mirror of
https://github.com/github/codeql.git
synced 2026-07-07 12:35:33 +02:00
Compare commits
28 Commits
codeql-cli
...
max-schaef
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
35ce1ff582 | ||
|
|
6685ed328a | ||
|
|
28bedda5ea | ||
|
|
9d719aa44e | ||
|
|
68f2501bf0 | ||
|
|
5ffb773568 | ||
|
|
0ad338f04a | ||
|
|
96d6e8e3f2 | ||
|
|
3cd06b0026 | ||
|
|
62a9ffd277 | ||
|
|
80506f1028 | ||
|
|
62a992473f | ||
|
|
2bf4c32433 | ||
|
|
2399793c8a | ||
|
|
24e779b826 | ||
|
|
cf0173acad | ||
|
|
d15c60ba76 | ||
|
|
c6ff42986d | ||
|
|
990c40c8c8 | ||
|
|
6108f787dd | ||
|
|
0509c0fdf3 | ||
|
|
89867d6214 | ||
|
|
8c818a8657 | ||
|
|
883bd9f3b3 | ||
|
|
cea87a53e0 | ||
|
|
33f83a2089 | ||
|
|
e5b17af9b5 | ||
|
|
b860b21ced |
2
.github/dependabot.yml
vendored
2
.github/dependabot.yml
vendored
@@ -25,7 +25,7 @@ updates:
|
||||
allow:
|
||||
- dependency-name: "golang.org/x/mod"
|
||||
- dependency-name: "golang.org/x/tools"
|
||||
group:
|
||||
groups:
|
||||
extractor-dependencies:
|
||||
patterns:
|
||||
- "golang.org/x/*"
|
||||
|
||||
@@ -1,10 +1,3 @@
|
||||
## 0.10.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
|
||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
||||
|
||||
## 0.10.0
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
## 0.10.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted the deprecated `AnalysedString` class, use the new name `AnalyzedString`.
|
||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.10.1
|
||||
lastReleaseVersion: 0.10.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-all
|
||||
version: 0.10.1
|
||||
version: 0.10.1-dev
|
||||
groups: cpp
|
||||
dbscheme: semmlecode.cpp.dbscheme
|
||||
extractor: cpp
|
||||
|
||||
@@ -1,11 +1,3 @@
|
||||
## 0.8.1
|
||||
|
||||
### New Queries
|
||||
|
||||
* The query `cpp/redundant-null-check-simple` has been promoted to Code Scanning. The query finds cases where a pointer is compared to null after it has already been dereferenced. Such comparisons likely indicate a bug at the place where the pointer is dereferenced, or where the pointer is compared to null.
|
||||
|
||||
Note: This query was incorrectly noted as being promoted to Code Scanning in CodeQL version 2.14.6.
|
||||
|
||||
## 0.8.0
|
||||
|
||||
### Query Metadata Changes
|
||||
|
||||
@@ -1,7 +1,6 @@
|
||||
## 0.8.1
|
||||
|
||||
### New Queries
|
||||
|
||||
---
|
||||
category: newQuery
|
||||
---
|
||||
* The query `cpp/redundant-null-check-simple` has been promoted to Code Scanning. The query finds cases where a pointer is compared to null after it has already been dereferenced. Such comparisons likely indicate a bug at the place where the pointer is dereferenced, or where the pointer is compared to null.
|
||||
|
||||
Note: This query was incorrectly noted as being promoted to Code Scanning in CodeQL version 2.14.6.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.8.1
|
||||
lastReleaseVersion: 0.8.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/cpp-queries
|
||||
version: 0.8.1
|
||||
version: 0.8.1-dev
|
||||
groups:
|
||||
- cpp
|
||||
- queries
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 1.7.1
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.0
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 1.7.1
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.1
|
||||
lastReleaseVersion: 1.7.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-all
|
||||
version: 1.7.1
|
||||
version: 1.7.1-dev
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 1.7.1
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 1.7.0
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 1.7.1
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 1.7.1
|
||||
lastReleaseVersion: 1.7.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-solorigate-queries
|
||||
version: 1.7.1
|
||||
version: 1.7.1-dev
|
||||
groups:
|
||||
- csharp
|
||||
- solorigate
|
||||
|
||||
@@ -1,9 +1,3 @@
|
||||
## 0.8.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
||||
|
||||
## 0.8.0
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
## 0.8.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.8.1
|
||||
lastReleaseVersion: 0.8.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-all
|
||||
version: 0.8.1
|
||||
version: 0.8.1-dev
|
||||
groups: csharp
|
||||
dbscheme: semmlecode.csharp.dbscheme
|
||||
extractor: csharp
|
||||
|
||||
@@ -1,9 +1,3 @@
|
||||
## 0.8.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The `cs/web/insecure-direct-object-reference` and `cs/web/missing-function-level-access-control` have been improved to better recognize attributes on generic classes.
|
||||
|
||||
## 0.8.0
|
||||
|
||||
### New Queries
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
## 0.8.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The `cs/web/insecure-direct-object-reference` and `cs/web/missing-function-level-access-control` have been improved to better recognize attributes on generic classes.
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The `cs/web/insecure-direct-object-reference` and `cs/web/missing-function-level-access-control` have been improved to better recognize attributes on generic classes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.8.1
|
||||
lastReleaseVersion: 0.8.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/csharp-queries
|
||||
version: 0.8.1
|
||||
version: 0.8.1-dev
|
||||
groups:
|
||||
- csharp
|
||||
- queries
|
||||
|
||||
@@ -1,11 +1,3 @@
|
||||
## 0.7.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
||||
* Support has been added for file system access sinks in the following libraries: [net/http](https://pkg.go.dev/net/http), [Afero](https://github.com/spf13/afero), [beego](https://pkg.go.dev/github.com/astaxie/beego), [Echo](https://pkg.go.dev/github.com/labstack/echo), [Fiber](https://github.com/kataras/iris), [Gin](https://pkg.go.dev/github.com/gin-gonic/gin), [Iris](https://github.com/kataras/iris).
|
||||
* Added `GoKit.qll` to `go.qll` enabling the GoKit framework by default
|
||||
|
||||
## 0.7.0
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added `GoKit.qll` to `go.qll` enabling the GoKit framework by default
|
||||
@@ -1,7 +1,4 @@
|
||||
## 0.7.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
||||
* Support has been added for file system access sinks in the following libraries: [net/http](https://pkg.go.dev/net/http), [Afero](https://github.com/spf13/afero), [beego](https://pkg.go.dev/github.com/astaxie/beego), [Echo](https://pkg.go.dev/github.com/labstack/echo), [Fiber](https://github.com/kataras/iris), [Gin](https://pkg.go.dev/github.com/gin-gonic/gin), [Iris](https://github.com/kataras/iris).
|
||||
* Added `GoKit.qll` to `go.qll` enabling the GoKit framework by default
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Support has been added for file system access sinks in the following libraries: [net/http](https://pkg.go.dev/net/http), [Afero](https://github.com/spf13/afero), [beego](https://pkg.go.dev/github.com/astaxie/beego), [Echo](https://pkg.go.dev/github.com/labstack/echo), [Fiber](https://github.com/kataras/iris), [Gin](https://pkg.go.dev/github.com/gin-gonic/gin), [Iris](https://github.com/kataras/iris).
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.7.1
|
||||
lastReleaseVersion: 0.7.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-all
|
||||
version: 0.7.1
|
||||
version: 0.7.1-dev
|
||||
groups: go
|
||||
dbscheme: go.dbscheme
|
||||
extractor: go
|
||||
|
||||
@@ -1,9 +1,3 @@
|
||||
## 0.7.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The query "Incorrect conversion between integer types" (`go/incorrect-integer-conversion`) has been improved. It can now detect parsing an unsigned integer type (like `uint32`) and converting it to the signed integer type of the same size (like `int32`), which may lead to more results. It also treats `int` and `uint` more carefully, which may lead to more results or fewer incorrect results.
|
||||
|
||||
## 0.7.0
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
## 0.7.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The query "Incorrect conversion between integer types" (`go/incorrect-integer-conversion`) has been improved. It can now detect parsing an unsigned integer type (like `uint32`) and converting it to the signed integer type of the same size (like `int32`), which may lead to more results. It also treats `int` and `uint` more carefully, which may lead to more results or fewer incorrect results.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.7.1
|
||||
lastReleaseVersion: 0.7.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/go-queries
|
||||
version: 0.7.1
|
||||
version: 0.7.1-dev
|
||||
groups:
|
||||
- go
|
||||
- queries
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 0.0.6
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.0.5
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.0.6
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.0.6
|
||||
lastReleaseVersion: 0.0.5
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-automodel-queries
|
||||
version: 0.0.6
|
||||
version: 0.0.6-dev
|
||||
groups:
|
||||
- java
|
||||
- automodel
|
||||
|
||||
@@ -1,41 +1,3 @@
|
||||
## 0.8.1
|
||||
|
||||
### New Features
|
||||
|
||||
* Added predicate `MemberRefExpr::getReceiverExpr`
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The `isBarrier`, `isBarrierIn`, `isBarrierOut`, and `isAdditionalFlowStep` methods of the taint-tracking configurations for local queries in the `ArithmeticTaintedLocalQuery`, `ExternallyControlledFormatStringLocalQuery`, `ImproperValidationOfArrayIndexQuery`, `NumericCastTaintedQuery`, `ResponseSplittingLocalQuery`, `SqlTaintedLocalQuery`, and `XssLocalQuery` libraries have been changed to match their remote counterpart configurations.
|
||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
||||
* Deleted the deprecated `getAValue` predicate from the `Annotation` class.
|
||||
* Deleted the deprecated alias `FloatingPointLiteral`, use `FloatLiteral` instead.
|
||||
* Deleted the deprecated `getASuppressedWarningLiteral` predicate from the `SuppressWarningsAnnotation` class.
|
||||
* Deleted the deprecated `getATargetExpression` predicate form the `TargetAnnotation` class.
|
||||
* Deleted the deprecated `getRetentionPolicyExpression` predicate from the `RetentionAnnotation` class.
|
||||
* Deleted the deprecated `conditionCheck` predicate from `Preconditions.qll`.
|
||||
* Deleted the deprecated `semmle.code.java.security.performance` folder, use `semmle.code.java.security.regexp` instead.
|
||||
* Deleted the deprecated `ExternalAPI` class from `ExternalApi.qll`, use `ExternalApi` instead.
|
||||
* Modified the `EnvInput` class in `semmle.code.java.dataflow.FlowSources` to include `environment` and `file` source nodes.
|
||||
There are no changes to results unless you add source models using the `environment` or `file` source kinds.
|
||||
* Added `environment` source models for the following methods:
|
||||
* `java.lang.System#getenv`
|
||||
* `java.lang.System#getProperties`
|
||||
* `java.lang.System#getProperty`
|
||||
* `java.util.Properties#get`
|
||||
* `java.util.Properties#getProperty`
|
||||
* Added `file` source models for the following methods:
|
||||
* the `java.io.FileInputStream` constructor
|
||||
* `hudson.FilePath#newInputStreamDenyingSymlinkAsNeeded`
|
||||
* `hudson.FilePath#openInputStream`
|
||||
* `hudson.FilePath#read`
|
||||
* `hudson.FilePath#readFromOffset`
|
||||
* `hudson.FilePath#readToString`
|
||||
* Modified the `DatabaseInput` class in `semmle.code.java.dataflow.FlowSources` to include `database` source nodes.
|
||||
There are no changes to results unless you add source models using the `database` source kind.
|
||||
* Added `database` source models for the following method:
|
||||
* `java.sql.ResultSet#getString`
|
||||
|
||||
## 0.8.0
|
||||
|
||||
### New Features
|
||||
|
||||
@@ -0,0 +1,22 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Modified the `EnvInput` class in `semmle.code.java.dataflow.FlowSources` to include `environment` and `file` source nodes.
|
||||
There are no changes to results unless you add source models using the `environment` or `file` source kinds.
|
||||
* Added `environment` source models for the following methods:
|
||||
* `java.lang.System#getenv`
|
||||
* `java.lang.System#getProperties`
|
||||
* `java.lang.System#getProperty`
|
||||
* `java.util.Properties#get`
|
||||
* `java.util.Properties#getProperty`
|
||||
* Added `file` source models for the following methods:
|
||||
* the `java.io.FileInputStream` constructor
|
||||
* `hudson.FilePath#newInputStreamDenyingSymlinkAsNeeded`
|
||||
* `hudson.FilePath#openInputStream`
|
||||
* `hudson.FilePath#read`
|
||||
* `hudson.FilePath#readFromOffset`
|
||||
* `hudson.FilePath#readToString`
|
||||
* Modified the `DatabaseInput` class in `semmle.code.java.dataflow.FlowSources` to include `database` source nodes.
|
||||
There are no changes to results unless you add source models using the `database` source kind.
|
||||
* Added `database` source models for the following method:
|
||||
* `java.sql.ResultSet#getString`
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: feature
|
||||
---
|
||||
* Added predicate `MemberRefExpr::getReceiverExpr`
|
||||
12
java/ql/lib/change-notes/2023-10-09-outdated-deprecations.md
Normal file
12
java/ql/lib/change-notes/2023-10-09-outdated-deprecations.md
Normal file
@@ -0,0 +1,12 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
||||
* Deleted the deprecated `getAValue` predicate from the `Annotation` class.
|
||||
* Deleted the deprecated alias `FloatingPointLiteral`, use `FloatLiteral` instead.
|
||||
* Deleted the deprecated `getASuppressedWarningLiteral` predicate from the `SuppressWarningsAnnotation` class.
|
||||
* Deleted the deprecated `getATargetExpression` predicate form the `TargetAnnotation` class.
|
||||
* Deleted the deprecated `getRetentionPolicyExpression` predicate from the `RetentionAnnotation` class.
|
||||
* Deleted the deprecated `conditionCheck` predicate from `Preconditions.qll`.
|
||||
* Deleted the deprecated `semmle.code.java.security.performance` folder, use `semmle.code.java.security.regexp` instead.
|
||||
* Deleted the deprecated `ExternalAPI` class from `ExternalApi.qll`, use `ExternalApi` instead.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The `isBarrier`, `isBarrierIn`, `isBarrierOut`, and `isAdditionalFlowStep` methods of the taint-tracking configurations for local queries in the `ArithmeticTaintedLocalQuery`, `ExternallyControlledFormatStringLocalQuery`, `ImproperValidationOfArrayIndexQuery`, `NumericCastTaintedQuery`, `ResponseSplittingLocalQuery`, `SqlTaintedLocalQuery`, and `XssLocalQuery` libraries have been changed to match their remote counterpart configurations.
|
||||
8
java/ql/lib/change-notes/2023-10-17-new-models.md
Normal file
8
java/ql/lib/change-notes/2023-10-17-new-models.md
Normal file
@@ -0,0 +1,8 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added models for the following packages:
|
||||
|
||||
* com.alibaba.fastjson2
|
||||
* javax.management
|
||||
* org.apache.http.client.utils
|
||||
@@ -1,37 +0,0 @@
|
||||
## 0.8.1
|
||||
|
||||
### New Features
|
||||
|
||||
* Added predicate `MemberRefExpr::getReceiverExpr`
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The `isBarrier`, `isBarrierIn`, `isBarrierOut`, and `isAdditionalFlowStep` methods of the taint-tracking configurations for local queries in the `ArithmeticTaintedLocalQuery`, `ExternallyControlledFormatStringLocalQuery`, `ImproperValidationOfArrayIndexQuery`, `NumericCastTaintedQuery`, `ResponseSplittingLocalQuery`, `SqlTaintedLocalQuery`, and `XssLocalQuery` libraries have been changed to match their remote counterpart configurations.
|
||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
||||
* Deleted the deprecated `getAValue` predicate from the `Annotation` class.
|
||||
* Deleted the deprecated alias `FloatingPointLiteral`, use `FloatLiteral` instead.
|
||||
* Deleted the deprecated `getASuppressedWarningLiteral` predicate from the `SuppressWarningsAnnotation` class.
|
||||
* Deleted the deprecated `getATargetExpression` predicate form the `TargetAnnotation` class.
|
||||
* Deleted the deprecated `getRetentionPolicyExpression` predicate from the `RetentionAnnotation` class.
|
||||
* Deleted the deprecated `conditionCheck` predicate from `Preconditions.qll`.
|
||||
* Deleted the deprecated `semmle.code.java.security.performance` folder, use `semmle.code.java.security.regexp` instead.
|
||||
* Deleted the deprecated `ExternalAPI` class from `ExternalApi.qll`, use `ExternalApi` instead.
|
||||
* Modified the `EnvInput` class in `semmle.code.java.dataflow.FlowSources` to include `environment` and `file` source nodes.
|
||||
There are no changes to results unless you add source models using the `environment` or `file` source kinds.
|
||||
* Added `environment` source models for the following methods:
|
||||
* `java.lang.System#getenv`
|
||||
* `java.lang.System#getProperties`
|
||||
* `java.lang.System#getProperty`
|
||||
* `java.util.Properties#get`
|
||||
* `java.util.Properties#getProperty`
|
||||
* Added `file` source models for the following methods:
|
||||
* the `java.io.FileInputStream` constructor
|
||||
* `hudson.FilePath#newInputStreamDenyingSymlinkAsNeeded`
|
||||
* `hudson.FilePath#openInputStream`
|
||||
* `hudson.FilePath#read`
|
||||
* `hudson.FilePath#readFromOffset`
|
||||
* `hudson.FilePath#readToString`
|
||||
* Modified the `DatabaseInput` class in `semmle.code.java.dataflow.FlowSources` to include `database` source nodes.
|
||||
There are no changes to results unless you add source models using the `database` source kind.
|
||||
* Added `database` source models for the following method:
|
||||
* `java.sql.ResultSet#getString`
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.8.1
|
||||
lastReleaseVersion: 0.8.0
|
||||
|
||||
6
java/ql/lib/ext/com.alibaba.fastjson2.model.yml
Normal file
6
java/ql/lib/ext/com.alibaba.fastjson2.model.yml
Normal file
@@ -0,0 +1,6 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: summaryModel
|
||||
data:
|
||||
- ["com.alibaba.fastjson2", "JSON", False, "parseArray", "(String,Class)", "", "Argument[0]", "ReturnValue.Element", "taint", "ai-manual"]
|
||||
6
java/ql/lib/ext/javax.management.model.yml
Normal file
6
java/ql/lib/ext/javax.management.model.yml
Normal file
@@ -0,0 +1,6 @@
|
||||
extensions:
|
||||
- addsTo:
|
||||
pack: codeql/java-all
|
||||
extensible: summaryModel
|
||||
data:
|
||||
- ["javax.management", "ObjectName", True, "ObjectName", "(String)", "", "Argument[0]", "Argument[this]", "taint", "ai-manual"]
|
||||
@@ -10,6 +10,7 @@ extensions:
|
||||
- ["org.apache.http.client.utils", "URIBuilder", True, "setHost", "(String)", "", "Argument[0]", "ReturnValue", "taint", "ai-manual"]
|
||||
- ["org.apache.http.client.utils", "URIBuilder", True, "setPath", "(String)", "", "Argument[0]", "Argument[this].SyntheticField[org.apache.http.client.utils.URIBuilder.path]", "taint", "ai-manual"]
|
||||
- ["org.apache.http.client.utils", "URIBuilder", True, "setPathSegments", "(List)", "", "Argument[0]", "Argument[this].SyntheticField[org.apache.http.client.utils.URIBuilder.path]", "taint", "ai-manual"]
|
||||
- ["org.apache.http.client.utils", "URIBuilder", True, "setPort", "(int)", "", "Argument[this]", "ReturnValue", "value", "ai-manual"]
|
||||
- ["org.apache.http.client.utils", "URLEncodedUtils", True, "parse", "(URI,String)", "", "Argument[0]", "ReturnValue.Element", "taint", "ai-manual"]
|
||||
- ["org.apache.http.client.utils", "URIUtils", True, "createURI", "(String,String,int,String,String,String)", "", "Argument[1]", "ReturnValue", "taint", "hq-manual"]
|
||||
- ["org.apache.http.client.utils", "URIUtils", True, "extractHost", "(URI)", "", "Argument[0]", "ReturnValue", "taint", "hq-manual"]
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-all
|
||||
version: 0.8.1
|
||||
version: 0.8.1-dev
|
||||
groups: java
|
||||
dbscheme: config/semmlecode.dbscheme
|
||||
extractor: java
|
||||
|
||||
@@ -1,9 +1,3 @@
|
||||
## 0.8.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.
|
||||
|
||||
## 0.8.0
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
## 0.8.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Most data flow queries that track flow from *remote* flow sources now use the current *threat model* configuration instead. This doesn't lead to any changes in the produced alerts (as the default configuration is *remote* flow sources) unless the threat model configuration is changed.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.8.1
|
||||
lastReleaseVersion: 0.8.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/java-queries
|
||||
version: 0.8.1
|
||||
version: 0.8.1-dev
|
||||
groups:
|
||||
- java
|
||||
- queries
|
||||
|
||||
@@ -1,21 +1,3 @@
|
||||
## 0.8.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The contents of `.jsp` files are now extracted, and any `<script>` tags inside these files will be parsed as JavaScript.
|
||||
* [Import attributes](https://github.com/tc39/proposal-import-attributes) are now supported in JavaScript code.
|
||||
Note that import attributes are an evolution of an earlier proposal called "import assertions", which were implemented in TypeScript 4.5.
|
||||
The QL library includes new predicates named `getImportAttributes()` that should be used in favor of the now deprecated `getImportAssertion()`;
|
||||
in addition, the `getImportAttributes()` method of the `DynamicImportExpr` has been renamed to `getImportOptions()`.
|
||||
* Deleted the deprecated `getAnImmediateUse`, `getAUse`, `getARhs`, and `getAValueReachingRhs` predicates from the `API::Node` class.
|
||||
* Deleted the deprecated `mayReferToParameter` predicate from `DataFlow::Node`.
|
||||
* Deleted the deprecated `getStaticMethod` and `getAStaticMethod` predicates from `DataFlow::ClassNode`.
|
||||
* Deleted the deprecated `isLibaryFile` predicate from `ClassifyFiles.qll`, use `isLibraryFile` instead.
|
||||
* Deleted many library models that were build on the AST. Use the new models that are build on the dataflow library instead.
|
||||
* Deleted the deprecated `semmle.javascript.security.performance` folder, use `semmle.javascript.security.regexp` instead.
|
||||
* Tagged template literals have been added to `DataFlow::CallNode`. This allows the analysis to find flow into functions called with a tagged template literal,
|
||||
and the arguments to a tagged template literal are part of the API-graph in `ApiGraphs.qll`.
|
||||
|
||||
## 0.8.0
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -0,0 +1,5 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Tagged template literals have been added to `DataFlow::CallNode`. This allows the analysis to find flow into functions called with a tagged template literal,
|
||||
and the arguments to a tagged template literal are part of the API-graph in `ApiGraphs.qll`.
|
||||
@@ -0,0 +1,9 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted the deprecated `getAnImmediateUse`, `getAUse`, `getARhs`, and `getAValueReachingRhs` predicates from the `API::Node` class.
|
||||
* Deleted the deprecated `mayReferToParameter` predicate from `DataFlow::Node`.
|
||||
* Deleted the deprecated `getStaticMethod` and `getAStaticMethod` predicates from `DataFlow::ClassNode`.
|
||||
* Deleted the deprecated `isLibaryFile` predicate from `ClassifyFiles.qll`, use `isLibraryFile` instead.
|
||||
* Deleted many library models that were build on the AST. Use the new models that are build on the dataflow library instead.
|
||||
* Deleted the deprecated `semmle.javascript.security.performance` folder, use `semmle.javascript.security.regexp` instead.
|
||||
@@ -0,0 +1,7 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* [Import attributes](https://github.com/tc39/proposal-import-attributes) are now supported in JavaScript code.
|
||||
Note that import attributes are an evolution of an earlier proposal called "import assertions", which were implemented in TypeScript 4.5.
|
||||
The QL library includes new predicates named `getImportAttributes()` that should be used in favor of the now deprecated `getImportAssertion()`;
|
||||
in addition, the `getImportAttributes()` method of the `DynamicImportExpr` has been renamed to `getImportOptions()`.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* The contents of `.jsp` files are now extracted, and any `<script>` tags inside these files will be parsed as JavaScript.
|
||||
@@ -1,17 +0,0 @@
|
||||
## 0.8.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* The contents of `.jsp` files are now extracted, and any `<script>` tags inside these files will be parsed as JavaScript.
|
||||
* [Import attributes](https://github.com/tc39/proposal-import-attributes) are now supported in JavaScript code.
|
||||
Note that import attributes are an evolution of an earlier proposal called "import assertions", which were implemented in TypeScript 4.5.
|
||||
The QL library includes new predicates named `getImportAttributes()` that should be used in favor of the now deprecated `getImportAssertion()`;
|
||||
in addition, the `getImportAttributes()` method of the `DynamicImportExpr` has been renamed to `getImportOptions()`.
|
||||
* Deleted the deprecated `getAnImmediateUse`, `getAUse`, `getARhs`, and `getAValueReachingRhs` predicates from the `API::Node` class.
|
||||
* Deleted the deprecated `mayReferToParameter` predicate from `DataFlow::Node`.
|
||||
* Deleted the deprecated `getStaticMethod` and `getAStaticMethod` predicates from `DataFlow::ClassNode`.
|
||||
* Deleted the deprecated `isLibaryFile` predicate from `ClassifyFiles.qll`, use `isLibraryFile` instead.
|
||||
* Deleted many library models that were build on the AST. Use the new models that are build on the dataflow library instead.
|
||||
* Deleted the deprecated `semmle.javascript.security.performance` folder, use `semmle.javascript.security.regexp` instead.
|
||||
* Tagged template literals have been added to `DataFlow::CallNode`. This allows the analysis to find flow into functions called with a tagged template literal,
|
||||
and the arguments to a tagged template literal are part of the API-graph in `ApiGraphs.qll`.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.8.1
|
||||
lastReleaseVersion: 0.8.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/javascript-all
|
||||
version: 0.8.1
|
||||
version: 0.8.1-dev
|
||||
groups: javascript
|
||||
dbscheme: semmlecode.javascript.dbscheme
|
||||
extractor: javascript
|
||||
|
||||
@@ -1047,29 +1047,185 @@ deprecated module RegExpPatterns {
|
||||
deprecated predicate commonTLD = commonTld/0;
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `metachar` is a meta-character that is used to escape special characters
|
||||
* into a form described by regular expression `regex`.
|
||||
*/
|
||||
predicate escapingScheme(string metachar, string regex) {
|
||||
metachar = "&" and regex = "&.+;"
|
||||
or
|
||||
metachar = "%" and regex = "%.+"
|
||||
or
|
||||
metachar = "\\" and regex = "\\\\.+"
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets a predecessor of `nd` that is not an SSA phi node.
|
||||
*/
|
||||
DataFlow::Node getASimplePredecessor(DataFlow::Node nd) {
|
||||
result = nd.getAPredecessor() and
|
||||
not exists(SsaDefinition ssa |
|
||||
ssa = nd.(DataFlow::SsaDefinitionNode).getSsaVariable().getDefinition()
|
||||
|
|
||||
ssa instanceof SsaPhiNode or
|
||||
ssa instanceof SsaVariableCapture
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* A call to `String.prototype.replace` that replaces all instances of a pattern.
|
||||
*/
|
||||
class Replacement extends StringReplaceCall {
|
||||
Replacement() { this.isGlobal() }
|
||||
|
||||
/**
|
||||
* Gets the input of this replacement.
|
||||
*/
|
||||
DataFlow::Node getInput() { result = this.getReceiver() }
|
||||
|
||||
/**
|
||||
* Gets the output of this replacement.
|
||||
*/
|
||||
DataFlow::SourceNode getOutput() { result = this }
|
||||
|
||||
/**
|
||||
* Holds if this replacement escapes `char` using `metachar`.
|
||||
*
|
||||
* For example, during HTML entity escaping `<` is escaped (to `<`)
|
||||
* using `&`.
|
||||
*/
|
||||
predicate escapes(string char, string metachar) {
|
||||
exists(string regexp, string repl |
|
||||
escapingScheme(metachar, regexp) and
|
||||
this.replaces(char, repl) and
|
||||
repl.regexpMatch(regexp)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this replacement unescapes `char` using `metachar`.
|
||||
*
|
||||
* For example, during HTML entity unescaping `<` is unescaped (from
|
||||
* `<`) using `<`.
|
||||
*/
|
||||
predicate unescapes(string metachar, string char) {
|
||||
exists(string regexp, string orig |
|
||||
escapingScheme(metachar, regexp) and
|
||||
this.replaces(orig, char) and
|
||||
orig.regexpMatch(regexp)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the previous replacement in this chain of replacements.
|
||||
*/
|
||||
Replacement getPreviousReplacement() {
|
||||
result.getOutput() = getASimplePredecessor*(this.getInput())
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets an earlier replacement in this chain of replacements that
|
||||
* performs an escaping.
|
||||
*/
|
||||
Replacement getAnEarlierEscaping(string metachar) {
|
||||
exists(Replacement pred | pred = this.getPreviousReplacement() |
|
||||
if pred.escapes(_, metachar)
|
||||
then result = pred
|
||||
else (
|
||||
not pred.unescapes(metachar, _) and result = pred.getAnEarlierEscaping(metachar)
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets an earlier replacement in this chain of replacements that
|
||||
* performs a unescaping.
|
||||
*/
|
||||
Replacement getALaterUnescaping(string metachar) {
|
||||
exists(Replacement succ | this = succ.getPreviousReplacement() |
|
||||
if succ.unescapes(metachar, _)
|
||||
then result = succ
|
||||
else (
|
||||
not succ.escapes(_, metachar) and result = succ.getALaterUnescaping(metachar)
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if data flows from `pred` to `succ` through a replacement step that
|
||||
* backslash-escapes `escaped`.
|
||||
*/
|
||||
private predicate replacementStep(DataFlow::Node pred, DataFlow::Node succ, string escaped) {
|
||||
exists(Replacement repl |
|
||||
repl.getInput() = pred and
|
||||
repl.getOutput() = succ and
|
||||
repl.escapes(escaped, "\\")
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if data flows from `pred` to `succ` through a replacement step that
|
||||
* either backslash-escapes `escaped` or (if `escaped` is empty) does not
|
||||
* backslash-escape any character.
|
||||
*/
|
||||
private predicate regExpTaintStep(DataFlow::Node pred, DataFlow::Node succ, string escaped) {
|
||||
TaintTracking::sharedTaintStep(pred, succ) and
|
||||
(
|
||||
replacementStep(pred, succ, escaped)
|
||||
or
|
||||
not replacementStep(pred, succ, _) and
|
||||
escaped = ""
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the string that results from appending `newEscape` to `escaped`
|
||||
* if `escaped` does not already contain `newEscape`.
|
||||
*
|
||||
* The parameter `newEscape` must be at most one character long.
|
||||
*/
|
||||
bindingset[escaped, newEscape]
|
||||
private string addEscape(string escaped, string newEscape) {
|
||||
newEscape = "" and result = escaped
|
||||
or
|
||||
escaped.charAt(_) = newEscape and result = escaped
|
||||
or
|
||||
newEscape.length() = 1 and
|
||||
result = escaped + newEscape
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets a node whose value may flow (inter-procedurally) to `re`, where it is interpreted
|
||||
* as a part of a regular expression.
|
||||
*
|
||||
* The parameter `escaped` is the set of characters that are escaped along the way.
|
||||
*/
|
||||
private DataFlow::Node regExpSource(DataFlow::Node re, DataFlow::TypeBackTracker t) {
|
||||
private DataFlow::Node regExpSource(DataFlow::Node re, string escaped, DataFlow::TypeBackTracker t) {
|
||||
t.start() and
|
||||
re = result and
|
||||
escaped = "" and
|
||||
isInterpretedAsRegExp(result)
|
||||
or
|
||||
exists(DataFlow::TypeBackTracker t2, DataFlow::Node succ | succ = regExpSource(re, t2) |
|
||||
t2 = t.smallstep(result, succ)
|
||||
exists(DataFlow::TypeBackTracker t2, DataFlow::Node succ, string escaped2 | succ = regExpSource(re, escaped2, t2) |
|
||||
t2 = t.smallstep(result, succ) and
|
||||
escaped = escaped2
|
||||
or
|
||||
TaintTracking::sharedTaintStep(result, succ) and
|
||||
t = t2
|
||||
exists(string newEscape | regExpTaintStep(result, succ, newEscape) |
|
||||
t = t2 and
|
||||
escaped = addEscape(escaped2, newEscape)
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets a node whose value may flow (inter-procedurally) to `re`, where it is interpreted
|
||||
* as a part of a regular expression.
|
||||
*
|
||||
* The parameter `escaped` is the set of characters that are escaped along the way.
|
||||
*/
|
||||
private DataFlow::Node regExpSource(DataFlow::Node re) {
|
||||
result = regExpSource(re, DataFlow::TypeBackTracker::end())
|
||||
private DataFlow::Node regExpSource(DataFlow::Node re, string escaped) {
|
||||
result = regExpSource(re, escaped, DataFlow::TypeBackTracker::end())
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -1099,6 +1255,12 @@ abstract class RegExpPatternSource extends DataFlow::Node {
|
||||
* Gets the root term of the regular expression parsed from this pattern.
|
||||
*/
|
||||
abstract RegExpTerm getRegExpTerm();
|
||||
|
||||
/**
|
||||
* Holds if `char` may be backslash-escaped before it is interpreted as
|
||||
* a part of a regular expression.
|
||||
*/
|
||||
abstract predicate escapes(string char);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -1117,6 +1279,8 @@ private class RegExpLiteralPatternSource extends RegExpPatternSource, DataFlow::
|
||||
override DataFlow::SourceNode getARegExpObject() { result = this }
|
||||
|
||||
override RegExpTerm getRegExpTerm() { result = astNode.getRoot() }
|
||||
|
||||
override predicate escapes(string char) { none() }
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -1125,8 +1289,9 @@ private class RegExpLiteralPatternSource extends RegExpPatternSource, DataFlow::
|
||||
*/
|
||||
private class StringRegExpPatternSource extends RegExpPatternSource {
|
||||
DataFlow::Node parse;
|
||||
string escaped;
|
||||
|
||||
StringRegExpPatternSource() { this = regExpSource(parse) }
|
||||
StringRegExpPatternSource() { this = regExpSource(parse, escaped) }
|
||||
|
||||
override DataFlow::Node getAParse() { result = parse }
|
||||
|
||||
@@ -1141,6 +1306,8 @@ private class StringRegExpPatternSource extends RegExpPatternSource {
|
||||
override string getPattern() { result = this.getStringValue() }
|
||||
|
||||
override RegExpTerm getRegExpTerm() { result = this.asExpr().(StringLiteral).asRegExp() }
|
||||
|
||||
override predicate escapes(string char) { escaped.charAt(_) = char }
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -1149,8 +1316,9 @@ private class StringRegExpPatternSource extends RegExpPatternSource {
|
||||
*/
|
||||
private class StringConcatRegExpPatternSource extends RegExpPatternSource {
|
||||
DataFlow::Node parse;
|
||||
string escaped;
|
||||
|
||||
StringConcatRegExpPatternSource() { this = regExpSource(parse) }
|
||||
StringConcatRegExpPatternSource() { this = regExpSource(parse, escaped) }
|
||||
|
||||
override DataFlow::Node getAParse() { result = parse }
|
||||
|
||||
@@ -1165,6 +1333,8 @@ private class StringConcatRegExpPatternSource extends RegExpPatternSource {
|
||||
override string getPattern() { result = this.getStringValue() }
|
||||
|
||||
override RegExpTerm getRegExpTerm() { result = this.asExpr().(AddExpr).asRegExp() }
|
||||
|
||||
override predicate escapes(string char) { escaped.charAt(_) = char }
|
||||
}
|
||||
|
||||
module RegExp {
|
||||
|
||||
@@ -12,7 +12,19 @@ private import codeql.regex.HostnameRegexp as Shared
|
||||
module Impl implements Shared::HostnameRegexpSig<TreeImpl> {
|
||||
class DataFlowNode = JS::DataFlow::Node;
|
||||
|
||||
class RegExpPatternSource = RegExp::RegExpPatternSource;
|
||||
class RegExpPatternSource extends JS::DataFlow::Node instanceof RegExp::RegExpPatternSource {
|
||||
RegExpPatternSource() {
|
||||
not super.escapes(_)
|
||||
}
|
||||
|
||||
RegExp::RegExpTerm getRegExpTerm() {
|
||||
result = super.getRegExpTerm()
|
||||
}
|
||||
|
||||
JS::DataFlow::Node getAParse() {
|
||||
result = super.getAParse()
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
import Shared::Make<TreeImpl, Impl>
|
||||
|
||||
@@ -1,9 +1,3 @@
|
||||
## 0.8.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added the `AmdModuleDefinition::Range` class, making it possible to define custom aliases for the AMD `define` function.
|
||||
|
||||
## 0.8.0
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -16,111 +16,6 @@
|
||||
|
||||
import javascript
|
||||
|
||||
/**
|
||||
* Gets a predecessor of `nd` that is not an SSA phi node.
|
||||
*/
|
||||
DataFlow::Node getASimplePredecessor(DataFlow::Node nd) {
|
||||
result = nd.getAPredecessor() and
|
||||
not exists(SsaDefinition ssa |
|
||||
ssa = nd.(DataFlow::SsaDefinitionNode).getSsaVariable().getDefinition()
|
||||
|
|
||||
ssa instanceof SsaPhiNode or
|
||||
ssa instanceof SsaVariableCapture
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if `metachar` is a meta-character that is used to escape special characters
|
||||
* into a form described by regular expression `regex`.
|
||||
*/
|
||||
predicate escapingScheme(string metachar, string regex) {
|
||||
metachar = "&" and regex = "&.+;"
|
||||
or
|
||||
metachar = "%" and regex = "%.+"
|
||||
or
|
||||
metachar = "\\" and regex = "\\\\.+"
|
||||
}
|
||||
|
||||
/**
|
||||
* A call to `String.prototype.replace` that replaces all instances of a pattern.
|
||||
*/
|
||||
class Replacement extends StringReplaceCall {
|
||||
Replacement() { this.isGlobal() }
|
||||
|
||||
/**
|
||||
* Gets the input of this replacement.
|
||||
*/
|
||||
DataFlow::Node getInput() { result = this.getReceiver() }
|
||||
|
||||
/**
|
||||
* Gets the output of this replacement.
|
||||
*/
|
||||
DataFlow::SourceNode getOutput() { result = this }
|
||||
|
||||
/**
|
||||
* Holds if this replacement escapes `char` using `metachar`.
|
||||
*
|
||||
* For example, during HTML entity escaping `<` is escaped (to `<`)
|
||||
* using `&`.
|
||||
*/
|
||||
predicate escapes(string char, string metachar) {
|
||||
exists(string regexp, string repl |
|
||||
escapingScheme(metachar, regexp) and
|
||||
this.replaces(char, repl) and
|
||||
repl.regexpMatch(regexp)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if this replacement unescapes `char` using `metachar`.
|
||||
*
|
||||
* For example, during HTML entity unescaping `<` is unescaped (from
|
||||
* `<`) using `<`.
|
||||
*/
|
||||
predicate unescapes(string metachar, string char) {
|
||||
exists(string regexp, string orig |
|
||||
escapingScheme(metachar, regexp) and
|
||||
this.replaces(orig, char) and
|
||||
orig.regexpMatch(regexp)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets the previous replacement in this chain of replacements.
|
||||
*/
|
||||
Replacement getPreviousReplacement() {
|
||||
result.getOutput() = getASimplePredecessor*(this.getInput())
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets an earlier replacement in this chain of replacements that
|
||||
* performs an escaping.
|
||||
*/
|
||||
Replacement getAnEarlierEscaping(string metachar) {
|
||||
exists(Replacement pred | pred = this.getPreviousReplacement() |
|
||||
if pred.escapes(_, metachar)
|
||||
then result = pred
|
||||
else (
|
||||
not pred.unescapes(metachar, _) and result = pred.getAnEarlierEscaping(metachar)
|
||||
)
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Gets an earlier replacement in this chain of replacements that
|
||||
* performs a unescaping.
|
||||
*/
|
||||
Replacement getALaterUnescaping(string metachar) {
|
||||
exists(Replacement succ | this = succ.getPreviousReplacement() |
|
||||
if succ.unescapes(metachar, _)
|
||||
then result = succ
|
||||
else (
|
||||
not succ.escapes(_, metachar) and result = succ.getALaterUnescaping(metachar)
|
||||
)
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
from Replacement primary, Replacement supplementary, string message, string metachar
|
||||
where
|
||||
primary.escapes(metachar, _) and
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
## 0.8.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added the `AmdModuleDefinition::Range` class, making it possible to define custom aliases for the AMD `define` function.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.8.1
|
||||
lastReleaseVersion: 0.8.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/javascript-queries
|
||||
version: 0.8.1
|
||||
version: 0.8.1-dev
|
||||
groups:
|
||||
- javascript
|
||||
- queries
|
||||
|
||||
@@ -57,4 +57,9 @@
|
||||
/^http:\/\/(..|...)\.example\.com\/index\.html/; // OK, wildcards are intentional
|
||||
/^http:\/\/.\.example\.com\/index\.html/; // OK, the wildcard is intentional
|
||||
/^(foo.example\.com|whatever)$/; // kinda OK - one disjunction doesn't even look like a hostname
|
||||
|
||||
function makeHostnameRegExp(hostname) {
|
||||
return new RegExp(`^https://${hostname.replace(/[\.\\]/g, '\\$&')}$`);
|
||||
}
|
||||
makeHostnameRegExp('test.example.com'); // OK
|
||||
});
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 0.7.1
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.7.0
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.7.1
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.7.1
|
||||
lastReleaseVersion: 0.7.0
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
name: codeql/suite-helpers
|
||||
version: 0.7.1
|
||||
version: 0.7.1-dev
|
||||
groups: shared
|
||||
warnOnImplicitThis: true
|
||||
|
||||
@@ -1,16 +1,3 @@
|
||||
## 0.11.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added better support for API graphs when encountering `from ... import *`. For example in the code `from foo import *; Bar()`, we will now find a result for `API::moduleImport("foo").getMember("Bar").getACall()`
|
||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
||||
* Deleted the deprecated `getAUse`, `getAnImmediateUse`, `getARhs`, and `getAValueReachingRhs` predicates from the `API::Node` class.
|
||||
* Deleted the deprecated `fullyQualifiedToAPIGraphPath` class from `SubclassFinder.qll`, use `fullyQualifiedToApiGraphPath` instead.
|
||||
* Deleted the deprecated `Paths.qll` file.
|
||||
* Deleted the deprecated `semmle.python.security.performance` folder, use `semmle.python.security.regexp` instead.
|
||||
* Deleted the deprecated `semmle.python.security.strings` and `semmle.python.web` folders.
|
||||
* Improved modeling of decoding through pickle related functions (which can lead to code execution), resulting in additional sinks for the _Deserializing untrusted input_ query (`py/unsafe-deserialization`). Added support for `pandas.read_pickle`, `numpy.load` and `joblib.load`.
|
||||
|
||||
## 0.11.0
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Improved modeling of decoding through pickle related functions (which can lead to code execution), resulting in additional sinks for the _Deserializing untrusted input_ query (`py/unsafe-deserialization`). Added support for `pandas.read_pickle`, `numpy.load` and `joblib.load`.
|
||||
@@ -1,12 +1,9 @@
|
||||
## 0.11.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Added better support for API graphs when encountering `from ... import *`. For example in the code `from foo import *; Bar()`, we will now find a result for `API::moduleImport("foo").getMember("Bar").getACall()`
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
||||
* Deleted the deprecated `getAUse`, `getAnImmediateUse`, `getARhs`, and `getAValueReachingRhs` predicates from the `API::Node` class.
|
||||
* Deleted the deprecated `fullyQualifiedToAPIGraphPath` class from `SubclassFinder.qll`, use `fullyQualifiedToApiGraphPath` instead.
|
||||
* Deleted the deprecated `Paths.qll` file.
|
||||
* Deleted the deprecated `semmle.python.security.performance` folder, use `semmle.python.security.regexp` instead.
|
||||
* Deleted the deprecated `semmle.python.security.strings` and `semmle.python.web` folders.
|
||||
* Improved modeling of decoding through pickle related functions (which can lead to code execution), resulting in additional sinks for the _Deserializing untrusted input_ query (`py/unsafe-deserialization`). Added support for `pandas.read_pickle`, `numpy.load` and `joblib.load`.
|
||||
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added better support for API graphs when encountering `from ... import *`. For example in the code `from foo import *; Bar()`, we will now find a result for `API::moduleImport("foo").getMember("Bar").getACall()`
|
||||
4
python/ql/lib/change-notes/2023-10-17-contextmanager.md
Normal file
4
python/ql/lib/change-notes/2023-10-17-contextmanager.md
Normal file
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Added support for functions decorated with `contextlib.contextmanager`.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.11.1
|
||||
lastReleaseVersion: 0.11.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/python-all
|
||||
version: 0.11.1
|
||||
version: 0.11.1-dev
|
||||
groups: python
|
||||
dbscheme: semmlecode.python.dbscheme
|
||||
extractor: python
|
||||
|
||||
@@ -240,6 +240,19 @@ predicate hasPropertyDecorator(Function func) {
|
||||
)
|
||||
}
|
||||
|
||||
/**
|
||||
* Holds if the function `func` has a `contextlib.contextmanager`.
|
||||
*/
|
||||
predicate hasContextmanagerDecorator(Function func) {
|
||||
exists(ControlFlowNode contextmanager |
|
||||
contextmanager.(NameNode).getId() = "contextmanager" and contextmanager.(NameNode).isGlobal()
|
||||
or
|
||||
contextmanager.(AttrNode).getObject("contextmanager").(NameNode).getId() = "contextlib"
|
||||
|
|
||||
func.getADecorator() = contextmanager.getNode()
|
||||
)
|
||||
}
|
||||
|
||||
// =============================================================================
|
||||
// Callables
|
||||
// =============================================================================
|
||||
@@ -1604,6 +1617,24 @@ class ExtractedReturnNode extends ReturnNode, CfgNode {
|
||||
override ReturnKind getKind() { any() }
|
||||
}
|
||||
|
||||
/**
|
||||
* A data flow node that represents the value yielded by a callable with a
|
||||
* `contextlib.contextmanager` decorator. We treat this as a normal return, which makes
|
||||
* things just work when used in a `with` statement -- technically calling the function
|
||||
* directly will give you a `contextlib._GeneratorContextManager` instance, so it's a
|
||||
* slight workaround solution.
|
||||
*
|
||||
* See https://docs.python.org/3/library/contextlib.html#contextlib.contextmanager
|
||||
*/
|
||||
class YieldNodeInContextManagerFunction extends ReturnNode, CfgNode {
|
||||
YieldNodeInContextManagerFunction() {
|
||||
hasContextmanagerDecorator(node.getScope()) and
|
||||
node = any(Yield yield).getValue().getAFlowNode()
|
||||
}
|
||||
|
||||
override ReturnKind getKind() { any() }
|
||||
}
|
||||
|
||||
/** A data-flow node that represents the output of a call. */
|
||||
abstract class OutNode extends Node {
|
||||
/** Gets the underlying call, where this node is a corresponding output of kind `kind`. */
|
||||
|
||||
@@ -1,7 +1,3 @@
|
||||
## 0.9.1
|
||||
|
||||
No user-facing changes.
|
||||
|
||||
## 0.9.0
|
||||
|
||||
### New Queries
|
||||
|
||||
@@ -1,3 +0,0 @@
|
||||
## 0.9.1
|
||||
|
||||
No user-facing changes.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.9.1
|
||||
lastReleaseVersion: 0.9.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/python-queries
|
||||
version: 0.9.1
|
||||
version: 0.9.1-dev
|
||||
groups:
|
||||
- python
|
||||
- queries
|
||||
|
||||
@@ -195,3 +195,42 @@ class MyClass(object):
|
||||
def with_global_modifier(self):
|
||||
global some_value
|
||||
print(some_value) # $ tracked
|
||||
|
||||
# ------------------------------------------------------------------------------
|
||||
# yield
|
||||
# ------------------------------------------------------------------------------
|
||||
|
||||
def yielding_function():
|
||||
x = tracked # $ tracked
|
||||
yield x # $ tracked
|
||||
|
||||
def test_yield():
|
||||
for x in yielding_function(): # $ MISSING: tracked
|
||||
print(x) # $ MISSING: tracked
|
||||
|
||||
gen = yielding_function()
|
||||
y = next(gen) # $ MISSING: tracked
|
||||
print(y) # $ MISSING: tracked
|
||||
|
||||
|
||||
# see https://docs.python.org/3.11/library/contextlib.html#contextlib.contextmanager
|
||||
from contextlib import contextmanager
|
||||
import contextlib
|
||||
|
||||
@contextmanager
|
||||
def managed_resource():
|
||||
x = tracked # $ tracked
|
||||
yield x # $ tracked
|
||||
|
||||
def test_context_manager():
|
||||
with managed_resource() as x: # $ tracked
|
||||
print(x) # $ tracked
|
||||
|
||||
@contextlib.contextmanager
|
||||
def managed_resource2():
|
||||
x = tracked # $ tracked
|
||||
yield x # $ tracked
|
||||
|
||||
def test_context_manager2():
|
||||
with managed_resource2() as x: # $ tracked
|
||||
print(x) # $ tracked
|
||||
|
||||
@@ -32,6 +32,12 @@ edges
|
||||
| TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | TarSlipImprov.py:141:34:141:36 | GSSA Variable tar |
|
||||
| TarSlipImprov.py:141:34:141:36 | GSSA Variable tar | TarSlipImprov.py:142:9:142:13 | GSSA Variable entry |
|
||||
| TarSlipImprov.py:142:9:142:13 | GSSA Variable entry | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry |
|
||||
| TarSlipImprov.py:151:14:151:50 | ControlFlowNode for closing() | TarSlipImprov.py:151:55:151:56 | SSA variable tf |
|
||||
| TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | TarSlipImprov.py:151:14:151:50 | ControlFlowNode for closing() |
|
||||
| TarSlipImprov.py:151:55:151:56 | SSA variable tf | TarSlipImprov.py:152:19:152:20 | ControlFlowNode for tf |
|
||||
| TarSlipImprov.py:152:19:152:20 | ControlFlowNode for tf | TarSlipImprov.py:157:18:157:40 | ControlFlowNode for py2_tarxz() |
|
||||
| TarSlipImprov.py:157:9:157:14 | SSA variable tar_cm | TarSlipImprov.py:162:20:162:23 | SSA variable tarc |
|
||||
| TarSlipImprov.py:157:18:157:40 | ControlFlowNode for py2_tarxz() | TarSlipImprov.py:157:9:157:14 | SSA variable tar_cm |
|
||||
| TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm | TarSlipImprov.py:162:20:162:23 | SSA variable tarc |
|
||||
| TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() | TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm |
|
||||
| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() |
|
||||
@@ -122,6 +128,12 @@ nodes
|
||||
| TarSlipImprov.py:141:34:141:36 | GSSA Variable tar | semmle.label | GSSA Variable tar |
|
||||
| TarSlipImprov.py:142:9:142:13 | GSSA Variable entry | semmle.label | GSSA Variable entry |
|
||||
| TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | semmle.label | ControlFlowNode for entry |
|
||||
| TarSlipImprov.py:151:14:151:50 | ControlFlowNode for closing() | semmle.label | ControlFlowNode for closing() |
|
||||
| TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
| TarSlipImprov.py:151:55:151:56 | SSA variable tf | semmle.label | SSA variable tf |
|
||||
| TarSlipImprov.py:152:19:152:20 | ControlFlowNode for tf | semmle.label | ControlFlowNode for tf |
|
||||
| TarSlipImprov.py:157:9:157:14 | SSA variable tar_cm | semmle.label | SSA variable tar_cm |
|
||||
| TarSlipImprov.py:157:18:157:40 | ControlFlowNode for py2_tarxz() | semmle.label | ControlFlowNode for py2_tarxz() |
|
||||
| TarSlipImprov.py:159:9:159:14 | SSA variable tar_cm | semmle.label | SSA variable tar_cm |
|
||||
| TarSlipImprov.py:159:18:159:52 | ControlFlowNode for closing() | semmle.label | ControlFlowNode for closing() |
|
||||
| TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | semmle.label | ControlFlowNode for Attribute() |
|
||||
@@ -199,6 +211,7 @@ subpaths
|
||||
| TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | TarSlipImprov.py:129:6:129:26 | ControlFlowNode for Attribute() | TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:129:6:129:26 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:130:5:130:7 | ControlFlowNode for tar | ControlFlowNode for tar |
|
||||
| TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | TarSlipImprov.py:133:7:133:39 | ControlFlowNode for Attribute() | TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:133:7:133:39 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:134:1:134:3 | ControlFlowNode for tar | ControlFlowNode for tar |
|
||||
| TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:141:6:141:29 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:143:36:143:40 | ControlFlowNode for entry | ControlFlowNode for entry |
|
||||
| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:151:22:151:49 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | ControlFlowNode for tarc |
|
||||
| TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:159:26:159:51 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:169:9:169:12 | ControlFlowNode for tarc | ControlFlowNode for tarc |
|
||||
| TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:176:6:176:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:178:36:178:40 | ControlFlowNode for entry | ControlFlowNode for entry |
|
||||
| TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | TarSlipImprov.py:182:6:182:31 | ControlFlowNode for Attribute() | TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | Extraction of tarfile from $@ to a potentially untrusted source $@. | TarSlipImprov.py:182:6:182:31 | ControlFlowNode for Attribute() | ControlFlowNode for Attribute() | TarSlipImprov.py:184:21:184:25 | ControlFlowNode for entry | ControlFlowNode for entry |
|
||||
|
||||
BIN
ql/Cargo.lock
generated
BIN
ql/Cargo.lock
generated
Binary file not shown.
@@ -9,4 +9,4 @@ edition = "2018"
|
||||
lazy_static = "1.4.0"
|
||||
chrono = "0.4.31"
|
||||
rayon = "1.8.0"
|
||||
regex = "1.10.0"
|
||||
regex = "1.10.2"
|
||||
|
||||
@@ -16,5 +16,5 @@ clap = { version = "4.2", features = ["derive"] }
|
||||
tracing = "0.1"
|
||||
tracing-subscriber = { version = "0.3.17", features = ["env-filter"] }
|
||||
rayon = "1.8.0"
|
||||
regex = "1.10.0"
|
||||
regex = "1.10.2"
|
||||
codeql-extractor = { path = "../../shared/tree-sitter-extractor" }
|
||||
|
||||
@@ -1,14 +1,3 @@
|
||||
## 0.8.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
||||
* Deleted the deprecated `isWeak` predicate from the `CryptographicOperation` class.
|
||||
* Deleted the deprecated `getStringOrSymbol` and `isStringOrSymbol` predicates from the `ConstantValue` class.
|
||||
* Deleted the deprecated `getAPI` from the `IOOrFileMethodCall` class.
|
||||
* Deleted the deprecated `codeql.ruby.security.performance` folder, use `codeql.ruby.security.regexp` instead.
|
||||
* GraphQL enums are no longer considered remote flow sources.
|
||||
|
||||
## 0.8.0
|
||||
|
||||
### Major Analysis Improvements
|
||||
|
||||
4
ruby/ql/lib/change-notes/2023-09-18-graphql-sources.md
Normal file
4
ruby/ql/lib/change-notes/2023-09-18-graphql-sources.md
Normal file
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* GraphQL enums are no longer considered remote flow sources.
|
||||
@@ -1,10 +1,8 @@
|
||||
## 0.8.1
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Deleted the deprecated `isBarrierGuard` predicate from the dataflow library and its uses, use `isBarrier` and the `BarrierGuard` module instead.
|
||||
* Deleted the deprecated `isWeak` predicate from the `CryptographicOperation` class.
|
||||
* Deleted the deprecated `getStringOrSymbol` and `isStringOrSymbol` predicates from the `ConstantValue` class.
|
||||
* Deleted the deprecated `getAPI` from the `IOOrFileMethodCall` class.
|
||||
* Deleted the deprecated `codeql.ruby.security.performance` folder, use `codeql.ruby.security.regexp` instead.
|
||||
* GraphQL enums are no longer considered remote flow sources.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.8.1
|
||||
lastReleaseVersion: 0.8.0
|
||||
|
||||
@@ -1,5 +1,5 @@
|
||||
name: codeql/ruby-all
|
||||
version: 0.8.1
|
||||
version: 0.8.1-dev
|
||||
groups: ruby
|
||||
extractor: ruby
|
||||
dbscheme: ruby.dbscheme
|
||||
|
||||
@@ -1,10 +1,3 @@
|
||||
## 0.8.1
|
||||
|
||||
### New Queries
|
||||
|
||||
* Added a new experimental query, `rb/jwt-empty-secret-or-algorithm`, to detect when application uses an empty secret or weak algorithm.
|
||||
* Added a new experimental query, `rb/jwt-missing-verification`, to detect when the application does not verify a JWT payload.
|
||||
|
||||
## 0.8.0
|
||||
|
||||
### Minor Analysis Improvements
|
||||
|
||||
@@ -1,6 +1,5 @@
|
||||
## 0.8.1
|
||||
|
||||
### New Queries
|
||||
|
||||
---
|
||||
category: newQuery
|
||||
---
|
||||
* Added a new experimental query, `rb/jwt-empty-secret-or-algorithm`, to detect when application uses an empty secret or weak algorithm.
|
||||
* Added a new experimental query, `rb/jwt-missing-verification`, to detect when the application does not verify a JWT payload.
|
||||
* Added a new experimental query, `rb/jwt-missing-verification`, to detect when the application does not verify a JWT payload.
|
||||
@@ -1,2 +1,2 @@
|
||||
---
|
||||
lastReleaseVersion: 0.8.1
|
||||
lastReleaseVersion: 0.8.0
|
||||
|
||||
Some files were not shown because too many files have changed in this diff Show More
Reference in New Issue
Block a user