Commit graph

8897 commits

Author SHA1 Message Date
Asger F feb7c49006
Merge pull request #12382 from asgerf/js/import-assertion
JS: Support import assertions
2023-03-14 14:56:32 +01:00
Asger F d953ad63fe
Merge pull request #12445 from asgerf/js/react-forward-ref
JS: Handle forwardRef in React
2023-03-14 13:21:16 +01:00
Asger F d74da30fc7 JS: Include trap test for trailing commas 2023-03-14 13:15:12 +01:00
Asger F 8ab3f39b5e
Merge pull request #12423 from asgerf/js/trusted-types-global-flow
JS: Track trusted types policy callbacks
2023-03-14 13:09:50 +01:00
Erik Krogh Kristensen 060c37b6a2
Merge pull request #12345 from erik-krogh/delOldDeps
delete old deprecations
2023-03-13 12:48:24 +01:00
Asger F 5461f94c6c
Merge pull request #12424 from asgerf/js/html-sanitizer-for-sql
JS: Add html sanitizers as a taint step in a few queries
2023-03-13 11:36:19 +01:00
Asger F 41dd63adc7 Handle forwardRef in React 2023-03-13 11:30:18 +01:00
erik-krogh 6c1ebd999e
Merge branch 'main' into delOldDeps 2023-03-13 11:00:29 +01:00
Arthur Baars 7b8ac609f7
Merge pull request #12478 from aibaars/js-fix-npe
JS: fix NPE
2023-03-10 18:49:46 +01:00
Arthur Baars 1a70297662 JS: fix NPE 2023-03-10 12:52:41 +01:00
Anders Schack-Mulligen 8d97fe9ed3 JavaScript: Autoformat 2023-03-10 09:41:20 +01:00
Henry Mercer 079451142e
Merge branch 'main' into codeql-ci/atm/release-0.4.9 2023-03-09 16:08:22 +00:00
github-actions[bot] a82aaea514 JS: Bump version of ML-powered library and query packs to 0.4.10 2023-03-09 15:54:49 +00:00
github-actions[bot] f0bb25bfce JS: Bump patch version of ML-powered library and query packs 2023-03-09 15:46:31 +00:00
Asger F 6e744093e2
Merge pull request #12398 from github/post-release-prep/codeql-cli-2.12.4
Post-release preparation for codeql-cli-2.12.4
2023-03-09 15:38:21 +01:00
Arthur Baars 942cd7c275
Merge pull request #12113 from erik-krogh/diagnostics
JS: Implement diagnostics
2023-03-09 12:57:06 +01:00
Arthur Baars 7ab0f88f78 JS: add link to docs to parse error diagnostic 2023-03-08 16:47:43 +01:00
Arthur Baars e5be8ab1e5 JS: add integration test for diagnostic messages 2023-03-08 16:04:49 +01:00
Asger F 05b5aea477 JS: Changenote 2023-03-07 13:15:44 +01:00
Asger F 856b50735d JS: Expand test case 2023-03-07 13:04:26 +01:00
Asger F 0affd898de JS: Track trusted type policy callbacks 2023-03-07 10:22:26 +01:00
Asger F 4f0e17bf97 JS: Add step to a few other queries 2023-03-07 09:39:40 +01:00
Arthur Baars 51599b3cae Address review comments 2023-03-06 18:40:29 +01:00
Asger F d4b4d22378 JS: Step through HTML sanitizers in SQL injection query 2023-03-06 15:10:26 +01:00
github-actions[bot] af61b45785 Post-release preparation for codeql-cli-2.12.4 2023-03-04 14:16:55 +00:00
Dave Bartolomeo b342e93989 Move change note to appropriate pack 2023-03-03 14:43:00 -05:00
github-actions[bot] 462da63970 Release preparation for version 2.12.4 2023-03-03 14:11:51 +00:00
Asger F 37999eaea0 JS: Fix implicit this 2023-03-03 13:43:17 +01:00
Asger F f4b13e0955 JS: Update printAst expected output 2023-03-03 13:42:42 +01:00
Erik Krogh Kristensen d94e51aaf6
Merge pull request #12377 from erik-krogh/jHtml
JS: add the html argument to the jQuery functions as an XSS sink
2023-03-03 13:19:38 +01:00
Asger F 7f96fe725b JS: Change note 2023-03-03 12:21:20 +01:00
Asger F 1264029282 JS: Bump extractor version string 2023-03-03 12:21:20 +01:00
Asger F 7a55b003d2 JS: Fix location of assert clause 2023-03-03 12:21:20 +01:00
Asger F 38194c6ae7 JS: Extract import assertions to DB 2023-03-03 12:21:20 +01:00
Asger F f454151e7a JS: Convert TypeScript import assertions 2023-03-03 12:21:20 +01:00
Asger F 3af085afcb JS: Drive-by allow trailing commas in dynamic imports 2023-03-03 12:21:20 +01:00
Asger F 8d9060f1f9 JS: Store in the Java AST 2023-03-03 12:21:03 +01:00
Asger F c715de2a10 JS: parse import assertions without storing in AST 2023-03-03 12:21:03 +01:00
Asger F 5fdc293d82 JS: Add trap test for import assertions 2023-03-03 12:21:03 +01:00
erik-krogh a6c9af4182
add the html argument to the jQuery functions as an XSS sink 2023-03-03 11:09:53 +01:00
erik-krogh 94870b838f
add failing test 2023-03-03 11:08:33 +01:00
erik-krogh a928f4c9ef
add change-notes 2023-03-03 09:23:10 +01:00
erik-krogh f96d6accbb
delete old deprecations 2023-03-03 09:23:02 +01:00
erik-krogh fc9e63275f
only print a constant when catching an OOM 2023-03-02 22:14:29 +01:00
Erik Krogh Kristensen 094a2b0c46
Apply suggestions from code review
Co-authored-by: Asger F <asgerf@github.com>
2023-03-02 22:14:17 +01:00
github-actions[bot] 50c90bbc5c ATM: Update model pack dependency of ML-powered model building and query packs 2023-03-02 17:31:03 +00:00
erik-krogh 88810420b1
add location to the parse-error diagnostics 2023-03-02 14:54:58 +01:00
erik-krogh c460eae2e1
implement diagnostics 2023-03-02 14:54:54 +01:00
Asger F b6ec9464eb JS: Remove trailing whitespace 2023-03-01 15:29:51 +01:00
Erik Krogh Kristensen 64dad3db8a
Merge pull request #12333 from kaspersv/kaspersv/fix-join-order
ReflectedXss: Prevent bad join order
2023-03-01 12:48:30 +01:00
Erik Krogh Kristensen f3f5f6eacf
Merge pull request #12190 from erik-krogh/fix-erb
JS: Actually extract `.html.erb` files.
2023-02-28 16:11:32 +01:00
Kasper Svendsen 86925646f3 ReflectedXss: Prevent bad join order 2023-02-28 12:06:27 +01:00
Erik Krogh Kristensen 50aa5e072a
Merge pull request #12177 from erik-krogh/alias-html
JS: More precise type-test sanitizer guards in unsafe-html-construction
2023-02-27 18:16:11 +01:00
erik-krogh 505168f24b
fix upper-case .html.erb files 2023-02-27 17:19:43 +01:00
Erik Krogh Kristensen 927c322b7b
Merge pull request #11769 from erik-krogh/moreSan
JS: Sanitizer for `sanitizer(x) === true`
2023-02-27 15:48:34 +01:00
Alex Ford 7c85448cba
Merge pull request #12080 from alexrford/js-use-shared-cryptography
JS: Use shared `CryptographicOperation` concept
2023-02-27 12:26:38 +00:00
erik-krogh 0e60fc5512
Merge branch 'main' into alias-html 2023-02-27 09:16:25 +01:00
Erik Krogh Kristensen f8f926ad50
Merge pull request #12175 from erik-krogh/reg-input
JS: add process.env and process.argv etc. as source for `js/regex-injection`
2023-02-27 09:12:02 +01:00
Erik Krogh Kristensen 4ffe20ae75
Merge pull request #12189 from erik-krogh/more-export
JS: also consider relative exports when finding library inputs
2023-02-27 09:02:55 +01:00
Henry Mercer eb1fe57590
Merge branch 'main' into codeql-ci/atm/release-0.4.8 2023-02-23 16:23:32 +00:00
github-actions[bot] 7e2b286f03 JS: Bump version of ML-powered library and query packs to 0.4.9 2023-02-23 16:12:23 +00:00
github-actions[bot] e02368f6fa JS: Bump patch version of ML-powered library and query packs 2023-02-23 16:04:39 +00:00
erik-krogh 271cc6b961
remove leftover debug comment 2023-02-17 09:50:22 +01:00
github-actions[bot] 8eb8daa4d4 Post-release preparation for codeql-cli-2.12.3 2023-02-16 17:23:25 +00:00
github-actions[bot] b0315119c6 Release preparation for version 2.12.3 2023-02-16 11:49:06 +00:00
Alex Ford 9cfd0f5f46 JS: fix qldoc 2023-02-16 11:00:37 +00:00
Alex Ford 1556b1a728
Merge branch 'main' into js-use-shared-cryptography 2023-02-15 17:13:53 +00:00
Alex Ford 1958b9dcd5 JS: add missing qldoc 2023-02-15 16:59:03 +00:00
Alex Ford 43af306d60 dynamic: more detailed qldoc for CryptographicOperation#getBlockMode() 2023-02-15 16:55:18 +00:00
Alex Ford e8cbf7287d JS: breaking change note for CryptographicOperation sync 2023-02-15 16:50:24 +00:00
Alex Ford 925b4a3fa8 JS: improve documentation on deprecated CryptographicOperation#getInput() predicate 2023-02-15 16:23:46 +00:00
Alex Ford d4d0b91085 dynamic: switch CryptographicOperation::Range#getBlockMode() back to being an abstract predicate 2023-02-15 16:23:46 +00:00
Alex Ford c7aaad9ed0 JS: avoid adding a deprecated CryptographicOperation#getInput to py/ruby 2023-02-15 16:23:46 +00:00
erik-krogh 51ddb55d7b
use tainted-object to precisely model that plain objects are fine, but their properties are not 2023-02-15 15:02:03 +01:00
erik-krogh 09794fa836
delete PrefixStringSanitizer 2023-02-15 14:55:02 +01:00
Rasmus Wriedt Larsen c72dbc49fc
Merge pull request #12165 from RasmusWL/crypto-updates
Python/Ruby/JS Crypto: Add a few algorithms + block modes
2023-02-15 14:35:40 +01:00
erik-krogh bec8dc6775
add explicit this 2023-02-15 10:44:57 +01:00
erik-krogh 25a8469586
update expected output, now that .html.erb files are actually extracted 2023-02-15 10:28:05 +01:00
erik-krogh 710e79b2d5
bump extractor version 2023-02-15 10:26:00 +01:00
erik-krogh f9b3a5b5e6
actually extract `.html.erb` files 2023-02-15 10:26:00 +01:00
erik-krogh b7305fd229
also consider relative exports when finding library inputs 2023-02-14 21:08:13 +01:00
erik-krogh de4f5017e1
add change-note 2023-02-14 18:36:07 +01:00
Alex Ford 8d90c02a67 JS: remove unused field 2023-02-14 15:24:22 +00:00
erik-krogh 393649b7ce
don't call environment variables for command-line arguments 2023-02-14 14:27:41 +01:00
erik-krogh 36478124ae
add process.env and process.argv etc. as source for `js/regex-injection` 2023-02-14 14:21:53 +01:00
erik-krogh 943bdeca6d
make `appliesTo` recursive 2023-02-14 14:16:45 +01:00
erik-krogh 9549cac3e5
add an additional barrier guard that finds "=== true" versions of previous barrier guards 2023-02-14 14:15:23 +01:00
erik-krogh c355a26657
add failing test 2023-02-14 14:12:35 +01:00
erik-krogh 3f0fe96f85
add `getBoolValue()` as a utility predicate on `BooleanLiteral` 2023-02-14 14:12:35 +01:00
Erik Krogh Kristensen 2f8c9a5a2c
Merge pull request #12171 from erik-krogh/reg-dot
JS: don't recognize regexps that match dot as sanitizers
2023-02-14 14:10:44 +01:00
Erik Krogh Kristensen e3e2df3247
Merge pull request #12166 from erik-krogh/more-html-san
JS: add `HtmlSanitizer` as a sanitizer DOMBasedXss
2023-02-14 14:09:56 +01:00
Erik Krogh Kristensen 028fcc7edf
Merge pull request #11959 from erik-krogh/ssrfSan
JS: add encodeURIComponent as a sanitizer for request-forgery
2023-02-14 13:39:53 +01:00
Erik Krogh Kristensen a498936f16
Merge pull request #12170 from erik-krogh/more-lib
JS: More library inputs
2023-02-14 13:38:00 +01:00
erik-krogh 4140598769
update expected output for experimental query 2023-02-14 00:08:13 +01:00
erik-krogh c17d057520
default to index.js when no main: is specified in package.json, and recognize more classes as library inputs 2023-02-13 21:24:41 +01:00
erik-krogh 68656274f4
don't recognize regexps that match dot as sanitizers 2023-02-13 17:36:51 +01:00
erik-krogh 6192544fb4
add test for express-ws as a source 2023-02-13 15:26:50 +01:00
erik-krogh b85bfc8ba6
add HtmlSanitizer as a sanitizer for DOMBasedXss 2023-02-13 11:57:29 +01:00
erik-krogh c258e44772
add failing test for spurious edge through sanitizer 2023-02-13 11:49:57 +01:00
Rasmus Wriedt Larsen 5235964b07
sync files 2023-02-13 10:44:12 +01:00
erik-krogh 91393a7bc8
add change-note 2023-02-12 23:28:01 +01:00
erik-krogh 6474cfd4c8
add support for express-ws 2023-02-12 23:25:27 +01:00
Henry Mercer e972cb069e
Merge branch 'main' into codeql-ci/atm/release-0.4.7 2023-02-07 21:31:08 +00:00
github-actions[bot] 4f76ebbb0b JS: Bump version of ML-powered library and query packs to 0.4.8 2023-02-07 19:44:25 +00:00
github-actions[bot] 30b2644f17 JS: Bump patch version of ML-powered library and query packs 2023-02-07 19:34:58 +00:00
erik-krogh ecafce8191
improve the CryptoJS model by using API::Node 2023-02-03 21:44:23 +01:00
Alex Ford 7768026e70
Merge branch 'main' into js-use-shared-cryptography 2023-02-03 15:18:30 +00:00
Alex Ford 6c35feaa98 ConceptsShared: add a default implementation of BlockMode CryptographicOperation#getBlockMode() for compatibility with external code 2023-02-03 14:39:32 +00:00
Alex Ford b968b59afc CryptoAlgorithms: make CryptographicAlgorithm#matchesName hold only if that algorithm is the most specific match 2023-02-03 14:15:32 +00:00
Alex Ford e17b3d975d JS: pick up CryptographicKeys used in asmCrypto encrypt/decrypt calls 2023-02-03 12:16:25 +00:00
Alex Ford 6b2a92a7ca JS: update CryptographicKey.expected 2023-02-03 12:12:47 +00:00
Mathias Vorreiter Pedersen 4e7ca1a175
Merge pull request #12082 from github/post-release-prep/codeql-cli-2.12.2
Post-release preparation for codeql-cli-2.12.2
2023-02-03 09:40:57 +00:00
github-actions[bot] faf21f3edb Post-release preparation for codeql-cli-2.12.2 2023-02-02 23:01:04 +00:00
Alex Ford b0b8f8725e JS: add some CryptographicOperation#getBlockMode() tests 2023-02-02 20:30:30 +00:00
Alex Ford aa2c532a78 JS: adjust test whitespace 2023-02-02 20:30:30 +00:00
Alex Ford c25dc978df JS: add blockMode to CryptographicOperation tests 2023-02-02 20:30:30 +00:00
Alex Ford 1435ef1862 CryptoAlgorithms: make CryptographicAlgorithm#matchesName split on underscores 2023-02-02 20:30:30 +00:00
Alex Ford 983055b8f9 JS: Use shared CryptographicOperation concept and implement BlockMode getBlockMode() 2023-02-02 20:30:30 +00:00
Alex Ford e5dfbe2c8d ConceptsShared: Add BlockMode#matchesString(string) predicate 2023-02-02 20:27:52 +00:00
Alex Ford 61095b3c58 ConceptsShared: Add deprecated DataFlow::Node CryptographicOperation#getInput() predicate 2023-02-02 20:27:05 +00:00
Kristen Newbury 231110ddca
Update javascript/ql/src/Security/CWE-312/CleartextLogging.qhelp
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2023-02-02 11:12:44 -05:00
github-actions[bot] a4fa984792 Release preparation for version 2.12.2 2023-02-02 14:34:55 +00:00
Kristen Newbury dc5eb40d5f
Update JS CleartextLogging qhelp 2023-02-01 16:29:13 -05:00
yoff 7ae389bb28
Merge pull request #12026 from erik-krogh/nodePty
JS: add code-injection sink for node-pty
2023-01-31 13:27:32 +01:00
erik-krogh 0cefa98490
add missing word to the change-note 2023-01-31 11:53:17 +01:00
erik-krogh 95c19698c7
add change-note 2023-01-31 11:09:07 +01:00
erik-krogh e5e8496084
fix QL-for-QL warnings 2023-01-31 10:55:27 +01:00
erik-krogh 02da718786
add code-injection sink for node-pty 2023-01-30 15:14:25 +01:00
erik-krogh e3455a9b21
add support for axios used as a global variable 2023-01-29 22:55:20 +01:00
Erik Krogh Kristensen 99bad77972
Merge pull request #11906 from erik-krogh/moreStem
JS: expand what is parsed as the stem of a pathexpr
2023-01-25 08:44:44 +01:00
erik-krogh 49f5e89f36
update expected output for experimental query 2023-01-23 22:29:49 +01:00
Erik Krogh Kristensen fc66c905ff
Merge pull request #11859 from erik-krogh/moreShell
JS: slightly broaden the regular expression that recognizes bad string-concats used as shell commands
2023-01-23 22:26:17 +01:00
Henry Mercer 241951f53e
Merge branch 'main' into codeql-ci/atm/release-0.4.6 2023-01-23 18:24:36 +00:00
github-actions[bot] be481d975c JS: Bump version of ML-powered library and query packs to 0.4.7 2023-01-23 18:22:18 +00:00
github-actions[bot] 40a67d61d2 JS: Bump patch version of ML-powered library and query packs 2023-01-23 18:15:56 +00:00
erik-krogh 11894144aa
remove regular expression that did nothing 2023-01-23 16:38:09 +01:00
Erik Krogh Kristensen a10b45e0db
Merge pull request #11927 from mvogelgesang/express-rate-limit
JS: Updated express-rate-limit example to match implementation examples f…
2023-01-23 14:37:50 +01:00
erik-krogh 3cece50f78
add encodeURIComponent as a sanitizer for request-forgery 2023-01-23 13:53:53 +01:00
erik-krogh be8ef1b324
add failing test 2023-01-23 13:52:36 +01:00
Erik Krogh Kristensen 1ee9957838
Merge pull request #9807 from erik-krogh/endFilter
JS: recognize "-->" as a bad tag filter
2023-01-23 10:06:50 +01:00
Michael Nebel 69a42d8b1f
Merge pull request #11931 from michaelnebel/csharp/refactor
Remove the Csv postfix of some predicate names.
2023-01-23 09:09:48 +01:00
Mathias Vorreiter Pedersen e664662df9
Merge pull request #11944 from github/post-release-prep/codeql-cli-2.12.1
Post-release preparation for codeql-cli-2.12.1
2023-01-20 21:52:55 +00:00
github-actions[bot] b62cb6ba84 Post-release preparation for codeql-cli-2.12.1 2023-01-20 19:49:56 +00:00
Jean Helie 9e6f9c2705
Merge pull request #11709 from github/jhelie/add-shell-command-injection
ATM: add boosted version for `ShellCommandInjectionFromEnvironment` query
2023-01-20 16:03:30 +01:00
github-actions[bot] 005b3e4a47 Release preparation for version 2.12.1 2023-01-20 12:03:19 +00:00
Michael Nebel dc223cb82e Sync files and make corresponding changes for other languages. 2023-01-19 15:14:06 +01:00
Mark Vogelgesang a3ff0725a3 Removed change-note as it was not necessary 2023-01-18 16:08:29 -05:00
Mark Vogelgesang c9119848d9 Updated express-rate-limit example to match implementation examples found on packages README 2023-01-18 14:42:40 -05:00
erik-krogh 4b74dec18f
expand what is parsed as the stem of a pathexpr 2023-01-17 21:28:21 +01:00
Jean Helie fec7ea6964 ATM: add missing query help files 2023-01-17 12:20:17 +01:00
Jean Helie b08fa43fdf update tests 2023-01-17 12:20:17 +01:00
Jean Helie f07984bab2 update test data 2023-01-17 12:20:17 +01:00
Jean Helie 13aaa22df5 add boosted version of ShellCommandInjectionFromEnvironment 2023-01-17 12:20:17 +01:00
Erik Krogh Kristensen 8ccc384043
Merge pull request #11858 from erik-krogh/moreSpawn
JS: track shell:true more in js/shell-command-constructed-from-input
2023-01-16 13:24:50 +01:00
erik-krogh 71af8ab022
simplifications inspired by review 2023-01-13 13:18:52 +01:00
erik-krogh 7ae27bcc34
fix errors in JS printAst 2023-01-12 15:37:52 +01:00
Henry Mercer 70f1015fba
Merge branch 'main' into codeql-ci/atm/release-0.4.5 2023-01-12 12:32:25 +00:00
Pierre c3116b3f0f
Merge branch 'main' into turbo/experimental/combined 2023-01-11 18:02:55 +01:00
github-actions[bot] 76e121e359 JS: Bump version of ML-powered library and query packs to 0.4.6 2023-01-10 21:11:23 +00:00
github-actions[bot] dc88bdccc7 JS: Bump patch version of ML-powered library and query packs 2023-01-10 21:04:31 +00:00
erik-krogh 38ca68febb
recognize "-->" as a bad tag filter 2023-01-10 18:09:56 +01:00
Erik Krogh Kristensen 54c780bdf9
Merge pull request #11853 from erik-krogh/assignMore
JS: add local flow when recognizing Object.assign calls for library-inputs
2023-01-10 17:04:29 +01:00
Tony Torralba 72a11e737d
Merge pull request #11775 from atorralba/atorralba/all/omittable-exists
All: Remove omittable exists variables
2023-01-10 16:07:06 +01:00
erik-krogh 62b69bbd3e
autoformat 2023-01-10 15:38:13 +01:00
Erik Krogh Kristensen 6623e5fbf3
Merge pull request #11852 from erik-krogh/jsInfiniteChar
JS: recognize an infinite repetition of a char-class like regex as a char-class like regex
2023-01-10 15:32:22 +01:00
Erik Krogh Kristensen ce8836fb65
Update javascript/ql/lib/semmle/javascript/PackageExports.qll
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2023-01-10 15:30:44 +01:00
erik-krogh 43696f5e27
add explicit this 2023-01-10 15:27:37 +01:00
erik-krogh 23a847b1cf
track shell:true more in js/shell-command-constructed-from-input 2023-01-10 15:27:37 +01:00
erik-krogh 5c388c554c fix that the `TypeTracker` was unrestricted for the base-case of `nonFirstLocationType` 2023-01-10 13:39:50 +01:00
erik-krogh e02b67af63 add failing test 2023-01-10 13:39:50 +01:00
Tony Torralba 3b6dae41cd JavaScript: Remove omittable exists variables 2023-01-10 13:37:21 +01:00
erik-krogh 79e161e046
slightly broaden the regular expression that recognizes bad string-concats used as shell commands 2023-01-10 12:49:37 +01:00
erik-krogh 9f100ef2c6
add local flow when recognizing Object.assign calls for library-inputs 2023-01-09 17:44:11 +01:00
erik-krogh 90f9e3f825
recognize an infinite repetition of a char-class like regex as a char-class like regex 2023-01-09 17:25:08 +01:00
erik-krogh 785c21f462
fix bad join-order in js/missing-this-qualifier 2023-01-09 16:06:26 +01:00
github-actions[bot] cdb8f67601 Post-release preparation for codeql-cli-2.12.0 2023-01-06 10:36:34 +00:00
Jeroen Ketema 170242f79c
Apply suggestions from code review 2023-01-05 17:57:19 +01:00
Nick Rolfe 6e07076151 tweak wording in 2.12 release notes 2023-01-05 16:46:44 +00:00
github-actions[bot] b6a8193785 Release preparation for version 2.12.0 2023-01-05 16:32:14 +00:00
Aditya Sharad ed73875fac
Merge pull request #11747 from adityasharad/tutorial/library-pack
Tutorial: Move QL detective tutorial library into shared `codeql/tutorial` library pack
2023-01-04 08:24:53 -08:00
Erik Krogh Kristensen cedc9c0bff
Merge pull request #11582 from erik-krogh/heuristics
JS: Add experimental variants of common security queries with more sources
2023-01-04 10:46:19 +01:00
Aditya Sharad 9988c19a42
Merge branch 'main' into tutorial/library-pack 2023-01-03 14:08:37 -08:00
Calum Grant ad55706527
Merge branch 'main' into calumgrant/remove-lgtm 2023-01-03 10:27:30 +00:00
Arthur Baars 98c5b81456
Merge pull request #11723 from aibaars/alert-suppression
CodeQL alert suppression
2022-12-21 10:59:57 +01:00
Arthur Baars 035ad65e43 AlertSuppression: move library into util folder 2022-12-21 10:39:57 +01:00
Jacques b99c500435
Fix associated test 2022-12-20 12:51:13 +09:00
Jacques 97b8126385
Fix javascript 2022-12-20 12:45:59 +09:00
Aditya Sharad ed29b3e4d6
Shared packs: Depend on `codeql/tutorial` from all language libraries
This allows `import tutorial` from queries targeting
any language, just like before, while removing the
duplicate copies of `tutorial.qll`.
2022-12-19 15:52:11 -08:00
Calum Grant e982e144a4 JS: Update qltest output 2022-12-19 17:22:51 +00:00
Arthur Baars a8be5d7274 AlertSuppression: add change notes 2022-12-19 17:02:52 +01:00
Arthur Baars 0f313231bc AlertSuppression: add more tests 2022-12-19 16:43:11 +01:00
Calum Grant 4a37c01c5f JavaScript: Remove references to LGTM 2022-12-19 15:15:17 +00:00
Arthur Baars c176606be5 AlertSuppression: allow //lgtm comments to scope over the next line 2022-12-19 16:10:26 +01:00
Arthur Baars 016c7a8ca7
Merge pull request #11719 from aibaars/alert-suppression-shared
Shared AlertSuppression library
2022-12-19 16:04:44 +01:00
Henning Makholm ca1c46331a
Merge pull request #11731 from github/hmakholm/pr/no-option
remove com.semmle.util.data.Option from extractor code interface II
2022-12-19 15:36:51 +01:00
erik-krogh 66be8cda06
remove more of the implementation into ConditionalBypassQuery.qll 2022-12-19 14:37:19 +01:00
Arthur Baars 8be882f815
Update javascript/ql/src/AlertSuppression.ql
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2022-12-19 14:35:16 +01:00
Arthur Baars 682bf6d3a7
Apply suggestions from code review
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2022-12-19 14:16:05 +01:00
yoff d4eb2b964c
Merge pull request #11699 from erik-krogh/shareHost
Dynamic: Share more regexp code
2022-12-19 13:29:53 +01:00
Arthur Baars 23f595bea1 JavaScript: use shared AlertSuppression.qll 2022-12-19 12:25:17 +01:00
erik-krogh 442749bb7f
JS: add heuristic variants of queries that use RemoteFlowSource 2022-12-19 12:01:22 +01:00
Jean Helie 31f7702a04
Merge pull request #11726 from github/jhelie/fix-endpoint-large-scale-script
ATM: fix script updating endpoint large scale test data
2022-12-19 10:55:30 +01:00
erik-krogh 35e8d6afd4
move getACommonTld into a utility module without parameters 2022-12-18 17:23:45 +01:00
erik-krogh 26c5480ee6
share {js,rb}/regex/missing-regexp-anchor 2022-12-18 17:23:41 +01:00
turbo 1e5426fca2 Create security-experimental suite helper and all language suite implementations 2022-12-18 15:44:08 +01:00
erik-krogh 355499ea52
move `getACommonTld` to the shared pack 2022-12-17 17:26:18 +01:00
erik-krogh f67d0bc8c0
put the shared HostnameRegexp code in the shared regex pack 2022-12-17 17:26:18 +01:00
Henning Makholm 3e85e9f7d9 remove com.semmle.util.data.Option from extractor code interface II
com.semmle.util.data.Option is going away. Switch the single
cross-repo call that mentions it to use the new Option-less overload
that was introduced in semmle-code PR 44626.
2022-12-16 19:03:20 +01:00
Henry Mercer 30451ee950
Merge pull request #11681 from github/henrymercer/mergeback-3.8
Merge `rc/3.8` back to `main`
2022-12-16 17:43:12 +00:00
Jean Helie 938a7e828c update tests 2022-12-16 15:31:43 +01:00
Jean Helie cd0220b248 update autogenerated data for endpoint_large_scale 2022-12-16 14:03:01 +01:00
Jean Helie 904a4bd48b fix script updating endpoint_large_scale test data 2022-12-16 14:03:00 +01:00
Erik Krogh Kristensen 1500fa5f67
Merge pull request #10663 from pwntester/restify_improvements
Javascript: Improve Restify support and add new Spife support
2022-12-15 11:08:22 +01:00
Erik Krogh Kristensen 55558120d9
add explicit this 2022-12-14 20:59:28 +01:00
Alvaro Muñoz f46a8faf00 port RouteSetup API-based implementation to DataFlow one 2022-12-14 17:37:32 +01:00
turbo 4ec401a3f6 Tag all security queries in supported languages' experimental directories with an experimental tag 2022-12-14 17:15:50 +01:00
Asger F a92acf5218
Merge pull request #11689 from asgerf/js/missing-csrf-qhelp
JS: Update MissingCsrfMiddleware after 'csurf' deprecation
2022-12-14 15:50:32 +01:00
Alvaro Muñoz 818c2da1aa fix Spife tests (without heuristics) 2022-12-14 15:42:27 +01:00
Alvaro Muñoz 4cf7299d79 restore Spife.qll to working status 2022-12-14 15:41:53 +01:00
Alvaro Muñoz 14faff4477 fix restify tests 2022-12-14 15:38:35 +01:00
Alvaro Muñoz e1f05e960d Merge branch 'restify_improvements' of https://github.com/pwntester/codeql into restify_improvements 2022-12-14 13:11:13 +01:00
Alvaro Muñoz a71fc930a6 add tests 2022-12-14 13:11:02 +01:00
Asger F b63c658e3b JS: recognize tiny-csrf 2022-12-14 12:30:15 +01:00
Asger F 162419138d JS: Replace csurf -> lusca.csrf from example and qhelp 2022-12-14 12:30:15 +01:00
Henry Mercer 6023a1225c
Merge pull request #11673 from github/codeql-ci/atm/release-0.4.4
JS: Bump version numbers of ML-powered packs after 0.4.4 release
2022-12-14 10:27:00 +00:00
Alvaro Muñoz 701676eea1
Update javascript/ql/lib/semmle/javascript/frameworks/Spife.qll
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2022-12-14 10:18:47 +01:00
Erik Krogh Kristensen 8a89849476
Merge pull request #11660 from erik-krogh/dynamic-useInstanceOf
Py/JS/RB: Use instanceof in more places
2022-12-13 21:50:13 +01:00
Henry Mercer a3933fbf4f Bump minor versions of packs we regularly release 2022-12-13 18:59:24 +00:00
Henry Mercer 7167f078be Merge branch 'main' into henrymercer/mergeback-3.8 2022-12-13 18:40:53 +00:00
Asger F bbce52535a JS: Add clarification in another customization doc 2022-12-13 15:34:54 +01:00
Henry Mercer 423374a7b8
Merge branch 'main' into codeql-ci/atm/release-0.4.4 2022-12-13 14:26:21 +00:00
github-actions[bot] 745823ca60 JS: Bump version of ML-powered library and query packs to 0.4.5 2022-12-13 13:32:52 +00:00
github-actions[bot] ea13925a92 JS: Bump patch version of ML-powered library and query packs 2022-12-13 13:28:09 +00:00
Asger F 6b15839221 JS: Add tests for the examples used in the docs 2022-12-13 11:33:12 +01:00
Asger F ba1364a4cb JS: Add sinks mentioned in doc
Note that 'sql-injection' was already added
2022-12-13 11:33:12 +01:00
Alvaro Muñoz 270a4355df format Restify.qll 2022-12-13 11:22:24 +01:00
Alvaro Muñoz 4ba3190d29 Replace API::Node with DataFlow::Node for Spife's RouteSetup 2022-12-13 11:10:04 +01:00
erik-krogh b3a9c1ca06
Py/JS/RB: Use instanceof in more places 2022-12-12 16:06:57 +01:00
Alvaro Muñoz 469d7f52dc Use fluent API instead of hasPropertyWrite 2022-12-12 10:46:50 +01:00
Alvaro Muñoz 1410d2838e
Update javascript/ql/lib/semmle/javascript/frameworks/Spife.qll
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2022-12-12 09:54:02 +01:00
github-actions[bot] 343b7b1c8b Post-release preparation for codeql-cli-2.11.6 2022-12-11 18:15:04 +00:00
github-actions[bot] 0b2fb4f70a Release preparation for version 2.11.6 2022-12-10 15:49:35 +00:00
Asger F 387a673c10
Merge pull request #11567 from asgerf/js/data-extensions2
JS: Move MaD models to data extensions
2022-12-09 10:09:24 +01:00
Henry Mercer 280bb6864f
Merge pull request #11604 from github/codeql-ci/atm/release-0.4.3
JS: Bump version numbers of ML-powered packs after 0.4.3 release
2022-12-08 13:04:16 +00:00
Chris Smowton 49bc524fd0 Merge remote-tracking branch 'origin/rc/3.8' into smowton/admin/merge-rc38-into-main 2022-12-08 11:12:30 +00:00
Henry Mercer 78f15755d7
Merge branch 'main' into codeql-ci/atm/release-0.4.3 2022-12-07 20:49:26 +00:00
github-actions[bot] d577eeeea8 JS: Bump version of ML-powered library and query packs to 0.4.4 2022-12-07 20:05:30 +00:00
github-actions[bot] 9702ea02fb JS: Bump patch version of ML-powered library and query packs 2022-12-07 20:01:33 +00:00
Alvaro Muñoz 38b2f537d4 Use ReplyCall.super syntax instead of this.(ReplyCall) 2022-12-07 16:39:07 +01:00
Asger F fcdb2fa03f JS: Remove MaD models from .qll files 2022-12-07 11:35:13 +01:00