Commit Graph

48840 Commits

Author SHA1 Message Date
haby0
363ad5b470 Fix error 2021-06-17 17:36:35 +08:00
Owen Mansel-Chan
945db01f56 Address review comments 2021-06-17 10:29:33 +01:00
Owen Mansel-Chan
b9bc1f978c Update style of inline expectation comments 2021-06-17 10:04:15 +01:00
Tom Hvitved
41ed9f3e1b Data flow: Fix inconsistencies 2021-06-17 10:48:32 +02:00
Chris Smowton
558813acf7 Inline expectation tests: accept // $MISSING: and // $SPURIOUS:
Previously there had to be a space after the $ token, unlike ordinary expectations (i.e., // $xss was already accepted)
2021-06-17 09:44:39 +01:00
Owen Mansel-Chan
0987425f94 Reinstate failing tests with MISSING: prefix 2021-06-17 09:36:51 +01:00
Tom Hvitved
00e544189e Data flow: Add consistency queries 2021-06-17 10:26:56 +02:00
Tom Hvitved
ad54f2e1f4 Bump codeql submodule 2021-06-17 10:24:19 +02:00
Tom Hvitved
0febf5a592 Merge pull request #6094 from hvitved/dataflow/consistency-compiler-too-smart
Data flow: Workaround for too clever compiler in consistency queries
2021-06-17 10:23:31 +02:00
edvraa
ac777d237d autoformat 2021-06-17 09:23:26 +01:00
edvraa
0456d4793a Fix path tracking 2021-06-17 09:23:26 +01:00
edvraa
4576b16f30 Use dataflow gettype 2021-06-17 09:23:26 +01:00
edvraa
062acedd49 Unify and make getValueForFieldWrite private 2021-06-17 09:23:26 +01:00
edvraa
236b623f60 Get rid of NetHttpCookieTrackingConfiguration 2021-06-17 09:23:26 +01:00
edvraa
031a79b8f5 Gorilla Store Save sink 2021-06-17 09:23:26 +01:00
edvraa
8110c3d059 Use HasFlow 2021-06-17 09:23:26 +01:00
edvraa
d60d18a8d0 Stay on dataflow level 2021-06-17 09:23:26 +01:00
edvraa
ed8d025bdf Dedicated types 2021-06-17 09:23:26 +01:00
edvraa
cba4f0448e Use package 2021-06-17 09:23:26 +01:00
edvraa
167496edff Use MethodCallNode and hasQualifiedName 2021-06-17 09:23:26 +01:00
edvraa
5929f66efb No need for Function f 2021-06-17 09:23:26 +01:00
edvraa
06c328c5aa Fix comment 2021-06-17 09:23:26 +01:00
edvraa
3ac1b4ba0b Use CallNode 2021-06-17 09:23:26 +01:00
edvraa
d06f4ca21e Fix argument nr 2021-06-17 09:23:26 +01:00
edvraa
9224a315f1 inline isGinContextCookieFlow 2021-06-17 09:23:26 +01:00
edvraa
4d397d9974 Fix tests 2021-06-17 09:23:26 +01:00
edvraa
5349c98ae1 Comments 2021-06-17 09:23:26 +01:00
edvraa
0b9959e4ef Default stub 2021-06-17 09:23:26 +01:00
edvraa
d32fa19c12 reformat 2021-06-17 09:23:26 +01:00
edvraa
4eb4787692 simplify expressions 2021-06-17 09:23:26 +01:00
edvraa
f537c479c9 path tracking 2021-06-17 09:23:26 +01:00
edvraa
253abc55d9 get rid of AuthCookieNameConfiguration 2021-06-17 09:23:26 +01:00
edvraa
9c0b83fd34 Use getAPredecessor 2021-06-17 09:23:26 +01:00
edvraa
ff06815db1 Code review 2021-06-17 09:23:26 +01:00
edvraa
cbaad2efb9 Sensitive cookie without HttpOnly 2021-06-17 09:23:26 +01:00
ihsinme
1cabaec0c3 Update cpp/ql/src/experimental/Security/CWE/CWE-561/FindIncorrectlyUsedSwitch.qhelp
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
2021-06-17 11:09:36 +03:00
Tom Hvitved
ffb2350a54 Data flow: Fix getLocalCallContext join-order 2021-06-17 10:02:31 +02:00
Tom Hvitved
cc383e0f6a Data flow: Workaround for too clever compiler in consistency queries 2021-06-17 09:43:36 +02:00
ihsinme
bf65044a0d Update test.c 2021-06-17 10:42:25 +03:00
haby0
3dd851fffb expected 2021-06-17 15:20:03 +08:00
Owen Mansel-Chan
5f82993b0b Put parameters with inline expectation comments on their own lines 2021-06-17 06:41:01 +01:00
jorgectf
8527ccc6d6 Update .expected 2021-06-16 23:19:14 +02:00
jorgectf
5c7229c715 Optimize Type Tracking stuff 2021-06-16 23:19:05 +02:00
jorgectf
81505fbd76 Normalize tests 2021-06-16 23:18:38 +02:00
Rasmus Wriedt Larsen
68f526da1f Python: Add change-note 2021-06-16 20:09:05 +02:00
Tom Hvitved
3f6beaf9df C#: Add tests for complex CSV flow summaries 2021-06-16 19:36:05 +02:00
Tom Hvitved
0af44a7f94 C#: Changes to Type::{getQualifier,hasQualifiedName} 2021-06-16 19:36:05 +02:00
Rasmus Wriedt Larsen
498703fc81 Python: Escaping only valid with both input/output defined
Problematic part is

```codeql
  /** An escape from string format with `markupsafe.Markup` as the format string. */
  private class MarkupEscapeFromStringFormat extends MarkupSafeEscape, Markup::StringFormat {
    override DataFlow::Node getAnInput() {
      result in [this.getArg(_), this.getArgByName(_)] and
      not result = Markup::instance()
    }

    override DataFlow::Node getOutput() { result = this }
  }
```

since the char-pred still holds even if `getAnInput` has no results...

I will say that doing it this way feels kinda dirty, and we _could_ fix
this by including the logic in `getAnInput` in the char-pred as well.
But as I see it, that would just lead to a lot of code duplication,
which isn't very nice.
2021-06-16 19:09:00 +02:00
Rasmus Wriedt Larsen
6539df6422 Python: Add ConceptsTest for MarkupSafe 2021-06-16 19:09:00 +02:00
Rasmus Wriedt Larsen
14de3bffb7 Python: Model MarkupSafe PyPI package
Since expectation tests had so many changes from ConceptsTest, I'm going
to do the changes for that one in a separate commit. The important part
is the changes to taint-tracking, which is highlighted in this commit.
2021-06-16 19:09:00 +02:00