hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-07 18:51:06 +01:00
Code Issues Packages Projects Releases Wiki Activity
34,755 Commits 1,691 Branches 160 Tags
codeql-cli/v2.9.0
Commit Graph

34755 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rasmus Wriedt Larsen
b1bca85162 Python: Add interesting test-case 2021-12-16 22:48:51 +01:00
Rasmus Wriedt Larsen
5a7efd0fee Python: Minor adjustments to QLDoc of HTTP::Client::Request 2021-12-16 22:48:51 +01:00
Erik Krogh Kristensen
2626b0b3dc QL: fix test workflow 2021-12-16 22:26:42 +01:00
Erik Krogh Kristensen
be076dc2c8 add Erik and Taus as QL-for-QL reviewers 2021-12-16 21:47:42 +01:00
Mathias Vorreiter Pedersen
53a1f935b7 C++: Fix join-order in 'HttpStringLiteral' charpred. 2021-12-16 17:12:50 +00:00
Chris Gavin
8fabbd697e Merge pull request #7422 from github/todo-comment-kind 
Add `kind` metadata to example query.
 2021-12-16 16:36:15 +00:00
Chris Smowton
e3b2eed2d2 Merge pull request #7423 from github/atorralba/log4j-CVE-2021-45046 
Java: Cover CVE-2021-45046 in the Log4jJndiInjection query
 2021-12-16 16:00:45 +00:00
Nick Rolfe
dba26a92e9 Merge remote-tracking branch 'origin/main' into nickrolfe/user-controlled-bypass 2021-12-16 15:05:01 +00:00
Erik Krogh Kristensen
8eda061d2f add dbscheme and codeql version to query hash 2021-12-16 15:49:07 +01:00
Tom Hvitved
579b58b8fa Merge pull request #7402 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2021-12-16 15:42:10 +01:00
Arthur Baars
3ef707e358 Address comment 2021-12-16 15:38:41 +01:00
Arthur Baars
cdbd8b27d3 Ruby: SimpleParameter is not an Expr 2021-12-16 15:38:40 +01:00
Rasmus Wriedt Larsen
6ce1524192 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-12-16 15:19:37 +01:00
Chris Gavin
4a1e2ed408 Add a severity and select the correct number of columns. 2021-12-16 14:02:36 +00:00
Tom Hvitved
e9ef53c31b Merge pull request #7390 from hvitved/ruby/deprecate-pattern-classes 
Ruby: Deprecate `Pattern` classes
 2021-12-16 14:36:13 +01:00
Tony Torralba
7d6cba77a0 Add tests 2021-12-16 13:44:01 +01:00
Tony Torralba
2e0ca6ce2b Add stubs 2021-12-16 13:44:01 +01:00
Tony Torralba
7d70b77141 Add new sinks and taint steps 2021-12-16 13:43:58 +01:00
Chris Gavin
407c265daf Add kind metadata to example query. 2021-12-16 12:12:36 +00:00
Michael Nebel
95d175e9e0 Merge pull request #7406 from michaelnebel/csharp-system-threading-csv 
C#: Convert more flow summaries to CSV format.
 2021-12-16 12:56:44 +01:00
Michael Nebel
d777ba8a25 C#: Cleanup private imports in LibraryTypeDataFlow. 2021-12-16 11:24:24 +01:00
Michael Nebel
a26403b359 Convert System.Tuple and friends flow to CSV format. 2021-12-16 11:20:04 +01:00
Asger Feldthaus
0e9c2377e3 JS: Use a field in RouterHandlerParameter 2021-12-16 10:26:35 +01:00
Michael Nebel
348e3b74f3 C#: Convert System.Text.Encoding flow to CSV format. 2021-12-16 10:03:12 +01:00
CodeQL CI
f274f06d9b Merge pull request #7409 from asgerf/js/track-functions-with-methods 
Approved by erik-krogh
 2021-12-16 09:01:42 +00:00
CodeQL CI
acbf7913b2 Merge pull request #7408 from asgerf/js/trusted-types-sinks 
Approved by esbena
 2021-12-16 08:59:51 +00:00
Michael Nebel
a5c055581e C#: Convert System.Runtime.CompilerServices.ConfiguredTaskAwaitable<>.ConfiguredTaskAwaiter flow to CSV format. 2021-12-16 09:36:39 +01:00
Michael Nebel
ddb7d722bc C#: Convert System.Runtime.CompilerServices.TaskAwaiter<> flow to CSV format. 2021-12-16 09:36:39 +01:00
Michael Nebel
bdd44c1c46 C#: Convert System.Runtime.CompilerServices.ConfiguredTaskAwaitable flow to CSV format. 2021-12-16 09:36:39 +01:00
Michael Nebel
034d45ddc0 C#: Convert System.Threading.Tasks.TaskFactory flow to CSV format. 2021-12-16 09:36:39 +01:00
Michael Nebel
440976fe63 C#: Convert System.Threading.Tasks.Task<> flow to CSV format. 2021-12-16 09:36:39 +01:00
Michael Nebel
cde98c7799 C#: Convert System.Threading.Tasks.Task flow to CSV format. 2021-12-16 09:36:39 +01:00
Michael Nebel
90d7b94b8a Merge pull request #7413 from hvitved/csharp/fix-test 
C#: Fix broken `FlowSummariesFiltered` test
 2021-12-16 09:31:33 +01:00
Rasmus Wriedt Larsen
1cc5e54357 Python: Add SSRF queries 
I've added 2 queries:

- one that detects full SSRF, where an attacker can control the full URL,
  which is always bad
- and one for partial SSRF, where an attacker can control parts of an
  URL (such as the path, query parameters, or fragment), which is not a
  big problem in many cases (but might still be exploitable)

full SSRF should run by default, and partial SSRF should not (but makes
it easy to see the other results).

Some elements of the full SSRF queries needs a bit more polishing, like
being able to detect `"https://" + user_input` is in fact controlling
the full URL.
 2021-12-16 01:48:34 +01:00
github-actions[bot]
18489c0ded Add changed framework coverage reports 2021-12-16 00:09:34 +00:00
Dave Bartolomeo
d5ef1cf28d Update docs/change-notes.md 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-12-15 15:58:14 -05:00
Rasmus Wriedt Larsen
579de0c3f0 Python: Remove getResponse and do manual taint steps 2021-12-15 21:55:04 +01:00
Rasmus Wriedt Larsen
f8fc583af3 Python: client request: getUrl => getAUrlPart 
I think `getUrl` is a bit too misleading, since from the name, I would
only ever expect ONE result for one request being made.

`getAUrlPart` captures that there could be multiple results, and that
they might not constitute a whole URl.

Which is the same naming I used when I tried to model this a long time ago
a80860cdc6/python/ql/lib/semmle/python/web/Http.qll (L102-L111)
 2021-12-15 21:55:04 +01:00
Rasmus Wriedt Larsen
6f81685f48 Python: Add modeling of http.client.HTTPResponse 2021-12-15 21:55:04 +01:00
Rasmus Wriedt Larsen
a5bae30d81 Python: Add tests of http.client.HTTPResponse 2021-12-15 20:39:46 +01:00
Tom Hvitved
4ccf9bf67c Address review comments 2021-12-15 19:57:27 +01:00
Henry Mercer
5696146179 Java: Convert telemetry queries to summary metrics 
Use the support for summary metrics with messages that'll be in the next
version of the CodeQL CLI.
 2021-12-15 17:59:01 +00:00
Tom Hvitved
8f1b2b3bb5 C#: Fix broken FlowSummariesFiltered test 2021-12-15 18:32:25 +01:00
Arthur Baars
b53e3499cb Merge pull request #7249 from ShockwaveNN/patch-1 
Fix ruby incorrect version in documentation
 2021-12-15 18:32:24 +01:00
luchua-bc
29ce0e9ef1 Add sanitizer for virtual method calls 2021-12-15 16:19:50 +00:00
Sam Partington
db7b3bc136 Remove experimental tag from non-ATM queries 2021-12-15 16:17:14 +00:00
Asger Feldthaus
53b3581ed0 JS: Add test to stress flow through properties 2021-12-15 17:16:56 +01:00
Tony Torralba
6dfe0ce7c5 Adapt chage note to new format 2021-12-15 16:57:20 +01:00
Tony Torralba
f0e9b768f2 Apply suggestions from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2021-12-15 16:53:47 +01:00
Tony Torralba
65b6c16254 Fix stub after merge 2021-12-15 16:53:47 +01:00