Commit Graph

47078 Commits

Author SHA1 Message Date
Alex Ford
2a7d8bbc0a Apply suggestions from code review
Co-authored-by: Tom Hvitved <hvitved@github.com>
2021-06-24 19:43:35 +01:00
Arthur Baars
d4666ab099 Merge pull request #222 from github/aibaars/file-filters
Add support for LGTM_INDEX_FILTERS environment variable
2021-06-24 20:09:08 +02:00
Arthur Baars
e3b4e0a9a3 Add missing use statement 2021-06-24 20:00:41 +02:00
Arthur Baars
f92989350a Update autobuilder/src/main.rs
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
2021-06-24 19:50:32 +02:00
Nick Rolfe
9ec503a3a5 Merge remote-tracking branch 'origin/main' into regex 2021-06-24 18:16:13 +01:00
Alex Ford
a45366e426 remove unnecessary ExprNodes prefix 2021-06-24 18:12:26 +01:00
Alex Ford
b27891b14e update ActiveRecord test output 2021-06-24 18:12:26 +01:00
Alex Ford
1f5a5181b9 StringInterpolationComponentCfgNode extends ExprNodes::StmtSequenceCfgNode 2021-06-24 18:12:26 +01:00
Alex Ford
a4a8f17a54 Update ql/src/codeql_ruby/dataflow/BarrierGuards.qll
Co-authored-by: Tom Hvitved <hvitved@github.com>
2021-06-24 18:12:26 +01:00
Alex Ford
9883a9b606 update SqlInjection tests 2021-06-24 18:12:26 +01:00
Alex Ford
d62f4f5bd4 Address review comments 2021-06-24 18:12:26 +01:00
Alex Ford
bc5a1b86ff Fix handling of arrays passed to ActiveRecord SQL methods 2021-06-24 18:12:26 +01:00
Alex Ford
fc8db88b66 Apply suggestions from code review
Co-authored-by: Tom Hvitved <hvitved@github.com>
2021-06-24 18:12:25 +01:00
Alex Ford
7415503772 update ActiveRecord test output 2021-06-24 18:12:25 +01:00
Alex Ford
12e4c9ee90 update SqlInjection tests 2021-06-24 18:12:25 +01:00
Alex Ford
734fe01867 Support named :conditions parameter to some SQL executing ActiveRecord calls 2021-06-24 18:12:25 +01:00
Alex Ford
91bde8d85d Support ActiveRecord SQL executing calls where there is a self receiver (implicit or explicit) 2021-06-24 18:12:25 +01:00
Alex Ford
5386c776b3 Implement rb/sql-injection 2021-06-24 18:12:25 +01:00
Alex Ford
957b29b5af Add more defaultAdditionalTaintSteps 2021-06-24 18:12:25 +01:00
Alex Ford
6e5665da8c Make ActiveRecord model flag more potentially dangerous SQL executions 2021-06-24 18:12:25 +01:00
Alex Ford
8761873cd1 Implement two common barrier guards 2021-06-24 18:12:25 +01:00
Alex Ford
98313d0a56 Convenience classes for wrapping some Exprs as ExprCfgNodes 2021-06-24 18:12:25 +01:00
Alex Ford
ad1d8420f3 Make BarrierGuard abstract 2021-06-24 18:12:25 +01:00
Alex Ford
adf32e973a Create Frameworks.qll to act as a container for all framework models 2021-06-24 18:12:25 +01:00
Nick Rolfe
17a59ef824 Add basic test for regex parsing 2021-06-24 18:06:08 +01:00
Arthur Baars
f69c5dc19b Merge pull request #221 from github/package-depend-on-compile-queries
make the package job depend on compile-queries
2021-06-24 19:03:44 +02:00
Arthur Baars
22990a938d Add support for LGTM_INDEX_FILTERS environment variable
* re-implement autobuilder script in Rust
* add additional --include/--exclude flags based on LGTM_INDEX_FILTERS
  environment variable
2021-06-24 18:45:31 +02:00
Tom Hvitved
7a9f9e245f C#: Handle CSV data-flow summaries with out/ref parameters 2021-06-24 18:34:25 +02:00
Nick Rolfe
51b0ffdaf8 Fix printAst to support adding edges in AstDesugar test 2021-06-24 17:14:23 +01:00
Nick Rolfe
f7e89f47fd Comment out temporarily-unused predicates 2021-06-24 17:06:41 +01:00
Chris Smowton
2acb4de2cb Merge pull request #5955 from haby0/java/JShellCodeInjection
Java: JShell Injection
2021-06-24 17:03:30 +01:00
Alex Ford
58e9b69ea4 make the package job depend on compile-queries 2021-06-24 16:52:22 +01:00
Rasmus Wriedt Larsen
a9469b73d9 Python: Port py/clear-text-storage-sensitive-data 2021-06-24 17:39:08 +02:00
Rasmus Wriedt Larsen
8926b3edc7 Python: Add change-note for CookieWrite 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
7017beca47 Python: Model CookieWrite for twisted
Had to split the call to `request.cookies.append` since inline
expectation tests didn't like the expectation that contained `=` :(
2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
4606444b85 Python: Model CookieWrite for flask 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
65c526df86 Python: Model CookieWrite for tornado 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
9340d658a4 Python: Model CookieWrite for django 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
930ed0a712 Python: Minor django fixup 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
226425e831 Python: Model CookieWrite for aiohttp 2021-06-24 17:34:43 +02:00
Rasmus Wriedt Larsen
e1af1f11ee Python: Add HTTP::Server::CookieWrite concept
along with tests, but no implementations (to ease reviewing).

---

I've put quite some thinking into what to call our concept for this.

[JS has `CookieDefinition`](581f4ed757/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll (L148-L187)), but I couldn't find a matching concept in any other languages.

We used to call this [`CookieSet`](f07a7bf8cf/python/ql/src/semmle/python/web/Http.qll (L76)) (and had a corresponding `CookieGet`).

But for headers, [Go calls this `HeaderWrite`](cd1e14ed09/ql/src/semmle/go/concepts/HTTP.qll (L97-L131)) and [JS calls this `HeaderDefinition`](581f4ed757/javascript/ql/src/semmle/javascript/frameworks/HTTP.qll (L23-L46))

I think it would be really cool if we have a naming scheme that means the name for getting the value of a header on an incoming request is obvious. I think `HeaderWrite`/`HeaderRead` fulfils this best. We could go with `HeaderSet`/`HeaderGet`, but they feel a bit too vague to me. For me, I'm so used to talking about def-use, that I would immediately go for `HeaderDefinition` and `HeaderUse`, which could work, but is kinda strange.

So in the end that means I went with `CookieWrite`, since that allows using a consistent naming scheme for the future :)
2021-06-24 17:34:43 +02:00
Nick Rolfe
a6dd2fa0a1 Split ReDoS query into .ql and .qll, and add .qhelp 2021-06-24 16:32:45 +01:00
Arthur Baars
7574d1cad7 Merge pull request #220 from github/aibaars/update-build-yml
Update build.yml
2021-06-24 16:38:26 +02:00
Arthur Baars
be1d4c3d2c Address comment 2021-06-24 16:31:24 +02:00
Arthur Baars
ade36691b6 Remove unnecessary qualifier 2021-06-24 16:13:29 +02:00
Arthur Baars
dfc96de4cc Update build.yml 2021-06-24 16:09:45 +02:00
Mathias Vorreiter Pedersen
a294fb07f5 C++: Add change-note. 2021-06-24 16:01:59 +02:00
Arthur Baars
95399b2d0a Refactor ApiGraphs.qll 2021-06-24 15:58:02 +02:00
Arthur Baars
4f96834711 Add ConstantAccessCfgNode 2021-06-24 15:57:48 +02:00
Mathias Vorreiter Pedersen
af56c782bf C++: Add QLDoc. 2021-06-24 15:57:01 +02:00