hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-17 07:23:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,872 Commits 1,692 Branches 160 Tags
codeql-cli/v2.8.4
Commit Graph

33872 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Joe Farebrother
36cb207600 Increase precision of tests to test value flow 2021-06-14 11:20:07 +01:00
Tom Hvitved
b154c936c3 Improve performance of ExprChildMapping::reachesBasicBlock() 
Since all expressions are now post-order, the logic of `reachesBasicBlock` can
be simplified, and performance can be improved as well.
 2021-06-14 11:58:24 +02:00
Owen Mansel-Chan
5e89fce734 Avoid strange bug by commenting out two tests 2021-06-14 10:57:28 +01:00
CodeQL CI
02c017afec Merge pull request #6058 from RasmusWL/more-aiohttp 
Approved by yoff
 2021-06-14 02:56:59 -07:00
Owen Mansel-Chan
8cf47f12b4 Model constructors of classes implementing MultivaluedMap 2021-06-14 10:56:35 +01:00
Felicity Chapman
60b4669813 Remove sentence about legacy tools 2021-06-14 08:41:28 +01:00
luchua-bc
6a2c7d54cd Enhance the query to check more scenarios 2021-06-14 03:24:16 +00:00
Taus
6333752014 Python: Add getAMethodCall to LocalSourceNode 
This seems like something we have been missing for a while now, so I
figured it might be useful to add. It is roughly based on the JavaScript
equivalent, with one major difference: in the JavaScript libraries,
`getAMethodCall` is reserved for syntactic method calls (`obj.m(...)`)
whereas `getAMemberInvocation` is used for both this and the case where
the bound method `obj.m` is stored in a temporary variable and then
subsequently invoked in the same local scope.

It seems to me that the more general predicate is more useful, and hence
should have the simpler name. (And also we don't really work with a
notion of "invocation" in the Python libraries, so we would need a
better name for it anyway.)

I think as long as the documentation makes the behaviour clear, it
should be okay.
 2021-06-11 21:26:58 +00:00
Taus
8016715fb6 Python: Add missing QLDoc 2021-06-11 20:35:58 +00:00
Taus
3869ab76d1 Python: Promote shared type tracking library 
This was slightly messier than anticipated, as I hadn't accounted for
the dozen uses of `startInAttr` in our codebase. To circumvent this,
I decided to put the type tracking implementation in the `internal`
directory, and wrap it with a file that ensures the old interface still
works.
 2021-06-11 20:20:22 +00:00
Jonas Jensen
e23b88b7f1 Merge pull request #6052 from jsinglet/jsinglet/stdtypes 
Implementation of standard C/C++ fixed width, minimum width, and maximum width types
 2021-06-11 17:03:01 +02:00
Calum Grant
85467adc5e Merge pull request #5839 from github/security-severities5 
Add security-severity scores
 2021-06-11 15:56:20 +01:00
John L. Singleton
8c6c011be2 Formatting fixes, comment moving. 2021-06-11 10:17:05 -04:00
Joe Farebrother
678597f3f9 Update CSV rows for collection flow 2021-06-11 15:08:27 +01:00
John L. Singleton
9c946a79c7 Update cpp/change-notes/2021-06-10-std-types.md 
Co-authored-by: Jonas Jensen <jbj@github.com>
 2021-06-11 09:49:44 -04:00
Rasmus Wriedt Larsen
53f7633662 Python: Model await request.post() as MultiDictProxy 
as highlight as being quite easy to do by @yoff 👍
 2021-06-11 14:53:30 +02:00
Chris Smowton
76838809bb Merge pull request #5818 from artem-smotrakov/rmi-deserialization 
Java: Unsafe RMI deserialization
 2021-06-11 13:43:07 +01:00
yoff
97486b448a Merge pull request #5999 from RasmusWL/aiohttp-modeling 
Python: Add aiohttp.web modeling
 2021-06-11 14:26:52 +02:00
Rasmus Wriedt Larsen
dee93783a2 Python: Update .expected for py/weak-sensitive-data-hashing 
Now there is a path from the _imports_ of the functions that would
return sensitive data, so we produce more alerts.

I'm not entirely happy about this "double reporting", but I'm not sure
how to get around it without either:

1. disabling the extra taint-step for calls. Not ideal since we would
   loose good sources.
2. disabling the extra sources based on function name. Not ideal since
   we would loose good sources.
3. disabling the extra sources based on function name, for those calls
   that would be handled with the extra taint-step for calls. Not ideal
   since that would require running the data-flow query initially to
   prune these out :|

So for now, I think the best approach is to accept some risk on this,
and ship to learn :)
 2021-06-11 13:56:55 +02:00
Arthur Baars
88fb3c7097 Merge pull request #203 from github/aibaars/pack-qhelp-samples 
Query pack: include .rb and .erb sample files from queries directory
 2021-06-11 13:50:17 +02:00
Arthur Baars
909e6d5a62 Query pack: include .rb and .erb sample files from queries directory 
These are required by the qhelp files.
 2021-06-11 13:42:43 +02:00
Anders Schack-Mulligen
f24565738b Merge pull request #6029 from atorralba/atorralba/tainted-key-read-steps 
Java: Add Map key-read-steps as local additional taint steps
 2021-06-11 13:14:18 +02:00
Joe Farebrother
dc19d1db35 Add change note 2021-06-11 11:41:30 +01:00
Joe Farebrother
04ffe80366 Add unit tests 2021-06-11 11:41:27 +01:00
Joe Farebrother
153e0c4ac3 Add modelling for more com.google.common.base methods 2021-06-11 11:40:37 +01:00
Rasmus Wriedt Larsen
df67028a1d Python: Model aiohttp.StreamReader 2021-06-11 12:06:53 +02:00
Arthur Baars
78a6ed43c3 Merge pull request #202 from github/aibaars-patch-2 
HardCodedCredentials: fix query metadata comment
 2021-06-11 12:05:44 +02:00
Tony Torralba
c828c7031f Add change note 2021-06-11 12:04:11 +02:00
Rasmus Wriedt Larsen
2d31ef7016 Python: Fix last TODOs in aiohttp tests 2021-06-11 12:00:02 +02:00
Arthur Baars
661d6e8e38 HardCodedCredentials: fix query metadata comment 2021-06-11 11:59:46 +02:00
Rasmus Wriedt Larsen
64a0e3fd0a Merge branch 'main' into aiohttp-modeling 2021-06-11 11:42:24 +02:00
Rasmus Wriedt Larsen
8b8e1334cc Python: Fix syntax error 2021-06-11 11:42:14 +02:00
Rasmus Wriedt Larsen
46f7a2b572 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-06-11 11:28:11 +02:00
Rasmus Wriedt Larsen
6f29b01abc Python: Model rsa 2021-06-11 11:23:06 +02:00
Rasmus Wriedt Larsen
40714c05b7 Python: Add tests for rsa PyPI package 2021-06-11 11:17:13 +02:00
Rasmus Wriedt Larsen
3d5f379b8c Merge branch 'main' into sensitive-improvements 2021-06-11 10:48:20 +02:00
John L. Singleton
cd61fb4753 this should be abstract 2021-06-10 19:54:58 -04:00
John L. Singleton
219dc71ae6 changlog entry 2021-06-10 17:15:06 -04:00
John L. Singleton
2a01324172 more maintainable pattern for class abstractions 2021-06-10 17:09:32 -04:00
Calum Grant
a594afb828 Add security-severity metadata 2021-06-10 20:11:08 +01:00
Erik Krogh Kristensen
50d574d20d add graphql injection to the sql-injection query 2021-06-10 21:01:54 +02:00
Tom Hvitved
8860b8adf0 Merge pull request #198 from github/hvitved/desugar-compound-assignment 2021-06-10 19:39:54 +02:00
John L. Singleton
bd7c416356 comment change 2021-06-10 11:21:11 -04:00
John L. Singleton
0d3f53b013 Changes to structure per feedback of @jbj 2021-06-10 11:16:58 -04:00
Alex Ford
f74dff560b Merge pull request #187 from github/hardcoded-credentials 
Add rb/hardcoded-credentials query
 2021-06-10 16:12:32 +01:00
Taus
e7b9603c5b Merge pull request #6053 from RasmusWL/fix-tests 
Python: Fix tests
 2021-06-10 16:55:45 +02:00
Alex Ford
8839d4c584 limit additional flow steps in rb/hardcoded-credentials to string concatenation 2021-06-10 14:59:28 +01:00
Rasmus Wriedt Larsen
dd457f9641 Python: Fix tests 2021-06-10 15:58:56 +02:00
Alex Ford
fe45dadd55 set precision to high for rb/hardcoded-credentials 2021-06-10 14:52:26 +01:00
John L. Singleton
f174d7a0e0 Comment changes 2021-06-10 09:52:22 -04:00