hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-18 16:03:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
36,554 Commits 1,692 Branches 160 Tags
codeql-cli/v2.9.2
Commit Graph

36554 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Rasmus Wriedt Larsen
dee93783a2 Python: Update .expected for py/weak-sensitive-data-hashing 
Now there is a path from the _imports_ of the functions that would
return sensitive data, so we produce more alerts.

I'm not entirely happy about this "double reporting", but I'm not sure
how to get around it without either:

1. disabling the extra taint-step for calls. Not ideal since we would
   loose good sources.
2. disabling the extra sources based on function name. Not ideal since
   we would loose good sources.
3. disabling the extra sources based on function name, for those calls
   that would be handled with the extra taint-step for calls. Not ideal
   since that would require running the data-flow query initially to
   prune these out :|

So for now, I think the best approach is to accept some risk on this,
and ship to learn :)
 2021-06-11 13:56:55 +02:00
Arthur Baars
88fb3c7097 Merge pull request #203 from github/aibaars/pack-qhelp-samples 
Query pack: include .rb and .erb sample files from queries directory
 2021-06-11 13:50:17 +02:00
Arthur Baars
909e6d5a62 Query pack: include .rb and .erb sample files from queries directory 
These are required by the qhelp files.
 2021-06-11 13:42:43 +02:00
Anders Schack-Mulligen
f24565738b Merge pull request #6029 from atorralba/atorralba/tainted-key-read-steps 
Java: Add Map key-read-steps as local additional taint steps
 2021-06-11 13:14:18 +02:00
Joe Farebrother
dc19d1db35 Add change note 2021-06-11 11:41:30 +01:00
Joe Farebrother
04ffe80366 Add unit tests 2021-06-11 11:41:27 +01:00
Joe Farebrother
153e0c4ac3 Add modelling for more com.google.common.base methods 2021-06-11 11:40:37 +01:00
Rasmus Wriedt Larsen
df67028a1d Python: Model aiohttp.StreamReader 2021-06-11 12:06:53 +02:00
Arthur Baars
78a6ed43c3 Merge pull request #202 from github/aibaars-patch-2 
HardCodedCredentials: fix query metadata comment
 2021-06-11 12:05:44 +02:00
Tony Torralba
c828c7031f Add change note 2021-06-11 12:04:11 +02:00
Rasmus Wriedt Larsen
2d31ef7016 Python: Fix last TODOs in aiohttp tests 2021-06-11 12:00:02 +02:00
Arthur Baars
661d6e8e38 HardCodedCredentials: fix query metadata comment 2021-06-11 11:59:46 +02:00
Rasmus Wriedt Larsen
64a0e3fd0a Merge branch 'main' into aiohttp-modeling 2021-06-11 11:42:24 +02:00
Rasmus Wriedt Larsen
8b8e1334cc Python: Fix syntax error 2021-06-11 11:42:14 +02:00
Rasmus Wriedt Larsen
46f7a2b572 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2021-06-11 11:28:11 +02:00
Rasmus Wriedt Larsen
6f29b01abc Python: Model rsa 2021-06-11 11:23:06 +02:00
Rasmus Wriedt Larsen
40714c05b7 Python: Add tests for rsa PyPI package 2021-06-11 11:17:13 +02:00
Rasmus Wriedt Larsen
3d5f379b8c Merge branch 'main' into sensitive-improvements 2021-06-11 10:48:20 +02:00
John L. Singleton
cd61fb4753 this should be abstract 2021-06-10 19:54:58 -04:00
John L. Singleton
219dc71ae6 changlog entry 2021-06-10 17:15:06 -04:00
John L. Singleton
2a01324172 more maintainable pattern for class abstractions 2021-06-10 17:09:32 -04:00
Calum Grant
a594afb828 Add security-severity metadata 2021-06-10 20:11:08 +01:00
Erik Krogh Kristensen
50d574d20d add graphql injection to the sql-injection query 2021-06-10 21:01:54 +02:00
Tom Hvitved
8860b8adf0 Merge pull request #198 from github/hvitved/desugar-compound-assignment 2021-06-10 19:39:54 +02:00
John L. Singleton
bd7c416356 comment change 2021-06-10 11:21:11 -04:00
John L. Singleton
0d3f53b013 Changes to structure per feedback of @jbj 2021-06-10 11:16:58 -04:00
Alex Ford
f74dff560b Merge pull request #187 from github/hardcoded-credentials 
Add rb/hardcoded-credentials query
 2021-06-10 16:12:32 +01:00
Taus
e7b9603c5b Merge pull request #6053 from RasmusWL/fix-tests 
Python: Fix tests
 2021-06-10 16:55:45 +02:00
Alex Ford
8839d4c584 limit additional flow steps in rb/hardcoded-credentials to string concatenation 2021-06-10 14:59:28 +01:00
Rasmus Wriedt Larsen
dd457f9641 Python: Fix tests 2021-06-10 15:58:56 +02:00
Alex Ford
fe45dadd55 set precision to high for rb/hardcoded-credentials 2021-06-10 14:52:26 +01:00
John L. Singleton
f174d7a0e0 Comment changes 2021-06-10 09:52:22 -04:00
John L. Singleton
14c419a75f autoformatting 2021-06-10 09:39:43 -04:00
CodeQL CI
a241c114da Merge pull request #5836 from RasmusWL/ec-class-improvement 
Approved by tausbn
 2021-06-10 06:20:56 -07:00
Rasmus Wriedt Larsen
04db33513e Merge branch 'main' into sensitive-improvements 2021-06-10 15:11:09 +02:00
Rasmus Wriedt Larsen
ea0c1d7db3 Python: Better handling of sensitive functions 
This solution was the best I could come up with, but it _is_ a bit
brittle since you need to remember to add this additional taint step
to any configuration that relies on sensitive data sources... I don't
see an easy way around this though :|
 2021-06-10 15:08:21 +02:00
Tamas Vajk
916780a452 Fix codeql CLI path 2021-06-10 15:07:54 +02:00
Rasmus Wriedt Larsen
f167143a84 Python: Use real config in TestSensitiveDataSources 
This will enable better tests in just one second
 2021-06-10 15:01:31 +02:00
Rasmus Wriedt Larsen
c341643ec1 Python: Add more tests for sensitive function handling 2021-06-10 14:36:05 +02:00
Owen Mansel-Chan
e0130a932e Update experimental query using NewCookie 2021-06-10 13:33:20 +01:00
Owen Mansel-Chan
c173b89529 Model NewCookie 2021-06-10 13:32:39 +01:00
Owen Mansel-Chan
ee6019a2d8 Fix tests for experimental httponly query 2021-06-10 13:31:28 +01:00
Rasmus Wriedt Larsen
eb4f168dd4 Python: Clarify SensitiveAttributeAccess 
The comment about imports was placed wrong. I also realized we didn't
even have a single test-case for
`this.(DataFlow::AttrRead).getAttributeNameExpr() = sensitiveLookupStringConst(classification)`
so I added that (notice that this is only `getattr(foo, x)` and not
`getattr(foo, "password")`)
 2021-06-10 14:09:47 +02:00
Owen Mansel-Chan
d5d27d5ccf Duplicate tests for Jakarta 2021-06-10 10:43:40 +01:00
Owen Mansel-Chan
0ad35421f2 Comment out stubs (Jakarta) 2021-06-10 10:43:40 +01:00
Owen Mansel-Chan
318d1ea484 Stubs in javax-ws-rs-api-3.0.0 
Generated using java-autostub
 2021-06-10 10:43:39 +01:00
Owen Mansel-Chan
e6a6a8898b Move Jax XSS sinks to JaxWS.qll and add tests 2021-06-10 10:43:39 +01:00
Owen Mansel-Chan
d1fe62d4d5 (Minor) Update comments to match ExternalFlow docs 2021-06-10 10:43:38 +01:00
Owen Mansel-Chan
1ae9d68409 Move and convert URL redirect sinks 
Adds for them as well
 2021-06-10 10:43:37 +01:00
Owen Mansel-Chan
f2ff2aa3e1 Add flow tests for JAX-RS 2021-06-10 10:43:37 +01:00