hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-06 18:21:07 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,872 Commits 1,691 Branches 160 Tags
codeql-cli/v2.8.4
Commit Graph

33872 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
haby0
69690a2509 Modify sinks 2021-11-25 15:47:30 +08:00
haby0
4438f8c58c Add MyBatis Mapper Sql Injection 2021-11-25 15:47:29 +08:00
CodeQL CI
d3da790191 Merge pull request #6873 from erik-krogh/explicit-this 
Approved by esbena
 2021-11-24 15:23:35 -08:00
Chris Smowton
3c8f6e3c07 Merge pull request #6717 from luchua-bc/java/thread-resource-abuse 
Java: CWE-400 - Query to detect uncontrolled thread resource consumption
 2021-11-24 18:59:41 +00:00
Geoffrey White
4c5faaf985 C++: Autoformat result not checked query. 2021-11-24 18:26:39 +00:00
Geoffrey White
8abaf1247a C++: Clean up result not checked query. 2021-11-24 18:26:39 +00:00
Geoffrey White
5ffbf563b8 C++: Add metadata for result not checked query. 2021-11-24 18:26:38 +00:00
Geoffrey White
72a03257e7 C++: Add qhelp for result not checked query. 2021-11-24 18:26:38 +00:00
Geoffrey White
5eb814fd8b C++: Prototype SSL result not checked query. 2021-11-24 18:26:37 +00:00
Geoffrey White
7869733ab5 C++: Autoformat result conflation query. 2021-11-24 18:25:58 +00:00
Geoffrey White
88b6bd9478 C++: Switch result conflation query to a slightly simpler dataflow-only approach. 2021-11-24 18:25:57 +00:00
Geoffrey White
ce2b86b9e3 C++: Add metadata for result conflation query. 2021-11-24 18:25:57 +00:00
Geoffrey White
2eae6a3e9a C++: Add qhelp for result conflation query. 2021-11-24 18:25:56 +00:00
Geoffrey White
6afcbce421 C++: Prototype SSL result conflation query. 2021-11-24 18:22:24 +00:00
Arthur Baars
5d0dfe8c04 Re-generate library and dbscheme 2021-11-24 17:18:04 +01:00
Arthur Baars
e7524dea69 Update tree-sitter-ruby 2021-11-24 17:18:03 +01:00
Arthur Baars
4b3b1d2a8b Merge pull request #7222 from aibaars/ruby-ci-fix 
Ruby: fix CI jobs after removal of `.codeql-manifest.json`
 2021-11-24 17:16:52 +01:00
Erik Krogh Kristensen
1e752f305d apply the explicit this patch to new code 2021-11-24 15:26:19 +01:00
Erik Krogh Kristensen
08ce03cd93 Merge branch 'main' into explicit-this 2021-11-24 15:24:58 +01:00
Erik Krogh Kristensen
3bab8c6d1d Merge pull request #7173 from erik-krogh/getRubyInSync 
JS/PY/RB: get ReDoSUtil in sync for ruby
 2021-11-24 15:20:23 +01:00
Rasmus Wriedt Larsen
651a76c9ce Python: Add CWE-532 to CleartextLogging 
Relevant for this query:

CWE-532: Insertion of Sensitive Information into Log File

> While logging all information may be helpful during development
> stages, it is important that logging levels be set appropriately
> before a product ships so that sensitive user data and system
> information are not accidentally exposed to potential attackers.

See https://cwe.mitre.org/data/definitions/532.html

JS also did this recently: https://github.com/github/codeql/pull/7103
 2021-11-24 14:59:52 +01:00
Rasmus Wriedt Larsen
c05ffd4d00 JS/PY: Remove CWE-315 form CleartextLogging 
Since it is not relevant for this query:

CWE-315: Cleartext Storage of Sensitive Information in a Cookie

See https://cwe.mitre.org/data/definitions/315.html
 2021-11-24 14:59:18 +01:00
Anders Schack-Mulligen
7ca3407c86 Dataflow: Sync. 2021-11-24 14:43:00 +01:00
Anders Schack-Mulligen
a7ec0fa900 Dataflow: Remove more disjunction-induced tuple duplication. 2021-11-24 14:39:49 +01:00
Michael Nebel
b9d0a60ce7 C#: Addressed review comments from hvitved 2021-11-24 14:35:52 +01:00
luchua-bc
b0031a0d85 Add local input test case and update qldoc 2021-11-24 13:30:50 +00:00
Tom Hvitved
1d1780b30f C#: Fix bug in getEnclosingCallable 2021-11-24 14:24:01 +01:00
Rasmus Wriedt Larsen
7dde52ced2 Merge pull request #7131 from RasmusWL/wsgiref.simple_server 
Python: Model `wsgiref.simple_server` applications
 2021-11-24 14:22:23 +01:00
Anders Schack-Mulligen
4efdcc22a2 Dataflow: Improve barrier handling. 2021-11-24 14:17:05 +01:00
Tom Hvitved
f85fa87f69 C#: Add test that illustrates problem with getEnclosingCallable 2021-11-24 13:59:29 +01:00
Rasmus Wriedt Larsen
2a5e0a3b77 Merge pull request #7145 from RasmusWL/remove-owasp-tags 
Python/Ruby: Remove owasp tags
 2021-11-24 13:56:48 +01:00
Rasmus Wriedt Larsen
e2652591a5 Python: Change perf fix PoorMansFunctionResolution 
Thanks @yoff, this leaves us with the following evaluation, which looks
very close to the one in the other fix (but with cleaner implementation)
-- both at 688k max tuples (although numbers are not exactly the same).

```
[2021-11-24 13:48:40] (14s) Tuple counts for PoorMansFunctionResolution::getSimpleMethodReferenceWithinClass#ff/2@e5f05asv after 74ms:
                      47493  ~3%     {3} r1 = JOIN Class::Class::getAMethod_dispred#ff WITH py_Classes ON FIRST 1 OUTPUT Lhs.1, 0, Lhs.0
                      47335  ~0%     {2} r2 = JOIN r1 WITH AstGenerated::Function_::getArg_dispred#fff ON FIRST 2 OUTPUT Rhs.2, Lhs.2
                      46683  ~0%     {2} r3 = JOIN r2 WITH DataFlowPublic::ParameterNode::getParameter_dispred#fb_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1
                      259968 ~4%     {2} r4 = JOIN r3 WITH LocalSources::Cached::hasLocalSource#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1
                      161985 ~0%     {3} r5 = JOIN r4 WITH Attributes::AttrRef::accesses_dispred#bff_102#join_rhs ON FIRST 1 OUTPUT Rhs.1 'result', Lhs.1, Rhs.2
                      161985 ~2%     {3} r6 = JOIN r5 WITH Attributes::AttrRead#class#f ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Lhs.0 'result'
                      688766 ~0%     {3} r7 = JOIN r6 WITH Function::Function::getName_dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1, Rhs.1 'func', Lhs.2 'result'
                      20928  ~0%     {2} r8 = JOIN r7 WITH Class::Class::getAMethod_dispred#ff ON FIRST 2 OUTPUT Lhs.1 'func', Lhs.2 'result'
                                     return r8
```
 2021-11-24 13:52:05 +01:00
Rasmus Wriedt Larsen
1411804e58 Python: Allow custom fastapi.APIRouter subclasses 2021-11-24 13:46:38 +01:00
Tom Hvitved
1d654d1eac C#: Restrict refReadBeforeWrite 2021-11-24 13:43:14 +01:00
Tom Hvitved
1739673202 C#: Enable SSA consistency queries 2021-11-24 13:43:14 +01:00
Chris Smowton
c74eac4930 Remove needless casts 2021-11-24 12:18:05 +00:00
Chris Smowton
cec91c4831 Update ThreadResourceAbuse.qhelp 2021-11-24 12:15:48 +00:00
Chris Smowton
5101a8e9f3 Fix qhelp test 2021-11-24 12:12:56 +00:00
Chris Smowton
136ecaf49a Abbreviate qhelp example 2021-11-24 12:12:22 +00:00
Michael Nebel
c3996b00d5 C#: Update the Microsoft.NETCore.App stub 2021-11-24 13:09:06 +01:00
Chris Smowton
120f2045cd Document XXE sanitisation policy 2021-11-24 12:03:28 +00:00
Mathias Vorreiter Pedersen
6d9cea90cb Merge pull request #7226 from MathiasVP/shorter-ir-dataflow-paths 
C++: Hide some IR dataflow nodes
 2021-11-24 11:13:52 +00:00
Michael Nebel
a3ca9ad27d C#: Sync flow summary implementation files and implement specific parts for ruby and java 2021-11-24 12:09:20 +01:00
Michael Nebel
e153a65216 C#: Update flow summaries test for EntityFramework to print results in CSV syntax 2021-11-24 12:09:20 +01:00
Michael Nebel
914d3d86af C#: Update flow summaries test to print results in CSV syntax 2021-11-24 12:09:20 +01:00
Michael Nebel
3a7d51d2ee C#: Don't throw away ReturnKind information, when printing flow summaries. Note that any non NormalReturnKind printed summary will not be in the flow summary CSV language 2021-11-24 12:09:20 +01:00
Michael Nebel
e607c51292 C#: Initial implementation of csv printing in FlowSummaries test 2021-11-24 12:09:20 +01:00
Rasmus Wriedt Larsen
47448d9efc Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-11-24 12:02:12 +01:00
Mathias Vorreiter Pedersen
6c7a01d3d5 C++: Add some comments to the two 'flowThrough' predicates. 2021-11-24 10:50:44 +00:00
Rasmus Wriedt Larsen
d493cfdf3a Python: Model FastAPI FileResponse as FileSystemAccess 
This was an oversight from our initial FastAPI modeling work.
 2021-11-24 11:44:51 +01:00