hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-01 00:27:24 +01:00
Code Issues Packages Projects Releases Wiki Activity
19,777 Commits 1,673 Branches 157 Tags
codeql-cli/v2.4.4
Commit Graph

19777 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Max Schaefer
9a64224344 JavaScript: Cache portal computation. 2019-01-09 09:09:58 +00:00
Max Schaefer
2295353b56 JavaScript: Add ImportFromCSV to javascript.qll. 2019-01-09 09:09:58 +00:00
Max Schaefer
94242b3b94 JavaScript: Exclude step summary query from flow-summaries suite. 
In its current form, this query produces way too many results.
 2019-01-09 09:09:58 +00:00
Max Schaefer
fae419c5d2 JavaScript: Add guide to using summaries. 2019-01-09 09:09:58 +00:00
Max Schaefer
8e36c60326 JavaScript: Add a few examples that cause cyclic portals. 2019-01-09 09:09:58 +00:00
Max Schaefer
132570940a JavaScript: Add support for annotation comments specifying additional sources and sinks. 2019-01-09 09:09:58 +00:00
Max Schaefer
bdf29d010a JavaScript: Allow summary details to be omitted. 
If a summary does not specify a configuration, it is taken to apply to all configurations without custom sanitisers/barriers.

If a source summary does not specify a flow label, `data` is assumed.

If a sink summary does not specify a flow label, both `data` and `taint` are assumed.

Flow step summaries cannot omit flow labels.

Note that the standard extraction queries always provide explicit configurations and flow labels, and hence do not exercise this functionality.
 2019-01-09 09:09:58 +00:00
Max Schaefer
7c87c43511 JavaScript: Import flow summaries through external predicates. 2019-01-09 09:09:58 +00:00
Max Schaefer
90ad8e3858 JavaScript: Import flow summaries from CSV data. 2019-01-09 09:09:58 +00:00
Max Schaefer
f4fed3657d JavaScript: Add flow summary extraction queries. 2019-01-09 09:09:58 +00:00
Max Schaefer
6d893d4be7 JavaScript: Allow additional sources, sinks and steps to specify flow labels. 2019-01-09 09:09:57 +00:00
Max Schaefer
98a763ae4b JavaScript: Add QL library for modelling portals between npm packages. 2019-01-09 09:06:55 +00:00
Max Schaefer
7e7899faba JavaScript: Add predicate DataFlow::Node.getTopLevel(). 2019-01-09 09:05:11 +00:00
Max Schaefer
3e56e9eaf9 JavaScript: Add predicate AbstractCallable.getDefinition. 2019-01-09 09:05:09 +00:00
semmle-qlci
688647491e Merge pull request #727 from xiemaisi/js/restructure-sourcenode 
Approved by esben-semmle
 2019-01-09 08:01:26 +00:00
yh-semmle
b8f53b5c6a Merge pull request #733 from aschackmull/java/remove-old-dataflow 
Java: Remove old dataflow library.
 2019-01-08 14:59:27 -05:00
yh-semmle
d4f2a07a77 Merge pull request #732 from aschackmull/java/conditional-bypass-precision 
Java: Reduce precision of java/user-controlled-bypass.
 2019-01-08 14:58:58 -05:00
yh-semmle
b0364e3592 Merge pull request #729 from aschackmull/java/intmulttolong 
Java: Restrict attention to integral types in IntMultToLong.
 2019-01-08 14:40:22 -05:00
yh-semmle
a09394da1b Merge pull request #730 from aschackmull/java/gcd 
Java: Switch to built-in gcd.
 2019-01-08 14:38:05 -05:00
Robert Marsh
c39de75d3d C++: change in-predicate comment formatting 2019-01-08 09:34:29 -08:00
Robert Marsh
af8a3f2522 C++: expand a comment 2019-01-08 09:34:28 -08:00
Robert Marsh
0040a2d123 C++: respond to further PR comments 2019-01-08 09:34:28 -08:00
Robert Marsh
8c9c316e1b C++: performance and termination fixes 2019-01-08 09:34:27 -08:00
Robert Marsh
567eee1114 C++: allow phi nodes to self-bound 2019-01-08 09:34:27 -08:00
Robert Marsh
b2cd9a29f2 C++: add test for false comparisons 2019-01-08 09:34:26 -08:00
Robert Marsh
2f8ca8802b C++: switch to using ValueNumbers as bounds 
This reduces the number of bounds computed, and will simplify use of the
library. The resulting locations in the tests may be slightly strange,
because the example `Instruction` for a `ValueNumber` is the first
appearing in the IR, regardless of source order, and may not be the most
closely related `Instruction` to the bounded value. I think that's worth
doing for the performance and usability benefits.
 2019-01-08 09:34:26 -08:00
Robert Marsh
89148a9ec7 C++: respond to further PR comments 2019-01-08 09:34:26 -08:00
Robert Marsh
ae4ffd9166 C++: respond to PR comments, add some TODOs 2019-01-08 09:34:25 -08:00
Robert Marsh
fe32aea31f C++: fix/add comments 2019-01-08 09:34:25 -08:00
Robert Marsh
ed68f9150a C++: Initial implementation of new range analysis 2019-01-08 09:34:23 -08:00
Robert Marsh
a06a20dbab C++: move SimpleRangeAnalysis tests 2019-01-08 09:34:23 -08:00
Jonas Jensen
1be91b5df5 C++: Use IPA for Pos and Spec 
This is cleaner than extending `int` and working with magic numbers.
Performance appears to be unaffected.
 2019-01-08 16:23:11 +01:00
Anders Schack-Mulligen
0a9222b772 Java: Add change note. 2019-01-08 15:50:14 +01:00
Anders Schack-Mulligen
51f5198404 Java: Remove old dataflow library. 2019-01-08 13:52:24 +01:00
Asger F
45a5d0ee3a JS: autoformat 2019-01-08 12:30:07 +00:00
Asger F
6816f33a3d JS: Handle case-insensitive lodash imports 2019-01-08 12:29:28 +00:00
Jonas Jensen
dba3351d2c C++: Update comments based on PR feedback 2019-01-08 13:29:03 +01:00
Anders Schack-Mulligen
ab44e5603c Java: Reduce precision of java/user-controlled-bypass. 2019-01-08 13:07:34 +01:00
Anders Schack-Mulligen
06e48ca19f Java: Update test. 2019-01-08 11:57:54 +01:00
Max Schaefer
8951eaead3 JavaScript: Improve caching of getACallee and related predicates. 2019-01-08 09:42:44 +00:00
Max Schaefer
627583fffa JavaScript: Refactor UselessConditional for performance. 2019-01-08 09:40:49 +00:00
Anders Schack-Mulligen
9530eb6cdb Java: Switch to built-in gcd. 2019-01-08 10:07:51 +01:00
Max Schaefer
de429752d1 JavaScript: Restructure implementation of DataFlow::SourceNode. 
It now uses a facade pattern similar to `InvokeNode`: the range of the class is defined by an abstract class `DataFlow::SourceNode::Range`, while the actual behaviour is defined by the (no longer abstract) `SourceNode` class itself.

Clients that want to add new source nodes need to extend `DataFlow::SourceNode::Range`, those that want to refine the behaviour of existing source nodes should extend `DataFlow::SourceNode` itself.

While this is technically a breaking API change, I think separating the two aspects in this way is cleaner and makes it easier to use, and improves performance as well.
 2019-01-08 08:01:20 +00:00
semmle-qlci
8b8b352439 Merge pull request #715 from xiemaisi/js/autoformat 
Approved by asger-semmle
 2019-01-07 22:09:05 +00:00
Raul Garcia
18bb6696e0 Fixing conditional only issue. 
I changed  to detect any logical operation usage (i.e. !, ==), but I kept usage in a conditional directly as a separate detection condition. I found no false positives on the projects you shared with me previously.
 2019-01-07 10:44:11 -08:00
yh-semmle
0b19f41093 Merge pull request #728 from aschackmull/java/qltest-qlpath 
Java: Add .qlpath to the test dir.
 2019-01-07 11:34:45 -05:00
Taus Brock-Nannestad
f9c6b0eedc Add change note for 1.20 2019-01-07 15:35:19 +01:00
Taus Brock-Nannestad
9ac50186f6 Add a few more insecure versions 2019-01-07 15:24:15 +01:00
Taus Brock-Nannestad
1af503ab84 Address documentation comments. 2019-01-07 15:24:15 +01:00
Taus Brock-Nannestad
46973f4305 Support from ssl import PROTOCOL_.... 2019-01-07 15:24:15 +01:00