Commit graph

246 commits

Author SHA1 Message Date
Max Schaefer f181111886 JavaScript: Add model of `http2` compatibility API.
Also deprecated the `httpOrHttps` predicate, which was now only used in one place and seemed a little pointless anyway.
2020-02-14 11:14:31 +00:00
semmle-qlci da566a4484
Merge pull request #2828 from erik-krogh/CVE24
Approved by esbena
2020-02-14 09:12:48 +00:00
semmle-qlci 769dce511b
Merge pull request #2788 from erik-krogh/CVE42-sink
Approved by esbena
2020-02-14 08:00:00 +00:00
Erik Krogh Kristensen d6afd438ba add model for chrome-remote-interface as a ClientRequest 2020-02-13 10:58:07 +01:00
Taus 12113e947f
Merge pull request #2603 from RasmusWL/python-fix-http-source-sink
Python: Make web libs use HttpRequestTaintSource and HttpResponseTaintSink
2020-02-12 13:42:22 +01:00
Robert Marsh 5269fb713f
Merge pull request #2812 from geoffw0/nospacezero
C++: Improve NoSpaceForZeroTerminator.ql
2020-02-11 14:37:32 -05:00
Geoffrey White 87781a944b C++: Change note. 2020-02-11 15:25:59 +00:00
Tom Hvitved 1948446ad3 Address review comments 2020-02-11 11:56:40 +01:00
Tom Hvitved dc27ee7b9f C#: Add change note 2020-02-10 20:33:57 +01:00
Tom Hvitved 2b2bb5db80
Merge pull request #2803 from calumgrant/cs/stackalloc-expr
C#: Handle implicitly-typed stackallocs
2020-02-10 20:28:16 +01:00
Erik Krogh Kristensen 67cd303a91 add change note 2020-02-10 13:51:48 +01:00
Calum Grant a95ef31984 C#: Analysis change notes 2020-02-10 11:36:30 +00:00
Esben Sparre Andreasen 736ccb98c2 JS: model the `send` library for `js/path-injection` 2020-02-07 12:45:32 +01:00
Calum Grant 389e6266d9
Merge pull request #2773 from hvitved/csharp/useless-assignment-to-local-default
C#: Remove false positives for `cs/useless-assignment-to-local`
2020-02-07 10:37:19 +00:00
Asger Feldthaus 91a5385e7f JS: Add libraries to change note 2020-02-06 14:59:52 +00:00
Asger Feldthaus 75c008eec1 JS: Change note 2020-02-06 14:33:20 +00:00
Tom Hvitved 69d9d4122a C#: Add change note 2020-02-05 20:12:41 +01:00
Felicity Chapman d0e7bfce28
Merge pull request #2738 from aschackmull/java/ldapinjection-changenote
Java: Add change note for LDAP injection query.
2020-02-05 11:29:29 +00:00
semmle-qlci 53763c789f
Merge pull request #2741 from esbena/js/split-and-slice-for-tainted-path
Approved by erik-krogh
2020-02-05 10:53:39 +00:00
Anders Schack-Mulligen cf815351a9 Java: Elaborate change note. 2020-02-04 16:18:35 +01:00
Tom Hvitved 00fdc70155
Merge pull request #2710 from calumgrant/cs/short-circuit-out
C#: Remove false positive in cs/non-short-circuit
2020-02-04 12:09:17 +01:00
Esben Sparre Andreasen bbd60f52ba JS: add additional flow steps to js/path-injection 2020-02-03 16:36:25 +01:00
Asger Feldthaus 9abf5f06e6 TS: Resolve imports using TypeScript symbols 2020-02-03 09:32:56 +00:00
Esben Sparre Andreasen 7f25c1bf47 JS: address doc-review comments 2020-01-31 19:33:04 +01:00
Esben Sparre Andreasen fef918ac13 JS: add query "Unsafe jQuery plugin" 2020-01-31 19:33:04 +01:00
semmle-qlci d995d5a4a0
Merge pull request #2716 from esbena/js/additional-koa-requests
Approved by erik-krogh
2020-01-31 18:30:42 +00:00
Anders Schack-Mulligen 7647d94068 Java: Add change note for LDAP injection query. 2020-01-31 16:48:35 +01:00
yo-h 563be9f817
Merge pull request #2719 from aschackmull/java/deprecate-parexpr
Java: Deprecate ParExpr
2020-01-30 18:23:13 -05:00
Anders Schack-Mulligen 843fd37c75 Java: Add change note. 2020-01-30 10:52:16 +01:00
Anders Schack-Mulligen b7a8d0e903
Apply suggestions from code review
Co-Authored-By: Jonas Jensen <jbj@github.com>
2020-01-30 10:41:13 +01:00
Anders Schack-Mulligen 2039ec37e5 Java/C++/C#: Add change note for taint-getters. 2020-01-29 16:26:23 +01:00
Tom Hvitved 474815bf57
Merge pull request #2660 from calumgrant/cs/release-notes
C#: Add release notes and precisions to queries
2020-01-29 16:05:45 +01:00
Esben Sparre Andreasen a6d3afd817 JS: support additional Koa request sources 2020-01-29 14:49:01 +01:00
Calum Grant aff0a7534c
Update change-notes/1.24/analysis-csharp.md
Fix indentation

Co-Authored-By: James Fletcher <42464962+jf205@users.noreply.github.com>
2020-01-29 11:44:17 +00:00
semmle-qlci fb90c2ba52
Merge pull request #2681 from asger-semmle/csrf-only-session-cookie-access
Approved by erik-krogh, max-schaefer
2020-01-29 10:46:48 +00:00
Jonas Jensen 27b5902258
Merge pull request #2707 from geoffw0/taint-format
C++: Add TaintFunction model to FormattingFunction
2020-01-29 08:20:34 +01:00
Calum Grant 6b377d7ad4 C#: Analysis change notes 2020-01-28 14:59:25 +00:00
Geoffrey White fc1816cbd7 C++: Update change note. 2020-01-28 14:53:18 +00:00
Rasmus Wriedt Larsen 9b2ca0c9c7 Python: Update web libraries to use HttpSources and HttpSinks 2020-01-28 13:06:48 +01:00
Anders Schack-Mulligen 4cb28d9b1d Java: Add new query for large left shifts and bugfix ConstantExpAppearsNonConstant. 2020-01-28 10:13:34 +01:00
Geoffrey White 1ddabee1b8 C++: Change note. 2020-01-28 08:46:46 +00:00
yo-h 8c00671f24
Merge pull request #2698 from aschackmull/java/changenote-csrf-query
Java: Add change note for java/spring-disabled-csrf-protection.
2020-01-27 21:09:15 -05:00
Chris Gavin 708890add3 Java: Add a change note for `java/suspicious-date-format`. 2020-01-27 11:57:56 +00:00
Anders Schack-Mulligen efe8981129 Java: Add change note for java/spring-disabled-csrf-protection. 2020-01-27 11:33:31 +01:00
semmle-qlci 7d9956e3f3
Merge pull request #2675 from erik-krogh/WebSocket
Approved by esbena
2020-01-27 08:40:37 +00:00
yo-h 50320c7828
Merge pull request #2628 from aschackmull/java/no-adhoc-testclass
Java: Replace ad-hoc TestClass detection.
2020-01-23 14:09:11 -05:00
Asger Feldthaus 406c6eb981 JS: Sharpen missing CSRF middleware query 2020-01-23 14:22:49 +00:00
Anders Schack-Mulligen 0bbe571064
Update change-notes/1.24/analysis-java.md
Co-Authored-By: Felicity Chapman <felicitymay@github.com>
2020-01-23 13:13:51 +01:00
Anders Schack-Mulligen fd141917c7 Java: Add change note. 2020-01-23 11:08:35 +01:00
Jonas Jensen ceeb9ab718
Merge pull request #2622 from MathiasVP/implicit-function-declaration
C++: Add 'implicit function declaration' query
2020-01-23 09:23:44 +01:00
James Fletcher f1749b3990
Merge pull request #2654 from calumgrant/cs/null-dereference
C#: Improvements to cs/dereferenced-value-may-be-null
2020-01-22 20:15:20 +00:00
Erik Krogh Kristensen 6345e9bde1 add change note 2020-01-22 15:14:10 +01:00
semmle-qlci 007b0795ec
Merge pull request #2636 from erik-krogh/NewSocketIO
Approved by esbena
2020-01-22 13:46:11 +00:00
Erik Krogh Kristensen 1228d506b4 update change notes to reflect that library models have improved 2020-01-22 12:52:45 +01:00
Erik Krogh Kristensen 750e9786f6 add change note for EventEmitter 2020-01-22 10:31:38 +01:00
Calum Grant 6692e61fa2 C#: Analysis change notes 2020-01-21 13:55:32 +00:00
Calum Grant 86fa7e5c38 C#: Analysis change notes 2020-01-20 14:37:28 +00:00
Geoffrey White 97c346285e CPP: Change note. 2020-01-17 18:56:21 +00:00
Jonas Jensen 3632d51abc
Merge pull request #2635 from geoffw0/modelstrdup
CPP: Model strdup
2020-01-17 19:26:26 +01:00
Geoffrey White 7dbda22a29 CPP: Update change note. 2020-01-17 16:19:39 +00:00
Mathias Vorreiter Pedersen 303c6aa5b7 C++: Added query to suites and change-notes 2020-01-17 14:51:40 +01:00
semmle-qlci 4efc418e2c
Merge pull request #2617 from asger-semmle/prototype-pollution-utility
Approved by esbena, mchammer01
2020-01-16 13:02:07 +00:00
Geoffrey White f4aba14d3a CPP: Change note. 2020-01-16 11:08:19 +00:00
Asger Feldthaus 7141f15858 JS: Add change note 2020-01-15 11:49:57 +00:00
Geoffrey White 170981ef41 CPP: Change note. 2020-01-14 14:36:44 +00:00
semmle-qlci 3c4749be88
Merge pull request #2624 from asger-semmle/js-duplicate-alert-strict-mode
Approved by max-schaefer
2020-01-14 11:59:45 +00:00
Asger Feldthaus 2245882441 JS: Add change note and fix cwe tags 2020-01-14 10:53:40 +00:00
Asger Feldthaus 73e60a7400 JS: Ignore strict-mode-call-stack-introspection for expr stmts 2020-01-13 16:03:03 +00:00
semmle-qlci 40de391490
Merge pull request #2616 from asger-semmle/promise-missing-await-change-note
Approved by mchammer01
2020-01-13 12:03:11 +00:00
Asger F 6c4da30a64
Update change-notes/1.24/analysis-javascript.md
Co-Authored-By: mc <42146119+mchammer01@users.noreply.github.com>
2020-01-13 11:05:03 +00:00
Anders Schack-Mulligen 183fd91a01
Merge pull request #2615 from yo-h/java-add-change-note
Java: add change note for `java/maven/non-https-url`
2020-01-13 09:54:48 +01:00
yo-h bf8ef42c1a Java: add change note for `java/maven/non-https-url` 2020-01-10 11:03:48 -05:00
Asger Feldthaus 18db551e10 JS: Add change note for js/missing-await 2020-01-10 11:10:57 +00:00
Anders Schack-Mulligen ad92d6fe0f
Merge pull request #2607 from yo-h/java-alert-suppression-block-comment
Java: allow single-line `/* ... */` comments for alert suppression
2020-01-10 11:05:23 +01:00
yo-h 7ffa517803
Merge pull request #2584 from aschackmull/java/nonnull-final-field
Java: Include non-null final fields in clearlyNotNull.
2020-01-09 18:48:45 -05:00
semmle-qlci f1f69ef85d
Merge pull request #2589 from esbena/js/ignore-duplicate-params-for-empty-functions
Approved by erik-krogh
2020-01-09 11:58:04 +00:00
Dave Bartolomeo 6c8de44800
Merge pull request #2604 from geoffw0/returnthis
CPP: Exclude template classes from cpp/assignment-does-not-return-this
2020-01-08 09:12:22 -07:00
Max Schaefer de15ecf47b
Merge pull request #2593 from asger-semmle/regexp-always-matches
JS: Add RegExpAlwaysMatches query
2020-01-08 15:21:39 +00:00
yo-h 1078424f79 Java: allow single-line `/* ... */` comments for alert suppression 2020-01-08 09:19:25 -05:00
Geoffrey White 8044fefb1f CPP: Change note. 2020-01-08 13:19:11 +00:00
Calum Grant f67240a316 C#: Analysis change notes 2020-01-07 18:39:51 +00:00
Dave Bartolomeo 3072e9c7da
Merge pull request #2598 from geoffw0/av114_asm
CPP: Exclude functions containing asm from cpp/missing-return
2020-01-07 09:04:14 -07:00
Geoffrey White c584ceb2f4 CPP: Change note. 2020-01-07 12:46:07 +00:00
Asger Feldthaus d55d5cc4ed JS: Address comments from doc review 2020-01-07 10:27:46 +00:00
Tom Hvitved 5552c2e912
Merge pull request #2563 from calumgrant/cs/tuple-expr
C#: Handle tuple expressions
2020-01-07 09:31:17 +01:00
Tom Hvitved ed2125969e
Merge pull request #2568 from calumgrant/cs/assignment-to-_
C#: Remove FP in useless assignment to _
2020-01-06 15:39:45 +01:00
Asger F 9928762769 JS: Add RegExpAlwaysMatches query 2020-01-06 13:48:02 +00:00
Asger F 79f8d02019 JS: Add change note 2020-01-06 11:38:13 +00:00
semmle-qlci 48deb30756
Merge pull request #2573 from max-schaefer/js/generalise-alert-suppression
Approved by asgerf
2020-01-06 10:43:17 +00:00
semmle-qlci 5dcc5b3b1e
Merge pull request #2581 from erik-krogh/FlowUselessExpr
Approved by max-schaefer
2020-01-06 08:33:36 +00:00
Esben Sparre Andreasen 96748ca32e JS: sharpen js/duplicate-parameter-name 2020-01-06 08:51:00 +01:00
Anders Schack-Mulligen e74aa33f9d Java: Include non-null final fields in clearlyNotNull. 2020-01-03 16:24:54 +01:00
Max Schaefer 8d1ad5c5f3 JavaScript: Alert suppression through single-line /* */ style comments. 2020-01-02 10:45:20 +00:00
Calum Grant 68f42a6f47 C#: Analysis change notes 2019-12-27 12:07:26 +00:00
Calum Grant 0f178be12e C#: Update change notes. 2019-12-23 15:29:20 +00:00
Jonas Jensen 7e84453ec9
Merge pull request #2542 from geoffw0/datetime
C++: Sort through the leap year and japanese era queries
2019-12-23 10:13:12 +01:00
Jonas Jensen 939979ddef
Merge branch 'master' into overflowcalc 2019-12-19 14:12:00 +01:00
Erik Krogh Kristensen 0611dc3f60 move change notes to extractor-javascript.md 2019-12-18 14:21:43 +01:00
Erik Krogh Kristensen 807664e545 add change note 2019-12-18 11:35:16 +01:00
Erik Krogh Kristensen f140820511 fix FP related to block-level flow type annotations 2019-12-17 16:10:20 +01:00
Geoffrey White a5e10a7ae2 C++: More change notes. 2019-12-17 11:56:23 +00:00
Geoffrey White 19835cd11d C++: Change note. 2019-12-17 10:27:13 +00:00
Geoffrey White acca39bfc7 C++: Repair following merge. 2019-12-16 14:12:32 +00:00
Geoffrey White 0da826f0c3 Merge branch 'master' into overflowcalc 2019-12-16 13:48:38 +00:00
Calum Grant a5b2549f6f
Merge pull request #2514 from hvitved/csharp/code-contracts
C#: Recognize Code Contract assertions
2019-12-16 13:00:01 +00:00
Geoffrey White 91af51cf46 CPP: Change note. 2019-12-13 16:58:37 +00:00
Tom Hvitved 78f63a3679 C#: Add change note 2019-12-11 16:57:35 +01:00
Calum Grant 3049bf2c85
Merge pull request #2358 from cldrn/ASPNetPagesValidateRequest
Adds CodeQL query to check for Pages with disabled built-in validation
2019-12-09 13:05:03 +00:00
yo-h ed97be459f
Merge pull request #2454 from aschackmull/java/explicit-mul-zero
Java: Allow explicit zero multiplication in java/evaluation-to-constant.
2019-12-06 18:13:43 -05:00
Anders Schack-Mulligen 5a2ed9fd81 Java: Add change note. 2019-12-06 11:50:27 +00:00
Calum Grant 59ce8842bb Merge branch 'master' of git.semmle.com:Semmle/ql into ASPNetPagesValidateRequest
# Conflicts:
#	change-notes/1.24/analysis-csharp.md
2019-12-05 15:58:47 +00:00
Calum Grant 73c8888361
Merge pull request #2356 from cldrn/ASPNetRequestValidationMode
Adds CodeQL query to check for insecure RequestValidationMode in ASP.NET
2019-12-04 17:02:08 +00:00
Geoffrey White b752a6c8ed
Merge pull request #2381 from jbj/StackVariable
C++: Add StackVariable class, preferred over LocalScopeVariable
2019-12-03 10:35:16 +00:00
semmle-qlci cfcd18b411
Merge pull request #2429 from erik-krogh/typeAheadSink
Approved by esbena
2019-12-03 08:07:25 +00:00
Paulino Calderon 24b2471533
Update change-notes/1.24/analysis-csharp.md
tag update

Co-Authored-By: James Fletcher <42464962+jf205@users.noreply.github.com>
2019-12-02 16:44:25 -05:00
Calum Grant fcd13dc595 Merge remote-tracking branch 'upstream/master' into ASPNetRequestValidationMode
# Conflicts:
#	change-notes/1.24/analysis-csharp.md
2019-12-02 12:03:11 +00:00
semmle-qlci dc7a0c1b91
Merge pull request #2442 from hvitved/csharp/dataflow/conversion-operator
Approved by calumgrant
2019-12-02 11:01:35 +00:00
Erik Krogh Kristensen c6c1ebe81a Merge remote-tracking branch 'upstream/master' into typeAheadSink 2019-12-02 08:41:49 +01:00
Calum Grant a4251f67a2 C#: Analysis change notes. 2019-11-29 10:32:04 +00:00
Max Schaefer f958916c76
Merge pull request #2330 from erik-krogh/exceptionXss
JS: Added query for detecting XSS that happens through an exception
2019-11-29 09:04:45 +00:00
semmle-qlci 73e08eba43
Merge pull request #2468 from max-schaefer/js/regexp-predecessor
Approved by asgerf
2019-11-28 16:57:31 +00:00
Jonas Jensen 763b18cd11 Merge remote-tracking branch 'upstream/master' into StackVariable
Conflicts:
      change-notes/1.24/analysis-cpp.md
      cpp/ql/src/Security/CWE/CWE-131/NoSpaceForZeroTerminator.ql
2019-11-28 17:51:20 +01:00
Max Schaefer a788bf87a0 JavaScript: Fix `RegExpTerm.getPredecessor` and `getSuccessor`.
These were originally meant to give you the term that is textually matched right before/right after the receiver. When I introduced support for lookbehinds, I changed the behaviour to give you the term that is _operationally_ matched before/after the receiver (remember that lookbehinds are implemented by reverse-matching).

However, I think that's rarely ever what you want, and is wrong for the only two uses of these predicates, where it's the textual matching order that we are after, not the operational order.

Consequently, I've changed the semantics back and updated the comments to hopefully clarify the intention.
2019-11-28 15:14:50 +00:00
Calum Grant 5833b15f0e C#: Analysis change notes. 2019-11-27 17:30:02 +00:00
Erik Krogh Kristensen 34e44e89fd Merge remote-tracking branch 'upstream/master' into typeAheadSink 2019-11-27 15:19:06 +01:00
Erik Krogh Kristensen 9351cd44e4 Merge remote-tracking branch 'githubsemmle/master' into HEAD 2019-11-27 13:45:59 +01:00
semmle-qlci 4916bed9cd
Merge pull request #2433 from asger-semmle/import-js-file
Approved by max-schaefer
2019-11-27 10:55:59 +00:00
Erik Krogh Kristensen 6d63d75d87
remove superfluous line break
Co-Authored-By: Esben Sparre Andreasen <esbena@github.com>
2019-11-27 10:52:01 +01:00
Erik Krogh Kristensen b5a57986c6 small changes based on review feedback 2019-11-26 15:57:31 +01:00
Erik Krogh Kristensen 5a0cabb039 Merge remote-tracking branch 'upstream/master' into typeAheadSink 2019-11-26 14:37:40 +01:00
Tom Hvitved 355c4f7154 C#: Add change note 2019-11-26 13:54:19 +01:00
Jonas Jensen b1745f588c
Merge pull request #2402 from geoffw0/nospace
CPP: Make NoSpaceForZeroTerminator.ql more conservative.
2019-11-26 13:36:05 +01:00
Erik Krogh Kristensen b06acd1ed0 add change note 2019-11-26 12:52:41 +01:00
Erik Krogh Kristensen 0f948339af add change note 2019-11-26 11:23:30 +01:00
Asger F e3e15a6015 JS: Rephrase change note 2019-11-25 17:20:42 +00:00
Asger F 2508da7971 JS: Add change note 2019-11-25 17:01:32 +00:00
Geoffrey White 1d233f2f9e CPP: Change notes for the queries. 2019-11-22 15:27:08 +00:00
Geoffrey White 62008597d4 CPP: Change notes for the library. 2019-11-22 15:27:08 +00:00
Erik Krogh Kristensen 9fc20cd9b0 add change note 2019-11-22 15:58:00 +01:00
Max Schaefer a3a46bfdc2 JavaScript: Add change note. 2019-11-22 09:27:14 +00:00
semmle-qlci 62859d140d
Merge pull request #2394 from esbena/js/support-getDerivedFromError
Approved by max-schaefer
2019-11-22 07:45:45 +00:00
Esben Sparre Andreasen edb94db6ef JS: add change notes 2019-11-21 13:20:08 +01:00
Esben Sparre Andreasen 6328a0a8b9 JS: improve FP filter for js/unbound-event-handler-receiver 2019-11-21 13:13:40 +01:00
Geoffrey White 5c855fc925 CPP: Change note. 2019-11-20 15:34:41 +00:00
Jonas Jensen 0731309b1e C++: Change note for StackVariable 2019-11-19 11:44:03 +01:00
Erik Krogh Kristensen d4f42d872a change change-note to target 1.24 instead of 1.23 2019-11-19 11:10:34 +01:00