Commit graph

633 commits

Author SHA1 Message Date
Henning Makholm baacc6f66b Java tests: add queries.xml
The `queries.xml` file defines which extractor the `codeql test` runner will use
to extract databases for the tests. In the future one will be able to write this
information in `qlpack.yml`, but we can't do that immediately because the
_existing_ CodeQL tooling would refuse to parse a `qlpack.yml` that has
the new field in it.
2019-12-07 02:38:02 +01:00
yo-h ed97be459f
Merge pull request #2454 from aschackmull/java/explicit-mul-zero
Java: Allow explicit zero multiplication in java/evaluation-to-constant.
2019-12-06 18:13:43 -05:00
Jonas Jensen 57917bec17
Merge pull request #2480 from hvitved/dataflow/performance-tweaks
Data flow: Various performance tweaks
2019-12-03 18:44:11 +01:00
Henning Makholm 95c26a51af remove java test EmptyInterface
This is a test of an internal query for the Semmle repository. It cannot
run against the public QL repository alone, and therefore should not be
tested here.

https://git.semmle.com/Semmle/code/pull/35690 adds the test back to the
internal repo.
2019-12-02 15:29:42 +01:00
Tom Hvitved b3990c5a1d Data flow: Revert reordering changes in `flowStore` and `flowRead` 2019-12-02 14:25:59 +01:00
Tom Hvitved 5baa133e6c Data flow: Sync files 2019-12-02 13:41:17 +01:00
Jonas Jensen 5b24b1efc3 Merge remote-tracking branch 'upstream/rc/1.23' into mergeback-20191202
Conflicts solved:
	javascript/extractor/src/com/semmle/js/extractor/Main.java
	javascript/ql/test/query-tests/Statements/UseOfReturnlessFunction/tst.js
2019-12-02 09:57:34 +01:00
Anders Schack-Mulligen 333d0a69d2 Java/C++/C#: Bugfix for field flow through reverse read. 2019-11-29 09:38:24 +01:00
Anders Schack-Mulligen 2c3a6d7359 Java: Allow explicit zero multiplication in java/evaluation-to-constant. 2019-11-27 11:49:43 +01:00
Anders Schack-Mulligen 3d0e3aa1fd Java: Fix a number of performance issues when toString is cached. 2019-11-27 09:06:15 +01:00
yo-h 8a8b795696
Merge pull request #2447 from aschackmull/java/cache-perf
Java: Improve performance by normalizing import order to reduce cache invalidation.
2019-11-26 16:26:53 -05:00
Anders Schack-Mulligen deb6a6e5c6 Java: Improve performance by normalizing import order to reduce cache invalidation. 2019-11-26 17:20:01 +01:00
Anders Schack-Mulligen 18e1708036
Merge pull request #2412 from Cornelius-Riemenschneider/nullness-corr-cond
Java: Nullness library: track instanceof expressions in correlated conditions
2019-11-26 10:33:34 +01:00
Cornelius Riemenschneider 37f162106a Fix formatting of file. 2019-11-25 17:04:38 +01:00
Cornelius Riemenschneider 3368169df8 Address review. 2019-11-25 14:54:50 +01:00
Tom Hvitved a26efdf4c1 Java/C++/C#: Rename `DataFlowErasedType` back to `DataFlowType` 2019-11-25 11:43:58 +01:00
Cornelius Riemenschneider 0e7a08201f Address review by Anders. 2019-11-22 12:19:06 +01:00
Jonathan Leitschuh 21193bd780 Java: Use of HTTP/FTP to download/upload Maven artifacts
This adds a security alert for the use of HTTP or FTP to download or upload
artifacts using Maven.
2019-11-21 13:35:29 -05:00
Cornelius Riemenschneider 5d4b6c3a8c Nullness: Track correlated conditions of equality tests of variables. 2019-11-21 19:24:40 +01:00
Cornelius Riemenschneider 92f32a12d8 Add tests for nullness tracking by comparing variables. 2019-11-21 19:23:39 +01:00
Cornelius Riemenschneider 3e5324e772 More precise Nullness tracking by taking correlated instanceof expressions into account.
Fixes #2238.
2019-11-21 18:38:27 +01:00
Cornelius Riemenschneider d8aae1c126 Add tests to track nullness by instanceof checks. 2019-11-21 18:38:27 +01:00
Tom Hvitved acc7d5298d Data flow: Sync files 2019-11-20 14:10:02 +01:00
Tom Hvitved 6c0dbcfca2 Java/C++: Add `DataFlowErasedType` aliases 2019-11-20 14:09:53 +01:00
yh-semmle de65f023d6
Merge pull request #2167 from aschackmull/java/dataflow-out-of-arg-refactor
Java/C++/C#: Refactor dataflow to simplify return flow.
2019-11-15 11:10:06 -05:00
Anders Schack-Mulligen 81a90943c0 Java: Fix range analysis bug where int was assumed. 2019-11-15 15:08:14 +01:00
Anders Schack-Mulligen 106b8cfbca Java/C++/C#: Fix bad magic and bad join-order. 2019-11-14 13:17:17 +01:00
Anders Schack-Mulligen 6a2edce040
Merge pull request #2205 from rneatherway/java/hamcrest-nullness
Java: Respect Hamcrest assertThat(X, notNullValue())
2019-11-14 13:09:56 +01:00
Dave Bartolomeo e89ecc19e3
Merge pull request #2302 from max-schaefer/test-qlpacks
Add `qlpack.yml` files for test folders.
2019-11-13 12:21:19 -07:00
yh-semmle 429c307832
Merge pull request #2304 from aschackmull/java/rangeanalysis-integral-fix
Java: Fix range analysis bug in integral inequality bounds.
2019-11-12 16:33:12 -05:00
Anders Schack-Mulligen 7619275c8b Java: Fix range analysis bug in integral inequality bounds. 2019-11-12 17:28:40 +01:00
Anders Schack-Mulligen 8cd6b51763 Java: Add ConditionalExpr to overflow candidate pattern. 2019-11-12 17:27:18 +01:00
Max Schaefer 5b2e32b051 Add `qlpack.yml` files for test folders. 2019-11-12 15:03:02 +00:00
Anders Schack-Mulligen e6d0a2eca5
Merge pull request #2215 from yh-semmle/java-remove-obsolete-queries
Java: remove some obsolete metric queries
2019-11-12 10:14:55 +01:00
Anders Schack-Mulligen b0fecbce28
Merge pull request #2230 from yh-semmle/java-move-cwe502-lib
Java: move `UnsafeDeserialization.qll` to standard library location
2019-11-11 10:44:52 +01:00
Sauyon Lee 0040c9fb4c
Update links to OWASP cheat sheet 2019-11-06 20:21:47 -08:00
Robin Neatherway 7850d67a78 Remove TODO comment
I've checked Hamcrest versions 1.3, 2.0, 2.1 and 2.2
2019-11-06 17:47:02 +00:00
yh-semmle e232f538e9 Java 13: update test options 2019-11-02 16:09:32 -04:00
yh-semmle e8a65101bc Java 13: add db stats for `@yieldstmt` 2019-11-02 16:09:32 -04:00
yh-semmle de0869c216 Java 13: remove superfluous disjunct in `JumpStmt.getAPotentialTarget()` 2019-11-02 16:09:31 -04:00
yh-semmle 8fb4dbe092 Java 13: account for changes to switch expressions 2019-11-02 16:09:31 -04:00
yh-semmle 9f37237b4a Java 13: add stmt kind `@yieldstmt` to dbscheme 2019-11-02 16:09:31 -04:00
Robin Neatherway d3016e5b98 Run autoformatter 2019-10-31 11:21:57 +00:00
yh-semmle 8620b0513e Java: move `UnsafeDeserialization.qll` to standard library location 2019-10-30 11:18:36 -04:00
Robin Neatherway 96f9a01355 Correct minor compilation errors in test code 2019-10-29 17:52:13 +00:00
Robin Neatherway 84202ff2e1 Java: Respect Hamcrest assertThat(X, notNullValue()) 2019-10-29 17:52:13 +00:00
Anders Schack-Mulligen d0842fc35d Java/C++/C#: Minor refactor following review comment. 2019-10-28 16:31:22 +01:00
Anders Schack-Mulligen 0ffcf9ce64
Merge pull request #2192 from JLLeitschuh/feature/JLL/http_response_splitting_netty
Add CWE-113 check for io.netty.handler.codec.http.DefaultHttpHeaders
2019-10-28 15:01:20 +01:00
Anders Schack-Mulligen 379ef1d2f9 Java: Fix bad magic and join-order. 2019-10-28 10:40:06 +01:00
Jonathan Leitschuh 934eed97df
Apply suggestions from code review for netty DefaultHttpHeaders
Co-Authored-By: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2019-10-25 12:30:16 -04:00
yh-semmle 80fd5b2ada
Merge pull request #2175 from aschackmull/java/continue-in-false-loop
Java: Port C++ query cpp/continue-in-false-loop to Java.
2019-10-24 20:47:59 -04:00
Jonathan Leitschuh dcbd6e0a11 Add CWE-113 check for io.netty.handler.codec.http.DefaultHttpHeaders
Closes #2185
2019-10-24 10:27:40 -04:00
Anders Schack-Mulligen fe2988ab39
Merge pull request #2152 from yh-semmle/java-alert-suppression-annotations
Java: support LGTM alert suppression using `@SuppressWarnings` annotations
2019-10-24 15:04:29 +02:00
Anders Schack-Mulligen 3462624995 Java: Add test. 2019-10-23 16:24:26 +02:00
Henning Makholm 347d97c14c qlpack.json is now qlpack.yml 2019-10-22 17:36:35 +02:00
Anders Schack-Mulligen da57dbc528 Java: Port C++ query cpp/continue-in-false-loop. 2019-10-22 17:07:57 +02:00
Henning Makholm fd768a1af6 Add some new-style suite definitions 2019-10-22 15:51:00 +02:00
Anders Schack-Mulligen c37195b226 Java/C++/C#: Sync. 2019-10-22 11:42:35 +02:00
Anders Schack-Mulligen 2ffbb2ecd6 Java: Refactor dataflow to simplify return flow. 2019-10-22 11:42:35 +02:00
yh-semmle 28720679ad Java: remove some obsolete metric queries 2019-10-19 20:55:46 -04:00
yh-semmle afcde14403
Merge pull request #2085 from aschackmull/java/overflow-check-fp
Java: Add another overflow check pattern to UselessComparisonTest.
2019-10-18 11:01:24 -04:00
yh-semmle 155d14a185 Java: simplify `Extents.qll` 2019-10-18 09:46:00 -04:00
yh-semmle 4348241f72 Java: simplify `java/alert-suppression-annotations` 2019-10-18 09:45:49 -04:00
Anders Schack-Mulligen 27b8a46dac Java: Exclude loop conditions from overflow check heuristic. 2019-10-18 11:58:46 +02:00
yh-semmle 1d415b3680 Java: enable `java/alert-suppression-annotations` in LGTM suite 2019-10-17 22:09:04 -04:00
yh-semmle ee2c97f147 Java: add extra test for `java/alert-suppression-annotations` 2019-10-17 22:09:04 -04:00
yh-semmle 62521dca32 Java: account for multiple strings in `java/alert-suppression-annotations` 2019-10-17 22:09:04 -04:00
yh-semmle f3a980deb6 Java: clarify predicate name in `java/alert-suppression-annotations` 2019-10-17 22:09:03 -04:00
yh-semmle d165ce95f2 Java: tidy QLDoc in `Extents.qll` 2019-10-17 22:09:03 -04:00
yh-semmle e3f828c588 Java: refine ranges in `java/alert-suppression-annotations` 2019-10-17 22:09:03 -04:00
yh-semmle b2bc8382b0 Java: add alert-suppression query for `@SuppressWarnings("lgtm[...]")` 2019-10-17 22:09:02 -04:00
Pavel Avgustinov 7fa6c54731
Merge pull request #2119 from hmakholm/pr/qlpacks
Add qlpack.json files
2019-10-16 14:27:10 +01:00
yh-semmle 5aced3e432
Merge pull request #2128 from AlexTereshenkov/move-qll-java
Move qll file to support import from custom QL queries
2019-10-15 11:39:10 -04:00
Anders Schack-Mulligen 309961d493
Merge pull request #2118 from yh-semmle/java-non-sync-override
Java: restrict `java/non-sync-override` to immediate overrides
2019-10-15 16:40:00 +02:00
alexey 715f1ddaca Move qll file to support import from custom QL queries 2019-10-15 14:55:09 +01:00
Tom Hvitved cae7f9d805
Merge pull request #2099 from aschackmull/java/callcontext-bool-pruning
Java: Data-flow pruning based on call contexts.
2019-10-15 09:36:36 +02:00
Anders Schack-Mulligen 2be5c38615 Java: Address comments. 2019-10-14 14:59:14 +02:00
Henning Makholm 29167bbff8 Add qlpack.json files
Eventually these files will subsume the current `queries.xml` files
at the top of query-containing and library directories. For now they're
just here to support internal testing of the tooling support for them
we're writing on.

Format and contents is a work in progress. If you're not in Semmle,
don't depend on anything here making sense (or staying stable) until
you see the version tags increase to something nonzero.
2019-10-12 17:38:01 +02:00
yh-semmle 64db00ae6d Java: refine type of parent column in `exprs` relation 2019-10-10 19:57:53 -04:00
yh-semmle 35552a8c0e Java: restrict `java/non-sync-override` to immediate overrides 2019-10-10 19:56:42 -04:00
Anders Schack-Mulligen 312c573eb6 Java: Remove unneeded import. 2019-10-09 10:10:36 +02:00
Anders Schack-Mulligen e123f97303 Java: Remove useless pruning. 2019-10-09 09:35:30 +02:00
Anders Schack-Mulligen 5e0ce81030 Java: Refactor to improve join-pipeline. 2019-10-08 17:15:06 +02:00
Anders Schack-Mulligen 20084fb3c0 Java: Fix pruning in partialPathStep. 2019-10-08 11:28:53 +02:00
Anders Schack-Mulligen bf14889077 Java: Refactor to improve performance. 2019-10-08 11:28:35 +02:00
Anders Schack-Mulligen 3c4e877913 Java: Minor refactor. 2019-10-07 16:18:48 +02:00
Anders Schack-Mulligen f8123679a1 Java: Qldoc updates. 2019-10-07 16:12:31 +02:00
Anders Schack-Mulligen 38aba7bfc1 Java: Fix qltest. 2019-10-07 15:51:42 +02:00
Anders Schack-Mulligen 75ebc098bb Java: Fix semantic merge conflict. 2019-10-07 15:42:26 +02:00
Anders Schack-Mulligen b581e38782 Java: Autoformat and sync post rebase. 2019-10-07 15:26:39 +02:00
Cornelius Riemenschneider 9ef61bd43c Address more parts of Anders review. 2019-10-07 15:19:20 +02:00
Cornelius Riemenschneider 812a0bcb16 Address some parts of Anders' review. 2019-10-07 15:17:17 +02:00
Cornelius Riemenschneider 0f5dd5d7c7 Add one more test with a more complicated guard. 2019-10-07 15:14:42 +02:00
Cornelius Riemenschneider 393fb02dfa Fix undesirable join order. 2019-10-07 15:14:41 +02:00
Tom Hvitved eabfa31767 Synchronize data flow files 2019-10-07 15:13:48 +02:00
Tom Hvitved 46933ef65e Java: Autoformat 2019-10-07 15:12:13 +02:00
Cornelius Riemenschneider d79eaffd3a Prune unreachable paths in the Java dataflow library based on call context.
We now detect patterns like
f(bool cond){
       if(cond)
        then A
        else B
and prune branches for calls like f(true) or f(false).
This pruning is done both in the local (bigstep) flow graph
as well as in the inter-procedural dataflow graph.
2019-10-07 15:10:54 +02:00
Cornelius Riemenschneider dba93b30e7 Add tests exhibiting false positives in the dataflow library, where call context is not used to prune branches. 2019-10-07 14:59:55 +02:00
Anders Schack-Mulligen 066a2f0d12 Java: Add another overflow check pattern to UselessComparisonTest. 2019-10-04 15:04:40 +02:00
Tom Hvitved 7f6e253425 Java: Update expected test output 2019-10-04 11:09:44 +02:00
Tom Hvitved 9b58d799cb Java/C++/C#: Tweak `AccessPathNil::toString()`
Move the type annotation outside the brackets, to avoid prefixes such as
`[ : T]`.
2019-10-04 11:09:44 +02:00
yh-semmle 3313af5189
Merge pull request #2036 from aschackmull/java/eq-ssa-guard
Java: Improve guards for equal ssa variables.
2019-10-02 12:00:59 -04:00
Anders Schack-Mulligen f87cb4d6ac Java/C++/C#: Address review comments and fix test. 2019-10-02 14:32:17 +02:00
Anders Schack-Mulligen f97958296d Java/C++/C#: Sync. 2019-09-26 17:12:08 +02:00
Anders Schack-Mulligen 0afea80d53 Java: Improve guards for equal ssa variables. 2019-09-26 16:29:13 +02:00
Anders Schack-Mulligen 4221639155 Java: Improve taint/value distinction for flow through with fields. 2019-09-26 16:25:15 +02:00
Anders Schack-Mulligen 7c1594df13 Java: Slight precision improvement for getter/setter detection. 2019-09-25 10:14:49 +02:00
Anders Schack-Mulligen f8f3a4b25f Java: Minor additional type pruning. 2019-09-23 11:07:10 +02:00
Anders Schack-Mulligen 42a970b905 Java: Update qldoc. 2019-09-20 16:21:03 +02:00
Anders Schack-Mulligen d9aa46d3b0 Java: Add missing field pruning. 2019-09-20 16:13:48 +02:00
Anders Schack-Mulligen 648335d46d Java: Remove two unnecessary unbinds. 2019-09-20 16:12:56 +02:00
Tom Hvitved 6318cc9a71 Java: Update expected test output 2019-09-18 13:36:15 +02:00
Tom Hvitved d8074ddfa6 Sync files 2019-09-18 13:36:15 +02:00
Anders Schack-Mulligen 2d620698d8 Java: Adjust qltest expected output. 2019-09-12 11:00:49 +02:00
Anders Schack-Mulligen 95e2f162d9 Java/C++/C#: Adjust toString of empty accesspath. 2019-09-12 11:00:49 +02:00
Anders Schack-Mulligen 0a4b15d40b Java/C++/C#: Add nodes predicate to PathGraph. 2019-09-12 11:00:49 +02:00
Jonas Jensen d51e5212fb Merge remote-tracking branch 'upstream/master' into dataflow-TTwo
Conflicts:
      cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl.qll
      cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl2.qll
      cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl3.qll
      cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImpl4.qll
      cpp/ql/src/semmle/code/cpp/dataflow/internal/DataFlowImplLocal.qll
      cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl.qll
      cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl2.qll
      cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl3.qll
      cpp/ql/src/semmle/code/cpp/ir/dataflow/internal/DataFlowImpl4.qll
      cpp/ql/test/library-tests/dataflow/fields/flow.expected
      csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl.qll
      csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl2.qll
      csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl3.qll
      csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl4.qll
      csharp/ql/src/semmle/code/csharp/dataflow/internal/DataFlowImpl5.qll
      java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl.qll
      java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl2.qll
      java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl3.qll
      java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl4.qll
      java/ql/src/semmle/code/java/dataflow/internal/DataFlowImpl5.qll
2019-09-08 21:08:43 +02:00
Anders Schack-Mulligen 6b85fe087a Java: Restrict the output of Range Analysis to the best bounds. 2019-09-06 15:39:46 +02:00
Anders Schack-Mulligen aa07020d9d Java: Autoformat. 2019-09-06 09:03:45 +02:00
Jonas Jensen 9c9b7ac651 C#/C++/Java: Revert AccessPathNil.toString changes
This caused too many `*.expected` files to change, also in our internal
repo.
2019-09-02 15:59:36 +02:00
Jonas Jensen a98992f0f9 C#/C++/Java: distinguish toString of nil from cons 2019-09-02 14:22:03 +02:00
Jonas Jensen cdede8744f C#/C++/Java: Prettier PartialAccessPath.toString 2019-09-02 14:05:50 +02:00
Jonas Jensen c3bc9f8575 C#/C++/Java: Unbreak partial data flow support
Partial data flow had a semantic merge conflict with this branch. The
problem is that partial data flow doesn't (and shouldn't) cause the
initial pruning steps to run, but the length-2 access paths depend on
the `consCand` information that comes from that initial pruning. The
solution is to restore the old `AccessPath` class, now called
`PartialAccessPath` for use only by partial data flow.

With this change, partial data flow will in some cases allow more field
flow than non-partial data flow.
2019-09-02 14:02:39 +02:00
Jonas Jensen dec0c3a0ee C#/C++/Java: Make AccessPath abstract
This was requested by @hvitved in code review. There is no difference in
the generated DIL.
2019-09-02 13:14:30 +02:00
Jonas Jensen b1be123e31 C#/C++/Java: Prettier AccessPath.toString
The `ppReprType` predicate should now be `none()` instead of `result=""`
to signal that there is nothing to print. That seems clearer to me.
2019-09-02 13:14:20 +02:00
Jonas Jensen 6c96a8d339 Java: Accept test changes
Note: the results in `partial` have regressed and will need to be fixed
in a follow-up commit.
2019-09-02 13:14:17 +02:00
Jonas Jensen b2c94cc6b4 C++/C#/Java: Restore the AccessPathCons class 2019-09-02 13:14:13 +02:00
Jonas Jensen fbe34015f3 C++/C#/Java: AccessPath class names reflect length
One -> ConsNil
Two -> ConsCons
2019-09-02 13:13:59 +02:00
Jonas Jensen e8006bb2cc C++/C#/Java: data flow AccessPath up to length 2
This commit does not include updates to test results.
2019-09-02 13:13:46 +02:00
yh-semmle c359675fa9
Merge pull request #1802 from aschackmull/java/taint-step-extension-point
Java: Add a global extension point for taint steps.
2019-08-30 17:19:58 -04:00
Anders Schack-Mulligen 8a318ce4e7 Java: Extend test with graph. 2019-08-30 14:35:21 +02:00
Anders Schack-Mulligen 6582734733 Java: Add test. 2019-08-30 14:32:55 +02:00
Anders Schack-Mulligen 5e6326d1d5 Java/C++/C#: Add support for dataflow exploration by partial paths. 2019-08-30 14:32:55 +02:00
Luke Cartey dfa371c65b Java: Add missing SQL query APIs.
* executeLargeUpdate
* prepareCall
2019-08-30 10:40:49 +01:00
Anders Schack-Mulligen ae98d4fd8e Java: Change extension point to use a unit type. 2019-08-29 11:05:45 +02:00
Tom Hvitved 853a3aa998
Merge pull request #1799 from aschackmull/java/fieldflow-perf
Java/C++/C#: Improve performance of data flow with fields.
2019-08-28 16:30:25 +02:00
Luke Cartey 1669d283fe
Merge pull request #1795 from aschackmull/java/localexprflow
Java: Add localExprFlow and localExprTaint.
2019-08-28 14:04:49 +01:00
Anders Schack-Mulligen 2bea0a459a Java/C++/C#: Sync. 2019-08-23 11:34:17 +02:00
Anders Schack-Mulligen 6e97f22b43 Java/C++/C#: Improve performance of pruning in field flow. 2019-08-23 11:32:45 +02:00
Pavel Avgustinov cc854dd937 Merge branch 'master' of github.com:Semmle/ql into attribute 2019-08-23 09:55:35 +01:00
Calum Grant ff20a2ceb9
Merge pull request #1761 from hvitved/csharp/dataflow/fields
C#: Data flow through fields
2019-08-22 20:46:00 +01:00
Anders Schack-Mulligen ef0c6d01eb Java: Add a global extension point for taint steps. 2019-08-22 16:38:59 +02:00
Tom Hvitved 0801e51175
Merge pull request #1790 from jbj/tainttracking-cross-language
C++/C#/Java: Shared TaintTrackingImpl.qll
2019-08-22 14:17:23 +02:00
Anders Schack-Mulligen 3aedadcb35 Java: Add localExprFlow and localExprTaint. 2019-08-22 11:25:23 +02:00
Jonas Jensen ad9ee54b65 C++/C#/Java: defaultAdditionalTaintStep 2019-08-22 11:14:06 +02:00
yh-semmle 9012c3240f
Merge pull request #1789 from aschackmull/java/autoformat
Java: Autoformat.
2019-08-21 12:36:55 -04:00
Tom Hvitved a2ffddec5f
Merge pull request #1785 from jbj/dataflow-recursion-prevention-shared
C++/C#/Java: Parameterize ConfigurationRecursionPrevention
2019-08-21 15:56:50 +02:00
Jonas Jensen 25701f203d C++/C#/Java: Shared TaintTrackingImpl.qll
This file is now identical in all languages. Unifying this file led to
the following changes:
- The documentation spelling fixes and example from the C++ version
  were copied to the other versions and updated.
- The steps through `NonLocalJumpNode` from C# were abstracted into a
  `globalAdditionalTaintStep` predicate that's empty for C++ and Java.
- The `defaultTaintBarrier` predicate from Java is now present but empty
  on C++ and C#.
- The C++ `isAdditionalFlowStep` predicate on
  `TaintTracking::Configuration` no longer includes `localFlowStep`.
  That should avoid some unnecessary tuple copying.
2019-08-21 14:55:54 +02:00
Anders Schack-Mulligen 629c19e719 Java: Autoformat. 2019-08-21 14:38:17 +02:00
Pavel Avgustinov cb3551b4d6 Merge commit '76982404' into attribute 2019-08-21 12:44:07 +01:00
Jonas Jensen 863bf523d6 C++/C#/Java: Autoformat 2019-08-21 13:24:01 +02:00
Jonas Jensen fdd3b901f7 C/C#/Java: Share ConfigurationRecursionPrevention
This class was copy-pasted in all `DataFlowN.qll` files without using
the identical-files system to keep the copies in sync. The class is now
moved to the `DataFlowImplN.qll` files.

This also has the effect of preventing recursion through first data flow
library copy for C/C++. Such recursion has been deprecated for over a
year, and some forms of recursions are already ruled out by the library
implementation.
2019-08-21 13:04:10 +02:00
Jonas Jensen 6fc3a62edb C++/C#/Java: Change another caller of localFlow
There was also a use of `localFlowStep` in `DataFlowImplCommon` that
should now be `simpleLocalFlowStep`.
2019-08-21 10:20:15 +02:00
Jonas Jensen c9ea5ad9a3 C#/Java: Remove `cached` from wrapper predicate 2019-08-21 09:43:13 +02:00
Jonas Jensen 4b7813b98e C++/C#/Java: Split localFlowStep predicate in two
There's now a `localFlowStep` predicate for use directly in queries and
other libraries and a `simpleLocalFlowStep` for use only by the global
data flow library. The former predicate is intended to include field
flow, but the latter may not.

This will let Java and C# (and possibly C++ IR) avoid getting two kinds
of field flow at the same time, both from SSA and from the global data
flow library. It should let C++ AST add some form of field flow to
`localFlowStep` without making it an input to the global data flow
library.
2019-08-21 09:27:01 +02:00
Pavel Avgustinov 7176b438c4 Merge commit '7bfed6e517cbcabfe06cf614981baee8cbde5342' into attribute 2019-08-20 14:08:57 +01:00
Tom Hvitved 7ab9c8b90d Java/C++/C#: `flowCandFwdRead()` refactor 2019-08-20 14:44:04 +02:00
Tom Hvitved 14378ee41a Java/C++/C#: Remove some `unbind()` calls from shared data flow implementation 2019-08-20 13:59:01 +02:00
Jonas Jensen f1e6e36ce6 Java: Remove wrong definition of taint tracking
This explanation, taken from C/C++, was not correct for Java.
2019-08-20 13:45:38 +02:00
Jonas Jensen 9ac0cdd2a2 Java: Don't use the deprecated Configuration2 2019-08-20 13:45:37 +02:00
Jonas Jensen aeb2323128 Java: Use parameterized modules for TaintTracking 2019-08-20 13:45:37 +02:00
Tom Hvitved a0c834c83d Java/C++/C#: Improve data flow join orders for field flow 2019-08-20 10:14:08 +02:00
Anders Schack-Mulligen 6ff4fe38ec Java/C++/C#: Add field flow support for stores in nested fields. 2019-08-19 14:41:06 +02:00
yh-semmle 73d8e16cd0 Java: remove obsolete `VCS.qll` and associated queries 2019-08-18 14:53:46 -04:00
Pavel Avgustinov 127c33700c Add Java stubs readme 2019-08-17 18:57:50 +01:00
Pavel Avgustinov c92eb58300 Add j2objc license 2019-08-17 16:31:18 +01:00
Pavel Avgustinov b52ea1e21b Add Apache Shiro third-party notice 2019-08-17 16:31:18 +01:00
Anders Schack-Mulligen 9e4f2f8594 Java: Don't use default dataflow in libs imported by default. 2019-08-16 13:27:53 +02:00
Anders Schack-Mulligen 1938ac4937 Java/C++/C#: Sync. 2019-08-14 10:32:15 +02:00
Anders Schack-Mulligen 0c56f955e8 Java: Fix bad join order. 2019-08-14 10:10:19 +02:00
Anders Schack-Mulligen 411bc16f44 Java/C++/C#: Address review comment. 2019-08-13 16:57:48 +02:00
Anders Schack-Mulligen 9e902066ad Java/C++/C#: Elaborate qldoc. 2019-08-13 16:57:48 +02:00
Anders Schack-Mulligen 4550175b16 Java/C++/C#: Add support for BarrierGuards. 2019-08-13 16:57:48 +02:00
yh-semmle 5e910a4808
Merge pull request #1724 from aschackmull/java/google-xmlreader
Java: Treat SecureJDKXercesXMLReader as a secure XMLReader.
2019-08-13 09:52:32 -04:00
Tom Hvitved 36043d04bd
Merge pull request #1729 from xiemaisi/data-flow-nodes-location
Java/C++/C#: Provide path-node locations via `hasLocationInfo`, not `getLocation`.
2019-08-13 12:22:59 +02:00
Max Schaefer eb8087f4ea Java/C++/C#: Provide path-node locations via `hasLocationInfo`, not `getLocation`. 2019-08-12 12:52:30 +01:00
Anders Schack-Mulligen 41763e6025 Java: Treat SecureJDKXercesXMLReader as a secure XMLReader. 2019-08-09 16:00:41 +02:00
Anders Schack-Mulligen a50ea54ff6 Java: Fix tests. 2019-08-08 12:03:01 +02:00
Anders Schack-Mulligen b3e56d5b04 Java: Fix copy-paste typo. 2019-08-08 11:44:44 +02:00
Anders Schack-Mulligen 20e6f5594f Java: Improve barriers for the CWE-190 Arithmetic* queries. 2019-08-07 15:22:23 +02:00
yh-semmle 033879f5a6
Merge pull request #1639 from aschackmull/java/in-out-barriers
Java/C++/C# DataFlow: Add support for in/out barriers on sources and sinks.
2019-08-07 01:07:19 -04:00
yh-semmle 9e4405f385
Merge pull request #1688 from aschackmull/java-cookbook/int-literal-value
Java Cookbook: Slight improvement to the IntegerLiteral pattern.
2019-08-05 20:37:58 -04:00
yh-semmle 7e90728c67
Merge pull request #1679 from aschackmull/java/reader-taint
Java: Adjust taint steps for Reader::read.
2019-08-05 12:46:12 -04:00
Anders Schack-Mulligen a80cb262fc Java/C++/C#: Elaborate qldoc. 2019-08-05 16:28:25 +02:00
Anders Schack-Mulligen 9ebb83497d Java/C++/C#: Fix small mistake. 2019-08-05 15:34:12 +02:00
Anders Schack-Mulligen 2dc83c539c Java/C++/C#: Sync dataflow. 2019-08-05 12:07:32 +02:00
Anders Schack-Mulligen f8804943ee Java: Change in/out barriers to be explicit in the configuration. 2019-08-05 12:05:12 +02:00
Anders Schack-Mulligen 15c61b57f7 Java Cookbook: Slight improvement to the IntegerLiteral pattern. 2019-08-05 11:03:30 +02:00
Jonas Jensen 73d8bf38a9
Merge pull request #1680 from aschackmull/cookbook/autoformat
Cookbook examples: Autoformat
2019-08-05 10:24:56 +02:00
Anders Schack-Mulligen b1b1ede6b0 Java: Improve the precision of java/hardcoded-credential-api-call. 2019-08-02 16:50:58 +02:00
Anders Schack-Mulligen 9b74e9c4a4 Java: Autoformat cookbook examples. 2019-08-02 15:27:28 +02:00
Anders Schack-Mulligen 4ffc41277a Java: Adjust taint steps for Reader::read. 2019-08-02 14:21:06 +02:00
Anders Schack-Mulligen 1a779179e7
Merge pull request #1666 from yh-semmle/java-xxe-qhelp
Java: update XXE qhelp with note on processing limits
2019-08-01 10:01:53 +02:00
yh-semmle dc45ba5627 Java: update XXE qhelp with note on processing limits 2019-07-31 15:45:28 -04:00
semmle-qlci 1d806971ed
Merge pull request #1634 from aibaars/cookbook
Approved by aschackmull, dave-bartolomeo, hvitved, markshannon, xiemaisi, yh-semmle
2019-07-31 14:31:28 +01:00
yh-semmle 37395877a7
Merge pull request #1633 from aschackmull/java/taint-string-concat
Java: Add taint step for String::concat.
2019-07-30 00:21:52 -04:00
Arthur Baars ccde7cf6cf Add @id to example queries 2019-07-26 17:47:11 +02:00
Arthur Baars bdce7d07c1 Move 'snippet' queries to 'snippets' folders 2019-07-26 17:47:11 +02:00
Arthur Baars 30860daac4 Add cookbook queries 2019-07-26 17:47:11 +02:00
yh-semmle a1b4d09b42
Merge pull request #1630 from aschackmull/java/switchexpr-tostring
Java: Add toString override for SwitchExpr.
2019-07-26 11:32:24 -04:00