github
/
codeql
зеркало из https://github.com/github/codeql.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
61 816 коммитов 1 541 ветка 130 Теги 480 MiB
Граф коммитов

9332 Коммитов

Автор SHA1 Сообщение Дата
erik-krogh 56f1ff8af1
bump from release candidate to final release 2023-08-24 20:32:27 +02:00
erik-krogh 0273b20c75
add downgrade and upgrade script 🤞 2023-08-24 20:30:26 +02:00
erik-krogh ce97d38a18
add to the stat file 2023-08-24 20:30:26 +02:00
erik-krogh cb66d62959
add test for the new type-stuff in TS 5.2 we get for free 2023-08-24 20:30:26 +02:00
erik-krogh dc454d3a72
add support for the new `using` keyword in TypeScript 2023-08-24 20:30:26 +02:00
erik-krogh a7d92b3473
add JS support the `using` keyword 2023-08-24 20:30:26 +02:00
erik-krogh dfc83d844a
very initial support for TypeScript 5.2 2023-08-24 20:30:25 +02:00
Asger F 2b540e251a
Merge pull request #14007 from asgerf/js/import-path-string 
JS: Follow immediate predecessors in path resolution
 2023-08-23 15:28:22 +02:00
Asger F d146514275
Merge pull request #13928 from asgerf/js/ignore-huge-files 
JS: Ignore files larger than 10 MB during extraction
 2023-08-23 15:09:58 +02:00
Asger F b8fc84e8e4 JS: Change note 2023-08-23 14:11:07 +02:00
Asger F c6a757e085 JS: More robust handling of cyclic aliases 2023-08-23 14:11:07 +02:00
Asger F 794a459c1b JS: Add reproduction test 2023-08-23 14:11:07 +02:00
Asger F b93e404441 JS: Change log 2023-08-23 14:05:21 +02:00
Asger F ae2a1c7399 JS: Change note 2023-08-23 13:39:56 +02:00
Asger F d8462ad1b3 JS: Add a file size limit to extractor 2023-08-23 09:54:55 +02:00
Asger F bc47646a79 JS: Move getMegabyteCountFromPrefixedEnv into a shared place 2023-08-23 09:54:55 +02:00
Asger F dec6039469 JS: Follow immediate predecessors in path resolution 2023-08-23 09:53:51 +02:00
Max Schaefer 87364137df Use more sensible validator in example. 2023-08-21 15:14:01 +01:00
github-actions[bot] 098dfb4242 Release preparation for version 2.14.3 2023-08-18 14:48:15 +00:00
yoff 7f2f6f14e7
Merge pull request #13729 from yoff/python/model-aws-lambdas 
Python/JavaScript: Shared module for serverless functions
 2023-08-16 15:14:08 +02:00
Erik Krogh Kristensen 6a3b9e10eb
Merge pull request #13914 from erik-krogh/escape-unicode 
ReDoS: escape unicode chars in the output for the ReDoS queries
 2023-08-15 11:21:21 +02:00
Henry Mercer 1213eba630
Merge branch 'main' into post-release-prep/codeql-cli-2.14.2 2023-08-11 13:54:55 +01:00
erik-krogh 5ffce86768
change the defaults in the qhelp for missing-rate-limit to something more reasonable 2023-08-10 13:40:17 +02:00
github-actions[bot] 432c21d4fb Post-release preparation for codeql-cli-2.14.2 2023-08-09 18:45:18 +00:00
erik-krogh 0bce42410a
support arbitrary codepoints in NfaUtils.qll 2023-08-08 22:14:51 +02:00
erik-krogh 92db7b047c
escape unicode chars in the output for the ReDoS queries 2023-08-08 00:15:54 +02:00
github-actions[bot] 79c90fa36a Release preparation for version 2.14.2 2023-08-07 18:08:52 +00:00
Erik Krogh Kristensen 6631e838cf
re-appearing -> reappearing 
Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>
 2023-08-07 09:57:52 +02:00
Asger F 5950865b55
Merge pull request #13755 from github/max-schaefer/js-server-crash-help 
JavaScript: Improve qhelp for js/server-crash.
 2023-08-03 10:04:08 +02:00
Asger F c38cbe859d
Merge pull request #13737 from asgerf/dynamic/fuzzy-models 
Dynamic: add Fuzzy token
 2023-08-03 09:58:24 +02:00
Max Schaefer 5124310f14
Update javascript/ql/src/Security/CWE-730/ServerCrash.qhelp 
Co-authored-by: Asger F <asgerf@github.com>
 2023-08-01 17:03:05 +01:00
Jeongsoo Lee 1d5eb4a960
Update javascript/ql/lib/change-notes/2023-07-28-mad-log-injection.md 
Co-authored-by: Asger F <asgerf@github.com>
 2023-07-31 15:38:35 -07:00
Jeongsoo Lee 4529d8b75a Add support for log injection in MaD 2023-07-28 22:37:56 +00:00
github-actions[bot] f91b7a9342 Post-release preparation for codeql-cli-2.14.1 2023-07-21 16:16:25 +00:00
github-actions[bot] c936a920b0 Release preparation for version 2.14.1 2023-07-20 16:32:27 +00:00
Max Schaefer 7823ff968c JavaScript: Improve query help for `js/server-side-unvalidated-url-redirection`. 2023-07-19 13:23:25 +01:00
Max Schaefer 9432fec612 JavaScript: Improve qhelp for js/server-crash. 
The examples now use `fs.access` instead of the deprecated `fs.exists`. I have also rewritten the async/await example, since as of Node.js v15 the default behaviour for uncaught exceptions has changed to terminating the process instead of logging a warning, making the previous advice incorrect.
 2023-07-17 14:44:23 +01:00
Asger F d57276ca35
Merge pull request #13719 from asgerf/js/barrier-inout 
JS: Replace barrier edges with barrier nodes
 2023-07-13 16:36:52 +02:00
erik-krogh 1fe66232c6
suggestions based on review: add a popular library example for HTML-sanitization, and use the old text about ../ replacements 2023-07-13 14:28:11 +02:00
Erik Krogh Kristensen 9db970f055
apply suggestion from review 
Co-authored-by: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
 2023-07-13 14:17:33 +02:00
Asger F f3fab587a9 JS: Add Fuzzy token in identifying access path 2023-07-13 14:01:06 +02:00
Asger F 7c9e1ad6ec JS: Fix accidental recursion in Vue model 
The API graph entry point depended on API::Node.

This was due to depending on the the TComponent newtype which has a branch that depends on API::Node
 2023-07-13 13:41:21 +02:00
Max Schaefer b8eb2ef8d8
Merge branch 'main' into max-schaefer/improve-command-injection-qhelp 2023-07-13 12:11:15 +01:00
Max Schaefer ae237247f2
Apply suggestions from code review 
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
 2023-07-13 12:10:57 +01:00
Rasmus Lerchedahl Petersen 02c41f3dcf JavaScript: Use shared library for serverless 2023-07-12 16:46:34 +02:00
Asger F c7abd4c2af JS: Remove the unused edge-sanitizer hook in UnvalidatedDynamicMethodCall 2023-07-12 09:26:37 +02:00
Asger F c8af28c2ca
Merge pull request #13700 from asgerf/js/path-join-spread 
JS: Recognize 'fs/promises' alias and handle spread arguments in path.join()
 2023-07-11 15:31:13 +02:00
Asger F 1a395c5b34 JS: Use sanitizerOut in PrototypePollutingAssignment 2023-07-11 15:24:10 +02:00
Asger F 03bdebe3b3 JS: Update a test. 
The test had a bug on the line `src = src` so the new code is "more equivalent than usual"
 2023-07-11 15:24:09 +02:00
Asger F b09ed4b0e3 JS: Update UnsafeJQueryPlugin 2023-07-11 15:01:33 +02:00
Asger F a1d8a05bcb JS: Update ResourceExhaustion 2023-07-11 14:56:53 +02:00
Asger F 58a557b18e JS: Update InsecureRandomness 2023-07-11 14:56:43 +02:00
Asger F e863e2376d JS: Use sanitizerIn in ExtenralAPIUsedWithUntrustedData 2023-07-11 14:50:29 +02:00
Asger F 094302a27b JS: Replace sanitizing prefix edge with node 2023-07-11 14:48:13 +02:00
Asger F 944a2ca825 JS: Replace ClearTextLogging::isSanitizerEdge with a node 2023-07-11 14:20:17 +02:00
Asger F 68584e549e JS: Replace isOptionallySanitizedEdge with a node 2023-07-11 12:57:33 +02:00
Asger F 3691b836cb JS: Add tests 2023-07-11 11:37:30 +02:00
Asger F 0841677b14 JS: Add isSanitizerX variants in TaintTracking 2023-07-11 11:14:37 +02:00
Asger F d53beb3784 JS: Embed check for in/out barriers in edge barrier check 2023-07-11 11:04:28 +02:00
Asger F 4964d811a5 JS: Add interface for isBarrier in/out 2023-07-11 11:04:28 +02:00
Max Schaefer 63c45a0da3 Add another example of when and how to use shell-quote. 2023-07-10 14:02:17 +01:00
Asger F 8234b8f175 JS: Change note 2023-07-10 13:19:44 +02:00
Asger F 27085b1fd0 JS: Fix whitespace 2023-07-10 12:07:13 +02:00
Asger F fe90146a16 JS: Add test for path.join with spread argument 2023-07-10 12:07:07 +02:00
Asger F 06bc0f6957 JS: Add test for fs/promises 2023-07-10 12:05:03 +02:00
github-actions[bot] 13cf054a9d Post-release preparation for codeql-cli-2.14.0 2023-07-07 14:55:41 +00:00
Asger F 965ca169e5 JS: Recognise fs/promises 2023-07-07 14:14:49 +02:00
Asger F d49359a95c JS: Add step through spread arg to path.join() 2023-07-07 14:10:50 +02:00
github-actions[bot] 6484ee106e Release preparation for version 2.14.0 2023-07-07 08:22:14 +00:00
Dave Bartolomeo 9631e9f2f1 Bump minor version numbers post-GHES 2023-07-06 10:10:01 -04:00
Dave Bartolomeo 2bb9adfbf1 Merge remote-tracking branch 'origin/main' into dbartol/mergeback-3.10 2023-07-06 10:00:46 -04:00
Erik Krogh Kristensen b2a60bf3d1
Merge pull request #13642 from erik-krogh/san-script 
JS/RB: Fix FP in incomplete-multi-character-sanitization
 2023-07-06 15:38:39 +02:00
Max Schaefer 1d3e3440f2 Add example of manual sanitisation. 2023-07-06 12:54:30 +01:00
Max Schaefer 240e0799b0 Fix spurious character in code example. 2023-07-06 12:54:03 +01:00
Max Schaefer 83a854c3ff
Update javascript/ql/src/Security/CWE-078/IndirectCommandInjection.qhelp 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-07-06 12:47:06 +01:00
Max Schaefer 6fb41adc61
Apply suggestions from code review 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-07-06 12:02:44 +01:00
Max Schaefer f89992eb16 Address more review feedback. 2023-07-05 12:02:11 +01:00
Max Schaefer 921d8de8dc
Apply suggestions from code review 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-07-05 11:19:30 +01:00
Max Schaefer 5fb6b5810f Clarify that splitting arguments on space is not safe. 2023-07-04 15:58:37 +01:00
Max Schaefer 74af0b1f05 Improve command-injection example and provide a fixed version. 2023-07-04 15:58:37 +01:00
Chuan-kai Lin 6912f7ed3a
Merge pull request #13638 from cklin/remove-pragma-assume-small-delta 
Remove pragma[assume_small_delta]
 2023-07-03 07:00:36 -07:00
Erik Krogh Kristensen 8676516cb9
recursively -> repeatedly 
Co-authored-by: Asger F <asgerf@github.com>
 2023-07-03 13:17:13 +02:00
Asger F 4c9501eba5
Merge pull request #13529 from jorgectf/seclab/webix-modeling 
JS: Add models for `webix`
 2023-07-03 12:03:18 +02:00
erik-krogh 3e2b8124c9
apply suggestions from review 2023-07-03 10:03:45 +02:00
erik-krogh bea4162736
delete multi-char note from the `incomplete-sanitization` qhelp 2023-07-03 09:10:54 +02:00
erik-krogh a60478ba8a
write qhelp for js/incomplete-multi-character-sanitization 2023-07-03 09:07:13 +02:00
erik-krogh f9eee906cf
fix FP by requiring that the regular expression mention on of the chars important in the prefix 2023-07-01 20:30:09 +02:00
erik-krogh bd400be6ec
add FP for incomplete-multi-char-sanitization 2023-07-01 20:28:31 +02:00
Chuan-kai Lin ce464a7d69 Remove pragma[assume_small_delta] 2023-06-30 11:09:29 -07:00
github-actions[bot] 668aaa2dc8 Post-release preparation for codeql-cli-2.13.5 2023-06-30 08:51:48 +00:00
Jorge e210b0d0a7
Apply suggestions from code review 
Co-authored-by: Asger F <asgerf@github.com>
 2023-06-29 16:06:34 +02:00
github-actions[bot] 9d7987f822 Release preparation for version 2.13.5 2023-06-29 09:26:18 +00:00
jorgectf 2ac334bf15 Adapt `Webix` modeling to support HTML use-cases 2023-06-28 15:26:30 +02:00
Kasper Svendsen ab5e241310 Javascript: Enable implicit this warnings for remaining packs 2023-06-27 11:56:29 +02:00
jorgectf 1e663b8889 Update `HeuristicSourceCodeInjection.expected` 2023-06-26 13:32:20 +02:00
jorgectf bb67a9000e Fix `WebixTemplateSink` 2023-06-26 13:32:00 +02:00
Jorge 5bd044211e
Apply suggestions from code review 
Co-authored-by: Asger F <asgerf@github.com>
 2023-06-26 13:27:23 +02:00
Rasmus Wriedt Larsen 0121263e03
Merge branch 'main' into python/enable-summaries-from-models 2023-06-26 11:34:12 +02:00
Jorge 08b9a5e2b2
Add missing `;` 2023-06-23 23:10:06 +02:00
Jorge 3c980db93a
Format `webix.js` 2023-06-23 18:08:01 +02:00
Jorge 8ff525933e
Merge branch 'main' into seclab/webix-modeling 2023-06-23 18:06:26 +02:00
yoff 26856a82a6
Apply suggestions from code review 
Co-authored-by: Asger F <asgerf@github.com>
 2023-06-23 10:15:20 +02:00
Kevin Stubbings 3605269e13 Add webix copy function 2023-06-22 22:16:28 -07:00
jorgectf 7e7e2aaac7 Remove non-existing import 2023-06-22 01:15:08 +02:00
jorgectf 868129c7e7 Add change note 2023-06-22 01:14:06 +02:00
jorgectf 6947e99c15 Add models for `webix` 
Co-authored-by: Kevin Stubbings <Kwstubbs@users.noreply.github.com>
 2023-06-22 01:07:33 +02:00
Henry Mercer 5afdaf8fe1
Merge pull request #13525 from github/rc/3.10 
Merge `rc/3.10` back to `main`
 2023-06-21 17:13:36 +01:00
Adrien Pessu e332a4348d
Update javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-06-21 12:55:33 +01:00
Adrien Pessu 4d1bbe36a9
Merge branch 'main' into main 2023-06-21 09:11:57 +01:00
Adrien Pessu 7dfb404fd7 clean examples 2023-06-21 08:11:39 +00:00
Adrien Pessu e85987bfc5 remove useless phrase 2023-06-21 07:59:24 +00:00
Erik Krogh Kristensen 12b3913a4b
Merge pull request #13511 from tspascoal/patch-1 
JS: Single quote was preventing the shell from expanding the BODY variable in Expression injection in Actions example
 2023-06-21 09:57:20 +02:00
Adrien Pessu 9cb12cdcbe Merge branch 'main' of https://github.com/adrienpessu/codeql 2023-06-20 17:28:28 +00:00
Adrien Pessu 2a2f6de78c fixed text not in a tag 2023-06-20 17:27:37 +00:00
Adrien Pessu 77077da20c
Merge branch 'main' into main 2023-06-20 18:24:44 +01:00
Adrien Pessu 36cb60c746 Add fixed proposition for NodeJS 2023-06-20 17:22:56 +00:00
Jami 5259a6ecfc
Merge pull request #13324 from jcogs33/jcogs33/shared-sink-kind-validation 
Shared: share MaD kind validation across languages
 2023-06-20 11:56:12 -04:00
Tiago Pascoal 150854603b
Single quote was preventing the shell from expanding the BODY variable 
While this prevents the attack highlighted in the query help it also prevents it from working.

Double quotes will allow the expansion of the variable while still preventing the attack
 2023-06-20 11:38:27 +01:00
github-actions[bot] 18b678e69e Post-release preparation for codeql-cli-2.13.4 2023-06-20 10:20:05 +00:00
Adrien Pessu eb28266bcb improv example the help file 2023-06-19 17:00:52 +00:00
Tony Torralba 8f6d2ed2f9 Adjust ZipSlip query description according to review suggestions. 2023-06-19 10:27:41 +02:00
Tony Torralba 3c4d938cf1 Apply code review suggestions. 
Co-authored-by: Asger F <asgerf@github.com>
 2023-06-19 10:20:19 +02:00
Tony Torralba 433fc680ec
Apply suggestions from code review 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2023-06-19 10:17:40 +02:00
Rasmus Lerchedahl Petersen 3cf9e3e692 Py/js/ruby: sync files 2023-06-18 21:52:49 +02:00
Tony Torralba c97868f774 Add change notes 2023-06-16 09:01:02 +02:00
Tony Torralba 3e96fe60c5 Go/Java/JS/Python/Ruby: Update the description and qhelp of the ZipSlip query 
All filesystem operations, not just writes, with paths built from untrusted archive entry names are dangerous
 2023-06-16 08:52:44 +02:00
Asger F 318a60b208
Merge pull request #13456 from asgerf/js/vuex-perf 
JS: Restrict length of state path in vuex model
 2023-06-14 19:50:06 +02:00
Asger F 22b98c8959 JS: Restrict length of state path in vuex model 2023-06-14 15:48:58 +02:00
Jami 35591113c2
Merge branch 'main' into jcogs33/shared-sink-kind-validation 2023-06-14 08:06:34 -04:00
Asger F f737054216
Merge pull request #13380 from asgerf/js/fix-sink-kind 
JS: Fix invalid source kind in test
 2023-06-14 12:56:58 +02:00
Asger F 5aea6fc16c JS: Remove dataExtensions clause from test qlpack 2023-06-14 10:42:31 +02:00
Asger F 21831516f4 JS: use test-local data extensions 2023-06-14 10:38:33 +02:00
erik-krogh 3fd9f26b52
use consistent indentation in mongoose.js 2023-06-12 16:40:42 +02:00
erik-krogh cd6f738f72
add mongoose.Types.ObjectId.isValid as a sanitizer-guard for NoSQL injection 2023-06-12 16:38:11 +02:00
Jami Cogswell 9abe3e3da4 Shared: use a module as input to 'KindValidation' 2023-06-09 14:35:37 -04:00
Jami Cogswell da58b2afc8 Shared: move shared file to 'shared' folder and add parameterized module for 'getInvalidModelKind' 2023-06-08 20:05:27 -04:00
Jeroen Ketema bff11c3d23
Apply suggestions from code review 2023-06-08 22:33:50 +02:00
github-actions[bot] e4be303a23 Release preparation for version 2.13.4 2023-06-08 19:57:37 +00:00
Asger F 76a8e9827e
Merge pull request #13283 from asgerf/js/restrict-regex-search-function 
JS: Be more conservative about flagging "search" call arguments as regex
 2023-06-08 10:50:51 +02:00
Erik Krogh Kristensen 6ba7f9a238
Merge pull request #13352 from erik-krogh/once-again-deps-not-py-cpp 
delete old deprecations
 2023-06-07 13:00:57 +02:00
Asger F 17f9239c33 JS: Fix invalid source kind in test 2023-06-06 13:40:06 +02:00
Erik Krogh Kristensen 0e6693bdea
Merge pull request #12874 from erik-krogh/ts51 
JS: Add support for TS 5.1
 2023-06-06 11:51:51 +02:00
Erik Krogh Kristensen b78cd48954
Merge pull request #13329 from erik-krogh/sqlhelp 
JS: improve the sql-injection help page
 2023-06-06 08:44:44 +02:00
Jami Cogswell 5a23421d9a Shared: minor updates to comments 2023-06-05 13:46:56 -04:00
erik-krogh 3cb2ec4e87
fix nits from doc review 2023-06-05 19:06:07 +02:00
Jami Cogswell 9d5972acc2 Shared: update qldocs 2023-06-05 12:18:34 -04:00
Jami Cogswell 3f1dc8e5c7 Shared: add outdated Swift sink kinds 2023-06-05 12:18:34 -04:00
Jami Cogswell 62ac0dc471 Shared: add outdated sink kind msg to 'getInvalidModelKind' for all languages 2023-06-05 12:18:33 -04:00
Jami Cogswell 76f5dca861 Shared: move 'OutdatedSinkKind' to shared file and add outdated JS and C# sink kinds 2023-06-05 12:18:33 -04:00
Jami Cogswell 7b629f5d63 Shared: include 'qltest%' and 'test-%' 2023-06-05 12:18:33 -04:00
Jami Cogswell 254e447923 JS/Python/Ruby: update getInvalidModelKind 2023-06-05 12:18:33 -04:00
Jami Cogswell 7317c29eea Shared: update kind information 2023-06-05 12:18:33 -04:00
Jami Cogswell 0ab1848b70 JS/Python/Ruby: use 'SharedModelValidation' file 2023-06-05 12:18:33 -04:00
Jami Cogswell ddb5d92ef8 Shared: add source, summary, and neutral shared valid kinds 2023-06-05 12:18:33 -04:00
Jami Cogswell 869f820fcf Shared: add 'SharedModelValidation' file as experiment 2023-06-05 12:18:33 -04:00
Jami Cogswell e24e3a6115 JS/Python/Ruby: add getInvalidModelKind as experiment 2023-06-05 12:18:33 -04:00
Erik Krogh Kristensen 219ec9d05d
Merge pull request #13127 from erik-krogh/polReDoS 
ReDoS: revert new superlinear algorithm.
 2023-06-02 16:10:24 +02:00
erik-krogh ac9ede4ec0
add change-notes 2023-06-02 11:58:11 +02:00
erik-krogh f61b781386
JS: delete effectively empty file 2023-06-02 11:58:09 +02:00
erik-krogh 3584e85fe8
JS: fix tutorial 2023-06-02 11:58:08 +02:00
erik-krogh 9000243828
JS: fix compilation 2023-06-02 11:58:08 +02:00
erik-krogh 44b6366586
delete old deprecations 2023-06-02 11:58:08 +02:00
Asger F 77d2799278
Update javascript/ql/lib/semmle/javascript/Regexp.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-06-02 10:33:44 +02:00
erik-krogh 1b44b59842
add stress test 2023-06-01 23:20:23 +02:00
erik-krogh 8eed1a95f6
stop recursive fromRhs related to getLaterBaseAccess 2023-06-01 23:16:52 +02:00
erik-krogh 97afa5733b
add support for namespaced JSX attributes 2023-06-01 21:52:14 +02:00
erik-krogh f4b68fb8c3
bump TypeScript to stable version 2023-06-01 21:51:43 +02:00
Jami 3886ebffa9
Merge branch 'main' into jcogs33/update-javascript-sink-kinds 2023-06-01 14:09:10 -04:00
erik-krogh 9aeba4f31e
changes based on review 2023-06-01 17:24:44 +02:00
Erik Krogh Kristensen 96a720cfa0
Merge pull request #13285 from erik-krogh/redoshelp 
ReDoS: fix whitespace in the samples in ReDoS.qhelp
 2023-06-01 15:53:58 +02:00
Asger F baef99995d JS: Change note 2023-06-01 14:10:11 +02:00
erik-krogh 1e08105863
less duplicated headers in the sql-injection samples 2023-05-31 18:04:34 +02:00
erik-krogh 98820780af
show how to use mysql.escape in the sql-injection qhelp 2023-05-31 18:04:34 +02:00
erik-krogh 7d801e05ee
add an example of using dollar eq 2023-05-31 18:04:23 +02:00
erik-krogh e24b45b423
elaborate on both SQL and NoSQL injection in the js/sql-injection qhelp 2023-05-31 09:57:38 +02:00
erik-krogh b343dcaadd
put string/object in the alert-message for sql-injection 2023-05-31 08:06:04 +02:00
Arthur Baars 490d22d123 Merge remote-tracking branch 'upstream/main' into post-release-prep/codeql-cli-2.13.3 2023-05-30 21:31:28 +02:00
Asger F c637b6f59a JS: Update test for RegExpAlwaysMatches 2023-05-26 14:10:26 +02:00
Asger F 9df9ca2916 JS: Update test and expectations for MissingRegExpAnchor 2023-05-26 14:07:34 +02:00
Asger F 40daa9c906 JS: Update RegExpInjection test and expectations 2023-05-26 14:05:36 +02:00
Asger F 2629ec1b1d JS: Be more conservative about flagging "search" call arguments as regex 2023-05-26 11:55:53 +02:00
erik-krogh 9f5bf8fb22
also fix the first code-block 2023-05-25 13:56:29 +02:00
erik-krogh 765076bcba
fix whitespace in the samples in ReDoS.qhelp 2023-05-25 13:28:39 +02:00
github-actions[bot] d2e192020b Post-release preparation for codeql-cli-2.13.3 2023-05-24 11:26:12 +00:00
Erik Krogh Kristensen 796e71f8be
Merge pull request #13176 from MaxSchlueter/fixquery12 
Fix "Introducing the JavaScript libraries" query12.qll and add test case
 2023-05-24 10:56:53 +02:00
Arthur Baars e33f3a6668
Merge pull request #13154 from aibaars/sync-dbscheme-py 
JS/Ruby/QL/Python: sync dbscheme fragments
 2023-05-23 19:14:29 +02:00
Max Schlueter 40aa9417d0 Fix query12 and add test case 2023-05-23 11:52:51 +02:00
erik-krogh f7419c9250
add expected output 2023-05-23 09:56:06 +02:00
erik-krogh f85b3e13c2
update expected output 2023-05-23 09:56:06 +02:00
Erik Krogh Kristensen 50cb5ea184
Merge pull request #13164 from erik-krogh/polyQhelp 
ReDoS: add another example to the qhelp in poly-redos, showing how to just limit the length of the input
 2023-05-23 09:25:15 +02:00
Erik Krogh Kristensen e658177c31
Merge pull request #12975 from tyage/support-sub-modules 
JS: Support sub modules
 2023-05-23 09:24:43 +02:00
github-actions[bot] 7aa23cf11d Release preparation for version 2.13.3 2023-05-22 20:47:00 +00:00
Erik Krogh Kristensen 653cd86c13
update qldoc 2023-05-22 20:48:21 +02:00
Arthur Baars 7978c65467 JS: add upgrade/downgrade scripts 2023-05-22 19:28:59 +02:00
Erik Krogh Kristensen 3647b9cfeb
Merge pull request #13196 from erik-krogh/indirectCommand 
JS: require arguments to be shell interpreted to be flagged by indirect-command-injection
 2023-05-22 11:53:57 +02:00
erik-krogh 708a99528f
initial implementation of TS 5.1 2023-05-22 10:11:32 +02:00
erik-krogh 710b309142
apply suggestions from doc review 2023-05-21 22:18:48 +02:00
erik-krogh 10bf17c33e
Merge branch 'main' into polyQhelp 2023-05-21 22:17:06 +02:00
Erik Krogh Kristensen 239234c5d2
fix bad change-note 
Co-authored-by: Asger F <asgerf@github.com>
 2023-05-17 14:47:32 +02:00
erik-krogh 5a82454710
add change-note 2023-05-17 12:02:21 +02:00