Commit Graph

49367 Commits

Author SHA1 Message Date
Geoffrey White
9faa825304 C++: Add support for libxml2 in the query. 2022-05-03 11:19:13 +01:00
Tom Hvitved
e9c8f979f9 Data flow: Sync files 2022-05-03 11:46:51 +02:00
Tom Hvitved
2b4fde74bb Data flow: Speedup subpaths predicate
Before
```
[2022-05-02 15:47:16] (1280s) Tuple counts for DataFlowImpl::Subpaths::subpaths#656de156#ffff/4@c5f3dclb after 3m22s:
                      8389013    ~4%     {5} r1 = JOIN DataFlowImpl::Subpaths::subpaths#656de156#ffff#shared WITH DataFlowImpl::PathNode::getASuccessor#dispred#f0820431#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1 'arg', Lhs.1, Lhs.2, Lhs.3, Lhs.4 'out'
                      6689751    ~0%     {4} r2 = JOIN r1 WITH DataFlowImpl::Subpaths::subpaths03#656de156#ffffff_034512#join_rhs ON FIRST 4 OUTPUT Rhs.4, Lhs.4 'out', Lhs.0 'arg', Rhs.5 'ret'

                      1513839768 ~1%     {5} r3 = JOIN r2 WITH DataFlowImpl::PathNodeImpl::getNodeEx#dispred#f0820431#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1 'out', Lhs.2 'arg', Lhs.3 'ret', Rhs.1 'par', Lhs.3 'ret'
                      1513839768 ~1%     {5} r4 = r3 AND NOT DataFlowImpl::PathNodeImpl::isHidden#dispred#f0820431#f(Lhs.4 'ret')
                      1513839768 ~5%     {4} r5 = SCAN r4 OUTPUT In.1 'arg', In.3 'par', In.0 'out', In.4 'ret'

                      1513839768 ~2%     {4} r6 = JOIN r2 WITH DataFlowImpl::PathNodeImpl::getNodeEx#dispred#f0820431#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.3 'ret', Lhs.1 'out', Lhs.2 'arg', Rhs.1 'par'
                      0          ~0%     {5} r7 = JOIN r6 WITH boundedFastTC(DataFlowImpl::Subpaths::localStepToHidden#656de156#ff_10#higher_order_body,DataFlowImpl::Subpaths::subpaths#656de156#ffff#higher_order_body) ON FIRST 1 OUTPUT Lhs.1 'out', Lhs.2 'arg', Lhs.0, Lhs.3 'par', Rhs.1 'ret'
                      0          ~0%     {5} r8 = r7 AND NOT DataFlowImpl::PathNodeImpl::isHidden#dispred#f0820431#f(Lhs.4 'ret')
                      0          ~0%     {4} r9 = SCAN r8 OUTPUT In.1 'arg', In.3 'par', In.0 'out', In.4 'ret'

                      1513839768 ~5%     {4} r10 = r5 UNION r9
                      6689751    ~0%     {4} r11 = JOIN r10 WITH DataFlowImpl::PathNode::getASuccessor#dispred#f0820431#ff ON FIRST 2 OUTPUT Lhs.0 'arg', Lhs.1 'par', Lhs.3 'ret', Lhs.2 'out'
                                         return r11
```

After
```
[2022-05-03 11:44:10] (969s) Tuple counts for DataFlowImpl::Subpaths::subpaths#656de156#ffff/4@b26b969r after 11.8s:
                      8372525 ~0%     {3} r1 = JOIN DataFlowImpl::PathNode::getASuccessor#dispred#f0820431#ff_10#join_rhs WITH DataFlowImpl::PathNodeImpl::getNodeEx#dispred#f0820431#ff ON FIRST 1 OUTPUT Lhs.1 'arg', Rhs.1, Rhs.0
                      6673799 ~6%     {9} r2 = JOIN r1 WITH DataFlowImpl::Subpaths::subpaths03#656de156#fffffffff ON FIRST 2 OUTPUT Rhs.3, Rhs.4, Rhs.5, Rhs.7, Rhs.6, Rhs.8, Lhs.2 'par', Lhs.0 'arg', Rhs.2 'ret'

                      6637884 ~0%     {5} r3 = JOIN r2 WITH project#DataFlowImpl::pathNode#656de156#ffffffff_1234560#join_rhs ON FIRST 6 OUTPUT Lhs.6 'par', Lhs.7 'arg', Lhs.8 'ret', Rhs.6 'out', Lhs.8 'ret'

                      6637884 ~0%     {4} r4 = JOIN r2 WITH project#DataFlowImpl::pathNode#656de156#ffffffff_1234560#join_rhs ON FIRST 6 OUTPUT Rhs.6 'out', Lhs.6 'par', Lhs.7 'arg', Lhs.8 'ret'

                      51867   ~0%     {5} r5 = JOIN r4 WITH DataFlowImpl::PathNodeMid::projectToSink#dispred#f0820431#ff ON FIRST 1 OUTPUT Lhs.1 'par', Lhs.2 'arg', Lhs.3 'ret', Rhs.1 'out', Lhs.3 'ret'

                      6689751 ~0%     {5} r6 = r3 UNION r5
                      6689751 ~0%     {5} r7 = r6 AND NOT DataFlowImpl::PathNodeImpl::isHidden#dispred#f0820431#f(Lhs.4 'ret')
                      6689751 ~0%     {4} r8 = SCAN r7 OUTPUT In.1 'arg', In.0 'par', In.4 'ret', In.3 'out'

                      6637884 ~0%     {4} r9 = JOIN r2 WITH project#DataFlowImpl::pathNode#656de156#ffffffff_1234560#join_rhs ON FIRST 6 OUTPUT Lhs.8 'ret', Lhs.6 'par', Lhs.7 'arg', Rhs.6 'out'

                      51867   ~0%     {4} r10 = JOIN r4 WITH DataFlowImpl::PathNodeMid::projectToSink#dispred#f0820431#ff ON FIRST 1 OUTPUT Lhs.3 'ret', Lhs.1 'par', Lhs.2 'arg', Rhs.1 'out'

                      6689751 ~0%     {4} r11 = r9 UNION r10
                      0       ~0%     {5} r12 = JOIN r11 WITH boundedFastTC(DataFlowImpl::Subpaths::localStepToHidden#656de156#ff_10#higher_order_body,DataFlowImpl::Subpaths::subpaths#656de156#ffff#higher_order_body) ON FIRST 1 OUTPUT Lhs.1 'par', Lhs.2 'arg', Lhs.0, Lhs.3 'out', Rhs.1 'ret'
                      0       ~0%     {5} r13 = r12 AND NOT DataFlowImpl::PathNodeImpl::isHidden#dispred#f0820431#f(Lhs.4 'ret')
                      0       ~0%     {4} r14 = SCAN r13 OUTPUT In.1 'arg', In.0 'par', In.4 'ret', In.3 'out'

                      6689751 ~0%     {4} r15 = r8 UNION r14
                                      return r15
```
2022-05-03 11:45:28 +02:00
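Added example, not code from the commit above or from the CodeQL project: a small Python parser for the evaluator tuple-count format quoted in that commit message, which finds the largest intermediate relation in each trace and checks that the before/after results are the same size. The two embedded logs are abbreviated copies of the commit's Before/After output (most steps dropped, join expressions shortened), constructed for this example; the `~N%` annotation is recorded but not interpreted.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Header the evaluator prints before a predicate's tuple counts, e.g.
#   [2022-05-03 11:44:10] (969s) Tuple counts for Foo::bar#abcd/4@deadbeef after 11.8s:
HEADER_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+\((?P<elapsed>\d+)s\)\s+Tuple counts for\s+"
    r"(?P<pred>\S+)\s+after\s+(?P<dur>\S+):"
)
# One relational-algebra step:  <tuples> ~<pct>% {<arity>} rN = <expr>
STEP_RE = re.compile(
    r"^\s*(?P<tuples>\d+)\s+~(?P<pct>\d+)%\s+\{(?P<arity>\d+)\}\s+"
    r"(?P<name>r\d+)\s*=\s*(?P<expr>.+?)\s*$"
)
RETURN_RE = re.compile(r"^\s*return\s+(?P<name>r\d+)\s*$")


@dataclass
class Step:
    name: str
    tuples: int
    arity: int
    expr: str


@dataclass
class PredicateTrace:
    predicate: Optional[str]
    steps: List[Step]
    returned: Optional[str]


def parse_tuple_counts(text: str) -> PredicateTrace:
    """Parse one 'Tuple counts for ...' block; unrecognised lines are ignored."""
    predicate, steps, returned = None, [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            predicate = m.group("pred")
            continue
        m = STEP_RE.match(line)
        if m:
            steps.append(Step(m.group("name"), int(m.group("tuples")),
                              int(m.group("arity")), m.group("expr")))
            continue
        m = RETURN_RE.match(line)
        if m:
            returned = m.group("name")
    return PredicateTrace(predicate, steps, returned)


def peak_step(trace: PredicateTrace) -> Step:
    """The intermediate with the most tuples: the usual sign of a bad join order."""
    return max(trace.steps, key=lambda s: s.tuples)


def result_tuples(trace: PredicateTrace) -> int:
    """Size of the relation named on the 'return rN' line."""
    by_name = {s.name: s for s in trace.steps}
    return by_name[trace.returned].tuples


def compare(before: str, after: str) -> dict:
    """Summarise a before/after pair: peak intermediates and whether the result size is unchanged."""
    b, a = parse_tuple_counts(before), parse_tuple_counts(after)
    pb, pa = peak_step(b), peak_step(a)
    return {
        "before_peak": (pb.name, pb.tuples),
        "after_peak": (pa.name, pa.tuples),
        "peak_reduction": pb.tuples / pa.tuples,
        "same_result_size": result_tuples(b) == result_tuples(a),
    }


# Constructed, abbreviated versions of the commit's logs (expressions shortened).
BEFORE_LOG = """\
[2022-05-02 15:47:16] (1280s) Tuple counts for DataFlowImpl::Subpaths::subpaths#656de156#ffff/4@c5f3dclb after 3m22s:
                      8389013    ~4%     {5} r1 = JOIN subpaths#shared WITH getASuccessor#join_rhs ON FIRST 1 OUTPUT Rhs.1 'arg', Lhs.1, Lhs.2, Lhs.3, Lhs.4 'out'
                      6689751    ~0%     {4} r2 = JOIN r1 WITH subpaths03#join_rhs ON FIRST 4 OUTPUT Rhs.4, Lhs.4 'out', Lhs.0 'arg', Rhs.5 'ret'
                      1513839768 ~1%     {5} r3 = JOIN r2 WITH getNodeEx#join_rhs ON FIRST 1 OUTPUT Lhs.1 'out', Lhs.2 'arg', Lhs.3 'ret', Rhs.1 'par', Lhs.3 'ret'
                      6689751    ~0%     {4} r11 = JOIN r10 WITH getASuccessor ON FIRST 2 OUTPUT Lhs.0 'arg', Lhs.1 'par', Lhs.3 'ret', Lhs.2 'out'
                                         return r11
"""

AFTER_LOG = """\
[2022-05-03 11:44:10] (969s) Tuple counts for DataFlowImpl::Subpaths::subpaths#656de156#ffff/4@b26b969r after 11.8s:
                      8372525 ~0%     {3} r1 = JOIN getASuccessor#join_rhs WITH getNodeEx ON FIRST 1 OUTPUT Lhs.1 'arg', Rhs.1, Rhs.0
                      6673799 ~6%     {9} r2 = JOIN r1 WITH subpaths03 ON FIRST 2 OUTPUT Rhs.3, Rhs.4, Rhs.5, Rhs.7, Rhs.6, Rhs.8, Lhs.2 'par', Lhs.0 'arg', Rhs.2 'ret'
                      6689751 ~0%     {4} r15 = r8 UNION r14
                                       return r15
"""

if __name__ == "__main__":
    print(compare(BEFORE_LOG, AFTER_LOG))
```

Run on the real logs, `compare` reports the 1.5 billion-tuple `r3` as the before peak against an 8.4 million-tuple `r1` after, with the returned relation the same size (6689751) in both, which is the check to make after any join-order change: the intermediates shrink, the result does not.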
Anders Schack-Mulligen
249f771fad Merge pull request #8952 from cklin/fix-ql-comments-syntax
Fix syntax errors in QL comments
2022-05-03 11:15:56 +02:00
Jeroen Ketema
904ff1a569 Merge pull request #8943 from jbj/remove-gvn-imports
C++: Remove import order workarounds
2022-05-03 11:01:02 +02:00
Nick Rolfe
00bf352b50 Ruby: fix some flow summary join orders
The flow summaries that are implemented with an abstract base class
restricting the method name, and child classes using that method name,
had unfortunate join orders:

r1 = JOIN Call::MethodCall::getMethodName#dispred#f0820431#ff WITH Call::MethodCall::getMethodName#dispred#f0820431#ff ON FIRST 1 OUTPUT Lhs.0, (Lhs.1 ++ "_arg"), Rhs.1
2022-05-03 09:58:40 +01:00
mc
58a2677cf7 Merge pull request #8860 from github/jf205-patch-1
Fix broken link in analyzing-databases-with-the-codeql-cli.rst
2022-05-03 09:56:49 +01:00
Mathias Vorreiter Pedersen
73886b1040 Merge pull request #8948 from geoffw0/xxe3
C++: Add support for SAXParser to the CWE-611 XXE query.
2022-05-03 09:42:10 +01:00
Tony Torralba
c66e583aea Make more ExternalFlow imports private 2022-05-03 10:31:29 +02:00
Arthur Baars
19e4d34581 Update ruby/ql/lib/change-notes/2022-04-30-update-grammar.md
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
2022-05-03 10:08:29 +02:00
Erik Krogh Kristensen
806dacb0e3 Merge pull request #8989 from erik-krogh/mentionAll
JS/RB: have `ApiGraphModelsSpecific.qll` mention all the required predicates
2022-05-03 09:42:41 +02:00
Tony Torralba
5c574906fe Merge pull request #9010 from github/workflow/coverage/update
Update CSV framework coverage reports
2022-05-03 09:23:53 +02:00
github-actions[bot]
433beaf637 Add changed framework coverage reports 2022-05-03 00:15:34 +00:00
Daniel Santos
fddb465260 Update javascript/ql/lib/semmle/javascript/security/dataflow/XssThroughDomCustomizations.qll
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2022-05-02 14:00:45 -05:00
Robert Marsh
ffd2cd7f40 C++: cleanup some implicit this usage 2022-05-02 12:38:04 -04:00
Robert Marsh
7993cba457 C++: fix global vars accesses in global vars 2022-05-02 12:27:10 -04:00
Robert Marsh
b5a2a2e8c2 C++: test for global var access in a global var 2022-05-02 12:07:01 -04:00
Tony Torralba
de8b5f927b Adjust test expectations 2022-05-02 16:55:11 +02:00
Tony Torralba
29b430e49b Make commits private 2022-05-02 16:55:01 +02:00
Anders Schack-Mulligen
86516b157b Merge pull request #8884 from JLLeitschuh/feat/JLL/additional-file-taint-flow
Java: Add additional `File` taint value flow models
2022-05-02 16:30:45 +02:00
Tony Torralba
9a35aba465 Add change notes 2022-05-02 15:45:44 +02:00
Tony Torralba
1cf4b60769 Simplify non-https-url query 2022-05-02 15:43:07 +02:00
Tony Torralba
8602a6f6c9 Add models for OkHttp and Retrofit 2022-05-02 15:42:15 +02:00
Rasmus Wriedt Larsen
7e1be3172e Python: Add change-note 2022-05-02 14:24:13 +02:00
Rasmus Wriedt Larsen
de4390cdf6 Python: Improve Flask request.files handling even more 2022-05-02 14:19:45 +02:00
Rasmus Wriedt Larsen
fb0133d276 Python: Fix Flask request.files modeling 2022-05-02 14:14:58 +02:00
Rasmus Wriedt Larsen
0c62916af5 Python: Highlight problem with Flask request.files modeling 2022-05-02 14:14:53 +02:00
Erik Krogh Kristensen
c0eca0d09a deprecate SqlConstruction 2022-05-02 12:58:21 +02:00
Erik Krogh Kristensen
6c67e51ec3 add test for the .Call token 2022-05-02 12:58:21 +02:00
Erik Krogh Kristensen
9c3d45a16a last test of taint steps 2022-05-02 12:58:21 +02:00
Erik Krogh Kristensen
894252dfa7 third test of taint steps 2022-05-02 12:58:21 +02:00
Erik Krogh Kristensen
0f1e070d82 second test of taint steps 2022-05-02 12:58:21 +02:00
Erik Krogh Kristensen
649df1dd31 simple taint-flow test 2022-05-02 12:58:21 +02:00
Erik Krogh Kristensen
a8790412dd add support for the Argument[any] and Argument[any-named] tokens 2022-05-02 12:58:21 +02:00
Erik Krogh Kristensen
b1fa7f86a8 add support for the any argument tokens 2022-05-02 12:58:15 +02:00
Erik Krogh Kristensen
413d182bcf add support for named parameters 2022-05-02 12:56:44 +02:00
Erik Krogh Kristensen
c1d3738fb8 fix API-graphs such that the first parameter is the first non-self parameter 2022-05-02 12:52:02 +02:00
Erik Krogh Kristensen
547047ef19 add self parameters to API-graphs, and add support for self parameters in MaD 2022-05-02 12:50:31 +02:00
Erik Krogh Kristensen
dc38aa8a96 add support for the Method[name] token 2022-05-02 12:50:29 +02:00
Erik Krogh Kristensen
ea01bcf5ec have the Instance token be an alias for Subclass.ReturnValue 2022-05-02 12:45:21 +02:00
Erik Krogh Kristensen
46acce0ad4 add support for the Subclass token 2022-05-02 12:45:21 +02:00
Erik Krogh Kristensen
a02e812de8 add test for the Instance token 2022-05-02 12:45:21 +02:00
Erik Krogh Kristensen
682cab3737 add test for awaited 2022-05-02 12:45:21 +02:00
Erik Krogh Kristensen
48408ca45d Add TODO list 2022-05-02 12:45:21 +02:00
Erik Krogh Kristensen
8d60336396 add tests for callsite filters 2022-05-02 12:45:21 +02:00
Erik Krogh Kristensen
20992af037 add test for parameter syntax 2022-05-02 12:45:21 +02:00
Erik Krogh Kristensen
35b143a1a5 add tests for argument syntax 2022-05-02 12:45:21 +02:00
Erik Krogh Kristensen
86a9bc6aca add test for keyword arguments 2022-05-02 12:45:21 +02:00
Erik Krogh Kristensen
d4b882519a convert most of the asyncpg model to MaD 2022-05-02 12:45:21 +02:00
Erik Krogh Kristensen
1c2c9159a9 initial MaD implementation for Python 2022-05-02 12:45:19 +02:00