hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-08 03:01:10 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,872 Commits 1,691 Branches 160 Tags
codeql-cli/v2.8.4
Commit Graph

33872 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Mathias Vorreiter Pedersen
8caff41138 C++: Throw away most of the usage of IR-computed def-use information. Instead, we rely on the shared SSA library's use-use edges. 2021-10-28 12:35:00 +01:00
Mathias Vorreiter Pedersen
3a488574e5 C++: Rewrite the PartialDefinitionNode classes to match the new StoreNodes. 2021-10-28 12:35:00 +01:00
Mathias Vorreiter Pedersen
8bef79502f C++: Similarly to the previous commit, we throw away the old memory-edges based way of doing read steps. Instead, we use the shared SSA library to transfer flow into a new ReadNode IPA branch, perform the necessary read steps, and then use the shared SSA library to transfer flow out of the ReadNode again. 2021-10-28 12:35:00 +01:00
Mathias Vorreiter Pedersen
5ebefe2d30 C++: Throw away the old way of doing store steps using memory edges. Instead, we introduce a StoreNode IPA branch that does store steps and instead use the shared SSA library to transfer flow into these nodes before a store step, and out of them following a sequence of store steps. 2021-10-28 12:35:00 +01:00
Rasmus Wriedt Larsen
6648a695eb Python: Add flask specific path-injection test 2021-10-28 13:34:18 +02:00
Rasmus Lerchedahl Petersen
b3ba75a00f Python: Fix tests by managing local sources 
`API::Node::getAwaited` is restriced to local sources
 2021-10-28 13:22:59 +02:00
jorgectf
3dec222922 Merge remote-tracking branch 'origin/main' into jorgectf/python/jwt-queries 2021-10-28 13:11:46 +02:00
jorgectf
7069f45864 Polish documentation 2021-10-28 13:09:28 +02:00
Nick Rolfe
2059896882 Ruby: clean up docs 2021-10-28 12:04:48 +01:00
Rasmus Wriedt Larsen
436152a46d Python: Refactor flask file sending tests 2021-10-28 12:37:07 +02:00
Rasmus Wriedt Larsen
58bc1102e5 Merge branch 'main' into jorgectf/python/deserialization 2021-10-28 12:31:34 +02:00
Geoffrey White
e8895686f8 Merge pull request #6980 from geoffw0/unusedqhelp 
C++: Remove old and unused qhelp files
 2021-10-28 10:55:31 +01:00
Mathias Vorreiter Pedersen
1842fed7a2 C++: Add shared SSA library and instantiate it with the IR. 2021-10-28 10:52:09 +01:00
Mathias Vorreiter Pedersen
13ce2569d7 C++/C#: Sync identical IR files· 2021-10-28 10:52:00 +01:00
Mathias Vorreiter Pedersen
bccd4e9e93 C++: Add 'getReturnAddress' and 'getReturnAddressOperand' predicates to 'ReturnValueInstruction'. 2021-10-28 10:51:49 +01:00
Nick Rolfe
bd92403b42 Ruby: fix qhelp 2021-10-28 10:42:56 +01:00
Rasmus Wriedt Larsen
6d09334cba Merge pull request #6330 from porcupineyhairs/pyPathTraversal 
Python : Add Flask sinks for path injection query
 2021-10-28 11:39:40 +02:00
Rasmus Wriedt Larsen
3fa66519f5 Merge branch 'main' into fastapi 2021-10-28 11:37:40 +02:00
Rasmus Wriedt Larsen
d9e5d179d2 Python: Minor fix to QLDoc 
and auto-formatting
 2021-10-28 11:15:34 +02:00
Rasmus Wriedt Larsen
358663ffbb Python: Fix tests 2021-10-28 11:14:41 +02:00
Erik Krogh Kristensen
12305aae42 extract regexp literals from string concatenations 2021-10-28 10:44:33 +02:00
yoff
9478faf040 Merge pull request #6967 from RasmusWL/ruamel.yaml 
Python: Model `ruamel.yaml` PyPI package
 2021-10-28 10:19:08 +02:00
Arthur Baars
3fb0139430 Protect against flag injection 2021-10-28 09:58:10 +02:00
ihsinme
2574aa8980 Update InsecureTemporaryFile.ql 2021-10-28 10:51:48 +03:00
Rasmus Lerchedahl Petersen
56dab252c9 Python: remove spurious dataflow step 2021-10-28 09:47:04 +02:00
Rasmus Lerchedahl Petersen
cca675a161 Python: Add test for async taint 
(which we belive we have just broken)
 2021-10-28 09:47:04 +02:00
ihsinme
432fc74455 Apply suggestions from code review 
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
 2021-10-28 10:37:01 +03:00
ihsinme
235a3ec232 Update InsecureTemporaryFile.qhelp 2021-10-28 10:34:42 +03:00
ihsinme
0addb2d1ea Update IncorrectChangingWorkingDirectory.ql 2021-10-28 10:17:48 +03:00
ihsinme
c3b1d7e5c8 Apply suggestions from code review 
Co-authored-by: Mathias Vorreiter Pedersen <mathiasvp@github.com>
 2021-10-28 10:17:13 +03:00
ihsinme
1c80f26178 Update ExposureSensitiveInformationUnauthorizedActor.ql 2021-10-28 09:50:41 +03:00
ihsinme
04ee78aecf Apply suggestions from code review 
thanks

Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
 2021-10-28 09:46:26 +03:00
Tony Torralba
cee80f766f Merge pull request #6983 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2021-10-28 08:19:34 +02:00
github-actions[bot]
adfc725225 Add changed framework coverage reports 2021-10-28 00:08:41 +00:00
Porcuiney Hairs
4fd3f212f8 Python : Add Flask sinks for path injection query 2021-10-28 02:12:11 +05:30
Nick Rolfe
0d161bec7a Merge pull request #6982 from github/nickrolfe/also-revert-cargo-lock 
Ruby: also revert Cargo.lock
 2021-10-27 20:33:07 +01:00
Erik Krogh Kristensen
96b6f670d9 filter away paths that start with libary inputs and end with a fixed-property write 2021-10-27 21:01:11 +02:00
Erik Krogh Kristensen
78371894f4 update import after rebasing on main 2021-10-27 20:47:06 +02:00
Erik Krogh Kristensen
a9a9e34265 recognize delete expresssions as a sink for js/prototype-polluting-assignment 2021-10-27 20:37:42 +02:00
Erik Krogh Kristensen
1243c736dd use ConcatenationNode::isCoercion 2021-10-27 20:37:42 +02:00
Erik Krogh Kristensen
2dedfb302a remove paths without unmatched returns from js/prototype-polluting-assignment 2021-10-27 20:37:42 +02:00
Erik Krogh Kristensen
0c9c9bbde7 detect library input when the arguments object is converted to an array 2021-10-27 20:37:41 +02:00
Erik Krogh Kristensen
fa9e9dd847 split out predicates in ClassifyFiles to avoid unnecessary computations 2021-10-27 20:35:38 +02:00
Erik Krogh Kristensen
3d124cf95e add change-note 2021-10-27 20:35:38 +02:00
Erik Krogh Kristensen
d1238dfd8b update alert message to distinguish between library input and remote flow 2021-10-27 20:35:38 +02:00
Erik Krogh Kristensen
6e183af383 ignore test files for the `prototypeLessObject' predicate 2021-10-27 20:35:37 +02:00
Erik Krogh Kristensen
e94b0f5913 recognize inclusion based sanitizers for js/prototype-polluting-assignment 2021-10-27 20:35:37 +02:00
Erik Krogh Kristensen
2a808b2cd6 track taint through string coercions for js/prototype-polluting-assignment 2021-10-27 20:35:37 +02:00
Erik Krogh Kristensen
2d65aa17db recognize exported functions that use the arguments object 2021-10-27 20:35:37 +02:00
Erik Krogh Kristensen
78774233c7 add library input as source to js/prototype-polluting-assignment 2021-10-27 20:35:36 +02:00