codeql

Граф коммитов

Автор	SHA1	Сообщение	Дата
smiddy007	31b56bf966	Update javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash Co-authored-by: Asger F <asgerf@github.com>	2023-04-19 13:32:23 -04:00
Asger F	1c2fdc8df9	JS: Ignore more webpack modules	2023-04-19 10:29:14 +02:00
Arthur Baars	dcca0e0c6c	JavaScript: switch to shared YamlPopulator	2023-04-19 08:34:38 +02:00
Nate Johnson	4ae8377713	Merge branch 'main' into js-insecure-http-parser	2023-04-18 22:00:13 -04:00
Nate Johnson	78229bb264	Moved into experimental	2023-04-18 21:59:14 -04:00
Alex Ford	924ce250dd	Merge pull request #12847 from github/post-release-prep/codeql-cli-2.13.0 Post-release preparation for codeql-cli-2.13.0	2023-04-18 14:40:40 +01:00
Arthur Baars	e5d89b969a	Merge pull request #12780 from aibaars/shared-yaml-lib JS: extract YAML library to a shared pack	2023-04-18 11:09:53 +02:00
Tom Hvitved	f6d000eb20	Merge pull request #12805 from hvitved/remove-queries-xml Remove all `queries.xml` files	2023-04-18 10:52:14 +02:00
Kasper Svendsen	9d34d090ab	Merge pull request #12843 from kaspersv/kaspersv/prevent-bad-js-join-order Prevent JS join order regression	2023-04-18 09:09:43 +02:00
Nate Johnson	bbb1ee9597	Merge branch 'main' into js-insecure-http-parser	2023-04-18 00:45:32 -04:00
Nate Johnson	cb90f9af3c	Fix to include specification of flag in NODE_OPTIONS	2023-04-18 00:41:48 -04:00
Nate Johnson	522a285d9e	Qhelp file for explanation	2023-04-18 00:41:28 -04:00
Nate Johnson	2e27447c65	Include example	2023-04-18 00:41:11 -04:00
smiddy007	e4ec1ae261	Update InsufficientPasswordHash.qhelp change file name to original	2023-04-17 13:18:47 -04:00
smiddy007	88d2f65c5f	Rename InsufficientPasswordHash_NodeJS_fixed.js to InsufficientPasswordHash_fixed.js	2023-04-17 13:17:13 -04:00
smiddy007	cbe45f7e55	Rename InsufficientPasswordHash_NodeJS.js to InsufficientPasswordHash.js	2023-04-17 13:16:57 -04:00
smiddy007	36d7370998	Delete InsufficientPasswordHash_CryptoJS_fixed file not used in qhelp	2023-04-17 13:16:25 -04:00
smiddy007	e65daaae49	Delete InsufficientPasswordHash_CryptoJS.js not used in qhelp file	2023-04-17 13:15:10 -04:00
github-actions[bot]	648f0e19ec	Post-release preparation for codeql-cli-2.13.0	2023-04-17 15:39:24 +00:00
Kasper Svendsen	ad82433a88	Prevent JS join order regression	2023-04-17 13:24:19 +02:00
Arthur Baars	34d3040ce2	Add change note	2023-04-17 12:59:14 +02:00
Asger F	13b1e97caa	JS: Fix the ExtendCall restriction	2023-04-17 12:30:08 +02:00
Asger F	eafef91dbc	JS: Update test output after ExtendCall restriction	2023-04-17 12:28:23 +02:00
Asger F	024760610a	JS: Add prototype pollution test	2023-04-17 12:27:34 +02:00
Asger F	2f4a181a7d	JS: revert path sanitizers in proto pollution query	2023-04-17 12:21:00 +02:00
Asger F	04079752f7	JS: update test output after adding 'this' sanitizer	2023-04-17 12:15:46 +02:00
Asger F	f87f6c8556	JS: Add test to unsafe jquery plugin	2023-04-17 12:15:05 +02:00
Asger F	b728f71b4b	JS: Move 'this' sanitizer to customizations	2023-04-17 12:11:18 +02:00
Asger F	62dca44ee5	Update UntrustedDataToExternalAPI.expected	2023-04-17 08:23:04 +02:00
Asger F	c250ba7f27	JS: Undo sanitization of path.normalize()	2023-04-17 08:23:04 +02:00
Asger F	9db63c3a6a	JS: Change note	2023-04-17 08:23:04 +02:00
Asger F	b0d4b31103	JS: Trim whitespace in test	2023-04-17 08:23:04 +02:00
Asger F	c7f16cd224	JS: Add test	2023-04-17 08:23:03 +02:00
Asger F	0d598c437d	JS: Fix observed FPs in UnsafeJQueryPlugin	2023-04-17 08:20:18 +02:00
Asger F	b321151a28	JS: Restrict ExtendCall flow in proto pollution query	2023-04-17 08:20:18 +02:00
Asger F	efb582b661	JS: Drive-by fix to newly gained FPs	2023-04-17 08:20:18 +02:00
Asger F	869c6d27fe	JS: Add implied receiver steps	2023-04-17 08:20:18 +02:00
Asger F	74dbc71535	JS: Change Extend steps to PreCallGraphStep	2023-04-17 08:20:18 +02:00
github-actions[bot]	075d063370	Release preparation for version 2.13.0	2023-04-14 13:31:30 +00:00
Erik Krogh Kristensen	cece307c60	Merge pull request #12802 from erik-krogh/history-xss JS: add browser history as XSS sink	2023-04-14 13:35:19 +02:00
smiddy007	ec97cdc8a0	Allow NonKeyCiphers to include truncated SHA-512 MDs in Forge JS library.	2023-04-13 23:16:20 -04:00
Alex Eyers-Taylor	c6a482819a	Bump all qlpacks major versions	2023-04-13 19:15:27 +01:00
Alex Ford	8c46bfd051	Merge pull request #12816 from github/rc/3.9 Merge `rc/3.9` into `main`	2023-04-13 12:35:41 +01:00
Tom Hvitved	3cc9dec9c8	Remove all `queries.xml` files	2023-04-13 11:18:58 +02:00
Arthur Baars	ead8108aed	Apply suggestions from code review Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2023-04-13 11:11:55 +02:00
Erik Krogh Kristensen	cfb273ae01	Merge pull request #12799 from erik-krogh/oneColumn JS: use 1-based column locations for diagnostics	2023-04-12 14:48:20 +02:00
Asger F	b819f55203	Merge pull request #12792 from asgerf/js/redux-model-perf JS: add getForwardingFunction and use to sharpen useSelector model	2023-04-12 14:09:59 +02:00
erik-krogh	d3cc1d6991	update expected output of diagnostics test	2023-04-12 13:42:05 +02:00
erik-krogh	b1957623c1	add browser history as XSS sink	2023-04-12 13:38:18 +02:00
Erik Krogh Kristensen	8cb54b748b	Merge pull request #12787 from tyage/add-router-sink JS: Add New XSS sink - Next.js router.push/replace	2023-04-12 13:30:21 +02:00
erik-krogh	fe5e4845b1	use 1-based column locations for diagnostics	2023-04-12 08:14:15 +02:00
Arthur Baars	83cd55cb29	Js/Yaml: add getFile() predicate	2023-04-11 16:01:44 +01:00
erik-krogh	3c4bd5b6a7	forward toString() etc. predicates from YamlNode to Locatable	2023-04-11 15:37:01 +02:00
erik-krogh	b5e90483f5	improve the ESLint model to avoid overriding Yaml classes	2023-04-11 15:36:18 +02:00
Asger F	aef0fa3c8a	JS: Expand QLDoc	2023-04-11 14:16:36 +02:00
Asger F	d702c7b990	Merge pull request #12759 from asgerf/js/getset-in-pattern JS: Fix parsing of 'get' or 'set' pattern with a default value	2023-04-11 14:03:00 +02:00
Asger F	2c65a49d7c	JS: Add getForwardingFunction() to API graphs	2023-04-11 14:00:30 +02:00
Asger F	4ce03d4dc4	JS: Restrict useSelector steps to local callbacks	2023-04-11 13:33:46 +02:00
Asger F	3cc931306f	JS: Add test for selector nodes with multiple access paths	2023-04-11 13:33:27 +02:00
Nate Johnson	a0f4a5100f	Insecure HTTP parser query for JavaScript	2023-04-09 20:38:55 -04:00
tyage	40d475863d	Add change note	2023-04-08 18:36:50 +09:00
tyage	320cb99dbf	Add replace method test	2023-04-08 18:31:48 +09:00
tyage	668e1accaa	Remove unnecessary whiteline	2023-04-08 18:24:31 +09:00
tyage	7f9b8557ac	Add Next.js router push as XSS sink	2023-04-08 18:18:34 +09:00
Arthur Baars	4fca4b668c	JS: use shared YAML library	2023-04-06 15:11:35 +02:00
Henry Mercer	e1b3807dfc	Merge remote-tracking branch 'origin/rc/3.9' into henrymercer/merge-back-3.9	2023-04-05 14:57:57 +01:00
github-actions[bot]	ac426b1302	Post-release preparation for codeql-cli-2.12.6	2023-04-04 16:49:26 +00:00
Asger F	5cc7380bcd	JS: Change note	2023-04-04 16:49:14 +02:00
Asger F	621e2e71c8	JS: Don't try to parse "get=" as a method prop	2023-04-04 16:37:28 +02:00
Asger F	eb8046daef	JS: Add trap test showing parse error	2023-04-04 16:33:13 +02:00
erik-krogh	0b4f239ab5	only set the file in the diagnostics message if the file is within the source root	2023-04-03 13:49:29 +01:00
erik-krogh	a7c2892af4	only set the file in the diagnostics message if the file is within the source root	2023-04-03 12:38:10 +02:00
Asger F	53de9ae580	Merge pull request #12729 from asgerf/js/crypto-modernize JS: Modernize crypto libraries	2023-04-03 12:16:22 +02:00
Jeroen Ketema	17bd9c12d7	JS: Fix qhelp after file rename	2023-04-03 09:25:19 +02:00
Erik Krogh Kristensen	1e1a692ee6	Merge pull request #12686 from erik-krogh/backtick-parse-error JS: add backticks around the concrete parse error	2023-03-31 14:56:38 +02:00
Asger F	64cf27ab87	JS: Modernize crypto libraries	2023-03-31 14:49:23 +02:00
Asger F	40530ae14d	JS: Simplfy with set literal	2023-03-31 12:04:56 +02:00
Asger F	4a06b81429	JS: Use API graphs in CryptoJS	2023-03-31 12:03:14 +02:00
Asger F	dec1e4dfd6	Merge pull request #12666 from smiddy007/improve-insufficient-pw-hash-query JS: Improve insufficient pw hash query	2023-03-31 11:58:41 +02:00
github-actions[bot]	0a3218676c	Release preparation for version 2.12.6	2023-03-30 19:25:06 +00:00
Alex Ford	62fcea030a	Merge pull request #12718 from github/post-release-prep/codeql-cli-2.12.5 Post-release preparation for codeql-cli-2.12.5	2023-03-30 15:50:56 +01:00
Erik Krogh Kristensen	b382465078	Merge pull request #12679 from ctbellanti/improved-certificate-validation JS: Improved coverage for disabled certificate validation	2023-03-30 16:24:33 +02:00
github-actions[bot]	e87ce62f95	Post-release preparation for codeql-cli-2.12.5	2023-03-30 13:48:58 +00:00
erik-krogh	47783326c2	add test for https.createServer in DisablingCertificateValidation.ql	2023-03-30 14:15:25 +02:00
Asger F	43174cfe3a	Merge pull request #12668 from asgerf/js/jquery-callback-sinks JS: fix handling of jQuery sinks involving callback	2023-03-30 12:42:53 +02:00
Jeroen Ketema	0acca2ba76	Merge pull request #12687 from jketema/unit-2 Make imports of `codeql.util.Unit` private	2023-03-29 13:07:12 +02:00
Asger F	2ef1743bf4	Merge pull request #11615 from asgerf/js/extension-docs JS: docs for customizing library models with data extensions	2023-03-29 10:20:53 +02:00
smiddy007	0eb61d39d3	formatting	2023-03-28 11:28:32 -04:00
smiddy007	fe3b0a56ca	Removed unnecessary field	2023-03-28 11:27:23 -04:00
smiddy007	8e9f2185c8	Merge branch 'main' into improve-insufficient-pw-hash-query	2023-03-28 11:15:10 -04:00
smiddy007	123eb1e57b	Update javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll Co-authored-by: Asger F <asgerf@github.com>	2023-03-28 11:14:28 -04:00
Erik Krogh Kristensen	13c0effbd2	change to minor change	2023-03-28 15:27:16 +02:00
erik-krogh	4b3a419509	just use quoteWithBackticks	2023-03-28 15:23:15 +02:00
Erik Krogh Kristensen	451f6f01bb	Merge pull request #12633 from erik-krogh/more-global-flow JS: better callgraph support for global variables	2023-03-28 15:19:50 +02:00
Jeroen Ketema	3b8ad087eb	Make imports of `codeql.util.Unit` private	2023-03-28 14:14:13 +02:00
Asger F	61a7ee9387	JS: Use getABoundFunctionValue instead of type-tracking	2023-03-28 12:56:03 +02:00
erik-krogh	70dfa6e15c	use StringUtil.quoteWithBackticks instead of manually quoting with a single backtick	2023-03-28 12:34:44 +02:00
erik-krogh	e5e20ab42c	add backticks around the concrete parse error	2023-03-28 10:57:13 +02:00
Asger F	04b28c5118	Merge branch 'main' into js/extension-docs	2023-03-28 10:12:22 +02:00
smiddy007	2caab8748e	Merge branch 'improve-insufficient-pw-hash-query' of https://github.com/smiddy007/codeql into improve-insufficient-pw-hash-query	2023-03-27 15:20:24 -04:00

1 2 3 4 5 ...

8897 Коммитов