mirror of
https://github.com/github/codeql.git
synced 2025-12-20 18:56:32 +01:00
9151a7e433
If the legacy configuration is only enabled if there are no other configurations, defining a configuration in an imported library can lead to unwanted results. For example, code that uses `any(MyTaintKind t).taints(node)` would *stop* working, if it did not define its own configuration. (this actually happened to us) We performed a dist-compare to ensure there is not a performance deg ration by doing this. Results at https://git.semmle.com/gist/rasmuswl/a1eca07f3a92f5f65ee78d733e5d260e Tests that were affected by this: - RockPaperScissors + Simple: new edges because no configuration was defined for SqlInjectionTaint or CommandInjectionTaint - CleartextLogging + CleartextStorage: new edges because no configuration was defined before, AND duplicate deges. - TestNode: new edges because no configuration was defined before - PathInjection: Duplicate edges - TarSlip: Duplicate edges - CommandInjection: Duplicate edges - ReflectedXss: Duplicate edges - SqlInjection: Duplicate edges - CodeInjection: Duplicate edges - StackTraceExposure: Duplicate edges - UnsafeDeserialization: Duplicate edges - UrlRedirect: Duplicate edges
17 lines
2.0 KiB
Plaintext
17 lines
2.0 KiB
Plaintext
edges
|
|
| test.py:11:15:11:26 | dict of externally controlled string | test.py:11:15:11:41 | externally controlled string |
|
|
| test.py:11:15:11:26 | dict of externally controlled string | test.py:11:15:11:41 | externally controlled string |
|
|
| test.py:11:15:11:41 | externally controlled string | test.py:12:18:12:24 | externally controlled string |
|
|
| test.py:11:15:11:41 | externally controlled string | test.py:12:18:12:24 | externally controlled string |
|
|
| test.py:11:15:11:41 | externally controlled string | test.py:13:15:13:21 | externally controlled string |
|
|
| test.py:11:15:11:41 | externally controlled string | test.py:13:15:13:21 | externally controlled string |
|
|
| test.py:11:15:11:41 | externally controlled string | test.py:14:19:14:25 | externally controlled string |
|
|
| test.py:11:15:11:41 | externally controlled string | test.py:14:19:14:25 | externally controlled string |
|
|
| test.py:11:15:11:41 | externally controlled string | test.py:16:16:16:22 | externally controlled string |
|
|
| test.py:11:15:11:41 | externally controlled string | test.py:16:16:16:22 | externally controlled string |
|
|
#select
|
|
| test.py:12:18:12:24 | payload | test.py:11:15:11:26 | dict of externally controlled string | test.py:12:18:12:24 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | Attribute | untrusted input |
|
|
| test.py:13:15:13:21 | payload | test.py:11:15:11:26 | dict of externally controlled string | test.py:13:15:13:21 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | Attribute | untrusted input |
|
|
| test.py:14:19:14:25 | payload | test.py:11:15:11:26 | dict of externally controlled string | test.py:14:19:14:25 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | Attribute | untrusted input |
|
|
| test.py:16:16:16:22 | payload | test.py:11:15:11:26 | dict of externally controlled string | test.py:16:16:16:22 | externally controlled string | Deserializing of $@. | test.py:11:15:11:26 | Attribute | untrusted input |
|