Esben Sparre Andreasen
305a249280
JS: add taint steps for fs.realpath and fs.realpathSync
2019-02-21 09:48:35 +01:00
Esben Sparre Andreasen
27cae0c190
JS: model one more 'autobind' for js/unbound-event-handler-receiver
2019-02-21 08:23:54 +01:00
Raul Garcia
143b1e576e
Update .gitignore
2019-02-20 17:10:32 -08:00
Raul Garcia
fa73b8488a
Update .gitignore
2019-02-20 17:10:19 -08:00
Raul Garcia
7d197692ac
Adding a new rule for detecting usage of static objects that implement ICryptoTransform that would be thread-unsafe, and potentially result in incorrect cryptographic results.
2019-02-20 17:07:04 -08:00
yh-semmle
a4beb03e15
Java: respect override annotations in java/unused-parameter
2019-02-20 15:27:35 -05:00
calum
40f3b8b439
C#: Address review comments (documentation).
2019-02-20 18:00:30 +00:00
james
2cf247d739
update link in readme file
2019-02-20 16:59:40 +00:00
james
50ad8a4089
update link in vue.qll
2019-02-20 16:43:56 +00:00
semmle-qlci
f5e419e774
Merge pull request #933 from xiemaisi/js/createContextualFragment
Approved by asger-semmle
2019-02-20 12:42:27 +00:00
Taus
caf0bfe858
Merge pull request #951 from markshannon/python-string-tests
Python: Add a test for handling of corner-case strings.
2019-02-20 12:46:42 +01:00
Mark Shannon
adadd4942b
Python: Remove BuiltinFunctionObject module as it is clearer and more concise to use ModuleObject::builtin().
2019-02-20 11:23:48 +00:00
Mark Shannon
98be27a73e
Python: Add 'attr' predicate as a synonym for 'getAttribute' to help readability.
2019-02-20 11:08:44 +00:00
Geoffrey White
7b0f310856
CPP: Add query IDs to change note.
2019-02-20 10:38:49 +00:00
Mark Shannon
35fa5d8f60
Python move various theXXX() predicates into the appropriate module.
2019-02-20 10:34:08 +00:00
Mark Shannon
76d1fba9f0
Python: Add a test for handling of corner-case strings.
2019-02-20 10:26:40 +00:00
Geoffrey White
bc0387dc9a
CPP: Change note.
2019-02-20 10:21:49 +00:00
Geoffrey White
d30bcb6fcf
CPP: Widen allocReachedVariable slightly.
2019-02-20 10:19:57 +00:00
Geoffrey White
23ae12a763
CPP: Add test cases.
2019-02-20 10:19:57 +00:00
Geoffrey White
6a17ebbd1b
CPP: Add test cases and renumber.
2019-02-20 10:09:57 +00:00
Geoffrey White
4e77f586da
CPP: Fix file names.
2019-02-20 10:08:27 +00:00
Jonas Jensen
2dea0b4270
Merge pull request #879 from rdmarsh2/rdmarsh/cpp/ir-guards-edges
C++: Add edge-based predicates to IRGuards
2019-02-19 16:54:52 +01:00
Taus
9e1a5238ac
Merge pull request #950 from markshannon/python-fix-a-couple-of-performance-issues
Python: fix a couple of performance issues
2019-02-19 16:15:19 +01:00
Mark Shannon
4e8e4aed3d
Python: factor out helper predicate to prevent bad join-order.
2019-02-19 12:40:56 +00:00
Mark Shannon
17681d6de4
Python: factor out helper predicate to prevent bad join-order.
2019-02-19 12:21:41 +00:00
semmle-qlci
9dc624578e
Merge pull request #949 from rneatherway/dbscheme-mode
Approved by esben-semmle
2019-02-19 10:01:59 +00:00
Robin Neatherway
88bc1be98f
Add simple mode for highlighting QL dbschemes
2019-02-19 09:56:39 +00:00
semmle-qlci
62c0eea572
Merge pull request #939 from yh-semmle/java-frameworks
Approved by pavgust
2019-02-18 17:06:34 +00:00
Jonas Jensen
2550788598
C++: Accept test changes to getRelativePath
After a `queries.xml` was added to the test directory,
`Container.getRelativePath` now considers source files to be relative to
the `cpp/test` directory rather than the directory of the `*.ql*` file.
This caused some benign test output changes, and it also caused an
unwanted alert for `test3.c:14` to appear in
`cpp/ql/test/query-tests/Security/CWE/CWE-190/semmle/tainted/IntegerOverflowTainted.expected`.
This alert came about because `inSystemMacroExpansion` holds for files
that don't have a relative path, but the pretend system header in
`../system_header` now does have a relative path because it's below the
`cpp/test` directory. The fix is to add another `queries.xml` just for
the directory with the affected test.
2019-02-18 14:41:28 +01:00
Taus
1b25573cc0
Merge pull request #872 from markshannon/python-bottle
Python: Add support for bottle framework.
2019-02-18 12:34:44 +01:00
Jonas Jensen
9dc3b93164
Merge pull request #916 from geoffw0/largeparam
CPP: Update severity/precision of LargeParameter.ql.
2019-02-18 12:23:00 +01:00
calum
b0e2e436a7
C#: Fix documentation.
2019-02-18 09:37:10 +00:00
Tom Hvitved
5ce9b25ec9
C#: Improve CFG for assignments
Write accesses in assignments, such as the access to `x` in `x = 0`, are not
evaluated, so they should not have entries in the control flow graph. However,
qualifiers (and indexer arguments) should still be evaluated, for example in
```
x.Foo.Bar = 0;
```
the CFG should be `x --> x.Foo --> 0 --> x.Foo.Bar = 0` (as opposed to
`x --> x.Foo --> x.Foo.Bar --> 0 --> x.Foo.Bar = 0`, prior to this change).
A special case is assignments via accessors (properties, indexers, and event
adders), where we do want to include the access in the control flow graph,
as it represents the accessor call:
```
x.Prop = 0;
```
But instead of `x --> x.set_Prop --> 0 --> x.Prop = 0` the CFG should be
`x --> 0 --> x.set_Prop --> x.Prop = 0`, as the setter is called *after* the
assigned value has been evaluated.
An even more special case is tuple assignments via accessors:
```
(x.Prop1, y.Prop2) = (0, 1);
```
Here the CFG should be
`x --> y --> 0 --> 1 --> x.set_Prop1 --> y.set_Prop2 --> (x.Prop1, y.Prop2) = (0, 1)`.
2019-02-16 19:19:24 +01:00
yh-semmle
ca3aaa8c75
Java: add change note for additional framework support
2019-02-15 20:01:08 -05:00
yh-semmle
64b2d331ae
Java: add test for Guice framework support
2019-02-15 20:01:08 -05:00
yh-semmle
b0d9c80ccc
Java: add taint steps for Protobuf framework
2019-02-15 20:01:07 -05:00
yh-semmle
fc4aa16905
Java: add remote user input for Apache Thrift framework
2019-02-15 20:01:07 -05:00
yh-semmle
751bbbf583
Java: add remote user input for Struts 2 ActionSupport
2019-02-15 20:01:06 -05:00
yh-semmle
a436369846
Java: add remote user input and taint step for Guice framework
2019-02-15 20:01:06 -05:00
Asger F
e7e29101e4
JS: add StringOps::Concatenation
2019-02-15 16:57:26 +00:00
Asger F
c115451b9d
JS: Fix copy-pasta bug
2019-02-15 16:48:42 +00:00
Asger F
ab0ed66266
JS: Add EndsWith::Range
2019-02-15 16:48:15 +00:00
Asger F
2ccfd73be5
JS: Add Includes::Range
2019-02-15 16:42:41 +00:00
Asger F
56e081f7c9
JS: Add StartsWith::Range
2019-02-15 16:38:18 +00:00
Asger F
1aba111a00
JS: Use ::Range pattern for abstract classes
2019-02-15 14:28:07 +00:00
Asger F
c8823fa7cf
JS: change charpred of ClosureModule to be AST-based
2019-02-15 14:28:06 +00:00
Asger F
d1607f7c47
JS: remove SourceNode supertype from ClosureNamespaceAccess
2019-02-15 14:28:06 +00:00
Asger F
8801431352
JS: elaborate qldoc for isTopLevelExpr
2019-02-15 14:28:06 +00:00
Asger F
fa34f8f414
JS: replace dataflow -> data flow
2019-02-15 14:28:06 +00:00
Asger F
701e662bc4
JS: rename more predicates for consistency
2019-02-15 14:28:06 +00:00