Commit Graph

158 Commits

Author SHA1 Message Date
Erik Krogh Kristensen 73f26956a6 Merge branch 'js-team-sprint' into priv-file-polish 2020-06-17 21:03:09 +02:00
Erik Krogh Kristensen bdda587247 Merge branch 'js-team-sprint' into build-leaks 2020-06-17 19:51:30 +02:00
Erik Krogh Kristensen 6d6f29eb85
Merge pull request #3726 from erik-krogh/bad-code-polish
JS: Bad code polish
2020-06-17 19:45:37 +02:00
Erik Krogh Kristensen 7aa911b9f4 add reference to cwe-116 in change-note 2020-06-17 17:20:46 +02:00
Erik Krogh Kristensen 345283fe34 add change note 2020-06-17 10:48:27 +02:00
Jonas Jensen e0ba23d2c7 C++: @precision high for tainted-format-string*
I think these queries have excellent results on lgtm.com. Many of the
results come from projects that use `sprintf` like it's a templating
engine, trusting that values from `argv` or `getenv` contain the correct
number of `%s`. I think we want to flag that.

The structure of the change note is modeled after 91af51cf46.
2020-06-17 09:03:13 +02:00
Erik Krogh Kristensen 02c825351c add change note for js/bad-code-sanitization 2020-06-16 16:25:30 +02:00
Erik Krogh Kristensen cb5b946546 add changenote for yargs 2020-06-16 14:37:53 +02:00
Erik Krogh Kristensen 696879653a add qhelp to js/biased-cryptographic-random 2020-06-16 11:10:09 +02:00
Asger Feldthaus 824054ba62 JS: Change note and updated help 2020-06-15 17:34:36 +01:00
Erik Krogh Kristensen 23223fc5fb change-note 2020-06-15 17:22:11 +02:00
Erik Krogh Kristensen dc09a68eb4 add change-note 2020-06-15 14:30:34 +02:00
Erik Krogh Kristensen 8682918779 add change note 2020-06-15 13:47:43 +02:00
Asger Feldthaus 91d98c0d00 JS: Change note 2020-06-12 13:12:55 +01:00
yoff e5480e471a
Merge pull request #3591 from RasmusWL/python-taintkind-fixup
Python: Fix some problems in TaintKind usage
2020-06-05 16:03:18 +02:00
Erik Krogh Kristensen 58f4f7129e change-note 2020-06-04 16:25:26 +02:00
Erik Krogh Kristensen e47770281a
update change-note
Co-authored-by: Asger F <asgerf@github.com>
2020-06-04 11:14:25 +02:00
Erik Krogh Kristensen baee47f3c6 remove mention of fetch from change-note 2020-06-03 13:56:32 +02:00
Erik Krogh Kristensen c80baf981a
simplify change-note
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2020-06-03 13:33:31 +02:00
Erik Krogh Kristensen 19dd472ee5 change note 2020-06-03 12:19:48 +02:00
Esben Sparre Andreasen f9ed64fc45
Merge branch 'master' into js/membershiptest 2020-06-02 08:54:44 +02:00
Asger F 712c53afe9
Merge pull request #3579 from erik-krogh/fix-change-note-merge
JS: remove duplicates from change-note
2020-06-01 13:22:23 +01:00
Geoffrey White 9ee75aaca1 C++: Change note. 2020-05-29 16:22:42 +01:00
Rasmus Wriedt Larsen 59548a523e Python: Add change-note about UntrustedStringKind imports 2020-05-29 13:45:10 +02:00
Erik Krogh Kristensen df3fb842c5 remove duplicates from change-note 2020-05-27 20:36:23 +02:00
Erik Krogh Kristensen 33da82d884 Merge branch 'master' of https://github.com/github/codeql into pr/erik-krogh/3566 2020-05-27 12:21:14 +00:00
Erik Krogh Kristensen d05a61c745 Merge branch 'master' of https://github.com/github/codeql into pr/erik-krogh/3566 2020-05-27 12:12:08 +00:00
Erik Krogh Kristensen 3ae4e90902 change note 2020-05-27 09:45:49 +00:00
Erik Krogh Kristensen 0c00331527
less -> fewer
Co-authored-by: Asger F <asgerf@github.com>
2020-05-26 14:30:29 +02:00
Erik Krogh Kristensen 124c4cb15e Merge branch 'master' of github.com:github/codeql into OptionalSanitizer 2020-05-26 13:59:57 +02:00
semmle-qlci be5b343a0c
Merge pull request #3564 from max-schaefer/js/reflective-argument-access
Approved by asgerf
2020-05-26 12:09:13 +01:00
Max Schaefer 5b0a3b9673 JavaScript: Change "Less results" to "Fewer results" in change notes. 2020-05-26 10:49:30 +01:00
Max Schaefer abfcc42133 JavaScript: Re-alphabetise change notes. 2020-05-26 10:49:30 +01:00
Max Schaefer 215682f67c JavaScript: Add change note. 2020-05-26 10:49:30 +01:00
semmle-qlci 4b56229ca0
Merge pull request #3527 from esbena/js/fastify
Approved by asgerf
2020-05-26 10:44:59 +01:00
Erik Krogh Kristensen 3f66c04e12 change note 2020-05-26 00:09:11 +02:00
Dave Bartolomeo 12688f80ce
Merge pull request #3559 from jbj/vcs-remove
C++: Remove VCS.qll and all queries using it
2020-05-25 14:30:31 -04:00
Jonas Jensen e28ed848a4 C++: Remove VCS.qll and all queries using it
All these queries have been deprecated since 2018. There is
unfortunately no way to deprecate a library, but it's been years since
we populated any databases using the VCS library, so nobody should be
using it.
2020-05-25 19:28:06 +02:00
Jonas Jensen bc09720704
Merge pull request #3479 from geoffw0/fp2762
C++: Allow equality to block taint (security taint tracking)
2020-05-25 15:11:10 +02:00
semmle-qlci b9ecf1a304
Merge pull request #3447 from erik-krogh/LibCmdInjection
Approved by asgerf, mchammer01
2020-05-22 17:10:57 +01:00
Erik Krogh Kristensen b79b25ef87 correct cwe-78 to cwe-078 2020-05-21 12:38:44 +00:00
Esben Sparre Andreasen a76c70d2d7 JS: model fastify 2020-05-21 13:42:27 +02:00
semmle-qlci c15d22d9f8
Merge pull request #3516 from asger-semmle/js/typescript-3.9.2
Approved by erik-krogh
2020-05-20 11:31:57 +01:00
semmle-qlci 2bbc1c2af0
Merge pull request #3478 from erik-krogh/PromiseAll
Approved by asgerf, esbena
2020-05-20 11:03:05 +01:00
semmle-qlci 29b8a0db92
Merge pull request #3508 from asger-semmle/js/shared-data-flow-node
Approved by esbena
2020-05-20 10:58:09 +01:00
Tom Hvitved e9839198f4
Merge pull request #3484 from calumgrant/cs/index-initializers
C#: Extract indexed initializers correctly
2020-05-20 09:22:47 +02:00
semmle-qlci 26dfca80f6
Merge pull request #3510 from max-schaefer/cull-boring-queries
Approved by asgerf, esbena
2020-05-19 15:41:53 +01:00
Max Schaefer a803120414 Lower precision for a number of queries.
These queries are currently run by default, but don't have their results displayed.

Looking through results on LGTM.com, they are either false positives (e.g., `BitwiseSignCheck` which flags many perfectly harmless operations and `CompareIdenticalValues` which mostly flags NaN checks) or harmless results that developers are unlikely to care about (e.g., `EmptyArrayInit` or `MisspelledIdentifier`).

With this PR, the only queries that are still run but not displayed are security queries, where different considerations may apply.
2020-05-19 13:43:17 +01:00
Geoffrey White 7d630c458e Merge branch 'master' into fp2762 2020-05-19 11:43:50 +01:00
Asger Feldthaus 0db0ddf476 JS: Add a change note 2020-05-19 11:07:35 +01:00
Asger Feldthaus f49b36aec7 JS: Change note 2020-05-19 09:52:26 +01:00
semmle-qlci 0c081a8e87
Merge pull request #3497 from esbena/js/yield-and-local-objects
Approved by asgerf, erik-krogh
2020-05-19 09:02:22 +01:00
Erik Krogh Kristensen aa396a39d3 Merge branch 'master' of https://github.com/github/codeql into pr/erik-krogh/3478 2020-05-18 20:57:51 +00:00
Asger F 96d6115452
Merge branch 'master' into js/sql-type-tracking 2020-05-18 15:58:42 +01:00
Erik Krogh Kristensen 70a28f60e3 Merge branch 'master' of https://github.com/github/codeql into pr/erik-krogh/3478 2020-05-18 14:05:37 +00:00
Max Schaefer bdd778f989 JavaScript: Add change note. 2020-05-18 12:08:36 +01:00
Esben Sparre Andreasen a9ba6ac659 JS: make LocalObjects::isEscape aware of `yield` 2020-05-18 12:43:46 +02:00
Erik Krogh Kristensen bd3c4d4077 Merge branch 'master' of https://github.com/github/codeql into pr/erik-krogh/3478 2020-05-18 07:51:19 +00:00
Esben Sparre Andreasen ddb545c182 JS: introduce MembershipTests.qll and use in two locations 2020-05-18 09:50:00 +02:00
semmle-qlci 6041d52936
Merge pull request #3424 from asger-semmle/js/express-param-handler
Approved by esbena
2020-05-18 08:48:24 +01:00
semmle-qlci 0230b79efc
Merge pull request #3391 from erik-krogh/SplitFPs
Approved by esbena
2020-05-18 08:46:26 +01:00
Erik Krogh Kristensen dfdecf1450 add change note 2020-05-17 10:32:27 +02:00
semmle-qlci 8d41ce1630
Merge pull request #3480 from erik-krogh/moreSlip
Approved by esbena
2020-05-16 21:17:27 +01:00
Asger Feldthaus 435f9ea09f JS: Change note 2020-05-15 17:27:30 +01:00
Asger Feldthaus e311cc7689 JS: Change note 2020-05-15 13:06:37 +01:00
Calum Grant 53ca3ccf53 C#: Update changenotes 2020-05-15 13:06:17 +01:00
Geoffrey White 48f3db3fbe Merge branch 'master' into fp2762 2020-05-15 09:55:30 +01:00
Erik Krogh Kristensen 4eb96848a6 add change note for bluebird and "Promise" 2020-05-15 09:58:33 +02:00
Erik Krogh Kristensen 7df35a6bab update change note 2020-05-15 09:52:59 +02:00
semmle-qlci a536069059
Merge pull request #3408 from esbena/js/unsafe-html-expansion
Approved by asgerf, mchammer01
2020-05-15 08:24:12 +01:00
Geoffrey White 6579c71866 C++: Change note. 2020-05-14 18:44:06 +01:00
Geoffrey White df5e16c45d C++: Add a 1.25 change note file (didn't we used to have templates for these?). 2020-05-14 18:41:14 +01:00
semmle-qlci 23532ae49a
Merge pull request #3467 from erik-krogh/tarSlip
Approved by esbena
2020-05-14 14:06:42 +01:00
semmle-qlci 57f44c5a81
Merge pull request #2886 from asger-semmle/js/call-graph-exploration
Approved by erik-krogh, esbena
2020-05-14 14:01:23 +01:00
Erik Krogh Kristensen 422ade16db
Apply suggestions from code review
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2020-05-14 10:05:59 +02:00
Erik Krogh Kristensen ce5356f592 change note 2020-05-14 09:48:50 +02:00
Calum Grant f5daeea618
Merge pull request #3421 from hvitved/csharp/dataflow/change-note
C#/Java/C++: Add change note for #3110
2020-05-13 13:53:01 +01:00
Esben Sparre Andreasen c6fa88af28 JS: change notes 2020-05-13 12:56:33 +02:00
Esben Sparre Andreasen 7722d77c86 JS: add the NoSQL $where as a sink for js/code-injection 2020-05-13 08:30:22 +02:00
Esben Sparre Andreasen 20cf04442c JS: model marsdb and minimongo 2020-05-13 08:28:59 +02:00
Erik Krogh Kristensen 83d34b939c change note 2020-05-12 14:24:04 +02:00
Erik Krogh Kristensen 8b3e86c4f8 change note 2020-05-11 13:40:59 +02:00
Tom Hvitved c837ab7d1a
Apply suggestions from code review
Co-authored-by: Jonas Jensen <jbj@github.com>
2020-05-11 11:42:50 +02:00
Tom Hvitved 948c2f7f7e C++: Add change note 2020-05-07 16:01:55 +02:00
Tom Hvitved 0b85f3fed4 Address review comments 2020-05-07 15:58:46 +02:00
Erik Krogh Kristensen a3fb13882b Merge branch 'master' into SplitFPs 2020-05-07 10:51:11 +02:00
Tom Hvitved f19b1045d6 Java: Add change note 2020-05-06 15:52:49 +02:00
Tom Hvitved ddd62a56cc C#: Add change note for #3110 2020-05-06 14:28:47 +02:00
semmle-qlci 9210660ea0
Merge pull request #3401 from erik-krogh/jsonLike
Approved by esbena
2020-05-06 08:00:44 +01:00
Tom Hvitved 3d37a49ccd C#: Add change note 2020-05-05 14:28:13 +02:00
Erik Krogh Kristensen a4eee7e88e
more -> additional
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2020-05-05 14:01:39 +02:00
Erik Krogh Kristensen bffb12725b add test and change-note to prototype-pollution 2020-05-05 13:49:11 +02:00
Erik Krogh Kristensen 38db731e0b add change note and new test for js/incomplete-url-scheme-check 2020-05-05 13:38:27 +02:00
Erik Krogh Kristensen f56915d99f add change note for js/xss 2020-05-05 13:36:50 +02:00
Erik Krogh Kristensen 9a7f8d97d2 change note 2020-05-04 09:49:20 +02:00
Erik Krogh Kristensen ffdbe31a30 change-note 2020-05-04 09:08:46 +02:00
Esben Sparre Andreasen 04b5a794f1
Merge pull request #3313 from esbena/js/typical-bad-sanitizer
New query: Incomplete HTML attribute sanitization
2020-04-27 14:31:13 +02:00
Esben Sparre Andreasen f0a05f6a6c JS: change notes 2020-04-24 09:18:16 +02:00
Erik Krogh Kristensen e7d8cd8e8c Merge remote-tracking branch 'upstream/master' into MoarJQuery 2020-04-23 14:10:53 +02:00
Erik Krogh Kristensen 67443718c0 change note 2020-04-23 13:55:37 +02:00