hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-31 08:06:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
60,929 Commits 1,673 Branches 157 Tags
codeql-cli/v2.15.3
Commit Graph

60929 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Joe Farebrother
20d42dfd7d Add tests for webforms case 2023-09-15 10:25:26 +01:00
Joe Farebrother
2edd73eb60 Fix typos in filepath + metadata, add severity 2023-09-15 10:25:26 +01:00
Joe Farebrother
251f875304 Fix filenme typo 2023-09-15 10:25:26 +01:00
Joe Farebrother
5d1289672b Add IDOR query 2023-09-15 10:25:26 +01:00
Joe Farebrother
a510a7b4c0 Add insecure direct object reference definitions and factor out those from missing access control 2023-09-15 10:25:26 +01:00
Mathias Vorreiter Pedersen
6c7833f28c Merge pull request #14223 from MathiasVP/add-explicit-dereferenced-by-operation-base-case-predicate 
C++: Add a `directDereferencedByOperation` predicate
 2023-09-15 10:19:26 +01:00
Tom Hvitved
14561c414b Merge pull request #14225 from hvitved/ruby/fix-bad-join 
Ruby: Fix a bad join
 2023-09-15 10:59:24 +02:00
Tamas Vajk
d725bd9169 C#: Generate source file with implicit usings in Standalone 2023-09-15 10:52:57 +02:00
Chris Smowton
c5001a86f6 Fix test expectations 2023-09-14 20:45:54 +01:00
Tom Hvitved
c83a29c27f Ruby: Fix a bad join 
Before
```
Evaluated relational algebra for predicate Sinatra#e09174a3::Sinatra::ErbLocalsAccessSummary#fff@22c05bb6 with tuple counts:
          212957   ~2195%    {1} r1 = JOIN _Constant#54e8b051::ConstantValue::getStringlikeValue#0#dispred#ff_Expr#6fb2af19::Expr::getConstantV__#shared WITH Expr#6fb2af19::Pair::getKey#0#dispred#ff_1#join_rhs ON FIRST 1 OUTPUT Lhs.1
        43862468   ~6045%    {2} r2 = JOIN r1 WITH Call#841c84e8::MethodCall::getMethodName#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.0
        43862468   ~6581%    {2} r3 = JOIN r2 WITH AST#a6718388::AstNode::getLocation#0#dispred#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.1
        43844886  ~40661%    {2} r4 = JOIN r3 WITH locations_default ON FIRST 1 OUTPUT Rhs.1, Lhs.1
           15004   ~8295%    {3} r5 = JOIN r4 WITH project#Sinatra#e09174a3::Sinatra::ErbLocalsHashSyntheticGlobal#ffff_201#join_rhs ON FIRST 1 OUTPUT Rhs.2, Lhs.1, Rhs.1
           15004   ~8890%    {3} r6 = SCAN r5 OUTPUT ("sinatra_erb_locals_access()" ++ In.0 ++ "#" ++ In.1), In.2, In.1
                             return r6
```

After
```
Evaluated relational algebra for predicate Sinatra#e09174a3::Sinatra::ErbLocalsAccessSummary#fff@f6249cga with tuple counts:
         10237       ~0%    {3} r1 = JOIN locations_default_10#join_rhs WITH project#Sinatra#e09174a3::Sinatra::ErbLocalsHashSyntheticGlobal#ffff_201#join_rhs ON FIRST 1 OUTPUT Lhs.1, Rhs.1, Rhs.2
          4015       ~5%    {3} r2 = JOIN r1 WITH AST#a6718388::AstNode::getLocation#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2
           825      ~96%    {3} r3 = JOIN r2 WITH Call#841c84e8::MethodCall::getMethodName#0#dispred#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2
           940       ~0%    {4} r4 = JOIN r3 WITH Constant#54e8b051::ConstantValue::getStringlikeValue#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2, Lhs.0
        325402       ~0%    {4} r5 = JOIN r4 WITH Expr#6fb2af19::Expr::getConstantValue#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2, Lhs.3
        231819  ~133147%    {3} r6 = JOIN r5 WITH Expr#6fb2af19::Pair::getKey#0#dispred#ff_1#join_rhs ON FIRST 1 OUTPUT Lhs.2, Lhs.3, Lhs.1
        231819  ~138805%    {3} r7 = SCAN r6 OUTPUT ("sinatra_erb_locals_access()" ++ In.0 ++ "#" ++ In.1), In.2, In.1
                            return r7
```
 2023-09-14 21:34:17 +02:00
Harry Maclean
5706bc6205 Ruby: Model GraphQL InputObject arguments 2023-09-14 19:02:39 +01:00
Ian Lynagh
730480360e Merge pull request #14221 from igfoo/igfoo/gradle_seq 
Kotlin: Add more tests to the "gradle sequential" set
 2023-09-14 18:39:11 +01:00
Robert Marsh
eddca7f3f6 Swift: autoformat for for-in changes 2023-09-14 16:48:19 +00:00
Chris Smowton
5f6a40b9e8 Note Kotlin test no longer has CFG dead-ends if ErrorExpr participates in the CFG 2023-09-14 17:42:00 +01:00
Chris Smowton
d9f7180b5c Add missing diagnostic expectations 2023-09-14 17:42:00 +01:00
Chris Smowton
8f940c311a Update expectations and add expected diagnostics 2023-09-14 17:42:00 +01:00
Chris Smowton
a1a7640427 Give ErrorExpr default control flow 
This prevents a CFG dead-end because of one ErrorExpr
 2023-09-14 17:42:00 +01:00
Chris Smowton
b1e128b5c1 Pretty-print a ClassInstanceExpr without a bound constructor nicely 2023-09-14 17:42:00 +01:00
Chris Smowton
9670f20bd7 Add test for method reference whose LHS has unknown type 
This can happen when imports or source classes are missing.
 2023-09-14 17:42:00 +01:00
Chris Smowton
6ea7b195db Add test for a module declaration made in a file named other than module-info.java 
This triggers a weird corner case in our extractor, which used to throw a null pointer exception.
 2023-09-14 17:42:00 +01:00
Chris Smowton
c47ba000d6 Add test exercising the case of a missing type used as an interface 
This induces the TypeEnter phase to create an ErrorType with a parameter, which in turn used to cause a stack overflow in comparing the TypeWrapper objects involved.

Note the output remains somewhat broken, exposing an <any> type, but at least the overflow is resolved.
 2023-09-14 17:42:00 +01:00
Chris Smowton
4b5651bde9 Add test for Java extracting ErrorType 2023-09-14 17:42:00 +01:00
Chris Smowton
c0f8973749 Add test for extracting a Java AST with an error expression 
Also note that ErrorExpr can occur outside upgrade/downgrade scripts
 2023-09-14 17:42:00 +01:00
Chuan-kai Lin
264e57fc59 Merge pull request #14222 from github/mergeback-codeql-cli-2.14.5 
Custom post-release preparation for codeql-cli-2.14.5
 2023-09-14 09:40:11 -07:00
Robert Marsh
ab7cd5254a Swift: update dataflow test for nil coalescing 2023-09-14 16:28:00 +00:00
Mathias Vorreiter Pedersen
8aeb9b9ae0 Merge pull request #14219 from MathiasVP/fix-phi-flow-2 
C++: Fix `phi`->`phi` flow
 2023-09-14 17:22:51 +01:00
Robert Marsh
9a5fa42dbe Swift: CFG for nil coalescing operator 2023-09-14 16:16:30 +00:00
Mathias Vorreiter Pedersen
b18de9e641 C++: Add a named base case predicate for 'dereferencedByOperation' that can be used in queries. 2023-09-14 17:12:58 +01:00
Ian Lynagh
e5ac7620e3 Kotlin: Add more tests to the "gradle sequential" set 2023-09-14 15:44:32 +01:00
AlexDenisov
ff7ff6dcfa Merge pull request #14201 from MathiasVP/add-ast-consistency-query 
C++: Add AST consistency query
 2023-09-14 16:34:20 +02:00
Robert Marsh
56b646a74c Merge branch 'main' into rdmarsh2/swift/for-in 2023-09-14 14:14:06 +00:00
Robert Marsh
55546fe61c Merge pull request #14205 from rdmarsh2/rdmarsh2/swift/unify-array-collection-content 
Swift: Unify `ArrayContent` and `CollectionContent`
 2023-09-14 10:08:37 -04:00
Tom Hvitved
c0e600c515 Merge pull request #12672 from hvitved/ruby/implicit-array-reads-at-sinks 
Ruby: Allow for implicit array reads at all sinks during taint tracking
 2023-09-14 15:39:37 +02:00
Tom Hvitved
61bfc4ec09 Merge pull request #14204 from hvitved/ruby/simplify-viable-callable 
Ruby: Simplify `viableSourceCallableNonInit`
 2023-09-14 15:36:47 +02:00
Robert Marsh
dd01da4938 Swift: AST and CFG tests for nil coalescing 2023-09-14 13:26:41 +00:00
Ian Lynagh
52d924924b Kotlin: Extract LighterAST comments as well as PSI comments 2023-09-14 14:24:52 +01:00
Mathias Vorreiter Pedersen
6ce7a56b41 Merge pull request #14190 from github/alexdenisov/await-inconsistencies 
Swift: fix CFG for identity expressions (await, dot_self, parent)
 2023-09-14 14:15:31 +01:00
Harry Maclean
5411123b8a Ruby: Fix GraphQL test 2023-09-14 14:14:26 +01:00
Robert Marsh
62953cb250 Swift: document "ArrayElement" case in MaD 
Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
 2023-09-14 09:11:35 -04:00
Robert Marsh
6ad78eba05 Swift: ArrayContent aliased to CollectionContent 2023-09-14 13:08:36 +00:00
Mathias Vorreiter Pedersen
b0566af938 C++: Accept test changes. 2023-09-14 14:04:12 +01:00
Mathias Vorreiter Pedersen
36b7b6cffe C++: Fix phi-phi flow. 2023-09-14 14:02:03 +01:00
Mathias Vorreiter Pedersen
2a55034e55 C++: Add failing test. 2023-09-14 14:01:48 +01:00
Michael Nebel
e577fb68bd C#: Add integration test for dotnet dotnet. 2023-09-14 14:59:49 +02:00
Michael Nebel
8768b9e3dd C#: Fix tracer issue with dotnet dotnet. 2023-09-14 14:49:57 +02:00
Erik Krogh Kristensen
7e7852eff6 Merge pull request #13641 from erik-krogh/multi-char 
JS/RB: write qhelp for `incomplete-multi-character-sanitization`
 2023-09-14 14:48:30 +02:00
Harry Maclean
57ae1ee3e9 Ruby: Add test for GraphQL remote flow sources 2023-09-14 13:46:52 +01:00
Harry Maclean
1526fff085 Ruby: Add missing doc comments 2023-09-14 13:46:37 +01:00
Alex Eyers-Taylor
d79a2c7674 CPP:Make __is_trivial a builtin operation. 2023-09-14 12:50:36 +01:00
Harry Maclean
20f1a74202 Ruby: Restrict GraphQL remote flow sources 
Previously we considered any splat parameter in a graphql resolver to be
a remote flow source. Now we limit that to reads of the parameter which
yield scalar types (e.g. String), as defined by the GraphQL schema.

This should reduce GraphQL false positives.
 2023-09-14 12:14:56 +01:00