hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-19 09:24:46 +01:00
Code Issues Packages Projects Releases Wiki Activity
66,447 Commits 1,679 Branches 158 Tags
codeql-cli/v2.17.2
Commit Graph

66447 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Ed Minnix
392eac5f9a Refactor source node classes to use SourceNode superclass 
Refactor the existing flowsource classes to use the `SourceNode` class
to specify which threat model they support.
 2024-01-22 11:09:41 -05:00
Ed Minnix
d29df68c97 Introduce the SourceNode and ThreatModelFlowSource classes 
1. Introduces the `SourceNode` class which allows dataflow nodes
   representing sources to indicate the threat model they are associated
   with.
2. Introduces the `ThreatModelFlowSource` class which represents a
   source node which respects the threat model configuration
 2024-01-22 11:09:39 -05:00
Ed Minnix
ad093fde4f Add dependency on codeql/threat-models shared library 2024-01-22 11:09:38 -05:00
Taus
d6d59377d3 Python: Fix flow through deepcopy 
Or, more generally, any copy step, as these presumably do not preserve
object identity.

(Arguably, `copy` could still be susceptible to interior mutability, but
I think that's outside the scope of this query anyway.)
 2024-01-22 15:40:30 +00:00
Benjamin Rodes
2181fcf284 Updating .expected to account for new free/deallocation sources. 2024-01-22 10:36:24 -05:00
Taus
14c958ac4d Python: Remove mutable default sources from inside stdlib 2024-01-22 15:23:52 +00:00
Taus
411c107660 Python: Add tests for deepcopy FPs 
There are two issues with `deepcopy` here. Firstly, the `deepcopy` function itself
has a mutable default value in its parameter `_nil` (set to the empty list by default).

Now, this value is never actually returned from `deepcopy`, as it is only used as a
sentinel, but our analysis is not clever enough to see this. Thus, it thinks that this
mutable default is returned, and hence the result of any call to `deepcopy` is a
potential source.

To remedy this, I opted to simply exclude all sources that originate from within the
standard library. It is very unlikely for any of the sources in the standard library
to be legit.

Secondly, `deepcopy` -- by virtue of being a function that we model as preserving
values -- admits data-flow through its calls, but this is not correct for the mutable
default query, as it is here the _identity_ of the default value in question that is
important. Thus, we get spurious flow through `deepcopy` for this specific query.
 2024-01-22 15:21:57 +00:00
Tamas Vajk
de4e3963e7 C#: Try fallback nuget restore without nuget.config 2024-01-22 15:42:06 +01:00
Tamas Vajk
7c290ee2ba C#: Add integration test with nuget.config 2024-01-22 15:36:38 +01:00
Geoffrey White
0a8869c636 Merge pull request #15385 from geoffw0/swiftfiles 
Swift: Report any extracted file as successfully extracted
 2024-01-22 14:24:05 +00:00
Taus
4742481070 Python: Consolidate "mutable default" tests 
Moves the existing tests into the `ModificationOfParameterWithDefault` subdirectory
which already contained a bunch more tests. In the process, I also removed some
duplicated test cases.
 2024-01-22 13:50:33 +00:00
Max Schaefer
a4639c7ff9 Update qhelp to mention solution using urlparse. 2024-01-22 13:36:12 +00:00
Max Schaefer
17e3a45ad7 Apply suggestions from code review 
Co-authored-by: Taus <tausbn@github.com>
 2024-01-22 13:36:12 +00:00
Max Schaefer
98178458d0 Python: Add support for more URL redirect sanitisers. 
Since some sanitisers don't handle backslashes correctly, I updated the data-flow configuration to incorporate a flow state tracking whether or not backslashes have been eliminated or converted to forward slashes.
 2024-01-22 13:24:18 +00:00
Max Schaefer
99c99145a2 Rename {source,sink}Model to {source,sink}ModelCandidate. 2024-01-22 13:10:51 +00:00
Michael Nebel
1bb6f4962d C#: Match any {digit} in the format string. 2024-01-22 14:03:37 +01:00
Geoffrey White
58c4bf5915 Merge branch 'main' into cppfiles 2024-01-22 12:24:33 +00:00
Max Schaefer
a3816d75b3 Remove redundant imports. 2024-01-22 10:54:01 +00:00
Max Schaefer
78e5a1a546 Autoformat. 2024-01-22 10:45:33 +00:00
Michael Nebel
b006b28e8a C#: Add change note. 2024-01-22 11:28:27 +01:00
Michael Nebel
5016113a0f C#: Add a string.Format sanitizer to url redirect and update expected test output. 2024-01-22 11:21:35 +01:00
Michael Nebel
884f3f1505 C#: Add string interpolation expression sanitizer to url redirect and update expected test output. 2024-01-22 11:21:19 +01:00
Michael Nebel
e33d5b5fb6 C#: Add some test examples for UrlRedirect using string interpolation and string.Format. 2024-01-22 09:42:23 +01:00
erik-krogh
f60c01e3a8 Py: delete import that no longer exists 2024-01-22 09:22:50 +01:00
erik-krogh
0511786a22 delete typo files from list of synchronized files 2024-01-22 09:15:27 +01:00
erik-krogh
8be7eadace delete outdated deprecations 2024-01-22 09:11:35 +01:00
Erik Krogh Kristensen
6533269387 Merge pull request #15392 from github/dependabot/cargo/ql/regex-1.10.3 
Bump regex from 1.10.2 to 1.10.3 in /ql
 2024-01-22 08:29:35 +01:00
dependabot[bot]
eb1a0fece8 Bump regex from 1.10.2 to 1.10.3 in /ql 
Bumps [regex](https://github.com/rust-lang/regex) from 1.10.2 to 1.10.3.
- [Release notes](https://github.com/rust-lang/regex/releases)
- [Changelog](https://github.com/rust-lang/regex/blob/master/CHANGELOG.md)
- [Commits](https://github.com/rust-lang/regex/compare/1.10.2...1.10.3)

---
updated-dependencies:
- dependency-name: regex
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-01-22 03:54:51 +00:00
Geoffrey White
a39bb8c037 Swift: Rename the query file. 2024-01-19 17:58:58 +00:00
Geoffrey White
c515ea3f8a Swift: Change note. 2024-01-19 17:58:58 +00:00
Geoffrey White
ed602642b6 Swift: Basic test for getRelativePath. 2024-01-19 17:58:58 +00:00
Geoffrey White
8cf691a477 Swift: Add File.getRelativePath and update swift/diagnostics/successfully-extracted-files. 2024-01-19 17:58:58 +00:00
Ian Lynagh
60a59cb89e Kotlin: Update 2.0.0 version support 2024-01-19 17:52:38 +00:00
Geoffrey White
5127542677 C++: Rename the query file. 2024-01-19 16:31:34 +00:00
Geoffrey White
01ee61e5ea C++: Change note. 2024-01-19 15:56:54 +00:00
Geoffrey White
4691bf2cb5 C++: Be more optimistic about successfully scanned files. 2024-01-19 15:55:54 +00:00
Geoffrey White
2eba3db1cb C++: Add a test for SuccessfullyExtractedFiles.ql and friends. 2024-01-19 15:50:28 +00:00
Ian Lynagh
d40814d48a Kotlin: Add 2.0.0 beta 3 and remove beta 1 2024-01-19 13:36:55 +00:00
Chris Smowton
7e1dd38623 Merge pull request #15378 from github/smowton/admin/document-aws-lambda 
Note AWS Lambda support
 2024-01-19 12:11:28 +00:00
Chris Smowton
79928b9f76 Be consistent 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2024-01-19 10:44:36 +00:00
Chris Smowton
e999e38b43 Note AWS Lambda support 
JS/TS support is old; noting for symmetry with advertised support in Python. Golang support is new as of https://github.com/github/codeql/pull/15373
 2024-01-19 10:33:40 +00:00
Tony Torralba
7e7175f49d Merge pull request #15373 from atorralba/atorralba/go/aws-lambda-sources 
Go: Add flow sources for AWS Lambda function handlers
 2024-01-19 11:21:20 +01:00
Joe Farebrother
4de19b3ec9 Merge pull request #15039 from joefarebrother/csharp-razor-flow-page-models 
C#: Add flow steps from a PageModel to cshtml page.
 2024-01-19 10:07:25 +00:00
Tony Torralba
8d6aa281b9 Update go/ql/lib/semmle/go/frameworks/AwsLambda.qll 
Co-authored-by: Chris Smowton <smowton@github.com>
 2024-01-19 10:48:34 +01:00
Pierre
51a65f9794 Merge pull request #15376 from github/sitedocs/2.15.5-2 
Regenerate 2.16.0 changelog with fixed changenote
 2024-01-19 10:43:21 +01:00
Tony Torralba
9a0fb39382 Model StartWithContext 
Co-authored-by: Chris Smowton <smowton@github.com>
 2024-01-19 09:25:35 +01:00
Tony Torralba
d3a9a5ec3f Update go/ql/lib/semmle/go/frameworks/AwsLambda.qll 
Co-authored-by: Chris Smowton <smowton@github.com>
 2024-01-19 09:22:46 +01:00
Michael Nebel
24855ddc64 Merge pull request #15328 from michaelnebel/csharp/inlinearrays 
C# 12: Inline array support.
 2024-01-19 09:11:26 +01:00
Michael Nebel
cb53ca4e1f Merge pull request #15367 from michaelnebel/csharp/nullablesimpletypesanitizer 
C#: Consider nullable simple types as sanitizers.
 2024-01-19 09:09:36 +01:00
Aditya Sharad
a3c0425eb3 Merge pull request #15349 from github/remove-codeql-cli-docs 
Remove outdated CodeQL CLI docs
 2024-01-18 09:45:05 -08:00