hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-17 00:14:51 +01:00
Code Issues Packages Projects Releases Wiki Activity
19,777 Commits 1,679 Branches 158 Tags
codeql-cli/v2.4.4
Commit Graph

19777 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rasmus Wriedt Larsen
87d7738b6e Python: Expand QLDoc for get[Named]ArgumentForCall 2020-05-05 09:54:54 +02:00
Erik Krogh Kristensen
4b8b0cb379 update expected output 2020-05-05 09:13:21 +02:00
Erik Krogh Kristensen
7af19559d4 add test case for location.split("?")[0] for DomBasedXss 2020-05-05 09:13:21 +02:00
Erik Krogh Kristensen
4dcf944ccd use StringSplitCall in TaintedPath 2020-05-05 09:13:21 +02:00
Erik Krogh Kristensen
22ec12b130 use split("?")[0] sanitizer is both DomBasedXSS and ClientSideUrlRedirect 2020-05-05 09:13:21 +02:00
Erik Krogh Kristensen
89f45372d1 introduce StringSplitCall and use it 2020-05-05 09:13:15 +02:00
Rasmus Wriedt Larsen
061bbb82f5 Python: Restructure getNamedArgumentForCall 
So it matches the structure of getArgumentForCall -- call.getArgByName first!
 2020-05-05 09:00:55 +02:00
Cornelius Riemenschneider
264763080e Autoformat, address review. 2020-05-05 08:52:52 +02:00
John Doe
337be9c2e0 ssti query and help updated 2020-05-05 03:58:29 +03:00
John Doe
09922e5bb4 Merge branch 'master' of github.com:monkey-junkie/codeql 2020-05-05 03:44:23 +03:00
John Doe
895aa622bf ssti updated 2020-05-05 03:37:43 +03:00
monkey-junkie
cd18842aa5 Update javascript/ql/src/experimental/Security/CWE-94/ServerSideTemplateInjection.qhelp 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2020-05-05 02:15:58 +03:00
monkey-junkie
a60660617f Update javascript/ql/src/experimental/Security/CWE-94/ServerSideTemplateInjection.qhelp 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2020-05-05 02:15:00 +03:00
Rasmus Wriedt Larsen
838106d49c Python: Refactor get[Named]ArgumentForCall 
Also fixed a bug for BoundMethodValue, as highlighted in the expected diff 👍
 2020-05-04 20:51:23 +02:00
Rasmus Wriedt Larsen
bc92c26e12 Python: Add BoundMethodValue 2020-05-04 20:51:12 +02:00
Rasmus Wriedt Larsen
96fdb7a5b6 Python: Add tests for getParameter[byName] 
These already have results for BoundMethodValue, although

1) it's a bit strange that `getParameter(-1)` has results
2) why does `Method(Function C.n, class C)` exists? this would only be relevant
if `n` was a classmethod, but it isn't. It's not a problem that it exsits per
se, but curious.
 2020-05-04 20:51:04 +02:00
Rasmus Wriedt Larsen
e9859ad96d Python: Fix getArgumentForCall when using keyword arguments 
Yikes :|
 2020-05-04 20:50:56 +02:00
Rasmus Wriedt Larsen
acb506db21 Python: Add test for getNamedArgumentForCall 
and rename the one for getArgumentForCall
 2020-05-04 20:50:32 +02:00
Rasmus Wriedt Larsen
9ec32ee1c1 Python: Add test-cases using keyword arguments 2020-05-04 20:50:19 +02:00
Rasmus Wriedt Larsen
fc0b0221f0 Python: Add test-cases for BuiltinFunction and BuiltinMethod 2020-05-04 20:50:14 +02:00
Rasmus Wriedt Larsen
f624754390 Python: Use Value in GetACAll test 
That was not possible when using the old Object-API, but in Value-API getACall
is defined on all Values.
 2020-05-04 20:50:06 +02:00
Rasmus Wriedt Larsen
06b67e0d32 Python: Modernise test/library-tests/PointsTo/calls/* 2020-05-04 20:49:57 +02:00
Rasmus Wriedt Larsen
a5289bd708 Python: Use Object in CallRefersTo test 
Since other things than FunctionObject can be called ;)
 2020-05-04 20:49:47 +02:00
Rasmus Wriedt Larsen
7b8b4af6d2 Python: Add test for call.getFunction().refersTo 
Showing that
`call.getFunction().refersTo(func)` gives different results from
`call = func.getACall()`
 2020-05-04 20:49:19 +02:00
Geoffrey White
511d7c9199 C++: Improve solution for UsingDeclarationEntry. 2020-05-04 18:01:29 +01:00
Geoffrey White
3d431607e7 C++: Combine the usings tests and add detail about classes. 2020-05-04 17:48:42 +01:00
Geoffrey White
9fc37d174e C++: Update the 'usings' tests. 2020-05-04 17:46:26 +01:00
Erik Krogh Kristensen
eb7e0d6a62 still flag single-expression files that contain a function 2020-05-04 18:37:26 +02:00
Jason Reed
c34fa840a2 Python: Use NiceLocationExpr::hasLocationInfo for ide jump-to-def 2020-05-04 11:36:54 -04:00
Jason Reed
b0f72ebb56 Python: Refactor definitions query, add queries for ide search 
This enables jump-to-definition and find-references in the VS Code
extension, for python source archives.
 2020-05-04 11:27:30 -04:00
Nick Rolfe
ae913fbf56 C++: update expected output to include field attribute 2020-05-04 16:17:59 +01:00
Calum Grant
a01ef83312 Merge pull request #3270 from hvitved/csharp/dataflow/library-field-flow 
C#: Field-sensitive summaries for library code
 2020-05-04 16:11:18 +01:00
Mathias Vorreiter Pedersen
a98135093f Merge pull request #3400 from jbj/fieldFlow-join-order 
C++: Fix fieldFlow join order
 2020-05-04 17:07:55 +02:00
Nick Rolfe
124ea86d65 C++: add test for attributes on fields 2020-05-04 15:12:49 +01:00
Tom Hvitved
c7763e69e5 C#: Add comments to LibraryCodeNode::get{Predecessor|Successor}() 2020-05-04 13:46:52 +02:00
Bt2018
3b1dad84b3 The query help builder will interpret and automatically add the reference so this isn't needed here. And one typo is corrected. 2020-05-04 07:39:45 -04:00
Bt2018
5c803b70c5 The query help builder will interpret and automatically add this reference so this isn't needed here. 2020-05-04 07:05:15 -04:00
Bt2018
a6c9c5117f Update java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2020-05-04 06:58:34 -04:00
Bt2018
a2560656d5 Update java/ql/src/experimental/CWE-532/SensitiveInfoLog.qhelp 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2020-05-04 06:57:42 -04:00
Jonas Jensen
50b0d426ee C++: Fix fieldFlow join order 
The `fieldFlow` predicate contained a fragile join that has become
ordered wrong recently, either as result of an unrelated change in the
data-flow library or as part of the stats change for the last dbscheme
change.

The minimal fix is to use `getEnclosingCallable` instead of
`getFunction` since the former uses `unique` to ensure good join
ordering in its callers. A longer-term fix should be applied to the AST
base libraries, but this will be invasive and require independent
testing.

Tuple counts on Wireshark before (cancelled after a few minutes):

    (747s) Starting to evaluate predicate DataFlowUtil::localFlowStep#ff/2@bdba82
    (848s) Tuple counts for DataFlowUtil::localFlowStep#ff:
    1766640980 ~1%        {2} r1 = JOIN DataFlowUtil::Node::getFunction_dispred#ff_10#join_rhs AS L WITH DataFlowUtil::Node::getFunction_dispred#ff_10#join_rhs AS R ON FIRST 1 OUTPUT L.<1>, R.<1>
    1327       ~0%        {2} r2 = JOIN r1 WITH project#DataFlowImplLocal::Configuration::hasFlow#fbb AS R ON FIRST 2 OUTPUT r1.<0>, r1.<1>
    9691232    ~0%        {2} r3 = DataFlowUtil::simpleLocalFlowStep#ff@staged_ext \/ r2
                          return r3

After:

    (0s) Starting to evaluate predicate DataFlowUtil::localFlowStep#ff/2@a852a0
    (0s) Tuple counts for DataFlowUtil::localFlowStep#ff:
    49017    ~4%     {3} r1 = JOIN project#DataFlowImplLocal::Configuration::hasFlow#fff AS L WITH DataFlowUtil::Node::getEnclosingCallable_dispred#ff AS R ON FIRST 1 OUTPUT L.<1>, R.<1>, R.<0>
    42359    ~0%     {2} r2 = JOIN r1 WITH DataFlowUtil::Node::getEnclosingCallable_dispred#ff AS R ON FIRST 2 OUTPUT r1.<2>, r1.<0>
    9732264  ~0%     {2} r3 = DataFlowUtil::simpleLocalFlowStep#ff@staged_ext \/ r2
                     return r3
 2020-05-04 12:14:07 +02:00
Rasmus Wriedt Larsen
16e9d76e22 Merge branch 'master' into python-keyword-only-args 2020-05-04 11:49:00 +02:00
Mithrilwoodrat
a7960c3385 Update java/ql/src/experimental/Security/CWE/CWE-1004/InsecureTomcatConfig.qhelp 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2020-05-04 17:48:41 +08:00
Jonas Jensen
2b0ad2df6f Merge pull request #3185 from github/geoffw0-patch-1 
Add details about query tagging to supported-queries.md
 2020-05-04 11:41:35 +02:00
semmle-qlci
a805a63443 Merge pull request #3357 from erik-krogh/YetAnotherPerformancePatch 
Approved by asgerf, esbena
 2020-05-04 10:05:34 +01:00
semmle-qlci
a0800cecc4 Merge pull request #3386 from erik-krogh/lessJQueryChaining 
Approved by asgerf
 2020-05-04 09:16:17 +01:00
Erik Krogh Kristensen
9a7f8d97d2 change note 2020-05-04 09:49:20 +02:00
Erik Krogh Kristensen
659d40e08d add test to make sure sanitizer is not too broad 2020-05-04 09:49:14 +02:00
Erik Krogh Kristensen
c56063f857 recognize more split("?") sanitizers 2020-05-04 09:48:50 +02:00
Erik Krogh Kristensen
291134be66 add failing test 2020-05-04 09:48:29 +02:00
Tom Hvitved
a4d933d1d6 C#: More results for cs/web/missing-x-frame-options 
Report an alert in _any_ `Web.config` file, as long as it does not have an
`X-Frame-Options` entry (as opposed to only reporting alerts when _all_
`Web.config` files lack the entry).
 2020-05-04 09:17:08 +02:00