Jeroen Ketema
b20961a065
C++: Expose constant expressions as attribute arguments
2022-08-10 21:11:58 +02:00
Jeroen Ketema
553f1c496e
C++: Update DB scheme to allow for constant expression as attribute arguments
2022-08-10 21:11:58 +02:00
Jeroen Ketema
9ae9b89529
C++: Improve accuracy of AttributeArgument.getValueText QLDoc
2022-08-10 21:11:58 +02:00
Jeroen Ketema
0e12c9d8b1
C++: Simplify this suppression for specifiers
2022-08-10 21:11:58 +02:00
Geoffrey White
d16a7754e1
Swift: Take out common code.
2022-08-10 19:04:01 +01:00
Geoffrey White
d7f50eafae
Swift: Minor fixes.
2022-08-10 19:03:52 +01:00
Geoffrey White
11f45cf20c
Swift: Add expectation annotations.
2022-08-10 18:53:45 +01:00
Geoffrey White
c2ee5fe258
Swift: Add inlineExpectations test.
2022-08-10 18:47:46 +01:00
Chris Smowton
cc8e9806c4
Merge pull request #10009 from smowton/smowton/java17-options
...
Java: Adapt tests as required by JDK17 extractor upgrade
2022-08-10 18:46:06 +01:00
Chris Smowton
bf24d7886a
Accept test changes
2022-08-10 18:10:02 +01:00
Chris Smowton
341241cf43
Use SrcFloatingPointLiteral
2022-08-10 17:28:14 +01:00
Mathias Vorreiter Pedersen
56fddd75bb
Merge pull request #10000 from geoffw0/defaulttaint
...
Swift: Taint flow improvements
2022-08-10 16:30:09 +01:00
Alex Ford
7a61f59b1e
Ruby: add change note for new rb/log-injection query
2022-08-10 16:17:55 +01:00
Alex Ford
44c4b9ba5c
Ruby: add rb/log-injection test cases
2022-08-10 16:17:37 +01:00
Alex Ford
00e290e1f1
Ruby: document rb/log-injection
2022-08-10 16:17:18 +01:00
Alex Ford
c31995764b
Ruby: add rb/log-injection query
2022-08-10 16:16:54 +01:00
Geoffrey White
6ffe5fcaed
Swift: Comment some other cases.
2022-08-10 15:46:32 +01:00
Geoffrey White
537caf85f2
Swift: Fix cartesian product.
2022-08-10 15:46:30 +01:00
Geoffrey White
e09e64ee85
Swift: Restrict taint flow through + to strings.
2022-08-10 15:46:28 +01:00
Geoffrey White
f3499e98a4
Swift: Move try, ! to dataflow.
2022-08-10 15:13:04 +01:00
Nora Dimitrijević
cce39fb2ce
Merge pull request #9998 from d10c/use-strcpyfunction-in-bad-strncpy-size
...
Use StrcpyFunction in `cpp/bad-strncpy-size`
This PR:
- Uses the [StrcpyFunction](https://github.com/github/codeql/blob/main/cpp/ql/lib/semmle/code/cpp/models/implementations/Strcpy.qll#L14) class in the [StrncpyFlippedArgs](https://github.com/github/codeql/blob/main/cpp/ql/src/Likely%20Bugs/Memory%20Management/StrncpyFlippedArgs.ql) query instead of an ad-hoc predicate for finding strcpy-like functions.
- Tests this by adding one previously unsupported strcpy-like function (`wcsxfrm_l`) to StrncpyFlippedArgs's test.cpp.
2022-08-10 15:11:20 +02:00
Tamás Vajk
b2c22dacc2
Merge pull request #9769 from tamasvajk/fix/ctor-field-flow
...
C#: Fix dataflow for default constructors
2022-08-10 15:06:25 +02:00
Anders Schack-Mulligen
abad133ab5
Dataflow: Fix identification of source PathNodes in the presence of source-to-source flow.
2022-08-10 15:02:56 +02:00
Michael Nebel
0d83b7cbd0
C#: Add release note.
2022-08-10 14:58:22 +02:00
Anders Schack-Mulligen
cbd6d24b9c
Merge pull request #9963 from intrigus-lgtm/java/model-set-properties
...
Model `java.util.Properties.setProperty`
2022-08-10 14:51:00 +02:00
Michael Nebel
da30436c44
C#: Update flow summaries test case with new summaries.
2022-08-10 14:49:20 +02:00
Michael Nebel
c3adb990a3
C#: Update SQL Injection with testcase with found vulnerability.
2022-08-10 14:49:20 +02:00
Michael Nebel
36a713510c
C#: Add summary models for the FileStream constructor.
2022-08-10 14:49:20 +02:00
Michael Nebel
504160fee4
C#: Update expected file for Sql injection and Second Order sql injection (note that this is already a second order sql injection).
2022-08-10 14:49:20 +02:00
Michael Nebel
5c47ae3f98
C#: Add testcase for unsanitized filename used in Filestream.
2022-08-10 14:49:20 +02:00
Michael Nebel
1355931b50
C#: Update SecondOrder SQL Injection test case expected output with vulnerability from test case.
2022-08-10 14:49:19 +02:00
Michael Nebel
ced9ee5f5d
C#: Update FlowSummaries test expected output after addition of new summaries.
2022-08-10 14:49:19 +02:00
Anders Schack-Mulligen
ecc15a1f95
Java: Remove SensitiveLoggingQuery results that flow through a source.
2022-08-10 14:28:07 +02:00
Michael Nebel
736ae4f7d6
C#: Update FlowSummaries expected output.
2022-08-10 14:23:54 +02:00
Michael Nebel
5659db73d3
C#: Update all manually written summaries for constructors to use Argument[Qualifier] instead of ReturnValue.
2022-08-10 14:17:16 +02:00
Nora Dimitrijević
60f4049388
Re-autoformat StrncpyFlippedArgs.ql
2022-08-10 14:14:42 +02:00
Chris Smowton
2abd1f77f4
Go: implement conservative cross-thread dataflow
...
Steps into captured variables are moved into jumpStep where they always should have been, and the store/load step implementation for channels is completed.
For the time being this takes a very conservative approach to identify channels that are likely connected: if there is exactly one receive site and one send site for a field, the two are presumed connected.
2022-08-10 12:44:12 +01:00
Nora Dimitrijević
05f4f98aa0
Add change note
2022-08-10 13:42:21 +02:00
Nora Dimitrijević
8e60a4a478
Update StrncpyFlippedArgs.expected
...
Add output lines for the newly implemented test case, test.cpp/test9().
2022-08-10 13:42:21 +02:00
Nora Dimitrijević
df419003ad
Use Strcpy.qll in StrncpyFlippedArgs.ql
...
As a result, the query gets access to more types of strncpy-like functions, as demonstrated by test.cpp, which now "fails" (i.e. works) for the new test cases introduced in the previous commit.
2022-08-10 13:42:21 +02:00
Nora Dimitrijević
554aea1bb8
New strcpy-variant in StrncpyFlippedArgs test
...
Added wcsxfrm_l, which is not currently caught by the query, meaning that in this case a successful test implies missing functionality.
2022-08-10 13:42:21 +02:00
Chris Smowton
8c32758ae5
Merge pull request #9829 from smowton/smowton/fix/kotlin-underscore-parameter-names
...
Kotlin: Don't extract a name for a '_' parameter
2022-08-10 12:28:26 +01:00
Tom Hvitved
2bb9e4859f
C#: Handle dotnet exec csc.dll and the likes in the Lua tracer
2022-08-10 12:52:18 +02:00
Rasmus Wriedt Larsen
40d25cb34c
Merge pull request #9849 from tausbn/python-fix-bad-essa-getInput-join
...
Python: Fix bad join in ESSA `getInput`
2022-08-10 11:45:23 +02:00
Chris Smowton
09e4c6b66b
Add dataflow path-graph
2022-08-10 10:37:55 +01:00
Chris Smowton
2ca0b0c6b5
Inline qhelp overview
...
A <p> at the top isn't allowed, and for some reason the inclusion is required to be a valid qhelp file.
2022-08-10 10:37:48 +01:00
Michael Nebel
f1cc7bb60c
C#: Consider FileStreams StoredFlowSources and propagate taint via StreamReader.
2022-08-10 11:08:27 +02:00
Michael Nebel
2b51e03223
C#: Add SecondOrder SQL injection example, where reading from a file.
2022-08-10 11:08:27 +02:00
Michael Nebel
1e7e49a528
C#: Add relevant stubs.
2022-08-10 11:08:27 +02:00
Michael Nebel
344770f06a
C#: Update Sqlinjection test query output with new results.
2022-08-10 11:08:27 +02:00