hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-17 04:56:58 +01:00
Code Issues Packages Projects Releases Wiki Activity
85,368 Commits 1,714 Branches 162 Tags
codeql-cli/v2.24.0
Commit Graph

85368 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Asger F
9ee7599aeb JS: Move AngularJSTemplateUrlSink to ClientSideUrlRedirection query 
This is not perfect but at least we can be consistent about keeping URLs-that-lead-to-xss in the same query
 2024-08-16 14:37:13 +02:00
Geoffrey White
0088ece3ea Revert "Swift: Fix two of the qhelps by slightly modifying the sample code instead." 
This reverts commit 2d19d6f61e.
 2024-08-16 13:24:03 +01:00
Asger F
699d3a0a0a JS: Update a RegExp injection test 
RegExpInjection does not use client-side sources, but one of its tests was using postMessage events
as the taint source. Updating the test to use a different taint source.
 2024-08-16 14:20:34 +02:00
Geoffrey White
2d19d6f61e Swift: Fix two of the qhelps by slightly modifying the sample code instead. 2024-08-16 12:57:32 +01:00
Simon Friis Vindum
07800ea7ef Merge branch 'main' into uncontrolled-allocation-size-docs 2024-08-16 13:10:08 +02:00
Simon Friis Vindum
5548304432 C++: Grammar improvements to query help text 2024-08-16 13:08:34 +02:00
Owen Mansel-Chan
2d2afb17ad Convert gocb nosql-injection sinks to MaD 2024-08-16 11:19:15 +01:00
Owen Mansel-Chan
ec9d88b364 Convert mongodb nosql-injection sinks to MaD 2024-08-16 11:19:13 +01:00
Owen Mansel-Chan
86e9f15929 Accept MaD sinks with kind nosql-injection 2024-08-16 11:19:12 +01:00
Owen Mansel-Chan
ced000ae46 Add Argument.getACorrespondingSyntacticArgument 2024-08-16 11:19:09 +01:00
Owen Mansel-Chan
652dd88c36 Convert database/sql/driver sql-injection sinks to MaD 2024-08-16 11:19:06 +01:00
Owen Mansel-Chan
c7859ecebf Improve SQL tests 
Separate the tests for Squirrel and database/sql. Add tests for
database/sql/driver.
 2024-08-16 11:19:04 +01:00
Owen Mansel-Chan
501bb3eb56 Convert database/sql sql-injection sinks to MaD 2024-08-16 11:19:03 +01:00
Owen Mansel-Chan
ad213579a1 Convert Beego orm sql-injection sinks to MaD 2024-08-16 11:19:01 +01:00
Owen Mansel-Chan
e1bdc7f5a7 Update Beego orm tests 2024-08-16 11:19:00 +01:00
Owen Mansel-Chan
3eb5b2669b Convert Bun sql-injection sinks to MaD 2024-08-16 11:18:58 +01:00
Owen Mansel-Chan
3b2b7d7d1c Convert Xorm sql-injection sinks to MaD 2024-08-16 11:18:57 +01:00
Owen Mansel-Chan
ba310417a8 Convert Gorm sql-injection sinks to MaD 2024-08-16 11:18:55 +01:00
Owen Mansel-Chan
7ad63fc3e6 Convert sqlx sql-injection sinks to MaD 2024-08-16 11:18:54 +01:00
Owen Mansel-Chan
db559f75b6 Convert gogf/gf sql-injection sinks to MaD 2024-08-16 11:18:52 +01:00
Owen Mansel-Chan
ce0cb12c29 Upgrade and convert gorqlite sql-injection sinks to MaD 2024-08-16 11:18:51 +01:00
Owen Mansel-Chan
06f86dd22f Convert squirrel sql-injection sinks to MaD (non-existent methods removed) 
Various non-existent methods were modeled, and I couldn't find any
evidence that they used to exist. They aren't in the stubs or tests. I
have removed them.
 2024-08-16 11:18:49 +01:00
Owen Mansel-Chan
0acb29d3dd Update frameworks.csv 2024-08-16 11:15:13 +01:00
Chris Smowton
f7d8c210e5 Merge pull request #17239 from smowton/smowton/admin/camel-test 
Java: add test for Apache Camel dead-code analysis
 2024-08-16 11:00:30 +01:00
Geoffrey White
0126fbcb8f Swift: Clear the language for Swift code snippets that are rendering incorrectly. 2024-08-16 10:56:46 +01:00
Rasmus Wriedt Larsen
d6af999c2d Merge pull request #17234 from github/felicitymay-patch-1 
Update CookieInjection.ql to remove period from @name
 2024-08-16 11:26:16 +02:00
Asger F
467256d465 JS: Add change note 2024-08-16 11:06:59 +02:00
Asger F
2d264052b3 JS: Treat browser message events as client-side sources 2024-08-16 11:02:12 +02:00
Rasmus Wriedt Larsen
25fc5f3803 Merge pull request #17209 from RasmusWL/threat-models-stdin 
ThreatModels: Add `stdin` kind
 2024-08-16 11:01:33 +02:00
Paolo Tranquilli
0e3c867cb9 Toy rust program listing definitions of a cargo project 2024-08-16 10:37:49 +02:00
Rasmus Wriedt Larsen
c3d8efc43d Merge branch 'main' into stdin3 2024-08-16 09:54:45 +02:00
Asger F
7dcdad066f Update javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.qll 2024-08-16 09:44:53 +02:00
Anders Schack-Mulligen
ae013ba01a Merge pull request #17235 from aschackmull/dataflow/fix-missing-subpaths 
Dataflow: Fix missing subpaths due to type strengthening.
 2024-08-16 08:41:35 +02:00
Anders Schack-Mulligen
51c43a7440 Java: Accept expected changes. 2024-08-16 07:01:35 +02:00
Kristen Newbury
81787a159e Add QL docs to helmet model 2024-08-15 16:32:37 -04:00
Kristen Newbury
e84dda4fa6 Update JS helmet model structure 2024-08-15 16:08:48 -04:00
Anders Schack-Mulligen
86708c9ff8 Dataflow: Fix missing subpaths due to type strengthening. 2024-08-15 18:57:10 +02:00
Chris Smowton
0b56bf98f3 Java: add test for Apache Camel dead-code analysis 
This exercises code that detects Camel entry-points and marks them as live.
 2024-08-15 17:26:38 +01:00
Tom Hvitved
fb7b89f309 Merge pull request #17237 from aschackmull/java/fix-merge-conflict 
Java: Fix expected files following semantic merge conflict.
 2024-08-15 17:25:03 +02:00
Rasmus Wriedt Larsen
7a446231b6 C#: Accept benign test changes 2024-08-15 16:20:00 +02:00
Anders Schack-Mulligen
e77c3dfda1 Java: Fix expected files following https://github.com/github/codeql/pull/17233 and https://github.com/github/codeql/pull/17224. 2024-08-15 15:45:37 +02:00
Rasmus Wriedt Larsen
78770bcd1b Docs: Mention new stdin threat-model 2024-08-15 15:45:21 +02:00
Rasmus Wriedt Larsen
1e7eae58f4 Java: Add change-note 2024-08-15 15:45:20 +02:00
Rasmus Wriedt Larsen
ebafe65ac2 C#: Fixup test expectations from using stdin 2024-08-15 15:45:20 +02:00
Rasmus Wriedt Larsen
43b61dd2aa C#: Support stdin in LocalFlowSource 2024-08-15 15:45:20 +02:00
Rasmus Wriedt Larsen
fee38b3781 Java: Fixup test 2024-08-15 15:37:35 +02:00
Rasmus Wriedt Larsen
1e12c11adc Java: Model System.in as stdin threat-model 2024-08-15 15:37:35 +02:00
Rasmus Wriedt Larsen
7395223410 C#: Model System.Console reads as stdin threat-model 2024-08-15 15:36:28 +02:00
Rasmus Wriedt Larsen
157d0b7f37 ThreatModels: Add stdin kind 
None of the current local subgroups precisely captures stdin, so
although it's much like both commandargs and file, a separate kind seems
better.
 2024-08-15 15:36:28 +02:00
Anders Schack-Mulligen
7d61d9282c Merge pull request #17233 from aschackmull/dataflow/match-summarylabel 
Dataflow: Fix missing join on summaryLabel.
 2024-08-15 14:55:38 +02:00