Robert Marsh
a126154dfb
C++: use -1 for this in dataflow Position
2022-01-07 11:39:26 -05:00
Robert Marsh
1890a14026
C++: IPA for pointer arg instead of negative index
This takes advantage of the new ArgumentPosition and ParameterPosition
types in the shared DataFlow library interface to represent indirections
with an IPA type rather than the negative-index system in use previously
2022-01-07 11:39:26 -05:00
Robert Marsh
4f23cce63b
C++: Accept more test output
2022-01-07 11:27:45 -05:00
Michael Nebel
23b8444348
C#: Cleanup C# source code file and add a test case for namespace declarations.
2022-01-07 16:04:43 +01:00
Michael Nebel
b8f6d17bc1
C#: Add test for file scoped namespace.
2022-01-07 16:04:43 +01:00
Michael Nebel
a6d847b532
C#: Make support for FileScoped namespace declaration in the extractor.
2022-01-07 16:04:43 +01:00
Erik Krogh Kristensen
bb94c42a35
explicit this
Co-authored-by: Taus <tausbn@github.com>
2022-01-07 15:22:21 +01:00
Mathias Vorreiter Pedersen
4ee653378e
Merge pull request #7517 from MathiasVP/avoid-self-joins-in-toctou-query
C++: Remove bad self joins in `cpp/toctou-race-condition`.
2022-01-07 13:08:30 +00:00
Michael Nebel
94c1a489e0
Merge pull request #7507 from michaelnebel/csharp-libdataflow-cleanup
C#: Refactor and cleanup LibraryTypeDataFlow
2022-01-07 13:16:08 +01:00
Michael Nebel
17219eff61
Merge pull request #7530 from github/workflow/coverage/update
Update CSV framework coverage reports
2022-01-07 13:15:49 +01:00
Michael Nebel
929f6ca578
C#: Address review comments.
2022-01-07 10:26:33 +01:00
Michael Nebel
d3368dcc23
C#: Remove the LibraryTypeDataFlow file as the remaining code is dead.
2022-01-07 10:26:32 +01:00
Michael Nebel
9b47249f6a
C#: Migrate the legacy clearContent flow summaries to the new framework.
2022-01-07 10:26:32 +01:00
Michael Nebel
fd317c2e7b
C#: Move RecordConstructorFlow.
2022-01-07 10:26:32 +01:00
Michael Nebel
fb950848c7
C#: Remove unused case, when converting SummaryComponent stacks.
2022-01-07 10:26:32 +01:00
Michael Nebel
5a0e6ed8e6
C#: Remove unused predicates in CallableFlowSource and subclasses.
2022-01-07 10:26:32 +01:00
Michael Nebel
19914aba89
C#: Remove CallableFlowSink.
2022-01-07 10:26:32 +01:00
Michael Nebel
ed4d09bc8b
C#: Remove unneeded imports.
2022-01-07 10:26:32 +01:00
Michael Nebel
d042c4b3e4
C#: Remove unused type, class and module AccessPath.
2022-01-07 10:26:32 +01:00
Michael Nebel
d5768bf4ed
C#: Remove more empty predicates.
2022-01-07 10:26:31 +01:00
Michael Nebel
a6b79926b2
C#: Remove unused predicate toCallableFlowSink.
2022-01-07 10:26:31 +01:00
Michael Nebel
ecc9593f00
C#: Remove the unused predicate callable flow.
2022-01-07 10:26:31 +01:00
Michael Nebel
c52787c741
C#: Move the declaration of synthetic fields to where they are needed.
2022-01-07 10:26:31 +01:00
Michael Nebel
608aba7cff
C#: Delete empty predicate requiresAccessPath.
2022-01-07 10:26:31 +01:00
Felicity Chapman
ad82523b91
Apply suggestions from code review
2022-01-07 08:49:37 +00:00
Felicity Chapman
95c9f89b04
Merge branch 'main' into patch-1
2022-01-07 08:49:13 +00:00
github-actions[bot]
efb1cd4f3b
Add changed framework coverage reports
2022-01-07 00:10:30 +00:00
Erik Krogh Kristensen
9afd360731
QL: recognize dependencies of the form: libraryPathDependencies: library-name
2022-01-06 23:35:28 +01:00
Robert Marsh
c6da1f2be0
C++: re-add comment
2022-01-06 12:43:22 -05:00
Robert Marsh
355fc0ae63
C++: Use Guards library in Overflow.qll
Replaces the ad-hoc guard handling with the Guards library. Fixes an
observed false positive pattern, and (hopefully) means some pragmas are
no longer necessary for performance.
2022-01-06 12:15:37 -05:00
Robert Marsh
617bdbc5ba
C++: test for guard-by-return in Overflow.qll
2022-01-06 12:15:37 -05:00
Robert Marsh
d5682f157a
Merge pull request #7525 from MathiasVP/remove-rank-in-ssa-internals
C++: Remove `rank` aggregate in `SsaInternals`
2022-01-06 12:09:57 -05:00
Andrew Eisenberg
6d62227576
Merge pull request #7431 from aeisenberg/aeisenberg/solorigate-publish
Solorigate: Extract to separate qlpack
2022-01-06 08:53:32 -08:00
Mathias Vorreiter Pedersen
173cefd7e4
C++: Respond to PR reviews.
2022-01-06 15:39:40 +00:00
haby0
759ec31508
Delete shutil_path_injection.py file
2022-01-06 21:38:35 +08:00
Michael Nebel
b3cb250ece
Merge pull request #7516 from michaelnebel/csharp/improve-csv-validation
C#: Introduce Csv validation on kind.
2022-01-06 14:31:26 +01:00
Michael Nebel
9cafab1b4c
Merge pull request #7465 from michaelnebel/csharp-stringvalues-csv
C#: Introduce flow summaries for StringValues.
2022-01-06 14:30:29 +01:00
Rasmus Wriedt Larsen
3e1dcc3d11
Merge pull request #7518 from tausbn/python-extend-unreachable-statement-test
Python: Extend unreachable statement test
2022-01-06 14:07:29 +01:00
Mathias Vorreiter Pedersen
671954025d
C++: Fix qldoc.
2022-01-06 11:02:15 +00:00
Asger F
c9fcdb8261
Apply suggestions from code review
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2022-01-06 11:51:27 +01:00
Mathias Vorreiter Pedersen
2f42054f8f
C++: Rename 'hasRankInBlock' to 'hasIndexInBlock' since it's not really a rank computation anymore.
2022-01-06 10:31:05 +00:00
Mathias Vorreiter Pedersen
fdb9fb588c
C++: Remove the rank aggregate from 'SsaInternals.qll'.
2022-01-06 10:30:31 +00:00
haby0
05b0daa0b7
Add the test of shutil module in FileSystemAccess.py
2022-01-06 14:14:42 +08:00
Harry Maclean
43ddc54f2b
Ruby: Add Module#const_get as a code execution
Module#const_get takes a single string argument and interprets it as the
name of a constant. It then looks up the constant and returns its value.
    Object.const_get("Math::PI")
    # => 3.141592653589793
By itself, this method is not as dangerous as e.g. eval, but if the
value returned is a class that is then instantiated, this can allow an
attacker to instantiate arbitrary Ruby classes.
As a result, I think it's safe to say that any remote input flowing into
this call is a potential vulnerability. A real-world example of this is
https://github.com/advisories/GHSA-52p9-v744-mwjj.
2022-01-06 13:03:41 +13:00
Tom Hvitved
ac9cac78bc
Ruby: Fix typo
2022-01-06 12:27:03 +13:00
Tom Hvitved
c3fd272f9b
Ruby: Simplify getValueText logic for StringlikeLiterals
2022-01-06 12:27:03 +13:00
Tom Hvitved
799ec23b0d
Ruby: Generalize ExprChildMapping logic to AstNodes
2022-01-06 12:27:03 +13:00
Tom Hvitved
322f8356dd
Ruby: Include StringComponents in the CFG
2022-01-06 12:27:03 +13:00
Tom Hvitved
301d0bbdf8
Ruby: Restructure test to avoid dead code
2022-01-06 12:27:03 +13:00
Harry Maclean
23f1352953
Add ReDoS test that uses string interpolation
This exercises the support for resolving string interpolations, and is
based on a real vulnerability:
https://github.com/advisories/GHSA-jxhc-q857-3j6g
2022-01-06 12:27:03 +13:00