hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-17 23:43:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
36,554 Commits 1,693 Branches 160 Tags
codeql-cli/v2.9.2
Commit Graph

36554 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Alex Ford
214532516b try to avoid a future merge conflict 2021-06-17 14:41:51 +01:00
Alex Ford
762656ee60 Add QLDoc to ActiveRecord.qll 2021-06-17 14:41:51 +01:00
Alex Ford
12a0af1d28 Tidy up PotentiallyUnsafeSqlExecutingMethodCall characteristic predicate 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2021-06-17 14:39:40 +01:00
Geoffrey White
b4cbe6dce8 C++: Increase query precision to high. 2021-06-17 14:33:17 +01:00
Geoffrey White
b5c71fd1d7 C++: Repair funcion call in a function call. 2021-06-17 14:33:16 +01:00
Geoffrey White
e5147c2a1f C++: Exclude functions that don't involve buffers. 2021-06-17 14:33:16 +01:00
Tony Torralba
1014400a08 Fix test comments 2021-06-17 15:03:45 +02:00
Tony Torralba
3ec2c1308e Add RequestForgerySanitizer 2021-06-17 14:58:27 +02:00
Tony Torralba
0c71393171 Merge branch 'main' into atorralba/promote-unsafe-android-webview-fetch 2021-06-17 14:54:25 +02:00
Tom Hvitved
eca11f1b40 C#: Adjust getQualifiedName for type parameters 2021-06-17 14:47:19 +02:00
Chris Smowton
64001cc02c Merge pull request #5587 from smowton/smowton/admin/promote-ssrf-query 
Promote SSRF query from experimental
 2021-06-17 13:02:33 +01:00
Chris Smowton
d28c95d16c Field foo of -> Field[foo] of 2021-06-17 12:49:25 +01:00
Chris Smowton
74b2a2c7a6 Improve style of interpretField 2021-06-17 12:45:44 +01:00
Geoffrey White
a481e5c292 C++: Exclude template code. 2021-06-17 12:36:14 +01:00
Geoffrey White
8efdf359dc C++: Fix some incorrect uses of 'const' in the tests. 2021-06-17 12:36:13 +01:00
Geoffrey White
3641cdcc1f C++: Add a test case involving an array. 2021-06-17 12:36:09 +01:00
Chris Smowton
5cf0243dd0 Add change note 2021-06-17 12:34:40 +01:00
Chris Smowton
2cc1f46871 Model constructors for (Imm|M)utable(Pair|Triple) 2021-06-17 12:34:40 +01:00
Chris Smowton
fbaa382158 Add tests for Pair.of and Triple.of 2021-06-17 12:34:40 +01:00
Chris Smowton
eebaab8fe9 Order left and right consistently 2021-06-17 12:34:40 +01:00
Chris Smowton
365aab9bd9 Improve matching of Field specifiers; add Field recognition in tests 2021-06-17 12:34:36 +01:00
Geoffrey White
23db21cd90 C++: Test spacing. 2021-06-17 12:33:31 +01:00
Chris Smowton
472a2a64dd Add models for Apache Commons tuples 2021-06-17 12:25:21 +01:00
Chris Smowton
73fa680224 Add support for CSV-specified flow to or from fields. 2021-06-17 12:24:28 +01:00
Geoffrey White
d590952aaa C++: Add a test case involving nested function calls. 2021-06-17 12:23:18 +01:00
Geoffrey White
7632c9edb5 C++: Add test cases involving strings and comparisons. 2021-06-17 12:23:17 +01:00
Geoffrey White
2e236dd2a9 C++: Add a test case involving a harmless assert. 2021-06-17 12:23:17 +01:00
Geoffrey White
dca397dfb1 C++: Add a test case with a template class. 2021-06-17 12:23:16 +01:00
Tamas Vajk
07b83d5dc1 Remove commented code 2021-06-17 13:04:39 +02:00
Tamás Vajk
c532db58fd Apply suggestions from code review 
Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
 2021-06-17 13:04:39 +02:00
Tamas Vajk
e61f725196 Apply code review findings 2021-06-17 13:04:39 +02:00
Tamas Vajk
4abaa7870f Add CSV coverage PR commenter 2021-06-17 13:04:39 +02:00
Tamás Vajk
200126b302 Merge pull request #6008 from github/tamasvajk/feature/csv-coverage-report 
Add timeseries CSV generator script
 2021-06-17 13:03:41 +02:00
Chris Smowton
11b70326fd Add Jakarta WS url-open sink 2021-06-17 11:58:41 +01:00
Chris Smowton
da1e760269 Adjust Spring models to use erased function signatures 2021-06-17 11:43:33 +01:00
Chris Smowton
1176fec287 Improve docs 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-06-17 11:43:33 +01:00
Chris Smowton
09f27554d0 Note incidental extra models in change note 2021-06-17 11:43:33 +01:00
Chris Smowton
7509e36382 Remove no-longer-needed BasicRequestLine model from InsecureBasicAuth.ql; adjust test expectations accordingly 2021-06-17 11:43:33 +01:00
Chris Smowton
c531b81ebe Rename RequestForgery.java -> SanitizationTests.java 2021-06-17 11:43:33 +01:00
Chris Smowton
cb99e17f4d Split and rename JavaNetHttp and ApacheHttp tests for consistency 2021-06-17 11:43:32 +01:00
Chris Smowton
6c4a909b86 Remove dead code from test 2021-06-17 11:43:32 +01:00
Chris Smowton
08ab5f5546 Remove redundant test 2021-06-17 11:43:32 +01:00
Chris Smowton
74569ce316 Tidy Jax-RS test 2021-06-17 11:43:32 +01:00
Chris Smowton
57ca36baad Tidy Spring test 2021-06-17 11:43:32 +01:00
Chris Smowton
8b080a94e7 Convert request forgery tests to inline expectations; add missing models revealed by this process. 2021-06-17 11:43:32 +01:00
Chris Smowton
b66dcbe5b6 Factor request-forgery config so it can be used in an inline-expectations test 2021-06-17 11:43:32 +01:00
Chris Smowton
ee872f1752 Add missing tests, add additional models revealed missing in the process, and add stubs to support them all. 2021-06-17 11:43:32 +01:00
Chris Smowton
49bbfc3f4b Convert SSRF sinks into url-open CSV sinks 
I also drop the previous approach of taint-tracking through various builder objects in favour of assuming that a URI set in a request-builder object is highly likely to end up requested in some way or another.

This will cause the `java/non-https-url` query to pick the new sinks up too, and fixes a Spring case that had never worked but went unnoticed until now.
 2021-06-17 11:43:30 +01:00
Chris Smowton
0f2139ff5d Fix and document one-based argument indexing in StringFormat's getAnArgUsageOffset 2021-06-17 11:41:06 +01:00
Chris Smowton
55c72cebf2 Improve StringBuilder append chain tracking 
Previously this didn't catch the case of constructors chaining directly into appends, like `StringBuilder sb = new StringBuilder("1").append("2")`
 2021-06-17 11:41:06 +01:00