Commit graph

3625 commits

Author SHA1 Message Date
Tom Hvitved 51f4f57617 C#: Use `cs/` prefix in all query IDs 2021-11-03 10:25:21 +01:00
Mathias Vorreiter Pedersen 4a2894a707
Merge pull request #7025 from MathiasVP/nomagic-parameterCand
Dataflow: Replace a 'noinline' pragma with a 'nomagic' pragma
2021-11-02 20:40:44 +00:00
Anders Schack-Mulligen 7d0152f3c0
Merge pull request #6932 from aschackmull/dataflow/flow-features
Dataflow: Add support for call context restrictions on sources/sinks.
2021-11-02 13:24:17 +01:00
Mathias Vorreiter Pedersen 6f4107ff23 Dataflow: Replace a 'noinline' pragma with a 'nomagic' pragma. 2021-11-02 11:37:40 +00:00
CodeQL CI 5d62aa5b29
Merge pull request #6994 from erik-krogh/redundant-cast
Approved by RasmusWL, aschackmull, esbena, geoffw0, hvitved, nickrolfe
2021-11-02 03:45:48 -07:00
Tamás Vajk 18b08060ae
Merge pull request #5110 from porcupineyhairs/ssrfCsharp
C# : Add query to detect SSRF
2021-11-02 09:50:28 +01:00
Erik Krogh Kristensen d36c66cfca remove redundant inline casts in arguments where the type is inferred by the call target 2021-10-29 14:37:56 +02:00
Anders Schack-Mulligen 5951ae79b9 Dataflow: Add language specific predicates. 2021-10-29 11:11:35 +02:00
Anders Schack-Mulligen 00df6798b1 Dataflow: Sync 2021-10-29 11:00:23 +02:00
Erik Krogh Kristensen e75448ebb0 remove redundant inline casts 2021-10-28 16:35:53 +02:00
Mathias Vorreiter Pedersen fc3ff41d65 Merge branch 'main' into use-shared-ssa-in-ir-dataflow 2021-10-28 12:36:36 +01:00
Mathias Vorreiter Pedersen 8135dcefdd Merge branch 'main' into use-shared-ssa-in-ir-dataflow 2021-10-28 12:36:25 +01:00
Mathias Vorreiter Pedersen 13ce2569d7 C++/C#: Sync identical IR files 2021-10-28 10:52:00 +01:00
Anders Schack-Mulligen 699630af54 Dataflow: Sync. 2021-10-27 13:57:44 +02:00
Anders Schack-Mulligen 034c7f3538 Dataflow: Sync. 2021-10-27 13:57:44 +02:00
Mathias Vorreiter Pedersen 67fd38f328 C#/Ruby: Use a 'noinline' instead of a 'only_bind_into'. 2021-10-26 09:41:52 +01:00
Mathias Vorreiter Pedersen 9145382660 C#: Sync identical files. 2021-10-25 21:55:28 +01:00
Mathias Vorreiter Pedersen ff35100d52 C#: Fix join order in 'inDefDominanceFrontier'. 2021-10-25 21:55:09 +01:00
Tom Hvitved 4e40337d02 C#: Improve join-order in `defaultDelegateConversion` 2021-10-22 10:12:18 +02:00
Porcuiney Hairs f70d808e2f fix testcases 2021-10-22 00:58:59 +05:30
Porcuiney Hairs 9fe822f41c Include suggestions from review 2021-10-22 00:55:01 +05:30
Tom Hvitved f9fb046e9f C#: Update expected test output after rebase 2021-10-20 12:15:27 +02:00
Tom Hvitved 0bf5238f39 Update QL doc for `allowParameterReturnInSelf` 2021-10-20 12:08:58 +02:00
Tom Hvitved 53d4d72fe5 C#: Simplify `SummarizedCallableDefaultClearsContent` 2021-10-20 12:08:58 +02:00
Tom Hvitved dd138b0429 Address review comments 2021-10-20 12:08:58 +02:00
Tom Hvitved a1511e13d8 Data flow: Sync files 2021-10-20 12:08:57 +02:00
Tom Hvitved 1196d0c624 C#: Rework `SummarizedCallable::clearsContent/2` 2021-10-20 12:08:57 +02:00
Tamas Vajk c7c35401e0 C#: Remove cartesian product in stubbing (GeneratedType::getStub) 2021-10-19 12:56:23 +02:00
Geoffrey White 3f3c79f48f
Merge pull request #6884 from geoffw0/setliterals
Replace or chains with set literals.
2021-10-18 16:46:55 +01:00
Anders Schack-Mulligen b67032d1cc
Merge pull request #6891 from erik-krogh/fix-java-this
add explicit this qualifier on all of java
2021-10-18 17:13:37 +02:00
Tom Hvitved a10bde5795
Merge pull request #6872 from hvitved/dataflow/path-into-callable0-join
Data flow: Performance tweaks
2021-10-18 16:25:10 +02:00
Tom Hvitved e6954292aa Address review comments 2021-10-18 14:09:44 +02:00
Anders Schack-Mulligen 91ea064980 Sync 2021-10-18 14:04:50 +02:00
Tom Hvitved 888a1b38aa C#: Handle `Nullable<T>` default parameter values in assemblies 2021-10-15 14:23:18 +02:00
Tom Hvitved 86b1305e35
Merge pull request #6883 from hvitved/csharp/inline-expectations
C#: Adopt inline test expectations framework
2021-10-15 09:33:22 +02:00
Geoffrey White 8f30b8b586 Autoformat. 2021-10-14 16:00:23 +01:00
Geoffrey White f08d2ee759 Merge branch 'main' into setliterals 2021-10-14 14:39:39 +01:00
Geoffrey White 3983587682 C#: Set literals. 2021-10-14 14:22:39 +01:00
Tom Hvitved 083214f85a C#: Use inline test expectations for `FieldFlow.ql` 2021-10-14 15:22:21 +02:00
Tom Hvitved ed6a182cd1 C#: Adopt inline test expectations framework 2021-10-14 15:22:21 +02:00
Anders Schack-Mulligen 8b6baa250c
Merge pull request #6878 from aschackmull/remove-singleton-setliteral
C++/C#/Java/JavaScript/Python: Remove singleton set literals.
2021-10-14 14:53:05 +02:00
Tom Hvitved f5420333e2 Sync shared files 2021-10-14 11:49:02 +02:00
Anders Schack-Mulligen 57cb300759 C++/C#/Java/JavaScript/Python: Remove singleton set literals. 2021-10-14 11:34:22 +02:00
Erik Krogh Kristensen a358a192c4 add explicit this to all calls to class predicates 2021-10-14 10:11:55 +02:00
Mathias Vorreiter Pedersen a2371370ff
Merge pull request #6865 from MathiasVP/fix-if-none
C++/C#/JS/Python: Replace 'if p() then q() else none()' with a conjunction
2021-10-13 19:47:55 +01:00
Tom Hvitved c14dcfbfe4 Data flow: Sync 2021-10-13 20:13:28 +02:00
Tom Hvitved 5be7a97a16 Data flow: Avoid unnecessary non-linear recursion via `getConfiguration()` 2021-10-13 20:10:26 +02:00
Tom Hvitved ee44e742f6 Data flow: Avoid bad join-order in `pathIntoCallable0` 2021-10-13 20:09:43 +02:00
Andrew Eisenberg 878203f1d0
Merge pull request #6862 from github/aeisenberg/tutorial
Move tutorial directly into each qlpack
2021-10-13 09:29:37 -07:00
Andrew Eisenberg 0d1632a5d2 Move tutorial directly into each qlpack
Previously, the tutorial was injected during build time. This is much
simpler.
2021-10-13 08:37:04 -07:00
Philip Ginsbach c9c0c7f24f fix formatting 2021-10-13 13:10:37 +01:00
Mathias Vorreiter Pedersen 7690625114 C#: Replace 'if p() then q() else none()' with a conjunction. 2021-10-13 12:11:50 +01:00
Philip Ginsbach 6b9ddf1f65 Guard non-extending subtype of G::Guard 2021-10-13 11:44:22 +01:00
Philip Ginsbach e3e741251f ParameterNode non-extending subtype of ParameterNodeImpl 2021-10-13 11:42:41 +01:00
Philip Ginsbach aa656f7542 ArgumentNode non-extending subtype of ArgumentNodeImpl 2021-10-13 11:41:40 +01:00
Andrew Eisenberg bbb2637bcc QlPacks: Add the defaultSuite to query packs that are missing it
Also, change some examples pack names from `codeql-lang-examples` to
`codeql/lang-examples`. This doesn't affect behaviour since internally,
the legacy name is converted to the modern name.
2021-10-12 11:54:50 -07:00
Tom Hvitved 10739b11ee
Merge pull request #6841 from hvitved/dataflow/incorrect-summary-chaining
Data flow: Add tests for missing summary flow
2021-10-12 15:44:21 +02:00
Tom Hvitved 296e268339
Apply suggestions from code review
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
2021-10-12 14:28:32 +02:00
Tom Hvitved 68ea3e7b49 Data flow: Add debugging predicates for rendering data flow graphs for summarized callables 2021-10-11 11:29:08 +02:00
Tom Hvitved 30bf2aade4 C#: Add test for missing summary flow 2021-10-11 11:29:08 +02:00
Tom Hvitved 61973c399e C#: Make `GetCSharpArgsLogs` robust against log directory not existing 2021-10-11 11:28:49 +02:00
Tom Hvitved b05d76a131 C#: Avoid bad magic in `interpretElement0` 2021-10-11 09:30:52 +02:00
Anders Schack-Mulligen 446c738f20
Merge pull request #6790 from aschackmull/dataflow/force-precision
Dataflow: Force high precision of certain Contents.
2021-10-08 11:44:26 +02:00
Tom Hvitved 951df380a9
Merge pull request #6829 from hvitved/csharp/gvn-to-string-concat-range
C#: Speedup GVN string `concat`s by pulling ranges into separate predicates
2021-10-08 10:02:31 +02:00
Anders Schack-Mulligen 1bec58dee5 Dataflow: Fix more qldoc: s/accesspath/access path/. 2021-10-08 09:41:26 +02:00
Robert Marsh 2539e3247a
Merge pull request #6814 from MathiasVP/fix-qldoc-in-copy-instruction
C++/C#: Fix QLDoc of `CopyInstruction`
2021-10-07 11:18:38 -07:00
Anders Schack-Mulligen 2b88a2aa0c Dataflow: Fix qldoc: s/accesspath/access path/. 2021-10-07 14:46:24 +02:00
Tom Hvitved 764a987b09 C#: Speedup GVN string `concat`s by pulling ranges into separate predicates 2021-10-07 13:51:05 +02:00
Andrew Eisenberg e2b1f6ac50 Packaging: Add library flag to upgrades packs
This flag was missing. It should be there. Otherwise, this
pack cannot be built.
2021-10-06 14:29:55 -07:00
Mathias Vorreiter Pedersen b089e6d84e C++/C#: Fix QLDoc of 'CopyInstruction'. 2021-10-05 09:14:20 +01:00
Tom Hvitved 70e41b180e
Merge pull request #6800 from hvitved/csharp/constant-cond-tuple-discard
C#: Filter discards in tuples in `ConstantCondition.ql`
2021-10-04 14:38:45 +02:00
Tom Hvitved 9762ce706b
Merge pull request #6799 from hvitved/csharp/dead-store-using-discard
C#: Filter using `var _ = ... results` from `DeadStoreOfLocal.ql`
2021-10-04 14:38:15 +02:00
Tom Hvitved a315640082 C#: Address review comments 2021-10-04 13:15:26 +02:00
Tom Hvitved f06632a8e7 C#: Filter discards in tuples in `ConstantCondition.ql` 2021-10-04 13:04:18 +02:00
Anders Schack-Mulligen 65a4f36cf8
Merge pull request #6767 from aschackmull/dataflow/callback-postupdate
Dataflow: Support side-effects for callbacks in summaries.
2021-10-04 11:13:18 +02:00
Tom Hvitved 70b9b002cb C#: Add change note 2021-10-04 10:48:07 +02:00
Tom Hvitved 682a2aae3a C#: Filter `using var _ = ...` results from `DeadStoreOfLocal.ql` 2021-10-04 10:45:44 +02:00
Porcuiney Hairs cf31b6e7f6 fix testcases 2021-10-02 02:10:18 +05:30
Anders Schack-Mulligen 99ba80d492 C#: Adjust test output. 2021-10-01 16:57:30 +02:00
Anders Schack-Mulligen 98f68cb053 Dataflow: Sync. 2021-10-01 13:11:43 +02:00
Anders Schack-Mulligen 490df2027b Dataflow: Add language-specific predicate forceHighPrecision(). 2021-10-01 13:11:14 +02:00
CodeQL CI e9b4e571e1
Merge pull request #6775 from RasmusWL/fix-hasLocationInfo-url
Approved by aschackmull, erik-krogh, hvitved, jbj, tausbn
2021-09-29 16:51:08 +01:00
Rasmus Wriedt Larsen 987b573709 Fix `hasLocationInfo` URL reference
Follow up to https://github.com/github/codeql/pull/5830
2021-09-29 13:47:58 +02:00
Tamas Vajk e17071723f C#: Handle invalid code gracefully: global statements in library 2021-09-29 10:23:33 +02:00
Porcuiney Hairs b9c08167f3 C# : Add query to detect SSRF 2021-09-29 04:14:22 +05:30
Anders Schack-Mulligen e95dc82087 Autoformat. 2021-09-28 13:00:50 +02:00
Anders Schack-Mulligen b11cb88a9f Dataflow: Sync to C#. 2021-09-28 11:45:33 +02:00
Geoffrey White 3e1bc66984
Merge pull request #6733 from MathiasVP/fix-qldoc-in-initialize-dynamic-allocation-instruction
C++/C#: Fix QLDoc on `InitializeDynamicAllocationInstruction`.{`getAllocationAddressOperand` and `getAllocationAddress`}
2021-09-24 14:30:03 +01:00
Mathias Vorreiter Pedersen 24214002a1 C#/C++: Sync identical files. 2021-09-24 13:13:09 +01:00
Mathias Vorreiter Pedersen 35baff8bac C#/C++: Sync identical files. 2021-09-22 13:32:29 +01:00
Tom Hvitved 364dab6990 Remove `CODEQL_REDUCE_FILES_FOLDERS_RELATIONS` 2021-09-22 09:43:56 +02:00
Anders Schack-Mulligen 044623a360 Dataflow: Sync. 2021-09-20 14:58:28 +02:00
Tom Hvitved 82d463e86e
Merge pull request #6718 from hvitved/csharp/xss-subpath
C#: Add `subpaths` predicate to XSS queries
2021-09-20 12:47:27 +02:00
Tom Hvitved 64507ab316
Merge pull request #6712 from hvitved/csharp/subsumption-perf-take2
C#: Speedup type subsumption calculation
2021-09-20 11:59:24 +02:00
Tom Hvitved b9c4abe7dc C#: Fix qldoc typos 2021-09-20 10:42:01 +02:00
Tom Hvitved 6d315a5d16 C#: Add `subpaths` predicate to XSS queries 2021-09-20 10:40:54 +02:00
github-actions[bot] f0e7be7d56 Add changed framework coverage reports 2021-09-20 00:08:08 +00:00
Tom Hvitved c6c1ad1b90 C#: Update `toString` for nested types 2021-09-18 19:51:37 +02:00
Tom Hvitved 07fe29cc67 C#: Speedup type subsumption calculation 2021-09-18 19:51:37 +02:00
Tamas Vajk 8232698254 C#: Migrate SQL sinks to CSV format 2021-09-17 10:21:31 +02:00
Tamas Vajk f015cea590 Merge branch 'main' into feature/service-stack 2021-09-16 09:42:42 +02:00
Tamas Vajk 05dd3fa0e7 Adjust review findings 2021-09-16 09:42:38 +02:00
Anders Schack-Mulligen c0fd44c909 Dataflow: Sync. 2021-09-15 16:10:54 +02:00
Tom Hvitved 2730423ab2 C#: Upgrade script 2021-09-13 09:49:10 +02:00
Tom Hvitved 5d048a9518 C#: Drop redundant columns from `files` and `folders` relations 2021-09-13 09:49:09 +02:00
Tom Hvitved 0abfb00032
Merge pull request #6660 from hvitved/csharp/dotnet-exec-tracing-windows
C#: Handle `dotnet exec csc.dll` compiler calls on Windows
2021-09-13 09:07:50 +02:00
Andrew Eisenberg 9c0f18b88d Remove incorrect directive
This directive should only be in the
pack.
2021-09-10 08:57:37 -07:00
Tom Hvitved 649c2ce188
Merge pull request #6586 from hvitved/dataflow/stage2-precise-call-ctx-take2
Data flow: Add precise call contexts to stage 2
2021-09-10 11:34:35 +02:00
Tom Hvitved af0b9abab7 C#: Handle `dotnet exec csc.dll` compiler calls on Windows 2021-09-10 11:26:43 +02:00
Tom Hvitved 296d10fe2a Data flow: Adjust `callMayFlowThroughFwd` pragmas 2021-09-10 09:21:24 +02:00
Tamás Vajk ad04099ac2
Merge pull request #6630 from tamasvajk/feature/interface-runtimecallable
C# Extend runtime callables to cover interface members with default implementation
2021-09-09 17:24:55 +02:00
Tamas Vajk abe6c90829 Update change note 2021-09-09 13:04:47 +02:00
Tamas Vajk 0a17ab9325 Merge branch 'main' into feature/service-stack 2021-09-09 13:01:43 +02:00
Tamas Vajk 9ab6c29cd3 Extend runtime callables to cover interface members with default implementation 2021-09-08 15:07:49 +02:00
Anders Schack-Mulligen 1af39f0776 Dataflow: Sync. 2021-09-08 13:02:07 +02:00
Anders Schack-Mulligen 2b7882e6e5
Merge pull request #5032 from aschackmull/dataflow/subpaths
Dataflow: Add subpaths query predicate.
2021-09-08 11:52:41 +02:00
Tamás Vajk f90d1fd70e
Merge pull request #6636 from tamasvajk/fix/stubbing-2
C#: Fix member order (yet again) in stubbing
2021-09-07 17:37:29 +02:00
Rasmus Wriedt Larsen 995a8192a9
Merge pull request #6635 from github/RasmusWL/fix-csharp-cwe-tag
C#: Fix CWE tag for `cs/insufficient-key-size`
2021-09-07 15:54:42 +02:00
Tamas Vajk 469993f6d3 C#: Fix member order (yet again) in stubbing
With explicit interface implementation, the same member name can show up multiple times in a type declaration. This commit defines an explicit order
for these members.
2021-09-07 15:26:03 +02:00
Tamás Vajk d7934865c9
Merge pull request #6628 from tamasvajk/feature/fix-stub-escaping
C#: improve stubbing to escape more member names (not just fields)
2021-09-07 14:29:44 +02:00
Tom Hvitved bef05f885c C#: Update CIL data flow tests 2021-09-07 13:02:20 +02:00
Anders Schack-Mulligen f30dad7705 Dataflow: Update test expected outputs. 2021-09-07 13:02:20 +02:00
Rasmus Wriedt Larsen 8f52089475
C#: Fix CWE tag for `cs/insufficient-key-size`
Since this targets

CWE-326 Inadequate Encryption Strength

> The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
> - https://cwe.mitre.org/data/definitions/326.html

and not

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

> The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
> - https://cwe.mitre.org/data/definitions/327.html

This matches what we do for similar query in Python: https://github.com/github/codeql/blob/main/python/ql/src/Security/CWE-326/WeakCryptoKey.ql
2021-09-07 12:59:10 +02:00
Anders Schack-Mulligen 7ec1fa2ebe Dataflow: Sync. 2021-09-07 12:51:42 +02:00
Anders Schack-Mulligen 3c3d71d4a0 Dataflow: Sync 2021-09-07 12:51:42 +02:00
Tamás Vajk 1dc712f54d
Merge pull request #6629 from tamasvajk/feature/dispatch-fix
C#: Fix dispatch library to handle summarized callables with no runti…
2021-09-07 12:35:45 +02:00
Tamas Vajk 203ca3f91b C#: improve stubbing to escape more member names (not just fields) 2021-09-07 12:34:23 +02:00
Tamás Vajk 7befdc9c5c
Merge pull request #6627 from tamasvajk/feature/stub-readme
C#: Add readme to stub folder
2021-09-07 12:09:52 +02:00
Tamás Vajk c63fd4a254
Merge pull request #6260 from tamasvajk/feature/method-name
C#: Change generic method names to include <> and type args/params
2021-09-07 12:09:27 +02:00
Tamas Vajk 3a9cf639bd Change ServiceStack redis sinks to code injection instead of SQL injection 2021-09-06 16:59:31 +02:00
Tamas Vajk 5fa9f16c01 Adjust ServiceStack CSV rows with generic method names 2021-09-06 16:45:21 +02:00
Tamas Vajk f6366e1e1f Merge branch 'feature/method-name' into feature/service-stack 2021-09-06 15:52:08 +02:00
Tamas Vajk 207d8f6030 Merge branch 'main' into feature/service-stack 2021-09-06 15:46:43 +02:00
Tamas Vajk 5014ef2337 C#: Add ServiceStack support with CSV data model 2021-09-06 14:06:37 +02:00
Tamas Vajk 43ccc14162 Add ServiceStack stubs and empty test referencing it 2021-09-06 14:05:41 +02:00
Tamas Vajk e3a49f8213 C#: improve stubbing to escape more member names (not just fields) 2021-09-06 14:02:42 +02:00
Tamas Vajk 270b56af1b Extend runtime callables to interface members with default implementation 2021-09-06 14:02:42 +02:00
Tamas Vajk 39a88d2e43 Fix dispatch library to handle summarized callables with no runtime target 2021-09-06 14:02:42 +02:00
Tamas Vajk 648197db35 C#: Fix dispatch library to handle summarized callables with no runtime target 2021-09-06 13:45:43 +02:00
Tamas Vajk 0d88d18781 C#: Add readme to stub folder 2021-09-06 13:42:36 +02:00
Andrew Eisenberg bb9911e06f
Merge pull request #6605 from aeisenberg/aeisenberg/pack/consistency 2021-09-06 04:40:58 -07:00
Tamas Vajk b7f13a7e1f C#: Change generic method names to include <> and type args/params 2021-09-06 11:48:22 +02:00
Andrew Eisenberg 6a47fcaf1f Packaging: Normalize all qlpack.yml files for all languages
This commit ensures consistency among all of our qlpacks. Here are the
changes:

1. Ensure only modern references are used (codeql-{lang} is converted to
   codeql/{lang}-all or codeql/{lang}-queries where appropriate).
2. Use consistent version numbers. All languages are at 0.0.2 except
   javascript, which is 0.0.3.
3. Convert all `libraryPathDependencies` to `dependencies` with version
   constraints
4. Dependencies from query packs to other packs are always `"*"` since
   these dependencies are always from source and we should get the
   latest.
5. Dependencies from codeql/{lang}-lib to codeql/{lang}-upgrades must
   be strict since there is a tight connection between the library
   and its relevant upgrades.
2021-09-03 11:53:28 -07:00
Tamas Vajk c02a743835 Revert redundant order by 2021-09-03 16:51:32 +02:00
Tamas Vajk 3560853f36 C#: Fix ordering of stubbed type members, implemented interfaces, and location comments 2021-09-03 09:53:34 +02:00
Tamás Vajk 82f61ca015
Merge pull request #6577 from tamasvajk/fix/cil-modified-pointer
C#: Temporarily extract modified pointers as unmodified during CIL ex…
2021-09-02 10:48:51 +02:00
Tom Hvitved c3ecae503b Data flow: Sync files 2021-09-01 19:58:47 +02:00
Tom Hvitved 136c8b5192 Data flow: Improve `callMayFlowThroughFwd` join order
Before:
```
[2021-08-25 09:56:29] (1395s) Tuple counts for DataFlowImpl2::Stage3::callMayFlowThroughFwd#ff/2@111fb3:
                      15495496   ~5%         {5} r1 = SCAN DataFlowImpl2::Stage3::fwdFlowOutFromArg#fffff#reorder_0_2_4_1_3 OUTPUT In.3, In.4, In.2 'config', In.0 'call', In.1
                      1450611958 ~6335%      {5} r2 = JOIN r1 WITH DataFlowImpl2::Stage3::fwdFlow#fffff_03412#join_rhs ON FIRST 3 OUTPUT Lhs.3 'call', Lhs.4, Lhs.2 'config', Rhs.3, Rhs.4
                      7043648    ~20415%     {2} r3 = JOIN r2 WITH DataFlowImpl2::Stage3::fwdFlowIsEntered#fffff#reorder_0_3_4_1_2 ON FIRST 5 OUTPUT Lhs.0 'call', Lhs.2 'config'
                                             return r3
```

After:
```
[2021-08-25 10:57:02] (2652s) Tuple counts for DataFlowImpl2::Stage3::callMayFlowThroughFwd#ff/2@d3e27b:
                      15495496 ~0%         {6} r1 = SCAN DataFlowImpl2::Stage3::fwdFlowOutFromArg#fffff#reorder_0_2_4_1_3 OUTPUT In.0 'call', In.1, In.2 'config', In.3, In.4, In.2 'config'
                      9236888  ~22%        {7} r2 = JOIN r1 WITH DataFlowImpl2::Stage3::fwdFlowIsEntered#fffff#reorder_0_3_4_1_2 ON FIRST 3 OUTPUT Lhs.3, Rhs.3, Rhs.4, Lhs.4, Lhs.5, Lhs.0 'call', Lhs.2 'config'
                      7043648  ~20415%     {2} r3 = JOIN r2 WITH DataFlowImpl2::Stage3::fwdFlow#fffff ON FIRST 5 OUTPUT Lhs.5 'call', Lhs.6 'config'
                                           return r3
```
2021-09-01 19:57:29 +02:00
Tamás Vajk e9ff6e8755
Merge pull request #6578 from tamasvajk/fix/cil-local-decoding
C#: Handle non-critical exception in CIL local variable extraction
2021-09-01 12:52:53 +02:00
Tamas Vajk b267d26ff8 C#: Fix completely broken type argument extraction in NoMetadataHandleType 2021-08-31 14:34:27 +02:00
Tamas Vajk d6ae19c87d C#: Handle non-critical exception in CIL local variable extraction 2021-08-31 14:29:53 +02:00
Tamas Vajk 0ba334bb22 C#: Temporarily extract modified pointers as unmodified during CIL extraction 2021-08-31 14:26:36 +02:00
Tom Hvitved c8a5397085
Merge pull request #6513 from hvitved/csharp/cfg/shared
C#: Make CFG library shared
2021-08-31 11:55:43 +02:00
Tom Hvitved 7fc536db15 Data flow: Add precise call contexts to stage 2 2021-08-31 10:44:33 +02:00
Tom Hvitved 789e2e48cf C#: Remove temporary dispatch restriction 2021-08-30 14:49:04 +02:00
Tom Hvitved 05b45da42f
Merge pull request #6556 from hvitved/csharp/insecure-sql-conn-flow
C#: Use data flow instead of taint tracking in `InsecureSQLConnection.ql`
2021-08-30 11:31:22 +02:00
Tom Hvitved 7e1efbdd8e C#: Use data flow instead of taint tracking in `InsecureSQLConnection.ql` 2021-08-26 13:48:57 +02:00
Tom Hvitved 592a42231f C#: Fix test for `InsecureSQLConnection.ql` 2021-08-26 13:48:56 +02:00
Tom Hvitved ab2bc38789 C#: Use shared logic in `NodeGraph.ql` test 2021-08-25 11:35:12 +02:00
Tom Hvitved d405284d36 C#: Make CFG library shared 2021-08-25 11:35:11 +02:00
Tom Hvitved 01f7fdfea5 C#: Update call-context data-flow tests 2021-08-25 10:34:53 +02:00
Ian Lynagh a9db1c52e5 All languages: Add getPrimaryQlClasses()
This is a non-overridable predicate that concatenates all the
getAPrimaryQlClass() results into a comma-separated string.
2021-08-23 15:49:10 +01:00
Andrew Eisenberg c9f1c98390 Packaging: C# refactoring
Split c# pack into `codeql/csharp-all` and `codeql/csharp-queries`.
2021-08-19 14:09:35 -07:00
Tamás Vajk 763de4fff9
Merge pull request #6425 from raulgarciamsft/insecureRandom_potential_fix
C#: Adding Membership.GeneratePassword() as a bad source of random data
2021-08-19 11:16:26 +02:00
Tamas Vajk d97525e21e Fix minor quality issues in comment and change note 2021-08-19 09:30:23 +02:00
Erik Krogh Kristensen dd59f79947 use min() instead of rank[1]() 2021-08-18 11:09:03 +02:00
Andrew Eisenberg 03d6b15401 Merge branch 'main' into aeisenberg/pack/cpp 2021-08-17 15:28:47 -07:00
Tom Hvitved 44ff623d8c
Merge pull request #5508 from edvraa/deserializers
deserialization sinks
2021-08-17 11:41:52 +02:00
Andrew Eisenberg e566fb9c5a Packaging: Update suite-helpers qlpack
Uses new style naming scheme.
2021-08-16 17:51:33 -07:00
Tamás Vajk 166a6b02f6
Merge pull request #6268 from tamasvajk/feature/generic-type-name
C#: Remove type args/params from generic type names in extractor
2021-08-16 12:22:16 +02:00
Tamas Vajk 2437546009 Merge branch 'main' into feature/service-stack 2021-08-10 15:16:17 +02:00
Tamas Vajk 243424063a Add pragma inline to getMember/Method/Callable 2021-08-10 13:25:56 +02:00
Tamas Vajk 51661bfa62 Add pragma noinline to fix uselessUpcast check 2021-08-10 13:24:30 +02:00
Tamas Vajk 91bd3d1a11 Cache getName to improve performance 2021-08-09 10:28:31 +02:00
Tom Hvitved 15db6dfb10
Merge pull request #6431 from hvitved/csharp/silence-xml-extraction
C#: Silence XML extraction commands
2021-08-09 09:36:23 +02:00
Tamás Vajk c1cf2a1c5f
Merge pull request #5579 from edvraa/cookies
C#: HttpOnly and Secure cookie queries
2021-08-09 08:58:11 +02:00
Raul Garcia 2708326624
Update csharp/ql/test/query-tests/Security Features/CWE-338/InsecureRandomness.cs
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
2021-08-05 16:33:01 -07:00
Raul Garcia (MSFT) e117077761 Adding change-note 2021-08-05 15:29:18 -07:00
Tom Hvitved 5b5ed97421 C#: Silence XML extraction commands 2021-08-05 15:24:01 +02:00
Tom Hvitved 9eb3f28ef1 C#: Add missing `nodes` predicate to XSS queries 2021-08-05 13:53:52 +02:00
Tom Hvitved 6471092139
Merge pull request #6394 from github/p0/csharp-virtual-dispatch-limit
C#: Guard against virtual dispatch branching too much.
2021-08-05 13:20:14 +02:00
Raul Garcia (MSFT) 7340a1293f Fixing query & test 2021-08-04 19:37:57 -07:00
Raul Garcia (MSFT) 8544356f90 Adding `Membership.GeneratePassword()` as a bad source of random data because of the bias. 2021-08-04 17:12:00 -07:00
edvraa db2f9add53 Post merge 2021-08-04 18:37:17 +03:00
edvraa d1e41689bb Merge with main 2021-08-04 14:25:34 +03:00
edvraa e790ee7c2e Fix formatting 2021-08-04 14:06:27 +03:00
Tamas Vajk 6405b89443 Add DB upgrade script to change generic type names to undecorated ones 2021-08-04 12:38:16 +02:00
Tamas Vajk f1a596ee81 Fix code review findings 2021-08-04 12:38:16 +02:00
Tamas Vajk 62f5af9ac8 Fix TupleType::getName 2021-08-04 12:38:16 +02:00
Tamas Vajk d3803b01e4 Fix nested generic type qualified names 2021-08-04 12:38:16 +02:00
Tamas Vajk 99fe9d8d07 Fix erroneous space in type name 2021-08-04 12:38:16 +02:00
Tamas Vajk 0cfd73c818 Adjust QL getName to the extracted undecorated names 2021-08-04 12:38:15 +02:00
Tamas Vajk 8df77060ba C#: Remove type args/params from generic type names in extractor 2021-08-04 12:38:15 +02:00
Pavel Avgustinov 2be9f3e41e C#: Guard against virtual dispatch branching too much.
We have observed databases where dispatch to highly overridden
virtual methods (like Enumerable.GetEnumerator) ends up branching
to many thousands of overrides, if there is not sufficient type
context to prune. This causes performance problems for analyses
that use dataflow.

As an immediate fix, this commit prevents branching to virtual
method overrides if this would result in branching to 1,000 or
more methods.
2021-08-02 09:40:16 +01:00
Tom Hvitved 7a475eb0a2 C#: Fix CSV overrides logic 2021-08-02 10:35:21 +02:00
Tom Hvitved df29538840 C#: Add test that exhibits bug in CSV overrides logic 2021-08-02 10:35:21 +02:00
Arthur Baars ed054acd8e
Merge pull request #6305 from intrigus-lgtm/patch-5
C# remove spurious spaces in <code> tag
2021-07-19 17:09:36 +02:00
Tom Hvitved 1c68d3f4cd
Merge pull request #6309 from hvitved/csharp/dead-store-of-local-perf
C#: Improve performance of `DeadStoreOfLocal.ql`
2021-07-17 10:56:35 +02:00
Tom Hvitved 25706e0812
Merge pull request #6303 from hvitved/csharp/get-qual-name-nomagic
C#: Two `pragma` performance fixes
2021-07-17 07:53:35 +02:00
Tom Hvitved 45ee21622d C#: Cache `NamedElement::getQualifiedName()` 2021-07-16 10:25:07 +02:00
Tom Hvitved 8321d5f312
Merge pull request #6293 from hvitved/csharp/ssa/remove-redundant-conjunct
C#: Remove redundant conjunct in `ssaDefReachesReadWithinBlock`
2021-07-16 06:15:34 +02:00
Tom Hvitved c53502a84a C#: Improve performance of `DeadStoreOfLocal.ql` 2021-07-15 22:26:07 +02:00
intrigus-lgtm 7aa19ea00f
C# remove spurious spaces in <code> tag 2021-07-15 19:34:36 +02:00
intrigus-lgtm 88bd464296
C# remove spurious spaces in <code> tag 2021-07-15 19:34:13 +02:00
intrigus-lgtm f587db4385
C# remove spurious spaces in <code> tag 2021-07-15 19:33:24 +02:00
Tom Hvitved 4180528d02 C#: Do not inline `getLeafTypeAt` 2021-07-15 15:41:16 +02:00
Tom Hvitved 7e4d761aa3 C#: Add `nomagic` to `NamedElement::getQualifiedName()` 2021-07-15 15:40:26 +02:00
Arthur Baars a47002c6d8
Merge pull request #6302 from github/aibaars/drop-spaces
C# remove spurious spaces in <code> tag
2021-07-15 14:57:21 +02:00
Arthur Baars e387d602b2 C# remove spurious spaces in <code> tag 2021-07-15 14:38:01 +02:00
Anders Schack-Mulligen 8ccdd4fb9f
Merge pull request #6211 from aschackmull/dataflow/refactor-call-context-check
Dataflow: Refactor call context check
2021-07-15 12:27:23 +02:00
Tom Hvitved caf88a2d31 C#: Remove redundant conjunct in `ssaDefReachesReadWithinBlock` 2021-07-15 12:25:33 +02:00
mr-sherman 04940a1105
Create 2021-07-14-service-stack-support.md 2021-07-14 15:54:28 -04:00
edvraa fd4d8e2595 Use HasFlow instead HasFlowPath 2021-07-14 16:06:34 +03:00
Anders Schack-Mulligen 11fc23ba09
Merge pull request #6030 from smowton/smowton/admin/test-generator
Add test-generator script + add generated models for Spring summary steps
2021-07-14 14:44:07 +02:00
Anders Schack-Mulligen 0ccb213ec5 Dataflow: Sync. 2021-07-14 10:36:09 +02:00
Tom Hvitved febebed15e Data flow: Use cached predicates from `DataFlowImplCommon` in `FlowSummaryImpl.qll` 2021-07-13 16:15:00 +02:00
Tom Hvitved cb1b227c87
Merge pull request #6270 from hvitved/csharp/standalone-nuget-restore
C#: Skip `dotnet restore` in standalone extraction when `nuget_restore: false` is set
2021-07-13 13:36:40 +02:00
Tom Hvitved 6ba6d9931c C#: Skip `dotnet restore` in standalone extraction when `nuget_restore: false` is set 2021-07-12 15:16:16 +02:00
edvraa a0942e0360 JsonConvert 2021-07-12 15:23:04 +03:00
edvraa f4cb6c50c0 YamlDotNet 2021-07-12 13:25:50 +03:00
edvraa 1e4409f9ed SharpSerializer 2021-07-12 13:22:20 +03:00
edvraa c3ac3ca41c FsPickler 2021-07-12 13:20:57 +03:00
Tom Hvitved 09daf86e33 Data flow: Fix bad join-orders in `summaryNodeType` 2021-07-12 12:09:06 +02:00
edvraa 1682e993bc Merge with Main 2021-07-12 11:32:47 +03:00
edvraa 40e8a900de Apply changes from code review 2021-07-12 02:08:23 +03:00
edvraa 6393dca22f Apply changes from code review 2021-07-12 01:13:41 +03:00
edvraa 3de7b280e4 AuthCookie.qll moved to experimental 2021-07-12 01:13:40 +03:00
edvraa 02f0d81830 delete unused predicate 2021-07-12 01:13:40 +03:00
edvraa 3723f7f132 comments 2021-07-12 01:13:40 +03:00
edvraa 2c9d6827ad comments 2021-07-12 01:13:40 +03:00
edvraa 74cb61a475 Autoformat 2021-07-12 01:13:40 +03:00
edvraa 65fb46af3d fix help files 2021-07-12 01:13:40 +03:00
edvraa d0e9a01edc Rename files 2021-07-12 01:13:40 +03:00
edvraa 5c9a3d5ce7 Single Secure query 2021-07-12 01:13:39 +03:00
edvraa 07327984b0 Single HttpOnly query 2021-07-12 01:13:39 +03:00
edvraa dea4d67ebd Extract to predicate isCookieWithSensitiveName 2021-07-12 01:13:39 +03:00
edvraa 7e723e90f1 Remove redundant `iResponse.getAppendMethod() = mc.getTarget()`, it is already covered by higher level `exists` 2021-07-12 01:13:39 +03:00
edvraa 98261a63c5 typo accessibe -> accessible 2021-07-12 01:13:39 +03:00
edvraa 89c4102462 HttpOnly and Secure cookie queries 2021-07-12 01:13:39 +03:00
Tom Hvitved 4de4753c67 C#: Remove `Query.qll` top-level modules 2021-07-04 09:35:27 +02:00
Tom Hvitved c812d4e4e8 C#: Add `Query` suffix to libraries that should only be imported by queries 2021-07-04 09:35:26 +02:00
github-actions[bot] 55aff21587 Add changed framework coverage reports 2021-07-02 00:09:02 +00:00
Tamás Vajk 05842dcdb3
Merge pull request #6181 from tamasvajk/feature/test-options-files
C#: Start using 'options' files in tests
2021-07-01 17:03:27 +02:00
Tamas Vajk 5e2770339f Add adjusted expected files 2021-07-01 16:09:11 +02:00
Tamas Vajk 03d1a3e0ad Trim test files + remove duplicate newlines 2021-07-01 16:09:11 +02:00
Tamas Vajk 4900ecfabe Manual fixes 2021-07-01 16:09:11 +02:00
Tamas Vajk c29d11087b C#: Start using 'options' files in tests 2021-07-01 16:08:47 +02:00
Anders Schack-Mulligen 37f8794d01
Merge pull request #6165 from edoardopirovano/fix-regression
Performance: Improve join order in data flow library
2021-07-01 14:13:18 +02:00
Tamás Vajk 10a6089739
Merge pull request #6148 from tamasvajk/feature/try-csv-source-models
C#: Start using CSV based flow models
2021-06-30 12:58:42 +02:00
Tamas Vajk 0946ae2ae9 Fix review findings 2021-06-30 11:39:51 +02:00