Commit graph

1667 commits

Author SHA1 Message Date
Max Schaefer a803120414 Lower precision for a number of queries.
These queries are currently run by default, but don't have their results displayed.

Looking through results on LGTM.com, they are either false positives (e.g., `BitwiseSignCheck` which flags many perfectly harmless operations and `CompareIdenticalValues` which mostly flags NaN checks) or harmless results that developers are unlikely to care about (e.g., `EmptyArrayInit` or `MisspelledIdentifier`).

With this PR, the only queries that are still run but not displayed are security queries, where different considerations may apply.
2020-05-19 13:43:17 +01:00
Geoffrey White 7d630c458e Merge branch 'master' into fp2762 2020-05-19 11:43:50 +01:00
Asger Feldthaus 0db0ddf476 JS: Add a change note 2020-05-19 11:07:35 +01:00
Asger Feldthaus f49b36aec7 JS: Change note 2020-05-19 09:52:26 +01:00
semmle-qlci 0c081a8e87
Merge pull request #3497 from esbena/js/yield-and-local-objects
Approved by asgerf, erik-krogh
2020-05-19 09:02:22 +01:00
Erik Krogh Kristensen aa396a39d3 Merge branch 'master' of https://github.com/github/codeql into pr/erik-krogh/3478 2020-05-18 20:57:51 +00:00
Asger F 96d6115452
Merge branch 'master' into js/sql-type-tracking 2020-05-18 15:58:42 +01:00
Erik Krogh Kristensen 70a28f60e3 Merge branch 'master' of https://github.com/github/codeql into pr/erik-krogh/3478 2020-05-18 14:05:37 +00:00
Max Schaefer bdd778f989 JavaScript: Add change note. 2020-05-18 12:08:36 +01:00
Esben Sparre Andreasen a9ba6ac659 JS: make LocalObjects::isEscape aware of `yield` 2020-05-18 12:43:46 +02:00
Erik Krogh Kristensen bd3c4d4077 Merge branch 'master' of https://github.com/github/codeql into pr/erik-krogh/3478 2020-05-18 07:51:19 +00:00
Esben Sparre Andreasen ddb545c182 JS: introduce MembershipTests.qll and use in two locations 2020-05-18 09:50:00 +02:00
semmle-qlci 6041d52936
Merge pull request #3424 from asger-semmle/js/express-param-handler
Approved by esbena
2020-05-18 08:48:24 +01:00
semmle-qlci 0230b79efc
Merge pull request #3391 from erik-krogh/SplitFPs
Approved by esbena
2020-05-18 08:46:26 +01:00
Erik Krogh Kristensen dfdecf1450 add change note 2020-05-17 10:32:27 +02:00
semmle-qlci 8d41ce1630
Merge pull request #3480 from erik-krogh/moreSlip
Approved by esbena
2020-05-16 21:17:27 +01:00
Asger Feldthaus 435f9ea09f JS: Change note 2020-05-15 17:27:30 +01:00
Asger Feldthaus e311cc7689 JS: Change note 2020-05-15 13:06:37 +01:00
Calum Grant 53ca3ccf53 C#: Update changenotes 2020-05-15 13:06:17 +01:00
Geoffrey White 48f3db3fbe Merge branch 'master' into fp2762 2020-05-15 09:55:30 +01:00
Erik Krogh Kristensen 4eb96848a6 add change note for bluebird and "Promise" 2020-05-15 09:58:33 +02:00
Erik Krogh Kristensen 7df35a6bab update change note 2020-05-15 09:52:59 +02:00
semmle-qlci a536069059
Merge pull request #3408 from esbena/js/unsafe-html-expansion
Approved by asgerf, mchammer01
2020-05-15 08:24:12 +01:00
Geoffrey White 6579c71866 C++: Change note. 2020-05-14 18:44:06 +01:00
Geoffrey White df5e16c45d C++: Add a 1.25 change note file (didn't we used to have templates for these?). 2020-05-14 18:41:14 +01:00
semmle-qlci 23532ae49a
Merge pull request #3467 from erik-krogh/tarSlip
Approved by esbena
2020-05-14 14:06:42 +01:00
semmle-qlci 57f44c5a81
Merge pull request #2886 from asger-semmle/js/call-graph-exploration
Approved by erik-krogh, esbena
2020-05-14 14:01:23 +01:00
Erik Krogh Kristensen 422ade16db
Apply suggestions from code review
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2020-05-14 10:05:59 +02:00
Erik Krogh Kristensen ce5356f592 change note 2020-05-14 09:48:50 +02:00
Calum Grant f5daeea618
Merge pull request #3421 from hvitved/csharp/dataflow/change-note
C#/Java/C++: Add change note for #3110
2020-05-13 13:53:01 +01:00
Esben Sparre Andreasen c6fa88af28 JS: change notes 2020-05-13 12:56:33 +02:00
Esben Sparre Andreasen 7722d77c86 JS: add the NoSQL $where as a sink for js/code-injection 2020-05-13 08:30:22 +02:00
Esben Sparre Andreasen 20cf04442c JS: model marsdb and minimongo 2020-05-13 08:28:59 +02:00
Erik Krogh Kristensen 83d34b939c change note 2020-05-12 14:24:04 +02:00
Erik Krogh Kristensen 8b3e86c4f8 change note 2020-05-11 13:40:59 +02:00
Tom Hvitved c837ab7d1a
Apply suggestions from code review
Co-authored-by: Jonas Jensen <jbj@github.com>
2020-05-11 11:42:50 +02:00
Tom Hvitved 948c2f7f7e C++: Add change note 2020-05-07 16:01:55 +02:00
Tom Hvitved 0b85f3fed4 Address review comments 2020-05-07 15:58:46 +02:00
Erik Krogh Kristensen a3fb13882b Merge branch 'master' into SplitFPs 2020-05-07 10:51:11 +02:00
Tom Hvitved f19b1045d6 Java: Add change note 2020-05-06 15:52:49 +02:00
Tom Hvitved ddd62a56cc C#: Add change note for #3110 2020-05-06 14:28:47 +02:00
semmle-qlci 9210660ea0
Merge pull request #3401 from erik-krogh/jsonLike
Approved by esbena
2020-05-06 08:00:44 +01:00
Tom Hvitved 3d37a49ccd C#: Add change note 2020-05-05 14:28:13 +02:00
Erik Krogh Kristensen a4eee7e88e
more -> additional
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2020-05-05 14:01:39 +02:00
Erik Krogh Kristensen bffb12725b add test and change-note to prototype-polution 2020-05-05 13:49:11 +02:00
Erik Krogh Kristensen 38db731e0b add change note and new test for js/incomplete-url-scheme-check 2020-05-05 13:38:27 +02:00
Erik Krogh Kristensen f56915d99f add change note for js/xss 2020-05-05 13:36:50 +02:00
Erik Krogh Kristensen 9a7f8d97d2 change note 2020-05-04 09:49:20 +02:00
Erik Krogh Kristensen ffdbe31a30 change-note 2020-05-04 09:08:46 +02:00
Esben Sparre Andreasen 04b5a794f1
Merge pull request #3313 from esbena/js/typical-bad-sanitizer
New query: Incomplete HTML attribute sanitization
2020-04-27 14:31:13 +02:00
semmle-qlci cbe417f5eb
Merge pull request #3336 from erik-krogh/MoarJQuery
Approved by esbena
2020-04-25 15:17:55 +01:00
Esben Sparre Andreasen f0a05f6a6c JS: change notes 2020-04-24 09:18:16 +02:00
Jonas Jensen d98e956c2b
Merge pull request #3322 from felicitymay/merge-124-master
Merge rc/1.24 into master
2020-04-24 08:48:54 +02:00
Erik Krogh Kristensen e7d8cd8e8c Merge remote-tracking branch 'upstream/master' into MoarJQuery 2020-04-23 14:10:53 +02:00
Erik Krogh Kristensen 67443718c0 change note 2020-04-23 13:55:37 +02:00
Erik Krogh Kristensen 5382976195 change note 2020-04-23 11:52:16 +02:00
semmle-qlci da3292606c
Merge pull request #3191 from erik-krogh/XssDom
Approved by esbena, mchammer01
2020-04-23 09:17:07 +01:00
Felicity Chapman 89bf35cd43 Merge branch 'rc/1.24' into merge-124-master
Conflicts:
	change-notes/1.24/analysis-javascript.md
    Resolved in favor of the rc/1.24 branch
2020-04-22 19:01:47 +01:00
Felicity Chapman 523f1068b8 Editorial suggestions
We don't hyphenate "QL-library" and there were a few typos. Feel free to further revise this if I've changed the meaning too much.

As discussed separately, I was unable to raise this as a PR in GitHub.com and had to resort to a direct commit.

(cherry picked from commit e29468135d)
2020-04-22 18:15:43 +01:00
Taus ac8cca37e8 Apply suggestions from code review
Co-Authored-By: Felicity Chapman <felicitymay@github.com>
(cherry picked from commit 44b570f7b6)
2020-04-22 18:15:43 +01:00
Taus Brock-Nannestad 63234aae40 Python: Finalise change notes for 1.24.
(cherry picked from commit e97d88c158)
2020-04-22 18:15:42 +01:00
Felicity Chapman e29468135d
Editorial suggestions
We don't hyphenate "QL-library" and there were a few typos. Feel free to further revise this if I've changed the meaning too much.

As discussed separately, I was unable to raise this as a PR in GitHub.com and had to resort to a direct commit.
2020-04-22 15:48:01 +01:00
Taus 44b570f7b6
Apply suggestions from code review
Co-Authored-By: Felicity Chapman <felicitymay@github.com>
2020-04-22 16:03:20 +02:00
Taus Brock-Nannestad e97d88c158 Python: Finalise change notes for 1.24. 2020-04-22 14:31:04 +02:00
Erik Krogh Kristensen ac44cb425e
Merge branch 'master' into js/call-graph-exploration 2020-04-22 10:49:26 +02:00
Erik Krogh Kristensen a5bbfa30d1 add change note 2020-04-22 10:23:07 +02:00
Asger Feldthaus 18188b659c JS: Add 1.25 change note 2020-04-21 10:53:37 +01:00
Felicity Chapman dc83ac61b5
Fix error in 3287
@jbj - apologies for the over-eager merge of #3287. This should fix the error you highlighted.
2020-04-20 15:12:43 +01:00
Erik Krogh Kristensen aee7cc117d add change-note 2020-04-20 13:08:51 +02:00
Felicity Chapman 962f13ee13
Merge pull request #3287 from felicitymay/1.24/SD-61-Cpp-finalize-notes
1.24 release: finalize change notes for C/C++
2020-04-20 09:07:58 +01:00
Felicity Chapman 3bfcd618c0
Merge pull request #3286 from felicitymay/1.24/SD-61-JS-finalize-notes
1.24 release: finalize change notes for JavaScript
2020-04-20 09:07:47 +01:00
Erik Krogh Kristensen 2632699397 Merge branch 'master' of git.semmle.com:Semmle/ql into Mispelled 2020-04-18 17:58:57 +02:00
semmle-qlci 243dea706e
Merge pull request #3269 from erik-krogh/Promisify
Approved by esbena
2020-04-18 13:02:42 +01:00
yo-h 26f624d2d4
Merge pull request #3285 from felicitymay/1.24/SD-61-Java-finalize-notes
1.24 release: finalize change notes for Java
2020-04-17 17:04:38 -04:00
Felicity Chapman 05d0d844bd Editorial changes 2020-04-17 14:44:14 +01:00
Calum Grant dbff9b6fc7
Merge pull request #3284 from felicitymay/1.24/SD-61-CS-finalize-notes
1.24 release: finalize change notes for C#
2020-04-17 14:13:39 +01:00
Felicity Chapman d5145d9f0a Sort table alphabetically 2020-04-17 14:05:21 +01:00
Felicity Chapman c1323886b6
Update change-notes/1.24/analysis-javascript.md
Co-Authored-By: Esben Sparre Andreasen <esbena@github.com>
2020-04-17 13:30:49 +01:00
Erik Krogh Kristensen cffa911661 retarget change note for 1.25 2020-04-17 14:22:57 +02:00
Erik Krogh Kristensen a2ddf7bf8f retarget change-note for 1.25 2020-04-17 14:19:17 +02:00
Erik Krogh Kristensen 88f600fa34
more -> additional
Co-Authored-By: Esben Sparre Andreasen <esbena@github.com>
2020-04-17 14:14:08 +02:00
Erik Krogh Kristensen 225dc4b017 change-note 2020-04-17 13:54:48 +02:00
Felicity Chapman 01a31c1065 Minor editorial changes 2020-04-17 12:50:20 +01:00
Felicity Chapman ee12e6a00b Sort alphabetically 2020-04-17 12:35:33 +01:00
Felicity Chapman 67e8a5c8d8 Minor editorial changes 2020-04-17 12:11:33 +01:00
Erik Krogh Kristensen e72eed1db5
more -> additional
Co-Authored-By: Esben Sparre Andreasen <esbena@github.com>
2020-04-17 13:10:06 +02:00
Felicity Chapman 81b3b4884c Add LGTM info for new queries and comment detail
Plus minor editorial changes
2020-04-17 12:09:27 +01:00
Felicity Chapman 08d1a2c5ea Reorder table and remove empty sections 2020-04-17 11:30:18 +01:00
Erik Krogh Kristensen 3b230648d2 change-note 2020-04-17 11:45:08 +02:00
Jonas Jensen 7dab89ef56 C++: More details about lib implementation changes
This commit mostly restores the previous note about library changes but
avoids mentioning queries in the library section.
2020-04-17 10:32:28 +02:00
Jonas Jensen 9191190248 C++: Spaceship operator change note 2020-04-17 10:18:17 +02:00
Jonas Jensen 7e67dcca6f C++: Tidy up 1.24 change notes
- Merged the two notes for `cpp/uncontrolled-allocation-size` into one.
- Added note about renaming of a query id.
- Moved the use of IR in queries from the library section to the queries
  section, rephrasing the note in terms of query results/performance
  rather than library implementation.
- Grouped, without text changes, the three notes about the `Allocation`
  library
- Grouped all the notes about standard-library models, abbreviating them
  to eliminate the common text.
- Removed the note about `strlen` (#2647) since that should no longer
  affect the results of queries or IR data flow after we started using
  unsound IR for data flow.
2020-04-15 16:08:57 +02:00
Geoffrey White 92187d9e71 C++: Change note. 2020-04-14 14:00:46 +01:00
Jonas Jensen 42e9d1416b
Merge pull request #3206 from geoffw0/newfreefix
C++: Fix `cpp/new-free-mismatch` false positives
2020-04-08 08:39:43 +02:00
Geoffrey White 66a0b7884e Merge branch 'master' into alloc-size 2020-04-07 17:12:35 +01:00
semmle-qlci e5d3286ee9
Merge pull request #3183 from asger-semmle/js/bad-url-scheme-check
Approved by esbena
2020-04-06 14:53:15 +01:00
Geoffrey White 050e239507 C++: Change note. 2020-04-06 14:39:07 +01:00
Calum Grant 6cce0de9b2
Merge pull request #3124 from hvitved/csharp/dataflow/sources-and-sinks
C#: Introduce `RemoteFlowSink` class
2020-04-06 12:36:14 +01:00
Asger Feldthaus 2c6beadf68 JS: Recognize more forms of scheme checks 2020-04-06 12:30:03 +01:00
Jonas Jensen 16c7a35b1c
Merge pull request #3195 from geoffw0/taintstring
C++: Model taint flow through std::string constructor and c_str()
2020-04-03 12:05:07 +02:00
Tom Hvitved 08fbd1d2ad C#: Update change notes 2020-04-03 10:25:46 +02:00
Geoffrey White ab716ebe75 C++: Change note. 2020-04-02 19:49:42 +01:00
Geoffrey White 6b5f4d9e12 Merge branch 'master' into av114 2020-04-01 18:23:21 +01:00
semmle-qlci 1975a83cdd
Merge pull request #3116 from max-schaefer/js/postgres-type-tracking
Approved by asgerf
2020-03-27 09:23:52 +00:00
semmle-qlci e7fd97e72b
Merge pull request #3119 from erik-krogh/SockJS
Approved by esbena
2020-03-25 21:36:29 +00:00
Tom Hvitved 95b6f6aee0 C#: Add change note 2020-03-25 20:05:39 +01:00
Erik Krogh Kristensen f7faaa634f change-note 2020-03-25 11:37:39 +01:00
semmle-qlci ac7c74dcee
Merge pull request #3111 from RasmusWL/python-fabric-command-injection
Approved by BekaValentine
2020-03-25 10:07:33 +00:00
Max Schaefer efbcec09ef JavaScript: Add type tracking to Postgres model. 2020-03-24 17:30:07 +00:00
Rasmus Wriedt Larsen 49fa7c8589 Python: update 1.24 changelog 2020-03-24 10:15:36 +01:00
semmle-qlci 4c9a6b73ee
Merge pull request #3107 from erik-krogh/FArgs
Approved by esbena
2020-03-24 08:32:56 +00:00
Erik Krogh Kristensen 833183c706 change note 2020-03-23 14:13:30 +01:00
Asger F 6c2842bd49
Merge pull request #2919 from asger-semmle/js/property-barriers
JS: Make sanitizers no longer block taint inside an object
2020-03-23 11:43:18 +00:00
Luke Cartey 9eee16b2d6
Merge pull request #3091 from hvitved/csharp/xpath-injection-more-sinks
C#: Teach XPath injection query about `XPathNavigator`
2020-03-23 09:39:26 +00:00
semmle-qlci 2c7af72f14
Merge pull request #2858 from RasmusWL/python-support-django2
Approved by tausbn
2020-03-23 09:35:46 +00:00
Tom Hvitved fc74a482a4 C#: More XPath injection sinks 2020-03-19 14:13:35 +01:00
Tom Hvitved 0d45700088 C#: Add change note 2020-03-19 13:41:22 +01:00
Asger Feldthaus de7fbce27b JS: Adjust whitespace in change notes 2020-03-18 11:55:13 +00:00
Asger Feldthaus 08ad4f785a JS: Tweak other parts of change note for consistency 2020-03-18 11:55:12 +00:00
Asger Feldthaus ad2b150d05 JS: Add change note 2020-03-18 11:55:12 +00:00
Jonas Jensen f1ad0dafdc
Merge pull request #2849 from geoffw0/model-gets
C++: Model for gets
2020-03-18 11:06:23 +01:00
semmle-qlci ea46873bfe
Merge pull request #3065 from erik-krogh/PathSinks
Approved by esbena
2020-03-17 13:00:00 +00:00
Erik Krogh Kristensen 9403026fff add change note 2020-03-17 11:48:02 +01:00
Geoffrey White 034f7cc948 Merge branch 'master' into model-gets 2020-03-16 15:12:36 +00:00
Geoffrey White 40db92bfd1 C++: Change note. 2020-03-16 13:22:00 +00:00
semmle-qlci 7e093a8e5c
Merge pull request #3041 from erik-krogh/JQueryAjax
Approved by esbena
2020-03-14 22:31:59 +00:00
Esben Sparre Andreasen 4d6aa20990
Merge pull request #3004 from esbena/js/additional-mongodb-and-mongoose-injection-sinks
JS: Mongoose and MongoDB improvements
2020-03-14 12:31:43 +01:00
Geoffrey White cecbdae3e1 C++: Change note. 2020-03-13 17:58:31 +00:00
Jonas Jensen 917b984909
Merge pull request #3050 from geoffw0/mismatching_placement_new
C++: Fix mismatching new/free FP in template code.
2020-03-12 12:42:29 +01:00
Geoffrey White f84c94b5fb C++: Change note. 2020-03-11 18:11:51 +00:00
Erik Krogh Kristensen 2c18144560 change note 2020-03-11 17:01:41 +01:00
Erik Krogh Kristensen dd261c51f7 add change note 2020-03-11 14:42:57 +01:00
Rasmus Wriedt Larsen 2da1503942 Merge branch 'master' into python-support-django2 2020-03-11 11:21:47 +01:00
Esben Sparre Andreasen 5b1b945c35 JS: distinguishes escapes in strings and regular expression literals 2020-03-10 12:26:20 +01:00
Esben Sparre Andreasen e61f522f30 JS: bump change notes for mongodb 2020-03-10 09:57:45 +01:00
Max Schaefer 3c785ecaa7 JavaScript: Move flow summaries to `experimental`.
Also update description and change note to call out their experimental character more clearly.
2020-03-09 12:57:20 +00:00
Asger Feldthaus a9a9c14eea JS: Change note 2020-03-07 15:15:13 +00:00
semmle-qlci 7891f8621e
Merge pull request #2982 from esbena/js/request-model-with-chaining
Approved by asgerf
2020-03-06 08:57:42 +00:00
Esben Sparre Andreasen db335ae89b JS: add default/chaining for `request` 2020-03-04 12:36:49 +01:00
Asger Feldthaus 6f2b05932e JS: Change note 2020-03-04 11:18:12 +00:00
Esben Sparre Andreasen 4625217a68 Merge branch 'master' of github.com:Semmle/ql into js/more-fs-modules 2020-03-03 15:07:51 +01:00
semmle-qlci 7f3f629d39
Merge pull request #2913 from asger-semmle/js/prototype-pollution-path
Approved by erik-krogh
2020-03-03 10:29:47 +00:00
Esben Sparre Andreasen adddebf039 Merge branch 'master' of github.com:Semmle/ql into js/more-fs-modules 2020-03-03 10:55:16 +01:00
semmle-qlci e1c5449885
Merge pull request #2867 from erik-krogh/UselessCat
Approved by esbena
2020-03-03 09:10:25 +00:00
Erik Krogh Kristensen 019266e537 change name of Useless cat 2020-03-02 13:06:08 +01:00
Anders Schack-Mulligen b210009eec
Merge pull request #2923 from yo-h/java-customizations
Java: add `Customizations.qll`
2020-03-02 09:58:34 +01:00
Esben Sparre Andreasen a589061bee JS: add type-tracking to the fs-module and model the `original-fs` 2020-02-28 12:54:59 +01:00
Erik Krogh Kristensen ce9cd53bf1 Merge remote-tracking branch 'upstream/master' into UselessCat 2020-02-28 09:56:23 +01:00
Erik Krogh Kristensen 17f1974e05
Apply suggestions from code review
Co-Authored-By: mc <42146119+mchammer01@users.noreply.github.com>
2020-02-28 09:43:32 +01:00
Asger Feldthaus 52ebe49a0b JS: Flag deep assignments in prototype pollution query 2020-02-27 12:17:55 +00:00
Erik Krogh Kristensen 9c06c48dc7
Merge pull request #2884 from esbena/js/practically-exploitable-redos
JS: add query js/exploitable-polynomial-redos
2020-02-27 10:19:17 +01:00
Esben Sparre Andreasen 1b73cee692 JS: add js/exploitable-polynomial-redos 2020-02-27 08:42:43 +01:00
yo-h 62f8bf2b2e Java: add release note for `Customizations.qll` 2020-02-26 14:36:27 -05:00
Asger F 160fc48803
Merge pull request #2896 from asger-semmle/typescript-3.8
TS: Support Typescript 3.8
2020-02-25 08:19:01 +00:00
Asger F e665e3c187
Update change-notes/1.24/analysis-javascript.md
Co-Authored-By: Esben Sparre Andreasen <esbena@github.com>
2020-02-24 15:07:28 +00:00
Asger Feldthaus 6360073da4 JS: Rephrase change note 2020-02-24 14:35:17 +00:00
Erik Krogh Kristensen b72404dc99 add change note 2020-02-24 14:07:49 +01:00
Geoffrey White 06e649fc30 C++: Add support for fgetws. 2020-02-24 11:47:32 +00:00
Asger Feldthaus 05d9e64dab TS: Add change note 2020-02-24 11:40:27 +00:00
Geoffrey White 34b790d601 C++: Change note. 2020-02-24 11:33:27 +00:00
Asger Feldthaus 1ee112a341 JS: Add change note 2020-02-21 13:55:27 +00:00
semmle-qlci ee5cf95f5b
Merge pull request #2892 from asger-semmle/js/field-methods
Approved by esbena
2020-02-21 13:49:42 +00:00
Rasmus Wriedt Larsen e804e98d60 Python: Update change-notes 2020-02-21 14:08:09 +01:00
Asger Feldthaus 01fed95fe6 JS: Add change note 2020-02-21 11:49:20 +00:00
Robert Marsh 7a7444b4e1
Docs: Simplify change note
Co-Authored-By: Felicity Chapman <felicitymay@github.com>
2020-02-20 12:50:52 -08:00
Robert Marsh d151c2eeb7 C++: change note for IR-based GVN 2020-02-19 14:39:36 -08:00
Robert Marsh 8ea5739b7a C++: release note for DefaultTaintTracking 2020-02-19 14:32:49 -08:00
Esben Sparre Andreasen abe7aeef7c
Merge pull request #2643 from esbena/js/unsafe-jquery
JS: add query js/unsafe-jquery-plugin
2020-02-18 09:26:14 +01:00
semmle-qlci ecad925101
Merge pull request #2631 from hvitved/dataflow/generalize-flow-summaries
Approved by aschackmull
2020-02-17 18:22:46 +00:00
semmle-qlci 23ed2bcc64
Merge pull request #2782 from asger-semmle/js/export-as-ns
Approved by erik-krogh, max-schaefer
2020-02-17 11:22:58 +00:00
Tom Hvitved 8e325ead91 Add change notes 2020-02-17 11:00:10 +01:00
Max Schaefer ad83a8946c JavaScript: Sort lines in change notes. 2020-02-14 11:15:09 +00:00
Max Schaefer f181111886 JavaScript: Add model of `http2` compatibility API.
Also deprecated the `httpOrHttps` predicate, which was now only used in one place and seemed a little pointless anyway.
2020-02-14 11:14:31 +00:00
semmle-qlci da566a4484
Merge pull request #2828 from erik-krogh/CVE24
Approved by esbena
2020-02-14 09:12:48 +00:00
semmle-qlci 769dce511b
Merge pull request #2788 from erik-krogh/CVE42-sink
Approved by esbena
2020-02-14 08:00:00 +00:00
Erik Krogh Kristensen d6afd438ba add model for chrome-remote-interface as a ClientRequest 2020-02-13 10:58:07 +01:00
Taus 12113e947f
Merge pull request #2603 from RasmusWL/python-fix-http-source-sink
Python: Make web libs use HttpRequestTaintSource and HttpResponseTaintSink
2020-02-12 13:42:22 +01:00
Robert Marsh 5269fb713f
Merge pull request #2812 from geoffw0/nospacezero
C++: Improve NoSpaceForZeroTerminator.ql
2020-02-11 14:37:32 -05:00
Geoffrey White 87781a944b C++: Change note. 2020-02-11 15:25:59 +00:00
Tom Hvitved 1948446ad3 Address review comments 2020-02-11 11:56:40 +01:00
Tom Hvitved dc27ee7b9f C#: Add change note 2020-02-10 20:33:57 +01:00
Tom Hvitved 2b2bb5db80
Merge pull request #2803 from calumgrant/cs/stackalloc-expr
C#: Handle implicitly-typed stackallocs
2020-02-10 20:28:16 +01:00
Erik Krogh Kristensen 67cd303a91 add change note 2020-02-10 13:51:48 +01:00
Calum Grant a95ef31984 C#: Analysis change notes 2020-02-10 11:36:30 +00:00
Esben Sparre Andreasen 736ccb98c2 JS: model the `send` library for `js/path-injection` 2020-02-07 12:45:32 +01:00
Calum Grant 389e6266d9
Merge pull request #2773 from hvitved/csharp/useless-assignment-to-local-default
C#: Remove false positives for `cs/useless-assignment-to-local`
2020-02-07 10:37:19 +00:00
Asger Feldthaus 91a5385e7f JS: Add libraries to change note 2020-02-06 14:59:52 +00:00
Asger Feldthaus 75c008eec1 JS: Change note 2020-02-06 14:33:20 +00:00
Tom Hvitved 69d9d4122a C#: Add change note 2020-02-05 20:12:41 +01:00
Felicity Chapman d0e7bfce28
Merge pull request #2738 from aschackmull/java/ldapinjection-changenote
Java: Add change note for LDAP injection query.
2020-02-05 11:29:29 +00:00
semmle-qlci 53763c789f
Merge pull request #2741 from esbena/js/split-and-slice-for-tainted-path
Approved by erik-krogh
2020-02-05 10:53:39 +00:00
Anders Schack-Mulligen cf815351a9 Java: Elaborate change note. 2020-02-04 16:18:35 +01:00
Tom Hvitved 00fdc70155
Merge pull request #2710 from calumgrant/cs/short-circuit-out
C#: Remove false positive in cs/non-short-circuit
2020-02-04 12:09:17 +01:00
Esben Sparre Andreasen bbd60f52ba JS: add additional flow steps to js/path-injection 2020-02-03 16:36:25 +01:00
Asger Feldthaus 9abf5f06e6 TS: Resolve imports using TypeScript symbols 2020-02-03 09:32:56 +00:00
Esben Sparre Andreasen 7f25c1bf47 JS: address doc-review comments 2020-01-31 19:33:04 +01:00
Esben Sparre Andreasen fef918ac13 JS: add query "Unsafe jQuery plugin" 2020-01-31 19:33:04 +01:00
semmle-qlci d995d5a4a0
Merge pull request #2716 from esbena/js/additional-koa-requests
Approved by erik-krogh
2020-01-31 18:30:42 +00:00
Anders Schack-Mulligen 7647d94068 Java: Add change note for LDAP injection query. 2020-01-31 16:48:35 +01:00
yo-h 563be9f817
Merge pull request #2719 from aschackmull/java/deprecate-parexpr
Java: Deprecate ParExpr
2020-01-30 18:23:13 -05:00
Anders Schack-Mulligen 843fd37c75 Java: Add change note. 2020-01-30 10:52:16 +01:00
Anders Schack-Mulligen b7a8d0e903
Apply suggestions from code review
Co-Authored-By: Jonas Jensen <jbj@github.com>
2020-01-30 10:41:13 +01:00
Anders Schack-Mulligen 2039ec37e5 Java/C++/C#: Add change note for taint-getters. 2020-01-29 16:26:23 +01:00
Tom Hvitved 474815bf57
Merge pull request #2660 from calumgrant/cs/release-notes
C#: Add release notes and precisions to queries
2020-01-29 16:05:45 +01:00
Esben Sparre Andreasen a6d3afd817 JS: support additional Koa request sources 2020-01-29 14:49:01 +01:00
Calum Grant aff0a7534c
Update change-notes/1.24/analysis-csharp.md
Fix indentation

Co-Authored-By: James Fletcher <42464962+jf205@users.noreply.github.com>
2020-01-29 11:44:17 +00:00
semmle-qlci fb90c2ba52
Merge pull request #2681 from asger-semmle/csrf-only-session-cookie-access
Approved by erik-krogh, max-schaefer
2020-01-29 10:46:48 +00:00
Jonas Jensen 27b5902258
Merge pull request #2707 from geoffw0/taint-format
C++: Add TaintFunction model to FormattingFunction
2020-01-29 08:20:34 +01:00
Calum Grant 6b377d7ad4 C#: Analysis change notes 2020-01-28 14:59:25 +00:00
Geoffrey White fc1816cbd7 C++: Update change note. 2020-01-28 14:53:18 +00:00
Rasmus Wriedt Larsen 9b2ca0c9c7 Python: Update web libraries to use HttpSources and HttpSinks 2020-01-28 13:06:48 +01:00
Anders Schack-Mulligen 4cb28d9b1d Java: Add new query for large left shifts and bugfix ConstantExpAppearsNonConstant. 2020-01-28 10:13:34 +01:00
Geoffrey White 1ddabee1b8 C++: Change note. 2020-01-28 08:46:46 +00:00
yo-h 8c00671f24
Merge pull request #2698 from aschackmull/java/changenote-csrf-query
Java: Add change note for java/spring-disabled-csrf-protection.
2020-01-27 21:09:15 -05:00
Chris Gavin 708890add3 Java: Add a change note for `java/suspicious-date-format`. 2020-01-27 11:57:56 +00:00
Anders Schack-Mulligen efe8981129 Java: Add change note for java/spring-disabled-csrf-protection. 2020-01-27 11:33:31 +01:00
semmle-qlci 7d9956e3f3
Merge pull request #2675 from erik-krogh/WebSocket
Approved by esbena
2020-01-27 08:40:37 +00:00
yo-h 50320c7828
Merge pull request #2628 from aschackmull/java/no-adhoc-testclass
Java: Replace ad-hoc TestClass detection.
2020-01-23 14:09:11 -05:00
Asger Feldthaus 406c6eb981 JS: Sharpen missing CSRF middleware query 2020-01-23 14:22:49 +00:00
Anders Schack-Mulligen 0bbe571064
Update change-notes/1.24/analysis-java.md
Co-Authored-By: Felicity Chapman <felicitymay@github.com>
2020-01-23 13:13:51 +01:00
Anders Schack-Mulligen fd141917c7 Java: Add change note. 2020-01-23 11:08:35 +01:00
Jonas Jensen ceeb9ab718
Merge pull request #2622 from MathiasVP/implicit-function-declaration
C++: Add 'implicit function declaration' query
2020-01-23 09:23:44 +01:00
James Fletcher f1749b3990
Merge pull request #2654 from calumgrant/cs/null-dereference
C#: Improvements to cs/dereferenced-value-may-be-null
2020-01-22 20:15:20 +00:00
Erik Krogh Kristensen 6345e9bde1 add change note 2020-01-22 15:14:10 +01:00
semmle-qlci 007b0795ec
Merge pull request #2636 from erik-krogh/NewSocketIO
Approved by esbena
2020-01-22 13:46:11 +00:00
Erik Krogh Kristensen 1228d506b4 update change notes to reflect that library models have improved 2020-01-22 12:52:45 +01:00
Erik Krogh Kristensen 750e9786f6 add change note for EventEmitter 2020-01-22 10:31:38 +01:00
Calum Grant 6692e61fa2 C#: Analysis change notes 2020-01-21 13:55:32 +00:00
Calum Grant 86fa7e5c38 C#: Analysis change notes 2020-01-20 14:37:28 +00:00
Geoffrey White 97c346285e CPP: Change note. 2020-01-17 18:56:21 +00:00
Jonas Jensen 3632d51abc
Merge pull request #2635 from geoffw0/modelstrdup
CPP: Model strdup
2020-01-17 19:26:26 +01:00
Geoffrey White 7dbda22a29 CPP: Update change note. 2020-01-17 16:19:39 +00:00
Mathias Vorreiter Pedersen 303c6aa5b7 C++: Added query to suites and change-notes 2020-01-17 14:51:40 +01:00
semmle-qlci 4efc418e2c
Merge pull request #2617 from asger-semmle/prototype-pollution-utility
Approved by esbena, mchammer01
2020-01-16 13:02:07 +00:00
Geoffrey White f4aba14d3a CPP: Change note. 2020-01-16 11:08:19 +00:00
Asger Feldthaus 7141f15858 JS: Add change note 2020-01-15 11:49:57 +00:00
Geoffrey White 170981ef41 CPP: Change note. 2020-01-14 14:36:44 +00:00
semmle-qlci 3c4749be88
Merge pull request #2624 from asger-semmle/js-duplicate-alert-strict-mode
Approved by max-schaefer
2020-01-14 11:59:45 +00:00
Asger Feldthaus 2245882441 JS: Add change note and fix cwe tags 2020-01-14 10:53:40 +00:00
Asger Feldthaus 73e60a7400 JS: Ignore strict-mode-call-stack-introspection for expr stmts 2020-01-13 16:03:03 +00:00
semmle-qlci 40de391490
Merge pull request #2616 from asger-semmle/promise-missing-await-change-note
Approved by mchammer01
2020-01-13 12:03:11 +00:00
Asger F 6c4da30a64
Update change-notes/1.24/analysis-javascript.md
Co-Authored-By: mc <42146119+mchammer01@users.noreply.github.com>
2020-01-13 11:05:03 +00:00
Anders Schack-Mulligen 183fd91a01
Merge pull request #2615 from yo-h/java-add-change-note
Java: add change note for `java/maven/non-https-url`
2020-01-13 09:54:48 +01:00
yo-h bf8ef42c1a Java: add change note for `java/maven/non-https-url` 2020-01-10 11:03:48 -05:00
Asger Feldthaus 18db551e10 JS: Add change note for js/missing-await 2020-01-10 11:10:57 +00:00
Anders Schack-Mulligen ad92d6fe0f
Merge pull request #2607 from yo-h/java-alert-suppression-block-comment
Java: allow single-line `/* ... */` comments for alert suppression
2020-01-10 11:05:23 +01:00
yo-h 7ffa517803
Merge pull request #2584 from aschackmull/java/nonnull-final-field
Java: Include non-null final fields in clearlyNotNull.
2020-01-09 18:48:45 -05:00
semmle-qlci f1f69ef85d
Merge pull request #2589 from esbena/js/ignore-duplicate-params-for-empty-functions
Approved by erik-krogh
2020-01-09 11:58:04 +00:00
shati-patel 3cfc7d2e54
Merge pull request #2611 from jf205/mergeback-123
Merge rc/1.23 into master
2020-01-08 16:12:47 +00:00
Dave Bartolomeo 6c8de44800
Merge pull request #2604 from geoffw0/returnthis
CPP: Exclude template classes from cpp/assignment-does-not-return-this
2020-01-08 09:12:22 -07:00