Tony Torralba
26c3ff2cee
Move from experimental to standard
2021-05-06 09:18:49 +02:00
Tony Torralba
215118c7ea
Fixes in QLDocs and imports
2021-05-06 09:18:49 +02:00
Tony Torralba
720b5d6da3
Refactored to use CSV sink model. Also, added more sinks
2021-05-06 09:18:49 +02:00
Tony Torralba
ab62bb66f4
Consider second parameter of Node.selectNodes
2021-05-06 09:18:49 +02:00
Tony Torralba
d72dd9b861
javax.xml.xpath.XPath is an interface
2021-05-06 09:18:49 +02:00
Tony Torralba
2bb2baf6f7
Support more methods that evaluate XPath expressions
2021-05-06 09:18:49 +02:00
Tony Torralba
3705970bfd
Refactored XPath.qll to remove redundant classes and restrict visibility
2021-05-06 09:18:49 +02:00
Tony Torralba
d739a8cac2
Moved configuration from XPath.qll back to XPath Injection query
2021-05-06 09:18:48 +02:00
Tony Torralba
ee269fbc69
Added missing doc comments
2021-05-06 09:18:48 +02:00
Tony Torralba
fb3e56eac8
Fix imports and stubs so that tests pass
2021-05-06 09:18:48 +02:00
Tony Torralba
a62997463f
Remove unused imports; use set literals in hasName
2021-05-06 09:18:48 +02:00
Tony Torralba
ed5619498c
WIP: XPath Injection promotion
2021-05-06 09:18:48 +02:00
Tony Torralba
a706046a19
Restructured test
2021-05-06 09:17:53 +02:00
Jonathan Leitschuh
67e9f06304
[Java] Fix Kryo FP & Kryo 5 Support
...
Closes #4992
2021-05-05 17:38:34 -04:00
ihsinme
976ccda135
Update DeclarationOfVariableWithUnnecessarilyWideScope.ql
2021-05-05 23:34:21 +03:00
ihsinme
b277082462
Update DeclarationOfVariableWithUnnecessarilyWideScope.qhelp
2021-05-05 23:28:04 +03:00
Evgenii Protsenko
330eaea467
C++: SqlPqxxTainted.ql style fixes
2021-05-05 21:48:14 +03:00
Evgenii Protsenko
955d97f6be
C++: Init SqlPqxxTainted.ql
2021-05-05 21:25:36 +03:00
Nick Rolfe
a0084b7732
Simplify CFG tree classes for calls
2021-05-05 17:18:44 +01:00
Nick Rolfe
569063ca73
Make YieldCallTree post-order
2021-05-05 17:14:32 +01:00
Henry Mercer
a3c57c43c8
Code Scanning selectors: Include summary metrics
2021-05-05 16:38:39 +01:00
Henry Mercer
74c9994305
Code Scanning selectors: Add alert aliases
2021-05-05 16:36:39 +01:00
Shati Patel
059a5f35fa
Merge pull request #5812 from mario-campos/patch-1
...
Add React Native to JavaScript frameworks docs
2021-05-05 16:03:41 +01:00
Tony Torralba
c138ed3e4d
QLDocs
2021-05-05 16:51:15 +02:00
Tony Torralba
03ce8d689f
Refactored to use CSV sink model
2021-05-05 16:34:30 +02:00
Nick Rolfe
3a3586f14b
Restrict type to MethodCallCfgNode
2021-05-05 14:49:24 +01:00
Arthur Baars
73b5699f32
Merge pull request #174 from github/escape_file_keys
...
Escape keys for files and folders
2021-05-05 15:02:04 +02:00
Erik Krogh Kristensen
4ac21e9f3f
make the .filter step more precise
2021-05-05 14:53:09 +02:00
Nick Rolfe
c37f390efc
Reserve more capacity for escaped key
2021-05-05 13:21:16 +01:00
Rasmus Wriedt Larsen
d50f22504e
Python: Fix .expected
2021-05-05 14:07:15 +02:00
Nick Rolfe
99ae17de03
Avoid copying key when it doesn't need escaping
2021-05-05 12:54:23 +01:00
CodeQL CI
69cd9dfb7d
Merge pull request #5826 from erik-krogh/moreLib
...
Approved by esbena
2021-05-05 04:40:49 -07:00
Felicity Chapman
8b2009cfb1
Minor updates to qhelp file
2021-05-05 12:36:29 +01:00
Nick Rolfe
b16b95e2f7
Fix type-tracking load/store steps
2021-05-05 12:12:45 +01:00
Rasmus Wriedt Larsen
668bfd3a41
Python: Support EC keygen without class-instance for cryptography
...
I also added a new test to show off what the origin ends up looking
like... I think it looks ok
2021-05-05 12:29:55 +02:00
Erik Krogh Kristensen
ab53f3b380
add array.filter() as a taint-step
2021-05-05 12:03:14 +02:00
Erik Krogh Kristensen
e333267e69
require that the factory function is in a main module file
2021-05-05 12:00:38 +02:00
Tony Torralba
9b78cee37a
Add tests
2021-05-05 11:59:57 +02:00
Tony Torralba
be50e8f30c
Moved from experimental to standard
2021-05-05 11:59:49 +02:00
Tony Torralba
458b89bf5f
Added Android stubs
2021-05-05 11:57:01 +02:00
Erik Krogh Kristensen
fc3f5adbbb
more source code examples in PackageExports.qll
2021-05-05 11:48:41 +02:00
Erik Krogh Kristensen
28eef264e5
recognize the define(..) call in PackageExports.qll
2021-05-05 11:23:25 +02:00
Jonas Jensen
390ee3a6b8
Merge pull request #5829 from MathiasVP/reorder-get-instruction-opcode
...
C++: Reorder getInstructionOpcode
2021-05-05 11:13:15 +02:00
Erik Krogh Kristensen
3ca670146e
remove outdated comment
2021-05-05 11:10:45 +02:00
Rasmus Wriedt Larsen
3ceb8bbcc6
Python: Add cryptography test for EC
...
Apparently, passing in the class (without instantiating it) is allowed
2021-05-05 10:52:57 +02:00
Rasmus Wriedt Larsen
dc4a0c1d38
Python/JS: Fix typo
2021-05-05 10:13:54 +02:00
Mathias Vorreiter Pedersen
066cdb55d7
C++: Add qldoc explaining column order.
2021-05-05 09:30:12 +02:00
Mathias Vorreiter Pedersen
f03c99ab03
Merge pull request #5835 from hmakholm/hmakholm/pr/blowup-fix
...
CPP: fix semi-unused variables in WrongInDetectingAndHandlingMemoryAllocationErrors.q
2021-05-05 08:15:37 +02:00
Henning Makholm
4964ce347b
CPP: fix semi-unused variables in WrongInDetectingAndHandlingMemoryAllocationErrors.ql
...
The fact that `aex` and `it` were each used in just one disjunct of the
exists() body caused the optimizer to generate perfectly horrible
code, including a pointless cartesian product between them that caused
the evaluation to blow up.
Fix it such that each variable is logically scoped. That makes the
compiler much happier.
2021-05-05 02:31:11 +02:00
thank_you
c4a67e522c
Rewrite query to take into account MongoClient and subscript expressions
...
A couple of notes with these changes:
- Added TypeTracker pattern to handle subscript expressions. We've found that pymongo supports subscript expressions when calling databases and collections. To resolve this, we implemented the TypeTracker pattern to catch those subscripts since CodeQL Python API modeling doesn't support subscript expressions.
- After some research, we've discovered that MongoEngine and Flask-MongoEngine utilize MongoClient under-the-hood. This requires us to rewrite the query so that instead of querying these libraries with specific queries, we are instead going to query for usages of MongoClient since all of the libraries we are targeting utilize MongoClient under-the-hood.
2021-05-04 19:29:31 -04:00