hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-14 06:54:48 +01:00
Code Issues Packages Projects Releases Wiki Activity
17,948 Commits 1,680 Branches 158 Tags
codeql-cli/v2.4.0
Commit Graph

17948 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
luchua-bc
5520504658 Update expected results 2020-07-28 15:41:23 +00:00
luchua-bc
a91cc9b7ec Convert the query to path-problem 2020-07-28 15:36:12 +00:00
Tom Hvitved
d39a33655f C#: Fix false-positives in cs/dereferenced-value-may-be-null 
Dereferencing an expression of a nullable type should only be reported when
the expression is not clearly non-null.
 2020-07-28 16:27:36 +02:00
Shati Patel
a79f09f1de Add basic query for Go 2020-07-28 15:25:59 +02:00
Shati Patel
8e8c43a25b Add basic query for JavaScript 2020-07-28 13:54:06 +02:00
luchua-bc
7f911f00ee Rename to insecure basic auth 2020-07-28 11:40:21 +00:00
Shati Patel
9edf1646c9 Add basic queries for C#, Java, and Python 2020-07-28 12:18:45 +02:00
Shati Patel
0f3599039f Update docs/language/learn-ql/cpp/basic-query-cpp.rst 
Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com>
 2020-07-28 11:49:17 +02:00
Tom Hvitved
ce2368de96 C#: Add tests for null-coalescing assignment 2020-07-28 11:07:47 +02:00
luchua-bc
248628b11e Enhance basic auth string search with a recursive method 2020-07-27 20:31:07 +00:00
luchua-bc
3a23451395 Enhance the query 2020-07-27 18:50:47 +00:00
Rasmus Lerchedahl Petersen
38acea633f Python: Dataflow, expand callable to classes 2020-07-27 17:58:21 +02:00
Tom Hvitved
c5a4a6be05 Merge pull request #3871 from hvitved/csharp/autobuilder/dotnet-delegate 
C#: Introduce delegate type in autobuilder
 2020-07-27 16:51:24 +02:00
Taus
f40242dc3f Merge pull request #3396 from porcupineyhairs/python-ssti 
Python : Add query to detect Server Side Template Injection
 2020-07-27 14:43:39 +02:00
Max Schaefer
91762ec274 JavaScript: Add partial model for opener. 
3.5M weekly downloads.

Note that we do not treat the first argument as a command-injection sink. While it is possible to inject commands that way, it is more likely to cause false positives where the user input is concatenated with some prefix that makes the opening heuristic decide to treat it as a URL.
 2020-07-27 11:42:32 +01:00
Max Schaefer
9aa26fa4bc JavaScript: Add model for foreground-child. 
>1M weekly downloads, so seems worth doing.
 2020-07-27 11:37:06 +01:00
Max Schaefer
2f842042ea JavaScript: Model another execa function relevant for command injection. 2020-07-27 11:34:04 +01:00
Tom Hvitved
f5c1de8a17 Merge pull request #3960 from calumgrant/cs/tag-inefficient-containskey 
C#: Fix tags typo
 2020-07-27 11:44:58 +02:00
Calum Grant
09f45ac9fe Merge pull request #3877 from calumgrant/cs/autobuilder-alerts 
C#: Make fields readonly
 2020-07-27 10:43:04 +01:00
Shati Patel
db09ca7b68 Update queries + outdated note 2020-07-27 11:42:10 +02:00
Owen Mansel-Chan
6dbed5e848 Address review comments 2020-07-27 10:19:48 +01:00
Owen Mansel-Chan
4094fa9db3 Docs: Query classification and display 
Converted from Semmle wiki
 2020-07-27 10:06:16 +01:00
ubuntu
8dee3da4fe Update .qhelp 2020-07-26 23:50:22 +02:00
ubuntu
ac7c511d86 Update .qhelp 2020-07-26 23:47:53 +02:00
ubuntu
2cec8f7e9d Update .qhelp 2020-07-26 23:23:56 +02:00
ubuntu
c469f71957 Add Codeql query to detect if cookies are sent without the flag being set 2020-07-26 22:56:36 +02:00
luchua-bc
01fb51829c Unsecure basic authentication 2020-07-24 20:35:09 +00:00
Rasmus Wriedt Larsen
e0016f6c52 Python: CG trace: Mention adding projects in README 2020-07-24 20:08:39 +02:00
Rasmus Wriedt Larsen
aca703e131 Python: CG trace: Add support for flask 2020-07-24 20:06:53 +02:00
Rasmus Wriedt Larsen
bb80635dc3 Python: CG trace: Updated README 2020-07-24 19:35:06 +02:00
Rasmus Wriedt Larsen
ecafc760e8 Python: CG trace: Improved debugging queries a bit 2020-07-24 19:34:51 +02:00
Rasmus Wriedt Larsen
2407c8b07e Python: CG trace: Better handling of builtins without __module__ 
Not 100% perfect, but better
 2020-07-24 19:13:53 +02:00
Rasmus Wriedt Larsen
9c76618d8b Python: CG trace: Make ./helper.sh show help again 2020-07-24 18:59:29 +02:00
Rasmus Wriedt Larsen
8057e11fe4 Python: CG trace: Add ./helper.sh metrics command 2020-07-24 18:38:12 +02:00
Rasmus Wriedt Larsen
779a82ee07 Python: CG trace: Minor cleanup in helper.sh 2020-07-24 18:37:48 +02:00
Rasmus Wriedt Larsen
4c689434c3 Python: CG trace: Restructure QL code 2020-07-24 17:00:13 +02:00
Rasmus Wriedt Larsen
321d5104f0 Python: CG trace: Autogenerate BytecodeExpr.qll 
Some code I had lying around, just hadn't comitted.

Not that useful since most of these have been disabled in 55404ae98 for now.
 2020-07-24 16:51:14 +02:00
Rasmus Wriedt Larsen
a7bc9544b6 Python: CG trace: Metrics, number of recorded calls not ignored 
turned out to be useful after all :P
 2020-07-24 16:49:54 +02:00
Shati Patel
bb05db5c98 Convert C/C++ article 2020-07-24 12:07:17 +02:00
Rasmus Wriedt Larsen
367a49803b Python: CG trace: handle class instantiation properly in points-to 2020-07-24 11:19:11 +02:00
Porcupiney Hairs
7a71ca3e0f fix tests. 2020-07-24 00:57:19 +05:30
Rasmus Wriedt Larsen
3ead2e3dc7 Python: CG trace: Improve performance by only logging when needed 
Seems like a 2x performance overall

wcwidth:
  - DEBUG=True 5.78 seconds
  - DEBUG=False 2.70 seconds

youtube-dl
  - DEBUG=True 238.90 seconds
  - DEBUG=False 120.70 seconds
 2020-07-23 20:14:49 +02:00
Rasmus Wriedt Larsen
c49311e69e Python: Fix JinjaSSTISinks.expected 2020-07-23 20:11:27 +02:00
Rasmus Wriedt Larsen
fbd939133e Python: CG trace: More caching 
Improves runtime of tracing youtube-dl from 296.19 seconds to 224.50 seconds.

Better, but still not that amazing :|
 2020-07-23 18:07:55 +02:00
Rasmus Wriedt Larsen
ce42221cf7 Python: CG trace: Fix some printing in helper.sh 2020-07-23 17:57:52 +02:00
Rasmus Wriedt Larsen
55404ae980 Python: CG trace: Experiment with disabling some opcodes 
Currently not supported in the QL code, so no reason to pay performance to
record them right now :P
 2020-07-23 17:39:43 +02:00
Rasmus Wriedt Larsen
14c51eb3c7 Python: CG trace: XML exporter will tell what file it wrote to 2020-07-23 17:38:54 +02:00
Rasmus Wriedt Larsen
c45cc2aa2f Python: CG trace: Add helper.sh to run tracing against real projects 2020-07-23 17:37:01 +02:00
Rasmus Wriedt Larsen
5d031d7abe Python: CG trace: Fix sorting of ExternalCallee 
Also exposed that the better_compare_for_dataclass was exposed to bad loop
variable capture :|
 2020-07-23 17:36:31 +02:00
Rasmus Wriedt Larsen
03d22fa8e3 Python: Fix filenames in qhelp 2020-07-23 17:32:01 +02:00