hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-15 14:33:40 +01:00
Code Issues Packages Projects Releases Wiki Activity
47,078 Commits 1,690 Branches 160 Tags
codeql-cli/v2.11.6
Commit Graph

47078 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Michael Nebel
d70d1fbf81 C#: Add support for the use of synthetic fields in flow summary CSV. 2021-12-09 10:11:48 +01:00
Michael Nebel
a43704ab43 C#: Update dataflow/global tests based on synthetic fields. 2021-12-09 10:11:48 +01:00
Michael Nebel
063398f24d C#: Use synthetic fields for Task instead of referring to private fields. 2021-12-09 10:11:48 +01:00
Michael Nebel
60f3ff8c33 C#: Introduce type for Synthetic fields. 2021-12-09 10:11:48 +01:00
Harry Maclean
8df5aaa797 Ruby: Model private class methods 
`Module#private_class_method` takes a symbol representing the name of a
method in the current module scope and makes that module private. This
is similar to `private`, but applies only to class (singleton) methods.
Unlike `private`, it must be called with an argument, and does not
change the ambient visibility for any subsequent method definitions.

    class Foo
      def public
      end

      def private1
      end
      private_class_method :private1

      # This alternate form works because method definition
      # returns its name as a symbol:

      private_class_method def private2
      end
    end
 2021-12-09 18:15:25 +13:00
Harry Maclean
e811ba1150 Ruby: handle private module methods 
`private` can be used in both classes and modules.
 2021-12-09 18:13:29 +13:00
haby0
8bcbf8e30f rename isMybatisCollectionTypeSqlInjection 2021-12-09 09:16:33 +08:00
Taus
8517eff0f7 Python: Fix bad performance 
A few changes, all bundled together:

- We were getting a lot of magic applied to the predicates in the
  `ImportStar` module, and this was causing needless re-evaluation.
  To address this, the easiest solution was to simply cache the entire
  module.
- In order to separate this from the dataflow analysis and make it
  dependent only on control flow, `potentialImportStarBase` was changed
  to return a `ControlFlowNode`.
- `isDefinedLocally` was defined on control flow nodes, which meant we
  were duplicating a lot of tuples due to control flow splitting, to no
  actual benefit.

Finally, there was a really bad join in `isDefinedLocally` that was
fixed by separating out a helper predicate. This is a case where we
could use a three-way join, since the join between the `Scope`, the
`name` string and the `Name` is big no matter what.

If we join `scope_defines_name` with `n.getId()`, we'll get `Name`s
belonging to irrelevant scopes.

If we join `scope_defines_name` with the enclosing scope of the `Name`
`n`, then we'll get this also for `Name`s that don't share their `getId`
with the local variable defined in the scope.

If we join `n.getId()` with `n.getScope()...` then we'll get all
enclosing scopes for each `Name`.

The last of these is what we currently have. It's not terrible, but not
great either. (Though thankfully it's rare to have lots of enclosing
scopes.)
 2021-12-08 22:53:45 +00:00
Owen Mansel-Chan
b234ba7f26 Fix bad join order in getAFalsifiedGuard 
viableParamArg should be evaluated first.
 2021-12-08 17:33:59 -05:00
Owen Mansel-Chan
06f889fce6 Update tests for no flow through receivers when no function body 
This branch originally included a commit to enable flow through receivers
when there is no function body. This was dropped, to be pursued later.
 2021-12-08 16:03:18 -05:00
Owen Mansel-Chan
88e7c44a6d Update expected test results with extra nodes 2021-12-08 15:28:28 -05:00
Geoffrey White
0031ed39ec C++: Additional test cases. 2021-12-08 17:45:51 +00:00
Tom Hvitved
b49ca6a24c Merge pull request #7335 from hvitved/ruby/dataflow/hide-desugared-nodes 
Ruby: Hide desugared nodes in data-flow paths
 2021-12-08 17:39:48 +01:00
Owen Mansel-Chan
a01f90b903 Give DataFlowCallable a user-facing name (Callable), move to Scopes.qll 
I removed asFunctionNode() because it would need an import, but it
doesn't seem to be used anywhere.
 2021-12-08 11:30:39 -05:00
Owen Mansel-Chan
a6532b988f Allow implicit taint reads through more content types 2021-12-08 11:20:38 -05:00
Owen Mansel-Chan
754c838cc0 Fix accidental cartesian product 
PointerContent needs to have the PointerType specified as well
 2021-12-08 11:20:37 -05:00
Owen Mansel-Chan
d70307243c Fix bad join order in BarrierGuard.guards/2 2021-12-08 11:20:37 -05:00
Owen Mansel-Chan
1a9ea38c0b Update non-shared dataflow files to match sync 2021-12-08 11:20:36 -05:00
Owen Mansel-Chan
095fe6e4a7 Do not allow "Argument" on its own 
# Conflicts:
#	ql/test/library-tests/semmle/go/dataflow/ExternalFlow/srcs.expected
 2021-12-08 11:20:36 -05:00
Sauyon Lee
b2f62b185d Allow for Return[i] specifications 2021-12-08 11:20:36 -05:00
Owen Mansel-Chan
578a31ecd8 Keep call to defaultTaintSanitizerGuard 2021-12-08 11:20:35 -05:00
Owen Mansel-Chan
01bfbde9ae Sync dataflow libraries again 2021-12-08 11:20:35 -05:00
Owen Mansel-Chan
1a299d2e09 Update sync-dataflow-libraries target in Makefile 
The location of the dataflow libraries in codeql-go has changed
and there is a new file to be synced.
 2021-12-08 11:20:34 -05:00
Owen Mansel-Chan
16fdb9aa11 Do not test ReturnValue as input for sink 
The documentation in ExternalFlow.qll does not specify
that "ReturnValue" can be used as the input column.
 2021-12-08 11:20:34 -05:00
Owen Mansel-Chan
63b944a1b4 Another instance of getEnclosingFunction -> getRoot 2021-12-08 11:20:34 -05:00
Chris Smowton
3cf1459c4f Revert getACallee type change 2021-12-08 11:20:33 -05:00
Chris Smowton
6110506e02 Revert "Make getACallee return DataFlowCallable" 
This reverts commit b4742ccdf81bec3f872923da79953c61dea103f6.
 2021-12-08 11:20:33 -05:00
Owen Mansel-Chan
5ec0b09160 Diasble clearing content and add test for it 2021-12-08 11:20:32 -05:00
Owen Mansel-Chan
e940a53cc6 Test models of flow through fields 2021-12-08 11:20:32 -05:00
Owen Mansel-Chan
2d8fd71189 Comment on why summaryDataFlowCall is none() 2021-12-08 11:20:31 -05:00
Owen Mansel-Chan
adf3dc0c61 Move type assertion into declared type 2021-12-08 11:20:31 -05:00
Owen Mansel-Chan
9f763dd044 Move built-in models to ExternalFlow 2021-12-08 11:20:30 -05:00
Owen Mansel-Chan
d717734820 Do not allow "Argument" on its own 2021-12-08 11:20:30 -05:00
Owen Mansel-Chan
d2ca1fb2eb Address review comments #2 2021-12-08 11:20:29 -05:00
Owen Mansel-Chan
12058a2621 Fix containerStoreStep and containerReadStep 2021-12-08 11:20:29 -05:00
Owen Mansel-Chan
ab8096b717 Add tests for more content types (Element, MapKey, MapValue) 2021-12-08 11:20:28 -05:00
Owen Mansel-Chan
b7aa85b054 Address some review comments 2021-12-08 11:20:28 -05:00
Owen Mansel-Chan
f375553933 Add variadic functions test for function models 2021-12-08 11:20:27 -05:00
Owen Mansel-Chan
b75def62fe Add variadic functions test for external flow 2021-12-08 11:20:27 -05:00
Owen Mansel-Chan
d9848fe515 Add more tests for variadic functions 2021-12-08 11:20:27 -05:00
Owen Mansel-Chan
8044fb2519 Add more flow tests for external flow 2021-12-08 11:20:26 -05:00
Owen Mansel-Chan
63d997f820 (Unimportant) Fix module name for vendored stubs 
This doesn't affect the test, but does mean that you can run
`go build` to check the test would build.
 2021-12-08 11:20:26 -05:00
Owen Mansel-Chan
1929a1f7a7 Fix unrelated test in experimental 2021-12-08 11:20:25 -05:00
Owen Mansel-Chan
5e38f48b74 Autoformat 2021-12-08 11:20:25 -05:00
Owen Mansel-Chan
a3df3614a5 Convert completetest to an inline flow test 2021-12-08 11:20:24 -05:00
Owen Mansel-Chan
8f7a34f9cb Fix external flow tests 2021-12-08 11:20:24 -05:00
Owen Mansel-Chan
71bf834765 Fix incorrect assumption 
node2 doesn't have to be a PostUpdateNode
 2021-12-08 11:20:23 -05:00
Sauyon Lee
3379790686 add flow test involving CSV 2021-12-08 11:20:22 -05:00
Sauyon Lee
a632a58221 add CSV models of append 2021-12-08 11:20:22 -05:00
Sauyon Lee
070e383516 allow empty namespaces for Go 2021-12-08 11:20:21 -05:00