thiggy1342
2f1cfa816f
Add annotate arguments as sqli sink
2022-07-07 19:23:06 +00:00
Raul Garcia
f8994d04d6
Clean up
2022-07-07 11:49:05 -07:00
REDMOND\brodes
4379aa4398
Adding Initializer in condition as an occurrence of isDef
2022-07-07 10:32:36 -04:00
Raul Garcia
01da877d0e
Moving the new query to experimental. It was added to the wrong folder initially.
2022-07-06 14:07:14 -07:00
Jeroen Ketema
0b471c2007
C++: Improve LossyFunctionResultCast join order
...
Before on wireshark:
```
Tuple counts for #select#ff@eca61bf2:
180100 ~2% {2} r1 = SCAN Type::Type::getUnderlyingType#dispred#f0820431#ff OUTPUT In.1, In.0
84 ~2% {2} r2 = JOIN r1 WITH project#Type::FloatingPointType#class#2e8eb3ef#fffff ON FIRST 1 OUTPUT Lhs.1, Rhs.0
2021 ~0% {2} r3 = JOIN r2 WITH Function::Function::getType#dispred#f0820431#fb_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1
2437 ~0% {2} r4 = JOIN r3 WITH Call::FunctionCall::getTarget#dispred#f0820431#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1, Rhs.1
2150 ~0% {2} r5 = r4 AND NOT LossyFunctionResultCast::whiteListWrapped#377b528a#f(Lhs.1)
2150 ~0% {2} r6 = SCAN r5 OUTPUT In.1, In.0
313 ~0% {3} r7 = JOIN r6 WITH exprconv ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.0
313 ~0% {3} r8 = JOIN r7 WITH Cast::Conversion#class#1f33e835#b ON FIRST 1 OUTPUT Lhs.0, Lhs.1, Lhs.2
148 ~3% {2} r9 = JOIN r8 WITH Expr::Expr::isCompilerGenerated#f0820431#b ON FIRST 1 OUTPUT Lhs.2, Lhs.1
148 ~1% {3} r10 = JOIN r9 WITH Expr::Expr::getActualType#dispred#f0820431#bf ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.0
21 ~0% {3} r11 = JOIN r10 WITH Type::IntegralType#class#2e8eb3ef#ff ON FIRST 1 OUTPUT Lhs.1, Lhs.2, Lhs.0
21 ~0% {3} r12 = JOIN r11 WITH Element::ElementBase::toString#dispred#f0820431#ff ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Rhs.1
21 ~0% {2} r13 = JOIN r12 WITH Element::ElementBase::toString#dispred#f0820431#ff ON FIRST 1 OUTPUT Lhs.1, ("Return value of type " ++ Lhs.2 ++ " is implicitly converted to " ++ Rhs.1 ++ " here.")
return r13
```
After:
```
Tuple counts for #select#ff@a5a185eg:
20 ~0% {2} r1 = SCAN project#Type::FloatingPointType#class#2e8eb3ef#fffff OUTPUT In.0, In.0
20 ~0% {2} r2 = JOIN r1 WITH project#Type::FloatingPointType#class#2e8eb3ef#fffff ON FIRST 1 OUTPUT Lhs.1, Lhs.0
84 ~2% {2} r3 = JOIN r2 WITH Type::Type::getUnderlyingType#dispred#f0820431#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1
2021 ~0% {2} r4 = JOIN r3 WITH Function::Function::getType#dispred#f0820431#fb_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1
2437 ~0% {2} r5 = JOIN r4 WITH Call::FunctionCall::getTarget#dispred#f0820431#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1, Rhs.1
2150 ~0% {2} r6 = r5 AND NOT LossyFunctionResultCast::whiteListWrapped#377b528a#f(Lhs.1)
2150 ~0% {2} r7 = SCAN r6 OUTPUT In.1, In.0
313 ~0% {3} r8 = JOIN r7 WITH exprconv ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.0
313 ~0% {3} r9 = JOIN r8 WITH Cast::Conversion#class#1f33e835#b ON FIRST 1 OUTPUT Lhs.0, Lhs.1, Lhs.2
148 ~3% {2} r10 = JOIN r9 WITH Expr::Expr::isCompilerGenerated#f0820431#b ON FIRST 1 OUTPUT Lhs.2, Lhs.1
148 ~1% {3} r11 = JOIN r10 WITH Expr::Expr::getActualType#dispred#f0820431#bf ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.0
21 ~0% {3} r12 = JOIN r11 WITH Type::IntegralType#class#2e8eb3ef#ff ON FIRST 1 OUTPUT Lhs.1, Lhs.2, Lhs.0
21 ~0% {3} r13 = JOIN r12 WITH Element::ElementBase::toString#dispred#f0820431#ff ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Rhs.1
21 ~0% {2} r14 = JOIN r13 WITH Element::ElementBase::toString#dispred#f0820431#ff ON FIRST 1 OUTPUT Lhs.1, ("Return value of type " ++ Lhs.2 ++ " is implicitly converted to " ++ Rhs.1 ++ " here.")
return r14
```
2022-07-06 21:53:12 +02:00
Jeroen Ketema
7d6fb7f91a
C++: Rename LossyFunctionResultCast tests to be correctly named
2022-07-06 21:52:13 +02:00
REDMOND\brodes
74ff579dbc
Fixing logic bug with LogicalAndExpr
2022-07-06 15:19:36 -04:00
Raul Garcia
dd1a9a22e3
Update UnsafeUsageOfClientSideEncryptionVersion.qhelp
2022-07-05 13:58:38 -07:00
Raul Garcia
f5c6b45014
Update UnsafeUsageOfClientSideEncryptionVersion.qhelp
2022-07-05 13:58:11 -07:00
Raul Garcia
56060e0610
Update csharp/ql/src/experimental/Security Features/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.qhelp
...
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
2022-07-05 13:57:28 -07:00
ihsinme
8967f57bbc
Update DangerousUseMbtowc.ql
2022-07-04 11:17:12 +03:00
ihsinme
4e28887689
Create test3.cpp
2022-07-04 11:13:07 +03:00
ihsinme
1ce42dcd30
Create test2.cpp
2022-07-04 11:12:34 +03:00
ihsinme
6d800de377
Create test1.cpp
2022-07-04 11:11:49 +03:00
ihsinme
f53adca108
Update DangerousUseMbtowc.ql
2022-07-04 11:10:02 +03:00
Mathias Vorreiter Pedersen
3bacb18315
Merge pull request #9770 from MathiasVP/nomagic-use-in-own-init
...
C++: Add `nomagic` to `VariableAccessInInitializer`
2022-07-02 16:35:45 +01:00
Chris Smowton
4d45a2ca87
Merge pull request #9775 from smowton/smowton/fix/accessors-respect-private-member-exclusion
...
Kotlin: don't extract private setters of external classes
2022-07-02 10:27:06 +01:00
Raul Garcia
e43e5810cf
New queries to detect unsafe client side encryption in Azure Storage
2022-07-01 17:08:35 -07:00
Mathias Vorreiter Pedersen
e98bdbf73f
Merge pull request #9773 from geoffw0/stringlengthconflation4
...
Swift: More improvements to swift/string-length-conflation
2022-07-01 17:46:04 +01:00
Geoffrey White
e38254c05e
Swift: Fix typo.
2022-07-01 17:00:36 +01:00
Shyam Mehta
39f885413f
Change log
2022-07-01 11:34:56 -04:00
Ian Lynagh
1730ec22d9
Kotlin: Extract an ErrorType if we fail to correctly extract a type
2022-07-01 16:33:43 +01:00
smehta23
391dd5b38d
Update java/ql/src/Security/CWE/CWE-023/PartialPathTraversalGood.java
...
Co-authored-by: Jonathan Leitschuh <jonathan.leitschuh@gmail.com>
2022-07-01 10:55:58 -04:00
smehta23
ebe48ec30a
Update java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.qhelp
...
Co-authored-by: Jonathan Leitschuh <jonathan.leitschuh@gmail.com>
2022-07-01 10:53:43 -04:00
smehta23
48e16e52b5
Update java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.qhelp
...
Co-authored-by: Jonathan Leitschuh <jonathan.leitschuh@gmail.com>
2022-07-01 10:52:41 -04:00
Shyam Mehta
1a41d4c379
Add CVE number
2022-07-01 10:51:33 -04:00
Chris Smowton
b499ba5aa8
Kotlin: don't extract private setters of external classes
...
Previously these would get extracted unlike other private methods even if the class was a standard library or other external class. This could cause inconsistencies because if we also compiled the class from source we could end up deciding different names for the property's setter: setXyz$private when seen from source, and setXyz without a
suffix when seen as an external .class file. Avoiding extracting these functions from the external perspective both restores consistency with other kinds of method and avoids these consistency problems.
2022-07-01 15:44:17 +01:00
Shyam Mehta
300a14c35c
Add ESAPI reference
2022-07-01 10:43:59 -04:00
Paolo Tranquilli
c393c9b03e
Revert "Fix change note check to accept changes to itself"
...
This reverts commit 2dca78295d.
2022-07-01 16:41:09 +02:00
smehta23
209a21655a
Update java/ql/src/Security/CWE/CWE-023/PartialPathTraversalGood.java
...
Co-authored-by: Jonathan Leitschuh <jonathan.leitschuh@gmail.com>
2022-07-01 10:40:38 -04:00
smehta23
c6f2f61bfb
Update java/ql/src/Security/CWE/CWE-023/PartialPathTraversalBad.java
...
Co-authored-by: Jonathan Leitschuh <jonathan.leitschuh@gmail.com>
2022-07-01 10:39:46 -04:00
Paolo Tranquilli
2dca78295d
Fix change note check to accept changes to itself
...
The file is not removed from the triggers, as we still want to check
that the workflow file itself is correct.
2022-07-01 16:35:30 +02:00
Paolo Tranquilli
e88cc31468
Swift: disable change note checking for now
2022-07-01 16:16:21 +02:00
Paolo Tranquilli
563d27333a
Merge pull request #9772 from github/redsun82/swift-extraction
...
Swift: extract ImportDecl and ModuleDecl
2022-07-01 16:14:23 +02:00
Geoffrey White
34ffd1aac5
Swift: Support String.Index and flow through * /.
2022-07-01 14:59:50 +01:00
Geoffrey White
d60d2457c2
Swift: Add String.Index.init as a source as well.
2022-07-01 14:59:50 +01:00
Geoffrey White
bc03f6959c
Swift: Detect String -> NSString results.
2022-07-01 14:59:50 +01:00
Geoffrey White
a306f312cd
Swift: Add a test of converting Range to NSRange.
2022-07-01 14:59:50 +01:00
Geoffrey White
416977dc50
Swift: Add test cases for removeFirst, removeLast.
2022-07-01 14:59:50 +01:00
Paolo Tranquilli
8addc06799
Swift: add integration test for multiple modules
2022-07-01 15:59:36 +02:00
Paolo Tranquilli
227dad8bf5
Merge main into redsun82/swift-extraction
2022-07-01 15:56:23 +02:00
Paolo Tranquilli
7a1c3800e6
Merge pull request #9771 from github/redsun82/swift-integration-test-runner
...
Swift: locally run integration tests
2022-07-01 15:54:27 +02:00
Paolo Tranquilli
e575bab9d6
Revert unwanted committed files
2022-07-01 15:45:28 +02:00
Paolo Tranquilli
f9143f7855
Swift: fix extraction of empty files
2022-07-01 15:43:16 +02:00
Chris Smowton
4c6a9772af
Merge pull request #9768 from smowton/smowton/fix/internal-method-name-mangling
...
Kotlin: Mangle names of internal functions to match JVM symbols
2022-07-01 14:33:32 +01:00
Paolo Tranquilli
3a975174c3
Swift: extract ImportDecl and ModuleDecl
...
As `ASTMangler` crashes when called on `ModuleDecl`, we simply use
its name.
This might probably not work reliably in a scenario where multiple
modules are compiled with the same name (like `main`), but this is left
for future work. At the moment this cannot create DB inconsistencies.
2022-07-01 15:29:30 +02:00
Paolo Tranquilli
7a7440a115
Swift: move createEntry to SwiftDispatcher
2022-07-01 15:22:44 +02:00
Paolo Tranquilli
24da81fdb0
Swift: disable integration tests on macOS for now
...
Also, add swift workflow to code owned by the C team
2022-07-01 15:00:05 +02:00
Paolo Tranquilli
901e066355
Swift: locally run integration tests
...
Minimal recreations of internal `integration-tests-runner.py` and
`create_database_utils.py` are provided to be able to run the
integration tests on the codeql repository with a released codeql CLI.
For the moment we skip the database checks by default, as we are still
producing inconsistent results.
2022-07-01 15:00:05 +02:00
CodeQL CI
5b5a52fa25
Merge pull request #9551 from yoff/python/port-tarslip
...
Approved by RasmusWL
2022-07-01 12:58:25 +01:00