Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Create SECURITY.dc #3168

Open
wants to merge 3,317 commits into
base: cs/assembly-prefix
Choose a base branch
from
Open

Create SECURITY.dc #3168

wants to merge 3,317 commits into from

Conversation

wdcne
Copy link

@wdcne wdcne commented Mar 31, 2020

No description provided.

BekaValentine and others added 30 commits March 16, 2020 11:24
@BekaValentine
Python: ObjectAPI.qll: Adds getOrigin predicate
787b80f
@BekaValentine
Python: Exceptions.qll: Updates handledObject to use getOrigin
5d55db1
@esbena
JS: add Mongoose createConnection tests
730396d
@esbena
JS: model mongoose Model on createConnection.<model/models>
dc27a8f
@esbena
JS: add Mongoose Document tests
55ab519
@esbena
JS: model Mongoose Document for additional js/nosql-injection sinks
9d9926f
@esbena
JS: fixup mongoose test
833d1b1
@esbena
JS: refactor NoSQL::Mongoose. Introduce Mongoose::CommonInterface
b75486b
@esbena
Merge pull request github#3045 from Semmle/esbena-patch-2
7dc8066 
JS: loosen qldoc for `barrierGuardIsRelevant`
@BekaValentine
Python: IllegalExceptionHandlerType.ql: Autoformats
45e47b9
@BekaValentine
Python: ObjectAPI.qll: getOrigin now returns a CFG
34ab4ef
@BekaValentine
Python: Exceptions.qll: Clean up handleObject again
c7a2925
@BekaValentine
Python: IncorrectExceptOrder.ql: Autoformats w/ new QL indentation
68c455c
@BekaValentine
Python: UnguardedNextInGenerator.ql: Excludes next with default value
ff6e0ce
@rdmarsh2
C++/C#: autoformat
de2d23b
@jbj
Docs: refactor guidelines for new queries
9899d46
@erik-krogh
autoformat
d7b69fc
@aschackmull
Java: Add URLDecoder.decode as taint step.
9c9e302
@erik-krogh
change import to an absolute import to fix warning
095d4d7
@esbena
JS: rename Mongoose::CommonInterfase -> Mongoose::InvokeNode
380f66c
@erik-krogh @esbena
Apply suggestions from code review
9a3176d 
Co-Authored-By: Esben Sparre Andreasen <esbena@github.com>
@erik-krogh
changes based on review
1dfe9e9
@erik-krogh
add change note
9403026
@p0
Merge pull request github#3078 from jbj/contributing-supported-2
1472bf0 
Docs: refactor guidelines for new queries
@semmle-qlci
Merge pull request github#3065 from erik-krogh/PathSinks
ea46873 
Approved by esbena
@semmle-qlci
Merge pull request github#3036 from erik-krogh/CustomTrack
fa08258 
Approved by asgerf
@semmle-qlci
Merge pull request github#3070 from erik-krogh/DataPerf
8792d0d 
Approved by asgerf
@hvitved
Address review comments
0645940
@hvitved
Data flow: Sync files
2e8bd5c
@dbartol
C++: Model varargs in IR, Part I
9cc3cda 
This change introduces a new synthesized `IRVariable` in every varargs function. This variable represents the entire set of arguments passed to the ellipsis by the caller. We give it an opaque type big enough hold all of the arguments passed by the largest vararg call in the database. It is treated just like any other parameter. It is initialized the same, it has indirect buffers, etc.

I had to introduce a couple new APIs to `Call` and `Function`. The QLDoc comments should explain these. I added tests for these new APIs as well.

The next step will be to change the IR generation for the `va_*` macros to manipulate the ellipsis parameter.
RasmusWL and others added 28 commits March 27, 2020 16:20
@RasmusWL
Python: Constrain execution paths for taint_at_depth
d55acc3 
Thanks Taus!
@jf205
Update language.rst
2c571d3
@shati-patel
Merge pull request github#3149 from Semmle/jf205-patch-2
28e5904 
Change 'Set Literals' to 'Set literals'
@nickrolfe
Merge pull request github#3147 from dbartol/dbartol/FloatLiterals
1baf5df 
C++: Fix test expectations for complex literals
@aschackmull
Merge pull request github#3142 from MathiasVP/no-magic-in-parameterTh…
57c9277 
…roughFlowCand

Data flow: No magic in returnFlowCallableCand
@aschackmull
Merge pull request github#3117 from adityasharad/java/jackson-taint-s…
b2769b4 
…teps

Java: Add taint steps through Jackson serialization methods.
@tausbn
Merge pull request github#3132 from RasmusWL/python-fix-iterable-unpa…
b4fbfa0 
…cking-taint-CP

Python: Fix iterable-unpacking taint CP
Data flow: Add module doc comment for TaintTrackingImpl.qll
e5e94e3 
Modelled after the correponding comment for `DataFlowImpl.qll`.
@tausbn
Python: Autoformat all .ql files.
87a9f51
@aschackmull
Merge pull request github#3155 from max-schaefer/add-module-comment
caf0d15 
Data flow: Add module doc comment for `TaintTrackingImpl.qll`
@tausbn
Merge branch 'master' into python-autoformat-almost-everything
6eb9c6f
@tausbn
Python: Autoformat a few final stragglers.
727cde3
@tausbn
Python: Autoformat one final straggler.
ab4cef5
@hvitved
Merge pull request github#2921 from aschackmull/dataflow/consistency-…
9fa9c10 
…checks

Java: Add data-flow consistency checks.
@semmle-qlci
Merge pull request github#3127 from erik-krogh/PromiseTrack
fce04f0 
Approved by asgerf
@tausbn
Python: Fix test failures.
b990fac 
How could the tests fail because of autoformatting, you may ask?

The answer is deprecation warnings. These specify the location of the deprecated
entity, and due to autoformatting these moved around.
@max-schaefer
Docs: Bump supported Go version.
3657514 
cf github/codeql-go#39
@jbj
C++: Remove noise from argHasPostUpdate check
dd322be 
This consistency check seems to have value for AST data flow, but I've
disabled it on the IR for now.

This commit also includes two unrelated changes that seem to fix a
semantic merge conflict.
@RasmusWL
Merge pull request github#3096 from tausbn/python-autoformat-almost-e…
573494d 
…verything

Python: Autoformat (almost) all `.qll` files.
@RasmusWL
Merge pull request github#3156 from tausbn/python-autoformat-all-ql-f…
0b4bfed 
…iles

Python: Autoformat all `.ql` files.
@jbj
C++: Fix other copies of the argHasPostUpdate test
531ef64
@RasmusWL
Python: Apply suggestion from Taus
663dc24 
rewrote the qldoc to explain it as well.
@RasmusWL
Python: Move helper predicate outside of class
fad03e7 
otherwise the helper predicate can (and sometimes will) be evaluated once _per_
instance of that class.
@RasmusWL
Python: Fixup comment alignment
6127d8b
@semmle-qlci
Merge pull request github#3161 from Semmle/max-schaefer-patch-1
3027e5d 
Approved by felicitymay
@rdmarsh2
Merge pull request github#3162 from jbj/argHasPostUpdate-cpp
4bbf462 
C++: Remove noise from argHasPostUpdate check
@tausbn
Merge pull request github#2889 from RasmusWL/python-add-custom-saniti…
e31143c 
…zer-example

Python: Add example for how to write your own sanitizer
@wdcne
Create SECURITY.dc
f04cfea
@ghost
Copy link

ghost commented Mar 31, 2020

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@wdcne wdcne changed the base branch from master to cs/assembly-prefix March 31, 2020 01:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.