Commit graph

260 commits

Author SHA1 Message Date
Mathias Vorreiter Pedersen 24542ec84a Merge branch 'main' into replace-ast-with-ir-use-usedataflow 2022-11-21 15:02:28 +00:00
yoff dd525a4f9b
Merge pull request #11061 from erik-krogh/shared-redosMod
ReDoS: add a shared regex pack
2022-11-14 10:53:05 +01:00
Jeroen Ketema 2b37ebd7ed
Merge remote-tracking branch 'upstream/main' into mathiasvp/replace-ast-with-ir-use-usedataflow 2022-11-11 17:24:34 +01:00
Michael Nebel d6ae1ef6f2 Java/C#: Move C# internal implementation for model generation. 2022-11-10 13:57:43 +01:00
Jeroen Ketema 5732c3bca0
Merge branch 'main' into mathiasvp/replace-ast-with-ir-use-usedataflow 2022-11-07 15:03:26 +01:00
erik-krogh 09275a56c1
remove files from identical files that soon won't be identical 2022-11-07 14:22:46 +01:00
Paolo Tranquilli 4702271102 Swift: add `cfg.swift` to AST tests 2022-11-03 18:16:53 +01:00
Jean Helie ce1092c33d add test repo 2022-11-01 20:57:58 +01:00
Mathias Vorreiter Pedersen 1c51ad8d26 C++: Update 'identical-files'. 2022-10-14 10:14:53 +02:00
Tom Hvitved 2b75562037 Ruby: Use `DataFlow::Configuration` in `RegExpConfiguration.qll` 2022-10-11 11:39:45 +02:00
Tom Hvitved 6e61ef10b8 Ruby: Add another dataflow copy 2022-10-04 12:58:50 +02:00
Mathias Vorreiter Pedersen 9d50fc6aa3
Merge pull request #10487 from MathiasVP/fix-identical-files-for-cpp
C++: Add shared files in `experimental` to `identical-files.json`.
2022-09-20 15:43:43 +01:00
Mathias Vorreiter Pedersen 351e517786
Update config/identical-files.json
Co-authored-by: Geoffrey White <40627776+geoffw0@users.noreply.github.com>
2022-09-20 13:34:31 +01:00
Mathias Vorreiter Pedersen e661c981e4 C++: Add shared files in experimental to 'identical-files.json'. 2022-09-20 12:53:43 +01:00
Rasmus Lerchedahl Petersen efc5cfb852 Merge branch 'main' of github.com:github/codeql into python-dataflow/flow-summaries-from-scratch 2022-09-12 19:56:16 +02:00
Tom Hvitved b3653cc3d0
Merge pull request #10216 from hvitved/ssa/shared-lib
SSA: Create a new `codeql/shared-ssa` library pack and move implementation there
2022-09-08 15:39:29 +02:00
Rasmus Wriedt Larsen a9e1e72196
Merge branch 'main' into shared-http-client-request 2022-09-06 10:52:27 +02:00
Rasmus Wriedt Larsen 528ef0eeaa
Ruby: Use separate dataflow copy for HTTP client libs
As discussed with @hvitved offline. This helps out to ensure we don't
needlessly evaluate dataflow for configurations that are not needed
anyway. That is, if other library modeling also used the same dataflow
configuration, which ends up being used in query A, then dataflow for
all the `DataFlowImplForLibraries` configurations would be computed at
once. When we get to evaluate the query `RequestWithoutValidation.ql`
these results might have been forgotten since the predicates are not
cached, and everything will have to be computed again.

In principle we could add a dataflow copy for each framework.
However, since we know that the `disablesCertificateValidation`
member-predicates for all the HTTP client libraries will all be used at
the same time, and only for the one query, we only add ONE additional
copy.

Note that the only use of `DataFlowImplForLibraries` before this PR is
using `tainttrackingforlibraries.TaintTrackingImpl` (based on
DataFlowImplForLibraries) for regex computation.
c904ba1d16/ruby/ql/lib/codeql/ruby/Regexp.qll (L153)
Since this is currently transitively imported from Frameworks.qll
(through Core.qll, and core/String.qll), the previous approach didn't
actually violate the assumption about all configurations always being in
scope, but it might have been more by accident, than by purpose.
2022-09-06 10:43:36 +02:00
Tom Hvitved 8e5d6ba4f9 SSA: Create a new `shared` library pack and move implementation there 2022-09-01 09:36:49 +02:00
Tom Hvitved 2681b88035 C#: Update Pre SSA library to use parameterized module 2022-08-31 11:45:15 +02:00
Tom Hvitved 8725bf0620 C#: Update Base SSA library to use parameterized module 2022-08-31 11:45:15 +02:00
Tom Hvitved f553001217 C#: Update CIL SSA library to use parameterized module 2022-08-31 11:45:14 +02:00
Paolo Tranquilli 47b905bfaf Swift: add PrintAst 2022-08-30 18:04:55 +02:00
yoff d9444d8b08 Python: update synced file `FlowSummaryImpl.qll` 2022-08-25 09:31:45 +00:00
yoff 0b5d4c59dd Merge branch 'main' of https://github.com/github/codeql into python-dataflow/flow-summaries-from-scratch
synced files have changed
2022-08-25 09:24:05 +00:00
Harry Maclean f1a546c4d6 Rename IncompleteMultiCharacterSanitization[Query] 2022-08-17 16:03:49 +12:00
Harry Maclean b7d9bf4066 Share IncompleteMultiCharacterSanitization JS/Ruby
Most of the classes and predicates in this query can be shared between
the two languages. There's just a few language-specific things that we
place in IncompleteMultiCharacterSanitizationSpecific.
2022-08-17 16:03:46 +12:00
Erik Krogh Kristensen f106e064fa
Merge pull request #9422 from erik-krogh/refacReDoS
Refactorizations of the ReDoS libraries
2022-08-16 09:32:08 +02:00
Erik Krogh Kristensen 0adb588fe8
Merge pull request #9712 from erik-krogh/badRange
JS/RB/PY/Java: add suspicious range query
2022-08-15 13:55:44 +02:00
yoff 75ac24a847
Merge branch 'main' into python-dataflow/flow-summaries-from-scratch 2022-08-10 10:57:59 +02:00
Erik Krogh Kristensen 49276b1f38 Merge branch 'main' into refacReDoS 2022-08-09 16:18:46 +02:00
Mathias Vorreiter Pedersen b20b0a091d Update identical-files. 2022-08-05 11:49:36 +01:00
Erik Krogh Kristensen ff25451699 rename query to overly-large-range, and rewrite the @description 2022-07-12 16:02:46 +02:00
yoff f52d792b36 Merge branch 'main' of https://github.com/github/codeql into python-dataflow/flow-summaries-from-scratch 2022-07-01 12:01:07 +00:00
Andrew Eisenberg a3f4d1bf66 Move contextual queries from src to lib
With this change, users are now able to run View AST command in
vscode within vscode workspaces that do not include the core libraries.
The relevant core library only needs to be installed in the package
cache.
2022-06-29 07:51:26 -07:00
Erik Krogh Kristensen a343ceaf8b add suspicious-regexp-range query 2022-06-28 09:49:27 +02:00
Erik Krogh Kristensen 13482fc97b rename ReDoSUtil to NfaUtils, and rename the "performance" folder to "regexp" 2022-06-23 14:36:25 +02:00
Erik Krogh Kristensen dbeae9aefb make a parameterized module out of the RegexpMatching implementation 2022-06-23 14:36:25 +02:00
yoff 140dc1a61e merge in main 2022-06-23 09:05:32 +00:00
Mathias Vorreiter Pedersen 693575a7e5 Update sync-identical-files. 2022-06-15 13:00:57 +01:00
Rasmus Wriedt Larsen 86caf747f3 Go: Sync InlineExpectationsTest 2022-06-02 14:54:51 +02:00
Paolo Tranquilli 946e1f498a Swift: generate `getParent` implementation
By explicitly marking children in the `schema.yml` file, an internal
`getAChild` predicate is implemented, that is in turn used in `AstNode`
to implement `getParent`.

This is yet to be used in the control flow library to replace the
hand-rolled implementation.

A further, more complex step is to use the same information to fully
generate the core implementation of `PrintAst` (including the
accessor string). This will be done later.

The `parent` tests use the same swift code as the extractor tests, and
this is currently enforced by `sync-files.py`. Notice that `qltest.sh`
had to be modified to deal with multiple files, which was not working
yet.
2022-06-01 14:32:58 +02:00
Rasmus Wriedt Larsen 7a6646dcaf
Merge pull request #8883 from erik-krogh/pyMaD
Python: add MaD implementation
2022-05-30 13:31:07 +02:00
Robert Marsh 8cc509e5e9
Merge pull request #9275 from MathiasVP/swift-add-dataflow-lib
Swift: Add shared dataflow library
2022-05-24 15:11:42 -04:00
Tom Hvitved 728ccafe2b
Merge pull request #9024 from hvitved/dataflow/content-flow-lib
Data flow: Introduce `ContentDataFlow.qll`
2022-05-24 15:09:16 +02:00
Mathias Vorreiter Pedersen 9b67912da2 Updated sync-identical-files. 2022-05-23 18:04:32 +01:00
Mathias Vorreiter Pedersen 6540e1e8bf Swift: Share 'ControlFlowGraphImplShared.qll' for Swift with Ruby and C#. 2022-05-23 13:12:45 +01:00
Tom Hvitved bd9b6567c7 Data flow: Introduce `ContentDataFlow.qll` 2022-05-19 13:28:56 +02:00
Erik Krogh Kristensen 5d1c41c269 Merge branch 'main' into pyMaD 2022-05-17 12:23:03 +02:00
yoff 2822ed9594 Merge remote-tracking branch 'upstream/main' into python-dataflow/flow-summaries-from-scratch 2022-05-16 08:10:15 +00:00
Nick Rolfe 1115227f9d Merge remote-tracking branch 'origin/main' into nickrolfe/misspelling 2022-05-12 16:10:27 +01:00
Nick Rolfe 4321b5e1fa QL for QL: generalise non-US spelling query
1. Catch common misspelling as well.
2. Also check names of classes, predicates, etc.
2022-05-12 13:17:32 +01:00
Rasmus Lerchedahl Petersen 80175a9af5 Python: Compiles and mostly passes tests
- add flowsummaries shared files
- register in identical files
- fix initial non-monotonic recursions
  - add DataFlowSourceCall
  - add resolvedCall
  - add SourceParameterNode

failing tests:
- 3/library-tests/with/test.ql
2022-05-10 12:48:42 +00:00
Joe Farebrother f9f7a01f57 Add Java ReDoS libraries to identical-files.json 2022-05-04 15:41:33 +01:00
Erik Krogh Kristensen 1c2c9159a9 initial MaD implementation for Python 2022-05-02 12:45:19 +02:00
Chris Smowton d309e15072
Merge pull request #8748 from smowton/smowton/admin/dependent-dataflow-configs
Java: Avoid higher-numbered dataflow configs that depend on lower-numbered ones
2022-04-22 08:56:00 +01:00
Chris Smowton 27d87e9300 Add TaintTracking3 2022-04-15 09:25:26 +01:00
Asger Feldthaus 4c72c31a5a QL: Add InlineExpectationsTest 2022-04-13 08:45:25 +02:00
Arthur Baars 15c54f6100
Merge pull request #8354 from aibaars/incomplete-url-string-sanitization
Incomplete url string sanitization
2022-03-31 10:59:51 +02:00
Michael Nebel 26d5eb64b3 C#/Java: Initial merge ModelGeneratorUtils into CaptureModels. 2022-03-29 11:07:57 +02:00
Michael Nebel 62dcbff67f C#: Update sync files config. 2022-03-29 11:07:57 +02:00
Michael Nebel 858508fa33 C#: Make sure that language independent parts of CaptureSinkModels is in sync. 2022-03-29 11:07:57 +02:00
Michael Nebel b4efd0e154 C#: Make sure that the shared CaptureSummaryModel is in sync. 2022-03-29 11:07:56 +02:00
Arthur Baars 65f8f56095
Merge branch 'main' into incomplete-url-string-sanitization 2022-03-24 11:27:30 +01:00
Rasmus Wriedt Larsen bbf60b875e
Merge pull request #8476 from RasmusWL/shared-concepts-scaffolding
Python/JS/Ruby: Shared concepts scaffolding
2022-03-23 10:22:42 +01:00
yoff 47e062cfb9
Merge pull request #8486 from aibaars/incomplete-hostname-python
Python: switch to shared implementation of IncompleteHostnameRegExp.ql
2022-03-22 15:06:14 +01:00
Rasmus Wriedt Larsen 311cbb4e13 Merge branch 'main' into shared-concepts-scaffolding 2022-03-22 10:36:33 +01:00
Erik Krogh Kristensen 90a6717932 sync ExponentialBackTracking.qll for ruby 2022-03-22 09:27:04 +01:00
Harry Maclean 91a7e9405c Share HttpToFileAccessQuery between JS and Ruby
There's so little in this query that it may not be worth sharing, but
it's an interesting exercise in figuring out how we do it nicely.
2022-03-22 11:10:08 +13:00
Harry Maclean 0cfe37dff4 Share TaintedFormatString between Ruby and JS 2022-03-21 12:51:46 +13:00
Arthur Baars beef8e29bc
Merge pull request #8332 from hvitved/ruby/regexp-taint-flow
Ruby: Use taint tracking instead of type tracking to define `regExpSource`
2022-03-18 18:24:02 +01:00
Arthur Baars 9412b331db Revert "Revert "Python: switch to shared implementation of IncompleteHostnameRegExp.ql""
This reverts commit 6d24591416.
2022-03-18 16:31:22 +01:00
Arthur Baars bf888f0f0b Merge remote-tracking branch 'upstream/main' into incomplete-url-string-sanitization
Conflicts:
	config/identical-files.json
	javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
	javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll
	ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll
2022-03-18 16:09:20 +01:00
Tom Hvitved d97eaba070 Ruby: Add dataflow/tainttracking copies for use in libraries 2022-03-18 14:48:12 +01:00
Arthur Baars 431b60506e Merge remote-tracking branch 'upstream/main' into incomplete-hostname 2022-03-18 13:05:34 +01:00
Arthur Baars 6d24591416 Revert "Python: switch to shared implementation of IncompleteHostnameRegExp.ql"
This reverts commit ce50f35dda.
2022-03-18 13:02:55 +01:00
Harry Maclean 36c421346b Introduce ConceptsShared.qll 2022-03-17 13:49:10 +01:00
Asger F 228570129e
Merge branch 'main' into ruby/mad-prototype 2022-03-16 13:50:31 +01:00
Arthur Baars ab93b3784b Merge remote-tracking branch 'upstream/main' into incomplete-hostname 2022-03-16 12:31:12 +01:00
Michael Nebel 20cbd6b332 Java/C#: Include the share files in sync files. 2022-03-14 13:47:24 +01:00
Erik Krogh Kristensen 417def8c8b only mark deprecations as old after 14 months 2022-03-09 18:28:12 +01:00
Erik Krogh Kristensen ef07aaa998 add script for detecting deprecations that are over a year old 2022-03-09 18:25:07 +01:00
Arthur Baars 747c7f6b5e JS/Ruby: share implementation of IncompleteUrlSubstringSanitization query 2022-03-09 12:11:14 +01:00
Jeroen Ketema 3877598c12
C++: Remove `cpp/duplicated-lines-in-files` which was deprecated over a year ago 2022-03-08 12:58:19 +01:00
Arthur Baars ce50f35dda Python: switch to shared implementation of IncompleteHostnameRegExp.ql 2022-03-07 16:10:08 +01:00
Arthur Baars 98f56f4d60 Js/Ruby: Share IncompleteHostnameRegExp.ql 2022-03-07 16:10:08 +01:00
Asger Feldthaus a33e89279d Ruby: instantiate ApiGraphModels library in Ruby 2022-03-01 14:08:20 +01:00
Asger F 02c4966109
Merge pull request #7878 from asgerf/dot-separated-access-paths
Shared: Switch to dot-separated access paths in summary specs
2022-02-21 13:29:09 +01:00
Asger Feldthaus 6dbeb81f36 Ruby: use AccessPathSyntax.qll to parse input/output summary specs 2022-02-21 08:16:55 +01:00
Asger Feldthaus dffa1d1558 C#: use AccessPathSyntax.qll to parse input/output summary specs 2022-02-21 08:16:55 +01:00
Asger Feldthaus 753c557dbe Java: use AccessPathSyntax.qll to parse input/output summary specs 2022-02-21 08:16:54 +01:00
Alex Ford cfb2d7ffaf Ruby: add shared SensitiveDataHeuristics.qll 2022-01-28 16:38:58 +00:00
Tony Torralba ea4ff80cc6 Add DataFlowImplForOnActivityResult to identical-files.json 2022-01-19 16:08:31 +01:00
Alex Ford a2104de8a0 Move CryptoAlgorithms::AlgorithmsName into a separate internal/CryptoAlgorithmNames.qll 2021-12-22 16:38:15 +00:00
Alex Ford bdb2d8ba16 Ruby: split OpenSSL parts from CryptoALgorithms.qll and sync with JS/Python version 2021-12-22 16:38:15 +00:00
Erik Krogh Kristensen ee858d840e get ReDoSUtil in sync for ruby 2021-11-18 16:49:34 +01:00
Erik Krogh Kristensen 1cca377e7d
Merge pull request #6561 from erik-krogh/htmlReg
JS/Py/Ruby: add a bad-tag-filter query
2021-11-18 09:39:13 +01:00
Mathias Vorreiter Pedersen 7197216185 Add a copy of SsaImplCommon to the identical-files script. 2021-10-28 12:36:36 +01:00
Erik Krogh Kristensen 97264b5dda add the bad tag filter query to ruby 2021-10-26 15:25:12 +02:00
Erik Krogh Kristensen 44afa34e37 Merge branch 'main' of github.com:github/codeql into htmlReg 2021-10-26 14:46:27 +02:00