hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-01 07:42:57 +01:00
Code Issues Packages Projects Releases Wiki Activity
42,524 Commits 1,684 Branches 159 Tags
codeql-cli/v2.10.5
Commit Graph

42524 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Arthur Baars
7e866ed376 Merge pull request #8617 from cklin/qldoc-coverage-new-language 
QLdoc check: handle new languages gracefully
 2022-03-31 10:00:36 +02:00
Rasmus Wriedt Larsen
1ea4bcc59f Python: Make XMLParsing a Decoding subclass 2022-03-31 09:52:55 +02:00
Rasmus Wriedt Larsen
35ccba2ec1 Python: Promote XMLParsing concept test 2022-03-31 09:52:55 +02:00
Rasmus Wriedt Larsen
e45288e812 Python: => XMLParsingVulnerabilityKind 
Since there are other XML vulnerabilities that are not about parsing,
this is more correct.
 2022-03-31 09:52:55 +02:00
Rasmus Wriedt Larsen
e005a5c0ab Python: Promote XMLParsing concept 2022-03-31 09:52:55 +02:00
Rasmus Wriedt Larsen
9caf4be21b Python: Add PortSwigger link to Xxe.qhelp 
I found this resource quite good myself at least :)
 2022-03-31 09:52:55 +02:00
Rasmus Wriedt Larsen
56b9c891d8 Python: Adjust XmlBomb.qhelp from JS 2022-03-31 09:52:55 +02:00
Rasmus Wriedt Larsen
b00766b054 Python: Adjust XXE qhelp 
and remove the old copy, we don't need it anymore :)
 2022-03-31 09:52:55 +02:00
Rasmus Wriedt Larsen
c365337867 Python: Delete XmlEntityInjection.ql 
Kept the test of SimpleXmlRpcServer, and kept the qhelp so it can be
used to write the new qhelp files
 2022-03-31 09:52:55 +02:00
Rasmus Wriedt Larsen
769f5691d0 Python: Add taint for StringIO and BytesIO 2022-03-31 09:52:54 +02:00
Rasmus Wriedt Larsen
57b9780428 Python: XXE: Add example of exfiltrating data through dtd-retrival 2022-03-31 09:52:54 +02:00
Rasmus Wriedt Larsen
a1d88e39a7 Python: Adjust XXE PoC for newer lxml versions 
Which doesn't raise that syntax error (at least not on my laptop)
 2022-03-31 09:52:54 +02:00
Rasmus Wriedt Larsen
91795b8577 Python: Add simple test of Xxe/XmlBomb 
Note that most of the testing happens in the framework specific tests,
with an inline-expectation test
 2022-03-31 09:52:54 +02:00
Rasmus Wriedt Larsen
e45f9d69cc Python: Adjust Xxe/XmlBomb for Python 
I changed a few QLdocs so they fit the style we have used in Python...
although I surely do regret having introduced a new style for how these
QLDocs look :D
 2022-03-31 09:52:54 +02:00
Rasmus Wriedt Larsen
65907c9762 Python: Copy Xxe/XmlBomb queries from JS 
After internal discussion, these will replace the `XmlEntityInjection`
query, so we can have separate severities on DoS and the other (more
serious) attacks.

Note: These clearly don't work, since they are verbatim copies of the JS
code, but I split it into multiple commits to clearly highlight what
changes were made.
 2022-03-31 09:52:54 +02:00
Erik Krogh Kristensen
67e1ffdd3e fix isKnownStepSrc such that it actually includes taint/dataflow-steps 2022-03-31 09:46:01 +02:00
Erik Krogh Kristensen
e038baed36 add .gitignore ignoring test dbs 2022-03-31 09:45:28 +02:00
Chuan-kai Lin
1ff0fda5d1 QLdoc check: handle new languages gracefully 2022-03-30 14:58:13 -07:00
Erik Krogh Kristensen
1218c4f4ed fix ql/name-casing, and drive-by QL-for-QL typo fix 2022-03-30 22:59:14 +02:00
Erik Krogh Kristensen
1847a5713b remove TODO 2022-03-30 22:54:01 +02:00
Erik Krogh Kristensen
7ca6426ea5 revert the Taint stage, as it caused an alert for ql/abstract-class-import 2022-03-30 22:54:01 +02:00
Erik Krogh Kristensen
7e4ab4c60b Revert "import all the frameworks that extend RegexString" 
This reverts commit 84bc9042de4e876685f8f5ffdd88893383d1cfdc.

It caused ql/abstract-class-import alerts
 2022-03-30 22:54:01 +02:00
Erik Krogh Kristensen
3b9335c051 nomagic on containsInScope 2022-03-30 22:54:01 +02:00
Erik Krogh Kristensen
5caff81ff9 import all the frameworks that extend RegexString 2022-03-30 22:54:01 +02:00
Erik Krogh Kristensen
b959705531 revert changes in MRO.qll 2022-03-30 22:54:01 +02:00
Erik Krogh Kristensen
b74852ffd6 cache a bit more (again) 2022-03-30 22:54:01 +02:00
Erik Krogh Kristensen
d9ced55e2c make private predicates private 2022-03-30 22:54:01 +02:00
Erik Krogh Kristensen
040196f40d cache more basicblock predicates 2022-03-30 22:54:01 +02:00
Erik Krogh Kristensen
79713e0ef8 a bit more caching 2022-03-30 22:54:00 +02:00
Erik Krogh Kristensen
7643aac207 revert bad nomagic 2022-03-30 22:54:00 +02:00
Erik Krogh Kristensen
35c7fa58a7 joiner order fixes 2022-03-30 22:54:00 +02:00
Erik Krogh Kristensen
88e896992e cache the remainder of the pointsto layer 2022-03-30 22:54:00 +02:00
Erik Krogh Kristensen
79da0970cc various join order fixes 2022-03-30 22:54:00 +02:00
Erik Krogh Kristensen
3e9ee887d4 fix bad mistake 2022-03-30 22:54:00 +02:00
Erik Krogh Kristensen
758a5d7a85 few join order fixes 2022-03-30 22:54:00 +02:00
Erik Krogh Kristensen
6eca4ba2d3 get around identical files by adding the ref() call somewhere else 2022-03-30 22:54:00 +02:00
Erik Krogh Kristensen
4089788629 revert caching of some large predicates that caused the DB size to increase too much 2022-03-30 22:54:00 +02:00
Erik Krogh Kristensen
0da80f90d3 rename the SSA stages to AST 2022-03-30 22:54:00 +02:00
Erik Krogh Kristensen
c9e3a62953 cached stages iteration 5 2022-03-30 22:54:00 +02:00
Erik Krogh Kristensen
a8f9a91e38 cached stages iteration 4 2022-03-30 22:54:00 +02:00
Erik Krogh Kristensen
f68357a063 cached stages iteration 3.5 2022-03-30 22:54:00 +02:00
Erik Krogh Kristensen
37a9b41e26 cached stages iteration 3 2022-03-30 22:54:00 +02:00
Erik Krogh Kristensen
60b5af215f cached stages iteration 2 2022-03-30 22:53:59 +02:00
Erik Krogh Kristensen
71eacea90b add the cached stages pattern to Python 2022-03-30 22:53:59 +02:00
Chuan-kai Lin
48015e5a2e Merge pull request #8597 from cklin/run-js-ml-tests 
JS: Fix expected test output for ATM queries
 2022-03-30 13:10:02 -07:00
Chuan-kai Lin
a8dabb238d JS: Fix expected test output for ATM queries 2022-03-30 11:35:17 -07:00
Robert Marsh
3ce7c521d1 C++: fix IR global var init for string constants 2022-03-30 14:01:59 -04:00
Robert Marsh
e01799827a C++: add test for string global var inits in IR 2022-03-30 13:38:25 -04:00
Robert Marsh
fb0a848e5a C++: fix inconsistency with global var constructor 2022-03-30 13:32:02 -04:00
Robert Marsh
9d4aac61fd C++: add IR tests for global var with constructor 2022-03-30 13:20:26 -04:00