github
/
codeql
зеркало из https://github.com/github/codeql.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
67 318 коммитов 1 534 Ветки 130 Теги 471 MiB
Граф коммитов

9667 Коммитов

Автор SHA1 Сообщение Дата
Asger F f5c437694c Update UselessConditional.expected 2024-02-13 18:31:24 +01:00
Asger F f27fda801e Update tests.expected 2024-02-13 18:30:23 +01:00
Asger F 7122a7502a JS: Fix flow through && 
This is a long-standing bug we've been unable to fix due to noise from type inference.
 2024-02-13 14:43:03 +01:00
Asger F 6598a669a1 JS: Use set literal 2024-02-13 09:30:35 +01:00
Asger F 543e183d99 JS: Describe 1-step aliasing rule 2024-02-13 09:29:15 +01:00
Asger F baa3c35d6f JS: Refactor aliasing relation 2024-02-13 09:24:00 +01:00
Paolo Tranquilli a944443d39 Merge branch 'main' into redsun82/bzlmod 2024-02-12 16:03:50 +01:00
Paolo Tranquilli 53539226a8 Bazel: use internal codeql module 2024-02-12 14:27:55 +01:00
Asger F 8d3a19aaad JS: Fix termination criteria 
Previously it was theoretically possible to create a cycle of preferred predecessors, since badness had higher precedence than depth. We now require the preferred predecessor to have lower depth.

With this criteria we can remove the arbitray cap on badness.
 2024-02-12 11:44:52 +01:00
Asger F 0fbe530d9e JS: Fix some broken comments 2024-02-12 11:39:40 +01:00
Asger F 6d01ba67f7 JS: Check isPrivateLike in isExported instead 2024-02-12 11:39:29 +01:00
Erik Krogh Kristensen 1520305ae1
Merge pull request #15523 from erik-krogh/exclude-tagged 
JS: exclude tagged template literals from `js/superfluous-trailing-arguments`
 2024-02-12 11:31:18 +01:00
Dave Bartolomeo 92bd550c55
Merge pull request #15531 from github/post-release-prep/codeql-cli-2.16.2 
Post-release preparation for codeql-cli-2.16.2
 2024-02-08 05:58:17 -08:00
github-actions[bot] b5139078d0 Post-release preparation for codeql-cli-2.16.2 2024-02-06 19:22:35 +00:00
erik-krogh 94b7bda3dc
exclude tagged template literals from `js/superfluous-trailing-arguments` 2024-02-06 09:36:30 +01:00
github-actions[bot] c1b35fbf47 Release preparation for version 2.16.2 2024-02-05 17:58:57 +00:00
James Ockers 9f7f9fcc6e Updating change-notes to reflect what will be the visible change to end users 2024-02-02 11:38:17 -08:00
Rasmus Lerchedahl Petersen f433039a25 Add change note 2024-02-02 11:23:35 +01:00
Rasmus Lerchedahl Petersen f275531542 Add support for TS 5.4-beta 2024-02-02 11:03:44 +01:00
Asger F 8a2485a22f JS: Address some comments 2024-02-01 20:54:27 +01:00
Asger F aa5cccdddd JS: Make sinkHasPrimaryName public 2024-01-31 20:39:25 +01:00
James Ockers 0f1e21aa09 Adding per-language change-notes 2024-01-30 17:28:34 -08:00
James Ockers eb5e0123d6 exclude certification from maybeCertificate() regexes 2024-01-30 13:16:18 -08:00
Asger F 19ba9fed99 Handle externs 2024-01-30 17:13:02 +01:00
Asger F 1737ba1a6b JS: Add library for naming endpoints 2024-01-30 16:36:51 +01:00
Asger F 6cfdd7aec4 JS: Add InlineExpectationsTest 2024-01-30 13:20:57 +01:00
Asger F 8930ce74af JS: Do not view packages as nested in a private package 2024-01-30 13:20:57 +01:00
Asger F 2d8d11fa78 JS: Restrict type-only exports in API graphs 2024-01-30 13:20:57 +01:00
Asger F 0e0fb0e52d JS: Remove API graph edge causing ambiguity 2024-01-30 13:20:56 +01:00
Asger F e441dd472b JS: Expose hasBothNamedAndDefaultExports() 2024-01-30 13:20:55 +01:00
Sid Shankar b1d7a635f5 Renames diagnostic query files and tests 
This commit renames the files relating to the diagnostic query that produces information on the number of files extracted. The files have been renamed from "SuccessfullExtractedFiles.*" to "ExtractedFiles.*". All related tests and test files have been renamed too.

The `@tags` and `@id` attributes of the queries have been left untouched, consistent with the `@tags` and `@id` for similar queries in other languages.
 2024-01-29 20:19:20 +00:00
Henry Mercer 10343dd822
Merge pull request #15416 from github/post-release-prep/codeql-cli-2.16.1 
Post-release preparation for codeql-cli-2.16.1
 2024-01-25 14:15:25 +00:00
erik-krogh 396da117bb
remove an FP in overly-large-range for [@-Z] 2024-01-25 14:15:06 +01:00
GitHub Security Lab df10a7e7f0
Merge branch 'main' into amammad-js-bombs 2024-01-25 11:23:38 +01:00
github-actions[bot] d0b74c00fe Post-release preparation for codeql-cli-2.16.1 2024-01-23 23:02:29 +00:00
github-actions[bot] 7ef611e6dc Release preparation for version 2.16.1 2024-01-23 19:45:16 +00:00
erik-krogh 865df920f9
add change-notes 2024-01-22 19:30:57 +01:00
erik-krogh 8be7eadace
delete outdated deprecations 2024-01-22 09:11:35 +01:00
Sid Shankar 2d71294f61
Merge pull request #15256 from sidshank/change/adjust-extracted-files-diagnostics 
Js/Py/Rb: Report any extracted file as successfully extracted
 2024-01-17 11:04:06 -05:00
Sid Shankar 2c683c910f Merge branch 'change/adjust-extracted-files-diagnostics' of https://github.com/sidshank/codeql into change/adjust-extracted-files-diagnostics 2024-01-17 14:32:36 +00:00
Sid Shankar 0824ab77e9 Adds change notes 2024-01-17 14:31:40 +00:00
erik-krogh 1a8a70dc1b
mark the range [0-?] as good in the overly-large-range query 2024-01-17 13:11:57 +01:00
Sid Shankar 59098be8c4
Merge branch 'main' into change/adjust-extracted-files-diagnostics 2024-01-16 21:51:41 -05:00
Alexander Eyers-Taylor 934474681d
Merge pull request #15254 from github/post-release-prep/codeql-cli-2.16.0 
Post-release preparation for codeql-cli-2.16.0
 2024-01-16 14:50:40 +00:00
github-actions[bot] 57df8b92df Post-release preparation for codeql-cli-2.16.0 2024-01-15 15:00:50 +00:00
Asger F 96f8a02a72 JS: Treat private-field methods as private 2024-01-15 13:00:39 +01:00
Asger F 59c9ac735a
Merge pull request #15295 from asgerf/js/type-model-export 
JS: Include sink nodes as base-case when resolving types
 2024-01-11 20:47:32 +01:00
Erik Krogh Kristensen d782bd9b1f
Merge pull request #13624 from jorgectf/seclab/dotjs 
JS: Add `dot.js` support
 2024-01-11 14:57:19 +01:00
Asger F 82cee61999 JS: Include sink nodes as base-case when resolving types 2024-01-11 13:41:21 +01:00
Erik Krogh Kristensen 51fe477ed1
Merge pull request #15271 from erik-krogh/fastTS 
JS: faster TypeScript extraction
 2024-01-10 21:02:34 +01:00
erik-krogh 06c1fff770
address review comments 2024-01-10 13:53:54 +01:00
Erik Krogh Kristensen 3000b4b9b3
rename PropsTaintStep to PropsFlowStep 
Co-authored-by: Asger F <asgerf@github.com>
 2024-01-10 09:45:29 +01:00
erik-krogh d0fcb7d1ed
faster TypeScript extraction by not having to compute the "type-string" for a type every time 2024-01-09 15:30:55 +01:00
Sid Shankar e30a0d1e83 JS: Report any extracted file as successfully extracted 2024-01-08 22:19:33 +00:00
github-actions[bot] a6c8cc9551 Release preparation for version 2.16.0 2024-01-08 13:11:26 +00:00
erik-krogh 58dc14d5bb
update expected output 2024-01-04 11:38:58 +01:00
erik-krogh a9f2b3fad6
promote `PropsTaintStep` to a `PreCallGraphStep` 2024-01-04 10:45:22 +01:00
Aditya Sharad b1803d0ac2
Merge rc/3.12 into main 2023-12-21 16:40:51 -08:00
erik-krogh fe3e768414
update expected output of tests 2023-12-20 14:10:36 +01:00
github-actions[bot] 8f72b0e4f7 Post-release preparation for codeql-cli-2.15.5 2023-12-19 10:32:57 +00:00
Jorge f8cfd698fa
Merge branch 'main' into seclab/dotjs 2023-12-19 10:44:52 +01:00
github-actions[bot] 19af35b29a Release preparation for version 2.15.5 2023-12-18 21:22:44 +00:00
Jorge b81fbd7669
Add change note 2023-12-18 12:55:30 +01:00
erik-krogh a694928dd3
use the extractor option directly instead 2023-12-15 10:39:36 +01:00
erik-krogh ad4f464850
add warnOnImplicitThis 2023-12-15 09:55:30 +01:00
erik-krogh 9cc708b122
add integration test for the new extractor option to disable type extraction 2023-12-15 09:53:13 +01:00
Erik Krogh Kristensen a700aa4cde
Merge pull request #15110 from rvermeulen/rvermeulen/xml-attr-data-flow-node 
JavaScript: Add support for XML attributes in the data flow graph
 2023-12-14 21:45:57 +01:00
erik-krogh c752f26f91
use direct string comparison instead, that doesn't crash on invalid values 2023-12-14 20:43:16 +01:00
erik-krogh 5bbf79bf26
fix the parsing of boolean environment variables in the TypeScript extractor 2023-12-14 20:43:16 +01:00
erik-krogh 1a0d29ba8a
rename extractor environment variable to `CODEQL_EXTRACTOR_JAVASCRIPT_OPTION_SKIP_TYPES` 2023-12-14 20:43:16 +01:00
erik-krogh 62205f6a7f
add environment variable to skip extraction of types in TypeScript 2023-12-14 20:43:16 +01:00
erik-krogh b5fe0e5709
make sure `reset()` is called when manually invoking the TS extractor, so environment-variables are read 2023-12-14 20:43:16 +01:00
erik-krogh 96d1573978
move `TypeVarDepth` further up, so its declared before it's used 2023-12-14 20:43:15 +01:00
erik-krogh 10cf53b8d3
fix a `this` reference 
`this` didn't refer to anything specific, and it was in fact `undefined` in the context it was invoked. There was already a  `let typeTable = this;` further up (where `this` refers to the class instance), so I used `typeTable`.
 2023-12-14 20:43:15 +01:00
erik-krogh 43b228dbb4
exclude all the lib.d.ts files when running the TS extractor directly 
e.g. the `lib.es5.d.ts` file was not excluded
 2023-12-14 20:43:15 +01:00
Remco Vermeulen 133a243298
Add support for XML attributes in the data flow graph 2023-12-14 11:33:53 -08:00
erik-krogh 0db788bb10
use direct string comparison instead, that doesn't crash on invalid values 2023-12-14 14:50:17 +01:00
erik-krogh 5e91b2f5bc
fix the parsing of boolean environment variables in the TypeScript extractor 2023-12-14 14:40:10 +01:00
Erik Krogh Kristensen 063f69c10e
Merge pull request #15072 from erik-krogh/ts-various 
JS: Various TypeScript extraction fixes.
 2023-12-14 14:17:42 +01:00
erik-krogh 72e99b5b9d
rename extractor environment variable to `CODEQL_EXTRACTOR_JAVASCRIPT_OPTION_SKIP_TYPES` 2023-12-14 12:52:49 +01:00
Tom Hvitved c8b4a215bc
Merge pull request #14573 from hvitved/flow-summary-impl-param 
Move `FlowSummaryImpl.qll` to `dataflow` pack
 2023-12-14 12:24:15 +01:00
Jeroen Ketema 99e65df6ce
Merge remote-tracking branch 'upstream/rc/3.12' into mb12 2023-12-13 15:43:39 +01:00
Tom Hvitved a46964dfe8 Address review comments 2023-12-12 13:55:52 +01:00
erik-krogh 896432b646
add environment variable to skip extraction of types in TypeScript 2023-12-12 12:25:00 +01:00
erik-krogh cf31ef4960
make sure `reset()` is called when manually invoking the TS extractor, so environment-variables are read 2023-12-12 10:51:09 +01:00
erik-krogh c246a9c12c
move `TypeVarDepth` further up, so its declared before it's used 2023-12-12 10:34:42 +01:00
erik-krogh 13a01e1545
fix a `this` reference 
`this` didn't refer to anything specific, and it was in fact `undefined` in the context it was invoked. There was already a  `let typeTable = this;` further up (where `this` refers to the class instance), so I used `typeTable`.
 2023-12-12 10:32:31 +01:00
erik-krogh ca95a6e9cf
exclude all the lib.d.ts files when running the TS extractor directly 
e.g. the `lib.es5.d.ts` file was not excluded
 2023-12-12 10:29:09 +01:00
Tom Hvitved 28373e0fdf JS: Adapt to changes in shared code 2023-12-10 11:25:43 +01:00
erik-krogh e8f9e366d5
remove redundant imports for JS 2023-12-08 16:56:54 +01:00
github-actions[bot] 92af5f5386 Post-release preparation for codeql-cli-2.15.4 2023-12-06 22:59:22 +00:00
github-actions[bot] c04457e9e7 Release preparation for version 2.15.4 2023-12-06 21:11:50 +00:00
amammad 1547cd0546 added inline tests, move to experimental dir 2023-12-05 18:59:46 +01:00
amammad 2c4d2d3069
Merge branch 'main' into amammad-js-CodeInjection_execa 2023-12-05 18:38:09 +01:00
amammad 67fb802f29 fix conflict 2023-12-05 18:37:50 +01:00
Jorge 8abd1d9855
Merge branch 'main' into seclab/dotjs 2023-11-30 19:42:18 +01:00
Jorge 91bc043f30
Add `.html.dot` to `Autobuild.java` 2023-11-30 19:38:24 +01:00
Felicity Chapman 4cb2f53223
Remove unwanted period from query name 
Our style guide states that names should not end in a period. I'm updating this now to allow us to automate a process for GitHub docs, see: https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#query-name-name
 2023-11-30 14:31:17 +00:00
Rafael 1a05c2e704
Added Django test 2023-11-29 08:26:49 +01:00
Rafael 0a74a3a765
Update javascript/ql/src/change-notes/2023-11-28-django-urls.md 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-11-29 08:23:02 +01:00
Rafael 0b0c9e3e48
Create 2023-11-28-django-urls.md 2023-11-28 22:29:53 +01:00
Rafael 286e3951bf
Detect Django template URLs 
Django URLs are currently not detected, but flask and nunjucks URL are. (See https://github.com/github/codeql/issues/12267)
 2023-11-28 22:22:07 +01:00
erik-krogh abb8d65483
Merge branch 'main' into amammad-js-SQLI 2023-11-23 21:17:58 +01:00
erik-krogh 43c76468c9
add change-note 2023-11-23 21:17:33 +01:00
amammad 60b422a35c fix second round of code review. improve documents, fix better-sqlite3 method 2023-11-23 14:01:38 +01:00
erik-krogh dd1e71ace9
update the JS change notes to mention security severity instead of just severity 2023-11-23 10:28:22 +01:00
amammad eb552b7c93 add failingPositiveTests to inlinetests 2023-11-22 08:00:38 +01:00
amammad 0328a2986d move TypeORM library file and tests to experimental 
add inline tests :)
Fix TypeORM fuzzy method according to Review
 2023-11-21 19:59:06 +01:00
amammad 999ec7053e fix Query class docstring 2023-11-21 18:56:05 +01:00
Max Schaefer 2c5ce3216e
Merge pull request #14846 from github/max-schaefer/js/path-injection 
Update qhelp for js/path-injection.
 2023-11-21 13:50:41 +00:00
Max Schaefer dfffa1e237
Apply suggestions from code review 
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
 2023-11-21 10:07:11 +00:00
erik-krogh 5611a3e417
use exact version 2023-11-20 20:48:51 +01:00
erik-krogh 10b3efa667
update to the stable version of TypeScript 5.3 2023-11-20 20:32:24 +01:00
erik-krogh dde9a7cd7e
Merge branch 'main' into ts53-ts 2023-11-20 20:31:00 +01:00
Max Schaefer d147faba4e Update qhelp for js/path-injection. 2023-11-20 11:58:00 +00:00
github-actions[bot] bad499e360 Post-release preparation for codeql-cli-2.15.3 2023-11-17 14:35:41 +00:00
github-actions[bot] 6ec9b95072 Release preparation for version 2.15.3 2023-11-16 13:07:16 +00:00
Henry Mercer de83929a60 Remove LoC metrics from the analysis summary 2023-11-16 11:36:44 +00:00
Remco Vermeulen 52540b42fc
Merge branch 'main' into rvermeulen/javascript-adjust-security-severity 2023-11-14 11:21:38 -08:00
Remco Vermeulen 6bd7047e41
Restore XssThroughDom.ql's severity 2023-11-14 11:20:51 -08:00
Cornelius Riemenschneider 97fd2033f1 Take our node, not the one that comes first on the PATH. 2023-11-09 22:00:00 +01:00
Cornelius Riemenschneider b4ec13235d Address review. 2023-11-09 09:40:29 +01:00
Cornelius Riemenschneider 6b37d2009b
Merge branch 'main' into criemen/js-bazel 2023-11-08 16:11:47 +01:00
Rasmus Wriedt Larsen 43d9d2ceb7
Merge pull request #14603 from github/max-schaefer/broken-crypto-algorithm-link 
JavaScript/Python/Ruby: Improve alert message for `*/weak-cryptographic-algorithm`.
 2023-11-08 14:29:24 +01:00
Erik Krogh Kristensen f643fd7d74
Merge pull request #14716 from erik-krogh/invalid-main 
JS: catch when the main: path is invalid on Windows
 2023-11-08 08:33:58 +01:00
Geoffrey White b63294764b
Merge pull request #14705 from geoffw0/qhelplink 
Fix a dead ReDoS link in docs
 2023-11-07 17:40:19 +00:00
erik-krogh ae577d1e44
catch when the main: path is invalid on Windows 2023-11-07 17:42:21 +01:00
Geoffrey White e8a466a02c Update dead link. 2023-11-07 09:26:07 +00:00
Jorge b08d57a85f
Add `{{!` to `TEMPLATE_EXPR_OPENING_TAG` 2023-11-06 20:40:00 +00:00
Cornelius Riemenschneider be02512dfe Add a build system for the junit tests. 
This is a bit more complicated than our usual setup, as we both need to
unzip the typescript parser wrapper, and make node accessible on the path.
 2023-11-06 17:58:28 +01:00
amammad 36f0a78450 fix typeorm test.ts according to Review 2023-11-06 16:23:35 +01:00
amammad d7f1e19d40 fix sqlite.js test according to Review 2023-11-06 15:22:36 +01:00
amammad cc5dd3180a fix better-sqlite3 tests according to Review 2023-11-06 15:18:55 +01:00
amammad c858e4974d fix Sqlite and BetterSqlite3 issues according to Review 2023-11-06 14:57:40 +01:00
Cornelius Riemenschneider 52fcc5f435 Export test data directories. 2023-11-06 13:47:56 +01:00
Cornelius Riemenschneider 63854e36b4 Use the TestPaths helper to lookup files. 2023-11-06 13:47:56 +01:00
Cornelius Riemenschneider a773532d07 Refactor JS test suite to be more in line with other Java projects. 
Therefore, we move the test suite out of the `src` directory.
 2023-11-06 13:47:56 +01:00
Cornelius Riemenschneider 6c7ea86a12 Introduce a bazel-based build for the entire JS pack. 2023-11-06 13:47:56 +01:00
Cornelius Riemenschneider 465eb00228 More fine-grained dependency on internal extractors. 2023-11-06 13:44:28 +01:00
Arthur Baars 01e7d57dba Add changenote 2023-11-06 13:38:33 +01:00
Arthur Baars 7f4bcdfa64 Rename test files 2023-11-06 13:38:33 +01:00
Arthur Baars eecf32db4d Add tests for deprecated 'assert' syntax 2023-11-06 13:38:33 +01:00
Arthur Baars 4192d09e5c Add tests for deprecated 'assert' syntax 2023-11-06 13:38:33 +01:00
Arthur Baars b4d89f7554 Replace 'assert' with 'with' in QL test files 2023-11-06 13:38:33 +01:00
Arthur Baars 3d45944649 Rename 'assertions' to 'attributes' in JS extractor 2023-11-06 13:38:32 +01:00
Arthur Baars bd62ec294e Support TS 5.3 import attributes (previously import assertions) 2023-11-06 13:38:32 +01:00
Arthur Baars 1067dd9dd3 Auto-format 2023-11-06 13:38:32 +01:00
Arthur Baars ec075f8fbe Upgrade typescript to 5.3.1-rc 2023-11-06 13:38:24 +01:00
erik-krogh abcb5a7a95
remove the remaining yarn files 2023-11-05 19:24:59 +01:00
erik-krogh 688afddaf2
Re-order expected test output of all JS tests 2023-10-31 16:38:22 +01:00
Arthur Baars 5cc94e1105 Express.js: add req.path as remote input source 2023-10-31 12:44:26 +01:00
Arthur Baars 21b7a51d0a Add test case for req.path 2023-10-31 12:44:25 +01:00
Arthur Baars 1479509d93 Re-order expected test ouput 2023-10-31 12:44:25 +01:00
Chris Smowton 79e1aa0498
Merge pull request #14634 from github/post-release-prep/codeql-cli-2.15.2 
Post-release preparation for codeql-cli-2.15.2
 2023-10-31 10:24:53 +00:00
github-actions[bot] 2b939fdf08 Post-release preparation for codeql-cli-2.15.2 2023-10-30 16:06:51 +00:00
Harry Maclean 083be305e1 Shared: Add neutralModel extensible predicate 
The neutralModel extensible predicate already exists in Java and C#, so
this change brings the dynamic languages more in line with static
languages. The Model Editor uses this predicate to mark endpoints as
"not interesting" from a data flow perspective.
 2023-10-30 11:31:57 +00:00
github-actions[bot] 4641990021 Release preparation for version 2.15.2 2023-10-30 11:05:53 +00:00
erik-krogh cf958f0828
lower the severity of js/identity-replacement to medium 2023-10-27 13:54:17 +02:00
Max Schaefer 104700f6d3 Address review comment. 2023-10-27 10:19:28 +01:00
Max Schaefer 08cc8b8e80 Autoformat. 2023-10-26 15:36:06 +01:00
erik-krogh 302199a74a
fix `TypeExprKinds` crashing on a `ThisExpression` 2023-10-26 16:33:54 +02:00
Max Schaefer abef8483bd
Merge pull request #14600 from github/max-schaefer/express-rate-limit 
JavaScript: Add support for importing `express-rate-limit` using a named import.
 2023-10-26 15:15:22 +01:00
Max Schaefer 741735cc83 Port changes to JavaScript. 2023-10-26 14:47:24 +01:00
Max Schaefer aff848b038
Update javascript/ql/lib/semmle/javascript/security/dataflow/MissingRateLimiting.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-10-26 13:06:52 +01:00
Max Schaefer 2c7291336d Move test files into right directory. 2023-10-26 12:16:52 +01:00
Max Schaefer bb146a1758 JavaScript: Add support for `rateLimit` export from `express-rate-limit` package. 2023-10-26 12:14:57 +01:00
Cornelius Riemenschneider 790615fbc2
Merge pull request #14552 from github/criemen/bazel-js 
Javascript extractor: Bazel-based build
 2023-10-24 19:36:39 +02:00
Cornelius Riemenschneider 42c343e820 Address review 2023-10-24 16:03:35 +02:00
amammad e3dbdc3887 add custom query builder and active record querybuilder support 2023-10-22 21:39:59 +02:00
Cornelius Riemenschneider 9ba32a0440 Add bazel-based build for the Javascript extractor. 2023-10-20 16:23:50 +02:00
Cornelius Riemenschneider de85f2bbf8 Fix errorprone violations. 2023-10-20 16:23:35 +02:00
Erik Krogh Kristensen f562d5319f
Merge pull request #14539 from flyboss/main 
fix typo ('Configration' to ‘Configuration’)
 2023-10-20 14:10:42 +02:00
flyboss ee813c1e61
Update UnsafeHtmlConstructionQuery.qll 
add a deprecated alias in case anyone depends on the misspelled name.
 2023-10-20 17:57:23 +08:00
flyboss 86336565eb fix typo 2023-10-19 02:34:31 +00:00
github-actions[bot] 8dcd8b9e5b Post-release preparation for codeql-cli-2.15.1 2023-10-17 20:24:00 +00:00
github-actions[bot] 3b3c036626 Release preparation for version 2.15.1 2023-10-16 17:49:39 +00:00
Arthur Baars 0e3369f93f
Merge pull request #14484 from aibaars/ts53-js 
JS: Support import attributes
 2023-10-16 10:47:49 +02:00
erik-krogh 69c3e62965
add change-note 2023-10-13 15:16:39 +02:00
erik-krogh 9080e84fc9
add support for extracting `.jsp` files 2023-10-13 12:09:27 +02:00
Arthur Baars a4d0ef6350 Add changenote 2023-10-12 13:04:00 +02:00
Arthur Baars a9a21aa313 Rename DynamicImportExpr::getImport{Attributes => Options} 2023-10-12 13:00:39 +02:00
Arthur Baars 1f4fcf1f31 Rename test files 2023-10-12 13:00:39 +02:00
Arthur Baars a1c1f7b910 Add tests for deprecated 'assert' syntax 2023-10-12 13:00:39 +02:00
Arthur Baars f38d2e1b89 Replace 'assert' with 'with' in QL test files 2023-10-12 13:00:39 +02:00
Arthur Baars c28004f2a6 Rename 'getImportAssertion()' to 'getImportAttributes()' in QL library 2023-10-12 13:00:39 +02:00
Arthur Baars 07172da1bc Add tests for deprecated 'assert' syntax 2023-10-12 12:51:13 +02:00
Arthur Baars f7b02c01dd Rename getAssertion() to getAttributes() in the extractor 2023-10-12 12:51:13 +02:00
Arthur Baars 1d9ee5da3c Rename 'assertions' to 'attributes' in JS extractor 2023-10-12 12:49:25 +02:00
Arthur Baars b936e91fe9 Support JS import attributes (previously import assertions) 2023-10-12 11:43:42 +02:00
amammad 3899f2cdf3 upgrade execa scripts 2023-10-12 10:44:57 +02:00
Henry Mercer 1a370bfbbe
Merge pull request #14443 from github/post-release-prep/codeql-cli-2.15.0 
Post-release preparation for codeql-cli-2.15.0
 2023-10-11 17:39:04 +01:00
amammad 261cabde67 better comments 2023-10-11 17:44:12 +02:00
amammad b24c6fd579 for demonstration 2023-10-11 17:34:33 +02:00
github-actions[bot] ae6af17c74 Post-release preparation for codeql-cli-2.15.0 2023-10-11 14:19:20 +00:00
amammad de2ee4d289 stash I can't especify the argument and command differences with new API 2023-10-11 14:36:56 +02:00
amammad 4cd3618dcd
Merge branch 'main' into amammad-js-CodeInjection_execa 2023-10-11 13:27:26 +02:00
Erik Krogh Kristensen 85bb14f04f
Merge pull request #14405 from erik-krogh/tagCall 
JS: recognize tagged template literals as `DataFlow::CallNode`
 2023-10-11 11:25:34 +02:00
Erik Krogh Kristensen 6377e92067
Update javascript/ql/lib/semmle/javascript/dataflow/DataFlow.qll 
Co-authored-by: Asger F <asgerf@github.com>
 2023-10-11 09:52:48 +02:00
amammad 32859eb057 move to experimental 2023-10-10 22:46:44 +02:00
amammad 4198f61c16 fix a qldoc isuse 2023-10-10 22:21:43 +02:00
amammad 6f73e9c3ba revert for in additional steps 2023-10-10 22:12:37 +02:00
amammad 9053ceb3b7 revert a unexpected test file 2023-10-10 21:37:59 +02:00
amammad e13050b64e revert a unexpected test file 2023-10-10 21:35:52 +02:00
erik-krogh ccd06c78b9
delete an .expected file outside the test directories 2023-10-10 21:35:19 +02:00
amammad 242f7e1c53 update pg :) 2023-10-10 11:42:32 +02:00
amammad 18edef6ea4 add better-sqlite3 tests 2023-10-10 11:20:17 +02:00
amammad bbeb7b39d7 add better-sqlite3 2023-10-10 11:17:04 +02:00
Remco Vermeulen 76e56cdac7
Adjust query severities 2023-10-09 12:52:09 -07:00
erik-krogh a7ab9fd93b
add change-notes 2023-10-09 09:43:06 +02:00
erik-krogh f48b47c656
JavaScript: add import that populate the shared abstract classes 2023-10-09 09:14:55 +02:00
erik-krogh c2942b37a7
JS: delete various outdated deprecations 2023-10-09 09:14:55 +02:00
erik-krogh 0d992a3d1f
delete old deprecated aliases of various regex libraries 2023-10-09 09:14:54 +02:00
erik-krogh d261cec3cd
add change-note 2023-10-07 15:41:08 +02:00
erik-krogh 56e9eda2b9
fix performance by caching `getArgument` 2023-10-07 13:06:45 +02:00
amammad 6789273ab1 remove a test predicate 2023-10-07 12:05:44 +02:00
amammad aff6f00450 comments improvement,separate module file, fix tests 2023-10-07 12:02:39 +02:00
amammad 5a49f6bb9b fix tests 2023-10-06 22:10:57 +02:00
erik-krogh 7ca0996912
add a taint-tracking tests for calls to tagged template strings 2023-10-06 21:39:42 +02:00
erik-krogh 9b6501787a
add API-graph test for the new tagged template calls 2023-10-06 21:25:34 +02:00
erik-krogh 18e6a5491c
recognize tagged templates as `DataFlow::CallNode` 2023-10-06 21:14:00 +02:00
amammad f5efddc011 comments improvement 2023-10-06 21:12:59 +02:00
amammad e45268cd4d improve and fix bugs and add Form Flow Sources test files 2023-10-06 21:01:42 +02:00
erik-krogh 951ed01d6b
combine the `library-tests/CallGraphs/FullTest` tests into one file 2023-10-06 20:57:09 +02:00
amammad 5bc21a6178 delete old tests 2023-10-06 16:09:05 +02:00
amammad 7d961e1af2 do review improvements 2023-10-06 16:07:10 +02:00
amammad eef8137166 add Dice package, add global taint steps by SharedTaintStep, use getASuccessor 2023-10-06 10:58:26 +02:00
amammad faaddd4dfe updates for FormParsers and ReadableStream modules, add separate module for Readable Streams, BusBoy RemoteFlowSources is covering more sources now!, modularize 2023-10-05 21:46:58 +02:00
Asger F 97b3ebe385
Merge pull request #14380 from asgerf/js/amd-range 
JS: Add AmdModuleDefinition::Range
 2023-10-05 21:05:28 +02:00
Cornelius Riemenschneider 96edc1d349 Add skeleton bazel files for accessing the dbschemes. 2023-10-05 09:00:38 +02:00
Asger F 315272839d JS: Change note 2023-10-05 08:13:43 +02:00
Asger F 162c477236 JS: Add AmdModuleDefinition::Range 2023-10-04 20:38:37 +02:00
github-actions[bot] 9fe993bec3 Release preparation for version 2.15.0 2023-10-04 14:15:27 +00:00
Henry Mercer da92da2204 Bump minor versions of packs we regularly release 2023-10-03 16:31:23 +01:00
Henry Mercer f3847b3f51 Merge branch 'main' into henrymercer/rc-3.11-mergeback 2023-10-03 16:30:23 +01:00
amammad e81a4fc330 remove CLI sources Library file and local sources for lower FPs 2023-10-01 05:44:13 +10:00
amammad 97c27ac11b revert SqlInjection.ql changes 2023-09-29 01:36:00 +10:00
amammad 58f4cd77dc add TypeORM to javascript.qll file 
add tests
improvement on comments
 2023-09-29 01:23:22 +10:00
Anders Schack-Mulligen 855c89667d JavaScript: Use shared FileSystem library. 2023-09-28 08:58:55 +02:00
amammad 0eb0c238f3 stash 2023-09-23 20:28:34 +10:00
amammad bafe357500 V3 2023-09-23 18:22:43 +10:00
amammad 0c40223192 v1 2023-09-23 18:17:49 +10:00
amammad a8aeb1d03e add active record and data mapper patterns support 2023-09-22 22:50:55 +10:00
amammad 2c74dc23c9 add second order command execution sinks to tests 2023-09-22 20:00:36 +10:00
amammad a20ca78599 V1 2023-09-22 19:23:34 +10:00
amammad f1a7f0a7e8 V1 2023-09-22 19:21:41 +10:00
amammad 522a2e2594 v2 2023-09-22 18:56:47 +10:00
github-actions[bot] 3acf5244b0 Post-release preparation for codeql-cli-2.14.6 2023-09-20 10:25:10 +00:00
github-actions[bot] 0a3670727f Release preparation for version 2.14.6 2023-09-19 11:40:30 +00:00
Erik Krogh Kristensen 7e7852eff6
Merge pull request #13641 from erik-krogh/multi-char 
JS/RB: write qhelp for `incomplete-multi-character-sanitization`
 2023-09-14 14:48:30 +02:00
erik-krogh c6b8c444d0
fix out of bounds string access in isUsingDecl 2023-09-13 21:53:49 +02:00