hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-10 20:21:10 +01:00
Code Issues Packages Projects Releases Wiki Activity
62,527 Commits 1,690 Branches 160 Tags
codeql-cli/v2.16.0
Commit Graph

62527 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
erik-krogh
e00c41c6e2 add change-note and bump version 2023-03-16 22:37:56 +01:00
erik-krogh
a63739915d add test confirming support for const type parameters 2023-03-16 22:37:35 +01:00
erik-krogh
2c1c41d8a3 add test confirming end-to-end support for well-typed decorators with the new TS 5.0 type ClassMethodDecoratorContext 2023-03-16 22:37:35 +01:00
erik-krogh
d47659b48e upgrade to TypeScript 5.0 beta, and unbreak things that broke 2023-03-16 22:37:35 +01:00
Maiky
37e42bb05b Missing markdown extension 2023-03-16 20:45:35 +01:00
Mathias Vorreiter Pedersen
ebab6ecc30 Merge pull request #12559 from MathiasVP/test9-range-check 2023-03-16 19:18:38 +00:00
Henry Mercer
74cc1a42d0 JS: Update for renamed com.semmle.util.diagnostics package 2023-03-16 18:19:10 +00:00
Geoffrey White
880f948763 Merge pull request #12560 from geoffw0/testcustominterp 
Swift: Add taint test for custom string interpolation.
 2023-03-16 17:44:37 +00:00
Mathias Vorreiter Pedersen
406d02253d C++: Add 'range(x)' call demonstrating missing bounds. 2023-03-16 17:08:53 +00:00
Geoffrey White
3a04e42ae0 Swift: Add taint test for string interpolation. 2023-03-16 17:04:46 +00:00
Chris Smowton
3e9924fcd2 Add change note 2023-03-16 15:35:00 +00:00
Chris Smowton
647bd44666 Go: exclude net/http.Header.Set and .Del from go/untrusted-data-to-external-api 
These functions (and doubtless many others) are write-only with respect to their receiver argument, so it doesn't really make sense to flag externally-controlled data flowing there.
 2023-03-16 15:31:35 +00:00
Ian Lynagh
f9bb0df6a2 Kotlin: Update expected PrintAst output 2023-03-16 15:20:07 +00:00
Ian Lynagh
13c2ef8c20 Java: PrintAst: Improve the ranking or callables 
We now look not only at how many parameters each callable has, but what
its full signature is. This allows us to give a consistent order to
    Test(Throwable) { ... }
    Test(String) { ... }
 2023-03-16 15:20:07 +00:00
Maiky
a229f7a832 Solve merge conflict and add a change note 2023-03-16 16:15:02 +01:00
Tom Hvitved
f35fb13723 Add change note 2023-03-16 15:18:47 +01:00
Tom Hvitved
9d3863eccc Ruby: Rely on built-in hash-flow in clear text storage query 2023-03-16 14:55:06 +01:00
Asger F
bce1f29a7e JS: Add change note 2023-03-16 14:55:00 +01:00
Asger F
86a06bde72 JS: Flag crypto operations with weak block mode 2023-03-16 14:52:52 +01:00
Asger F
e907d685f4 JS: Add crypto test with AES-ECB 2023-03-16 14:52:18 +01:00
Tom Hvitved
ae10e6e08f Ruby: Add a test that shows FP/FN for clear text logging query 2023-03-16 14:38:45 +01:00
Jeroen Ketema
66b03dbd1d Apply suggestions from code review 2023-03-16 14:29:16 +01:00
Jeroen Ketema
e7079b35bc Apply suggestions from code review 2023-03-16 14:28:17 +01:00
erik-krogh
880632f536 use Number.qll to parse hex numbers in regex parsing for Python/Java 2023-03-16 14:25:53 +01:00
Michael Nebel
3fea9e4d0b Sync files. 2023-03-16 14:12:29 +01:00
Michael Nebel
2e86bbd6cd Java: Introduce helper predicate to avoid empty predicate in IPA branch. 2023-03-16 14:11:53 +01:00
github-actions[bot]
fe4d27e8cc Release preparation for version 2.12.5 2023-03-16 12:58:50 +00:00
Geoffrey White
170fde5bc0 Swift: Add some more test cases. 2023-03-16 12:53:06 +00:00
Michael Nebel
a9e5b34ad6 Merge pull request #12200 from michaelnebel/csharp/viablestatic 
C#: Support for virtual dispatch for operators.
 2023-03-16 13:36:00 +01:00
erik-krogh
f718d78a9a avoid redundant sources 2023-03-16 13:34:01 +01:00
Mathias Vorreiter Pedersen
d02a50a504 Merge pull request #10817 from github/mathiasvp/replace-ast-with-ir-use-usedataflow 
C++: Replace AST with IR use-use dataflow
 2023-03-16 12:31:01 +00:00
Rasmus Lerchedahl Petersen
f9bffb5454 python: add change note 2023-03-16 12:55:58 +01:00
Rasmus Lerchedahl Petersen
4713ba1e12 python: more results no longer missing 
Adjusted `tracked.ql`
- no need to annotate results on line 0
  this could happen for global SSA variables
- no need to annotate scope entry definitons
  they look a bit weird, as the annotation goes on the
  line of the function definition.
 2023-03-16 12:55:58 +01:00
Rasmus Lerchedahl Petersen
2318752c14 python: add reads of captured variables to 
type tracking and the API graph.

- In `TypeTrackerSpecific.qll` we add a jump step
  - to every scope entry definition
  - from the value of any defining `DefinitionNode`
    (In our example, the definition is the class name, `Users`,
     while the assigned value is the class definition, and it is
     the latter which receives flow in this case.)
- In `LocalSources.qll` we allow scope entry definitions as local sources.
  - This feels natural enough, as they are a local source for the value, they represent.
    It is perhaps a bit funne to see an Ssa variable here,
    rather than a control flow node.
 - This is necessary in order for type tracking to see the local flow
    from the scope entry definition.
- In `ApiGraphs.qll` we no longer restrict the result of `trackUseNode`
  to be an `ExprNode`. To keep the positive formulation, we do not
  prohibit module variable nodes. Instead we restrict to the new
  `LocalSourceNodeNotModule` which avoids those cases.
 2023-03-16 12:55:58 +01:00
Rasmus Lerchedahl Petersen
7e003f63b9 python: add test for flask example 
This is a condensed versio of the user reported example
found [here](eb377d5918/app.py (L278))
The `MISSING` annotation indicates where our API graph falls short.
 2023-03-16 12:53:40 +01:00
erik-krogh
b208988675 Py: add test for problematic regex 2023-03-16 12:21:00 +01:00
erik-krogh
54ec047433 ReDoS: put an artificial limitation on the analysis in polynomial-redos for large regular expressions 2023-03-16 12:20:53 +01:00
Tom Hvitved
1d0b3d4112 Ruby: Ssa::WriteDefinition::getWriteAccess should return a CFG node 2023-03-16 11:28:24 +01:00
Chris Smowton
3ff60e076c Merge pull request #12548 from github/dependabot/github_actions/actions/setup-go-4 
Bump actions/setup-go from 3 to 4
 2023-03-16 10:21:51 +00:00
erik-krogh
8bc8342c7c Py:don't parse regular expressions in system-code 2023-03-16 10:41:30 +01:00
Erik Krogh Kristensen
be8f04a997 Merge pull request #12525 from github/dependabot/cargo/ql/serde-1.0.156 
Bump serde from 1.0.155 to 1.0.156 in /ql
 2023-03-16 10:36:11 +01:00
Erik Krogh Kristensen
48f889b055 Merge pull request #12496 from github/dependabot/cargo/ql/chrono-0.4.24 
Bump chrono from 0.4.23 to 0.4.24 in /ql
 2023-03-16 10:35:59 +01:00
Jeroen Ketema
8aa9207281 Merge remote-tracking branch 'upstream/main' into mathiasvp/replace-ast-with-ir-use-usedataflow 2023-03-16 10:28:44 +01:00
Tom Hvitved
a13b6ed230 Merge pull request #12536 from hvitved/dataflow/call-enclosing-callable-consistency-check 
Data flow: Add consistency check for `DataFlowCall::getEnclosingCallable`
 2023-03-16 10:19:42 +01:00
Geoffrey White
7feab09ea9 Swift: Specialize the additional taint step a bit more. 2023-03-16 08:57:31 +00:00
Rasmus Wriedt Larsen
b3a49ab143 Merge pull request #12467 from RasmusWL/kwargs-parameter-position-fixup 
Python/Ruby: Use new parameter position for synthetic hash-splat instead
 2023-03-16 09:52:46 +01:00
Mathias Vorreiter Pedersen
eec1e9ffcd C++: Fix change note. 2023-03-16 08:01:07 +00:00
Mathias Vorreiter Pedersen
7585a3862f Merge branch 'main' into mathiasvp/replace-ast-with-ir-use-usedataflow 2023-03-16 07:57:20 +00:00
Mathias Vorreiter Pedersen
58602927bd C++: Add change note. 2023-03-16 07:57:03 +00:00
Tom Hvitved
404ead8a18 Python: Update expected test output 2023-03-16 08:40:53 +01:00