Anders Schack-Mulligen
30cb80b341
Merge pull request #5181 from smowton/smowton/feature/commons-tostringbuilder
Java: Add models for Commons ToStringBuilder
2021-06-04 12:30:36 +02:00
Rasmus Wriedt Larsen
350f79e1e1
Python: Model sensitive data based on variable names
2021-06-04 11:28:07 +02:00
Rasmus Wriedt Larsen
f5fd0f8d1c
Python: Model sensitive data based on parameter names
2021-06-04 11:28:07 +02:00
Rasmus Wriedt Larsen
925e67d734
Python: Model sensitive data from subscripts
2021-06-04 11:28:07 +02:00
Rasmus Wriedt Larsen
d6532e280a
Python: minor cleanup in SensitiveDataSources
2021-06-04 11:28:07 +02:00
Rasmus Wriedt Larsen
00a71a1c41
Python: Port sensitive data modeling
No longer using points-to 🎉
2021-06-04 11:28:07 +02:00
Tom Hvitved
6678ac0347
Desugar compound assignments
2021-06-04 10:39:06 +02:00
Tom Hvitved
da9adfbab4
Improve performance of desugaring transformations
2021-06-04 10:34:00 +02:00
Tom Hvitved
57eee0368d
Add CFG tests for compound assignments
2021-06-04 10:34:00 +02:00
Tom Hvitved
dfcf4c90ab
Merge pull request #199 from github/hvitved/splat-expr
Rename `(Hash)SplatArgument` to `(Hash)SplatExpr` and make them `UnaryOperation`s
2021-06-04 10:33:42 +02:00
Tamás Vajk
8d7f8a5bab
Merge pull request #5997 from tamasvajk/fix/colliding-method-ids
C#: Base IDs for constructed methods on their unconstructed counterparts
2021-06-04 10:29:53 +02:00
Tamás Vajk
63c6ddd426
Merge pull request #6000 from tamasvajk/feature/extract-non-public-symbols
C#: Change compilation settings to include all non-public symbols
2021-06-04 10:28:55 +02:00
Tom Hvitved
1007f2aaff
Rename (Hash)SplatArgument to (Hash)SplatExpr and make them UnaryOperations
2021-06-04 10:04:06 +02:00
Tom Hvitved
372f8645a9
Add (hash)splat AST tests
2021-06-04 09:53:14 +02:00
Tony Torralba
58aa25ddc2
Fix QLDocs
2021-06-04 09:32:00 +02:00
yo-h
8d879facf7
Merge pull request #5988 from github/AlonaHlobina-patch-1
Update versions-compilers.rst
2021-06-03 13:56:28 -04:00
yo-h
c0aadcf8ba
Update docs/codeql/support/reusables/versions-compilers.rst
2021-06-03 13:49:57 -04:00
Nick Rolfe
8b987757c6
Merge upgrades qlpack into ql/src
2021-06-03 18:28:20 +01:00
Tom Hvitved
2094aa983a
Merge pull request #194 from github/hvitved/desugar-child
2021-06-03 18:07:33 +02:00
Mathias Vorreiter Pedersen
d450aa2ce4
C++: Add some testcases that require path sensitivity.
2021-06-03 18:02:29 +02:00
Marcono1234
6003b6edd2
Java: Adjust change note for statement toString() changes
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2021-06-03 17:17:00 +02:00
Marcono1234
485b0be805
Java: Fix expected test output
2021-06-03 17:15:00 +02:00
Arthur Baars
03ef1261d3
Merge pull request #192 from github/aibaars/release-workflow
Build workflow: create release
2021-06-03 16:52:50 +02:00
Marcono1234
2889f94128
Java: Add change note for statement toString() changes
2021-06-03 16:27:37 +02:00
Marcono1234
e0a45507f8
Java: Adjust toString() for statements
2021-06-03 16:27:36 +02:00
Marcono1234
7e778bc008
Java: Override toString() for statements
Additionally remove redundant QLDoc which is inherited anyways.
2021-06-03 16:27:35 +02:00
Anders Schack-Mulligen
bd9e3d0fa9
Merge pull request #5751 from aschackmull/java/collection-flow
Java: Convert all collection and array steps from taint flow to value flow.
2021-06-03 15:29:14 +02:00
Tom Hvitved
908e9ff3b5
Include desugared node in AstDesugar.ql
2021-06-03 14:46:32 +02:00
Tom Hvitved
cc02c95092
C#: Sync files
2021-06-03 13:54:51 +02:00
Tom Hvitved
d0b6808299
Java: Move common CSV logic for sources and sinks into shared library
2021-06-03 13:54:51 +02:00
Rasmus Wriedt Larsen
3b68c87b6c
Python: Add sensitive data test-cases
2021-06-03 13:38:29 +02:00
Tamas Vajk
1ce7c631ff
Fix failing tests
2021-06-03 13:01:42 +02:00
Erik Krogh Kristensen
d30f53a21a
add change note
2021-06-03 12:35:39 +02:00
Erik Krogh Kristensen
608a0314df
add location reads from the history libary as client-side remote flow
2021-06-03 12:33:25 +02:00
Erik Krogh Kristensen
e543c6c665
add a js/client-side-unvalidated-url-redirection sink for the history library
2021-06-03 12:23:05 +02:00
Rasmus Wriedt Larsen
79bef11cf7
Python: Use "new" SensitiveDataHeuristics
2021-06-03 12:10:29 +02:00
Tamas Vajk
793e3db085
C#: Change compilation settings to include all non-public symbols
2021-06-03 11:54:05 +02:00
Rasmus Wriedt Larsen
e9acea8643
Python: Improve multidict modeling
2021-06-03 11:50:49 +02:00
Rasmus Wriedt Larsen
2e851cd5f0
Python: Improve yarl.URL modeling
2021-06-03 11:38:15 +02:00
Rasmus Wriedt Larsen
9372e3b284
Python: Add aiohttp.web change-note
2021-06-03 11:23:28 +02:00
Tamas Vajk
5a3a011b8e
Fix test results
2021-06-03 11:17:01 +02:00
Tom Hvitved
3d60c146ad
C#: Base IDs for constructed methods on their unconstructed counterparts
2021-06-03 11:11:32 +02:00
Tamas Vajk
d044b15533
C#: Add colliding method ID tests
2021-06-03 11:11:32 +02:00
Tony Torralba
56a429a5f9
Merge branch 'main' into promote-jexl-injection
2021-06-03 11:10:56 +02:00
Tony Torralba
607dcd4a27
Don't use CSV models for private flow configs
2021-06-03 11:05:13 +02:00
Rasmus Wriedt Larsen
3c47e583d8
Python: Add test for missing data-flow step in aiohttp.web
2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
2dbbf52903
Python: Model HTTP responses in aiohttp.web
2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
735df4597f
Python: Aiohttp add response tests
2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
5d4140d3e2
Python: Handle more complicated route-setup in aiohttp
Since we want to be able to easily select request-handlers that are not
set up as part of a view-class, we need to be able to easily identify
those. To handle cases like the one below, we _can't_ just define these
to be all the async functions that are not methods on a class :(
```py
# imports/app setup added so the excerpt runs stand-alone
from aiohttp import web

app = web.Application()

# see https://docs.aiohttp.org/en/stable/web_quickstart.html#organizing-handlers-in-classes
class MyCustomHandlerClass:
    async def foo_handler(self, request):  # $ MISSING: requestHandler
        return web.Response(text="MyCustomHandlerClass.foo")

my_custom_handler = MyCustomHandlerClass()
app.router.add_get("/MyCustomHandlerClass/foo", my_custom_handler.foo_handler)  # $ routeSetup="/MyCustomHandlerClass/foo"
```
So it seemed easiest to narrow down the route-setups, but that means we
want both refinement and extensibility... so `::Range` pattern to the
rescue 🎉
The important piece of code that still works after this commit, but
which hasn't been changed, is the one below:
```codeql
/**
 * A parameter that will receive a `aiohttp.web.Request` instance when a request
 * handler is invoked.
 */
class AiohttpRequestHandlerRequestParam extends Request::InstanceSource, RemoteFlowSource::Range,
  DataFlow::ParameterNode {
  AiohttpRequestHandlerRequestParam() {
    exists(Function requestHandler |
      requestHandler = any(AiohttpCoroutineRouteSetup setup).getARequestHandler() and
```
2021-06-03 10:55:34 +02:00
Rasmus Wriedt Larsen
919a0b6b84
Python: aiohttp route setup is more complicated than expected
2021-06-03 10:55:34 +02:00