hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-06 18:21:07 +01:00
Code Issues Packages Projects Releases Wiki Activity
34,755 Commits 1,691 Branches 160 Tags
codeql-cli/v2.9.0
Commit Graph

34755 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Harry Maclean
8419daad03 Ruby: Add subclassing support to API Graphs 
Given the code

    class A; end
    class B < A; end
    class C < A; end

You can find uses of B and C with the expression

    API::getTopLevelMember("A").getASubclass()
 2022-01-24 12:21:39 +13:00
luchua-bc
27043a09b3 File path injection with the JFinal framework 2022-01-23 18:07:48 +00:00
Andrew Eisenberg
aee9eb5203 Apply docs fixes 
Co-authored-by: James Fletcher <42464962+jf205@users.noreply.github.com>
 2022-01-21 11:35:15 -08:00
Aditya Sharad
67e3f5edbc Merge pull request #7685 from adityasharad/merge/3.3-3.4 
Merge rc/3.3 into rc/3.4
 2022-01-21 10:49:19 -08:00
Tom Hvitved
85e1cda81b Ruby: Distinguish symbols from strings in ConstantValue 2022-01-21 19:16:12 +01:00
Harry Maclean
8e40899dfd Merge pull request #7419 from github/hmac/const-get 2022-01-22 07:01:09 +13:00
Harry Maclean
2fa18801aa Merge pull request #7665 from github/hmac/barrier-guard-array-const 2022-01-22 06:59:51 +13:00
Geoffrey White
4326e6f706 C++: Split 'gets' model and make it a local source. 2022-01-21 17:29:49 +00:00
Geoffrey White
79735f5ac5 C++: Add test case. 2022-01-21 17:29:48 +00:00
Tony Torralba
78d7e538a5 Remove some JNDI Injection sinks 
Add tests and stubs
 2022-01-21 17:47:15 +01:00
Henry Mercer
c41de33156 Merge pull request #7700 from github/henrymercer/js-atm-fix-xss-results-pattern 
JS: Fix copy/paste error in XSS ML-powered queries results patterns
 2022-01-21 16:18:33 +00:00
Geoffrey White
0b98397e9b C++: Catch another encryption clue. 2022-01-21 16:16:16 +00:00
Geoffrey White
97447d0b3a C++: Expand tests. 2022-01-21 16:16:15 +00:00
Tony Torralba
4df0f399cd Move ContentProvider models to the appropriate file 2022-01-21 16:55:43 +01:00
Tony Torralba
c6dd7ddf7a Fix stub 2022-01-21 16:55:43 +01:00
Tony Torralba
4f253590f1 Fix method name in LocalDatabaseOpenMethodAccess 2022-01-21 16:55:43 +01:00
Tony Torralba
652a1d2dc2 Fix wrongly resolved rebase conflicts 2022-01-21 16:55:43 +01:00
Tony Torralba
5cf664411b Remove unneeded nonSuspicious values 2022-01-21 16:55:43 +01:00
Tony Torralba
baa1f71a53 Add QLDoc 2022-01-21 16:55:43 +01:00
Tony Torralba
4e4f619ae4 Update java/ql/lib/semmle/code/java/security/CleartextStorageAndroidDatabaseQuery.qll 
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-01-21 16:55:43 +01:00
Tony Torralba
c5ed5fcaac Apply suggestions from code review 
Co-authored-by: Ethan Palm <56270045+ethanpalm@users.noreply.github.com>
 2022-01-21 16:55:42 +01:00
Tony Torralba
ee84dae164 Fix predicate name 2022-01-21 16:55:42 +01:00
Tony Torralba
16b61f78e6 Fix QLDocs and the qhelp example 2022-01-21 16:55:42 +01:00
Tony Torralba
f0604e2e84 Added query for Cleartext Storage in Android Database 2022-01-21 16:55:42 +01:00
Henry Mercer
84907f91f1 JS: Fix copy/paste error in XSS ML-powered queries results patterns 
We didn’t catch this because our unit tests test only library code due
to the previous difficulty of running queries with an ML model (the ML
models in packs work should fix that), and because the end-to-end
evaluation runs separate queries that have different result patterns.

Going forward we should create unit tests for the queries themselves,
which will require using the ML model in tests. We should also be able
to catch this type of error using DCA.
 2022-01-21 15:17:52 +00:00
Mathias Vorreiter Pedersen
48064c1c8f C++: Fix false positive. 2022-01-21 15:16:02 +00:00
Mathias Vorreiter Pedersen
7c8c2090f7 C++: Add real-world false positive from the 'cpp/return-stack-allocated-memory' query. 2022-01-21 15:14:18 +00:00
Mathias Vorreiter Pedersen
117795c409 Merge pull request #7682 from MathiasVP/rewrite-return-stack-allocated-memory-to-use-ir 
C++: Use the IR for `cpp/return-stack-allocated-memory`.
 2022-01-21 14:57:30 +00:00
yoff
a77a6ec864 Merge pull request #7684 from erik-krogh/patches 
small refactorizations across CodeQL
 2022-01-21 15:04:14 +01:00
Tom Hvitved
9d89cace95 Merge pull request #7643 from michaelnebel/csharp/struct-improvements 
C#: Struct (and to a minor extent anonymous types) improvements
 2022-01-21 14:51:26 +01:00
Anders Schack-Mulligen
5f7ee337cd Java: Use more set literal syntax. 2022-01-21 13:58:27 +01:00
Anders Schack-Mulligen
41d294229d Java: Add support for bitwise compound assignments in Guards. 2022-01-21 13:56:07 +01:00
Rasmus Lerchedahl Petersen
9aa4c4a6a7 python: Add missing input 
also update test expectation
 2022-01-21 13:55:33 +01:00
Rasmus Lerchedahl Petersen
41908cbf9f python: add missing qldoc 2022-01-21 13:55:08 +01:00
Tony Torralba
1eaa379bb7 Merge pull request #7681 from atorralba/atorralba/improve-android-implicit-intents-query 
Java: Improvements to the Android query Use of implicit PendingIntents
 2022-01-21 13:46:17 +01:00
Rasmus Lerchedahl Petersen
49d4b1480d python: Do not remove ChainedConfigs12.qll 
since it was clearly already used.
Add deprecation message instead.
 2022-01-21 12:27:29 +01:00
Rasmus Lerchedahl Petersen
35c9307baa python: rewrite NoSQLInjection to use flow state 
This allows a bit more precision. Specifically, we could
 require the sanitizer to only affect `ConvertedToDict`.
 In practice, most sanitizers woudl probably fail on raw
 input also, though.
 2022-01-21 12:12:58 +01:00
Tony Torralba
c7e1df5689 Update java/ql/src/Security/CWE/CWE-927/ImplicitPendingIntents.qhelp 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2022-01-21 11:57:11 +01:00
Erik Krogh Kristensen
a235f8f023 remove redundant inline type casts 2022-01-21 11:46:33 +01:00
Erik Krogh Kristensen
b75c316c27 fix non-us spelling 2022-01-21 11:46:33 +01:00
Erik Krogh Kristensen
f500bccbe4 add explicit this to member call 2022-01-21 11:46:33 +01:00
Erik Krogh Kristensen
ddfc3bc00f use set literals instead of big disjunctions 2022-01-21 11:46:33 +01:00
Tom Hvitved
55f427ca0e Ruby: Use multiple threads in QL test CI job 2022-01-21 11:46:08 +01:00
Benjamin Muskalla
830c2dc90a Merge pull request #7603 from bmuskalla/commonsIoModel 
Java: Replace Commons IO model
 2022-01-21 11:42:27 +01:00
yoff
5b9ae9cede Merge pull request #7659 from RasmusWL/move-regex-injection-files 
Python: Move regex injection configuration files
 2022-01-21 11:42:06 +01:00
Tony Torralba
0846d1f7b6 Merge pull request #7691 from atorralba/atorralba/fix-recursion-entrypointfieldstep 
Java: Fix recursion in `entrypointFieldStep`
 2022-01-21 11:37:58 +01:00
Tony Torralba
3f6e035016 Docs improvements 2022-01-21 11:37:02 +01:00
yoff
4fd0ada9a8 Merge pull request #7652 from RasmusWL/cleartext-remove-fps 
Python: Remove usernames as sensitive source for cleartext queries
 2022-01-21 11:30:40 +01:00
Erik Krogh Kristensen
f9d5cbf017 update qhelp 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2022-01-21 11:26:58 +01:00
Tony Torralba
d22632ef78 Fix recursion in entrypointFieldStep 
When using local taint tracking to define a RemoteFlowSource, a recursion was created because entrypointFieldStep adds new RemoteFlowSources and was a local taint step. This is fixed by converting entrypointFieldStep into a defaultAdditionalTaintStep instead of a localAdditionalTaintStep, i.e. it will only affect global taint tracking from now on.
 2022-01-21 10:48:13 +01:00