hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-23 11:22:58 +01:00
Code Issues Packages Projects Releases Wiki Activity
49,367 Commits 1,685 Branches 158 Tags
codeql-cli/v2.12.1
Commit Graph

49367 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Geoffrey White
842af4bf74 C++: Specifically suggest DataFlow as an alternative. 2022-09-12 14:25:45 +01:00
AlexDenisov
be21b26d46 Merge pull request #10045 from github/alexdenisov/swift-cwe-757 
Swift: CWE-757: insecure TLS configuration
 2022-09-12 15:25:15 +02:00
Erik Krogh Kristensen
818601b612 Merge pull request #10285 from erik-krogh/paramClass 
ReDoS: convert RelevantState to a class in the PrefixConstruction module
 2022-09-12 15:23:19 +02:00
Rasmus Lerchedahl Petersen
0f95992b2f Python: remove NonLibraryDataFlowCallable 
this required managing parameters and their pre-update nodes a bit
 2022-09-12 15:17:29 +02:00
Rasmus Wriedt Larsen
4296ac1ac0 Python: Allow CallNode.getArgByName for keyword args after **kwargs 2022-09-12 15:03:13 +02:00
Rasmus Wriedt Larsen
03cc4a2f7a Ruby: Fix typo in QLDoc 2022-09-12 14:35:20 +02:00
Tony Torralba
79a32f1a3e Tainting the freemarker dataModel isn't exploitable 2022-09-12 14:22:06 +02:00
AlexDenisov
568eb3a118 Update swift/ql/src/queries/Security/CWE-757/InsecureTLS.qhelp 
Co-authored-by: hubwriter <hubwriter@github.com>
 2022-09-12 14:00:29 +02:00
erik-krogh
98243118b2 recognize a list of bad strings as a sanitizer for js/prototype-polluting-assignment 2022-09-12 13:41:07 +02:00
erik-krogh
afcb767f8d Merge branch 'main' into js-followMsg 2022-09-12 13:21:16 +02:00
erik-krogh
6ec03d4738 apply suggestions from doc review 2022-09-12 13:16:39 +02:00
erik-krogh
bae4490620 add change-note 2022-09-12 12:12:18 +02:00
erik-krogh
80158f8035 fix some python uses of renamed features 2022-09-12 12:08:30 +02:00
Erik Krogh Kristensen
c9ea10b1ef revise some Python names 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2022-09-12 12:00:57 +02:00
Tony Torralba
dd6257c757 Add security-severity 2022-09-12 11:59:01 +02:00
Tony Torralba
409a123490 Tainting the velocity context isn't exploitable 2022-09-12 11:38:29 +02:00
Erik Krogh Kristensen
3384521fb6 Merge pull request #10357 from erik-krogh/typos 
make a shared library of the typo database
 2022-09-12 11:24:03 +02:00
Erik Krogh Kristensen
cb95e8f263 Merge pull request #10351 from erik-krogh/moreMains 
JS: find a main module in more cases
 2022-09-12 11:01:17 +02:00
Arthur Baars
7ca2e4c51f Merge pull request #9953 from aibaars/update-grammar 
Update tree-sitter-ruby
 2022-09-12 10:51:37 +02:00
Alex Ford
0da367f6e5 Ruby: address QL4QL alerts for rb/sensitive-get-query 2022-09-12 08:56:17 +01:00
Paolo Tranquilli
776df33f55 Swift: fix typos and comments in testCrypto.swift 2022-09-12 08:47:43 +02:00
Rasmus Lerchedahl Petersen
fa2da2f3ec Python: remove NonLibraryNormalCall 
it is not necessary to distinguish these calls,
so we remove the class from the hierarchy.
 2022-09-11 22:25:29 +02:00
Mathias Vorreiter Pedersen
c988547e9c C++: Accept test changes. 2022-09-11 18:31:53 +01:00
Alex Ford
f84035a65c Ruby: add rb/sensitive-get-query query 2022-09-10 17:43:15 +01:00
Rasmus Lerchedahl Petersen
895f5480c2 Python: Added recursion guard 
to ensure that the call graph seen by type tracking
does not include summary calls resolved by type tracking.

(I tried inserting a similar test into the Ruby codebase,
 and it still compiled)

To get this to compile, I had to move the resolution of summary calls
out of the data flow nodes and into the `viableCallable` predicate.
This means that we now have a potential summary call for each
cfg call node. (I tried using the base class, `DataFlowCall`, for this
but calls to `map` got identified as class calls and would no longer
be associated with a summary.)

It is possible that the "NonLIbrary"-layers the were inserted into the
hierarchy can be removed again.
 2022-09-09 22:47:47 +02:00
Geoffrey White
8ac3e10896 C++: Put a warning on the PointsTo library. 2022-09-09 18:03:23 +01:00
Andrew Eisenberg
ed66388551 Port Pack Docs changes to 3.7 
This moves the following three PRs to the 3.7 branch:

- https://github.com/github/codeql/pull/10182
- https://github.com/github/codeql/pull/10146
- https://github.com/github/codeql/pull/10105
 2022-09-09 09:33:25 -07:00
Mathias Vorreiter Pedersen
6dcfe0348b C++: Copy over the required changes to non-experimental libraries. 2022-09-09 17:26:58 +01:00
james
0e5df6c08a delete unused reusable note 2022-09-09 17:14:26 +01:00
james
869833a95a delete old note that refers to lgtm 2022-09-09 17:11:54 +01:00
Mathias Vorreiter Pedersen
5509562fe6 C++: Repair a few broken models that were incorrectly a pointer 
as tainted (instead of the pointee), or vice versa. Because of
existing dataflow pointer/pointee conflation we never noticed that,
but since this PR removes those imprecisions we now need to update
these models.
 2022-09-09 17:04:36 +01:00
Ed Minnix
817f12cae6 Updated expectations file with new message 
The warning message for the `android:allowBackup` query was updated.
This updates the message in the expectations file.
 2022-09-09 11:35:48 -04:00
james
f717dd6c0f remove link to deleted file 2022-09-09 16:10:35 +01:00
james
b3a97f742d Merge branch 'main' into download-db-vs-code 2022-09-09 16:08:08 +01:00
Ian Lynagh
c7e3051edd Merge pull request #10239 from tamasvajk/kotlin-fix-declaration-stack 
Kotlin: Fix declaration stack
 2022-09-09 16:03:31 +01:00
james
356ca78032 Merge branch 'download-db-vs-code' of github.com:jf205/ql into download-db-vs-code 2022-09-09 15:48:22 +01:00
james
fc86347b0f Add section about using the API to download dbs 2022-09-09 15:46:35 +01:00
james
faf1d0a5d9 new screenshot 2022-09-09 15:46:06 +01:00
james
49220a4f19 update info about downloading dbs in vs code 2022-09-09 15:46:06 +01:00
James Fletcher
f17f48d2b3 Merge branch 'main' into download-db-vs-code 2022-09-09 15:44:59 +01:00
Tamás Vajk
05fcbdd9e3 Merge pull request #10365 from tamasvajk/kotlin-fix-isUnspecialised-2 
Kotlin: Fix `isUnspecialised` to handle generic classes inside generic methods
 2022-09-09 16:27:19 +02:00
Edward Minnix III
08a17b355e allowBackup documentation updates 
Make error messages and descriptions clearer about application backups not being disabled, rather than focusing on `android:allowBackup` specifically.

Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2022-09-09 09:30:49 -04:00
Mathias Vorreiter Pedersen
6d313ace2d C++: Copy the new use-use flow code to experimental. 2022-09-09 14:20:10 +01:00
Rasmus Wriedt Larsen
89a331f186 Merge pull request #10359 from tausbn/python-clean-up-import-resolution 
Python: Clean up module resolution
 2022-09-09 15:09:43 +02:00
Tamas Vajk
b8b0fd8a74 Kotlin: Fix isUnspecialised to handle generic classes inside generic methods 2022-09-09 14:32:38 +02:00
Tony Torralba
569fad667a Merge pull request #10360 from atorralba/atorralba/fix-taint-implicit-reads 
Dataflow: Fix implicit reads in taint tracking when FlowStates are used
 2022-09-09 14:28:39 +02:00
erik-krogh
5010f89683 move resolveMainPath into a separate helper predicate 2022-09-09 14:26:07 +02:00
Geoffrey White
6011ae9ecc Merge branch 'main' into cleartext-perf 2022-09-09 11:40:47 +01:00
erik-krogh
6a2fa2e37d add -dev to the codeql/typos version 2022-09-09 12:33:43 +02:00
Geoffrey White
edefda9213 C++: Make QL-for-QL happy. 2022-09-09 11:26:42 +01:00