hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-15 20:16:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,550 Commits 1,708 Branches 162 Tags
codeql-cli/v2.23.9
Commit Graph

84550 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Asger F
af7b4e3063 Accept flow difference due to added test cases 
New library gets FN for spread arguments in a call to splice(), which
was added to the old version in this PR:
  https://github.com/github/codeql/pull/16739
 2024-06-26 13:52:27 +02:00
Asger F
53efb5837b JS: Update some tests with provenance columns 
Only includes the changes that purely contain the new provenance columns
 2024-06-26 13:51:44 +02:00
Asger F
88edc06517 Avoid bad join in compatibleTypesCached 
This is identical to the code in Ruby and seems to prevent a bad join ordering
in a cached version of this predicate in DataFlowCommon
 2024-06-26 13:51:41 +02:00
Asger F
fc7c2c5b17 Remove unused code 2024-06-26 13:51:40 +02:00
Asger F
e67e89dd70 Implement decodeUnknownArgument/ParameterPosition 2024-06-26 13:51:39 +02:00
Asger F
3bebd709b3 Handle AnyMemberDeep and ArrayElementDeep in encodeContent 2024-06-26 13:51:38 +02:00
Asger F
6c0c67dce4 Implement encodeWith/WithoutContent 2024-06-26 13:51:37 +02:00
Asger F
b0ea81276b Implement encodeReturn 2024-06-26 13:51:36 +02:00
Asger F
5811a3c5a6 Port getMadStringFromContentSet -> encodeContent 2024-06-26 13:51:35 +02:00
Asger F
8c4e5e8876 Boilerplate implementation of default predicates from FlowSummaryImpl.qll 2024-06-26 13:51:34 +02:00
Rasmus Lerchedahl Petersen
a3076f4f72 Python: fix test expectations, add missing sanitizer 2024-06-26 13:27:32 +02:00
Anders Schack-Mulligen
9d8ee99c1c Merge pull request #16806 from aschackmull/dataflow/debug-stages 
Dataflow: Add path-problem view of intermediate stages for debug purposes.
 2024-06-26 12:53:12 +02:00
Michael Nebel
e1f65d1f8b Merge pull request #16836 from michaelnebel/csharp/bestlocation 
C#: Be more consistent when picking between locations.
 2024-06-26 12:46:50 +02:00
am0o0
361ad6be6a use abstract class for decompression flow steps 2024-06-26 12:45:31 +02:00
aegilops
f22778960b Fixed expected test results for Helmet query 2024-06-26 11:31:57 +01:00
Cornelius Riemenschneider
c4cc30fb7a Merge pull request #16839 from github/criemen/bazel-721 
Bump to bazel 7.2.1.
 2024-06-26 11:26:19 +02:00
Paolo Tranquilli
53a7d823ec Merge pull request #16841 from github/redsun82/kotlin 
Kotlin: exclude `KotlinExtractorDbScheme.kt` generated by hand
 2024-06-26 11:18:44 +02:00
Tamás Vajk
81f4786643 Merge pull request #16832 from tamasvajk/feature/update-dependencies 
C#: Update (some) nuget dependencies
 2024-06-26 11:12:26 +02:00
Michael Nebel
e258d9fa74 C#: Use the first best location from the list of locations. 2024-06-26 11:04:38 +02:00
Rasmus Lerchedahl Petersen
b261145f43 Python: fix compilation 2024-06-26 10:46:38 +02:00
Joe Farebrother
6538d22d3f Fix tornado model of httheaders.add. 2024-06-26 09:21:53 +01:00
Paolo Tranquilli
a52a412c24 Kotlin: exclude KotlinExtractorDbScheme.kt generated by hand 2024-06-26 09:05:09 +02:00
Owen Mansel-Chan
a30b34c4bd Used "fixed-version:" prefix in a test 2024-06-26 05:01:09 +01:00
Owen Mansel-Chan
418a56d385 Replace "$THISVERSION" suffix with "fixed-version:" prefix 2024-06-26 05:01:09 +01:00
Owen Mansel-Chan
081f32141c Accept review suggestion fixing a comment 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2024-06-26 05:01:09 +01:00
Owen Mansel-Chan
d4e8e4c943 Add QLDoc for majorVersionSuffixRegex 2024-06-26 05:01:09 +01:00
Owen Mansel-Chan
46d0c6ff9c Use lookahead in regex to not match e.g. "/v2foo" 2024-06-26 05:01:09 +01:00
Owen Mansel-Chan
c8a3bedf44 Move major version suffix regex into one place 2024-06-26 05:01:09 +01:00
Owen Mansel-Chan
cb2ccef5fa Refactor suffix check 2024-06-26 05:01:09 +01:00
Owen Mansel-Chan
c045e77d61 Fix QLDoc for interpretPackage 2024-06-26 05:01:09 +01:00
Owen Mansel-Chan
7d11fc2c7d Fix bug in regex 
I accidentally included a `$` at the end, so it only matched a major
version suffix at the end of the package path.
 2024-06-26 05:01:09 +01:00
Owen Mansel-Chan
a9afbfa993 Document version matching and "$THISVERSION" 2024-06-26 05:01:09 +01:00
Owen Mansel-Chan
3e2bbd38d4 Remove "$ANYVERSION" from models 2024-06-26 05:01:09 +01:00
Owen Mansel-Chan
47d946fb1c Make MaD package match any version without $ANYVERSION 
Note that if the package column contains major version suffix (like
"/v2") or if it ends with "$THISVERSION" (which is removed) then we
don't do any version matching.
 2024-06-26 05:01:09 +01:00
Owen Mansel-Chan
ea0db4d55e Add predicate for package path without "/v2" etc 2024-06-26 05:01:09 +01:00
Rasmus Lerchedahl Petersen
571be8be3e Python: model more loggers 2024-06-26 01:00:38 +02:00
Rasmus Lerchedahl Petersen
eb32cbe8a5 Python: codecs.open 2024-06-26 00:57:59 +02:00
Rasmus Lerchedahl Petersen
bdc48088e6 Python: MaD summary models 
Two of the generated summaries have been excluded:
 - ["re", "Member[split]", "Argument[0,pattern:]", "ReturnValue", "taint"]
   From the documentation, it is not clear why pattern should figure in the return value, as that is the part denoting split point and thus all those instances are filtered out.
   From the implementation
     Spit function: https://github.com/python/cpython/blob/3.12/Lib/re/__init__.py#L199
     _compile function being called by split: https://github.com/python/cpython/blob/3.12/Lib/re/__init__.py#L280
   We see that in case the pattern is already a compiled `Pattern`, it is returned directly from _compile and could thus be part of the return value from split. This is probably not possible to arrange for an attacker, and so an FP in practice.

 - ["urllib2", "Member[unquote]", "Argument[0,string:]", "ReturnValue", "taint"]
   urllib2 seems to be only in Python2 (e.g. https://docs.python.org/2.7/library/urllib2.html) and I cannot locate the function unquote.
 2024-06-26 00:39:30 +02:00
Ian Lynagh
f9ae44ca5c Merge pull request #16736 from igfoo/igfoo/debugLoC 
Java/Kotlin: Tag the LoC queries 'debug'
 2024-06-25 22:57:36 +01:00
Cornelius Riemenschneider
37da3e1bb3 Bump to bazel 7.2.1. 2024-06-25 21:21:39 +02:00
am0o0
656dc4e276 use abstract class for decompression sinks 2024-06-25 18:09:27 +02:00
am0o0
13f697c056 relocate the query 2024-06-25 17:31:40 +02:00
Chris Smowton
2413332553 Merge pull request #16802 from github/smowton/admin/note-java-system-requirements 
Java: document extraction system requirements
 2024-06-25 15:53:09 +01:00
Ian Lynagh
c12adbeeaa Java/Kotlin: Tag the LoC queries 'debug' 
This brings them into line with LinesOfCode.ql
 2024-06-25 15:46:10 +01:00
Michael Nebel
d18915a1e4 C#: Update expected test output. 2024-06-25 16:02:58 +02:00
Michael Nebel
e15a47d58c C#: Update the extractor to use the BestOrDefault extension method to choose between multiple locations. 2024-06-25 16:02:54 +02:00
Michael Nebel
dd65d960be C#: Introduce a Location extension method to help pick a unique location. 2024-06-25 16:02:49 +02:00
Michael Nebel
8dc95ce9b0 Merge pull request #16722 from michaelnebel/csharp/modelgensourcesink 
C#/Java: Respect manual neutrals, sources and sinks in model generation.
 2024-06-25 15:55:06 +02:00
yoff
58b6b3f601 Merge pull request #16789 from yoff/python/document-models-as-data 
python: Document MaD format
 2024-06-25 15:46:28 +02:00
Arthur Baars
306e481c5d Merge pull request #16830 from github/post-release-prep/codeql-cli-2.17.6 
Post-release preparation for codeql-cli-2.17.6
 2024-06-25 15:26:05 +02:00