Overview
38 Pull requests merged by 19 people
-
Dataflow: Replace a 'noinline' pragma with a 'nomagic' pragma
#7025 merged
Nov 2, 2021 -
RC 3.3: merge codeql-ruby repository into github/codeql
#6955 merged
Nov 2, 2021 -
Python: Add modeling of `toml`
#7023 merged
Nov 2, 2021 -
Python: Model FastAPI
#6782 merged
Nov 2, 2021 -
JS: Move LDAP injection out of experimental
#6781 merged
Nov 2, 2021 -
Dataflow: Add support for call context restrictions on sources/sinks.
#6932 merged
Nov 2, 2021 -
Ruby: use the `rb/` prefix in all query ids
#7026 merged
Nov 2, 2021 -
JS: add cwe-319 to js/clear-text-cookie
#7022 merged
Nov 2, 2021 -
Python: Type tracker changes
#6858 merged
Nov 2, 2021 -
Use the new instanceof syntax everywhere
#6934 merged
Nov 2, 2021 -
remove redundant inline casts
#6994 merged
Nov 2, 2021 -
C++: Add `isFromSystemMacroDefinition` predicate
#7014 merged
Nov 2, 2021 -
Java: Deprecate `StringLiteral.getRepresentedString()`
#7004 merged
Nov 2, 2021 -
C# : Add query to detect SSRF
#5110 merged
Nov 2, 2021 -
Update CSV framework coverage reports
#7020 merged
Nov 2, 2021 -
Java: Model java.util.Optional lambda methods
#7008 merged
Nov 1, 2021 -
Java: Add `CharacterLiteral.getCodePointValue()`
#6614 merged
Nov 1, 2021 -
Fixed a typo. ( Minor PR)
#7012 merged
Nov 1, 2021 -
JS: Fix FP in mixed-this static access
#7003 merged
Nov 1, 2021 -
Python: Support `flask.blueprints.Blueprint`
#6991 merged
Oct 29, 2021 -
Python: Model `asyncpg`
#6776 merged
Oct 29, 2021 -
Dataflow: Refactor public references to DataFlowCallable
#7000 merged
Oct 29, 2021 -
Fix LGTM version number in language reference
#6965 merged
Oct 29, 2021 -
JS: Move cookie queries out of experimental.
#6855 merged
Oct 29, 2021 -
C++: Fix the two null termination queries and re-enable them.
#6915 merged
Oct 29, 2021 -
Docs: Fix one-word typo
#6856 merged
Oct 28, 2021 -
Java: instanceof pattern matching is no longer a preview feature
#6992 merged
Oct 28, 2021 -
Python: Small fixup for `flask.send_from_directory`
#6989 merged
Oct 28, 2021 -
Ruby: clean up docs
#6987 merged
Oct 28, 2021 -
C++: Remove old and unused qhelp files
#6980 merged
Oct 28, 2021 -
Python : Add Flask sinks for path injection query
#6330 merged
Oct 28, 2021 -
Python: Model `ruamel.yaml` PyPI package
#6967 merged
Oct 28, 2021 -
Update CSV framework coverage reports
#6983 merged
Oct 28, 2021 -
Ruby: also revert Cargo.lock
#6982 merged
Oct 27, 2021 -
Ruby: update lgtm.com query console links
#6981 merged
Oct 27, 2021 -
Ruby: revert crate updates
#6979 merged
Oct 27, 2021 -
Ruby: update Cargo.lock
#6974 merged
Oct 27, 2021 -
Java: Simple support for Ratpack HTTP Framework
#4991 merged
Oct 27, 2021
30 Pull requests opened by 20 people
-
Python: Promote ReDoS queries
#6972 opened
Oct 27, 2021 -
Java: CWE-266 - Query to detect Intent URI Permission Manipulation in Android applications
#6975 opened
Oct 27, 2021 -
Ruby: add regex injection query
#6978 opened
Oct 27, 2021 -
Update tracing-subscriber requirement from 0.2 to 0.3 in /ruby/extractor
#6985 opened
Oct 28, 2021 -
Update tracing-subscriber requirement from 0.2 to 0.3 in /ruby/generator
#6986 opened
Oct 28, 2021 -
Java: Expand `org.apache.commons.codec` model
#6988 opened
Oct 28, 2021 -
JS: Recognize regexp-based '..' check in tainted path
#6993 opened
Oct 28, 2021 -
Rewrite qhelp-pr-preview.yml
#6995 opened
Oct 28, 2021 -
Java: Add FieldValueNode to break up cartesian step relation.
#7002 opened
Oct 29, 2021 -
Java: Ratpack HTTP Framework Additional Modeling
#7007 opened
Oct 29, 2021 -
Python : Add sanitizers for Path Injection Query
#7009 opened
Oct 29, 2021 -
JS: make array taint-step better
#7010 opened
Oct 31, 2021 -
Dbartol/rc/merge
#7011 opened
Oct 31, 2021 -
Ruby: Add Server-Side Request Forgery query
#7015 opened
Nov 1, 2021 -
Python: Model Django REST framework
#7016 opened
Nov 1, 2021 -
Ruby: expose TRAP compression option
#7017 opened
Nov 1, 2021 -
C++: Further performance improvement for the null termination queries
#7018 opened
Nov 1, 2021 -
Java: Extend String dataflow models
#7019 opened
Nov 1, 2021 -
JS: Add insufficient key size query
#7021 opened
Nov 2, 2021 -
more efficient implementation of calleeApiName
#7027 opened
Nov 2, 2021 -
Ruby: Prune nodes before computing `trackUseNode`
#7028 opened
Nov 2, 2021 -
JS: add js/session-fixation query
#7029 opened
Nov 2, 2021 -
Dbartol/sync
#7030 opened
Nov 2, 2021 -
Python: Taint through `async with`
#7031 opened
Nov 2, 2021 -
JS: add CWE-497 to js/stack-trace-exposure
#7032 opened
Nov 2, 2021 -
Python: Model `flask_admin`
#7033 opened
Nov 2, 2021 -
Java: Fix incorrect CSV models; add validation predicate
#7034 opened
Nov 2, 2021 -
Ruby: Truncate concatenated strings in `getValueText`
#7036 opened
Nov 2, 2021 -
Merge rc/3.3 into main
#7038 opened
Nov 2, 2021 -
Add updated framework support for JS/Java
#7039 opened
Nov 2, 2021
4 Issues closed by 4 people
-
Java: Add CharacterLiteral.getIntValue
#3635 closed
Nov 1, 2021 -
LGTM.com - false positive - typescript access to static methods
#6853 closed
Nov 1, 2021 -
No source code was seen during the build.
#6996 closed
Oct 28, 2021 -
Some .qhelp files appear to be unused
#5274 closed
Oct 28, 2021
7 Issues opened by 7 people
-
Implement queries to detect Trojan Source
#7037 opened
Nov 2, 2021 -
LGTM.com - false positive for move and copy assignment operators not returning *this (C++)
#7035 opened
Nov 2, 2021 -
Does CodeQL support edits on call graph?
#7013 opened
Nov 1, 2021 -
CodeQL Language Feature: Trailing comma at end of List
#7006 opened
Oct 29, 2021 -
Ruby parse error on valid Ruby code
#7005 opened
Oct 29, 2021 -
Incorrect message when using `\G` in CodeQL beta support for Ruby
#7001 opened
Oct 29, 2021 -
False Positive in Javascript ZipSlip
#6990 opened
Oct 28, 2021
24 Unresolved conversations
Sometimes conversations happen on old items that aren’t yet closed. Here is a list of all the Issues and Pull Requests with unresolved conversations.
-
C++: Redesign IR dataflow using the shared SSA library
#6825 commented on
Nov 2, 2021 • 55 new comments -
Python: Add JWT security-related queries
#5588 commented on
Oct 28, 2021 • 30 new comments -
Java: CWE-347 Query for detecting Signature Exclusion Attack with SAML assertion
#6935 commented on
Nov 2, 2021 • 14 new comments -
CPP: Add query for CWE-377 Insecure Temporary File
#6947 commented on
Oct 29, 2021 • 13 new comments -
CPP: Add query for CWE-243 Creation of chroot Jail Without Changing Working Directory
#6948 commented on
Nov 2, 2021 • 12 new comments -
Java: Initial CSV model generator
#6664 commented on
Nov 2, 2021 • 10 new comments -
JS: extract regexp literals for string concatenations
#6756 commented on
Nov 2, 2021 • 10 new comments -
CPP: Add query for CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
#6950 commented on
Oct 29, 2021 • 8 new comments -
[Javascript] CWE-348: Client supplied ip used in security check
#6864 commented on
Oct 29, 2021 • 4 new comments -
JS: Add library input as source to js/prototype-polluting-assignment
#5908 commented on
Oct 28, 2021 • 2 new comments -
Python: Port and extend XXE modeling
#6112 commented on
Oct 28, 2021 • 2 new comments -
Yet another SSRF query for Javascript
#6714 commented on
Oct 29, 2021 • 2 new comments -
LGTM.com - false positive - Unnecessary deletion of local variable
#6953 commented on
Oct 28, 2021 • 1 new comment -
CodeQL - false positive - JPL Rule 24
#6522 commented on
Nov 1, 2021 • 1 new comment -
JS: Add query for unsafe construction of code from library input
#5841 commented on
Oct 28, 2021 • 1 new comment -
JS/Py/Ruby: add a bad-tag-filter query
#6561 commented on
Oct 27, 2021 • 1 new comment -
JS: add explicit this to all member calls
#6873 commented on
Nov 1, 2021 • 1 new comment -
JS: add pragma[noinline] to predicates where the qldoc mentions join-order
#6881 commented on
Oct 27, 2021 • 1 new comment -
Java:ecj is disabled for create a java database
#6933 commented on
Oct 28, 2021 • 0 new comments -
Java : Add SSTI query
#5935 commented on
Oct 29, 2021 • 0 new comments -
Python: Add cookie security-related queries
#6360 commented on
Oct 28, 2021 • 0 new comments -
Data flow: Support hidden parameter/return nodes in `subpaths` predicate
#6824 commented on
Nov 2, 2021 • 0 new comments -
Data flow: Restrict derived flow summaries
#6931 commented on
Nov 2, 2021 • 0 new comments -
Android: Add ExplicitIntentSanitizer and allowIntentExtrasImplicitRead
#6966 commented on
Oct 27, 2021 • 0 new comments