from github/python/support-match Python/support match	2022-01-28 11:55:46 +01:00
yoff	74d57bbb1a	Update python/ql/lib/semmle/python/dataflow/new/internal/DataFlowPrivate.qll Co-authored-by: Taus <tausbn@github.com>	2022-01-28 11:38:29 +01:00
Rasmus Wriedt Larsen	f962d8e72c	Python: Move test to correct location	2022-01-28 11:33:21 +01:00
Arthur Baars	cada7ef1a4	Ruby: add downgrade scripts to prepare-db-upgrade.sh	2022-01-28 11:07:56 +01:00
Rasmus Lerchedahl Petersen	ab43f041c3	python: rename files	2022-01-28 11:00:17 +01:00
Erik Krogh Kristensen	b5198bdaca	apply suggestions from doc review Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>	2022-01-28 10:46:27 +01:00
Erik Krogh Kristensen	bf9bcc9600	add a js/file-system-race query	2022-01-28 09:41:12 +01:00
Erik Krogh Kristensen	179c26da9a	apply suggestions from review	2022-01-28 09:37:46 +01:00
Tony Torralba	f3e034b2be	Merge pull request #7764 from github/workflow/coverage/update Update CSV framework coverage reports	2022-01-28 09:35:54 +01:00
Harry Maclean	0428b8ee20	Split Ruby CI into multiple parallel jobs Run format, compile and db upgrade checks in parallel, along with the main tests, which run in two parallel halves.	2022-01-28 21:23:34 +13:00
Rasmus Lerchedahl Petersen	4c3c4deb34	python: Move over query and tests	2022-01-28 09:19:11 +01:00
Esben Sparre Andreasen	ee52774e90	Merge pull request #7760 from erik-krogh/CWE-184 JS: add CWE-184 to incomplete-scheme-check and bad-tag-filter	2022-01-28 09:18:41 +01:00
Tom Hvitved	ee5495ce65	C#: Add initial downgrade DB scheme for use in tests	2022-01-28 09:05:42 +01:00
Rasmus Lerchedahl Petersen	a026120c52	Python: Move configuration over and refine it The original configuration did not match sinks with sanitizers. Here it is resolved using flow state, it could also be done by using two configurations.	2022-01-28 09:00:40 +01:00
Rasmus Lerchedahl Petersen	d539920661	Python: Update list of frameworks	2022-01-28 08:58:30 +01:00
Harry Maclean	b01f81aab3	Use modified `getAPath` predicate for test	2022-01-28 19:45:52 +13:00
Harry Maclean	a1b0f02e6e	Ruby: Introduce API::getAnImmediateSubclass() class A; end class B < A; end class C < B; end In the example above, `getMember("A").getAnImmediateSubclass()` will select only uses of B, whereas `getMember("A").getASubclass()` will select uses of A, B and C. This is usually the behaviour you want.	2022-01-28 16:44:03 +13:00
github-actions[bot]	c6130ea2d4	Add changed framework coverage reports	2022-01-28 00:11:49 +00:00
Andrew Eisenberg	28461f57ef	Merge pull request #675 from github/aeisenberg/examples-groups Add new groups for examples packs	2022-01-27 09:26:15 -08:00
Dave Bartolomeo	cca74e925f	Merge pull request #7724 from github/aeisenberg/examples-groups Add new groups for examples packs	2022-01-27 12:11:26 -05:00
Rasmus Wriedt Larsen	4338c06b0d	Python: Support Django FileField.upload_to	2022-01-27 17:20:16 +01:00
Rasmus Lerchedahl Petersen	c60df7d69c	Merge branch 'main' of github.com:github/codeql into python/support-match	2022-01-27 16:45:17 +01:00
yoff	4632c14280	Merge pull request #7654 from RasmusWL/remove-old-pointsto-queries Python: Cleanup: Remove old points-to versions of queries	2022-01-27 16:39:01 +01:00
Nick Rolfe	cd5010fe11	C#: sync changes from Ruby to improve ordering of graph test output	2022-01-27 15:34:01 +00:00
Tom Hvitved	b7fb9e8b95	Merge pull request #7768 from hvitved/csharp/extractor-diagnostics-query C#: Add internal extractor diagnostics query	2022-01-27 16:33:32 +01:00
Chris Smowton	17656fc12b	Merge pull request #7771 from Dig2/main Fix typo in CodeQL-query-help-for-JavaScript	2022-01-27 15:03:35 +00:00
Mathias Vorreiter Pedersen	b3f4357dc8	Merge pull request #7742 from geoffw0/clrtxt6 C++: Upgrade cpp/cleartext-storage-buffer	2022-01-27 14:40:40 +00:00
Rasmus Lerchedahl Petersen	b93c04bb79	python: Add reverse flow in some patterns Particularly in value and literal patterns. This is getting a little bit into the guards aspect of matching. We could similarly add reverse flow in terms of sub-patterns storing to a sequence pattern, a flow step from alternatives to an-or-pattern, etc.. It does not seem too likely that sources are embedded in patterns to begin with, but for secrets perhaps? It is illustrated by the literal test. The value test still fails. I believe we miss flow in general from the static attribute.	2022-01-27 15:20:23 +01:00
Tom Hvitved	cdfe239016	C#: Guard against `AssociatedSymbol` not being an `IEventSymbol` Apply same logic as for property/indexer accessors to account for cases where the associated event cannot be determined. I have not been able to reproduce such cases locally, though we have seen reports of it happening.	2022-01-27 15:14:03 +01:00

... 142 143 144 145 146 ...

41812 Commits