hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-25 17:06:46 +01:00
Code Issues Packages Projects Releases Wiki Activity
48,840 Commits 1,717 Branches 163 Tags
codeql-cli/v2.12.0
Commit Graph

48840 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Geoffrey White
33fab08975 C++: Autoformat. 2020-06-17 15:53:05 +01:00
Dave Bartolomeo
687d6d2643 C++: Replace TRawInstruction() calls 
Replace most direct calls to `TRawInstruction()` with calls to `getInstructionTranslatedElement()` and `getInstructionTag()`, matching existing practice. One tiny RA diff in an inconsequential join order in `getInstructionVariable`.
 2020-06-17 10:52:32 -04:00
Geoffrey White
833f5b0cf3 C++: Add flow through assignment operators. 2020-06-17 15:47:37 +01:00
Geoffrey White
b9a65581ce C++: Some constructors should have dataflow instead of taint. 2020-06-17 15:47:37 +01:00
Geoffrey White
031c9b98f1 C++: General taint flow through constructors. 2020-06-17 15:47:37 +01:00
Geoffrey White
30151c99d7 C++: Remove the std::string Constructor model. 2020-06-17 15:43:58 +01:00
Rasmus Lerchedahl Petersen
8e51b2fed8 Python: refactor test for global flow 2020-06-17 16:43:11 +02:00
Geoffrey White
d565cfc58e C++: Add a test of default constructors etc. 2020-06-17 15:41:36 +01:00
Geoffrey White
c196ea24b2 C++: Add taint tests of class constructors and assignment. 2020-06-17 15:41:00 +01:00
Geoffrey White
ea9e9a7a26 C++: Add taint tests of std::string constructors and assignment. 2020-06-17 15:41:00 +01:00
Dave Bartolomeo
c1016743a5 C++: Remove instructionOrigin() 
This noopt predicate is no longer necessary. It's equivalent to `instruction = TRawInstruction(element, tag)`, which is already materialized and has a more favorable column order anyway.
 2020-06-17 10:25:59 -04:00
Rasmus Lerchedahl Petersen
71f364eef3 Python: Implement OutNode 
Also, fix test for local flow
 2020-06-17 16:24:44 +02:00
Owen Mansel-Chan
c5cb55afc6 Add a change note 2020-06-17 15:14:16 +01:00
Owen Mansel-Chan
2282def1e2 Merge pull request #180 from owen-mc/email-injection 
Move email injection query out of experimental folder
 2020-06-17 15:11:31 +01:00
Chris Smowton
1a823b21f1 PrintAst: Emit relative paths for file nodes 
This is a workaround for codeql run test not itself truncating absolute paths
when comparing against actual output.
 2020-06-17 15:03:29 +01:00
Dave Bartolomeo
e85cc0b0c6 C++: Stop caching raw IR construction predicates 
These predicates are only used within the new single IR stage, so there's no need to cache them beyond that. RA diffs are trivial. Where previously many of the predicate on `Instruction` were inline wrappers around cached predicates from `IRConstruction`, now the predicates from `IRConstruction` get inlined into the `Instruction` predicates, and the `Instruction` predicates get materialized. The net amount of work is the same, but now it's not getting cached unnecessarily.
 2020-06-17 09:47:48 -04:00
Anders Schack-Mulligen
d28b5ace63 Dataflow: Sync. 2020-06-17 15:40:48 +02:00
Anders Schack-Mulligen
10b64fc47a Dataflow: Record content type for stores. 2020-06-17 15:40:42 +02:00
Owen Mansel-Chan
49abd0b9b1 Add test using hashing 2020-06-17 14:33:53 +01:00
Chris Smowton
80b9be1004 Add simple PrintAst test 
This both checks that many common control-flow structures print as expected, and checks our unique child node numbering, which would otherwise give the same label to a file's package (its 0th child expression) and its 0th declaration.
 2020-06-17 14:25:45 +01:00
Owen Mansel-Chan
83697f62ac Address review comments on qhelp 2020-06-17 14:21:37 +01:00
Mathias Vorreiter Pedersen
01abaf373a Merge pull request #3728 from geoffw0/memberfunctions 
C++: Split MemberFunction.qll from Function.qll.
 2020-06-17 14:54:33 +02:00
Chris Smowton
bd7b7c06b5 Add AstNode.getCanonicalQlClass and use it in PrintAst 
This gives those classes satisfied by an AstNode that are considered useful for developer understanding, cf. getAQlClass which returns all satisfied classes and hides overridden ones, even if they are interesting.
 2020-06-17 13:47:23 +01:00
Jonas Jensen
a87ff80ac0 Merge pull request #3587 from rdmarsh2/ir-this-parameter-2 
C++: IR return indirections for `this`
 2020-06-17 13:27:35 +02:00
Geoffrey White
7edaade175 C++: Improve QLDoc. 2020-06-17 12:11:42 +01:00
Erik Krogh Kristensen
cd111fe350 Merge pull request #3721 from asger-semmle/js/non-linear-pattern-msg 
JS: Improve alert message in js/non-linear-pattern
 2020-06-17 13:10:56 +02:00
Geoffrey White
0a9ec70c31 C++: Autoformat. 2020-06-17 11:54:50 +01:00
Owen Mansel-Chan
3a3fbfff45 Update moved files 2020-06-17 11:36:11 +01:00
Owen Mansel-Chan
d7c6391b41 Move Gin files out of experimental 
No changes have been made to the files in this commit
 2020-06-17 11:34:09 +01:00
Erik Krogh Kristensen
b0be0eb805 fix qhelp links 2020-06-17 11:50:44 +02:00
Erik Krogh Kristensen
fa0a8c3423 add documentation examples as tests 2020-06-17 11:37:32 +02:00
Erik Krogh Kristensen
b42824640d add qhelp for js/exposure-of-private-files 2020-06-17 11:29:24 +02:00
Geoffrey White
f3e24963cb C++: Update QLDoc. 2020-06-17 10:27:34 +01:00
ubuntu
22cb45beab Merge remote-tracking branch 'upstream/master' 2020-06-17 11:13:13 +02:00
Owen Mansel-Chan
f926808c8a Address review comments 2020-06-17 10:11:41 +01:00
Erik Krogh Kristensen
345283fe34 add change note 2020-06-17 10:48:27 +02:00
Erik Krogh Kristensen
639907967f add home/rootdir as leaking folders 2020-06-17 10:46:42 +02:00
Erik Krogh Kristensen
6675ddae12 add more libraries that serve static files to js/exposure-of-private-files 2020-06-17 10:00:59 +02:00
Sauyon Lee
ed87c346cf Add tests for the ReflectedXSS HTML content type sniffing regexp 2020-06-17 00:28:03 -07:00
Sauyon Lee
95235c8415 Add change note for reflected xss regexp fixes 2020-06-17 00:28:03 -07:00
Sauyon Lee
4f3854c052 ReflectedXSS: Ignore whitespace for HTML content type detection 2020-06-17 00:28:02 -07:00
Jonas Jensen
e0ba23d2c7 C++: @precision high for tainted-format-string* 
I think these queries have excellent results on lgtm.com. Many of the
results come from projects that use `sprintf` like it's a templating
engine, trusting that values from `argv` or `getenv` contain the correct
number of `%s`. I think we want to flag that.

The structure of the change note is modeled after 91af51cf46.
 2020-06-17 09:03:13 +02:00
Rasmus Lerchedahl Petersen
52898f16f5 Python: update paths after move 2020-06-17 08:34:45 +02:00
Rasmus Lerchedahl Petersen
47f5b04e87 Python: fix identical-files.json after move 
also more grouping
 2020-06-17 07:08:46 +02:00
Rasmus Lerchedahl Petersen
e192b66116 Python: move shared dataflow to experimental 2020-06-17 06:46:46 +02:00
luchua-bc
f40e27a3c5 Hardcoded AWS credentials 2020-06-17 02:46:02 +00:00
Erik Krogh Kristensen
fb5e13b456 Apply suggestions from doc review 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2020-06-16 23:45:45 +02:00
Erik Krogh Kristensen
d811518a2e fixed from doc review, and add fixed example for js/biased-cryptographic-random using a secure library 2020-06-16 23:26:54 +02:00
Dave Bartolomeo
8e977dc6bf C++/C#: Move overrides of IRType::getByteSize() into leaf classes 
See https://github.com/github/codeql/pull/2272. I've added code comments in all of the places that future me will be tempted to hoist these overrides.
 2020-06-16 16:48:42 -04:00
Dave Bartolomeo
24c3110989 Merge from master 2020-06-16 16:37:38 -04:00