Rasmus Wriedt Larsen
80adbdfbc1
Python: Mark unhandled django route handlers with f-:
...
That is playing more nicely with the expected usage of the inline-tests.
2020-10-20 13:44:34 +02:00
Dave Bartolomeo
7de6415d00
Accept test diffs after merge
2020-10-20 07:40:44 -04:00
Dave Bartolomeo
ade6d10e58
Merge remote-tracking branch 'upstream/main' into work
2020-10-20 07:24:42 -04:00
Taus Brock-Nannestad
a21c29507c
Python: Fix false negative
...
I'm slightly suspicious of this fix -- it seems to work, but it makes
me wonder if we're potentially missing other kinds of flow, by not
handling other kinds of definitions.
Also, I feel like this should really be attached to an appropriate
post-update node of the given argument. As it is written now, the flow
will go from the argument _before_ the call, which obviously misses a
step if the argument is modified by the call. In practice, I would
expect this to be rather rare.
2020-10-20 13:16:54 +02:00
Taus Brock-Nannestad
860cafed4d
Python: Mark failing test as false negative
2020-10-20 13:11:06 +02:00
Asger Feldthaus
c91cdb5194
JS: Address review comments
2020-10-20 12:00:02 +01:00
Taus
802a725260
Merge pull request #2 from RasmusWL/python-tricky-import-ssa-filter-definition
...
Python: Add test for tricky module member for type-tracking
2020-10-20 12:51:45 +02:00
CodeQL CI
8b084ffe22
Merge pull request #4518 from asgerf/js/fix-oom
...
Approved by erik-krogh
2020-10-20 03:37:00 -07:00
Rasmus Wriedt Larsen
045a6c3cb5
Python: Add test for tricky module member for type-tracking
...
Local testing shows that the `getDefinition` result for this is a `SSA filter definition`,
and not an `AssignmentDefinition`.
2020-10-20 12:20:35 +02:00
Mathias Vorreiter Pedersen
528afc55ab
Merge pull request #3788 from geoffw0/callderef
...
C++: Add bcopy to models and use it.
2020-10-20 12:15:23 +02:00
Asger Feldthaus
8779b7c1ce
JS: Update expected output after rebase
2020-10-20 11:10:30 +01:00
Asger Feldthaus
aee970bee7
JS: Change note
2020-10-20 10:54:02 +01:00
Asger Feldthaus
28a73c1e18
JS: Add test case
2020-10-20 10:53:15 +01:00
Asger Feldthaus
6aac353777
JS: Update test output
2020-10-20 10:53:12 +01:00
Asger Feldthaus
50a015c73e
JS: Move $() sink into separate dataflow config
2020-10-20 10:52:33 +01:00
CodeQL CI
4cc7138784
Merge pull request #4507 from erik-krogh/template
...
Approved by asgerf
2020-10-20 02:45:00 -07:00
Erik Krogh Kristensen
8c8cf4fc01
autoformat
2020-10-20 11:17:06 +02:00
Erik Krogh Kristensen
7d87699e42
add test for modern compound assignment in js/implicit-operand-conversion
2020-10-20 10:50:20 +02:00
Erik Krogh Kristensen
eb786078cb
support modern compound-assignment in js/implicit-operand-conversion
2020-10-20 10:40:47 +02:00
Erik Krogh Kristensen
f47fb5ebd8
switch extends around to match @assignlogandexpr and @assignlogorexpr correctly
2020-10-20 10:38:45 +02:00
Geoffrey White
f9987cff64
C++: Update QLDoc comment.
2020-10-20 09:36:33 +01:00
Asger Feldthaus
78c85775e3
JS: Do not extend AdditionalTaintStep in the ldap library
2020-10-20 09:07:12 +01:00
Tamas Vajk
5d0c30db66
C#: Fix nullable reference type handling in type mention extraction
2020-10-20 08:23:57 +02:00
Tamas Vajk
dad5166bca
C#: Print full name of type mentions in AST
2020-10-20 08:23:57 +02:00
Tamas Vajk
7929d8a982
C#: Fix generic type name location in AST
2020-10-20 08:23:56 +02:00
Tamas Vajk
037907e442
C#: Fix qualified name type mention extraction
2020-10-20 08:23:56 +02:00
Tamas Vajk
238ed2e643
C#: Make array and pointer type mentions symmetrical
2020-10-20 08:23:56 +02:00
Tamas Vajk
a87343dd69
C#: Add more type test cases to cover type mentions
2020-10-20 08:23:56 +02:00
Tamas Vajk
f0a40f6e5e
C#: Fix type mention for stackalloc to span assignment
2020-10-20 08:23:56 +02:00
Tamas Vajk
7cb4d6d7a0
C#: Fix type mentions for stackalloc arrays
2020-10-20 08:23:56 +02:00
Tamas Vajk
ca6ecb3f1e
C#: Extract type mention for array creation
2020-10-20 08:23:56 +02:00
Tamas Vajk
7066568813
C#: Change type access and expression order in casts for AST printing
2020-10-20 08:23:56 +02:00
Tamas Vajk
6c48eb8c12
C#: Add type mentions to AST
2020-10-20 08:23:56 +02:00
Rasmus Lerchedahl Petersen
5990241c8f
Python: Support django models (with some caveats)
2020-10-20 03:20:00 +02:00
Taus
f5ec548e68
Python: Fix typo in QLDoc
...
Co-authored-by: yoff <lerchedahl@gmail.com>
2020-10-19 23:51:38 +02:00
Rasmus Lerchedahl Petersen
d7308bddf2
Python: Add django sink with concept test
2020-10-19 21:34:55 +02:00
Dave Bartolomeo
2eaa4a4ecf
Merge remote-tracking branch 'upstream/main' into work
2020-10-19 15:19:03 -04:00
Dave Bartolomeo
3587235b4f
Merge pull request #4471 from github/igfoo/unnamed
...
C++: Be more consistent about unnamed entities
2020-10-19 15:18:34 -04:00
Dave Bartolomeo
d0b93df4ec
Merge from main
2020-10-19 15:17:19 -04:00
Ian Lynagh
987c16ed53
Merge remote-tracking branch 'upstream/main' into igfoo/unnamed
2020-10-19 19:09:41 +01:00
Geoffrey White
a426412b4e
Merge pull request #4497 from vadi2/patch-1
...
Add modern C++ variant
2020-10-19 19:09:23 +01:00
Geoffrey White
b68f98b332
C++: More use of [, ].
2020-10-19 19:05:29 +01:00
CodeQL CI
4c5ecb4093
Merge pull request #4478 from erik-krogh/homegrownCsrf
...
Approved by asgerf
2020-10-19 11:04:10 -07:00
CodeQL CI
502faa7d1c
Merge pull request #4494 from erik-krogh/callLimit
...
Approved by asgerf
2020-10-19 11:03:25 -07:00
Geoffrey White
658dbf45d2
C++: getParameter(_) is considered an anti-pattern.
2020-10-19 18:42:33 +01:00
Robert Marsh
5d9f54e797
Merge pull request #4502 from dbartol/dbartol/PrintLoadStoreTargets
...
C++: Print target variable name for `Load` and `Store`, if known
2020-10-19 13:30:39 -04:00
Dave Bartolomeo
2ba1ef9961
Merge remote-tracking branch 'upstream/main' into work
2020-10-19 13:28:59 -04:00
Geoffrey White
ddc5150080
C++: Create a module for models of things in Std.
2020-10-19 18:27:20 +01:00
Geoffrey White
3fad597bbf
C++: Make function models private (except ones we anticipate users accessing).
2020-10-19 18:25:23 +01:00
Taus Brock-Nannestad
7755993dd3
Python: Add jump steps for module attribute reads.
...
This is the quick-and-dirty solution, as discussed.
An even quicker-and-dirtier solution would have used
`ModuleValue::attr` and taken the `getOrigin` of that as the source of
the jump step. However, this turns out to be a bad choice, since
`attr` might fail to have a value for the given attribute (for a
variety of reasons). Thus, we instead appeal to a helper predicate
that keeps track of which names are defined by which right-hand-sides
in a given module. (Observe that type tracking works correctly for `x`
in `mymodule.py`, even though `x` is never assigned a value in the
eyes of the Value API.)
This means that points-to is only used to actually figure out if the
object we're looking an attribute up on is a module or not. This is
the next thing to replace in order to eliminate the dependence on
points-to, but this will require some care to ensure that all module
lookups are handled correctly.
Only two test files needed to be changed for the tests to pass. The
first was the fixed false negative in the type tracker, and the other
was a bunch of missing flow in the regression test. I have manually
removed the `# Flow not found` annotations to make them consistent
with the output. Pay particular attention to the annotation on line
117 -- I believe it was misplaced and should have been on line 106
instead (where, indeed, we now have flow where none appeared before).
2020-10-19 19:13:32 +02:00