hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-06 18:21:07 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,872 Commits 1,691 Branches 160 Tags
codeql-cli/v2.8.4
Commit Graph

33872 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Asger F
614c80706f Apply suggestions from code review 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2021-12-07 10:48:44 +01:00
Asger Feldthaus
5559681916 JS: Change note 2021-12-07 10:46:18 +01:00
Asger Feldthaus
635ac0a209 JS: Fix perf issue in data flow step generation 2021-12-07 10:46:18 +01:00
Asger Feldthaus
da8e67b7ee JS: Use routing trees to detect deeply tainted req.body 2021-12-07 10:46:18 +01:00
Asger Feldthaus
7492293c5b JS: Add test with route handler indirection 2021-12-07 10:46:18 +01:00
Asger Feldthaus
3cbe94ac0a JS: Add consistency checks to TemplateObjectInjection test 2021-12-07 10:46:18 +01:00
Asger Feldthaus
64db70f3ac JS: Add explicit body-parsers to TemplateObjectInjection test 2021-12-07 10:46:18 +01:00
Asger Feldthaus
8af430d40f JS: Shift line numbers in TemplateObjectInjection test 2021-12-07 10:46:17 +01:00
Asger Feldthaus
5f8ea3965d JS: Do not flag auth endpoints that are immune to Login CSRF 2021-12-07 10:46:17 +01:00
Asger Feldthaus
66b1612e5e JS: Treat non-cookie based auth as CSRF preventer 2021-12-07 10:46:17 +01:00
Asger Feldthaus
b73219392b JS: Improve precision of missing CSRF middleware 2021-12-07 10:46:17 +01:00
Asger Feldthaus
d0e94e655d JS: Exclude error handling from auth calls 2021-12-07 10:46:17 +01:00
Asger Feldthaus
400bf10cc3 JS: Move fastify-specific route handler step into extension point 2021-12-07 10:46:17 +01:00
Asger Feldthaus
71820569e1 JS: Instantiate for Fastify 2021-12-07 10:46:15 +01:00
Asger Feldthaus
cfb9265f0a JS: Add template steps for res.locals.x 2021-12-07 10:44:53 +01:00
Asger Feldthaus
5269933461 JS: Port missing rate limiting query 2021-12-07 10:44:19 +01:00
Asger Feldthaus
389a3c9073 JS: Port CSRF query 2021-12-07 10:43:06 +01:00
Asger Feldthaus
16fa066636 JS: Fix false negative in Mongo model 2021-12-07 10:43:05 +01:00
Asger Feldthaus
3dd5d4d7b4 JS: Instantiate for Express and add tests 2021-12-07 10:43:03 +01:00
Erik Krogh Kristensen
3ebf1e3c13 Add codeql-go sources (894102defd) 2021-12-07 10:42:38 +01:00
Erik Krogh Kristensen
a3d11c61a8 QL: Add codeql-go sources (894102defd) 2021-12-07 10:42:38 +01:00
Erik Krogh Kristensen
d852b28653 Add codeql sources (3c59aa319e) 2021-12-07 10:42:34 +01:00
Erik Krogh Kristensen
44c3787457 QL: Add codeql sources (3c59aa319e) 2021-12-07 10:42:34 +01:00
Asger Feldthaus
aae4260819 JS: Routing model 2021-12-07 10:41:55 +01:00
Asger Feldthaus
e9575c3df6 JS: Support AdditionalUseStep in API graphs 2021-12-07 10:41:52 +01:00
Erik Krogh Kristensen
3c59aa319e Merge pull request #7245 from erik-krogh/explicit-this-all-the-places 
All langs: apply the explicit-this patch to all remaining code
 2021-12-07 10:40:26 +01:00
Taus
7cd9369d91 Python: Autoformat 2021-12-07 09:29:24 +00:00
Taus
33a9f86f54 Python: Change integer in trois.py 2021-12-07 08:54:07 +00:00
Taus
dd33f4f4d2 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-12-07 09:48:53 +01:00
Harry Maclean
6f42153eac Ruby: Include empty StmtSequences in CFG 
Empty StmtSequences appear, for example, in the `else` branch of `if`
statements like the following:

    foo

    if cond
      bar
    else
    end

    baz

Before this change, the CFG for this code would look like this:

        foo
         │
         │
         ▼
        cond
         │
    true │
         ▼
        bar
         │
         │
         ▼
         if
         │
         │
         ▼
        baz

i.e. there is linear flow through the condition, the `then` branch, and
out of the if. This doesn't account for the possibility that the
condition is false and `bar` is not executed. After this change, the CFG
looks like this:

          foo
           │
           │
           ▼
          cond
         │    │
    true │    │ false
         ▼    │
        bar   │
         │    │
         │    │
         ▼    ▼
           if
           │
           │
           ▼
          baz

i.e. we correctly account for the `false` condition.
 2021-12-07 16:01:50 +13:00
Geoffrey White
4e68a4670b Merge pull request #7322 from MathiasVP/fix-performance-of-unused-static-functions 
C++: Fix performance of 'cpp/unused-static-function'.
 2021-12-06 17:30:51 +00:00
Mathias Vorreiter Pedersen
4765772725 C++: Fix performance of 'cpp/unused-static-function'. 2021-12-06 16:41:10 +00:00
Tom Hvitved
243b92b28c C#: Avoid CIL instructions with multiple types 2021-12-06 14:42:41 +01:00
Tom Hvitved
60c0bcf8f7 C#: Include dup instructions in CIL ExprMissingType consistency test 2021-12-06 14:37:07 +01:00
Tom Hvitved
c39fe59a04 C#: Populate UnknownType 2021-12-06 14:09:17 +01:00
Rasmus Wriedt Larsen
7ae1047fda JS: Tag queries with CWE-328 
CWE-328: Use of Weak Hash, see https://cwe.mitre.org/data/definitions/328.html
 2021-12-06 14:02:24 +01:00
Rasmus Wriedt Larsen
ff9ed0d4fb Java: Tag queries with CWE-328 
CWE-328: Use of Weak Hash, see https://cwe.mitre.org/data/definitions/328.html

Since weak hash functions (md5/sha1) are considered for the
`java/weak-cryptographic-algorithm` query. See
caeeebf572/java/ql/lib/semmle/code/java/security/Encryption.qll (L148)

To keep things consistent between `java/weak-cryptographic-algorithm`
and `java/potentially-weak-cryptographic-algorithm`, I also added the
tag to the latter.
 2021-12-06 13:59:00 +01:00
Tom Hvitved
5dbbb86d46 Ruby: Restructure ParameterNode(Impl) 2021-12-06 13:43:19 +01:00
Tom Hvitved
728e3abee5 Ruby: Tweak Method::isPrivate join-orders 2021-12-06 13:36:48 +01:00
Tom Hvitved
36569f997f Ruby: Add InlineFlowTest.qll 2021-12-06 13:35:07 +01:00
Benjamin Muskalla
557cb0a09e Add job name 2021-12-06 11:42:03 +01:00
Benjamin Muskalla
657c576186 Skip diffs if same branch 2021-12-06 11:30:14 +01:00
Benjamin Muskalla
38debc0b64 Remove push trigger 2021-12-06 11:21:15 +01:00
Mathias Vorreiter Pedersen
6b1ac73a46 Merge pull request #7177 from ihsinme/ihsinme-patch-6141 
fix request for cpp exceptions
 2021-12-06 09:24:59 +00:00
Anders Schack-Mulligen
de1269f18f Merge pull request #7308 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2021-12-06 09:58:49 +01:00
github-actions[bot]
c46ede02e6 Add changed framework coverage reports 2021-12-06 00:09:47 +00:00
Alex Ford
6adfea2365 Merge pull request #7163 from github/ruby/file-reader-extend 
Ruby: Extend `FileSystemReadAccess` to include more potential sources of input from the filesystem
 2021-12-05 23:32:43 +00:00
haby0
daf6a4ce07 Partial modification 2 2021-12-04 17:45:02 +08:00
Aditya Sharad
f68a40f82b JS: Simplify calculation of token features for endpoints 
Use a `strictcount` to identify whether there is exactly one feature or not.
If so, we use it. If not, we use the empty string.
Add context to ensure we filter the set of data flow nodes down to only
the set of endpoint nodes.

This performance optimisation avoids calculating the Cartesian product
of data flow nodes and feature names, but it does not avoid calculating
the (slightly smaller) Cartesian product of endpoint nodes and feature names.
Product size = number of endpoint nodes * number of feature names.
At time of writing there are 8 feature names.
 2021-12-03 14:20:27 -08:00
Aditya Sharad
fac2769d85 JS: Replace an exists+concat with an equivalent strictconcat 2021-12-03 14:20:26 -08:00