hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-06 19:20:25 +01:00
Code Issues Packages Projects Releases Wiki Activity
19,777 Commits 1,675 Branches 157 Tags
codeql-cli/v2.4.4
Commit Graph

19777 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mathias Vorreiter Pedersen
53da751b15 C++: Accept tests 2020-09-18 17:12:27 +02:00
Mathias Vorreiter Pedersen
b6b17fe95e C++: Add a read and store step that replace ArrayContent with FieldContent when we realize that the target of a store is a field. 2020-09-18 17:12:09 +02:00
Joe
9baf2b9eff Fix cartesian product 2020-09-18 15:42:03 +01:00
Tom Hvitved
dff9f8264b Merge pull request #4296 from hvitved/csharp/useless-upcast-nomagic 
C#: Avoid bad magic in `UselessUpcast.ql`
 2020-09-18 16:24:20 +02:00
Joe
abb1731be7 Java: Simplify the implementation of ExecTainted 2020-09-18 15:21:03 +01:00
Anders Schack-Mulligen
b3bf570fb7 Merge pull request #4301 from lcartey/java/update-cwe-claims 
Java: Update some CWE claims
 2020-09-18 16:08:40 +02:00
Joe
3cc38feebc Fix a couple of typos in QLDoc comments 2020-09-18 14:51:38 +01:00
Mathias Vorreiter Pedersen
b4edbe4773 Merge pull request #4298 from MathiasVP/field-conflation-with-array-content 
C++: Add test demonstrating field conflation after merging #4230
 2020-09-18 15:16:33 +02:00
Anders Schack-Mulligen
4f9d2f118d Merge pull request #4288 from joefarebrother/printAST-java 
Java: Add a container node for Imports in the PrintAst view
 2020-09-18 14:17:26 +02:00
Tom Hvitved
aac2e0ebfb C#: Avoid bad magic in RuntimeChecksBypass.ql 
Before:

```
[2020-09-18 14:03:57] (2587s) Tuple counts for RuntimeChecksBypass::uncheckedWrite#bbf#antijoin_rhs#1:
                      1270       ~8%     {2} r1 = SCAN RuntimeChecksBypass::uncheckedWrite#bbf#shared AS I OUTPUT I.<1>, I.<0>
                      188197390  ~0%     {3} r2 = JOIN r1 WITH #Callable::Callable::calls_dispred#bfPlus AS R ON FIRST 1 OUTPUT R.<1>, r1.<1>, r1.<0>
                      2425784042 ~1%     {3} r3 = JOIN r2 WITH Expr::Expr::getEnclosingCallable_dispred#ff_10#join_rhs AS R ON FIRST 1 OUTPUT r2.<1>, R.<1>, r2.<2>
                      58         ~9%     {2} r4 = JOIN r3 WITH project#RuntimeChecksBypass::checkedWrite#bfff AS R ON FIRST 2 OUTPUT r3.<0>, r3.<2>
                                         return r4
```

After:

```
[2020-09-18 14:08:48] (5s) Tuple counts for RuntimeChecksBypass::uncheckedWrite#fff#antijoin_rhs:
                      24704473 ~2%      {2} r1 = SCAN DataFlowPublic::localExprFlow#ff AS I OUTPUT I.<1>, I.<0>
                      23784154 ~6%      {4} r2 = JOIN r1 WITH Expr::Expr::getEnclosingCallable_dispred#ff AS R ON FIRST 1 OUTPUT r1.<1>, 28, R.<0>, R.<1>
                      201391   ~2%      {2} r3 = JOIN r2 WITH expressions AS R ON FIRST 2 OUTPUT r2.<2>, r2.<3>
                      23784154 ~0%      {3} r4 = JOIN r1 WITH Expr::Expr::getEnclosingCallable_dispred#ff AS R ON FIRST 1 OUTPUT r1.<1>, R.<0>, R.<1>
                      1065242  ~20%     {2} r5 = JOIN r4 WITH expr_value AS R ON FIRST 1 OUTPUT r4.<1>, r4.<2>
                      1266633  ~16%     {2} r6 = r3 \/ r5
                                        return r6
```
 2020-09-18 14:15:30 +02:00
Jonas Jensen
6463a94258 Merge pull request #4297 from github/igfoo/compileTimeConstantInt 
C++: Improve `compileTimeConstantInt`
 2020-09-18 13:58:16 +02:00
lcartey@github.com
2c6f587ee9 Java: Add coverage claim for CWE 193 (off by one) 2020-09-18 12:51:24 +01:00
lcartey@github.com
39200566c3 Java: Update CWE claims for XXE. 
This matches the claims in the C# equivalent.
 2020-09-18 12:30:52 +01:00
Mathias Vorreiter Pedersen
b40941b89c C++: Add test demonstrating field conflation after merging #4230 2020-09-18 13:23:23 +02:00
Tom Hvitved
4090859207 C#: Avoid bad magic in UselessUpcast.ql 2020-09-18 12:14:52 +02:00
Joe
3258134098 Java: Remove superfluous conjunct 2020-09-18 10:41:06 +01:00
lcartey@github.com
32f43a84be Java: Add CWE 564 (SQL Injection: Hibernate) 2020-09-18 10:20:21 +01:00
Jonas Jensen
c67605f15c Merge pull request #4230 from MathiasVP/mathiasvp/array-field-flow 
C++: Replace `field -> object` taint rule with `ArrayContent` dataflow
 2020-09-18 10:56:51 +02:00
Mathias Vorreiter Pedersen
8c615ece8a Merge pull request #4292 from MathiasVP/mathiasvp/cache-simpleLocalFlowStep 
C++: Cache simpleLocalFlowStep instead of simpleInstructionLocalFlowStep
 2020-09-18 10:18:21 +02:00
Mathias Vorreiter Pedersen
3ef6e8a580 Merge pull request #4283 from geoffw0/stringstream4 
C++: Model getline
 2020-09-18 10:17:47 +02:00
Erik Krogh Kristensen
0b16f81f8b improve performance by using RouteHandlerCandidate 2020-09-18 09:29:13 +02:00
Erik Krogh Kristensen
b4e75bf567 update expected output 2020-09-18 09:29:13 +02:00
Erik Krogh Kristensen
1f95311342 further loosen the RouteHandlerCandidate heuristic 2020-09-18 09:29:13 +02:00
Erik Krogh Kristensen
3eaa56ed60 support containers with decorated route handlers 2020-09-18 09:29:08 +02:00
Erik Krogh Kristensen
c087e94d47 add additional indirect route-handler steps 2020-09-18 09:26:33 +02:00
Erik Krogh Kristensen
02c1d689e4 support indirect route-handlers for NodeJS 2020-09-18 09:26:33 +02:00
Erik Krogh Kristensen
dafcd59148 add another indirect route-handler test 2020-09-18 09:26:33 +02:00
Erik Krogh Kristensen
43e5c0212c add basic support for indirect route handlers 2020-09-18 09:26:33 +02:00
Robert Marsh
3a83cc71fe C++: use qualifier flow in more models 2020-09-17 18:03:02 -07:00
Robert Marsh
556ace004f C++: use qualifiers in string constructor model 2020-09-17 17:39:50 -07:00
Robert Marsh
6b7b64d7be C++: IR data and taint flow through qualifiers 2020-09-17 17:10:11 -07:00
Robert Marsh
f73ff988e0 C++: improve cast and ptr handling in taint test 2020-09-17 16:55:36 -07:00
Mathias Vorreiter Pedersen
c6ff805a07 C++: Cache simpleLocalFlowStep instead of simpleInstructionLocalFlowStep 2020-09-17 21:13:02 +02:00
Robert Marsh
3d07ba9d0b Merge pull request #4290 from MathiasVP/mathiasvp/fix-join-order-in-single-field-flow 
C++: Fix bad join order introduced by #4270
 2020-09-17 14:52:59 -04:00
Mathias Vorreiter Pedersen
8e1d9e0996 C++: Fix bad join order introduced by #4270 2020-09-17 19:23:01 +02:00
Joe
9c643ec1cd Java: Fix formatting 2020-09-17 17:46:05 +01:00
Joe
69fd579dfd Java: Fix QLDoc 2020-09-17 17:37:16 +01:00
Joe
2da6234317 Java: Fix QLDoc 2020-09-17 17:31:24 +01:00
Joe
6d0df7cb3a Java: Add a container node for Imports in the PrintAst view 2020-09-17 17:29:36 +01:00
Joe
810baad63f Java: Fix formatting 2020-09-17 17:13:55 +01:00
Joe
fcfc836720 Java: Add tests for ExecTainted 2020-09-17 16:47:55 +01:00
Joe
b6cf1cce20 Java: Make the equivalent changes to ExecTaintedLocal 2020-09-17 15:53:04 +01:00
Joe
6bfc0afaeb Java: Improve the ExecTainted query 2020-09-17 15:39:35 +01:00
Ian Lynagh
c7b6374e55 C++: Improve compileTimeConstantInt 
It is possible for the frontend to make
    (bool)e
where e has a constant value 0, but the (implicit) cast has no constant
value. This was causing us to not understand assume(0) correctly.

Now compileTimeConstantInt will handle casts itself if necessary.
 2020-09-17 14:51:50 +01:00
Geoffrey White
5cc11f1c44 C++: Additional model for 'this' flow through chains. 2020-09-17 14:12:30 +01:00
Geoffrey White
73399cb5f7 C++: Model GetLine. 2020-09-17 14:05:43 +01:00
Geoffrey White
2c15e6f934 C++: Add test cases. 2020-09-17 13:43:07 +01:00
Mathias Vorreiter Pedersen
63afe1da78 Merge pull request #4276 from geoffw0/stringstream3 
C++: More stringstream models.
 2020-09-17 14:19:52 +02:00
Taus Brock-Nannestad
f93c44a688 Python: Fix typo 2020-09-17 13:26:55 +02:00
Taus Brock-Nannestad
1d462ae156 Python: Fix misnamed variable. 2020-09-17 13:22:27 +02:00