hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-17 15:33:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,872 Commits 1,692 Branches 160 Tags
codeql-cli/v2.8.4
Commit Graph

33872 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rasmus Wriedt Larsen
b154f034cb Python: Fix names of supported PyPI packages 2021-06-15 12:55:52 +02:00
Alex Ford
ea21c591af remove accidentally unbound variable 2021-06-15 11:39:48 +01:00
Alex Ford
c1b9952517 account for chained method calls when constructing ActiveRecord SQL queries 2021-06-15 11:39:48 +01:00
Alex Ford
f8a77b9854 format QL 2021-06-15 11:39:48 +01:00
Alex Ford
57c04266e3 rename SqlExecutingMethodCall as PotentiallyUnsafeSqlExecutingMethodCall 2021-06-15 11:39:48 +01:00
Alex Ford
2d4bb61789 limit SqlExecutingMethodCall to those that are called with a StringlikeLiteral argument 2021-06-15 11:39:48 +01:00
Alex Ford
2c15b60998 add ActiveRecord find_by_sql as an SQL executing method call 2021-06-15 11:39:48 +01:00
Alex Ford
c641d12259 add shell ActiveRecord library tests 2021-06-15 11:39:48 +01:00
Alex Ford
5b7df8578a cleanup ActiveRecord.qll 2021-06-15 11:39:48 +01:00
Alex Ford
7488d072d8 Model some SQL fragment sinks in ActiveRecord model classes 2021-06-15 11:39:48 +01:00
Alex Ford
743deee9ce add a class to represent ActiveRecord models 2021-06-15 11:39:48 +01:00
Alex Ford
7d3eaf40ff add base SqlExecution concepts 2021-06-15 11:39:48 +01:00
Tamas Vajk
255e422172 Apply code review findings 2021-06-15 11:35:10 +02:00
Rasmus Wriedt Larsen
00af18a622 Python: Autoformat 2021-06-15 11:31:38 +02:00
Rasmus Wriedt Larsen
156b10cb59 Merge branch 'main' into promote-clickhouse 2021-06-15 11:30:19 +02:00
Anders Schack-Mulligen
19305a217a Merge pull request #5374 from joefarebrother/guava-base 
Java: Model additional flow steps for the package `com.google.common.base` of the Guava framwork.
 2021-06-15 10:58:48 +02:00
Tom Hvitved
501ba4bd8a Merge pull request #6012 from hvitved/csharp/early-labels 
C#: Populate labels earlier
 2021-06-15 10:28:23 +02:00
Mathias Vorreiter Pedersen
b2e9fe79a7 C++: Add change-note. 2021-06-15 10:01:45 +02:00
Erik Krogh Kristensen
60920c1ecc require that the URL refers to graphql in some way 2021-06-15 09:53:32 +02:00
Erik Krogh Kristensen
416c986cbc add support for graphql in @actions/github 2021-06-15 09:43:11 +02:00
Asger Feldthaus
53bef94b75 JS: Extractor version bump 2021-06-15 09:34:54 +02:00
Tom Hvitved
3a37e321d5 Merge pull request #205 from github/hvitved/taint-tracking 
Initial taint-tracking library
 2021-06-15 09:30:59 +02:00
Cornelius Riemenschneider
0ebf53b9df Merge pull request #6073 from geoffw0/loc 
C++: Add lines of user code query
 2021-06-15 09:18:46 +02:00
Tom Hvitved
5a9521372b Merge pull request #206 from github/tausbn/fix-identical-files 2021-06-15 07:31:07 +02:00
jorgectf
c948970181 resolve merge conflicts 2021-06-15 01:24:04 +02:00
jorgectf
1662c5d113 resolve merge conflict 2021-06-15 01:22:11 +02:00
Mathias Vorreiter Pedersen
14a04ee453 C++: Accept more test changes. These all arise because we now transitively pull in 'semmle.code.cpp.Print' when including 'cpp'. 2021-06-14 22:02:46 +02:00
Mathias Vorreiter Pedersen
cc6ae7f8b8 Merge branch 'main' into path-sensitive-stack-variable-reachability-analysis 2021-06-14 22:02:46 +02:00
Mathias Vorreiter Pedersen
714ad105fe C++: Accept test changes. 2021-06-14 22:02:38 +02:00
Mathias Vorreiter Pedersen
79926788d1 C++: Fix non-monotonic recursion problems in 'StackVariableReachabilityWithReassignment' by using the old StackVariableReachability predicates that don't care about paths. 2021-06-14 22:00:17 +02:00
Mathias Vorreiter Pedersen
c32f72063f C++: Add path sensitivity to StackVariableReachability. 2021-06-14 21:59:13 +02:00
Shati Patel
cce8eac0a7 Merge pull request #5946 from shati-patel/vscode-custom-logs 
Docs: Describe custom log directory setting in VS Code extension
 2021-06-14 20:30:54 +01:00
Taus
2bbcbb2200 Bump submodule pointer 2021-06-14 19:04:22 +00:00
Aditya Sharad
75ed7c0568 Merge pull request #6014 from github/docs-4179-legacy-tools 
Remove docs about legacy tools
 2021-06-14 11:50:18 -07:00
Tom Hvitved
302b485f4c Merge pull request #204 from github/hvitved/cfg-nodes-perf 
Improve performance of `ExprChildMapping::reachesBasicBlock()`
 2021-06-14 20:14:17 +02:00
Taus
068b980517 Update identical-files.json 
As of https://github.com/github/codeql/pull/6063 we have now started using the shared type tracking library in Python as well. 🎉
 2021-06-14 19:01:24 +02:00
Taus
c6c9a5110a Merge pull request #6063 from tausbn/python-promote-type-tracking-library 
Python: Promote shared type tracking library
 2021-06-14 18:56:03 +02:00
Geoffrey White
d7db18213d C++: Add a generated file to the test. 2021-06-14 16:21:30 +01:00
Geoffrey White
1e1ae27974 C++: Test the new query. 2021-06-14 16:06:20 +01:00
Geoffrey White
e71264d1d2 C++: Lines of user code query. 2021-06-14 16:03:16 +01:00
Tom Hvitved
6b63e032a9 C#: Populate labels earlier 2021-06-14 15:17:33 +02:00
Rasmus Wriedt Larsen
d19bc1252b Python: limit size of extraStepForCalls predicate 
On django/django, this reduced the number of results in
`extraStepForCalls` from 201,283 to 541
 2021-06-14 15:06:42 +02:00
shati-patel
17f9aecab8 Docs: Update setting in CodeQL for VS Code 2021-06-14 13:38:06 +01:00
Rasmus Wriedt Larsen
cc311ac4cd Python: Re-introduce syntactic handling of str/bytes/unicode (again) 
This reverts commit 870389addb.
 2021-06-14 14:23:12 +02:00
Rasmus Wriedt Larsen
870389addb Revert "Python: Re-introduce syntactic handling of str/bytes/unicode" 
This reverts commit c4987e94e0.

Hoping that our new handling of builtins would solve this problem... but
it did not :|
 2021-06-14 14:22:40 +02:00
Tom Hvitved
8aa337ab01 Initial taint-tracking library 2021-06-14 14:19:34 +02:00
Rasmus Wriedt Larsen
af13064f6a Merge branch 'main' into pr/RasmusWL/5926 2021-06-14 14:17:33 +02:00
Rasmus Wriedt Larsen
4eed94a262 Python: Fix CWE tag for py/use-of-input 
So it better matches what is in `py/code-injection`. I had my doubts
about CWE-95, but after reading
https://owasp.org/www-community/attacks/Direct_Dynamic_Code_Evaluation_Eval%20Injection
I think it's fine to add CWE-95 as well 👍

Definitions are:

CWE-78: Improper Neutralization of Special Elements used in an OS
Command ('OS Command Injection')

CWE-94: Improper Control of Generation of Code ('Code Injection')

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated
Code ('Eval Injection')
 2021-06-14 14:08:34 +02:00
Asger Feldthaus
c58942092f JS: Add change note 2021-06-14 13:43:11 +02:00
Asger Feldthaus
bc375196d1 JS: Extract script tags with lang=tsx 2021-06-14 13:40:53 +02:00