hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-16 20:46:49 +01:00
Code Issues Packages Projects Releases Wiki Activity
48,840 Commits 1,714 Branches 162 Tags
codeql-cli/v2.12.0
Commit Graph

48840 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Robert Marsh
a94826dc81 C++: common superclass for Remote/LocalFlowSource 2020-11-16 18:05:17 +01:00
Robert Marsh
31d3e94cec C++: Grammar/style fixes from code review 
Co-authored-by: Jonas Jensen <jbj@github.com>
 2020-11-16 18:03:44 +01:00
Robert Marsh
74e05c111e C++: add local flow sources 2020-11-16 18:02:19 +01:00
Rasmus Lerchedahl Petersen
27b4c67b9f Python: Start of tests for captured variables 2020-11-16 17:25:39 +01:00
Tamas Vajk
8bef5f417e C#: Upgrade Roslyn dependencies to 3.8.0 2020-11-16 16:44:14 +01:00
Mathias Vorreiter Pedersen
4a7f9100e4 C++: Respond to review comments. 2020-11-16 15:30:42 +01:00
Nick Rolfe
505d5c04d8 Merge pull request #31 from github/aibaars/drop-classes 
Simplify generated QL classes
 2020-11-16 14:16:02 +00:00
Mathias Vorreiter Pedersen
27aab4062a C++/C#: Sync identical files. 2020-11-16 15:05:59 +01:00
Mathias Vorreiter Pedersen
088d5863fc C++: Implement IR post-dominance predicates. 2020-11-16 15:04:40 +01:00
Mathias Vorreiter Pedersen
10a9f7ba13 Update cpp/change-notes/2020-11-12-unsafe-use-of-this.md 
Co-authored-by: hubwriter <hubwriter@github.com>
 2020-11-16 12:28:57 +01:00
Anders Schack-Mulligen
4be731d2ab Java: Adjust reference to static method and add test. 2020-11-16 11:47:58 +01:00
Anders Schack-Mulligen
80ee92ae97 Java: Add support for FastJson in unsafe deserialization. 2020-11-16 11:47:58 +01:00
Mathias Vorreiter Pedersen
020af1c88c C++: Add qhelp. 2020-11-16 11:21:18 +01:00
Geoffrey White
4b8f338139 C++: Autoformat. 2020-11-16 10:19:06 +00:00
Chris Smowton
79c010a601 Move unsafe-unzip-symlink query into qll file and give it customization points. 2020-11-16 09:57:26 +00:00
Chris Smowton
500d78dafa Include os.Readlink as a probable sanitiser. 
A couple of projects seem to walk links one unit at a time, rather than just throwing `EvalSymlinks` at the whole potentially suspect path.
 2020-11-16 09:57:26 +00:00
Chris Smowton
2193642c6e Expand query to notice Symlink and archive iterator calls that do not directly share a loop 
We look across function-call boundaries to check there is some common enclosing loop, but false-positives are more likely if in practice there is no control-flow path from the archive iterator to the Symlink call and back.
 2020-11-16 09:57:26 +00:00
Chris Smowton
1a2c209259 Add query checking for unpacking of symlinks without using EvalSymlinks to spot existing ones. 
This is usually dangerous because (if the archive is untrusted) the intent is usually to permit within-archive symlinks, e.g. dest/a/parent -> .. -> dest/a is an acceptable link to unpack. However if EvalSymlinks is not used to take already-unpacked symlinks into account, it becomes possible to sneak tricks like dest/escapes -> dest/a/parent/.. through, which create links leading out of the archive for later abuse.
 2020-11-16 09:57:26 +00:00
CodeQL CI
09cfb24afa Merge pull request #4648 from erik-krogh/regexpParse 
Approved by asgerf
 2020-11-16 08:20:40 +00:00
CodeQL CI
13edc3713d Merge pull request #4638 from erik-krogh/jwt 
Approved by asgerf
 2020-11-16 08:19:58 +00:00
Anders Schack-Mulligen
3dbd48063c Dataflow: Add Unit type for all languages. 2020-11-16 09:02:44 +01:00
james
45a3024440 Merge branch 'codeql-docs-reorg-2' of github.com:github/codeql into codeql-docs-reorg-2 2020-11-15 08:35:51 +00:00
james
8262435d4b further changes following review 2020-11-15 08:33:52 +00:00
James Fletcher
a4a47bf88d Apply suggestions from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2020-11-15 08:31:40 +00:00
Robert Marsh
525aeb6551 C++: autoformat 2020-11-13 16:14:07 -08:00
Robert Marsh
29eacbd28b Merge branch 'main' into rdmarsh/cpp/use-taint-configuration-dtt 
Update for submodule bump
 2020-11-13 12:22:41 -08:00
Erik Krogh Kristensen
a49b99b18c autoformat 2020-11-13 20:06:17 +01:00
Erik Krogh Kristensen
affb11b0e3 changes based on review 2020-11-13 19:46:37 +01:00
Erik Krogh Kristensen
2f4fcc2f5e Apply suggestions from code review 
Co-authored-by: Asger F <asgerf@github.com>
 2020-11-13 18:03:07 +01:00
james
52d6503fe0 fix link to cli manual 2020-11-13 16:54:05 +00:00
Chris Smowton
43f9351094 Merge pull request #405 from igfoo/igfoo/portability 
Use more portable syntax in codeql-tools/autobuild.sh
 2020-11-13 14:59:54 +00:00
Mathias Vorreiter Pedersen
0a6a22562b C++: Respond to more review comments. 
- Remove post-dominance requirement. It was really just hiding good
  results.
- Fix test annotations. Turns out Clang and GCC's 'undefined behavior'
  warning didn't align with the C++ standard.
 2020-11-13 15:44:33 +01:00
Geoffrey White
dfcb0ae7c2 C++: Autoformat. 2020-11-13 14:39:33 +00:00
Ian Lynagh
f5223bae4c Use more portable syntax in codeql-tools/autobuild.sh 2020-11-13 14:30:04 +00:00
Anders Schack-Mulligen
9e45f10c5d Dataflow: Remove headUsesContent. 2020-11-13 15:12:39 +01:00
Anders Schack-Mulligen
e0a6a485df Dataflow: Sync. 2020-11-13 15:12:16 +01:00
Anders Schack-Mulligen
d324cd1844 Dataflow: Some qldoc. 2020-11-13 15:09:30 +01:00
Anders Schack-Mulligen
293429f821 Dataflow: Make a bunch of the interface predicates private. 2020-11-13 15:09:30 +01:00
Anders Schack-Mulligen
d028e6b334 Dataflow: Change some headUsesContent to getHead. 2020-11-13 15:09:30 +01:00
Anders Schack-Mulligen
aa66b9bb48 Dataflow: Align more predicates. 2020-11-13 15:09:30 +01:00
Anders Schack-Mulligen
6e6e5d6414 Dataflow: Renamings. 2020-11-13 15:09:29 +01:00
Anders Schack-Mulligen
786edbf045 Dataflow: Align on parameterMayFlowThrough. 
This actually provides a decent pruning improvement in stages 3 and 4.
 2020-11-13 15:09:29 +01:00
Anders Schack-Mulligen
15bf1b1026 Dataflow: Rename some stage 1 predicates. 2020-11-13 15:09:29 +01:00
Anders Schack-Mulligen
af54afa24b Dataflow: Add stage statistics. 2020-11-13 15:09:29 +01:00
Anders Schack-Mulligen
8b5e452728 Dataflow: Improve cons-cand relation. 
Post-recursion we can filter the forward cons-candidates to only include
those that met a read step, and similarly restrict the reverse flow
cons-candidates to those that met a store step.
 2020-11-13 15:09:29 +01:00
Anders Schack-Mulligen
e4fb41507b Dataflow: Reshuffle some predicates. 2020-11-13 15:09:29 +01:00
Anders Schack-Mulligen
5a1c0e9ec4 Dataflow: Get rid of early filter. 
This constructs a few more tuples in Stage3::fwdFlow0, which are then
filtered in Stage3::fwdFlow. This is cleaner and appears faster.
 2020-11-13 15:09:29 +01:00
Anders Schack-Mulligen
3e18e02d2c Dataflow: Refactor step predicate in fwdFlowRead. 2020-11-13 15:09:29 +01:00
Anders Schack-Mulligen
c5a2c261dc Dataflow: Refactor forward store step relation. 2020-11-13 15:09:29 +01:00
Anders Schack-Mulligen
b6f1ab6429 Dataflow: Refactor step relation in revFlowStore. 2020-11-13 15:09:29 +01:00