Commit graph

182 Commits

Author SHA1 Message Date
Tom Hvitved c3f23f542a C#: Add change note 2019-10-28 13:15:20 +01:00
semmle-qlci 30a907861b
Merge pull request #2193 from max-schaefer/js/autobuilder-exclude-node_modules
Approved by asger-semmle
2019-10-28 11:26:51 +00:00
Geoffrey White 8839bdd688
Merge pull request #1428 from jbj/infinite-loops-visible
C++: Make cpp/comparison-with-wider-type visible
2019-10-28 09:49:38 +00:00
semmle-qlci 33374ee089
Merge pull request #2202 from asger-semmle/express-sendfile
Approved by esbena
2019-10-28 09:24:34 +00:00
Ziemowit Laski 1d052a8e62 [CPP-434] Address comments re change notes. 2019-10-25 13:07:54 -07:00
semmle-qlci d2f3574427
Merge pull request #2165 from erik-krogh/dosHigh
Approved by asger-semmle
2019-10-25 16:28:07 +01:00
Jonas Jensen d63cc3d287 Merge remote-tracking branch 'upstream/master' into infinite-loops-visible
Moved the change note to 1.23.
2019-10-25 15:44:03 +02:00
Max Schaefer d4b9beb010 JavaScript: Teach autobuilder not to extract `node_modules` and `bower_components` folders. 2019-10-25 14:25:02 +01:00
Asger F 4e3f6c5107 JS: Add change note 2019-10-25 13:09:39 +01:00
yh-semmle 80fd5b2ada
Merge pull request #2175 from aschackmull/java/continue-in-false-loop
Java: Port C++ query cpp/continue-in-false-loop to Java.
2019-10-24 20:47:59 -04:00
Erik Krogh Kristensen 5489a80372 add query for detecting ignored calls to Array.prototype.concat 2019-10-24 16:17:19 +02:00
Erik Krogh Kristensen 834b572f45 add initial support for expressions in TypeScript 2019-10-24 10:17:00 +02:00
Calum Grant 6ac163abac C#: Add change note 2019-10-23 21:59:42 +01:00
Taus 30483db621
Merge pull request #2146 from RasmusWL/python-improve-iter-returns-non-iterator
Python: improve py/iter-returns-non-iterator
2019-10-23 11:53:00 +02:00
Robert Marsh 9f0499cce9
Merge pull request #2063 from jbj/dataflow-ref-parameter
C++: Data flow through reference parameters
2019-10-22 09:40:15 -07:00
Anders Schack-Mulligen da57dbc528 Java: Port C++ query cpp/continue-in-false-loop. 2019-10-22 17:07:57 +02:00
Rasmus Wriedt Larsen e487fd3648 Python: Improve alert message for py/iter-returns-non-iterator
Fixes https://github.com/Semmle/ql/issues/1427
2019-10-22 10:27:55 +02:00
semmle-qlci 1c79ec550e
Merge pull request #2092 from esben-semmle/js/brittle-system-reflection-command
Approved by mchammer01, xiemaisi
2019-10-22 08:36:44 +01:00
Erik Krogh Kristensen 1ae8e25603 change precision of js/loop-bound-injection and fix a false positive 2019-10-22 09:21:19 +02:00
semmle-qlci 0dcb189e67
Merge pull request #2162 from xiemaisi/js/remove-deprecated-queries
Approved by esben-semmle
2019-10-22 07:15:58 +01:00
Esben Sparre Andreasen 5a983cb535 JS: add query js/shell-command-injection-from-environment 2019-10-21 23:31:55 +02:00
Max Schaefer 90cefead84
Merge pull request #1988 from erik-krogh/unreacableOverloads
JS: Unreachable overloads
2019-10-21 14:57:29 +01:00
Max Schaefer 55fb86d618 JavaScript: Remove deprecated queries.
These queries have all been deprecated since 1.17 (released in July 2018). I think it's time to say goodbye.
2019-10-21 14:42:02 +01:00
Rasmus Wriedt Larsen 016c95a69c
Merge pull request #2078 from taus-semmle/python-unreachable-suppressed
Python: Teach `py/unreachable-statement` about `contextlib.suppress`.
2019-10-21 15:14:39 +02:00
Taus Brock-Nannestad 99b99ef2b6 Python: Teach `py/unreachable-statement` about `contextlib.suppress`. 2019-10-21 14:31:05 +02:00
Erik Krogh Kristensen 9eda120de4 implement a new query to detect unreachable overloaded methods in TypeScript 2019-10-21 13:34:42 +02:00
yh-semmle afcde14403
Merge pull request #2085 from aschackmull/java/overflow-check-fp
Java: Add another overflow check pattern to UselessComparisonTest.
2019-10-18 11:01:24 -04:00
Anders Schack-Mulligen 582a91f1e9 Java: Add change note. 2019-10-18 11:59:09 +02:00
Max Schaefer a4bffe35fd JavaScript: Add support for `globalThis`. 2019-10-17 12:04:01 +01:00
Geoffrey White 6f96d1759f
Merge pull request #2077 from jbj/cfg-enable-pr
C++: enable the QL-based CFG code
2019-10-16 14:06:22 +01:00
Esben Sparre Andreasen e1d7434be4 JS: add query js/useless-regexp-character-escape 2019-10-16 00:15:54 +02:00
Anders Schack-Mulligen 309961d493
Merge pull request #2118 from yh-semmle/java-non-sync-override
Java: restrict `java/non-sync-override` to immediate overrides
2019-10-15 16:40:00 +02:00
Tom Hvitved b142113037
Merge pull request #2087 from calumgrant/cs/localexprflow
C#: Implement localExprFlow and localExprTaint
2019-10-15 15:33:50 +02:00
Ziemowit Laski f40c21bf6e [CPP-434] Add release note. 2019-10-14 08:06:02 -07:00
Geoffrey White 62311eb37d CPP: Change note. 2019-10-14 11:03:49 +01:00
yh-semmle b37d92ac95 Java: add change note for `java/non-sync-override` 2019-10-11 19:36:45 -04:00
Jonas Jensen c99845ce5d
Merge pull request #2035 from geoffw0/comparison
CPP: Unclear comparison precedence template fix
2019-10-10 16:31:54 +02:00
semmle-qlci 7ba04768cd
Merge pull request #2098 from asger-semmle/ts-computed-field-name-context
Approved by esben-semmle
2019-10-10 12:06:46 +01:00
Geoffrey White cdf48cf0d4 CPP: Change note. 2019-10-10 09:23:03 +01:00
Esben Sparre Andreasen 0e79d3db46
Merge pull request #2065 from erik-krogh/noReturn
JS: use of returnless function
2019-10-09 13:44:39 +02:00
semmle-qlci c8e5be74d5
Merge pull request #2093 from asger-semmle/ts-unused-var-fix
Approved by erik-krogh
2019-10-08 13:51:46 +01:00
Asger F 1fc01d9b5d JS: Add change note 2019-10-08 13:51:13 +01:00
Jonas Jensen 5d7a0b8dd5 Merge remote-tracking branch 'upstream/master' into dataflow-ref-parameter
I've accepted the new test output, which shows that this branch fixes
two false negatives in the test cases from #2088.
2019-10-08 13:09:20 +02:00
Asger F ea35b8418a JS: Add change note 2019-10-08 12:05:31 +01:00
Erik Krogh Kristensen be18adca3c update description in change-notes 2019-10-08 11:54:56 +02:00
Erik Krogh Kristensen 9788b16dee add change note for js/use-of-returnless-function 2019-10-08 11:54:08 +02:00
Esben Sparre Andreasen 24a5301d87
Merge pull request #2056 from erik-krogh/suspiciousMethodName
JS: add query for detecting suspicious method names in TypeScript
2019-10-08 10:49:57 +02:00
Calum Grant af25536648 C#: Add localExprFlow and localExprTaint, and change notes. 2019-10-04 16:46:02 +01:00
Tom Hvitved b55e2948be
Merge pull request #1986 from calumgrant/cs/switch-cfg
C#: Fix CFG for switch statements where the default case is not the last
2019-10-04 16:54:04 +02:00
Calum Grant 48dee29620
Merge pull request #2021 from hvitved/csharp/local-not-disposed
C#: Refactor `cs/local-not-disposed` using data flow library
2019-10-03 15:21:06 +01:00
AlexTereshenkov 3e6f8fb6be
Add bind-socket-all-network-interfaces Python query (#2048)
Add bind-socket-all-network-interfaces Python query
2019-10-03 11:23:11 +01:00
Jonas Jensen 8bed418022 C++: enable the QL-based CFG code 2019-10-03 10:04:24 +02:00
Robert Marsh 68c38ba34a C++: Add change note 2019-10-02 11:38:20 -07:00
yh-semmle 3313af5189
Merge pull request #2036 from aschackmull/java/eq-ssa-guard
Java: Improve guards for equal ssa variables.
2019-10-02 12:00:59 -04:00
Tom Hvitved b66479c028 C#: Add change note 2019-10-02 16:31:26 +02:00
Anders Schack-Mulligen 0154e31e64 Java: Add change note. 2019-10-02 11:47:53 +02:00
Erik Krogh Kristensen aa1368741b rename suspicious-method-name to suspicious-method-name-declaration 2019-10-01 14:37:07 +02:00
Jonas Jensen 7c319efb8b C++: Data flow through reference parameters 2019-10-01 10:43:49 +02:00
Jonas Jensen f417640da4
Merge pull request #1938 from dave-bartolomeo/dave/InNOut
C++: Rename predicates in `FunctionInputsAndOutputs.qll` and add QLDoc
2019-09-30 13:30:19 +02:00
Erik Krogh Kristensen 0320f0f26b add query for detecting suspicious method names in TypeScript 2019-09-30 13:05:50 +02:00
Dave Bartolomeo 28aa7dcae2 C++: Fix PR feedback 2019-09-26 13:56:43 -07:00
Max Schaefer d4fca84898 JavaScript: Improve XSS sanitizer detection.
We now use local data flow to detect more regexp-based sanitizers.
2019-09-23 17:07:06 +01:00
Jonas Jensen 898976121b
Merge pull request #1987 from geoffw0/toomanyformat
CPP: WrongNumberOfFormatArguments.ql Fix
2019-09-23 16:05:11 +02:00
semmle-qlci e2c941c577
Merge pull request #1916 from erik-krogh/taintedLength
Approved by asger-semmle, xiemaisi
2019-09-23 11:47:48 +01:00
semmle-qlci 7a57a3c743
Merge pull request #1996 from xiemaisi/js/fix-illegal-invocation-refl
Approved by esben-semmle
2019-09-23 09:16:33 +01:00
Max Schaefer 149ae5d7ab JavaScript: Fix IllegalInvocation.
This fixes false positives that arise when a call such as `f.apply` can either be interpreted as a reflective invocation of `f`, or a normal call to method `apply` of `f`.
2019-09-23 07:44:14 +01:00
Erik Krogh Kristensen 814c5537be update name of loop bound injection in change-notes 2019-09-20 22:56:08 +02:00
Geoffrey White accb8246d4 CPP: Change note. 2019-09-20 15:15:35 +01:00
Calum Grant b31cd8ab32
Merge pull request #1982 from hvitved/csharp/null-maybe-dynamic
C#: Remove false positives from `cs/dereferenced-value-may-be-null`
2019-09-20 14:46:01 +01:00
Calum Grant 8408e90b5f C#: Change note & docs. 2019-09-20 14:44:07 +01:00
semmle-qlci 6d9d859119
Merge pull request #1934 from asger-semmle/node-js-classification
Approved by esben-semmle
2019-09-20 09:50:34 +01:00
Tom Hvitved fb68d839a9 C#: Add change note 2019-09-20 10:40:20 +02:00
Robert Marsh fd88f7a3ce
Merge pull request #1884 from jbj/dataflow-addressof
C++: Data flow through address-of operator (&)
2019-09-19 09:15:43 -07:00
semmle-qlci 6f2e485ace
Merge pull request #1950 from xiemaisi/js/rate-limiter-flexible
Approved by esben-semmle
2019-09-19 12:45:45 +01:00
Erik Krogh Kristensen 3ef187f7f2
Add external/cwe/cwe-834 tag in change notes for js/loop-bound-injectoin
Co-Authored-By: Max Schaefer <max@semmle.com>
2019-09-19 11:30:15 +02:00
Esben Sparre Andreasen b631bfc8eb
Merge branch 'master' into node-js-classification 2019-09-19 09:42:26 +02:00
semmle-qlci 57a6c0c20d
Merge pull request #1918 from esben-semmle/js/improve-getAResponseDataNode
Approved by asger-semmle
2019-09-18 14:03:45 +01:00
semmle-qlci 479fca9e30
Merge pull request #1946 from xiemaisi/js/top-level-await
Approved by asger-semmle
2019-09-18 12:32:09 +01:00
Max Schaefer 3970ead7ab JavaScript: Add support for `rate-limiter-flexible` package. 2019-09-18 12:25:33 +01:00
Max Schaefer 9ff5c7007a JavaScript: Add support for top-level `await`. 2019-09-18 09:56:21 +01:00
Esben Sparre Andreasen ac6554b7da
Merge branch 'master' into js/improve-getAResponseDataNode 2019-09-17 13:18:41 +02:00
Jonas Jensen fd6d06fe6f C++: Data flow through address-of operator (&)
The data flow library conflates pointers and their objects in some
places but not others. For example, a member function call `x.f()` will
cause flow from `x` of type `T` to `this` of type `T*` inside `f`. It
might be ideal to avoid that conflation, but that's not realistic
without using the IR.

We've had good experience in the taint tracking library with conflating
pointers and objects, and it improves results for field flow, so perhaps
it's time to try it out for all data flow.
2019-09-17 13:16:34 +02:00
Asger F f8eff06aa1 JS: Change note 2019-09-17 11:20:39 +01:00
Esben Sparre Andreasen c9d31e90fe JS: add change notes 2019-09-16 10:11:43 +02:00
Erik Krogh Kristensen 3fb64abb09
fix consistency and spelling in the documentation
suggestions from the documentation team

Co-Authored-By: shati-patel <42641846+shati-patel@users.noreply.github.com>
2019-09-13 14:52:11 +01:00
Erik Krogh Kristensen 5b2b60f132
change DOS to DoS, and other small documentation fixes
Co-Authored-By: Max Schaefer <max@semmle.com>
2019-09-13 10:26:01 +01:00
Erik Krogh Kristensen 17a71a97c5 add loop-bound-injection to change-notes 2019-09-12 15:28:14 +01:00
Calum Grant e330d5a6c6
Merge pull request #1549 from hvitved/csharp/cfg/loop-unrolling
C#: Loop unrolling for `foreach` statements
2019-09-12 10:24:26 +01:00
semmle-qlci 72db219c13
Merge pull request #1910 from xiemaisi/js/unused-index-variable
Approved by esben-semmle, shati-semmle
2019-09-11 14:33:32 +01:00
Max Schaefer 500cde68c3 JavaScript: Add new query `UnusedIndexVariable`. 2019-09-11 11:36:50 +01:00
Esben Sparre Andreasen 086c473c18 JS: sharpen js/http-to-file-access 2019-09-11 12:05:33 +02:00
semmle-qlci 16c95d8c5e
Merge pull request #1876 from esben-semmle/js/more-delimiter-stripping-whitelisting
Approved by xiemaisi
2019-09-11 09:16:57 +01:00
Esben Sparre Andreasen f7bfc472c1 JS: treat server responses as untrusted for command injections 2019-09-11 09:38:18 +02:00
Asger F 194a1c3530 JS: Change note 2019-09-09 15:42:43 +01:00
semmle-qlci e899250e87
Merge pull request #1894 from asger-semmle/fp-incorrect-suffix-check
Approved by xiemaisi
2019-09-09 15:33:47 +01:00
semmle-qlci 89cba089b4
Merge pull request #1892 from asger-semmle/event-handler-sink
Approved by esben-semmle
2019-09-09 15:33:21 +01:00
Asger F b6690bb644 JS: Add change note 2019-09-09 12:45:03 +01:00
Calum Grant 3734552081 C#: Add change note for datetime queries. 2019-09-06 16:45:02 +01:00
Asger F dfd18a51ee JS: Change note 2019-09-06 16:03:16 +01:00
Robert Marsh 94c625f03f
Merge pull request #1777 from jbj/ast-field-flow-defbyref
C++: Don't use definitionByReference for data flow
2019-09-05 10:23:28 -07:00