Commit Graph

36554 Commits

Author SHA1 Message Date
Tom Hvitved
498f9b2547 Merge pull request #5848 from hvitved/csharp/trap-key-escape
C#: Escape IDs in TRAP label definitions
2021-05-10 16:13:13 +02:00
Tony Torralba
8553ca1019 Autoformatting 2021-05-10 15:42:20 +02:00
Mathias Vorreiter Pedersen
51d04cb5b3 C++: Correct test annotation. 2021-05-10 15:30:35 +02:00
Mathias Vorreiter Pedersen
c0b65314be C++: Fix false positive by restricting _both_ the old (unconverted) expression _and_ all of the conversions. 2021-05-10 15:18:42 +02:00
Rasmus Wriedt Larsen
c2a6b811fc Python: Add modeling of ujson PyPI package
The problem with `tainted_filelike` not having taint, is that in the call

`ujson.dump(tainted_obj, tainted_filelike)`

there is no PostUpdateNote for `tainted_filelike` :( The reason is that
points-to is not able to resolve the call, so none of the clauses in
`argumentPreUpdateNode` matches

See 08731fc6cf/python/ql/src/semmle/python/dataflow/new/internal/DataFlowPrivate.qll (L101-L111)

Let's deal with that issue in another PR though
2021-05-10 15:10:31 +02:00
Rasmus Wriedt Larsen
72d08f4d6e Python: Model json load/dump 2021-05-10 15:10:30 +02:00
Rasmus Wriedt Larsen
63f28d7d9b Python: Model keyword args to json loads/dumps 2021-05-10 15:10:29 +02:00
Rasmus Wriedt Larsen
784e0cdb96 Python: Improve tests of json module
Inspired by the work on previous commit
2021-05-10 15:10:28 +02:00
Rasmus Wriedt Larsen
3fe9a3d933 Python: Add modeling of simplejson PyPI package
I noticed that we don't handle PostUpdateNote very well in the concept tests,
for example for `json.dump(...)` there _should_ have been an `encodeOutput` as
part of the inline expectations.

I'll work on fixing that up in a separate PR, to keep things clean.
2021-05-10 15:10:27 +02:00
Mathias Vorreiter Pedersen
c7cd75437f C++: Add testcase demonstrating false positive from conversions. 2021-05-10 14:58:33 +02:00
CodeQL CI
a3d17a1437 Merge pull request #5769 from erik-krogh/libXss
Approved by esbena
2021-05-10 05:58:07 -07:00
yoff
78370cf63f Update python/ql/src/experimental/semmle/python/frameworks/Stdlib.qll 2021-05-10 14:53:40 +02:00
Erik Krogh Kristensen
504c34ed2c use shouldPrint to filter out regular expressions from other files 2021-05-10 14:51:13 +02:00
Erik Krogh Kristensen
d6f9e37e39 add printAst.ql support for regular expressions 2021-05-10 13:31:00 +02:00
ihsinme
9e5a38debd Update DeclarationOfVariableWithUnnecessarilyWideScope.expected 2021-05-10 14:17:40 +03:00
Asger Feldthaus
3e5dc1efb7 JS: More robust hasUnderlyingType 2021-05-10 13:17:25 +02:00
ihsinme
d3c6093f37 Update test.c 2021-05-10 14:16:38 +03:00
ihsinme
c8f2937df9 Update DeclarationOfVariableWithUnnecessarilyWideScope.ql 2021-05-10 14:16:11 +03:00
Tom Hvitved
7f1f2b4dd3 C#: Fix GetHashCode/Equals on EscapingTextWriter 2021-05-10 13:05:51 +02:00
Alex Denisov
dcdd54593e C++: Adjust user-defined literals test' expectations 2021-05-10 13:03:40 +02:00
Alex Ford
2154b7df30 add doc for IntegerLiteral.getValue 2021-05-10 11:02:48 +01:00
Alex Ford
48add9ffbc remove internal import in rb/overly-permissive-file 2021-05-10 11:00:59 +01:00
Max Schaefer
8f91e9eba0 JavaScript: Model chaining calls in sqlite3. 2021-05-10 10:58:58 +01:00
Rasmus Wriedt Larsen
8afdf26540 Python: Add modeling of idna PyPI package 2021-05-10 11:47:11 +02:00
Tony Torralba
d99b5bfc66 Reuse previous tests from experimental 2021-05-10 11:17:20 +02:00
Asger F
f4e636dcd6 Update javascript/ql/src/semmle/javascript/frameworks/ClassValidator.qll
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2021-05-10 10:08:10 +01:00
CodeQL CI
097b6e5e33 Merge pull request #5794 from erik-krogh/rxPipe
Approved by asgerf
2021-05-10 02:06:34 -07:00
Erik Krogh Kristensen
d913668943 move hasPathWithoutUnmatchedReturn to Configuration.qll 2021-05-10 10:55:33 +02:00
Rasmus Wriedt Larsen
7ed20a8b2c Python: Add reminder to update docs for new frameworks 2021-05-10 10:55:21 +02:00
Erik Krogh Kristensen
b4e35f54d9 fix typo 2021-05-10 10:48:43 +02:00
Erik Krogh Kristensen
646bf99489 rewrite the qhelp to focus more on documenting unsafe functions 2021-05-10 10:48:40 +02:00
Asger Feldthaus
df5eab33f9 JS: Update relevantTaintSource() 2021-05-10 09:43:33 +01:00
CodeQL CI
b1f28afcbd Merge pull request #5741 from asgerf/js/more-cheat-sheet
Approved by erik-krogh
2021-05-10 01:34:56 -07:00
Mathias Vorreiter Pedersen
474b337eeb C++: Add change-note. 2021-05-10 10:22:44 +02:00
Mathias Vorreiter Pedersen
c91ed80e6c C++: Fix false positive by computing range of the converted expression. 2021-05-10 10:12:43 +02:00
Mathias Vorreiter Pedersen
7ac7830973 C++: Add testcase with false positive involving a conversion on the large-expression side of the comparison. 2021-05-10 10:11:31 +02:00
Erik Krogh Kristensen
3fe5dd0f35 add comment about filtering away jQuery from the source 2021-05-10 10:05:18 +02:00
Tony Torralba
c70503142f Require JS enabled even when cross-origin access is enabled in the webviews 2021-05-10 09:45:59 +02:00
Tom Hvitved
8b465e86e0 Merge pull request #5820 from hvitved/csharp/cfg/constructor-same-compilation
C#: Improve CFG for constructors when there are multiple implementations
2021-05-10 09:23:16 +02:00
thank_you
0238e51c10 Add checks for EmbeddedDocument classes
Mongoengine supports EmbeddedDocument documents. We should check for this in our query.
2021-05-09 19:42:40 -04:00
thank_you
07c3e22428 Fix method name to match flask_mongoengine library 2021-05-09 19:23:52 -04:00
jorgectf
8665747316 Update sink and sanitizer to match new naming 2021-05-08 18:08:50 +02:00
Dave Bartolomeo
d9f243d18a Java: Fix QLDoc for Container.toString()
Fixes #5828

The QLDoc was just too specific about the default implementation. I've improved the wording.
2021-05-08 11:14:02 -04:00
Hayk Andriasyan
fd88b72101 Delete JSchOSInjection.qhelp 2021-05-08 12:51:15 +04:00
${sleep,5}
67bc576e30 Delete StdLib.qll 2021-05-07 17:37:02 -04:00
jorgectf
0fc044dfd5 Checkout Stdlib.qll 2021-05-07 23:03:23 +02:00
jorgectf
e7bdc73420 Update .expected 2021-05-07 23:00:21 +02:00
jorgectf
65c6f1976a Rename mongoengine-flask-db-document-subclass 2021-05-07 23:00:08 +02:00
Dave Bartolomeo
773e5f2e2e Merge remote-tracking branch 'upstream/main' into side-effects 2021-05-07 16:50:48 -04:00
Dave Bartolomeo
187e136ecc C++: Generate IR side effects for smart pointer indirections
When inserting side effect instructions for argument indirections, we now insert side effects for smart pointers as we would for raw pointers. The address operand of the side effect instruction is the smart pointer object, which is a bit odd. However, I'd like to think through the design of a more principled solution before doing additional work.

A few new tests are added to the existing IR tests. In addition, the IR tests now `#include` some of the shared STL headers. I've disabled IR dumps for functions from those headers, since they only get in the way of the test cases we intended.
2021-05-07 16:50:03 -04:00