Chris Smowton
19cd97e426
Java: Clarify the meaning of getRuleExpression/Statement
2022-03-30 17:58:11 +01:00
Ian Lynagh
46c27dd20f
Merge pull request #8514 from github/post-release-prep/codeql-cli-2.8.4
...
Post-release preparation for codeql-cli-2.8.4
2022-03-30 16:36:14 +01:00
Ian Lynagh
e9acb4f8e8
Merge pull request #706 from github/post-release-prep/codeql-cli-2.8.4
...
Post-release preparation for codeql-cli-2.8.4
2022-03-30 16:35:29 +01:00
Nick Rolfe
fa1bb82701
Merge pull request #8610 from github/nickrolfe/re-fix-location-join-order
...
Ruby: undo accidental revert of #8538
2022-03-30 16:31:52 +01:00
Nick Rolfe
10b75bff76
Ruby: undo accidental revert of 13be9919
2022-03-30 16:02:12 +01:00
Chris Smowton
9675f34cf5
Merge pull request #8257 from luchua-bc/java/insecure-webview-resource-response
...
Java: CWE-200 Query to detect insecure WebResourceResponse implementation
2022-03-30 15:56:27 +01:00
haby0
1e6893e230
Update python/ql/src/experimental/semmle/python/security/injection/CsvInjection.qll
...
Co-authored-by: yoff <lerchedahl@gmail.com>
2022-03-30 22:54:30 +08:00
Arthur Baars
031d183bdf
Merge pull request #8532 from aibaars/regex-refactor-2
...
JS/Ruby/Python: rename RegExpTreeView.qll to ReDoSUtilSpecific.qll
2022-03-30 16:38:47 +02:00
Robert Marsh
417b0b5353
C++: accept test changes for updated extractor
2022-03-30 10:23:17 -04:00
Owen Mansel-Chan
79e6f7876b
Merge pull request #710 from owen-mc/delete-consistency
...
Delete unused file DataFlowImplConsistency
2022-03-30 15:15:55 +01:00
Michael Nebel
8238c99199
C#: Only include APIs that have a proper namespace.
2022-03-30 15:22:32 +02:00
Michael Nebel
5c13391580
C#: Add test cases for operators.
2022-03-30 15:09:44 +02:00
Michael Nebel
04960fc0c6
C#: Filter out explicit and implicit conversion operators, when creating summaries.
2022-03-30 15:09:26 +02:00
Michael Nebel
8b08ddf7ad
C#: Use callable's qualified name instead of name, when printing summary like information.
2022-03-30 15:05:57 +02:00
Michael Nebel
4163078ecc
C#: The qualified name of the operator should use the function name instead of the displayed name.
2022-03-30 15:05:03 +02:00
Tom Hvitved
3c50987b9b
Merge pull request #8590 from hvitved/ruby/rc-perf-picks
...
Ruby: Cherry pick performance fixes onto `rc/3.5`
2022-03-30 14:48:33 +02:00
Sebastian Bauersfeld
a3c3a7fe0d
Python: Identify alternative body argument in invocations of Response constructor.
2022-03-30 19:34:54 +07:00
Dave Bartolomeo
70c44734e6
Merge pull request #8445 from dbartol/dbartol/ir-range/semantic-scratch
...
Sign, Modulus, and Range analysis for C++ using sharable semantic layer
2022-03-30 07:08:09 -04:00
haby0
8f2013c32e
Simplify StartsWithCheck
2022-03-30 19:04:03 +08:00
Dave Bartolomeo
e2396a5e03
Remove PrintIR tests for range analysis
...
These were only used for debugging, and don't actually make good tests.
2022-03-30 06:45:28 -04:00
Dave Bartolomeo
19789fa738
Merge remote-tracking branch 'upstream/main' into semantic-scratch
2022-03-30 06:39:14 -04:00
Nick Rolfe
a274af2b16
Merge pull request #7985 from github/nickrolfe/constant_regexp
...
Ruby: separate constant propagation of regexps from strings
2022-03-30 11:37:33 +01:00
Owen Mansel-Chan
8a3a58ca76
Delete unused file DataFlowImplConsistency
2022-03-30 11:03:46 +01:00
ihsinme
b95094235c
Apply suggestions from code review
...
Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
2022-03-30 10:51:38 +03:00
4B5F5F4B
9ab773422a
refactor some code, and add access_ok cases
2022-03-30 12:25:32 +08:00
Harry Maclean
167bda2d4e
Ruby: Add QLDoc for InsecureDependencyQuery.qll
2022-03-30 13:50:12 +13:00
Harry Maclean
d13bbbaf35
Ruby: Add change note for rb/insecure-dependency
2022-03-30 13:39:35 +13:00
Harry Maclean
37cedda63a
Ruby: Add InsecureDependencyResolution query
...
This query looks for places in a Gemfile where URLs with insecure
protocols (HTTP or FTP) are specified.
2022-03-30 13:39:15 +13:00
Marcono1234
a93b4ed0f2
Java: Make JumpStmt a proper superclass
2022-03-30 00:30:27 +02:00
Erik Krogh Kristensen
48ef3b106f
fix mistake in inlining
2022-03-29 23:39:22 +02:00
Erik Krogh Kristensen
090c5c39f6
add explicit this
2022-03-29 22:44:03 +02:00
Erik Krogh Kristensen
cebba05b8b
rename getAClassReferenceStep to getAClassReferenceRec
2022-03-29 22:44:03 +02:00
Erik Krogh Kristensen
be6c122b27
improve the join order of getAClassReference
2022-03-29 22:44:02 +02:00
Erik Krogh Kristensen
979fa2386a
autoformat
2022-03-29 22:38:23 +02:00
Robert Marsh
9442be1a27
Autoformat
2022-03-29 16:23:57 -04:00
Porcupiney Hairs
92033047a5
Python : Add query to detect PAM authorization bypass
...
Using only a call to `pam_authenticate` to check the validity of a login can
lead to authorization bypass vulnerabilities. A `pam_authenticate` only
verifies the credentials of a user. It does not check if a user has an
appropriate authorization to actually log in. This means a user with an
expired login or a password can still access the system.
This PR includes a qhelp describing the issue, a query which detects instances where a call to
`pam_acc_mgmt` does not follow a call to `pam_authenticate` and its
corresponding tests.
This PR has multiple detections. Some of the public ones I can find are:
* [CVE-2022-0860](https://nvd.nist.gov/vuln/detail/CVE-2022-0860) found
in [cobbler/cobbler](https://www.github.com/cobbler/cobbler)
* [fredhutch/motuz](https://www.huntr.dev/bounties/d46f91ca-b8ef-4b67-a79a-2420c4c6d52b/)
2022-03-30 00:47:58 +05:30
Robert Marsh
8d21c8b7c5
Merge pull request #8423 from 4B5F5F4B/main
...
[CPP][Linux Kernel]Add ql to detect CVE-2017-5123
2022-03-29 15:10:15 -04:00
luchua-bc
fa2a6a7da3
Remove unnecessary taint step and update qldoc
2022-03-29 17:52:49 +00:00
Jeroen Ketema
e5ac492b62
Merge pull request #8593 from jketema/pointless-options
...
C++: Remove debugging options from library tests
2022-03-29 17:55:47 +02:00
Jeroen Ketema
d1857a9e37
C++: Remove debugging options from library tests
2022-03-29 17:24:18 +02:00
Geoffrey White
e04298d532
C++: Delete experimental PrivateData.qll.
2022-03-29 15:26:46 +01:00
Asger Feldthaus
8bb58a3222
Merge branch 'js/decorated-method-or-class' of github.com:asgerf/codeql into js/decorated-method-or-class
2022-03-29 16:13:54 +02:00
Asger Feldthaus
75a84378ac
JS: Do not generate def-nodes for decorated parameters
2022-03-29 16:13:45 +02:00
Asger Feldthaus
ca145f21b0
JS: Add test showing why parameter-sinks won't actually work well in JS
2022-03-29 16:06:53 +02:00
Geoffrey White
cf5c6baadd
C++: More test cases for salary.
2022-03-29 15:05:27 +01:00
Asger Feldthaus
3bcfca421f
JS: Add test case for decorated parameter sinks
2022-03-29 15:55:43 +02:00
Geoffrey White
0e3e145e53
C++: Add CWE-359 tag to cpp/cleartext-transmission.
2022-03-29 14:44:06 +01:00
Asger F
6e630cccc2
Apply suggestions from code review
...
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2022-03-29 15:41:20 +02:00
Michael Nebel
db7abb429f
C#: Remove unneeded exists.
2022-03-29 14:59:32 +02:00
Michael Nebel
6be41b0c29
C#/Java: Address review comments.
2022-03-29 14:52:57 +02:00