hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-19 00:13:44 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,872 Commits 1,693 Branches 160 Tags
codeql-cli/v2.8.4
Commit Graph

33872 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Tom Hvitved
6c0dbcfca2 Java/C++: Add DataFlowErasedType aliases 2019-11-20 14:09:53 +01:00
Tom Hvitved
d0b4653e32 C#: Introduce DataFlowErasedType 2019-11-20 14:09:46 +01:00
Max Schaefer
cb20de8070 JavaScript: Add a warning to IncompleteSanitization help. 
Sanitizing away multi-character strings using regular expressions is tricky business, and we should probably warn about it.
 2019-11-20 11:57:50 +00:00
Jonas Jensen
4dafa16572 C++: Fix FP on unevaluated code 
This fixes false positives on tenzir/vast.
 2019-11-20 10:42:36 +01:00
Geoffrey White
9cf819929d Merge pull request #2383 from jbj/field-isStatic 
C++: Don't check if a Field is static
 2019-11-20 09:05:03 +00:00
Robert Marsh
53709deb9d Merge pull request #2342 from jbj/overflow-doc-fixes 
C++: Signed Overflow Check qhelp improvements
 2019-11-19 15:37:52 -08:00
Paulino Calderon
63884c1a86 Mixed spaces and tabs 2019-11-19 13:06:55 -05:00
Paulino Calderon
85eda8c978 Brings security tests from other PRs 2019-11-19 13:04:19 -05:00
Paulino Calderon
96a02aba3f Adds quotes on name and additional info tags 2019-11-19 12:39:10 -05:00
semmle-qlci
51a51d7e0c Merge pull request #2387 from max-schaefer/js/incomplete-dotdot-sanitization 
Approved by asger-semmle
 2019-11-19 16:39:35 +00:00
Jonas Jensen
a1af96e521 C++: Reproduce a reported FP 2019-11-19 16:17:49 +01:00
Shati Patel
49c2398bda QL docs: Update links to blog/demos 2019-11-19 15:06:26 +00:00
Max Schaefer
5565be14fc JavaScript: Teach IncompleteSanitization to flag incomplete path sanitizers. 2019-11-19 15:06:16 +00:00
Erik Krogh Kristensen
1ba777a45d remove deep taint of objects 2019-11-19 15:50:50 +01:00
Erik Krogh Kristensen
c2b48eb546 rename getExceptionalNode to getExceptionTarget 2019-11-19 15:32:17 +01:00
Jonas Jensen
c41114334f Merge remote-tracking branch 'upstream/master' into ir-dataflow-toString 
Solved conflicts in `*.expected` by re-running the tests.
 2019-11-19 14:27:27 +01:00
Erik Krogh Kristensen
d8a5554666 update doc on getExceptionalNode 2019-11-19 14:10:35 +01:00
Erik Krogh Kristensen
abd58ba905 rename 'getThrowsToNode' to 'getExceptionalNode' 2019-11-19 14:08:36 +01:00
Erik Krogh Kristensen
9fa7393d56 add support for try-statements with no catch block 2019-11-19 13:37:35 +01:00
Rasmus Wriedt Larsen
b39bcde31c Merge pull request #2375 from tausbn/python-fix-mutable-value-type-coercion-fp 
Python: Don't report mutable parameters that are in fact immutable.
 2019-11-19 13:26:23 +01:00
Jonas Jensen
fbf2ef8625 C++: Don't check if a Field is static 
A `Field` in the C++ QL libraries can't be static, but I'd for some
reason written two checks for `Field`s being static in the data-flow
library.
 2019-11-19 13:20:21 +01:00
Rasmus Wriedt Larsen
231414ceaf Merge pull request #2374 from tausbn/python-fix-mappingproxytype-fp 
Python: Fix non-container FP relating to `MappingProxyType`.
 2019-11-19 13:13:26 +01:00
Jonas Jensen
b43cbeb17f Merge pull request #2372 from geoffw0/qhelpms 
CPP: Improve TlsSettingsMisconfiguration qhelp
 2019-11-19 13:05:52 +01:00
Erik Krogh Kristensen
0a428a8f44 typo 
Co-Authored-By: Esben Sparre Andreasen <esbena@github.com>
 2019-11-19 13:05:13 +01:00
Jonas Jensen
466f7fe6b2 C++: Use <ol> for recommendations 2019-11-19 12:57:02 +01:00
Erik Krogh Kristensen
2f08ee9faf fix typo 
Co-Authored-By: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
 2019-11-19 12:53:50 +01:00
James Fletcher
c73ae5399d Merge pull request #2380 from shati-patel/docs/blog-links 
Docs: Update links from blog to security lab
 2019-11-19 11:09:13 +00:00
Shati Patel
820a11294d Docs: Update links from blog to security lab 2019-11-19 10:54:19 +00:00
Jonas Jensen
0731309b1e C++: Change note for StackVariable 2019-11-19 11:44:03 +01:00
Jonas Jensen
4d97534308 C++: Deprecate LocalScopeVariableReachability 2019-11-19 11:43:41 +01:00
Jonas Jensen
1498499994 C++: Relax type in two tests 2019-11-19 11:31:34 +01:00
Jonas Jensen
f5b9837e19 C++: Use StackVariable in Nullness.qll 
This might cause fewer variables to be analysed because not every use of
`LocalScopeVariable` was constrained by the def-use library. Hopefully
this leads to an improved nullness analysis since it avoids treating
`static T *x = nullptr;` the same as `static T *x; x = nullptr;`.
 2019-11-19 11:31:34 +01:00
Jonas Jensen
140575ee71 C++: Use StackVariable where SSA/def-use are used 
These changes should not affect semantics since these uses of
`LocalScopeVariable` were already constrained to stack variables by
their use of SSA or def-use.
 2019-11-19 11:31:34 +01:00
Jonas Jensen
6f9ec0409e C++: Use StackVariable in code that uses RangeSSA 2019-11-19 11:31:33 +01:00
Jonas Jensen
29f66ff095 C++: Use StackVariable, remove not v.isStatic() 
In these files it was possible to remove calls to `isStatic` by
switching from `LocalScopeVariable` to `StackVariable`. This changes
semantics, hopefully for the better, to treat `thread_local` locals the
same as `static` locals.
 2019-11-19 11:30:59 +01:00
Jonas Jensen
e57f98ca64 C++: Use StackVariable in def-use libraries 
Most of the implementation was already in terms of
`SemanticStackVariable`, so not much should have changed.
 2019-11-19 11:30:59 +01:00
Jonas Jensen
95a333d28c C++: Use StackVariable in SSA libraries 
This means we'll no longer get SSA definitions for thread-local
local-scope variables.
 2019-11-19 11:30:59 +01:00
Jonas Jensen
c1ed908834 C++: Use StackVariableReachability 
This library is a drop-in replacement for
`LocalScopeVariableReachability`, so no changes are expected.
 2019-11-19 11:30:59 +01:00
Jonas Jensen
01ca63ae92 C++: Bring back StackVariableReachability.qll 
This is now a copy of `LocalScopeVariableReachability.qll`, just with
`s/LocalScopeVariable/StackVariable/g`. It can be used as a drop-in
replacement since the `LocalScopeVariableReachability.qll` library
implementation was already restricted to `SemanticStackVariable`.
 2019-11-19 11:30:59 +01:00
Jonas Jensen
8110039e0a C++: Bring back the StackVariable QL class 
The new `StackVariable` class actually denotes what its name suggests.
 2019-11-19 11:23:34 +01:00
Erik Krogh Kristensen
d4f42d872a change change-note to target 1.24 instead of 1.23 2019-11-19 11:10:34 +01:00
Taus
4c700882b6 Merge pull request #2190 from RasmusWL/python-modernise-tornado-library 
Python: modernise tornado library
 2019-11-19 09:36:30 +01:00
Erik Krogh Kristensen
de8ed3f508 update test code 2019-11-19 09:04:30 +01:00
Erik Krogh Kristensen
91674f681b refactoring to remove duplicated code and simplify the ExceptionXss query 2019-11-19 08:54:51 +01:00
Robert Marsh
ae47eab727 C++: autoformat 2019-11-18 15:36:08 -08:00
yh-semmle
3d837542e8 Merge pull request #2373 from aschackmull/java/changenote-update 
Java: Update change note to cover #2304 and #2346.
 2019-11-18 12:14:07 -05:00
Taus Brock-Nannestad
3491d90b1e Python: Apply auto-format. 2019-11-18 16:50:32 +01:00
Taus Brock-Nannestad
1385f3c018 Python: Fix non-container FP relating to MappingProxyType. 
Fixes #2307.

Also modernises the query to use the `Value` API.
 2019-11-18 16:50:32 +01:00
Taus Brock-Nannestad
3c47394b7a Python: Apply auto-format. 2019-11-18 16:28:54 +01:00
Taus Brock-Nannestad
cac261858c Python: Don't report mutable parameters that are in fact immutable. 
Fixes #1832.

In the taint sink, we add an additional check that the given control-flow node
can indeed point to a value that is mutable. This takes care of the guard on the
type.

If and when we get around to adding configurations for all of the taint
analyses, we may want to implement this as a barrier instead, pruning any steps
that go through a type test where the type is not mutable.
 2019-11-18 16:18:44 +01:00