hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-14 22:21:06 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,872 Commits 1,690 Branches 160 Tags
codeql-cli/v2.8.4
Commit Graph

33872 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Alex Ford
7cc6b3a7b0 Merge pull request #224 from github/sqli-override-fp 
rb/sql-injection: fix FPs stemming from not accounting for overridden methods
 2021-06-30 17:20:14 +01:00
Taus
e4af14638b Merge pull request #6175 from yoff/python-port-ReDoS 
Python: port ReDoS queries from Javascript
 2021-06-30 16:26:07 +02:00
Chris Smowton
753c878f48 Also cover jakarta version of javax.json, and some missed methods 2021-06-30 15:04:15 +01:00
yoff
6a77b890af Merge pull request #6155 from RasmusWL/port-cleartext-queries 
Python: Port cleartext queries
 2021-06-30 15:52:34 +02:00
Taus
fc71a648c0 Merge pull request #6092 from RasmusWL/markupsafe-modeling 
Python: Add `MarkupSafe` model
 2021-06-30 15:52:10 +02:00
Anders Schack-Mulligen
d8b017e6c0 Merge pull request #6036 from atorralba/atorralba/spring-beans 
Java: Flow summaries for Spring's Bean Properties classes
 2021-06-30 15:41:24 +02:00
Anders Schack-Mulligen
b8b6f05603 Merge pull request #6187 from aschackmull/java/perf-fix-variable-getinit 
Java: Fix bad join-order.
 2021-06-30 15:39:00 +02:00
Rasmus Lerchedahl Petersen
a176e6ac30 Python: comment out temporarily unused predicate 2021-06-30 15:28:31 +02:00
Asger Feldthaus
376efaa46c JS: Change note 2021-06-30 15:10:52 +02:00
Asger Feldthaus
780453008a JS: Drive-by fixes in ComposedFunctions.qll 2021-06-30 15:07:59 +02:00
Asger Feldthaus
7e2871bfdf JS: Propagate React components through recompose HOCs 2021-06-30 15:05:28 +02:00
Rasmus Lerchedahl Petersen
45e30b0c06 Python: comment out temporarily unused predicate 2021-06-30 15:04:37 +02:00
Rasmus Lerchedahl Petersen
c306cee04e Python: mimic JS file hierarchy 2021-06-30 15:03:22 +02:00
Rasmus Lerchedahl Petersen
651f8abba0 Python: Avoid multiple results for toString 2021-06-30 14:39:49 +02:00
Rasmus Wriedt Larsen
c2708176b1 Python: Support %-style formatting for MarkupSafe 2021-06-30 14:15:41 +02:00
Rasmus Wriedt Larsen
0a4efd0e86 Python: Add %-style formatting tests for MarkupSafe 2021-06-30 14:13:59 +02:00
Rasmus Wriedt Larsen
c84658dff1 Python: Use MethodCallNode for MarkupSafe string-format 2021-06-30 13:58:09 +02:00
Rasmus Wriedt Larsen
d6e8fafdbd Python: Proper sorting in Frameworks.qll 2021-06-30 13:55:26 +02:00
Rasmus Wriedt Larsen
075953860b Merge branch 'main' into markupsafe-modeling 2021-06-30 13:55:08 +02:00
Anders Schack-Mulligen
f03d460e95 Java: Fix bad join-order. 2021-06-30 13:42:45 +02:00
Tamas Vajk
dc63f23d6b Fix review findings 2021-06-30 13:40:36 +02:00
Tamas Vajk
6a35c8c5f4 Upgrade database in coverage report jobs 2021-06-30 13:40:36 +02:00
Chris Smowton
7f556de8a0 Resolve now-fixed spurious XSS results 2021-06-30 12:04:22 +01:00
Chris Smowton
c37ecb7102 Fix existing JaxRs tests 
* Expose getContentTypeString for use by tests
* Use it to get constant arguments to @Produces annotations
* Note that text/html is xss-vulnerable (I have no idea how it ever came to expect exactly text/plain)
 2021-06-30 12:04:21 +01:00
Chris Smowton
52471b292a Add change note 2021-06-30 12:04:21 +01:00
Chris Smowton
856046ce50 Jax-RS: implement content-type tracking 
This follows content-type specifications across Variant-related functions and the ResponseBuilder class in order to sanitize or sink entities as appropriate.
 2021-06-30 12:04:21 +01:00
Chris Smowton
10714211c6 Add utility functions definining XSS-vulnerable content-types 2021-06-30 12:04:21 +01:00
Chris Smowton
450eebcd40 JaxWS: Pull out MediaType constant interpretation routine 
Also extend the routine slightly to expose multiple content types given with array notation
 2021-06-30 12:04:20 +01:00
Chris Smowton
3e7ea34054 XSS: expose extension point for defining barrier sinks 2021-06-30 12:04:20 +01:00
Tamás Vajk
10a6089739 Merge pull request #6148 from tamasvajk/feature/try-csv-source-models 
C#: Start using CSV based flow models
 2021-06-30 12:58:42 +02:00
Tony Torralba
a3e1b139c3 Fix spring stubs location 2021-06-30 12:56:45 +02:00
Tony Torralba
0bb9e464b2 Merge branch 'main' into atorralba/spring-beans 2021-06-30 12:55:10 +02:00
Rasmus Lerchedahl Petersen
72986e1e28 Python: Add some comments on the booelan sweep 
pattern
 2021-06-30 12:50:36 +02:00
Rasmus Lerchedahl Petersen
4ca0ee87f0 Merge branch 'main' of github.com:github/codeql into python-port-ReDoS 2021-06-30 12:28:54 +02:00
Rasmus Lerchedahl Petersen
52d91917aa Merge branch 'python-port-ReDoS' of github.com:yoff/codeql into python-port-ReDoS 2021-06-30 12:25:59 +02:00
Rasmus Lerchedahl Petersen
09e71cfdfd Python: update test expectations 2021-06-30 12:25:29 +02:00
Rasmus Lerchedahl Petersen
6dfbf80494 Python: Disable use of toUnicode 
until supporting CLI is released
 2021-06-30 12:21:52 +02:00
Rasmus Wriedt Larsen
e5d65992b4 Python: Use DefinitionNode instead of Assign 
Based on https://github.com/github/codeql/pull/6155#discussion_r660964666:

> Hmm... Would it be better to do this using DefinitionNode instead of
> Assign? The latter is fairly limited in what it can represent, and also
> raises questions of whether this definition is sound with regard to
> control-flow splitting.
 2021-06-30 12:08:32 +02:00
yoff
c19522e921 Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-06-30 11:49:45 +02:00
Tamas Vajk
0946ae2ae9 Fix review findings 2021-06-30 11:39:51 +02:00
Anders Schack-Mulligen
e235e151f1 Java: Fix bad magic. 2021-06-30 11:09:08 +02:00
Geoffrey White
4a8299e5d0 C++: Change note. 2021-06-30 09:21:10 +01:00
Tony Torralba
9d64cadb50 Adapt tests after applying changes from code review 2021-06-30 10:02:03 +02:00
Tony Torralba
b64b8ecec2 Apply suggestions from code review 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-06-30 09:52:22 +02:00
Anders Schack-Mulligen
374859efb4 Merge pull request #6156 from smowton/smowton/feature/jax-rs-content-type-sensitivity 
Jax RS XSS Tests
 2021-06-30 09:52:07 +02:00
Tamás Vajk
a0e768bb43 Merge pull request #6172 from tamasvajk/fix/csv-comment-again 
Fix CSV framework coverage commenter workflow
 2021-06-30 09:10:47 +02:00
Tom Hvitved
22dd53f245 Merge pull request #6167 from hvitved/csharp/trap-stack-preprocessor-conditions 
C#: Add active preprocessor conditions as suffix in all TRAP `.push` instructions
 2021-06-30 08:34:47 +02:00
thank_you
0be2c6b765 Add SQLEscapySanitizerCall class 2021-06-29 19:39:46 -04:00
thank_you
986f2f4302 Add SQLEscape module 2021-06-29 19:39:26 -04:00
jorgectf
d475d52c76 Add partial modeling 2021-06-30 00:59:40 +02:00