Erik Krogh Kristensen
7c26efbc12
case insensitive authorization header
2020-06-03 15:23:51 +02:00
Erik Krogh Kristensen
b508ad41c8
don't have a separate fetch module
2020-06-03 15:20:06 +02:00
Erik Krogh Kristensen
46cd0143d8
Update javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
...
Co-authored-by: Asger F <asgerf@github.com>
2020-06-03 15:18:10 +02:00
Mathias Vorreiter Pedersen
d295e2139a
C++: Accept tests after merge from master
2020-06-03 15:13:44 +02:00
Mathias Vorreiter Pedersen
43a0d4c97d
Merge branch 'master' into flat-structs
2020-06-03 15:11:14 +02:00
Esben Sparre Andreasen
8316121a44
JS: formatting
2020-06-03 15:02:36 +02:00
Jonas Jensen
ad292d8fb6
C++: Accept one more test change from last commit
2020-06-03 14:51:05 +02:00
Tom Hvitved
86dd86848f
C#: Update call-sensitivity data-flow tests
2020-06-03 14:21:23 +02:00
Erik Krogh Kristensen
baee47f3c6
remove mention of fetch from change-note
2020-06-03 13:56:32 +02:00
Erik Krogh Kristensen
28a1900612
treat all writes to Authorization as a CredentialsExpr
2020-06-03 13:55:49 +02:00
Erik Krogh Kristensen
6466ab19a0
Update javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll
...
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2020-06-03 13:51:04 +02:00
Erik Krogh Kristensen
f8caec76ab
move the Fetch module to ClientRequests
2020-06-03 13:37:34 +02:00
Erik Krogh Kristensen
aa463d8298
mention fetch instead of node-fetch
2020-06-03 13:33:43 +02:00
Erik Krogh Kristensen
c80baf981a
simplify change-note
...
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2020-06-03 13:33:31 +02:00
Erik Krogh Kristensen
1b53cd4bd9
update docstring of FetchAuthorization
...
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2020-06-03 13:31:16 +02:00
Jonas Jensen
8f702d4b49
C++: Override toString on argument indirections
...
Without this override, end users would see the string
`BufferReadSideEffect` in path explanations.
2020-06-03 13:04:10 +02:00
Erik Krogh Kristensen
19dd472ee5
change note
2020-06-03 12:19:48 +02:00
Erik Krogh Kristensen
a1940979ba
support credentials in a Buffer
2020-06-03 12:02:00 +02:00
Erik Krogh Kristensen
ba44ebe8a8
better support for browser based fetch API
2020-06-03 11:51:24 +02:00
Erik Krogh Kristensen
3622fb8716
support more variants of the Headers API
2020-06-03 11:50:10 +02:00
Anders Schack-Mulligen
a969dbc6ca
Java: Fix missing CFG edge for switch expressions.
2020-06-03 10:49:08 +02:00
Anders Schack-Mulligen
8d6e39eb18
Java: Add instanceof type bounds for ArrayAccess.
2020-06-03 09:42:37 +02:00
Mathias Vorreiter Pedersen
b890b162f4
C++: Restrict the side effect of StoreChainEndInstructionSideEffect to be WriteSideEffectInstructions
2020-06-03 09:28:06 +02:00
Esben Sparre Andreasen
afee864295
JS: make use of the collections type tracking steps
2020-06-03 08:19:34 +02:00
Esben Sparre Andreasen
36b7574ac1
JS: add additional route handler registration tests
2020-06-03 08:18:11 +02:00
Esben Sparre Andreasen
117f009d17
JS: use HTTP::RouteHandlerCandidateContainer in Express
2020-06-03 08:18:11 +02:00
Esben Sparre Andreasen
9964902c10
JS: introduce HTTP::RouteHandlerCandidateContainer
2020-06-03 08:16:58 +02:00
Esben Sparre Andreasen
606f8274c7
JS: add tests for various route handler registration patterns
2020-06-03 08:16:58 +02:00
Robert Marsh
f7752b0a01
C++/C#: add IRParameter subclass of IRVariable
2020-06-02 17:22:10 -07:00
Erik Krogh Kristensen
3c802007a3
add support for string concatenations and base64-encoding of hardcoded credentials
2020-06-02 23:15:13 +02:00
Erik Krogh Kristensen
b6dc94fccb
add fetch.Headers.Authorization as a CredentialsExpr
2020-06-02 23:02:16 +02:00
Erik Krogh Kristensen
14f0d1687a
factor fetch import into NodeJSLib
2020-06-02 22:45:47 +02:00
Asger Feldthaus
8342981799
JS: Make isCoercedToBoolean private
2020-06-02 17:16:55 +01:00
Jonas Jensen
10dfa497a5
Merge remote-tracking branch 'upstream/master' into dataflow-indirect-args
...
Fixed a semantic merge conflict by accepting test changes in
`cpp/ql/test/library-tests/dataflow/fields/ir-path-flow.expected`.
2020-06-02 18:03:34 +02:00
Jonas Jensen
9c50acc0f9
Merge pull request #3602 from MathiasVP/path-problem-for-dataflow-tests
...
C++: Make path-problem versions of ir-flow.ql and flow.ql
2020-06-02 17:59:26 +02:00
Asger Feldthaus
8a38633639
JS: Handle exec() == undefined
2020-06-02 16:52:07 +01:00
Asger Feldthaus
7d5384b723
JS: Autoformat
2020-06-02 16:38:40 +01:00
Asger Feldthaus
945db4d86c
JS: Fix test output
2020-06-02 16:38:21 +01:00
Philip Ginsbach
8b3dd6dec4
Merge pull request #3572 from ginsbach/typeunions
...
introduce type unions in the handbook
2020-06-02 16:31:36 +01:00
Mathias Vorreiter Pedersen
2a1ba6d592
C++: Share configurations in testcases
2020-06-02 16:50:57 +02:00
Mathias Vorreiter Pedersen
b9af1123d9
C++: Make path-problem versions of ir-flow.ql and flow.ql
2020-06-02 16:28:01 +02:00
Jonas Jensen
771fd0b1cc
C++: Fixup wording
2020-06-02 15:46:34 +02:00
Jonas Jensen
5f0d283212
Merge remote-tracking branch 'upstream/master' into dataflow-indirect-args
...
The conflicts came from how `this` is now a parameter but not a
`Parameter` on `master`.
Conflicts:
cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowUtil.qll
cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/defaulttainttracking.cpp
cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/tainted.expected
cpp/ql/test/library-tests/dataflow/DefaultTaintTracking/test_diff.expected
cpp/ql/test/library-tests/dataflow/dataflow-tests/dataflow-ir-consistency.expected
cpp/ql/test/library-tests/dataflow/fields/ir-flow.expected
cpp/ql/test/library-tests/syntax-zoo/dataflow-ir-consistency.expected
2020-06-02 15:35:02 +02:00
Tom Hvitved
1e8b7ed367
C#: Avoid multiple taint-tracking configurations
...
The taint-tracking configuration in `ExposureOfPrivateInformation.ql`
overlaps with the XSS taint-tracking configuration, as witnessed by this import chain:
```
semmle.code.csharp.security.dataflow.ExposureOfPrivateInformation.qll imports
semmle.code.csharp.security.dataflow.flowsinks.ExternalLocationSink imports
semmle.code.csharp.security.dataflow.flowsinks.Remote imports
semmle.code.csharp.security.dataflow.XSS
```
(The same for `CleartextStorage.qll` and `LogForging.ql`.)
The fix is to use `TaintTracking2` for the XSS configuration.
2020-06-02 14:42:35 +02:00
Mathias Vorreiter Pedersen
ce34d91a07
C++: Add more QLDoc to StoreNode and LoadNode classes, and related predicates. I also simplified the code a bit by moving common implementations of predicates into shared super classes. Finally, I added a getLocation predicate to StoreNode to match the structure of the LoadNode class.
2020-06-02 13:50:00 +02:00
semmle-qlci
e7800d4695
Merge pull request #3415 from esbena/js/membershiptest
...
Approved by asgerf
2020-06-02 11:36:51 +01:00
Calum Grant
b099f13f55
Merge pull request #3514 from hvitved/csharp/remove-more-deprecated
...
C#: Remove more deprecated classes and predicates
2020-06-02 10:35:14 +01:00
Mathias Vorreiter Pedersen
e17b486195
Merge pull request #3593 from rdmarsh2/rdmarsh/cpp/add-qldoc-2
...
C++: Add QLDoc for AST classes up to Include.qll
2020-06-02 10:23:23 +02:00
Robert
a0ee41306a
Update cpp/ql/src/codeql-suites/slow-queries.yml
...
Co-authored-by: Robert Marsh <rdmarsh2@gmail.com>
2020-06-02 09:22:23 +01:00
Esben Sparre Andreasen
f9ed64fc45
Merge branch 'master' into js/membershiptest
2020-06-02 08:54:44 +02:00