hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-27 22:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
21,651 Commits 1,673 Branches 157 Tags
codeql-cli/v2.5.2
Commit Graph

21651 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
yoff
1670fa0d0e Update python/change-notes/2021-02-23-port-insecure-default-protocol.md 2021-02-26 18:39:49 +01:00
yoff
9a9bda17ed Update python/change-notes/2021-02-23-port-insecure-default-protocol.md 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-02-26 18:38:35 +01:00
Erik Krogh Kristensen
af7a188bbd add change note 2021-02-26 17:18:30 +01:00
Erik Krogh Kristensen
214aa072b9 support host for http-proxy client requests 2021-02-26 17:18:29 +01:00
Erik Krogh Kristensen
cc48172fd8 add support for events in http-proxy 2021-02-26 17:17:47 +01:00
Erik Krogh Kristensen
ede1a40a02 add ClientRequst models for http-proxy 2021-02-26 17:17:46 +01:00
CodeQL CI
b7c0d18c4a Merge pull request #5278 from erik-krogh/formData 
Approved by asgerf
 2021-02-26 08:13:41 -08:00
Rasmus Wriedt Larsen
a387496832 Python: Highlight how request.uri works in Tornado 2021-02-26 16:23:21 +01:00
Erik Krogh Kristensen
ae051af9d8 remove redundant code 2021-02-26 14:15:30 +01:00
CodeQL CI
0e70b58a41 Merge pull request #5205 from erik-krogh/ts42 
Approved by asgerf
 2021-02-26 05:06:40 -08:00
Porcupiney Hairs
42a84a18b0 JAVA : Add query to detect Apache Structs enabled DEvmode 
This query detects cases where the development mode is enabled for a
struts configuration. I can't find a CVE per se but, at present, [Github's fuzzy search](https://github.com/search?q=%3Cconstant+name%3D%22struts.devMode%22+value%3D%22true%22+%2F%3E+language%3Axml&type=Code) returns more
than 44000 results. Some of them look like they are classroom projects,
so they may be ineligible for a CVE. But we should be flagging them
anyways as setting the development on in a production system is a very
bad practice and can often lead to remote code execution.
So these should be fixed anyways.
 2021-02-26 16:30:04 +05:30
Porcupiney Hairs
602f63ad45 [Java] Add QL for detecting Spring View Manipulation Vulnerabilities. 2021-02-26 16:29:18 +05:30
Tom Hvitved
ac67c67ad7 Merge pull request #4998 from hvitved/csharp/shared-base-pre-ssa 
C#: Use shared SSA implementation for `{Pre,Base}Ssa`
 2021-02-26 11:29:07 +01:00
Rasmus Wriedt Larsen
b43533ce8d Python: Ensure old dataflow queries are not used 
There seems to have been some cases where the old ones have been picked up
instead of the new ones. At least I spotted _one_ case where this happened, in
an internal actions run.

I'm not sure how to actual debug this, so just removing all the tags that could
make these queries to become picked up :|
 2021-02-26 11:22:23 +01:00
yoff
7f7320ae4c Update python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-02-26 10:56:48 +01:00
Erik Krogh Kristensen
c59e6fef80 add model for form-data 2021-02-26 10:54:46 +01:00
Erik Krogh Kristensen
00cfc77fc0 Revert "fix file lookup for exclude patterns" 
This reverts commit 74630b0fd8.
 2021-02-26 10:28:20 +01:00
Erik Krogh Kristensen
4ec3289ecc update relation name in .stats file 2021-02-26 10:26:08 +01:00
Erik Krogh Kristensen
bd19d5a93c remove is_abstract_signature.ql 2021-02-26 10:24:40 +01:00
Erik Krogh Kristensen
1cac692b1d Update javascript/ql/src/semmle/javascript/TypeScript.qll 
Co-authored-by: Asger F <asgerf@github.com>
 2021-02-26 10:23:01 +01:00
Mathias Vorreiter Pedersen
42d2a673c7 C++: Respond to review comments. 2021-02-26 10:06:05 +01:00
Tamas Vajk
b3d6d0c12b Fix method name resolution issue with nullable suppression 2021-02-26 09:48:37 +01:00
Mathias Vorreiter Pedersen
4e4ffbd790 Update cpp/change-notes/2021-02-24-memset-may-be-deleted.md 
Co-authored-by: Jonas Jensen <jbj@github.com>
 2021-02-26 09:48:21 +01:00
Rasmus Lerchedahl Petersen
311149ab4f Python: fix spelling 2021-02-26 09:44:24 +01:00
Mathias Vorreiter Pedersen
72daf2eef9 C++: Make the tests more realistic by actually using the local variable for something. Otherwise it looks like a zero-initialization of a buffer, which the query now tries to exclude. 2021-02-26 09:19:05 +01:00
yoff
a067adbaf3 Update python/ql/test/query-tests/Security/CWE-327-py2/options 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-02-26 08:53:20 +01:00
Tamás Vajk
ce69e3ae66 Merge pull request #5263 from tamasvajk/feature/fix-file-move 
C#: Fix potentially concurrent file moves
 2021-02-26 08:27:42 +01:00
Tamás Vajk
8241a9c2f1 Merge pull request #5264 from tamasvajk/feature/more-known-enums 
C#: Add more well-known enum underlying types
 2021-02-26 08:20:14 +01:00
Marcono1234
53dc2ce9b6 Java: Use .inc.qhelp extension for included help files 2021-02-26 00:43:51 +01:00
Marcono1234
e21cbe82a9 Update Java documentation links to Java 11 
Where possible update Java documentation links to Java 11.
Additionally update some other links to use HTTPS.
 2021-02-26 00:43:51 +01:00
yoff
e3b3825ab0 Merge pull request #5151 from RasmusWL/django-get-redirect-url 
Python: Model get_redirect_url in django
 2021-02-25 23:07:33 +01:00
Robert Marsh
290b1c624e C++: cache the IR stage Operand class 2021-02-25 13:10:39 -08:00
intrigus
141f057f7b Java: Remove duplicate code. 2021-02-25 21:29:26 +01:00
Mathias Vorreiter Pedersen
faadcd913e C++: Exclude memsets that clear a variable that has no other uses. 2021-02-25 21:27:12 +01:00
Geoffrey White
0c4a5f5e2a Merge pull request #5266 from geoffw0/isis 
JS: Fix 'is, is' and 'is is'.
 2021-02-25 18:55:41 +00:00
Mathias Vorreiter Pedersen
2777ca445e Update cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql 
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
 2021-02-25 19:49:58 +01:00
Dave Bartolomeo
2e02625f22 C++: Summary metrics queries 
This is a first attempt at implementing, for C++, the set of summary queries that we expect all languages to implement to help diagnose extraction failures and build configuration problems. See the spec in [this document](https://docs.google.com/document/d/1V3zpkj0OGh8GEUVwACRx7fiafE5zklujAftZaYUyf9s/edit?usp=sharing). The five queries are:

- Total number of source files (including .c/.cpp and header files)
- Total number of lines of text across all text files
- Total number of lines of code across all text files
- Number of lines of text in each source file
- Number of lines of code in each source file

I've added some simple unit tests that cover all five of these.
 2021-02-25 12:53:39 -05:00
Mathias Vorreiter Pedersen
9e7c9d0ea0 C++: Respond to review comments. Relax the escaping requirements on the local variable being used in memset. 2021-02-25 18:22:48 +01:00
Marcono1234
fa189ded9d Java: Add Class and Interface.isPackageProtected() 2021-02-25 18:21:18 +01:00
CodeQL CI
1bd12e6fdf Merge pull request #5199 from asgerf/js/vue-router 
Approved by erik-krogh
 2021-02-25 07:32:57 -08:00
Tamás Vajk
505d04b13e Merge pull request #5102 from luchua-bc/java/main-method-in-servlet 
Java: CWE-489 Query to detect main() method in servlets
 2021-02-25 16:05:06 +01:00
Mathias Vorreiter Pedersen
3f26b2940d Update cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.ql 
Co-authored-by: Jonas Jensen <jbj@github.com>
 2021-02-25 15:48:48 +01:00
Geoffrey White
0e071b7b79 JS: Fix 'is, is' and 'is is'. 2021-02-25 14:16:25 +00:00
Tamas Vajk
3e651f14fd C#: Add more well-known enum underlying types 2021-02-25 14:57:23 +01:00
Rasmus Wriedt Larsen
81b29316e1 Merge pull request #4737 from yoff/python-dataflow-add-cast-nodes 
Python: Force read- and store steps to add nodes.
 2021-02-25 14:28:54 +01:00
Tamás Vajk
9ae22cbebd Merge pull request #5189 from tamasvajk/feature/refactor-3 
C#: Split 'Context' class between CIL and source extraction
 2021-02-25 14:28:25 +01:00
Bas van Schaik
5ecd2317b0 Merge pull request #5212 from github/sj-patch-1 
Include @xcorail (GHSL) in code reviews for `experimental` queries
 2021-02-25 12:58:12 +00:00
Taus
d326d40d71 Merge pull request #5252 from RasmusWL/test-cleanup 
Python: Minor cleanup of test setup
 2021-02-25 13:33:10 +01:00
Mathias Vorreiter Pedersen
d33209388d C++: Fix test annotations. Also exclude static locals from the query and add a testcase for this. 2021-02-25 13:25:11 +01:00
Taus
01d581ecf3 Merge pull request #5250 from tausbn/python-port-re-security-queries 
Python: Port URL sanitisation queries to API graphs
 2021-02-25 13:13:55 +01:00