hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-21 10:24:47 +01:00
Code Issues Packages Projects Releases Wiki Activity
49,367 Commits 1,684 Branches 158 Tags
codeql-cli/v2.12.1
Commit Graph

49367 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Harry Maclean
6e60a6ff2e Apply suggestions from code review 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2022-09-28 05:51:28 +13:00
Nora Dimitrijević
cacf78838c C++: Tests (w/ FPs) from MRVA top 1000 run 2022-09-27 18:48:32 +02:00
Jami
56e3334c6d Merge pull request #10479 from jcogs33/android-service-sources 
Java: add Android service sources
 2022-09-27 12:40:18 -04:00
Andrew Eisenberg
aefd51601c Re-order query suite descriptions 
Add a pull quote and apply some suggestions from code review.
 2022-09-27 09:22:46 -07:00
Mathias Vorreiter Pedersen
549eca1b17 C++: Fix 'implicit use of this'. 2022-09-27 16:29:30 +01:00
Mathias Vorreiter Pedersen
e4305948ef C++: Fix FP on CWE-193 by blocking flow through back-edges of phi nodes. 2022-09-27 16:28:03 +01:00
Nick Rolfe
8ca1e1b2d1 Ruby: add changenote for XXE improvements 2022-09-27 16:11:41 +01:00
Jami Cogswell
7e0c61de2c switch to hasName 2022-09-27 10:45:52 -04:00
Tamas Vajk
847a64c03b Kotlin: extract call target even if it's unbound 2022-09-27 15:30:38 +02:00
Tony Torralba
be9509ceb9 Merge pull request #9199 from luchua-bc/java/unsafe-url-forward-dispatch-load 
Java: CWE-552 Query to detect unsafe resource loading in Java Spring applications
 2022-09-27 15:27:51 +02:00
Asger F
52b6dd5bec Ruby: update test expectation 2022-09-27 14:41:59 +02:00
Erik Krogh Kristensen
162edd6883 Merge pull request #10586 from erik-krogh/pyRegFix 
ReDoS: fix RegExpEscape::getValue having multiple results for some escapes
 2022-09-27 14:41:18 +02:00
Erik Krogh Kristensen
b9937269b9 Merge pull request #10584 from erik-krogh/csharp-unqueryable 
C#: deprecate/delete some unused code
 2022-09-27 14:26:59 +02:00
Tom Hvitved
335e1a8233 Address review comments 2022-09-27 13:36:52 +02:00
Tony Torralba
7ff82bbed3 Update java/ql/src/experimental/Security/CWE/CWE-552/UnsafeUrlForward.qll 2022-09-27 13:26:21 +02:00
erik-krogh
7675571daa fix RegExpEscape::getValue having multiple results for some escapes 2022-09-27 13:25:23 +02:00
Nick Rolfe
bfda08e69c Ruby: detect uses of libxml with entity substitution enabled by default 
Including uses of ActiveSupport::XmlMini with the libxml backend
 2022-09-27 11:53:43 +01:00
Nick Rolfe
7c30d333ad Ruby: move XXE tests to subdirectory 2022-09-27 11:53:43 +01:00
Tamás Vajk
9358070ae9 Merge pull request #10506 from tamasvajk/kotlin-enum-type-access 
Kotlin: Fix type access expressions in enum constructor calls
 2022-09-27 12:42:30 +02:00
Tamás Vajk
8a6d56a57d Merge pull request #10520 from tamasvajk/kotlin-fix-anonymous-object-comment 
Kotlin: Fix comment extraction for anonymous objects
 2022-09-27 12:42:05 +02:00
erik-krogh
ae6dd05249 deprecate unused class in query specific file 2022-09-27 12:40:05 +02:00
erik-krogh
d23b128457 delete unused code in an internal file 2022-09-27 12:31:58 +02:00
Mathias Vorreiter Pedersen
0c79c2836c Merge pull request #10573 from erik-krogh/cpp-unqueryable 
C: deprecate/delete some unused code
 2022-09-27 10:13:24 +01:00
Asger F
ea4ba27297 Ruby: add RbiInstantiatedType 2022-09-27 10:51:29 +02:00
Anders Schack-Mulligen
9f1bbf2bbd Merge pull request #10575 from aschackmull/dataflow/cleanup-module 
Dataflow: Minor visibility cleanup
 2022-09-27 10:10:53 +02:00
Harry Maclean
9709aa87fb Fix changenote month 2022-09-27 15:23:12 +13:00
Harry Maclean
cb8865f3ff Add missing doc 2022-09-27 11:23:08 +13:00
Harry Maclean
6803d96000 Add change note 2022-09-27 10:43:41 +13:00
Harry Maclean
49572a5218 Remove redundant import 2022-09-27 10:35:39 +13:00
Tom Hvitved
3717cb30eb Ruby: Fix two join orders 
`getExplicitVisibilityModifier`

Before
[2022-08-17 09:03:16] (186s) Tuple counts for quick_eval#ff/2@2005f7ku after 113ms:
                      39910   ~0%     {2} r1 = SCAN Method#8b49e67f::Method#ff OUTPUT 0, In.0 'this'
                      39910   ~0%     {2} r2 = STREAM DEDUP r1
                      135     ~2%     {2} r3 = JOIN r2 WITH Call#ee92d596::CallImpl::getArgumentImpl#dispred#fbb_120#join_rhs ON FIRST 2 OUTPUT Rhs.2 'result', Lhs.1 'this'
                      134     ~0%     {2} r4 = JOIN r3 WITH Method#8b49e67f::VisibilityModifier#f ON FIRST 1 OUTPUT Lhs.1 'this', Lhs.0 'result'

                      39910   ~0%     {1} r5 = SCAN Method#8b49e67f::Method#ff OUTPUT In.0 'this'
                      39910   ~0%     {1} r6 = STREAM DEDUP r5
                      39910   ~0%     {2} r7 = JOIN r6 WITH Method#8b49e67f::Method::getName#dispred#ff ON FIRST 1 OUTPUT Lhs.0 'this', Rhs.1
                      39770   ~1%     {3} r8 = JOIN r7 WITH AST#a6718388::AstNode::getEnclosingModule#dispred#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.0 'this', Lhs.1
                      1859722 ~0%     {3} r9 = JOIN r8 WITH project#Method#8b49e67f::isDeclaredIn#fff#2_10#join_rhs ON FIRST 1 OUTPUT Rhs.1 'result', Lhs.1 'this', Lhs.2
                      11757   ~0%     {4} r10 = JOIN r9 WITH Method#8b49e67f::VisibilityModifier::getMethodArgument#dispred#bf ON FIRST 1 OUTPUT Lhs.2, Lhs.1 'this', Lhs.0 'result', Rhs.1
                      24206   ~0%     {4} r11 = JOIN r10 WITH Constant#54e8b051::ConstantValue::getStringlikeValue#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.3, Rhs.1, Lhs.1 'this', Lhs.2 'result'
                      292     ~0%     {2} r12 = JOIN r11 WITH Expr#6fb2af19::Expr::getConstantValue#dispred#ff ON FIRST 2 OUTPUT Lhs.2 'this', Lhs.3 'result'

                      426     ~0%     {2} r13 = r4 UNION r12
                                      return r13

After
[2022-08-17 09:30:31] (0s) Tuple counts for quick_eval#ff/2@e014fd45 after 5ms:
                      39910 ~0%     {1} r1 = SCAN Method#8b49e67f::Method#ff OUTPUT In.0 'this'
                      39910 ~0%     {1} r2 = STREAM DEDUP r1

                      134   ~1%     {2} r3 = JOIN r2 WITH Method#8b49e67f::VisibilityModifier::getMethodArgument#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.0 'this', Rhs.1 'result'

                      37225 ~1%     {3} r4 = JOIN r2 WITH project#Method#8b49e67f::methodIsDeclaredIn#ffff ON FIRST 1 OUTPUT Rhs.1, Rhs.2, Lhs.0 'this'
                      382   ~1%     {2} r5 = JOIN r4 WITH Method#8b49e67f::modifiesIn#fff_120#join_rhs ON FIRST 2 OUTPUT Lhs.2 'this', Rhs.2 'result'

                      516   ~0%     {2} r6 = r3 UNION r5
                                    return r6

`getVisibilityModifier()`

Before
[2022-08-17 09:16:18] (1s) Tuple counts for quick_eval#ff/2@0e9b6ctl after 52ms:
                      39910   ~0%     {1} r1 = SCAN Method#8b49e67f::Method#ff OUTPUT In.0 'this'
                      39910   ~0%     {1} r2 = STREAM DEDUP r1
                      424     ~0%     {2} r3 = JOIN r2 WITH Method#8b49e67f::Method::getExplicitVisibilityModifier#dispred#ff ON FIRST 1 OUTPUT Lhs.0 'this', Rhs.1 'result'

                      34953   ~0%     {3} r4 = JOIN quick_eval#ff#shared WITH Method#8b49e67f::isDeclaredIn#fff ON FIRST 1 OUTPUT Rhs.1, Rhs.2, Lhs.0 'this'
                      2338    ~0%     {2} r5 = JOIN r4 WITH quick_eval#ff#join_rhs ON FIRST 2 OUTPUT Lhs.2 'this', Rhs.2 'result'

                      3861    ~0%     {1} r6 = SCAN Method#8b49e67f::SingletonMethod#ff OUTPUT In.0 'this'
                      3861    ~0%     {1} r7 = STREAM DEDUP r6
                      3859    ~6%     {2} r8 = JOIN r7 WITH AST#a6718388::AstNode::getEnclosingModule#dispred#ff ON FIRST 1 OUTPUT Lhs.0 'this', Rhs.1
                      3859    ~6%     {2} r9 = JOIN r8 WITH Method#8b49e67f::SingletonMethod#ff ON FIRST 1 OUTPUT Lhs.0 'this', Lhs.1

                      0       ~0%     {3} r10 = JOIN r9 WITH Method#8b49e67f::VisibilityModifier::getMethodArgument#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1 'result', Lhs.1, Lhs.0 'this'

                      3859    ~0%     {3} r11 = JOIN r9 WITH Method#8b49e67f::SingletonMethod::getName#dispred#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.0 'this', Lhs.1
                      7731    ~0%     {3} r12 = JOIN r11 WITH Constant#54e8b051::ConstantValue::getStringlikeValue#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1 'this', Lhs.2
                      1343055 ~1%     {3} r13 = JOIN r12 WITH Expr#6fb2af19::Expr::getConstantValue#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1 'this', Lhs.2
                      6546    ~2%     {3} r14 = JOIN r13 WITH Method#8b49e67f::VisibilityModifier::getMethodArgument#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1 'result', Lhs.2, Lhs.1 'this'

                      6546    ~2%     {3} r15 = r10 UNION r14
                      120     ~2%     {2} r16 = JOIN r15 WITH AST#a6718388::AstNode::getEnclosingModule#dispred#ff ON FIRST 2 OUTPUT Lhs.2 'this', Lhs.0 'result'

                      2458    ~0%     {2} r17 = r5 UNION r16
                      2882    ~0%     {2} r18 = r3 UNION r17
                                      return r18

After
[2022-08-17 09:29:42] (2s) Tuple counts for quick_eval#ff/2@77b18cdg after 5ms:
                      39910 ~0%     {1} r1 = SCAN Method#8b49e67f::Method#ff OUTPUT In.0 'this'
                      39910 ~0%     {1} r2 = STREAM DEDUP r1
                      516   ~0%     {2} r3 = JOIN r2 WITH Method#8b49e67f::Method::getExplicitVisibilityModifier#dispred#ff ON FIRST 1 OUTPUT Lhs.0 'this', Rhs.1 'result'

                      3861  ~0%     {1} r4 = SCAN Method#8b49e67f::SingletonMethod#ff OUTPUT In.0 'this'
                      3861  ~0%     {1} r5 = STREAM DEDUP r4

                      0     ~0%     {2} r6 = JOIN r5 WITH Method#8b49e67f::VisibilityModifier::getMethodArgument#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.0 'this', Rhs.1 'result'

                      516   ~0%     {2} r7 = r3 UNION r6

                      36845 ~0%     {3} r8 = JOIN quick_eval#ff#shared WITH Method#8b49e67f::isDeclaredIn#fff ON FIRST 1 OUTPUT Rhs.1, Rhs.2, Lhs.0 'this'
                      2421  ~0%     {2} r9 = JOIN r8 WITH quick_eval#ff#join_rhs ON FIRST 2 OUTPUT Lhs.2 'this', Rhs.2 'result'

                      2584  ~0%     {3} r10 = JOIN r5 WITH project#Method#8b49e67f::methodIsDeclaredIn#ffff ON FIRST 1 OUTPUT Rhs.1, Rhs.2, Lhs.0 'this'
                      39    ~0%     {2} r11 = JOIN r10 WITH Method#8b49e67f::modifiesIn#fff_120#join_rhs ON FIRST 2 OUTPUT Lhs.2 'this', Rhs.2 'result'

                      2460  ~1%     {2} r12 = r9 UNION r11
                      2976  ~0%     {2} r13 = r7 UNION r12
                                    return r13
 2022-09-27 10:29:06 +13:00
Harry Maclean
92715bac3a Attempt to fix bad join candidates 2022-09-27 10:29:06 +13:00
Harry Maclean
5cdaae7378 Update tests 2022-09-27 10:29:04 +13:00
Harry Maclean
4df7fd248e Ruby: Ensure explicit modifiers take priority 
In Ruby, "explicit" visibility modifiers override "implicit" ones. For
example, in the following:

```rb
class C

  private

  def m1
  end

  public m2
  end

  def m3
  end
  public :m3
end
```

`m1` is private whereas `m2` and `m3` are public.
 2022-09-27 10:28:23 +13:00
Harry Maclean
d90257fd50 Add change note 2022-09-27 10:22:54 +13:00
Harry Maclean
bda4cfbe5d Ruby: Update test 2022-09-27 10:22:53 +13:00
Harry Maclean
79abb36faf Ruby: Remove MethodModifier 2022-09-27 10:21:06 +13:00
Harry Maclean
97e9eab7fc Fix QL4QL error 2022-09-27 10:21:06 +13:00
Harry Maclean
d7f40c41c5 Ruby: protected_class_method does not exist 2022-09-27 10:21:06 +13:00
Harry Maclean
5e9196e51c Ruby: Add test for protected methods 2022-09-27 10:21:04 +13:00
Harry Maclean
494fb4c966 Ruby: Make room for new test cases 2022-09-27 10:18:43 +13:00
Harry Maclean
1d728b234f Ruby: Add test for protected method visibility 2022-09-27 10:16:09 +13:00
Harry Maclean
58dd521ee9 Ruby: further refactor to method visibility 2022-09-27 10:13:23 +13:00
Harry Maclean
c5f36613da Ruby: Refactor method visibility modeling 2022-09-27 10:13:21 +13:00
Harry Maclean
3beed54e35 Ruby: Fix imports in test 2022-09-27 10:09:26 +13:00
Harry Maclean
dea5036912 Ruby: Update for Http concept changes 2022-09-27 10:03:17 +13:00
Tom Hvitved
45fc62f16b Data flow: Sync files 2022-09-26 20:39:48 +02:00
Tom Hvitved
1273db5a22 Data flow: Fix bad join-order when getAReadContent has large fan-in 
Before (terminated before completion)
```
Evaluated relational algebra for predicate DataFlowImplForHttpClientLibraries#c536b619::store#5#fffff@e5ef07bh with tuple counts:
            151500     ~0%    {4} r1 = SCAN DataFlowImplCommon#4f8df883::Cached::store#4#ffff OUTPUT In.1, In.0, In.2, In.3
            150500     ~0%    {5} r2 = JOIN r1 WITH DataFlowImplCommon#4f8df883::Cached::MkTypedContent#fff_20#join_rhs ON FIRST 1 OUTPUT Lhs.1, Lhs.0, Lhs.2, Lhs.3, Rhs.1
            149500     ~0%    {5} r3 = JOIN r2 WITH num#DataFlowImplForHttpClientLibraries#c536b619::TNodeNormal#ff ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Lhs.3, Lhs.4, Rhs.1
            148500     ~0%    {5} r4 = JOIN r3 WITH num#DataFlowImplForHttpClientLibraries#c536b619::TNodeNormal#ff ON FIRST 1 OUTPUT Lhs.3, Lhs.1, Lhs.2, Lhs.4, Rhs.1
        2003849000     ~0%    {5} r5 = JOIN r4 WITH DataFlowPublic#e1781e31::ContentSet::getAReadContent#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2, Lhs.3, Lhs.4
         105066500  ~9036%    {5} r6 = JOIN r5 WITH project#DataFlowImplForHttpClientLibraries#c536b619::readSet#4#ffff ON FIRST 1 OUTPUT Lhs.3, Lhs.1, Lhs.4, Lhs.2, Rhs.1
                              return r6
```

After
```
Evaluated relational algebra for predicate DataFlowImplForHttpClientLibraries#c536b619::readProj#2#ff@302620cn with tuple counts:
        1461867  ~0%    {2} r1 = SCAN DataFlowPrivate#462ff392::Cached::TContent#f OUTPUT In.0, In.0
        3549054  ~1%    {2} r2 = JOIN r1 WITH DataFlowPublic#e1781e31::ContentSet::getAReadContent#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1
        5772824  ~5%    {2} r3 = JOIN r2 WITH project#DataFlowImplForHttpClientLibraries#c536b619::readSet#4#ffff ON FIRST 1 OUTPUT Lhs.1, Rhs.1
                        return r3

Evaluated relational algebra for predicate DataFlowImplForHttpClientLibraries#c536b619::store#5#fffff@016cd9o1 with tuple counts:
         267905  ~0%    {4} r1 = SCAN DataFlowImplCommon#4f8df883::Cached::store#4#ffff OUTPUT In.1, In.0, In.2, In.3
         267905  ~0%    {5} r2 = JOIN r1 WITH DataFlowImplCommon#4f8df883::Cached::MkTypedContent#fff_20#join_rhs ON FIRST 1 OUTPUT Lhs.1, Lhs.0, Lhs.2, Lhs.3, Rhs.1
         267905  ~0%    {5} r3 = JOIN r2 WITH num#DataFlowImplForHttpClientLibraries#c536b619::TNodeNormal#ff ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Lhs.3, Lhs.4, Rhs.1
         267905  ~0%    {5} r4 = JOIN r3 WITH num#DataFlowImplForHttpClientLibraries#c536b619::TNodeNormal#ff ON FIRST 1 OUTPUT Lhs.3, Lhs.1, Lhs.2, Lhs.4, Rhs.1
        2109240  ~0%    {5} r5 = JOIN r4 WITH DataFlowImplForHttpClientLibraries#c536b619::readProj#2#ff ON FIRST 1 OUTPUT Lhs.3, Lhs.1, Lhs.4, Lhs.2, Rhs.1
                        return r5
```
 2022-09-26 20:37:53 +02:00
erik-krogh
0f1a8a6f5b deleted unused internal code 2022-09-26 20:20:52 +02:00
erik-krogh
b83ca08854 deprecate class documented as deprecated 2022-09-26 20:09:54 +02:00
Tom Hvitved
88baf0883a Merge pull request #10358 from hvitved/ruby/dataflow/call-ctx 
Ruby: Context sensitive instance method resolution
 2022-09-26 19:55:10 +02:00