hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-24 11:52:56 +01:00
Code Issues Packages Projects Releases Wiki Activity
48,840 Commits 1,686 Branches 158 Tags
codeql-cli/v2.12.0
Commit Graph

48840 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rasmus Lerchedahl Petersen
e3280c8a3e Python: handle TODO 
although this is not actually tested,
so we may have to adjust once we use it.
But the _very_ generic implementation is modeled on the Ruby code.
 2022-09-12 21:03:56 +02:00
intrigus
894a0f1c3b Add string to int sanitizer. 2022-09-12 21:02:18 +02:00
Rasmus Lerchedahl Petersen
78d4dc3123 Python: sync files 2022-09-12 21:01:57 +02:00
Rasmus Lerchedahl Petersen
203481ad3e Python: rearrange to minimize diff 
also fix typo
 2022-09-12 20:07:32 +02:00
Rasmus Lerchedahl Petersen
efc5cfb852 Merge branch 'main' of github.com:github/codeql into python-dataflow/flow-summaries-from-scratch 2022-09-12 19:56:16 +02:00
Arthur Baars
e07e6c9053 Merge pull request #10382 from RasmusWL/ruby-typo-fix 
Ruby: Fix typo in QLDoc
 2022-09-12 19:04:37 +02:00
Tony Torralba
f412f433bf Add thymeleaf steps 2022-09-12 17:52:38 +02:00
Erik Krogh Kristensen
bb3753a682 Merge pull request #10317 from erik-krogh/py-unqueryable 
PY: deprecate a bunch of unused code
 2022-09-12 17:44:59 +02:00
erik-krogh
ceda5f69fc recognize returning an instanceof of a class as exporting that class 2022-09-12 17:31:51 +02:00
Mathias Vorreiter Pedersen
6e4b3c242f Merge pull request #10377 from geoffw0/deprecate-pointsto 
C++: Put a warning on the PointsTo library.
 2022-09-12 16:25:40 +01:00
Andrew Eisenberg
abdc79b009 Update the example codeql-workspace.yml 
Add a better example for `registries`.
 2022-09-12 08:22:51 -07:00
Andrew Eisenberg
361dba17de Add information about the registries block in codeql-workspace.yml 2022-09-12 08:22:51 -07:00
Edward Minnix III
eadb8a3988 Merge pull request #10106 from egregius313/egregius313/android-backup-allowed 
Java: Query to detect Android backup allowed
 2022-09-12 11:14:03 -04:00
Rasmus Wriedt Larsen
41ce1c2016 Python: getStarArg gives first *args argument 
I couldn't see any reason that we should give up altogether if there are
multiple `*args` arguments. Including the first one looks like a win to
me!
 2022-09-12 17:02:31 +02:00
Mathias Vorreiter Pedersen
d2b150eaf5 C++: Fix QLDoc on the model predicates used by the new experimental use-use code. 2022-09-12 16:00:49 +01:00
Mathias Vorreiter Pedersen
bb1c088fe0 C++: Undo changes to iterator models. 2022-09-12 15:58:49 +01:00
James Fletcher
47480acba5 Apply suggestions from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2022-09-12 15:53:54 +01:00
Paolo Tranquilli
43e5abac39 Swift: do not extract unresolved things from IfConfigDecl 
This avoids extracting things that are unresolved within an
`IfConfigDecl` instance:
* all conditions
* all inactive code blocks
This is meant to test out the hypothesis that this should solve some
extractor issues. If going through with it we should definitely change
the schema model for this.

Also, tests have not been updated and are expected to fail.
 2022-09-12 16:34:28 +02:00
Cornelius Riemenschneider
a8a7909d33 Merge pull request #10364 from github/criemen/remove-legacy-tracing-specs 
Go: Remove the legacy tracer configuration files.
 2022-09-12 15:55:12 +02:00
Tamás Vajk
4569b9585f Merge pull request #10313 from tamasvajk/kotlin-fix-vararg 
Kotlin: Fix `vararg` extraction outside of method call
 2022-09-12 15:54:50 +02:00
Tamás Vajk
ed772e54d1 Merge pull request #10328 from tamasvajk/kotlin-kfunction-fix 
Kotlin: fix `KFunctionX.invoke` extraction
 2022-09-12 15:54:33 +02:00
erik-krogh
05ef76cbca add change-note 2022-09-12 15:41:28 +02:00
erik-krogh
87fb01d55b apply another suggestion from doc review 2022-09-12 15:36:02 +02:00
Geoffrey White
842af4bf74 C++: Specifically suggest DataFlow as an alternative. 2022-09-12 14:25:45 +01:00
AlexDenisov
be21b26d46 Merge pull request #10045 from github/alexdenisov/swift-cwe-757 
Swift: CWE-757: insecure TLS configuration
 2022-09-12 15:25:15 +02:00
Erik Krogh Kristensen
818601b612 Merge pull request #10285 from erik-krogh/paramClass 
ReDoS: convert RelevantState to a class in the PrefixConstruction module
 2022-09-12 15:23:19 +02:00
Rasmus Lerchedahl Petersen
0f95992b2f Python: remove NonLibraryDataFlowCallable 
this required managing parameters and their pre-update nodes a bit
 2022-09-12 15:17:29 +02:00
Rasmus Wriedt Larsen
4296ac1ac0 Python: Allow CallNode.getArgByName for keyword args after **kwargs 2022-09-12 15:03:13 +02:00
Rasmus Wriedt Larsen
03cc4a2f7a Ruby: Fix typo in QLDoc 2022-09-12 14:35:20 +02:00
Tony Torralba
79a32f1a3e Tainting the freemarker dataModel isn't exploitable 2022-09-12 14:22:06 +02:00
AlexDenisov
568eb3a118 Update swift/ql/src/queries/Security/CWE-757/InsecureTLS.qhelp 
Co-authored-by: hubwriter <hubwriter@github.com>
 2022-09-12 14:00:29 +02:00
erik-krogh
98243118b2 recognize a list of bad strings as a sanitizer for js/prototype-polluting-assignment 2022-09-12 13:41:07 +02:00
erik-krogh
afcb767f8d Merge branch 'main' into js-followMsg 2022-09-12 13:21:16 +02:00
erik-krogh
6ec03d4738 apply suggestions from doc review 2022-09-12 13:16:39 +02:00
erik-krogh
bae4490620 add change-note 2022-09-12 12:12:18 +02:00
erik-krogh
80158f8035 fix some python uses of renamed features 2022-09-12 12:08:30 +02:00
Erik Krogh Kristensen
c9ea10b1ef revise some Python names 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-09-12 12:00:57 +02:00
Tony Torralba
dd6257c757 Add security-severity 2022-09-12 11:59:01 +02:00
Tony Torralba
409a123490 Tainting the velocity context isn't exploitable 2022-09-12 11:38:29 +02:00
Erik Krogh Kristensen
3384521fb6 Merge pull request #10357 from erik-krogh/typos 
make a shared library of the typo database
 2022-09-12 11:24:03 +02:00
Erik Krogh Kristensen
cb95e8f263 Merge pull request #10351 from erik-krogh/moreMains 
JS: find a main module in more cases
 2022-09-12 11:01:17 +02:00
Arthur Baars
7ca2e4c51f Merge pull request #9953 from aibaars/update-grammar 
Update tree-sitter-ruby
 2022-09-12 10:51:37 +02:00
Alex Ford
0da367f6e5 Ruby: address QL4QL alerts for rb/sensitive-get-query 2022-09-12 08:56:17 +01:00
Paolo Tranquilli
776df33f55 Swift: fix typos and comments in testCrypto.swift 2022-09-12 08:47:43 +02:00
Rasmus Lerchedahl Petersen
fa2da2f3ec Python: remove NonLibraryNormalCall 
it is not necessary to distinguish these calls,
so we remove the class from the hierarchy.
 2022-09-11 22:25:29 +02:00
Mathias Vorreiter Pedersen
c988547e9c C++: Accept test changes. 2022-09-11 18:31:53 +01:00
Alex Ford
f84035a65c Ruby: add rb/sensitive-get-query query 2022-09-10 17:43:15 +01:00
Rasmus Lerchedahl Petersen
895f5480c2 Python: Added recursion guard 
to ensure that the call graph seen by type tracking
does not include summary calls resolved by type tracking.

(I tried inserting a similar test into the Ruby codebase,
 and it still compiled)

To get this to compile, I had to move the resolution of summary calls
out of the data flow nodes and into the `viableCallable` predicate.
This means that we now have a potential summary call for each
cfg call node. (I tried using the base class, `DataFlowCall`, for this
but calls to `map` got identified as class calls and would no longer
be associated with a summary.)

It is possible that the "NonLIbrary"-layers the were inserted into the
hierarchy can be removed again.
 2022-09-09 22:47:47 +02:00
Geoffrey White
8ac3e10896 C++: Put a warning on the PointsTo library. 2022-09-09 18:03:23 +01:00
Andrew Eisenberg
ed66388551 Port Pack Docs changes to 3.7 
This moves the following three PRs to the 3.7 branch:

- https://github.com/github/codeql/pull/10182
- https://github.com/github/codeql/pull/10146
- https://github.com/github/codeql/pull/10105
 2022-09-09 09:33:25 -07:00