hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-16 23:13:43 +01:00
Code Issues Packages Projects Releases Wiki Activity
36,554 Commits 1,692 Branches 160 Tags
codeql-cli/v2.9.2
Commit Graph

36554 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rasmus Wriedt Larsen
075953860b Merge branch 'main' into markupsafe-modeling 2021-06-30 13:55:08 +02:00
Anders Schack-Mulligen
f03d460e95 Java: Fix bad join-order. 2021-06-30 13:42:45 +02:00
Tamas Vajk
dc63f23d6b Fix review findings 2021-06-30 13:40:36 +02:00
Tamas Vajk
6a35c8c5f4 Upgrade database in coverage report jobs 2021-06-30 13:40:36 +02:00
Chris Smowton
7f556de8a0 Resolve now-fixed spurious XSS results 2021-06-30 12:04:22 +01:00
Chris Smowton
c37ecb7102 Fix existing JaxRs tests 
* Expose getContentTypeString for use by tests
* Use it to get constant arguments to @Produces annotations
* Note that text/html is xss-vulnerable (I have no idea how it ever came to expect exactly text/plain)
 2021-06-30 12:04:21 +01:00
Chris Smowton
52471b292a Add change note 2021-06-30 12:04:21 +01:00
Chris Smowton
856046ce50 Jax-RS: implement content-type tracking 
This follows content-type specifications across Variant-related functions and the ResponseBuilder class in order to sanitize or sink entities as appropriate.
 2021-06-30 12:04:21 +01:00
Chris Smowton
10714211c6 Add utility functions definining XSS-vulnerable content-types 2021-06-30 12:04:21 +01:00
Chris Smowton
450eebcd40 JaxWS: Pull out MediaType constant interpretation routine 
Also extend the routine slightly to expose multiple content types given with array notation
 2021-06-30 12:04:20 +01:00
Chris Smowton
3e7ea34054 XSS: expose extension point for defining barrier sinks 2021-06-30 12:04:20 +01:00
Tamás Vajk
10a6089739 Merge pull request #6148 from tamasvajk/feature/try-csv-source-models 
C#: Start using CSV based flow models
 2021-06-30 12:58:42 +02:00
Tony Torralba
a3e1b139c3 Fix spring stubs location 2021-06-30 12:56:45 +02:00
Tony Torralba
0bb9e464b2 Merge branch 'main' into atorralba/spring-beans 2021-06-30 12:55:10 +02:00
Rasmus Lerchedahl Petersen
72986e1e28 Python: Add some comments on the booelan sweep 
pattern
 2021-06-30 12:50:36 +02:00
Rasmus Lerchedahl Petersen
4ca0ee87f0 Merge branch 'main' of github.com:github/codeql into python-port-ReDoS 2021-06-30 12:28:54 +02:00
Rasmus Lerchedahl Petersen
52d91917aa Merge branch 'python-port-ReDoS' of github.com:yoff/codeql into python-port-ReDoS 2021-06-30 12:25:59 +02:00
Rasmus Lerchedahl Petersen
09e71cfdfd Python: update test expectations 2021-06-30 12:25:29 +02:00
Rasmus Lerchedahl Petersen
6dfbf80494 Python: Disable use of toUnicode 
until supporting CLI is released
 2021-06-30 12:21:52 +02:00
Rasmus Wriedt Larsen
e5d65992b4 Python: Use DefinitionNode instead of Assign 
Based on https://github.com/github/codeql/pull/6155#discussion_r660964666:

> Hmm... Would it be better to do this using DefinitionNode instead of
> Assign? The latter is fairly limited in what it can represent, and also
> raises questions of whether this definition is sound with regard to
> control-flow splitting.
 2021-06-30 12:08:32 +02:00
yoff
c19522e921 Apply suggestions from code review 
Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>
 2021-06-30 11:49:45 +02:00
Tamas Vajk
0946ae2ae9 Fix review findings 2021-06-30 11:39:51 +02:00
Anders Schack-Mulligen
e235e151f1 Java: Fix bad magic. 2021-06-30 11:09:08 +02:00
Geoffrey White
4a8299e5d0 C++: Change note. 2021-06-30 09:21:10 +01:00
Tony Torralba
9d64cadb50 Adapt tests after applying changes from code review 2021-06-30 10:02:03 +02:00
Tony Torralba
b64b8ecec2 Apply suggestions from code review 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-06-30 09:52:22 +02:00
Anders Schack-Mulligen
374859efb4 Merge pull request #6156 from smowton/smowton/feature/jax-rs-content-type-sensitivity 
Jax RS XSS Tests
 2021-06-30 09:52:07 +02:00
Tamás Vajk
a0e768bb43 Merge pull request #6172 from tamasvajk/fix/csv-comment-again 
Fix CSV framework coverage commenter workflow
 2021-06-30 09:10:47 +02:00
Tom Hvitved
22dd53f245 Merge pull request #6167 from hvitved/csharp/trap-stack-preprocessor-conditions 
C#: Add active preprocessor conditions as suffix in all TRAP `.push` instructions
 2021-06-30 08:34:47 +02:00
thank_you
0be2c6b765 Add SQLEscapySanitizerCall class 2021-06-29 19:39:46 -04:00
thank_you
986f2f4302 Add SQLEscape module 2021-06-29 19:39:26 -04:00
jorgectf
d475d52c76 Add partial modeling 2021-06-30 00:59:40 +02:00
jorgectf
c3b3bde35d Add XMLParser concept 2021-06-30 00:59:17 +02:00
jorgectf
b9fa57f518 Move tests to test/ 2021-06-30 00:58:58 +02:00
${sleep,5}
2a65917bb5 Merge pull request #1 from RasmusWL/python-use-sqlalchemy 
Minor updates to SQL alchemy PR
 2021-06-29 18:15:44 -04:00
jorgectf
e02a63a27a Delete trivial *_good.py tests 2021-06-29 23:03:41 +02:00
Sauyon Lee
52d1901d6e Adjust validation models to reflect array parameters 2021-06-29 12:01:24 -07:00
Sauyon Lee
52b24118b3 Add tests for Spring validation.Errors 2021-06-29 12:01:23 -07:00
Geoffrey White
dcc7a6360f C++: Simplify a bit and remove two noopts that don't seem to make a difference. 2021-06-29 19:05:13 +01:00
Edoardo Pirovano
8354f66c29 Performance: Improve join order in data flow library 2021-06-29 18:23:22 +01:00
Geoffrey White
5bf7e453e6 C++: Tidy up WrongTypeFormatArguments.ql somewhat. 2021-06-29 16:45:47 +01:00
Geoffrey White
6e49891ed9 C++: Accept Microsoft/non-Microsoft format specifiers on the opposite platform. 2021-06-29 16:45:46 +01:00
Chris Smowton
bb5fefa47f Sync FlowSummaryImpl.qll 2021-06-29 15:59:55 +01:00
Chris Smowton
47ccb19b84 SSV -> CSV everywhere 
While these are semicolon-delimited, we use CSV as a generic term for delimited values
 2021-06-29 15:59:43 +01:00
Chris Smowton
92ab650b7d Use new interpretSpec/2 predicate where appropriate 2021-06-29 15:59:43 +01:00
Chris Smowton
28ab4c083b Make interpretSpec/3 private again 2021-06-29 15:59:43 +01:00
Chris Smowton
c94c69415f Document Content::hasLocationInfo 2021-06-29 15:59:43 +01:00
Chris Smowton
cf7c966ea7 GenerateFlowTestCase: make imports private 2021-06-29 15:59:43 +01:00
Chris Smowton
5a71812001 Adjust import 
Type Content has moved into DataFlowUtil
 2021-06-29 15:59:43 +01:00
Chris Smowton
95b640db20 Resolve missing qldoc errors 
Document some, make some private, and delete the needless modules surrounding the spring models.
 2021-06-29 15:59:43 +01:00