Mathias Vorreiter Pedersen
f499f8e946
Merge pull request #9029 from redsun82/swift-codeowners
...
Swift: set @github/codeql-c as owner
2022-05-04 11:34:51 +01:00
Tony Torralba
2d3b15f936
Add more taint models
2022-05-04 12:32:59 +02:00
Michael Nebel
5f1a176a02
Java: Sync CaptureModels implementation to only allow at most two reads and two stores.
2022-05-04 12:29:57 +02:00
Michael Nebel
a488d6b80c
C#: Add an initial flow state to the model generator.
2022-05-04 12:27:34 +02:00
Tony Torralba
8601137602
Fix bad join order by moving WebViewRef::getAnAccess from callsites into predicates
2022-05-04 11:58:47 +02:00
Owen Mansel-Chan
570d3f47c4
Use os.Stat instead of os.File.Stat
2022-05-04 10:11:53 +01:00
Erik Krogh Kristensen
4b9c9b0c8d
move most of asyncpg test into SqlInjection after moving MaD sql-injection sink
2022-05-04 10:59:02 +02:00
Erik Krogh Kristensen
a812d4dd34
move the MaD sql-injection sink to SqlInjectionCustomizations.qll
2022-05-04 10:59:02 +02:00
Erik Krogh Kristensen
571fc3e73b
Revert "deprecate SqlConstruction"
...
This reverts commit c0eca0d09a
2022-05-04 10:59:02 +02:00
Erik Krogh Kristensen
1062aae21c
add test that the foo.bar package syntax works
2022-05-04 10:58:59 +02:00
Tony Torralba
3b1210eacb
Update java/ql/lib/semmle/code/java/security/UnsafeAndroidAccess.qll
...
Co-authored-by: Chris Smowton <smowton@github.com >
2022-05-04 10:53:31 +02:00
Tony Torralba
192017635a
Update java/ql/src/change-notes/2022-03-24-unsafe-android-access-improvements.md
...
Co-authored-by: Chris Smowton <smowton@github.com >
2022-05-04 10:53:31 +02:00
Tony Torralba
49259a6575
Remove everything related to WebView CSV models
...
This reverts commit c6c72eb.
2022-05-04 10:53:31 +02:00
Tony Torralba
dce11f3984
Removed unnecessary imports
2022-05-04 10:53:30 +02:00
Tony Torralba
f5e72e6e33
Remove getUnderlyingExpr
2022-05-04 10:53:30 +02:00
Tony Torralba
7ba5a032ce
Add tests and stubs for the new sources and flow steps
2022-05-04 10:53:30 +02:00
Tony Torralba
b678467e9d
Move things around
2022-05-04 10:53:30 +02:00
Tony Torralba
d68311e26d
Consider implicit this accesses in WebViewRef
2022-05-04 10:53:30 +02:00
Tony Torralba
51dfebf4c9
Apply suggestions from code review
...
Co-authored-by: Chris Smowton <smowton@github.com >
2022-05-04 10:53:29 +02:00
Tony Torralba
b9859fe165
Add change note
2022-05-04 10:53:29 +02:00
Tony Torralba
91bdb4299f
Improvements to UnsafeAndroidAccess
2022-05-04 10:53:29 +02:00
Tony Torralba
b876431950
Merge pull request #8706 from luchua-bc/java/unsafe-get-resource
...
Java: CWE-552 Add sources and sinks to to detect unsafe getResource calls in Java EE applications
2022-05-04 10:12:28 +02:00
Tom Hvitved
74e99302d6
Address review comments
2022-05-04 09:57:59 +02:00
Tom Hvitved
ac3bfa1788
Data flow: Mention expectsContent in dataflow.md
2022-05-04 09:57:59 +02:00
Tom Hvitved
da72ba46d4
Data flow: Add stub expectsContent for all languages
2022-05-04 09:57:59 +02:00
Tom Hvitved
6e2e8440eb
Data flow: Sync files
2022-05-04 09:57:59 +02:00
Tom Hvitved
a50f18ab50
Data flow: Introduce expectsContent
2022-05-04 09:57:58 +02:00
bananabr
2e2d4c6e1f
updated tests to consider document.getSelection()
2022-05-03 21:03:35 -05:00
Erik Krogh Kristensen
ead978187d
adjust the source-type for remote-flow from MaD
2022-05-03 22:53:41 +02:00
Robert Marsh
de68107a0e
C++: restrict global variable IR generation
2022-05-03 16:50:53 -04:00
Erik Krogh Kristensen
8ffc05c84b
count both named and positional arguments in the WithArity filter
2022-05-03 21:21:57 +02:00
Daniel Santos
880e3e1885
Update javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
...
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com >
2022-05-03 11:38:32 -05:00
Daniel Santos
4cd6dcc4d0
Update javascript/ql/lib/change-notes/2022-04-30-xss-selection-source.md
...
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com >
2022-05-03 11:37:45 -05:00
Daniel Santos
d52980573a
Update javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
...
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com >
2022-05-03 11:37:26 -05:00
Paolo Tranquilli
b7cdc4ae1f
Swift: set @github/codeql-c as owner
2022-05-03 17:41:23 +02:00
Geoffrey White
5aa862acfd
C++: Fixup after merge.
2022-05-03 16:12:42 +01:00
Geoffrey White
fd5b4dfff2
Merge branch 'main' into xxe4
2022-05-03 16:08:54 +01:00
Mathias Vorreiter Pedersen
b8fd07c0ac
Merge pull request #9018 from geoffw0/xxe5
...
C++: Support libxml2 in the XXE query
2022-05-03 16:00:52 +01:00
Michael Nebel
b8ec2254e8
C#: Update unit tests (looks like new NFloat operator has been introduced).
2022-05-03 16:36:32 +02:00
Michael Nebel
94b046c554
C#: Upgrade dotnet to 6.0.202.
2022-05-03 16:36:32 +02:00
Joe Farebrother
f65f833b11
Merge pull request #9020 from joefarebrother/predictable-seed
...
Java: Add CWE-377 tag to java/predictable-seed
2022-05-03 15:13:58 +01:00
Tony Torralba
02822c6284
Merge pull request #9013 from atorralba/atorralba/private-externalflow-imports
...
Java: Make more ExternalFlow imports private
2022-05-03 16:02:09 +02:00
Owen Mansel-Chan
22ccbbaae8
Run go mod tidy -e if go.mod exists
2022-05-03 14:57:13 +01:00
Tony Torralba
cf55f180c4
Add change note
2022-05-03 15:46:17 +02:00
Tony Torralba
7b3a803d19
Add flow step from startActivity to getIntent
2022-05-03 15:46:17 +02:00
Tony Torralba
9c92454fa7
Merge pull request #8872 from atorralba/atorralba/android-widget-flowstep
...
Java: Add Editable.toString flow step
2022-05-03 15:27:52 +02:00
Joe Farebrother
61f13817cf
Add change note
2022-05-03 14:27:47 +01:00
Geoffrey White
d5be11bf14
C++: Address review comments.
2022-05-03 14:08:19 +01:00
Rasmus Wriedt Larsen
a7b43f7356
Ruby: Accept changes to TypeTracker tests
...
Since this is not using inline-expectation-tests, I'm not entirely sure
whether these changes are OK or not, so hope to get someone else to
signoff on that.
2022-05-03 14:59:06 +02:00
Rasmus Wriedt Larsen
6cacf7b9a6
Ruby: isLocalSourceNode needs SynthReturnNode
2022-05-03 14:43:57 +02:00
