Commit Graph

17948 Commits

Author SHA1 Message Date
semmle-qlci
6f1f926e0c Merge pull request #3552 from RasmusWL/python-fix-filename-example
Approved by tausbn
2020-05-25 14:17:05 +01:00
Jonas Jensen
bc09720704 Merge pull request #3479 from geoffw0/fp2762
C++: Allow equality to block taint (security taint tracking)
2020-05-25 15:11:10 +02:00
Jonas Jensen
3d58e6f7af Merge pull request #3515 from hvitved/dataflow/remove-deprecated
Data flow: Remove deprecated predicates
2020-05-25 15:08:28 +02:00
Jonas Jensen
b4c32a00d8 C++: Fix up QLDoc in TooFewArguments.qll 2020-05-25 14:49:02 +02:00
Jonas Jensen
b1edc1d255 C++: Only give alert when no def fits arg count
The `cpp/too-few-arguments` query produced alerts for ambiguous
databases where a function had multiple possible declarations, with some
declarations having the right number of parameters and some having too
many. With this change, the query errs on the side of caution in those
cases and does not produce an alert.

This fixes false positives on racket/racket.

The new `hasDefiniteNumberOfParameters` is exactly the negation of the
old `hasZeroParamDecl`.
2020-05-25 14:48:57 +02:00
Bt2018
2a654af983 Correct the select statement in the query 2020-05-25 08:24:38 -04:00
Rasmus Wriedt Larsen
f602f3e1c7 Python: Use proper import for semmle.python.dataflow.TaintTracking
It was moved in 637677d515, but imports were not
updated.
2020-05-25 13:45:49 +02:00
Rasmus Wriedt Larsen
74167923bc Python: Fix filename example
I got my eyes on this one since it was using a deprecated method, BUT it was
also doing the thing, since File.getName() is the same as
File.getAbsolutePath(), and that doesn't match the description :\
2020-05-25 13:17:32 +02:00
Rasmus Wriedt Larsen
6ce1b9f7fa Python: Fix use of StrConst.strValue() 2020-05-25 13:12:56 +02:00
Anders Schack-Mulligen
0d75c6a5f1 Merge pull request #3506 from ggolawski/spring-actuators-fix
Fixes FPs in SpringBootActuators query
2020-05-25 13:09:56 +02:00
semmle-qlci
ac1a338390 Merge pull request #3407 from RasmusWL/python-add-BoundMethodValue-v2
Approved by tausbn
2020-05-25 12:00:45 +01:00
Rasmus Wriedt Larsen
32c8dd0491 Python: Fix (upcoming) deprecation compiler-warnings
In a near-future release, overriding a deprecated predicate without marking it as
deprecated would give a compiler warning.

Not fixing the XML one. [I can see that this shouldn't be reported
anymore](https://github.com/github/codeql/pull/3520#issuecomment-631552943), and
it's not safe to remove since it was only marked as deprecated in
e6425bb4cf.
2020-05-25 11:05:30 +02:00
Taus
a2308771a3 Merge pull request #3489 from yoff/DeprecateObject
Python: Modernise `py/missing-equals`.
2020-05-25 10:56:16 +02:00
Rasmus Wriedt Larsen
49d7e12acd Python: Remove unnecessary restriction from getNamedArgumentForCall
As agreed in https://github.com/github/codeql/pull/3407
2020-05-25 10:17:37 +02:00
Rasmus Wriedt Larsen
4fc3cae646 Python: Add test for how arguments to *args and **kwargs are handled 2020-05-25 10:16:10 +02:00
Rasmus Wriedt Larsen
87ee6ae101 Python: Add a bit of docs to CallableObjectInternal
As requested :)
2020-05-25 09:53:28 +02:00
Rasmus Wriedt Larsen
9e0d57c610 Python: Fix grammar in QLDoc
Co-authored-by: Taus <tausbn@gmail.com>
2020-05-25 09:47:01 +02:00
Rasmus Lerchedahl Petersen
3e712be431 Python: Modernise 2020-05-25 09:00:34 +02:00
Rasmus Lerchedahl Petersen
712513916c Python: Address review 2020-05-25 07:44:00 +02:00
Max Schaefer
573fdaa424 JavaScript: Track require through local data flow. 2020-05-24 20:00:10 +01:00
luchua-bc
6d1ba3f899 Java: CWE-273 Unsafe certificate trust 2020-05-24 16:43:15 +00:00
Robert Marsh
1fa1bd5e36 C#: fix compilation error in IR 2020-05-22 16:08:11 -07:00
Robert Marsh
b4a947ddf1 C++: add getIRVariable for this temp variables 2020-05-22 15:43:34 -07:00
Robert Marsh
8a53dc882d C++: treat this as a parameter in IR 2020-05-22 15:35:34 -07:00
Dave Bartolomeo
df834ac031 C++: Fix duplicate result types
In a couple of cases, we use `glval<unknown>` as the result type of an instruction because we can't come up with anything better. Two examples are the result of `VariableAddress[#ellipsis]`, and the address of the temp variable that holds the lvalue result of the conditional operator in `(a ? b : c) = y`. In both cases, we call `getTypeForGLValue(any(UnknownType t))`, but that would have multiple results because `result.hasType(any(UnknownType t), true)` also holds for `CppFunctionGLValueType`. I tightened the result type to ensure we get the right one.
2020-05-22 16:20:33 -04:00
Shati Patel
e990f1b53d Merge pull request #3546 from aschackmull/java/tutorial-bug-fix
Java: Fix bug in tutorial.
2020-05-22 17:23:58 +01:00
Alvaro Muñoz
0b20785cce add support for java.io.StringWriter 2020-05-22 18:13:28 +02:00
semmle-qlci
b9ecf1a304 Merge pull request #3447 from erik-krogh/LibCmdInjection
Approved by asgerf, mchammer01
2020-05-22 17:10:57 +01:00
Anders Schack-Mulligen
6228e7670b Java: Fix bug in tutorial. 2020-05-22 14:44:24 +02:00
Esben Sparre Andreasen
e172d55ecb Update javascript/ql/test/query-tests/Security/CWE-020/IncompleteUrlSchemeCheck.js
Co-authored-by: Asger F <asgerf@github.com>
2020-05-22 13:33:34 +02:00
Asger Feldthaus
823ed3bbdf JS: Wrap node --version call in retry loop 2020-05-22 10:40:16 +01:00
Asger Feldthaus
6f0356b229 Revert "JS: Remove timeout for node --version check"
This reverts commit ec7c9489dc.
2020-05-22 10:40:07 +01:00
James Fletcher
9259dca40d Merge pull request #3540 from github/jf205-patch-2
Link README.md to CodeQL for Go repo
2020-05-22 10:29:55 +01:00
Shati Patel
cf13992552 Merge pull request #3544 from shati-patel/code-typo
CodeQL docs: Fix error in code snippet [cherry-pick]
2020-05-22 08:42:41 +01:00
syang-ng
ca8c3dabda fix an error in the code snippet of the documentation about global-data-flow-java 2020-05-22 08:00:52 +01:00
Shati Patel
8c1e4d49ca Merge pull request #3537 from syang-ng/master
fix an error in the code snippet of the documentation about global-data-flow-java
2020-05-21 19:43:51 +01:00
James Fletcher
49d4c76f2f Update README.md 2020-05-21 16:37:44 +01:00
Asger Feldthaus
75be3b7ecb JS: Add test case for missed captured flow 2020-05-21 16:14:13 +01:00
Shati Patel
c021dcd1e8 Ql language: Clarify use of query modules 2020-05-21 15:30:40 +01:00
syang-ng
184209d1eb fix an error in the code snippet of the documentation about global-data-flow-java 2020-05-21 22:00:15 +08:00
Geoffrey White
0f4723aee4 Merge pull request #3520 from dbartol/github/codeql-c-analysis-team/79
C++: Mark deprecated overrides as deprecated
2020-05-21 14:55:39 +01:00
Erik Krogh Kristensen
b79b25ef87 correct cwe-78 to cwe-078 2020-05-21 12:38:44 +00:00
Erik Krogh Kristensen
b297837969 Apply suggestions from doc review
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
2020-05-21 14:32:02 +02:00
Esben Sparre Andreasen
b31f83a5af JS: fixup expected output 2020-05-21 13:47:16 +02:00
Esben Sparre Andreasen
e588e59f9b JS: fixup 2020-05-21 13:42:28 +02:00
Esben Sparre Andreasen
c400b45cd6 JS: make the Fastify model support isUserControlledObject 2020-05-21 13:42:28 +02:00
Esben Sparre Andreasen
894033df8a JS: de-boilerplate the fastify model: address expr/dataflow comments 2020-05-21 13:42:28 +02:00
Esben Sparre Andreasen
74fc33e2a8 JS: make the qldoc check happy 2020-05-21 13:42:27 +02:00
Esben Sparre Andreasen
a76c70d2d7 JS: model fastify 2020-05-21 13:42:27 +02:00
James Fletcher
e0e9535f08 Merge pull request #3530 from jf205/sd-109
CodeQL docs: refine two article titles
2020-05-21 08:55:10 +01:00