hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-18 13:36:47 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,884 Commits 1,714 Branches 162 Tags
codeql-cli/v2.8.5
Commit Graph

33884 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Taus
38548c9acd Python: Simplify charpred for LocalSourceNode 
The somewhat convoluted `comes_from_cfgnode` was originally introduced
in order to have local sources for instances of global variables. This
was needed because global variables have an implicit "scope entry" SSA
definition that flows to the first actual use of the variable (and so
would not fit the strict "has no incoming flow" definition of a local
source node).

However, a subsequent change means that we include all global variable
reads anyway, and so the old definition is no longer needed.

(See commit 3fafb47b16 for further
context.)
 2021-04-20 13:19:36 +00:00
Taus
038bf612be Python: Add change note 2021-04-20 13:06:30 +00:00
Jonas Jensen
f02c86cb22 Merge pull request #5726 from MathiasVP/fix-false-positive-in-return-stack-allocated-memory-2 
C++: Fix false positive in return stack allocated memory (second attempt)
 2021-04-20 15:05:11 +02:00
Taus
a55b43b67e Python: Use LocalSourceNode throughout step 
This commit does a lot of stuff all at once, so here are the main
highlights:

In `TypeTracker.qll`, we change `StepSummary::step` to step only between
source nodes. Because reads and writes of global variables happen in two
different (jump) steps, this requires the intermediate
`ModuleVariableNode` to _also_ be a `LocalSourceNode`, and we therefore
modify the charpred for that class accordingly. (This also means
changing a few of the tests to account for these new source nodes.)

In addition, we change `TypeTracker::step` to likewise step between
local source nodes.

Next, to enable the use of the `track` convenience method on nodes, we
add some pragmas to `TypeTracker::step` that prevent bad joins from
occurring. With this, we can eliminate all of the manual type tracker
join predicates.

Next, we observe that because `StepSummary::step` now uses `flowsTo`, it
automatically encapsulates all local-flow steps. In particular this
means we do not have to use `typePreservingStep` in `smallstep`, but can
use `jumpStep` directly. A similar observation applies to
`TypeTracker::smallstep`.

Having done this, we no longer need `typePreservingStep`, so we get rid
of it.
 2021-04-20 12:59:33 +00:00
Taus
31bd701bd5 Python: Final LocalSourceNode fixes 2021-04-20 12:59:33 +00:00
Chris Smowton
9bfb0d93ca Autoformat QL 2021-04-20 13:59:09 +01:00
Rasmus Wriedt Larsen
897105de02 Merge pull request #5717 from tausbn/python-use-api-graphs-in-django 
Python: Use API graphs in Django model
 2021-04-20 14:57:55 +02:00
thank_you
7773c53124 Replace any(string) with _ wildcard 2021-04-20 08:49:08 -04:00
thank_you
bbd3552392 Rename predicate to getQuery 2021-04-20 08:47:37 -04:00
Erik Krogh Kristensen
19c5889775 use mayHaveBooleanValue 2021-04-20 14:39:54 +02:00
Erik Krogh Kristensen
13d915927b add change note 2021-04-20 14:39:54 +02:00
Erik Krogh Kristensen
7046f1a902 add taint-step for markdown-it when the HTML flag is set 2021-04-20 14:39:54 +02:00
Taus
76700d17d6 Merge pull request #5684 from RasmusWL/flask-more-taint-tests 
Python: Add taint tests for .get() in flask
 2021-04-20 14:08:08 +02:00
Asger Feldthaus
f8d428cb2d JS: Use function-forwarding steps when tracking rate limiters 2021-04-20 13:00:42 +01:00
Mathias Vorreiter Pedersen
93e55e2631 C++: Fix FP in cpp/return-stack-allocated-memory. 2021-04-20 13:58:12 +02:00
Mathias Vorreiter Pedersen
1797b6c7f9 C++: Add FP test from the work on smart pointers in dataflow. 2021-04-20 13:54:57 +02:00
Asger Feldthaus
581f4ed757 JS: Generalize handling of route handler wrapper functions 2021-04-20 12:46:40 +01:00
Chris Smowton
0ec3ee29e4 Style last use of SecureASTCustomizer 2021-04-20 12:44:49 +01:00
Hayk Andriasyan
bb58a50503 Update GroovyInjection.qhelp 2021-04-20 15:41:58 +04:00
p0wn4j
f2de440886 [Java] CWE-094: Query to detect Groovy Code Injections 2021-04-20 19:18:24 +04:00
Arthur Baars
122315db3f Remove 'Method' class 2021-04-20 13:41:11 +02:00
haby0
3e376f95c4 Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-20 19:36:16 +08:00
haby0
b1ee864ad9 Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-20 19:35:52 +08:00
haby0
9e87f4ec4e Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.ql 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-20 19:35:34 +08:00
haby0
408dd31d3c Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-20 19:34:37 +08:00
haby0
9ece4dac0f Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-20 19:33:47 +08:00
haby0
d82878ac3b Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-20 19:33:06 +08:00
haby0
0b1637a409 Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-20 19:32:39 +08:00
haby0
b60bffaf83 Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-20 19:31:59 +08:00
Jonas Jensen
d4fdd50e2c Merge pull request #5723 from MathiasVP/cleanup-smart-ptr-model 
C++: Simplify smart pointer model
 2021-04-20 13:25:02 +02:00
Tom Hvitved
dd1bb18938 C#: Various data-flow performance tweaks 
- Cache `DataFlowCall::getEnclosingCallable()`.
- Cache `ParameterNode`.
- Cache `ArgumentNode`.
- Force proper join-orders for uses of `getNodeType()`.
- Inline `localFlow` to prevent calculating full TC.
 2021-04-20 11:56:25 +02:00
Tom Hvitved
1f9239089f Merge pull request #5695 from hvitved/csharp/dispose-not-called-on-exc-perf 
C#: Improve performance of `DisposeNotCalledOnException.ql`
 2021-04-20 11:52:18 +02:00
Tom Hvitved
b2a7a3ed30 Merge pull request #5674 from hvitved/csharp/ssa/call-graph-perf 
C#: Improve performance of `SsaImpl::CallGraph::SimpleDelegateAnalysis`
 2021-04-20 11:51:52 +02:00
Geoffrey White
2b7e599dc4 Merge pull request #5703 from MathiasVP/improve-access-of-memory-location-after-end-of-buffer-using-strncat 
C++: Improve cpp/access-memory-location-after-end-buffer-strncat
 2021-04-20 10:44:24 +01:00
Alex Ford
28e46c8915 add FLinesOfCode.ql metric query 2021-04-20 10:12:52 +01:00
Mathias Vorreiter Pedersen
61d4d17225 C++: Simplify smart pointer model and accept test changes. 2021-04-20 09:57:58 +02:00
Tamás Vajk
408954e4d8 C#: Add Dapper to supported frameworks 2021-04-20 09:30:47 +02:00
haby0
0053158884 update qhelp file and ql comments 2021-04-20 10:58:54 +08:00
thank_you
c5fbbc0551 Refactor SqlAlchemy model 
- Replaced classes that look for SqlAlchemy instances with predicates
- General clean-up of code
 2021-04-19 18:56:00 -04:00
yo-h
87cd72496c Java: add extractor diagnostic queries 2021-04-19 15:34:16 -04:00
yo-h
cb524b6c19 Merge pull request #5611 from github/yo-h/java16 
Java: adjust test `options` for JDK 16 upgrade
 2021-04-19 15:12:23 -04:00
Taus
bc6685aa3f Python: Fix typo 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-04-19 19:57:35 +02:00
Alex Ford
7bfc61789d line count MetricFile predicates 2021-04-19 18:08:01 +01:00
Alex Ford
62bf58b289 WIP: populate numlines table 2021-04-19 18:06:35 +01:00
Anders Schack-Mulligen
5458c02cc2 Merge pull request #5456 from aschackmull/java/adopt-flow-summary 
Java: Use shared flow summary library for CSV models.
 2021-04-19 16:21:10 +02:00
Anders Schack-Mulligen
33db0c13cd Merge pull request #5689 from github/aeisenberg/rework-staleness 
Actions: Change staleness calculation
 2021-04-19 15:57:41 +02:00
Tom Hvitved
9128ec72ad C#: A few minor SSA performance tweaks 2021-04-19 15:51:14 +02:00
Anders Schack-Mulligen
80eb0a2df6 Apply suggestions from code review 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-19 15:45:58 +02:00
CodeQL CI
437bba1e3c Merge pull request #5716 from erik-krogh/vscodeRegress 
Approved by esbena
 2021-04-19 06:30:02 -07:00
Tom Hvitved
15e4b7f95d C#: Remove CP from HardcodedCredentials::getCredentialSink 2021-04-19 15:03:11 +02:00