hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-14 23:14:59 +01:00
Code Issues Packages Projects Releases Wiki Activity
19,777 Commits 1,680 Branches 158 Tags
codeql-cli/v2.4.4
Commit Graph

19777 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Geoffrey White
7edaade175 C++: Improve QLDoc. 2020-06-17 12:11:42 +01:00
Erik Krogh Kristensen
cd111fe350 Merge pull request #3721 from asger-semmle/js/non-linear-pattern-msg 
JS: Improve alert message in js/non-linear-pattern
 2020-06-17 13:10:56 +02:00
Geoffrey White
0a9ec70c31 C++: Autoformat. 2020-06-17 11:54:50 +01:00
Erik Krogh Kristensen
b0be0eb805 fix qhelp links 2020-06-17 11:50:44 +02:00
Erik Krogh Kristensen
fa0a8c3423 add documentation examples as tests 2020-06-17 11:37:32 +02:00
Erik Krogh Kristensen
b42824640d add qhelp for js/exposure-of-private-files 2020-06-17 11:29:24 +02:00
Geoffrey White
f3e24963cb C++: Update QLDoc. 2020-06-17 10:27:34 +01:00
ubuntu
22cb45beab Merge remote-tracking branch 'upstream/master' 2020-06-17 11:13:13 +02:00
Erik Krogh Kristensen
345283fe34 add change note 2020-06-17 10:48:27 +02:00
Erik Krogh Kristensen
639907967f add home/rootdir as leaking folders 2020-06-17 10:46:42 +02:00
Erik Krogh Kristensen
6675ddae12 add more libraries that serve static files to js/exposure-of-private-files 2020-06-17 10:00:59 +02:00
Jonas Jensen
e0ba23d2c7 C++: @precision high for tainted-format-string* 
I think these queries have excellent results on lgtm.com. Many of the
results come from projects that use `sprintf` like it's a templating
engine, trusting that values from `argv` or `getenv` contain the correct
number of `%s`. I think we want to flag that.

The structure of the change note is modeled after 91af51cf46.
 2020-06-17 09:03:13 +02:00
Rasmus Lerchedahl Petersen
52898f16f5 Python: update paths after move 2020-06-17 08:34:45 +02:00
Rasmus Lerchedahl Petersen
47f5b04e87 Python: fix identical-files.json after move 
also more grouping
 2020-06-17 07:08:46 +02:00
Rasmus Lerchedahl Petersen
e192b66116 Python: move shared dataflow to experimental 2020-06-17 06:46:46 +02:00
luchua-bc
f40e27a3c5 Hardcoded AWS credentials 2020-06-17 02:46:02 +00:00
Erik Krogh Kristensen
fb5e13b456 Apply suggestions from doc review 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2020-06-16 23:45:45 +02:00
Erik Krogh Kristensen
d811518a2e fixed from doc review, and add fixed example for js/biased-cryptographic-random using a secure library 2020-06-16 23:26:54 +02:00
Dave Bartolomeo
8e977dc6bf C++/C#: Move overrides of IRType::getByteSize() into leaf classes 
See https://github.com/github/codeql/pull/2272. I've added code comments in all of the places that future me will be tempted to hoist these overrides.
 2020-06-16 16:48:42 -04:00
Dave Bartolomeo
24c3110989 Merge from master 2020-06-16 16:37:38 -04:00
Erik Krogh Kristensen
210e71cd93 update expected output 2020-06-16 21:52:59 +02:00
Robert Marsh
ef940e815f C++: Add comment for false positives in swap tests 2020-06-16 11:46:14 -07:00
Robert Marsh
0c99b3644c C++: remove false negative comments in swap tests 2020-06-16 11:33:26 -07:00
Robert Marsh
1c9b6f0a48 Merge branch 'master' into ir-this-parameter-2 
Accept test changes - dataflow changes are all positive
 2020-06-16 11:28:49 -07:00
Geoffrey White
3d75d287a9 C++: Split MemberFunction.qll from Function.qll. 2020-06-16 17:40:46 +01:00
ubuntu
3104f8a37b Remove Fields in PostMessageEvent 2020-06-16 18:30:00 +02:00
Alessio Della Libera
68b2a6c848 Update javascript/ql/src/experimental/Security/CWE-020/PostMessageNoOriginCheck.ql 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2020-06-16 18:27:21 +02:00
Alessio Della Libera
8843522d14 Update javascript/ql/src/experimental/Security/CWE-020/PostMessageNoOriginCheck.ql 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2020-06-16 18:26:42 +02:00
Alessio Della Libera
72dc6510b2 Update javascript/ql/src/experimental/Security/CWE-020/PostMessageNoOriginCheck.ql 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2020-06-16 18:22:55 +02:00
Robert Marsh
ab327b989d Merge pull request #3713 from MathiasVP/flow-diff-test 
C++: Add test for differences between AST and IR field flow
 2020-06-16 09:09:46 -07:00
Erik Krogh Kristensen
ac1a0d9925 Merge pull request #3725 from erik-krogh/yargs-changenote 
JS: add changenote for yargs
 2020-06-16 16:28:43 +02:00
Erik Krogh Kristensen
02c825351c add change note for js/bad-code-sanitization 2020-06-16 16:25:30 +02:00
Erik Krogh Kristensen
5ce17bea60 add qhelp for js/bad-code-sanitization 2020-06-16 16:23:41 +02:00
Jonas Jensen
e5e373cff2 Merge pull request #3673 from MathiasVP/assign-op-using-swap 
C++: Add tests for taint through swap
 2020-06-16 15:43:52 +02:00
Rasmus Lerchedahl Petersen
0f77403f0e Python: small start on global flow 
need to actually have `OutNode`s
 2020-06-16 15:36:03 +02:00
Erik Krogh Kristensen
a0951f76b6 add additional taint steps when type-tracking RemoteFlowSource 2020-06-16 14:55:07 +02:00
semmle-qlci
07bff646d8 Merge pull request #3641 from asger-semmle/js/pre-call-graph-steps 
Approved by erik-krogh
 2020-06-16 13:41:55 +01:00
Erik Krogh Kristensen
cb5b946546 add changenote for yargs 2020-06-16 14:37:53 +02:00
Jonas Jensen
17737cd872 C++: Account for unreachable blocks in guards 
This restores the code I removed in 4642037dc.
 2020-06-16 14:33:12 +02:00
Rasmus Lerchedahl Petersen
f3e879a5ab Python: small test of local flow 2020-06-16 14:31:22 +02:00
Erik Krogh Kristensen
696879653a add qhelp to js/biased-cryptographic-random 2020-06-16 11:10:09 +02:00
lcartey@github.com
2978af34cd Java: Add RestTemplate as flow source. 2020-06-16 09:50:37 +01:00
lcartey@github.com
f2edc53144 Java: Add Spring RestTemplate return values to untrusted data types 
- Also improve unwrapping of lists/arrays/maps etc.
 2020-06-16 09:50:37 +01:00
lcartey@github.com
9625e82afd Java: Model Spring WebClients/RestTemplates. 2020-06-16 09:50:37 +01:00
lcartey@github.com
cd6339f5cd Java: Add Spring flow out of HttpEntity and HttpHeader 2020-06-16 09:50:36 +01:00
lcartey@github.com
93c28d4c03 Java: Add taint step to flow through Spring tainted user data class 
getters.
 2020-06-16 09:50:36 +01:00
lcartey@github.com
8678d5fc6f Java: Model untrusted user data types 
Model the datatypes that may be populated on demand from request
parameters.
 2020-06-16 09:50:36 +01:00
lcartey@github.com
8bd5f748b4 Java: SpringController - handle non-string literal produces values. 2020-06-16 09:50:36 +01:00
lcartey@github.com
0db7cead31 Java: Model taint flow through ResponseEntity. 2020-06-16 09:50:35 +01:00
lcartey@github.com
f6b2accabd Java: Model ResponseEntity.BodyBuilder 2020-06-16 09:50:35 +01:00