Commit Graph

9332 Commits

Author SHA1 Message Date
Remco Vermeulen 76e56cdac7
Adjust query severities 2023-10-09 12:52:09 -07:00
erik-krogh a7ab9fd93b
add change-notes 2023-10-09 09:43:06 +02:00
erik-krogh f48b47c656
JavaScript: add import that populate the shared abstract classes 2023-10-09 09:14:55 +02:00
erik-krogh c2942b37a7
JS: delete various outdated deprecations 2023-10-09 09:14:55 +02:00
erik-krogh 0d992a3d1f
delete old deprecated aliases of various regex libraries 2023-10-09 09:14:54 +02:00
erik-krogh d261cec3cd
add change-note 2023-10-07 15:41:08 +02:00
erik-krogh 56e9eda2b9
fix performance by caching `getArgument` 2023-10-07 13:06:45 +02:00
erik-krogh 7ca0996912
add a taint-tracking tests for calls to tagged template strings 2023-10-06 21:39:42 +02:00
erik-krogh 9b6501787a
add API-graph test for the new tagged template calls 2023-10-06 21:25:34 +02:00
erik-krogh 18e6a5491c
recognize tagged templates as `DataFlow::CallNode` 2023-10-06 21:14:00 +02:00
erik-krogh 951ed01d6b
combine the `library-tests/CallGraphs/FullTest` tests into one file 2023-10-06 20:57:09 +02:00
Asger F 97b3ebe385
Merge pull request #14380 from asgerf/js/amd-range
JS: Add AmdModuleDefinition::Range
2023-10-05 21:05:28 +02:00
Cornelius Riemenschneider 96edc1d349 Add skeleton bazel files for accessing the dbschemes. 2023-10-05 09:00:38 +02:00
Asger F 315272839d JS: Change note 2023-10-05 08:13:43 +02:00
Asger F 162c477236 JS: Add AmdModuleDefinition::Range 2023-10-04 20:38:37 +02:00
github-actions[bot] 9fe993bec3 Release preparation for version 2.15.0 2023-10-04 14:15:27 +00:00
Henry Mercer da92da2204 Bump minor versions of packs we regularly release 2023-10-03 16:31:23 +01:00
Henry Mercer f3847b3f51 Merge branch 'main' into henrymercer/rc-3.11-mergeback 2023-10-03 16:30:23 +01:00
amammad 97c27ac11b revert SqlInjection.ql changes 2023-09-29 01:36:00 +10:00
amammad 58f4cd77dc add TypeORM to javascript.qll file
add tests
improvement on comments
2023-09-29 01:23:22 +10:00
Anders Schack-Mulligen 855c89667d JavaScript: Use shared FileSystem library. 2023-09-28 08:58:55 +02:00
amammad 0eb0c238f3 stash 2023-09-23 20:28:34 +10:00
amammad bafe357500 V3 2023-09-23 18:22:43 +10:00
amammad 0c40223192 v1 2023-09-23 18:17:49 +10:00
amammad a8aeb1d03e add active record and data mapper patterns support 2023-09-22 22:50:55 +10:00
amammad 522a2e2594 v2 2023-09-22 18:56:47 +10:00
github-actions[bot] 3acf5244b0 Post-release preparation for codeql-cli-2.14.6 2023-09-20 10:25:10 +00:00
github-actions[bot] 0a3670727f Release preparation for version 2.14.6 2023-09-19 11:40:30 +00:00
Erik Krogh Kristensen 7e7852eff6
Merge pull request #13641 from erik-krogh/multi-char
JS/RB: write qhelp for `incomplete-multi-character-sanitization`
2023-09-14 14:48:30 +02:00
erik-krogh c6b8c444d0
fix out of bounds string access in isUsingDecl 2023-09-13 21:53:49 +02:00
erik-krogh fdd349c1a3
fix out of bounds string access in isUsingDecl 2023-09-13 20:11:21 +02:00
Max Schaefer e722e3288f
Merge pull request #13771 from github/max-schaefer/server-side-url-redirect-help
JavaScript: Improve query help for `js/server-side-unvalidated-url-redirection`.
2023-09-13 13:20:48 +01:00
amammad 54a44777b7 v1 2023-09-13 19:14:15 +10:00
Max Schaefer a9e81672f0 Make suggestion to replace example.com more explicit. 2023-09-12 16:54:05 +01:00
Max Schaefer 7ddb7da65e
Apply suggestions from code review
Co-authored-by: Felicity Chapman <felicitymay@github.com>
2023-09-12 16:47:23 +01:00
github-actions[bot] d699880c86 Post-release preparation for codeql-cli-2.14.4 2023-09-08 21:17:52 +00:00
Chuan-kai Lin 1a575ef297
Merge pull request #14167 from asgerf/ts/tolerate-out-of-order-requests
JS: tolerate out of order requests in TypeScript extractor
2023-09-08 12:33:44 -07:00
Asger F ea384b340a JS: Change note 2023-09-08 10:31:04 +02:00
Asger F e08a873829 JS: Tolerate TypeScript files being requested out of order 2023-09-08 10:31:04 +02:00
Max Schaefer 46d7165885 Explain about redirects to example.com. 2023-09-07 09:12:07 +01:00
Max Schaefer a02f373e79 Use better sanitiser. 2023-09-06 14:06:16 +01:00
github-actions[bot] abf2b12b1c Release preparation for version 2.14.4 2023-09-05 16:56:14 +00:00
erik-krogh 984795ee46
fix off-by-one 2023-08-30 13:29:23 +02:00
erik-krogh 2643ab3dbf
`using` is not a keyword 2023-08-30 08:44:59 +02:00
erik-krogh 5e11fe74f7
Merge branch 'main' into ts52 2023-08-30 07:57:55 +02:00
Dave Bartolomeo 3343b78015
Merge pull request #14074 from github/post-release-prep/codeql-cli-2.14.3
Post-release preparation for codeql-cli-2.14.3
2023-08-28 13:34:10 -04:00
github-actions[bot] 3eba77421a Post-release preparation for codeql-cli-2.14.3 2023-08-28 15:53:49 +00:00
erik-krogh 78487d437f
add test for await using in TypeScript 2023-08-28 13:30:35 +02:00
erik-krogh be2712698b
add support for await using in the JS parser 2023-08-28 09:34:13 +02:00
erik-krogh 1cbee6a8a4
delete leftover todo comment that was implemented 2023-08-28 08:40:35 +02:00
erik-krogh 56f1ff8af1
bump from release candidate to final release 2023-08-24 20:32:27 +02:00
erik-krogh 0273b20c75
add downgrade and upgrade script 🤞 2023-08-24 20:30:26 +02:00
erik-krogh ce97d38a18
add to the stat file 2023-08-24 20:30:26 +02:00
erik-krogh cb66d62959
add test for the new type-stuff in TS 5.2 we get for free 2023-08-24 20:30:26 +02:00
erik-krogh dc454d3a72
add support for the new `using` keyword in TypeScript 2023-08-24 20:30:26 +02:00
erik-krogh a7d92b3473
add JS support for the `using` keyword 2023-08-24 20:30:26 +02:00
erik-krogh dfc83d844a
very initial support for TypeScript 5.2 2023-08-24 20:30:25 +02:00
Asger F 2b540e251a
Merge pull request #14007 from asgerf/js/import-path-string
JS: Follow immediate predecessors in path resolution
2023-08-23 15:28:22 +02:00
Asger F d146514275
Merge pull request #13928 from asgerf/js/ignore-huge-files
JS: Ignore files larger than 10 MB during extraction
2023-08-23 15:09:58 +02:00
Asger F b8fc84e8e4 JS: Change note 2023-08-23 14:11:07 +02:00
Asger F c6a757e085 JS: More robust handling of cyclic aliases 2023-08-23 14:11:07 +02:00
Asger F 794a459c1b JS: Add reproduction test 2023-08-23 14:11:07 +02:00
Asger F b93e404441 JS: Change log 2023-08-23 14:05:21 +02:00
Asger F ae2a1c7399 JS: Change note 2023-08-23 13:39:56 +02:00
Asger F d8462ad1b3 JS: Add a file size limit to extractor 2023-08-23 09:54:55 +02:00
Asger F bc47646a79 JS: Move getMegabyteCountFromPrefixedEnv into a shared place 2023-08-23 09:54:55 +02:00
Asger F dec6039469 JS: Follow immediate predecessors in path resolution 2023-08-23 09:53:51 +02:00
Max Schaefer 87364137df Use more sensible validator in example. 2023-08-21 15:14:01 +01:00
github-actions[bot] 098dfb4242 Release preparation for version 2.14.3 2023-08-18 14:48:15 +00:00
yoff 7f2f6f14e7
Merge pull request #13729 from yoff/python/model-aws-lambdas
Python/JavaScript: Shared module for serverless functions
2023-08-16 15:14:08 +02:00
Erik Krogh Kristensen 6a3b9e10eb
Merge pull request #13914 from erik-krogh/escape-unicode
ReDoS: escape unicode chars in the output for the ReDoS queries
2023-08-15 11:21:21 +02:00
Henry Mercer 1213eba630
Merge branch 'main' into post-release-prep/codeql-cli-2.14.2 2023-08-11 13:54:55 +01:00
erik-krogh 5ffce86768
change the defaults in the qhelp for missing-rate-limit to something more reasonable 2023-08-10 13:40:17 +02:00
github-actions[bot] 432c21d4fb Post-release preparation for codeql-cli-2.14.2 2023-08-09 18:45:18 +00:00
erik-krogh 0bce42410a
support arbitrary codepoints in NfaUtils.qll 2023-08-08 22:14:51 +02:00
erik-krogh 92db7b047c
escape unicode chars in the output for the ReDoS queries 2023-08-08 00:15:54 +02:00
github-actions[bot] 79c90fa36a Release preparation for version 2.14.2 2023-08-07 18:08:52 +00:00
Erik Krogh Kristensen 6631e838cf
re-appearing -> reappearing
Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>
2023-08-07 09:57:52 +02:00
Asger F 5950865b55
Merge pull request #13755 from github/max-schaefer/js-server-crash-help
JavaScript: Improve qhelp for js/server-crash.
2023-08-03 10:04:08 +02:00
Asger F c38cbe859d
Merge pull request #13737 from asgerf/dynamic/fuzzy-models
Dynamic: add Fuzzy token
2023-08-03 09:58:24 +02:00
Max Schaefer 5124310f14
Update javascript/ql/src/Security/CWE-730/ServerCrash.qhelp
Co-authored-by: Asger F <asgerf@github.com>
2023-08-01 17:03:05 +01:00
Jeongsoo Lee 1d5eb4a960
Update javascript/ql/lib/change-notes/2023-07-28-mad-log-injection.md
Co-authored-by: Asger F <asgerf@github.com>
2023-07-31 15:38:35 -07:00
Jeongsoo Lee 4529d8b75a Add support for log injection in MaD 2023-07-28 22:37:56 +00:00
github-actions[bot] f91b7a9342 Post-release preparation for codeql-cli-2.14.1 2023-07-21 16:16:25 +00:00
github-actions[bot] c936a920b0 Release preparation for version 2.14.1 2023-07-20 16:32:27 +00:00
Max Schaefer 7823ff968c JavaScript: Improve query help for `js/server-side-unvalidated-url-redirection`. 2023-07-19 13:23:25 +01:00
Max Schaefer 9432fec612 JavaScript: Improve qhelp for js/server-crash.
The examples now use `fs.access` instead of the deprecated `fs.exists`. I have also rewritten the async/await example, since as of Node.js v15 the default behaviour for uncaught exceptions has changed to terminating the process instead of logging a warning, making the previous advice incorrect.
2023-07-17 14:44:23 +01:00
Asger F d57276ca35
Merge pull request #13719 from asgerf/js/barrier-inout
JS: Replace barrier edges with barrier nodes
2023-07-13 16:36:52 +02:00
erik-krogh 1fe66232c6
suggestions based on review: add a popular library example for HTML-sanitization, and use the old text about ../ replacements 2023-07-13 14:28:11 +02:00
Erik Krogh Kristensen 9db970f055
apply suggestion from review
Co-authored-by: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
2023-07-13 14:17:33 +02:00
Asger F f3fab587a9 JS: Add Fuzzy token in identifying access path 2023-07-13 14:01:06 +02:00
Asger F 7c9e1ad6ec JS: Fix accidental recursion in Vue model
The API graph entry point depended on API::Node.

This was due to depending on the TComponent newtype which has a branch that depends on API::Node
2023-07-13 13:41:21 +02:00
Max Schaefer b8eb2ef8d8
Merge branch 'main' into max-schaefer/improve-command-injection-qhelp 2023-07-13 12:11:15 +01:00
Max Schaefer ae237247f2
Apply suggestions from code review
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
2023-07-13 12:10:57 +01:00
Rasmus Lerchedahl Petersen 02c41f3dcf JavaScript: Use shared library for serverless 2023-07-12 16:46:34 +02:00
Asger F c7abd4c2af JS: Remove the unused edge-sanitizer hook in UnvalidatedDynamicMethodCall 2023-07-12 09:26:37 +02:00
Asger F c8af28c2ca
Merge pull request #13700 from asgerf/js/path-join-spread
JS: Recognize 'fs/promises' alias and handle spread arguments in path.join()
2023-07-11 15:31:13 +02:00
Asger F 1a395c5b34 JS: Use sanitizerOut in PrototypePollutingAssignment 2023-07-11 15:24:10 +02:00
Asger F 03bdebe3b3 JS: Update a test.
The test had a bug on the line `src = src` so the new code is "more equivalent than usual"
2023-07-11 15:24:09 +02:00
Asger F b09ed4b0e3 JS: Update UnsafeJQueryPlugin 2023-07-11 15:01:33 +02:00
Asger F a1d8a05bcb JS: Update ResourceExhaustion 2023-07-11 14:56:53 +02:00
Asger F 58a557b18e JS: Update InsecureRandomness 2023-07-11 14:56:43 +02:00
Asger F e863e2376d JS: Use sanitizerIn in ExtenralAPIUsedWithUntrustedData 2023-07-11 14:50:29 +02:00
Asger F 094302a27b JS: Replace sanitizing prefix edge with node 2023-07-11 14:48:13 +02:00
Asger F 944a2ca825 JS: Replace ClearTextLogging::isSanitizerEdge with a node 2023-07-11 14:20:17 +02:00
Asger F 68584e549e JS: Replace isOptionallySanitizedEdge with a node 2023-07-11 12:57:33 +02:00
Asger F 3691b836cb JS: Add tests 2023-07-11 11:37:30 +02:00
Asger F 0841677b14 JS: Add isSanitizerX variants in TaintTracking 2023-07-11 11:14:37 +02:00
Asger F d53beb3784 JS: Embed check for in/out barriers in edge barrier check 2023-07-11 11:04:28 +02:00
Asger F 4964d811a5 JS: Add interface for isBarrier in/out 2023-07-11 11:04:28 +02:00
Max Schaefer 63c45a0da3 Add another example of when and how to use shell-quote. 2023-07-10 14:02:17 +01:00
Asger F 8234b8f175 JS: Change note 2023-07-10 13:19:44 +02:00
Asger F 27085b1fd0 JS: Fix whitespace 2023-07-10 12:07:13 +02:00
Asger F fe90146a16 JS: Add test for path.join with spread argument 2023-07-10 12:07:07 +02:00
Asger F 06bc0f6957 JS: Add test for fs/promises 2023-07-10 12:05:03 +02:00
github-actions[bot] 13cf054a9d Post-release preparation for codeql-cli-2.14.0 2023-07-07 14:55:41 +00:00
Asger F 965ca169e5 JS: Recognise fs/promises 2023-07-07 14:14:49 +02:00
Asger F d49359a95c JS: Add step through spread arg to path.join() 2023-07-07 14:10:50 +02:00
github-actions[bot] 6484ee106e Release preparation for version 2.14.0 2023-07-07 08:22:14 +00:00
Dave Bartolomeo 9631e9f2f1 Bump minor version numbers post-GHES 2023-07-06 10:10:01 -04:00
Dave Bartolomeo 2bb9adfbf1 Merge remote-tracking branch 'origin/main' into dbartol/mergeback-3.10 2023-07-06 10:00:46 -04:00
Erik Krogh Kristensen b2a60bf3d1
Merge pull request #13642 from erik-krogh/san-script
JS/RB: Fix FP in incomplete-multi-character-sanitization
2023-07-06 15:38:39 +02:00
Max Schaefer 1d3e3440f2 Add example of manual sanitisation. 2023-07-06 12:54:30 +01:00
Max Schaefer 240e0799b0 Fix spurious character in code example. 2023-07-06 12:54:03 +01:00
Max Schaefer 83a854c3ff
Update javascript/ql/src/Security/CWE-078/IndirectCommandInjection.qhelp
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2023-07-06 12:47:06 +01:00
Max Schaefer 6fb41adc61
Apply suggestions from code review
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2023-07-06 12:02:44 +01:00
Max Schaefer f89992eb16 Address more review feedback. 2023-07-05 12:02:11 +01:00
Max Schaefer 921d8de8dc
Apply suggestions from code review
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2023-07-05 11:19:30 +01:00
Max Schaefer 5fb6b5810f Clarify that splitting arguments on space is not safe. 2023-07-04 15:58:37 +01:00
Max Schaefer 74af0b1f05 Improve command-injection example and provide a fixed version. 2023-07-04 15:58:37 +01:00
Chuan-kai Lin 6912f7ed3a
Merge pull request #13638 from cklin/remove-pragma-assume-small-delta
Remove pragma[assume_small_delta]
2023-07-03 07:00:36 -07:00
Erik Krogh Kristensen 8676516cb9
recursively -> repeatedly
Co-authored-by: Asger F <asgerf@github.com>
2023-07-03 13:17:13 +02:00
Asger F 4c9501eba5
Merge pull request #13529 from jorgectf/seclab/webix-modeling
JS: Add models for `webix`
2023-07-03 12:03:18 +02:00
erik-krogh 3e2b8124c9
apply suggestions from review 2023-07-03 10:03:45 +02:00
erik-krogh bea4162736
delete multi-char note from the `incomplete-sanitization` qhelp 2023-07-03 09:10:54 +02:00
erik-krogh a60478ba8a
write qhelp for js/incomplete-multi-character-sanitization 2023-07-03 09:07:13 +02:00
erik-krogh f9eee906cf
fix FP by requiring that the regular expression mention one of the chars important in the prefix 2023-07-01 20:30:09 +02:00
erik-krogh bd400be6ec
add FP for incomplete-multi-char-sanitization 2023-07-01 20:28:31 +02:00
Chuan-kai Lin ce464a7d69 Remove pragma[assume_small_delta] 2023-06-30 11:09:29 -07:00
github-actions[bot] 668aaa2dc8 Post-release preparation for codeql-cli-2.13.5 2023-06-30 08:51:48 +00:00
Jorge e210b0d0a7
Apply suggestions from code review
Co-authored-by: Asger F <asgerf@github.com>
2023-06-29 16:06:34 +02:00
github-actions[bot] 9d7987f822 Release preparation for version 2.13.5 2023-06-29 09:26:18 +00:00
jorgectf 2ac334bf15 Adapt `Webix` modeling to support HTML use-cases 2023-06-28 15:26:30 +02:00
Kasper Svendsen ab5e241310 Javascript: Enable implicit this warnings for remaining packs 2023-06-27 11:56:29 +02:00
jorgectf 1e663b8889 Update `HeuristicSourceCodeInjection.expected` 2023-06-26 13:32:20 +02:00
jorgectf bb67a9000e Fix `WebixTemplateSink` 2023-06-26 13:32:00 +02:00
Jorge 5bd044211e
Apply suggestions from code review
Co-authored-by: Asger F <asgerf@github.com>
2023-06-26 13:27:23 +02:00
Rasmus Wriedt Larsen 0121263e03
Merge branch 'main' into python/enable-summaries-from-models 2023-06-26 11:34:12 +02:00
Jorge 08b9a5e2b2
Add missing `;` 2023-06-23 23:10:06 +02:00
Jorge 3c980db93a
Format `webix.js` 2023-06-23 18:08:01 +02:00