hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-08 03:01:10 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,884 Commits 1,691 Branches 160 Tags
codeql-cli/v2.8.5
Commit Graph

33884 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Tom Hvitved
5183290439 Merge pull request #7315 from hvitved/ruby/inline-flow-test 
Ruby: Add `InlineFlowTest.qll`
 2021-12-07 16:29:34 +01:00
Henry Mercer
322e39446d JS: Autoformat 2021-12-07 14:17:11 +00:00
Henry Mercer
016727d6b6 JS: Fix occasional duplicate body tokens 
0e31439 introduces some occasional duplicate tokens due to duplicate AST
node attributes. The long-term fix is to update `CodeToFeatures.qll`,
but for the short-term, we update the concatenation to concatenate
unique (location, token) pairs.
 2021-12-07 14:16:48 +00:00
Philip Ginsbach
b2c1b55c0c rephrase extensions as aliases 2021-12-07 13:09:25 +00:00
Tom Hvitved
b17a93eaad Merge pull request #7316 from hvitved/ruby/is-private-join 
Ruby: Tweak `Method::isPrivate` join-orders
 2021-12-07 13:58:19 +01:00
Tom Hvitved
4d797d6b3d Merge pull request #7324 from github/hmac/empty-else-cfg 
Ruby: Include empty StmtSequences in CFG
 2021-12-07 13:19:15 +01:00
Philip Ginsbach
da43984ba4 fix dependency cycle by removing superfluous classes 2021-12-07 11:59:04 +00:00
Geoffrey White
b82425a35c C++: Add various new test cases. 2021-12-07 11:58:56 +00:00
Geoffrey White
2d4a2e0d44 C++: Test spacing. 2021-12-07 11:58:06 +00:00
Rasmus Wriedt Larsen
ee23799a59 Merge pull request #7319 from RasmusWL/js-cwe-328 
JS: Tag queries with CWE-328
 2021-12-07 11:40:33 +01:00
Anders Schack-Mulligen
6c739b67fa Merge pull request #7318 from RasmusWL/java-cwe-328 
Java: Tag queries with CWE-328
 2021-12-07 11:39:48 +01:00
Asger Feldthaus
23480b2d8f JS: Remove stray TODO 2021-12-07 10:49:14 +01:00
Asger F
614c80706f Apply suggestions from code review 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2021-12-07 10:48:44 +01:00
Asger Feldthaus
5559681916 JS: Change note 2021-12-07 10:46:18 +01:00
Asger Feldthaus
635ac0a209 JS: Fix perf issue in data flow step generation 2021-12-07 10:46:18 +01:00
Asger Feldthaus
da8e67b7ee JS: Use routing trees to detect deeply tainted req.body 2021-12-07 10:46:18 +01:00
Asger Feldthaus
7492293c5b JS: Add test with route handler indirection 2021-12-07 10:46:18 +01:00
Asger Feldthaus
3cbe94ac0a JS: Add consistency checks to TemplateObjectInjection test 2021-12-07 10:46:18 +01:00
Asger Feldthaus
64db70f3ac JS: Add explicit body-parsers to TemplateObjectInjection test 2021-12-07 10:46:18 +01:00
Asger Feldthaus
8af430d40f JS: Shift line numbers in TemplateObjectInjection test 2021-12-07 10:46:17 +01:00
Asger Feldthaus
5f8ea3965d JS: Do not flag auth endpoints that are immune to Login CSRF 2021-12-07 10:46:17 +01:00
Asger Feldthaus
66b1612e5e JS: Treat non-cookie based auth as CSRF preventer 2021-12-07 10:46:17 +01:00
Asger Feldthaus
b73219392b JS: Improve precision of missing CSRF middleware 2021-12-07 10:46:17 +01:00
Asger Feldthaus
d0e94e655d JS: Exclude error handling from auth calls 2021-12-07 10:46:17 +01:00
Asger Feldthaus
400bf10cc3 JS: Move fastify-specific route handler step into extension point 2021-12-07 10:46:17 +01:00
Asger Feldthaus
71820569e1 JS: Instantiate for Fastify 2021-12-07 10:46:15 +01:00
Asger Feldthaus
cfb9265f0a JS: Add template steps for res.locals.x 2021-12-07 10:44:53 +01:00
Asger Feldthaus
5269933461 JS: Port missing rate limiting query 2021-12-07 10:44:19 +01:00
Asger Feldthaus
389a3c9073 JS: Port CSRF query 2021-12-07 10:43:06 +01:00
Asger Feldthaus
16fa066636 JS: Fix false negative in Mongo model 2021-12-07 10:43:05 +01:00
Asger Feldthaus
3dd5d4d7b4 JS: Instantiate for Express and add tests 2021-12-07 10:43:03 +01:00
Erik Krogh Kristensen
3ebf1e3c13 Add codeql-go sources (894102defd) 2021-12-07 10:42:38 +01:00
Erik Krogh Kristensen
a3d11c61a8 QL: Add codeql-go sources (894102defd) 2021-12-07 10:42:38 +01:00
Erik Krogh Kristensen
d852b28653 Add codeql sources (3c59aa319e) 2021-12-07 10:42:34 +01:00
Erik Krogh Kristensen
44c3787457 QL: Add codeql sources (3c59aa319e) 2021-12-07 10:42:34 +01:00
Asger Feldthaus
aae4260819 JS: Routing model 2021-12-07 10:41:55 +01:00
Asger Feldthaus
e9575c3df6 JS: Support AdditionalUseStep in API graphs 2021-12-07 10:41:52 +01:00
Erik Krogh Kristensen
3c59aa319e Merge pull request #7245 from erik-krogh/explicit-this-all-the-places 
All langs: apply the explicit-this patch to all remaining code
 2021-12-07 10:40:26 +01:00
Taus
7cd9369d91 Python: Autoformat 2021-12-07 09:29:24 +00:00
Taus
33a9f86f54 Python: Change integer in trois.py 2021-12-07 08:54:07 +00:00
Taus
dd33f4f4d2 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-12-07 09:48:53 +01:00
Harry Maclean
6f42153eac Ruby: Include empty StmtSequences in CFG 
Empty StmtSequences appear, for example, in the `else` branch of `if`
statements like the following:

    foo

    if cond
      bar
    else
    end

    baz

Before this change, the CFG for this code would look like this:

        foo
         │
         │
         ▼
        cond
         │
    true │
         ▼
        bar
         │
         │
         ▼
         if
         │
         │
         ▼
        baz

i.e. there is linear flow through the condition, the `then` branch, and
out of the if. This doesn't account for the possibility that the
condition is false and `bar` is not executed. After this change, the CFG
looks like this:

          foo
           │
           │
           ▼
          cond
         │    │
    true │    │ false
         ▼    │
        bar   │
         │    │
         │    │
         ▼    ▼
           if
           │
           │
           ▼
          baz

i.e. we correctly account for the `false` condition.
 2021-12-07 16:01:50 +13:00
Geoffrey White
4e68a4670b Merge pull request #7322 from MathiasVP/fix-performance-of-unused-static-functions 
C++: Fix performance of 'cpp/unused-static-function'.
 2021-12-06 17:30:51 +00:00
Mathias Vorreiter Pedersen
4765772725 C++: Fix performance of 'cpp/unused-static-function'. 2021-12-06 16:41:10 +00:00
Tom Hvitved
243b92b28c C#: Avoid CIL instructions with multiple types 2021-12-06 14:42:41 +01:00
Tom Hvitved
60c0bcf8f7 C#: Include dup instructions in CIL ExprMissingType consistency test 2021-12-06 14:37:07 +01:00
Tom Hvitved
c39fe59a04 C#: Populate UnknownType 2021-12-06 14:09:17 +01:00
Rasmus Wriedt Larsen
7ae1047fda JS: Tag queries with CWE-328 
CWE-328: Use of Weak Hash, see https://cwe.mitre.org/data/definitions/328.html
 2021-12-06 14:02:24 +01:00
Rasmus Wriedt Larsen
ff9ed0d4fb Java: Tag queries with CWE-328 
CWE-328: Use of Weak Hash, see https://cwe.mitre.org/data/definitions/328.html

Since weak hash functions (md5/sha1) are considered for the
`java/weak-cryptographic-algorithm` query. See
caeeebf572/java/ql/lib/semmle/code/java/security/Encryption.qll (L148)

To keep things consistent between `java/weak-cryptographic-algorithm`
and `java/potentially-weak-cryptographic-algorithm`, I also added the
tag to the latter.
 2021-12-06 13:59:00 +01:00
Tom Hvitved
5dbbb86d46 Ruby: Restructure ParameterNode(Impl) 2021-12-06 13:43:19 +01:00