Commit graph

10573 commits

Author SHA1 Message Date
Jonas Jensen dfe1a7e2f0 C++: Avoid `iDominates*` in Overflow.qll
The `iDominates` relation is directly on control-flow nodes, and its
transitive closure is far too large. It got compiled into a recursion
rather than `fastTC`, and I've observed that recursion to take about an
hour on a medium-size customer snapshot.

The fix is to check for dominance at the basic-block level.
2020-02-28 10:48:23 +01:00
Geoffrey White 4ca57db553
Merge pull request #2929 from Semmle/rc/1.23
Merge rc/1.23 into master
2020-02-28 09:30:20 +00:00
semmle-qlci ec90627a64
Merge pull request #2909 from yo-h/experimental
Approved by aschackmull, jbj, max-schaefer, tausbn
2020-02-28 03:15:58 +00:00
yo-h f8bf055fe1
Merge pull request #2927 from aschackmull/java/taintgettersetter-tests
Java: Add some more taint-getter-setter tests.
2020-02-27 22:12:25 -05:00
yo-h 7dc5f9446a
Merge pull request #2920 from aschackmull/java/typeflow-irrelevant-pruning
Java: Remove some irrelevant bounds from TypeFlow.
2020-02-27 22:10:32 -05:00
Taus 0da554c701
Merge pull request #2914 from RasmusWL/python-remove-optimize-true-directive
Python: Remove `--optimize: true` from options files
2020-02-27 13:16:59 +01:00
Taus d9383d0e86
Merge pull request #2902 from RasmusWL/python-use-of-input
Python: Highlight py/use-of-input is for Python 2
2020-02-27 13:15:32 +01:00
Taus 8bd3063d2b
Merge pull request #2875 from RasmusWL/python-taint-urlsplit
Python: Add taint for urlsplit
2020-02-27 13:13:47 +01:00
Asger F b25a4614de
Merge pull request #2926 from asger-semmle/js/format-everything
JS: Autoformat everything
2020-02-27 12:11:01 +00:00
Taus e09907894d
Merge pull request #2817 from BekaValentine/objectapi-to-valueapi-truncateddivision
Python: ObjectAPI to ValueAPI: TruncatedDivision
2020-02-27 12:52:26 +01:00
Anders Schack-Mulligen 33f6392be5 Java: Add some more taint-getter-setter tests. 2020-02-27 10:47:25 +01:00
Asger Feldthaus fefcf1a7a6 JS: Autoformat everything 2020-02-27 09:41:01 +00:00
Anders Schack-Mulligen 0c30d7cced Java: Update test output. 2020-02-27 10:28:12 +01:00
Erik Krogh Kristensen 9c06c48dc7
Merge pull request #2884 from esbena/js/practically-exploitable-redos
JS: add query js/exploitable-polynomial-redos
2020-02-27 10:19:17 +01:00
Esben Sparre Andreasen 1b73cee692 JS: add js/exploitable-polynomial-redos 2020-02-27 08:42:43 +01:00
yo-h 63adc63597 `CONTRIBUTING.md`: add paragraph on maintaining backwards compatibility 2020-02-26 18:39:23 -05:00
yo-h aeb8793197
Update docs/experimental.md
Break sentence down into shorter ones, as per review comment.
2020-02-26 18:38:42 -05:00
Rebecca Valentine b0493458d6 Combine and clean up the test files 2020-02-26 09:04:14 -08:00
Rebecca Valentine ba1f3c46b8 Removes obsolete `asBuiltin` predicate 2020-02-26 08:17:45 -08:00
Geoffrey White 427b440389
Merge pull request #2918 from jbj/UnsignedGEZero-recursion
C++: Fix performance of UnsignedGEZero.ql
2020-02-26 15:49:03 +00:00
Taus 85f5ad2231
Merge pull request #2904 from RasmusWL/python-http-clients
Python: Model outgoing HTTP client requests
2020-02-26 15:49:41 +01:00
Rasmus Wriedt Larsen 771dfecf6d Python: Add sanitized edges for urlsplit test 2020-02-26 14:10:30 +01:00
Rasmus Wriedt Larsen 0b31cb1716 Python: Show that we have initial taint in urlsplit test 2020-02-26 14:09:02 +01:00
Rasmus Wriedt Larsen 400a8ffae5 Python: Use slightly better name than foobar
I intended to rename before committing, but woops
2020-02-26 14:08:10 +01:00
Anders Schack-Mulligen 508b6050a8 Java: Remove some irrelevant bounds from TypeFlow. 2020-02-26 13:51:25 +01:00
Taus dce121b565
Merge pull request #2916 from BekaValentine/python-objectapi-to-valueapi-callargsandothers
Python: ObjectAPI to ValueAPI: CallArgs and Others
2020-02-26 12:51:18 +01:00
semmle-qlci 326522c250
Merge pull request #2846 from erik-krogh/CVE481
Approved by asgerf, esbena
2020-02-26 11:16:41 +00:00
Jonas Jensen 5f6d07dd57 C++: Fix performance of UnsignedGEZero.ql
This query used two fastTC operations that were already somewhat
inefficient on their own but could send the evaluator into an OOM loop
when run in parallel without enough RAM.

The fix is to recurse manually, starting just from the expressions that
are potential candidates for alerts.
2020-02-26 11:32:41 +01:00
Rasmus Wriedt Larsen 4330d4e289 Python: Remove unused import in test 2020-02-26 10:26:30 +01:00
Rasmus Wriedt Larsen 5fae3a8d0a Python: Explain complexity of HTTPConnection.request 2020-02-26 10:26:30 +01:00
Rasmus Wriedt Larsen b213db03fd Python: Consolidate stdlib http client tests
Move the stdlib tests from test/{2,3}/library-tests/ into /test/library-tests/,
and deal with version by using sys.version_info (results should be the same for
both versions).

six tests were moved from /library-tests/web/client/stdlib => /library-tests/web/client/six
2020-02-26 10:26:30 +01:00
Rasmus Wriedt Larsen be187bcc0a Python: Make Client::HttpRequest extend ControlFlowNode
Taus pointed out that the request being sent off doesn't *need* to happen on a
CallNode. Someone *could* use a __setattr__ or property :\
2020-02-26 10:26:30 +01:00
Rasmus Wriedt Larsen e25079acc2 Python: Remove unnecessary cast 2020-02-26 10:26:30 +01:00
Rasmus Wriedt Larsen cd5399d43e Python: Model outgoing http client requests 2020-02-26 10:26:30 +01:00
yo-h 21dd8757dd
Update docs/experimental.md
Co-Authored-By: Felicity Chapman <felicitymay@github.com>
2020-02-25 23:11:29 -05:00
Rebecca Valentine e07a003f75 Swaps overridden_call globally 2020-02-25 11:02:18 -08:00
Rebecca Valentine 50c91b99da Swaps correct_args_if_called_as_method globally 2020-02-25 11:01:51 -08:00
Rebecca Valentine fb0cae76cf Swaps wrong_args globally 2020-02-25 11:00:39 -08:00
Rebecca Valentine 3a764ade8d Swaps too_many_args globally 2020-02-25 10:59:55 -08:00
Rebecca Valentine 3b0be46377 Swaps too_few_args globally 2020-02-25 10:59:16 -08:00
Rebecca Valentine 2c32a859cc Swaps illegally_named_parameter globally 2020-02-25 10:58:08 -08:00
Rebecca Valentine 4857a947ac Swaps get_function_or_initializer globally 2020-02-25 10:51:40 -08:00
Rebecca Valentine cf4b7e1270 Swaps arg_count globally 2020-02-25 10:50:30 -08:00
Rebecca Valentine c2a3af7e67 Adds objectapi suffix to private predicates 2020-02-25 10:48:29 -08:00
Rebecca Valentine 930228acc5 Un-autoformats 2020-02-25 09:52:46 -08:00
yo-h d06caefd8e Address code review comments for `experimental.md` 2020-02-25 11:17:42 -05:00
Erik Krogh Kristensen dc6bfad023 Merge remote-tracking branch 'upstream/master' into CVE481 2020-02-25 16:25:03 +01:00
Rasmus Wriedt Larsen f10a86d3ac Python: Remove `--optimize: true` from options files
Tests will be run with optimizations on by default now.
2020-02-25 15:52:00 +01:00
Rasmus Wriedt Larsen 8f70101572 Python: docs: Use <code> tag consistently in UseofInput.qhelp 2020-02-25 15:40:08 +01:00
Jonas Jensen db33c360bc
Merge pull request #2910 from aschackmull/dataflow/cleanup
Java/C++: Minor dataflow cleanup.
2020-02-25 12:47:10 +01:00