hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-23 02:13:41 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,872 Commits 1,693 Branches 161 Tags
codeql-cli/v2.8.4
Commit Graph

33872 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Chris Smowton
54caf501e7 Switch fluent-methods test to use a plain DataFlow::Configuration 
No taint edges are involved, so TaintTracking was unnecessary.
 2021-03-01 10:16:02 +00:00
Chris Smowton
fadbb32bd6 Add backward dataflow edges through fluent function invocations. 
This means that much as obj.getA().setB(...) already has a side-effect on `obj`, all three setters in obj.setA(...).setB(...).setC(...) will have a side-effect on `obj`.
 2021-03-01 10:11:28 +00:00
Tamas Vajk
1ecbbf6af3 C#: Fix codeql analysis workflow 2021-03-01 09:18:05 +01:00
Anders Schack-Mulligen
37baf77b93 Merge pull request #5273 from intrigus-lgtm/java/unify-main-method-check 
Java: Remove duplicate code.
 2021-03-01 09:05:28 +01:00
Tamás Vajk
3b56e3520c Merge pull request #5277 from tamasvajk/feature/fix-name-resolution 
Fix method name resolution issue with nullable suppression
 2021-03-01 08:47:21 +01:00
Jonas Jensen
208a374c58 Merge pull request #5256 from MathiasVP/promote-insecure-memset-query 
C++: Promote insecure removal of memset query
 2021-03-01 08:30:16 +01:00
Artem Smotrakov
15a43ffe36 Simplified returnsRemoteInvocationSerializingExporter() 2021-02-27 13:41:20 +01:00
Rasmus Wriedt Larsen
443780f27e Python/JS: Share modeling of cryptographic algorithms 
I didn't quite know where to place it for JS, so I tried my best :)

The canonical Python version might be changed in the future, but I wanted to
keep this change small.
 2021-02-27 11:39:35 +01:00
Rasmus Wriedt Larsen
010488c899 Python/JS: Update QLDoc for crypto algorithms before sharing 2021-02-27 11:38:45 +01:00
Rasmus Wriedt Larsen
646ea55944 Python/JS: Update Python copy of crypto algorithm modeling 
Now to be shared accross both languages, with sync-identical-files
 2021-02-27 11:38:45 +01:00
haby0
f795d5e0d3 update JSONP Injection ql 2021-02-27 16:25:17 +08:00
Rasmus Lerchedahl Petersen
8b68912c40 Python: Update help and add example 2021-02-26 20:19:31 +01:00
Arthur Baars
c9f86743bd Merge pull request #143 from github/aibaars/ast-test 
AST: add printAST test case
 2021-02-26 19:41:56 +01:00
Rasmus Lerchedahl Petersen
9533c92fcc Python: Clean up tests and add comment 2021-02-26 19:28:44 +01:00
Mathias Vorreiter Pedersen
d4f7fab7df Update cpp/change-notes/2021-02-24-memset-may-be-deleted.md 
Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
 2021-02-26 19:17:13 +01:00
Mathias Vorreiter Pedersen
0f7256752a Update cpp/ql/src/Security/CWE/CWE-014/MemsetMayBeDeleted.qhelp 
Co-authored-by: Shati Patel <42641846+shati-patel@users.noreply.github.com>
 2021-02-26 19:16:28 +01:00
Arthur Baars
b2fbeee794 CFG: hide all non-AstNodes 2021-02-26 19:04:33 +01:00
Arthur Baars
5f32b822e2 Remove use of AstNodes 2021-02-26 19:03:55 +01:00
yoff
1670fa0d0e Update python/change-notes/2021-02-23-port-insecure-default-protocol.md 2021-02-26 18:39:49 +01:00
yoff
9a9bda17ed Update python/change-notes/2021-02-23-port-insecure-default-protocol.md 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-02-26 18:38:35 +01:00
Arthur Baars
dd4f297c37 Remove duplicate clause 2021-02-26 17:51:04 +01:00
Erik Krogh Kristensen
af7a188bbd add change note 2021-02-26 17:18:30 +01:00
Erik Krogh Kristensen
214aa072b9 support host for http-proxy client requests 2021-02-26 17:18:29 +01:00
Erik Krogh Kristensen
cc48172fd8 add support for events in http-proxy 2021-02-26 17:17:47 +01:00
Erik Krogh Kristensen
ede1a40a02 add ClientRequst models for http-proxy 2021-02-26 17:17:46 +01:00
CodeQL CI
b7c0d18c4a Merge pull request #5278 from erik-krogh/formData 
Approved by asgerf
 2021-02-26 08:13:41 -08:00
Rasmus Wriedt Larsen
a387496832 Python: Highlight how request.uri works in Tornado 2021-02-26 16:23:21 +01:00
Erik Krogh Kristensen
ae051af9d8 remove redundant code 2021-02-26 14:15:30 +01:00
CodeQL CI
0e70b58a41 Merge pull request #5205 from erik-krogh/ts42 
Approved by asgerf
 2021-02-26 05:06:40 -08:00
Porcupiney Hairs
42a84a18b0 JAVA : Add query to detect Apache Structs enabled DEvmode 
This query detects cases where the development mode is enabled for a
struts configuration. I can't find a CVE per se but, at present, [Github's fuzzy search](https://github.com/search?q=%3Cconstant+name%3D%22struts.devMode%22+value%3D%22true%22+%2F%3E+language%3Axml&type=Code) returns more
than 44000 results. Some of them look like they are classroom projects,
so they may be ineligible for a CVE. But we should be flagging them
anyways as setting the development on in a production system is a very
bad practice and can often lead to remote code execution.
So these should be fixed anyways.
 2021-02-26 16:30:04 +05:30
Porcupiney Hairs
602f63ad45 [Java] Add QL for detecting Spring View Manipulation Vulnerabilities. 2021-02-26 16:29:18 +05:30
Tom Hvitved
ac67c67ad7 Merge pull request #4998 from hvitved/csharp/shared-base-pre-ssa 
C#: Use shared SSA implementation for `{Pre,Base}Ssa`
 2021-02-26 11:29:07 +01:00
Rasmus Wriedt Larsen
b43533ce8d Python: Ensure old dataflow queries are not used 
There seems to have been some cases where the old ones have been picked up
instead of the new ones. At least I spotted _one_ case where this happened, in
an internal actions run.

I'm not sure how to actual debug this, so just removing all the tags that could
make these queries to become picked up :|
 2021-02-26 11:22:23 +01:00
yoff
7f7320ae4c Update python/ql/src/Security/CWE-327/InsecureDefaultProtocol.ql 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-02-26 10:56:48 +01:00
Erik Krogh Kristensen
c59e6fef80 add model for form-data 2021-02-26 10:54:46 +01:00
Erik Krogh Kristensen
00cfc77fc0 Revert "fix file lookup for exclude patterns" 
This reverts commit 74630b0fd8.
 2021-02-26 10:28:20 +01:00
Erik Krogh Kristensen
4ec3289ecc update relation name in .stats file 2021-02-26 10:26:08 +01:00
Erik Krogh Kristensen
bd19d5a93c remove is_abstract_signature.ql 2021-02-26 10:24:40 +01:00
Erik Krogh Kristensen
1cac692b1d Update javascript/ql/src/semmle/javascript/TypeScript.qll 
Co-authored-by: Asger F <asgerf@github.com>
 2021-02-26 10:23:01 +01:00
Mathias Vorreiter Pedersen
42d2a673c7 C++: Respond to review comments. 2021-02-26 10:06:05 +01:00
Tamas Vajk
b3d6d0c12b Fix method name resolution issue with nullable suppression 2021-02-26 09:48:37 +01:00
Mathias Vorreiter Pedersen
4e4ffbd790 Update cpp/change-notes/2021-02-24-memset-may-be-deleted.md 
Co-authored-by: Jonas Jensen <jbj@github.com>
 2021-02-26 09:48:21 +01:00
Rasmus Lerchedahl Petersen
311149ab4f Python: fix spelling 2021-02-26 09:44:24 +01:00
Mathias Vorreiter Pedersen
72daf2eef9 C++: Make the tests more realistic by actually using the local variable for something. Otherwise it looks like a zero-initialization of a buffer, which the query now tries to exclude. 2021-02-26 09:19:05 +01:00
yoff
a067adbaf3 Update python/ql/test/query-tests/Security/CWE-327-py2/options 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-02-26 08:53:20 +01:00
Tamás Vajk
ce69e3ae66 Merge pull request #5263 from tamasvajk/feature/fix-file-move 
C#: Fix potentially concurrent file moves
 2021-02-26 08:27:42 +01:00
Tamás Vajk
8241a9c2f1 Merge pull request #5264 from tamasvajk/feature/more-known-enums 
C#: Add more well-known enum underlying types
 2021-02-26 08:20:14 +01:00
Marcono1234
53dc2ce9b6 Java: Use .inc.qhelp extension for included help files 2021-02-26 00:43:51 +01:00
Marcono1234
e21cbe82a9 Update Java documentation links to Java 11 
Where possible update Java documentation links to Java 11.
Additionally update some other links to use HTTPS.
 2021-02-26 00:43:51 +01:00
yoff
e3b3825ab0 Merge pull request #5151 from RasmusWL/django-get-redirect-url 
Python: Model get_redirect_url in django
 2021-02-25 23:07:33 +01:00