github
/
codeql
зеркало из https://github.com/github/codeql.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
12 906 коммитов 1 534 Ветки 130 Теги 471 MiB
Граф коммитов

12906 Коммитов

Автор SHA1 Сообщение Дата
Max Schaefer 5b0a3b9673 JavaScript: Change "Less results" to "Fewer results" in change notes. 2020-05-26 10:49:30 +01:00
Max Schaefer abfcc42133 JavaScript: Re-alphabetise change notes. 2020-05-26 10:49:30 +01:00
Max Schaefer 215682f67c JavaScript: Add change note. 2020-05-26 10:49:30 +01:00
Max Schaefer 7ddf5ced23 JavaScript: Update expected output for unrelated tests. 2020-05-26 10:49:30 +01:00
Max Schaefer 9d3a9d71f1 JavaScript: Add basic support for reasoning about reflective parameter accesses. 
Currently, only `arguments[c]` for a constant value `c` is supported.

This allows us to detect the prototype-pollution vulnerabilities in (old versions of) `extend`, `jquery`, and `node.extend`.
 2020-05-26 09:59:29 +01:00
Max Schaefer a39e8b4802 JavaScript: Add test for `FlowSteps::argumentPassing` predicate. 2020-05-26 09:51:06 +01:00
Anders Schack-Mulligen 6bc9624a4c
Merge pull request #3236 from luchua-bc/java-improper-url-validation 
Java: Improper url validation
 2020-05-26 09:48:44 +02:00
Mathias Vorreiter Pedersen 5fb76df44f
Merge pull request #3556 from jbj/qldoc-CodeDuplication 
C++/JavaScript: Improve CodeDuplication.qll QLDoc
 2020-05-26 09:17:28 +02:00
semmle-qlci 64aefc612f
Merge pull request #3554 from jbj/too-few-arguments-ambiguous 
Approved by dbartol
 2020-05-26 07:26:53 +01:00
Dave Bartolomeo 5c20d56134
Merge pull request #3558 from jbj/qldoc-default-objc 
C++: Properly deprecate objc.qll and default.qll
 2020-05-25 14:31:25 -04:00
Dave Bartolomeo 12688f80ce
Merge pull request #3559 from jbj/vcs-remove 
C++: Remove VCS.qll and all queries using it
 2020-05-25 14:30:31 -04:00
Jonas Jensen e28ed848a4 C++: Remove VCS.qll and all queries using it 
All these queries have been deprecated since 2018. There is
unfortunately no way to deprecate a library, but it's been years since
we populated any databases using the VCS library, so nobody should be
using it.
 2020-05-25 19:28:06 +02:00
Jonas Jensen 85df60ea65 C++: Replace `import default` with `import cpp` 
Some tests still used the old name for the top-level library.
 2020-05-25 19:07:28 +02:00
Jonas Jensen 5fc2a3de92 C++: QLDoc for default.qll and objc.qll 
These are both deprecated.
 2020-05-25 19:05:41 +02:00
Jonas Jensen 6fc9e1d84c C++/JavaScript: Improve CodeDuplication.qll QLDoc 
I took most of the docs from the corresponding predicates in
JavaScript's `CodeDuplication.qll`. Where JavaScript had a corresponding
predicate but didn't have QLDoc, I added new QLDoc to both.
 2020-05-25 18:59:48 +02:00
Taus 7716cff3d8
Merge pull request #3551 from RasmusWL/python-fix-upcoming-deprecation 
Python: Fix (upcoming) deprecation compiler-warnings
 2020-05-25 16:17:57 +02:00
semmle-qlci 8146073c74
Merge pull request #3553 from RasmusWL/python-fix-tainttracking-import 
Approved by tausbn
 2020-05-25 14:18:54 +01:00
semmle-qlci 6f1f926e0c
Merge pull request #3552 from RasmusWL/python-fix-filename-example 
Approved by tausbn
 2020-05-25 14:17:05 +01:00
Jonas Jensen bc09720704
Merge pull request #3479 from geoffw0/fp2762 
C++: Allow equality to block taint (security taint tracking)
 2020-05-25 15:11:10 +02:00
Jonas Jensen 3d58e6f7af
Merge pull request #3515 from hvitved/dataflow/remove-deprecated 
Data flow: Remove deprecated predicates
 2020-05-25 15:08:28 +02:00
Jonas Jensen b4c32a00d8 C++: Fix up QLDoc in TooFewArguments.qll 2020-05-25 14:49:02 +02:00
Jonas Jensen b1edc1d255 C++: Only give alert when no def fits arg count 
The `cpp/too-few-arguments` query produced alerts for ambiguous
databases where a function had multiple possible declarations, with some
declarations having the right number of parameters and some having too
many. With this change, the query errs on the side of caution in those
cases and does not produce an alert.

This fixes false positives on racket/racket.

The new `hasDefiniteNumberOfParameters` is exactly the negation of the
old `hasZeroParamDecl`.
 2020-05-25 14:48:57 +02:00
Bt2018 2a654af983
Correct the select statement in the query 2020-05-25 08:24:38 -04:00
Rasmus Wriedt Larsen f602f3e1c7 Python: Use proper import for semmle.python.dataflow.TaintTracking 
It was moved in 637677d515, but imports were not
updated.
 2020-05-25 13:45:49 +02:00
Rasmus Wriedt Larsen 74167923bc Python: Fix filename example 
I got my eyes on this one since it was using a deprecated method, BUT it was
also doing the thing, since File.getName() is the same as
File.getAbsolutePath(), and that doesn't match the description :\
 2020-05-25 13:17:32 +02:00
Rasmus Wriedt Larsen 6ce1b9f7fa Python: Fix use of StrConst.strValue() 2020-05-25 13:12:56 +02:00
Anders Schack-Mulligen 0d75c6a5f1
Merge pull request #3506 from ggolawski/spring-actuators-fix 
Fixes FPs in SpringBootActuators query
 2020-05-25 13:09:56 +02:00
semmle-qlci ac1a338390
Merge pull request #3407 from RasmusWL/python-add-BoundMethodValue-v2 
Approved by tausbn
 2020-05-25 12:00:45 +01:00
Rasmus Wriedt Larsen 32c8dd0491 Python: Fix (upcoming) deprecation compiler-warnings 
In a near-future release overriding a deprecated predicate without making as
deprecated would give a compiler warning.

Not fixing the XML one. [I can see that this shouldn't be reported
anymore](https://github.com/github/codeql/pull/3520#issuecomment-631552943), and
it's not safe to remove since it was only marked as deprecated in
e6425bb4cf.
 2020-05-25 11:05:30 +02:00
Taus a2308771a3
Merge pull request #3489 from yoff/DeprecateObject 
Python: Modernise `py/missing-equals`.
 2020-05-25 10:56:16 +02:00
Rasmus Wriedt Larsen 49d7e12acd Python: Remove unnecessary restriction from getNamedArgumentForCall 
As agreed in https://github.com/github/codeql/pull/3407
 2020-05-25 10:17:37 +02:00
Rasmus Wriedt Larsen 4fc3cae646 Python: Add test for how arguments to *args and **kwargs are handled 2020-05-25 10:16:10 +02:00
Rasmus Wriedt Larsen 87ee6ae101 Python: Add a bit of docs to CallableObjectInternal 
As requested :)
 2020-05-25 09:53:28 +02:00
Rasmus Wriedt Larsen 9e0d57c610
Python: Fix grammar in QLDoc 
Co-authored-by: Taus <tausbn@gmail.com>
 2020-05-25 09:47:01 +02:00
Rasmus Lerchedahl Petersen 3e712be431 Python: Modernise 2020-05-25 09:00:34 +02:00
semmle-qlci b9ecf1a304
Merge pull request #3447 from erik-krogh/LibCmdInjection 
Approved by asgerf, mchammer01
 2020-05-22 17:10:57 +01:00
James Fletcher 9259dca40d
Merge pull request #3540 from github/jf205-patch-2 
Link README.md to CodeQL for Go repo
 2020-05-22 10:29:55 +01:00
Shati Patel 8c1e4d49ca
Merge pull request #3537 from syang-ng/master 
fix an error in the code snippet of the documentation about global-data-flow-java
 2020-05-21 19:43:51 +01:00
James Fletcher 49d4c76f2f
Update README.md 2020-05-21 16:37:44 +01:00
syang-ng 184209d1eb fix an error in the code snippet of the documentation about global-data-flow-java 2020-05-21 22:00:15 +08:00
Geoffrey White 0f4723aee4
Merge pull request #3520 from dbartol/github/codeql-c-analysis-team/79 
C++: Mark deprecated overrides as deprecated
 2020-05-21 14:55:39 +01:00
Erik Krogh Kristensen b79b25ef87 correct cwe-78 to cwe-078 2020-05-21 12:38:44 +00:00
Erik Krogh Kristensen b297837969
Apply suggestions from doc review 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2020-05-21 14:32:02 +02:00
Dave Bartolomeo 5641b2c140 C++: Remove deprecated predicate from `File` 2020-05-20 14:14:49 -04:00
Dave Bartolomeo ff1e70efce C++: Undo changes to shared `XML.qll` 2020-05-20 14:14:31 -04:00
semmle-qlci 8df7b7c42a
Merge pull request #3525 from erik-krogh/ZipTaint 
Approved by asgerf
 2020-05-20 16:45:02 +01:00
Bt2018 74ab6981eb
Fix HTML tag issue 2020-05-20 10:23:40 -04:00
semmle-qlci 079021a3e9
Merge pull request #3453 from RasmusWL/python-flask-routed-params 
Approved by tausbn
 2020-05-20 14:47:53 +01:00
Erik Krogh Kristensen a23cde1354 autoformat 2020-05-20 15:36:46 +02:00
Geoffrey White 9babd5dc10 C++: Another positive effect of the change. 2020-05-20 12:49:01 +01:00