Commit Graph

50816 Commits

Author SHA1 Message Date
Remco Vermeulen
2c42d3cca5 Extract additional taint steps
This is done for logical cohesion. We already have the capability of
extending additional taint steps by extending
`TaintTracking::AdditionalTaintStep`.
2020-07-22 16:04:55 +02:00
Remco Vermeulen
57e7411c0a Extract Ldap injection sanitizers to importable lib
This includes a new abstract class that represents all the Ldap injection
sanitizers and can be used to add additional sanitizers through
extension.
2020-07-22 16:04:55 +02:00
Remco Vermeulen
0d5f9113a3 Extract ldap injection sink into importable library 2020-07-22 16:04:55 +02:00
Rasmus Wriedt Larsen
746c577d72 Python: CG trace: Update naming and add QLDoc 2020-07-22 15:49:11 +02:00
Rasmus Wriedt Larsen
67b45164eb Python: CG trace: Partial matching of BytecodeExpr and AST not safe 2020-07-22 15:19:57 +02:00
Chris Smowton
f8d141f7ff PrintAst: Sort root File nodes by relative path.
This should make graphtext output deterministic, rather than depending on the order the results interpretation step happens to see the nodes.
2020-07-22 13:43:34 +01:00
Rasmus Wriedt Larsen
1e89388f2b Python: CG trace: Don't abuse example dir 2020-07-22 14:22:04 +02:00
Rasmus Wriedt Larsen
ad2e336ead Python: CG trace: Autoformat 2020-07-22 13:53:22 +02:00
Sauyon Lee
c9df4d81b4 Add correctness tag to MistypedExponentiation 2020-07-22 04:26:56 -07:00
Rasmus Wriedt Larsen
ccffa7d99d Python: CG trace: Ignore some calls for call-graph metrics
and provide some internal metrics as well
2020-07-22 13:12:52 +02:00
Chris Smowton
c30d198f3d Switch to using top-level function declarations to filter PrintAst
This means it's no longer possible to ask for the AST of a function literal, but this is hopefully a niche use-case that we can add if and when there is demand.
2020-07-22 10:40:41 +01:00
Rasmus Wriedt Larsen
b227a7ec90 Python: CG trace: Add overall metrics query 2020-07-22 00:55:53 +02:00
Rasmus Wriedt Larsen
278ab4b883 Python: CG trace: Much improved toString for QL 2020-07-22 00:55:53 +02:00
Rasmus Wriedt Larsen
a5838b66ed Python: CG trace: Small improvements to QL code 2020-07-22 00:00:17 +02:00
Rasmus Wriedt Larsen
b86ca19264 Python: CG trace: Apply better_compare_for_dataclass to all 2020-07-21 23:37:33 +02:00
Rasmus Wriedt Larsen
9bff615fad Python: CG trace: Handle BUILD_LIST 2020-07-21 23:08:33 +02:00
Rasmus Wriedt Larsen
8c8656ccca Python: CG trace: Handle BUILD_TUPLE 2020-07-21 23:05:49 +02:00
Rasmus Wriedt Larsen
0d05d96b50 Python: CG trace: Handle CALL_FUNCTION_EX 2020-07-21 22:54:45 +02:00
Rasmus Wriedt Larsen
3539798c22 Python: CG trace: ignore with statement for now 2020-07-21 22:54:19 +02:00
Rasmus Wriedt Larsen
4843d29ad6 Python: CG trace: Cache calls seen
This improved runtime from ~10 seconds to 1 second when running one of the
tests for wcwidth
2020-07-21 22:54:10 +02:00
Rasmus Wriedt Larsen
ebbea0cd61 Python: CG trace: Ignore IMPORT_NAME 2020-07-21 22:17:17 +02:00
Rasmus Wriedt Larsen
6830804112 Python: CG trace: More logging 2020-07-21 22:08:15 +02:00
Rasmus Wriedt Larsen
3752a25665 Python: CG trace: Handle LOAD_DEREF 2020-07-21 22:02:25 +02:00
Rasmus Wriedt Larsen
61b1d3eef3 Python: CG trace: Handle subscript 2020-07-21 21:45:53 +02:00
Rasmus Wriedt Larsen
79c2c682d7 Python: CG trace: Nicer logging 2020-07-21 21:34:20 +02:00
Rasmus Wriedt Larsen
0a7e6a9938 Python: CG trace: Avoid handling jumps for now 2020-07-21 20:07:33 +02:00
Rasmus Wriedt Larsen
4e3ae98ddf Python: CG trace: Handle list-comprehension and iteration
Which relies on LOAD_CONST and MAKE_FUNCTION
2020-07-21 19:54:59 +02:00
Rasmus Wriedt Larsen
58f11194a8 Python: CG trace: Refactoring 2020-07-21 19:53:05 +02:00
Rasmus Wriedt Larsen
290eb638f9 Python: CG trace: Handle SystemExit
otherwise, with-exit would end the tracer without producing any output :|
2020-07-21 19:40:58 +02:00
Rasmus Wriedt Larsen
296d7d1725 Python: CG trace: Allow tracing modules
What would normally be invoked by `python -m <module-name>` now works with
`cg-trace --module <module-name>`.

This is useful for tracing invocations of `pytest`.
2020-07-21 19:39:51 +02:00
Owen Mansel-Chan
3018874f69 Merge pull request #259 from gagliardetto/oauth2-fixed-state
CWE-352: Use of constant `state` in Oauth2 flow
2020-07-21 17:11:46 +01:00
Chris Smowton
09990f9764 Configure plugin AST printer to ignore comments and only print one file 2020-07-21 17:01:07 +01:00
Chris Smowton
b8c4004c59 PrintAst: support excluding comments 2020-07-21 17:01:07 +01:00
Chris Smowton
e0aa59ced1 PrintAst: improve support for restricting subsets of the AST to print
* Exclude function definitions, not just their children, when excluded by configuration
* Allow excluding files
* Test both features
2020-07-21 17:00:28 +01:00
Chris Smowton
a625a4c7d5 Merge pull request #263 from smowton/smowton/feature/order-functypeexpr-children
PrintAst: order parameter and result declarations
2020-07-21 15:47:26 +01:00
Rasmus Wriedt Larsen
91e6222662 Python: Fix SSTI query by importing UntrustedStringKind
Without a concrete ExternalStringKind class, there will be no flow for
ExternalStringKind by default.
2020-07-21 18:01:27 +05:30
Rasmus Wriedt Larsen
9dbd280d31 Python: Fix syntax error 2020-07-21 18:01:27 +05:30
Porcupiney Hairs
49df4169cf Python : Add query to detect Server Side Template Injection 2020-07-21 18:01:27 +05:30
Rasmus Wriedt Larsen
89e8202d11 Python: CG trace: Add some tests using classes 2020-07-21 11:16:52 +02:00
Rasmus Wriedt Larsen
eeeadad359 Python: CG trace: Don't commit examples traces all the time 2020-07-21 11:14:07 +02:00
Rasmus Wriedt Larsen
38af1930fe Python: CG trace: Rename ValidRecordedCall to IdentifiedRecordedCall 2020-07-21 10:19:47 +02:00
Raul Garcia (MSFT)
55473c65f1 Improving documentation 2020-07-20 13:54:23 -07:00
Raul Garcia (MSFT)
9d7d6b39cb Small fixes based on feedback 2020-07-20 11:14:59 -07:00
Andrew Eisenberg
f35343e618 Merge pull request #262 from aeisenberg/aeisenberg/print-ast
Add the printAst contextual query
2020-07-20 11:11:42 -07:00
Slavomir
02b5fce67e Add go.mod to CWE-352 test folder 2020-07-20 17:46:12 +03:00
Chris Smowton
ce0cc31b03 PrintAst: order parameter and result declarations
This adds support for generally overriding the default AstNode child ordering, and uses it to sort parameter and result declarations in the context of a FuncTypeExpr in left-to-right textual order.
2020-07-20 14:32:42 +01:00
Remco Vermeulen
c2733ad22e Apply grammar suggestions
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2020-07-20 14:55:00 +02:00
Rasmus Wriedt Larsen
bbfea44db0 Python: CG trace: Handle multiple calls to same func on same line
Such as

```
one(); one()
```

Now there are no InvalidRecordedCall in the current examples.
2020-07-20 14:54:05 +02:00
Rasmus Wriedt Larsen
cb98f4433d Python: CG trace: Handle multiple calls on one line
Reduced number of InvalidRecordedCall from 16 to 2. These are the calls

```
one(); one()
```

since they are not distinguishable from the expression.
2020-07-20 14:07:09 +02:00
Rasmus Wriedt Larsen
a1c1ab080b Python: CG trace: Add examples of multiple calls on one line
There are currently 16 InvalidRecordedCall
2020-07-20 14:03:37 +02:00