Commit Graph

48840 Commits

Author SHA1 Message Date
james
51c0287905 address review comments 2022-10-17 16:19:15 +01:00
Paolo Tranquilli
3a99b9845e Merge pull request #10856 from github/redsun82/swift-show-ql-class-in-collapsed-hierarchy-tests
Swift: show QL class in generated tests on collapsed hierarchies
2022-10-17 16:38:24 +02:00
Taus
58754982ce Python: Update type tracking tests
No longer missing! 🎉
2022-10-17 14:34:10 +00:00
Taus
ad13fbaeb6 Python: Add tests
A slightly complicated test setup. I wanted to both make sure I captured
the semantics of Python and also the fact that the kinds of global flow
we expect to see are indeed present.

The code is executable, and prints out both when the execution reaches
certain files, and also what values are assigned to the various
attributes that are referenced throughout the program. These values are
validated in the test as well.

My original version used introspection to avoid referencing attributes
directly (thus enabling better error diagnostics), but unfortunately
that made it so that the model couldn't follow what was going on.

The current setup is a bit clunky (and Python's scoping rules make it
especially so -- cf. the explicit calls to `globals` and `locals`), but
I think it does the job okay.
2022-10-17 14:29:41 +00:00
Taus
651afaf11b Python: Hook up new implementation
Left as its own commit, as otherwise the diff would have been very
confusing.
2022-10-17 14:29:41 +00:00
Taus
0051ba1596 Python: Add new module resolution implementation
A fairly complicated bit of modelling, mostly due to the quirks of
how imports are handled in Python.

A few notes:

- The handling of `__all__` is not actually needed (and perhaps not
  desirable, as it only pertains to `import *`, though it does match
  the current behaviour), but it might become useful at a later date,
  so I left it in.
- Ideally, we would represent `foo as bar` in an `import` as a
  `DefinitionNode` in the CFG. I opted _not_ to do this, as it would
  also affect points-to, and I did not want to deal with any fallout
  arising from that.
2022-10-17 14:29:41 +00:00
Chris Smowton
eb97735568 Merge pull request #10797 from smowton/smowton/fix/byte-short-inversion
Kotlin: fix bit-inversion operator for Byte and Short types
2022-10-17 15:05:57 +01:00
Chris Smowton
e1c93c9284 Merge pull request #10816 from smowton/smowton/fix/kotlin-adapted-function-references
Kotlin: extract function references using compiler-generated adapters
2022-10-17 15:05:16 +01:00
erik-krogh
bb4bc55c6a update expected output 2022-10-17 15:52:21 +02:00
Geoffrey White
dcf254a9e3 Swift: Make QL-for-QL happy. 2022-10-17 14:23:28 +01:00
Taus
f5b2eb94a6 Merge pull request #10783 from yoff/python/subscript-nodes
Python: API graph improvements for subscripts
2022-10-17 15:21:56 +02:00
Tamas Vajk
21c13fb9a3 Kotlin: Exclude variables of live literals from java/field-masks-super-field 2022-10-17 15:07:44 +02:00
Geoffrey White
0281bfedda Merge pull request #10689 from d10c/swift/cleartext-storage-nsuserdefaults
Swift: Query for CWE-312: Exposure of sensitive information using NSUserDefaults
2022-10-17 14:05:17 +01:00
Geoffrey White
13f9834fde Merge pull request #10780 from karimhamdanali/swift-hardcoded-key
Swift: detect hardcoded encryption keys
2022-10-17 14:02:31 +01:00
Arthur Baars
7af4c08055 Merge pull request #10803 from hmac/actiondispatch-response
Ruby: Model ActionDispatch::Response
2022-10-17 14:51:25 +02:00
Geoffrey White
9767064310 Swift: Fix bug for sqlite3_prepare_v3. 2022-10-17 13:40:35 +01:00
Geoffrey White
1221cbaee7 Swift: Updated results after merge with main. 2022-10-17 13:35:46 +01:00
Geoffrey White
13018150ed Merge branch 'main' into sqlinject 2022-10-17 13:30:14 +01:00
Geoffrey White
85e164d4f6 Swift: QLDoc some stuff while we're here. 2022-10-17 13:22:44 +01:00
Tony Torralba
01a08d44bb Apply suggestions from code review
Co-authored-by: Felicity Chapman <felicitymay@github.com>
2022-10-17 14:14:38 +02:00
Geoffrey White
3b9151cb24 Swift: Restore UnknownLocation.toString(), it seems helpful. 2022-10-17 13:11:22 +01:00
Paolo Tranquilli
e49268d036 Swift: show QL class in generated tests on collapsed hierarchies
In those kinds of tests the results may have different final classes
that are not necessarily visible (or tested) solely through the string
representation. For better testing and reading of expected results,
`getQlPrimaryClasses` is added in these cases.
2022-10-17 14:08:04 +02:00
erik-krogh
f09e3bd3ac add String#% as a printf-like call 2022-10-17 13:51:43 +02:00
Geoffrey White
9c8bbe384b Swift: Add Location.toString. 2022-10-17 12:48:17 +01:00
Paolo Tranquilli
c3968a2166 Merge pull request #10854 from github/redsun82/swift-extract-implicit-conversions
Swift: extract all `ImplicitConversionExpr`
2022-10-17 13:46:10 +02:00
Geoffrey White
4d0c23c4da Swift: Add a test of Location.qll. 2022-10-17 12:45:26 +01:00
Chris Smowton
efd7b6e692 Use isFunction 2022-10-17 12:27:58 +01:00
Arthur Baars
f7ff2cdc0d Merge branch 'main' into actiondispatch-response 2022-10-17 13:22:17 +02:00
erik-krogh
d4919d04ba add a taint-step for format-calls 2022-10-17 13:16:38 +02:00
erik-krogh
f222cc1f3e refactor the existing taint-step for string interpolation into StringFormatters.qll 2022-10-17 13:16:38 +02:00
erik-krogh
6de1abcb0e add a returnsFormatted predicate to the printf model, similar to the JS implementation 2022-10-17 13:16:38 +02:00
erik-krogh
a2b924bbdf move model of printf style calls to StringFormatters.qll 2022-10-17 13:16:34 +02:00
Paolo Tranquilli
789be9a1ad Swift: add ImplicitConversionExpr test 2022-10-17 12:57:44 +02:00
Karim Ali
bbc03a1578 add false negatives to the test case 2022-10-17 12:54:34 +02:00
Karim Ali
bb3bf64364 update example with both AES and Blowfish for better clarity 2022-10-17 12:54:34 +02:00
Karim Ali
b840a41222 fix typo in doc 2022-10-17 12:54:34 +02:00
Karim Ali
e942cfb98e fix typos in docs and in-code comments 2022-10-17 12:54:34 +02:00
Karim Ali
aef9645bd6 change use of toString() to getName() 2022-10-17 12:54:34 +02:00
Karim Ali
81e027f225 address QLDoc style comments 2022-10-17 12:54:34 +02:00
Karim Ali
d56c82ff75 add a query that detects hardcoded keys 2022-10-17 12:54:34 +02:00
Chris Smowton
be53ec9b42 Accept test changes 2022-10-17 11:48:22 +01:00
Chris Smowton
f9d65e42dd Use compiler-provided adapter functions when creating a function reference 2022-10-17 11:48:21 +01:00
Paolo Tranquilli
e4bcea708e Swift: extract all ImplicitConversionExpr
In order to do so, `VisitorBase` was changed to allow writing one
`translate` function for an abstract class like
`ImplicitConversionExpr`.
2022-10-17 12:47:05 +02:00
Chris Smowton
4c63237ed1 Add test checking argument <-> parameter matching, and fix superconstructor calls that were missing their argument. 2022-10-17 11:44:44 +01:00
Chris Smowton
8553266aae Allow specialised instances of anonymous classes 2022-10-17 11:27:05 +01:00
Chris Smowton
73f5dea51e Extract private members of specialised generic classes on demand 2022-10-17 11:27:04 +01:00
Chris Smowton
f1fd470f49 Merge pull request #10821 from smowton/smowton/fix/kotlin-property-ref-to-sam-interface
Kotlin SAM conversion: tolerate property refs used to implement a SAM interface
2022-10-17 11:25:24 +01:00
Geoffrey White
2b3ab180fa Merge pull request #10077 from intrigus-lgtm/cpp/wexpand-commmand-injection
Add query for tainted `wordexp` calls.
2022-10-17 11:18:38 +01:00
erik-krogh
dbf2673a91 add returnsFormatted predicate to PrintfStyleCall (similar to JS) 2022-10-17 12:15:31 +02:00
erik-krogh
46627a737e add an AdditionalTaintStep class for Ruby 2022-10-17 12:15:30 +02:00