Tom Hvitved
c3f23f542a
C#: Add change note
2019-10-28 13:15:20 +01:00
semmle-qlci
30a907861b
Merge pull request #2193 from max-schaefer/js/autobuilder-exclude-node_modules
...
Approved by asger-semmle
2019-10-28 11:26:51 +00:00
Geoffrey White
8839bdd688
Merge pull request #1428 from jbj/infinite-loops-visible
...
C++: Make cpp/comparison-with-wider-type visible
2019-10-28 09:49:38 +00:00
semmle-qlci
33374ee089
Merge pull request #2202 from asger-semmle/express-sendfile
...
Approved by esbena
2019-10-28 09:24:34 +00:00
Ziemowit Laski
1d052a8e62
[CPP-434] Address comments re change notes.
2019-10-25 13:07:54 -07:00
semmle-qlci
d2f3574427
Merge pull request #2165 from erik-krogh/dosHigh
...
Approved by asger-semmle
2019-10-25 16:28:07 +01:00
Jonas Jensen
d63cc3d287
Merge remote-tracking branch 'upstream/master' into infinite-loops-visible
...
Moved the change note to 1.23.
2019-10-25 15:44:03 +02:00
Max Schaefer
d4b9beb010
JavaScript: Teach autobuilder not to extract `node_modules` and `bower_components` folders.
2019-10-25 14:25:02 +01:00
Asger F
4e3f6c5107
JS: Add change note
2019-10-25 13:09:39 +01:00
yh-semmle
80fd5b2ada
Merge pull request #2175 from aschackmull/java/continue-in-false-loop
...
Java: Port C++ query cpp/continue-in-false-loop to Java.
2019-10-24 20:47:59 -04:00
Erik Krogh Kristensen
5489a80372
add query for detecting ignored calls to Array.prototype.concat
2019-10-24 16:17:19 +02:00
Erik Krogh Kristensen
834b572f45
add initial support for expressions in TypeScript
2019-10-24 10:17:00 +02:00
Calum Grant
6ac163abac
C#: Add change note
2019-10-23 21:59:42 +01:00
Taus
30483db621
Merge pull request #2146 from RasmusWL/python-improve-iter-returns-non-iterator
...
Python: improve py/iter-returns-non-iterator
2019-10-23 11:53:00 +02:00
Robert Marsh
9f0499cce9
Merge pull request #2063 from jbj/dataflow-ref-parameter
...
C++: Data flow through reference parameters
2019-10-22 09:40:15 -07:00
Anders Schack-Mulligen
da57dbc528
Java: Port C++ query cpp/continue-in-false-loop.
2019-10-22 17:07:57 +02:00
Rasmus Wriedt Larsen
e487fd3648
Python: Improve alert message for py/iter-returns-non-iterator
...
Fixes https://github.com/Semmle/ql/issues/1427
2019-10-22 10:27:55 +02:00
semmle-qlci
1c79ec550e
Merge pull request #2092 from esben-semmle/js/brittle-system-reflection-command
...
Approved by mchammer01, xiemaisi
2019-10-22 08:36:44 +01:00
Erik Krogh Kristensen
1ae8e25603
change precision of js/loop-bound-injection and fix a false positive
2019-10-22 09:21:19 +02:00
semmle-qlci
0dcb189e67
Merge pull request #2162 from xiemaisi/js/remove-deprecated-queries
...
Approved by esben-semmle
2019-10-22 07:15:58 +01:00
Esben Sparre Andreasen
5a983cb535
JS: add query js/shell-command-injection-from-environment
2019-10-21 23:31:55 +02:00
Max Schaefer
90cefead84
Merge pull request #1988 from erik-krogh/unreacableOverloads
...
JS: Unreachable overloads
2019-10-21 14:57:29 +01:00
Max Schaefer
55fb86d618
JavaScript: Remove deprecated queries.
...
These queries have all been deprecated since 1.17 (released in July 2018). I think it's time to say goodbye.
2019-10-21 14:42:02 +01:00
Rasmus Wriedt Larsen
016c95a69c
Merge pull request #2078 from taus-semmle/python-unreachable-suppressed
...
Python: Teach `py/unreachable-statement` about `contextlib.suppress`.
2019-10-21 15:14:39 +02:00
Taus Brock-Nannestad
99b99ef2b6
Python: Teach `py/unreachable-statement` about `contextlib.suppress`.
2019-10-21 14:31:05 +02:00
Erik Krogh Kristensen
9eda120de4
implement a new query to detect unreachable overloaded methods in TypeScript
2019-10-21 13:34:42 +02:00
yh-semmle
afcde14403
Merge pull request #2085 from aschackmull/java/overflow-check-fp
...
Java: Add another overflow check pattern to UselessComparisonTest.
2019-10-18 11:01:24 -04:00
Anders Schack-Mulligen
582a91f1e9
Java: Add change note.
2019-10-18 11:59:09 +02:00
Max Schaefer
a4bffe35fd
JavaScript: Add support for `globalThis`.
2019-10-17 12:04:01 +01:00
Geoffrey White
6f96d1759f
Merge pull request #2077 from jbj/cfg-enable-pr
...
C++: enable the QL-based CFG code
2019-10-16 14:06:22 +01:00
Esben Sparre Andreasen
e1d7434be4
JS: add query js/useless-regexp-character-escape
2019-10-16 00:15:54 +02:00
Anders Schack-Mulligen
309961d493
Merge pull request #2118 from yh-semmle/java-non-sync-override
...
Java: restrict `java/non-sync-override` to immediate overrides
2019-10-15 16:40:00 +02:00
Tom Hvitved
b142113037
Merge pull request #2087 from calumgrant/cs/localexprflow
...
C#: Implement localExprFlow and localExprTaint
2019-10-15 15:33:50 +02:00
Ziemowit Laski
f40c21bf6e
[CPP-434] Add release note.
2019-10-14 08:06:02 -07:00
Geoffrey White
62311eb37d
CPP: Change note.
2019-10-14 11:03:49 +01:00
yh-semmle
b37d92ac95
Java: add change note for `java/non-sync-override`
2019-10-11 19:36:45 -04:00
Jonas Jensen
c99845ce5d
Merge pull request #2035 from geoffw0/comparison
...
CPP: Unclear comparison precedence template fix
2019-10-10 16:31:54 +02:00
semmle-qlci
7ba04768cd
Merge pull request #2098 from asger-semmle/ts-computed-field-name-context
...
Approved by esben-semmle
2019-10-10 12:06:46 +01:00
Geoffrey White
cdf48cf0d4
CPP: Change note.
2019-10-10 09:23:03 +01:00
Esben Sparre Andreasen
0e79d3db46
Merge pull request #2065 from erik-krogh/noReturn
...
JS: use of returnless function
2019-10-09 13:44:39 +02:00
semmle-qlci
c8e5be74d5
Merge pull request #2093 from asger-semmle/ts-unused-var-fix
...
Approved by erik-krogh
2019-10-08 13:51:46 +01:00
Asger F
1fc01d9b5d
JS: Add change note
2019-10-08 13:51:13 +01:00
Jonas Jensen
5d7a0b8dd5
Merge remote-tracking branch 'upstream/master' into dataflow-ref-parameter
...
I've accepted the new test output, which shows that this branch fixes
two false negatives in the test cases from #2088.
2019-10-08 13:09:20 +02:00
Asger F
ea35b8418a
JS: Add change note
2019-10-08 12:05:31 +01:00
Erik Krogh Kristensen
be18adca3c
update description in change-notes
2019-10-08 11:54:56 +02:00
Erik Krogh Kristensen
9788b16dee
add change note for js/use-of-returnless-function
2019-10-08 11:54:08 +02:00
Esben Sparre Andreasen
24a5301d87
Merge pull request #2056 from erik-krogh/suspiciousMethodName
...
JS: add query for detecting suspicious method names in TypeScript
2019-10-08 10:49:57 +02:00
Calum Grant
af25536648
C#: Add localExprFlow and localExprTaint, and change notes.
2019-10-04 16:46:02 +01:00
Tom Hvitved
b55e2948be
Merge pull request #1986 from calumgrant/cs/switch-cfg
...
C#: Fix CFG for switch statements where the default case is not the last
2019-10-04 16:54:04 +02:00
Calum Grant
48dee29620
Merge pull request #2021 from hvitved/csharp/local-not-disposed
...
C#: Refactor `cs/local-not-disposed` using data flow library
2019-10-03 15:21:06 +01:00
AlexTereshenkov
3e6f8fb6be
Add bind-socket-all-network-interfaces Python query (#2048)
...
Add bind-socket-all-network-interfaces Python query
2019-10-03 11:23:11 +01:00
Jonas Jensen
8bed418022
C++: enable the QL-based CFG code
2019-10-03 10:04:24 +02:00
Robert Marsh
68c38ba34a
C++: Add change note
2019-10-02 11:38:20 -07:00
yh-semmle
3313af5189
Merge pull request #2036 from aschackmull/java/eq-ssa-guard
...
Java: Improve guards for equal ssa variables.
2019-10-02 12:00:59 -04:00
Tom Hvitved
b66479c028
C#: Add change note
2019-10-02 16:31:26 +02:00
Anders Schack-Mulligen
0154e31e64
Java: Add change note.
2019-10-02 11:47:53 +02:00
Erik Krogh Kristensen
aa1368741b
rename suspicious-method-name to suspicious-method-name-declaration
2019-10-01 14:37:07 +02:00
Jonas Jensen
7c319efb8b
C++: Data flow through reference parameters
2019-10-01 10:43:49 +02:00
Jonas Jensen
f417640da4
Merge pull request #1938 from dave-bartolomeo/dave/InNOut
...
C++: Rename predicates in `FunctionInputsAndOutputs.qll` and add QLDoc
2019-09-30 13:30:19 +02:00
Erik Krogh Kristensen
0320f0f26b
add query for detecting suspicious method names in TypeScript
2019-09-30 13:05:50 +02:00
Dave Bartolomeo
28aa7dcae2
C++: Fix PR feedback
2019-09-26 13:56:43 -07:00
Max Schaefer
d4fca84898
JavaScript: Improve XSS sanitizer detection.
...
We now use local data flow to detect more regexp-based sanitizers.
2019-09-23 17:07:06 +01:00
Jonas Jensen
898976121b
Merge pull request #1987 from geoffw0/toomanyformat
...
CPP: WrongNumberOfFormatArguments.ql Fix
2019-09-23 16:05:11 +02:00
semmle-qlci
e2c941c577
Merge pull request #1916 from erik-krogh/taintedLength
...
Approved by asger-semmle, xiemaisi
2019-09-23 11:47:48 +01:00
semmle-qlci
7a57a3c743
Merge pull request #1996 from xiemaisi/js/fix-illegal-invocation-refl
...
Approved by esben-semmle
2019-09-23 09:16:33 +01:00
Max Schaefer
149ae5d7ab
JavaScript: Fix IllegalInvocation.
...
This fixes false positives that arise when a call such as `f.apply` can either be interpreted as a reflective invocation of `f`, or a normal call to method `apply` of `f`.
2019-09-23 07:44:14 +01:00
Erik Krogh Kristensen
814c5537be
update name of loop bound injection in change-notes
2019-09-20 22:56:08 +02:00
Geoffrey White
accb8246d4
CPP: Change note.
2019-09-20 15:15:35 +01:00
Calum Grant
b31cd8ab32
Merge pull request #1982 from hvitved/csharp/null-maybe-dynamic
...
C#: Remove false positives from `cs/dereferenced-value-may-be-null`
2019-09-20 14:46:01 +01:00
Calum Grant
8408e90b5f
C#: Change note & docs.
2019-09-20 14:44:07 +01:00
semmle-qlci
6d9d859119
Merge pull request #1934 from asger-semmle/node-js-classification
...
Approved by esben-semmle
2019-09-20 09:50:34 +01:00
Tom Hvitved
fb68d839a9
C#: Add change note
2019-09-20 10:40:20 +02:00
Robert Marsh
fd88f7a3ce
Merge pull request #1884 from jbj/dataflow-addressof
...
C++: Data flow through address-of operator (&)
2019-09-19 09:15:43 -07:00
semmle-qlci
6f2e485ace
Merge pull request #1950 from xiemaisi/js/rate-limiter-flexible
...
Approved by esben-semmle
2019-09-19 12:45:45 +01:00
Erik Krogh Kristensen
3ef187f7f2
Add external/cwe/cwe-834 tag in change notes for js/loop-bound-injection
...
Co-Authored-By: Max Schaefer <max@semmle.com>
2019-09-19 11:30:15 +02:00
Esben Sparre Andreasen
b631bfc8eb
Merge branch 'master' into node-js-classification
2019-09-19 09:42:26 +02:00
semmle-qlci
57a6c0c20d
Merge pull request #1918 from esben-semmle/js/improve-getAResponseDataNode
...
Approved by asger-semmle
2019-09-18 14:03:45 +01:00
semmle-qlci
479fca9e30
Merge pull request #1946 from xiemaisi/js/top-level-await
...
Approved by asger-semmle
2019-09-18 12:32:09 +01:00
Max Schaefer
3970ead7ab
JavaScript: Add support for `rate-limiter-flexible` package.
2019-09-18 12:25:33 +01:00
Max Schaefer
9ff5c7007a
JavaScript: Add support for top-level `await`.
2019-09-18 09:56:21 +01:00
Esben Sparre Andreasen
ac6554b7da
Merge branch 'master' into js/improve-getAResponseDataNode
2019-09-17 13:18:41 +02:00
Jonas Jensen
fd6d06fe6f
C++: Data flow through address-of operator (&)
...
The data flow library conflates pointers and their objects in some
places but not others. For example, a member function call `x.f()` will
cause flow from `x` of type `T` to `this` of type `T*` inside `f`. It
might be ideal to avoid that conflation, but that's not realistic
without using the IR.
We've had good experience in the taint tracking library with conflating
pointers and objects, and it improves results for field flow, so perhaps
it's time to try it out for all data flow.
2019-09-17 13:16:34 +02:00
Asger F
f8eff06aa1
JS: Change note
2019-09-17 11:20:39 +01:00
Esben Sparre Andreasen
c9d31e90fe
JS: add change notes
2019-09-16 10:11:43 +02:00
Erik Krogh Kristensen
3fb64abb09
fix consistency and spelling in the documentation
...
suggestions from the documentation team
Co-Authored-By: shati-patel <42641846+shati-patel@users.noreply.github.com>
2019-09-13 14:52:11 +01:00
Erik Krogh Kristensen
5b2b60f132
change DOS to DoS, and other small documentation fixes
...
Co-Authored-By: Max Schaefer <max@semmle.com>
2019-09-13 10:26:01 +01:00
Erik Krogh Kristensen
17a71a97c5
add loop-bound-injection to change-notes
2019-09-12 15:28:14 +01:00
Calum Grant
e330d5a6c6
Merge pull request #1549 from hvitved/csharp/cfg/loop-unrolling
...
C#: Loop unrolling for `foreach` statements
2019-09-12 10:24:26 +01:00
semmle-qlci
72db219c13
Merge pull request #1910 from xiemaisi/js/unused-index-variable
...
Approved by esben-semmle, shati-semmle
2019-09-11 14:33:32 +01:00
Max Schaefer
500cde68c3
JavaScript: Add new query `UnusedIndexVariable`.
2019-09-11 11:36:50 +01:00
Esben Sparre Andreasen
086c473c18
JS: sharpen js/http-to-file-access
2019-09-11 12:05:33 +02:00
semmle-qlci
16c95d8c5e
Merge pull request #1876 from esben-semmle/js/more-delimiter-stripping-whitelisting
...
Approved by xiemaisi
2019-09-11 09:16:57 +01:00
Esben Sparre Andreasen
f7bfc472c1
JS: treat server responses as untrusted for command injections
2019-09-11 09:38:18 +02:00
Asger F
194a1c3530
JS: Change note
2019-09-09 15:42:43 +01:00
semmle-qlci
e899250e87
Merge pull request #1894 from asger-semmle/fp-incorrect-suffix-check
...
Approved by xiemaisi
2019-09-09 15:33:47 +01:00
semmle-qlci
89cba089b4
Merge pull request #1892 from asger-semmle/event-handler-sink
...
Approved by esben-semmle
2019-09-09 15:33:21 +01:00
Asger F
b6690bb644
JS: Add change note
2019-09-09 12:45:03 +01:00
Calum Grant
3734552081
C#: Add change note for datetime queries.
2019-09-06 16:45:02 +01:00
Asger F
dfd18a51ee
JS: Change note
2019-09-06 16:03:16 +01:00
Robert Marsh
94c625f03f
Merge pull request #1777 from jbj/ast-field-flow-defbyref
...
C++: Don't use definitionByReference for data flow
2019-09-05 10:23:28 -07:00