Geoffrey White
0790fb6324
Update cpp/change-notes/2020-11-02-unused-local-variable.md
...
Co-authored-by: Jonas Jensen <jbj@github.com>
2020-11-06 14:42:48 +00:00
yoff
45317bcec9
Update python/ql/test/library-tests/PointsTo/new/code/w_function_values.py
...
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
2020-11-06 15:03:20 +01:00
Rasmus Wriedt Larsen
9ebe59d393
Python: Move UnsafeDeserialization configuration to own file
2020-11-06 14:27:37 +01:00
luchua-bc
450ff26694
Convert the query to a library
2020-11-06 13:25:00 +00:00
Rasmus Wriedt Larsen
d38c48d2c8
Python: Move ReflectedXSS configuration to own file
2020-11-06 14:24:31 +01:00
Rasmus Wriedt Larsen
1897a0d59a
Python: Move PathInjection configuration to own file
...
This one required a bit more thought, but ended up pretty nicely. Had to write
some QLDoc, but I think it turned out OK.
2020-11-06 14:21:23 +01:00
Rasmus Wriedt Larsen
0c6bd8401a
Python: Move SqlInjection configuration to own file
2020-11-06 14:09:46 +01:00
Rasmus Wriedt Larsen
6299b73a46
Python: Move CommandInjection configuration to own file
2020-11-06 14:07:06 +01:00
Rasmus Wriedt Larsen
7c04c59456
Python: Move CodeInjection configuration to own file
...
This makes it easy to extend the sources/sinks of the configuration and re-run
the query from the query console on LGTM.com.
File location in `semmle.<lang>.security.dataflow.<QueryName>.qll` is matching
what we currently do in other languages (JS and C# sampled).
I did not follow the pattern in other languages for wrapping all the code in a
`module CodeInjection`, since I didn't understand the value in doing so -- I
would like confirmation from the other teams if we _should_ actually do that,
before merging.
2020-11-06 13:58:06 +01:00
Rasmus Lerchedahl Petersen
fe186bf854
Python: Add test
2020-11-06 13:30:11 +01:00
Alvaro Muñoz
9db340c9ca
add some improvements to the bean validation query
2020-11-06 13:08:45 +01:00
Asger Feldthaus
acb30e73bc
JS: More precise handling of default import fallback
2020-11-06 12:04:41 +00:00
Sauyon Lee
a78c35b95e
Simplify net/http ResponseBody logic
2020-11-06 11:18:46 +00:00
Sauyon Lee
8a306af77b
Make HTTP::ResponseWriter handle PostUpdateNodes in getANode
2020-11-06 11:18:46 +00:00
Chris Smowton
3817ae80e5
Add support for html.Render method.
...
This entails generalising Http::ResponseBody to account for any modelled function writing to a ResponseWriter.
2020-11-06 11:04:53 +00:00
Chris Smowton
02f353eabd
Add models for the read side of golang.org/x/net/html
...
This covers cases where an HTML document is retrieved and then parts of its structure are output without proper escaping.
2020-11-06 11:04:53 +00:00
Chris Smowton
03bbef7286
Add models for the read side of golang.org/x/net/html
...
This covers cases where an HTML document is retrieved and then parts of its structure are output without proper escaping.
2020-11-06 11:04:53 +00:00
Rasmus Lerchedahl Petersen
64b9e9150e
Python: only show results in extracted files
2020-11-06 12:01:16 +01:00
Chris Smowton
e4aa252d6b
Merge pull request #381 from sauyon/gomodfix
...
Update dependencies and clean go.mod
2020-11-06 10:14:22 +00:00
Erik Krogh Kristensen
16473fc2a4
matching an inverted char class with a char
2020-11-06 10:18:57 +01:00
Erik Krogh Kristensen
804aaf36f0
support inverted char class and dot
2020-11-06 10:18:57 +01:00
Erik Krogh Kristensen
64d680e2d3
support that an inverted char class can intersect with itself
2020-11-06 10:18:57 +01:00
Erik Krogh Kristensen
321cf09bd8
add redos support for the simplest possible inverted char class
2020-11-06 10:18:57 +01:00
Erik Krogh Kristensen
d04f3df1cd
remove redundant check
2020-11-06 10:18:57 +01:00
Asger Feldthaus
1e45bc75c4
JS: Add change note in new format
2020-11-06 09:14:03 +00:00
Asger Feldthaus
24714c41be
JS: Update test output after rebase
2020-11-06 09:14:03 +00:00
Asger Feldthaus
9e25bbc4ed
JS: Add support for moment-timezone as well
2020-11-06 09:13:52 +00:00
Asger Feldthaus
7bf21d80b2
JS: Shift line numbers in test file
2020-11-06 09:13:52 +00:00
Asger Feldthaus
9418c6c8fe
JS: Add support for dateformat package
2020-11-06 09:13:52 +00:00
CodeQL CI
9f2eb84f2b
Merge pull request #4624 from erik-krogh/concatFix
...
Approved by asgerf
2020-11-06 09:11:41 +00:00
Asger Feldthaus
39c8226fba
JS: Autoformat
2020-11-06 09:06:20 +00:00
Asger Feldthaus
790526b529
JS: Some fixes and address review comments
2020-11-06 09:06:20 +00:00
Asger Feldthaus
8a3fba05e9
JS: Add steps through date-formatting functions
2020-11-06 09:06:18 +00:00
Anders Schack-Mulligen
cb77e460ae
Merge pull request #4600 from porcupineyhairs/urirefactor
...
Java : Refactor all instances of `java.net.URI` into TypeUri
2020-11-06 09:35:09 +01:00
Asger Feldthaus
d07e69e529
JS: Improve handling of destructuring export declaration
2020-11-05 23:51:44 +00:00
CodeQL CI
a908e5938e
Merge pull request #4574 from erik-krogh/jsdom
...
Approved by asgerf
2020-11-05 22:13:39 +00:00
Erik Krogh Kristensen
9137759d7c
calculate the size of the concatenation before doing the actual concatenation in Expr.qll
2020-11-05 22:55:52 +01:00
Tom Hvitved
a3894be1c5
Merge pull request #4607 from hvitved/csharp/msbuild-mono-no-shared-compilation
...
C#: Disable shared compilation when building with Mono+MSBuild
2020-11-05 19:56:25 +01:00
Nick Rolfe
aec99746d6
Merge pull request #29 from github/aibaars/dedup
...
Deduplicate and sort union members
2020-11-05 18:00:07 +00:00
Arthur Baars
222af90790
Deduplicate and sort union members
2020-11-05 18:50:12 +01:00
Geoffrey White
c9f846e0d2
C++: Give Iterator a proper interface.
2020-11-05 16:43:50 +00:00
Geoffrey White
b5326b3937
C++: Give OperatorNewAllocationFunction, OperatorDeleteAllocationFunction proper interfaces.
2020-11-05 16:43:49 +00:00
Geoffrey White
7f54379a0c
C++: Make more function models private (except a few that are used outside the library).
2020-11-05 16:43:42 +00:00
Arthur Baars
f514655231
Merge pull request #28 from github/token_classes
...
Add classes for token kinds
2020-11-05 17:27:22 +01:00
Nick Rolfe
510621f018
Don't add 'Token' prefix to token subclass names
2020-11-05 16:21:33 +00:00
Taus Brock-Nannestad
7c58b28e36
Python: Write DataFlow::update more succinctly
...
This has no impact on performance, but it cleans up the code a bit,
and (hopefully) makes it more readable.
2020-11-05 16:47:41 +01:00
Taus Brock-Nannestad
bae4acabb1
Python: Fix bad join in StrConst::isUnicode
...
Also fixes a bug ("`B`" was not recognised as a bytestring prefix).
The basic idea behind this fix is that the set of possible prefixes is
fairly small, so it's easier just to precompute them, and then join
them with the entire prefix of the string in question (rather than
look at each string in isolation, get its prefix, and _then_ check
whether it looks like it's a unicode string prefix, which essentially
is what the code did before).
2020-11-05 16:45:27 +01:00
Taus Brock-Nannestad
1251bc57f5
Python: Fix bad join in TObject::literal_instantiation
...
Here, `context.appliesTo(n)` was being distributed across all of the
disjuncts, which caused poor performance.
The new helper predicate, `literal_node_class` should be fairly small,
since it only applies to a subset of `ControlFlowNode`s, and only
assigns a limited set of `ClassObjectInternal`s to these nodes.
2020-11-05 16:40:29 +01:00
Taus Brock-Nannestad
35a63e2411
Python: Fix bad join in regex::used_as_regex
...
Since the number of relevant attributes in the `re` module is fairly
small, it made sense to factor this out in a separate predicate, and
the join order also became more sensible.
2020-11-05 16:33:59 +01:00
Taus Brock-Nannestad
035e747ad5
Python: Fix slow use of regexCapture in Builtin::strValue
...
This is only _really_ expensive when there are a _lot_ of strings in
the database, but for this case, where we're always extracting the
same substring of the string, it's easier -- and faster -- to just
make a substring operation directly.
2020-11-05 16:33:33 +01:00