hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-30 23:58:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
19,777 Commits 1,673 Branches 157 Tags
codeql-cli/v2.4.4
Commit Graph

19777 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mark Shannon
2ac2233e69 Add change note for enhance visibility of security alerts and conversion to path-queries. 2018-11-22 11:01:35 +00:00
Jonas Jensen
75873bb4a6 C++: Detect non-allocating placement new 
This adds a `NewOrNewArrayExpr.getPlacementPointer` predicate and uses
it in `Alloc.qll` to detect when a `new`-expression is not an
allocation.

User-defined replacements for `operator new` may not be allocations
either, but the code continues to assume that they are. It's possible
that we want to change this assumption in the future or leave it up to
individual queries to decide on which side to err. It's hard to
statically tell whether `operator new` has been overloaded in a
particular file because it can be overloaded by a definition that is not
in scope but is only linked together with that file.
 2018-11-22 11:31:19 +01:00
Felicity Chapman
8cad0b6ef1 Update qhelp for consistency 2018-11-22 10:25:41 +00:00
Asger F
61ef6552c3 JS: handle both data() and taint() source labels 2018-11-22 09:59:31 +00:00
Jonas Jensen
a17debac3e C++: Placement-new tests for MemoryNeverFreed.ql 2018-11-22 10:48:18 +01:00
Jonas Jensen
e062851709 Merge pull request #517 from dave-bartolomeo/dave/IRFilter 
C++: Don't generate IR for functions with bad ASTs
 2018-11-22 10:02:18 +01:00
Max Schaefer
733acaccfa Merge pull request #506 from esben-semmle/js/optional-chaining-extractor-and-ql 
JS: Optional chaining support in extractor and ql
 2018-11-22 07:41:51 +00:00
Jonas Jensen
1739cab896 Merge pull request #504 from geoffw0/more-change-notes 
CPP: Change notes
 2018-11-22 08:30:20 +01:00
Jonas Jensen
220487bb32 C++: Deprecate queries using VCS.qll 
One query imported VCS.qll for no reason, so I removed the import
instead of deprecating the query.
 2018-11-22 08:21:49 +01:00
Jonas Jensen
70e9d11fd2 Merge pull request #509 from dave-bartolomeo/dave/ConditionDeclExpr 
C++: IR support for ConditionDeclExpr
 2018-11-22 08:03:14 +01:00
Dave Bartolomeo
beb9c9c054 C++: Sync identical files 2018-11-21 16:51:47 -08:00
Dave Bartolomeo
97fd7b46cc C++: Add tests for filtering bad ASTs 2018-11-21 16:39:08 -08:00
Dave Bartolomeo
7db36b2a22 C++: Skip IR translation for functions with invalid ASTs 
An slightly invalid AST can cause IR construction to generate extremely bad IR. This change provides a single place to detect invalid ASTs, and to skip IR construction for the affected functions.
 2018-11-21 16:01:19 -08:00
Dave Bartolomeo
03802ed409 C++: Allow filtering of IR creation to speed up dumps 
This change provides a mechanism by which a query can tell the IR package to only create IR for certain functions. This is mostly useful for "PrintIR.qll", which uses this feature to avoid the expense of creating IR for functions that aren't going to be printed.
 2018-11-21 16:01:12 -08:00
calum
3eae1cd500 C#: Update test outputs. 2018-11-21 17:28:48 +00:00
semmle-qlci
62db19bee7 Merge pull request #492 from geoffw0/offsetuse 
Approved by dave-bartolomeo
 2018-11-21 17:26:48 +00:00
semmle-qlci
4e72a08b8d Merge pull request #507 from esben-semmle/js/mixed-static-intance-this-access-inheritance 
Approved by xiemaisi
 2018-11-21 16:07:25 +00:00
semmle-qlci
f5d3274655 Merge pull request #508 from esben-semmle/js/indirect-global-call-with-default-arguments 
Approved by xiemaisi
 2018-11-21 16:06:46 +00:00
semmle-qlci
746b13a1bc Merge pull request #510 from xiemaisi/js/exclude-minified 
Approved by asger-semmle
 2018-11-21 16:06:22 +00:00
Jonas Jensen
a4bd586907 Merge pull request #456 from geoffw0/query-tags 
CPP: Query tags 1
 2018-11-21 16:13:23 +01:00
Geoffrey White
1b69006c20 CPP: Combine two of the Missing return statement change notes. 2018-11-21 15:09:09 +00:00
Taus
24bf2922e0 Merge pull request #515 from markshannon/python-add-metadata 
Python tests: Add missing metadata files.
 2018-11-21 15:45:32 +01:00
Taus
13d130dad0 Merge pull request #514 from markshannon/python-remove-architect-tests 
Python tests: Remove some obsolete tests.
 2018-11-21 15:45:21 +01:00
Geoffrey White
cab6f1e87c CPP: Backticks. 2018-11-21 14:39:22 +00:00
Mark Shannon
527c95cd0b Python tests: Add missing metadata files. 2018-11-21 14:39:18 +00:00
Asger F
27c9326e70 JS: address doc review 2018-11-21 14:19:14 +00:00
Mark Shannon
976fed76b9 Python tests: Remove some obsolete tests. 2018-11-21 14:18:46 +00:00
ian-semmle
366934f884 Merge pull request #350 from geoffw0/cpp-205-detail 
CPP: Add detail to the CPP-205 test
 2018-11-21 13:30:53 +00:00
Jonas Jensen
4e2d40aad8 Merge pull request #484 from geoffw0/limitedscopefile 
CPP: Fix Limitedscopefile.ql
 2018-11-21 14:30:48 +01:00
Esben Sparre Andreasen
72c4ef4d90 JS: fixup optional chaining on CallWithNonLocalAnalyzedReturnFlow 2018-11-21 14:18:14 +01:00
Geoffrey White
b4846dc995 CPP: Modify NVIHub.ql. 2018-11-21 13:11:08 +00:00
Asger F
8c7e19567b JS: fix string value of taint configuration 2018-11-21 12:35:35 +00:00
calum
69ab1ed5bd C#: Add nodes predicate to all path queries. 2018-11-21 12:35:05 +00:00
Asger F
4ae2493798 JS: rename query to Unsafe Dynamic Method Access 2018-11-21 12:34:18 +00:00
Max Schaefer
19aa12106c JavaScript: Teach AutoBuild to exclude minified files from extraction by default . 
This adds default exclusion filters for `**/*.min.js` and `**/*-min.js` to the JavaScript auto-builder, meaning that files matching these patterns will no longer be extracted,
unless they are re-included in the `.lgtm.yml` file.

Alerts in minified code aren't shown by default anyway, so we can save ourselves some work by not analyzing them in the first place.

While including minified files in the snapshot can in theory improve analysis results in non-minified files, this is likely to be rare in practice.
 2018-11-21 12:27:39 +00:00
calumgrant
1b12e845c5 Merge pull request #491 from hvitved/csharp/cfg/split-negation 
C#: Fix two bugs in Boolean CFG splitting
 2018-11-21 11:48:08 +00:00
calum
8c753d7e94 C#: Fix ReDoS query. 2018-11-21 11:15:55 +00:00
Asger F
cb832b1de9 Merge branch 'unsafe-global-object-access' of github.com:asger-semmle/ql into unsafe-global-object-access 2018-11-21 11:14:21 +00:00
Asger F
84d642612e JS: more comments 2018-11-21 11:14:13 +00:00
Max Schaefer
fa761c07bd Update javascript/ql/src/Security/CWE-094/MethodNameInjection.ql 
Co-Authored-By: asger-semmle <42069257+asger-semmle@users.noreply.github.com>
 2018-11-21 10:55:38 +00:00
Jonas Jensen
f177e348bd Merge pull request #471 from geoffw0/query-tags-2 
CPP: Query tags 2 (JSF queries)
 2018-11-21 11:43:29 +01:00
Pavel Avgustinov
5cd3a9c40d Merge pull request #500 from markshannon/python-python-security-queries-to-high 
Python: Set precision of security queries to 'high'
 2018-11-21 09:41:38 +00:00
Esben Sparre Andreasen
caea6212ed JS: use inheritance in js/mixed-static-instance-this-access 2018-11-21 09:48:37 +01:00
Esben Sparre Andreasen
01ad9ed8bc JS: address review comments 2018-11-21 09:19:20 +01:00
Dave Bartolomeo
3715215b3f C++: Add IR support for ConditionalDeclExpr 
Also fixes several places in the library that weren't handling `ConditionalDeclExpr`  correctly.
 2018-11-21 00:14:44 -08:00
Esben Sparre Andreasen
41b45352aa JS(ql): support optional chaining 2018-11-21 08:57:10 +01:00
Esben Sparre Andreasen
00587ba7b4 JS(extractor): support optional chaining 2018-11-21 08:57:10 +01:00
Dave Bartolomeo
07f9fe6ee4 C++: Add Uninitialized instruction for list-initialized variables 
This commit inserts an `Uninitialized` instruction to "initialize" a local variable when that variable is initialized with an initializer list. This ensures that there is always a definition of the whole variable before any read or write to part of that variable.

This change appears in a different form in @rdmarsh2's Chi node PR, but I needed to refactor the initialization code anyway to handle ConditionDeclExpr.
 2018-11-20 16:12:44 -08:00
Tom Hvitved
8233e34ba2 C#: Fix Boolean splitting for variables defined in a loop 2018-11-20 21:22:00 +01:00
Tom Hvitved
89d5daa137 C#: Fix Boolean splitting negation bug 2018-11-20 21:22:00 +01:00