Cornelius Riemenschneider
790615fbc2
Merge pull request #14552 from github/criemen/bazel-js
Javascript extractor: Bazel-based build
2023-10-24 19:36:39 +02:00
Cornelius Riemenschneider
42c343e820
Address review
2023-10-24 16:03:35 +02:00
amammad
e3dbdc3887
add custom query builder and active record querybuilder support
2023-10-22 21:39:59 +02:00
Cornelius Riemenschneider
9ba32a0440
Add bazel-based build for the Javascript extractor.
2023-10-20 16:23:50 +02:00
Cornelius Riemenschneider
de85f2bbf8
Fix errorprone violations.
2023-10-20 16:23:35 +02:00
Erik Krogh Kristensen
f562d5319f
Merge pull request #14539 from flyboss/main
fix typo ('Configration' to 'Configuration')
2023-10-20 14:10:42 +02:00
flyboss
ee813c1e61
Update UnsafeHtmlConstructionQuery.qll
add a deprecated alias in case anyone depends on the misspelled name.
2023-10-20 17:57:23 +08:00
flyboss
86336565eb
fix typo
2023-10-19 02:34:31 +00:00
github-actions[bot]
8dcd8b9e5b
Post-release preparation for codeql-cli-2.15.1
2023-10-17 20:24:00 +00:00
github-actions[bot]
3b3c036626
Release preparation for version 2.15.1
2023-10-16 17:49:39 +00:00
Arthur Baars
0e3369f93f
Merge pull request #14484 from aibaars/ts53-js
JS: Support import attributes
2023-10-16 10:47:49 +02:00
erik-krogh
69c3e62965
add change-note
2023-10-13 15:16:39 +02:00
erik-krogh
9080e84fc9
add support for extracting `.jsp` files
2023-10-13 12:09:27 +02:00
Arthur Baars
a4d0ef6350
Add changenote
2023-10-12 13:04:00 +02:00
Arthur Baars
a9a21aa313
Rename DynamicImportExpr::getImport{Attributes => Options}
2023-10-12 13:00:39 +02:00
Arthur Baars
1f4fcf1f31
Rename test files
2023-10-12 13:00:39 +02:00
Arthur Baars
a1c1f7b910
Add tests for deprecated 'assert' syntax
2023-10-12 13:00:39 +02:00
Arthur Baars
f38d2e1b89
Replace 'assert' with 'with' in QL test files
2023-10-12 13:00:39 +02:00
Arthur Baars
c28004f2a6
Rename 'getImportAssertion()' to 'getImportAttributes()' in QL library
2023-10-12 13:00:39 +02:00
Arthur Baars
07172da1bc
Add tests for deprecated 'assert' syntax
2023-10-12 12:51:13 +02:00
Arthur Baars
f7b02c01dd
Rename getAssertion() to getAttributes() in the extractor
2023-10-12 12:51:13 +02:00
Arthur Baars
1d9ee5da3c
Rename 'assertions' to 'attributes' in JS extractor
2023-10-12 12:49:25 +02:00
Arthur Baars
b936e91fe9
Support JS import attributes (previously import assertions)
2023-10-12 11:43:42 +02:00
Henry Mercer
1a370bfbbe
Merge pull request #14443 from github/post-release-prep/codeql-cli-2.15.0
Post-release preparation for codeql-cli-2.15.0
2023-10-11 17:39:04 +01:00
github-actions[bot]
ae6af17c74
Post-release preparation for codeql-cli-2.15.0
2023-10-11 14:19:20 +00:00
Erik Krogh Kristensen
85bb14f04f
Merge pull request #14405 from erik-krogh/tagCall
JS: recognize tagged template literals as `DataFlow::CallNode`
2023-10-11 11:25:34 +02:00
Erik Krogh Kristensen
6377e92067
Update javascript/ql/lib/semmle/javascript/dataflow/DataFlow.qll
Co-authored-by: Asger F <asgerf@github.com>
2023-10-11 09:52:48 +02:00
erik-krogh
ccd06c78b9
delete an .expected file outside the test directories
2023-10-10 21:35:19 +02:00
amammad
242f7e1c53
update pg :)
2023-10-10 11:42:32 +02:00
amammad
18edef6ea4
add better-sqlite3 tests
2023-10-10 11:20:17 +02:00
amammad
bbeb7b39d7
add better-sqlite3
2023-10-10 11:17:04 +02:00
Remco Vermeulen
76e56cdac7
Adjust query severities
2023-10-09 12:52:09 -07:00
erik-krogh
a7ab9fd93b
add change-notes
2023-10-09 09:43:06 +02:00
erik-krogh
f48b47c656
JavaScript: add import that populate the shared abstract classes
2023-10-09 09:14:55 +02:00
erik-krogh
c2942b37a7
JS: delete various outdated deprecations
2023-10-09 09:14:55 +02:00
erik-krogh
0d992a3d1f
delete old deprecated aliases of various regex libraries
2023-10-09 09:14:54 +02:00
erik-krogh
d261cec3cd
add change-note
2023-10-07 15:41:08 +02:00
erik-krogh
56e9eda2b9
fix performance by caching `getArgument`
2023-10-07 13:06:45 +02:00
erik-krogh
7ca0996912
add a taint-tracking tests for calls to tagged template strings
2023-10-06 21:39:42 +02:00
erik-krogh
9b6501787a
add API-graph test for the new tagged template calls
2023-10-06 21:25:34 +02:00
erik-krogh
18e6a5491c
recognize tagged templates as `DataFlow::CallNode`
2023-10-06 21:14:00 +02:00
erik-krogh
951ed01d6b
combine the `library-tests/CallGraphs/FullTest` tests into one file
2023-10-06 20:57:09 +02:00
Asger F
97b3ebe385
Merge pull request #14380 from asgerf/js/amd-range
JS: Add AmdModuleDefinition::Range
2023-10-05 21:05:28 +02:00
Cornelius Riemenschneider
96edc1d349
Add skeleton bazel files for accessing the dbschemes.
2023-10-05 09:00:38 +02:00
Asger F
315272839d
JS: Change note
2023-10-05 08:13:43 +02:00
Asger F
162c477236
JS: Add AmdModuleDefinition::Range
2023-10-04 20:38:37 +02:00
github-actions[bot]
9fe993bec3
Release preparation for version 2.15.0
2023-10-04 14:15:27 +00:00
Henry Mercer
da92da2204
Bump minor versions of packs we regularly release
2023-10-03 16:31:23 +01:00
Henry Mercer
f3847b3f51
Merge branch 'main' into henrymercer/rc-3.11-mergeback
2023-10-03 16:30:23 +01:00
amammad
97c27ac11b
revert SqlInjection.ql changes
2023-09-29 01:36:00 +10:00
amammad
58f4cd77dc
add TypeORM to javascript.qll file
add tests
improvement on comments
2023-09-29 01:23:22 +10:00
Anders Schack-Mulligen
855c89667d
JavaScript: Use shared FileSystem library.
2023-09-28 08:58:55 +02:00
amammad
0eb0c238f3
stash
2023-09-23 20:28:34 +10:00
amammad
bafe357500
V3
2023-09-23 18:22:43 +10:00
amammad
0c40223192
v1
2023-09-23 18:17:49 +10:00
amammad
a8aeb1d03e
add active record and data mapper patterns support
2023-09-22 22:50:55 +10:00
amammad
522a2e2594
v2
2023-09-22 18:56:47 +10:00
github-actions[bot]
3acf5244b0
Post-release preparation for codeql-cli-2.14.6
2023-09-20 10:25:10 +00:00
github-actions[bot]
0a3670727f
Release preparation for version 2.14.6
2023-09-19 11:40:30 +00:00
Erik Krogh Kristensen
7e7852eff6
Merge pull request #13641 from erik-krogh/multi-char
JS/RB: write qhelp for `incomplete-multi-character-sanitization`
2023-09-14 14:48:30 +02:00
erik-krogh
c6b8c444d0
fix out of bounds string access in isUsingDecl
2023-09-13 21:53:49 +02:00
erik-krogh
fdd349c1a3
fix out of bounds string access in isUsingDecl
2023-09-13 20:11:21 +02:00
Max Schaefer
e722e3288f
Merge pull request #13771 from github/max-schaefer/server-side-url-redirect-help
JavaScript: Improve query help for `js/server-side-unvalidated-url-redirection`.
2023-09-13 13:20:48 +01:00
amammad
54a44777b7
v1
2023-09-13 19:14:15 +10:00
Max Schaefer
a9e81672f0
Make suggestion to replace example.com more explicit.
2023-09-12 16:54:05 +01:00
Max Schaefer
7ddb7da65e
Apply suggestions from code review
Co-authored-by: Felicity Chapman <felicitymay@github.com>
2023-09-12 16:47:23 +01:00
github-actions[bot]
d699880c86
Post-release preparation for codeql-cli-2.14.4
2023-09-08 21:17:52 +00:00
Chuan-kai Lin
1a575ef297
Merge pull request #14167 from asgerf/ts/tolerate-out-of-order-requests
JS: tolerate out of order requests in TypeScript extractor
2023-09-08 12:33:44 -07:00
Asger F
ea384b340a
JS: Change note
2023-09-08 10:31:04 +02:00
Asger F
e08a873829
JS: Tolerate TypeScript files being requested out of order
2023-09-08 10:31:04 +02:00
Max Schaefer
46d7165885
Explain about redirects to example.com.
2023-09-07 09:12:07 +01:00
Max Schaefer
a02f373e79
Use better sanitiser.
2023-09-06 14:06:16 +01:00
github-actions[bot]
abf2b12b1c
Release preparation for version 2.14.4
2023-09-05 16:56:14 +00:00
erik-krogh
984795ee46
fix off-by-one
2023-08-30 13:29:23 +02:00
erik-krogh
2643ab3dbf
`using` is not a keyword
2023-08-30 08:44:59 +02:00
erik-krogh
5e11fe74f7
Merge branch 'main' into ts52
2023-08-30 07:57:55 +02:00
Dave Bartolomeo
3343b78015
Merge pull request #14074 from github/post-release-prep/codeql-cli-2.14.3
Post-release preparation for codeql-cli-2.14.3
2023-08-28 13:34:10 -04:00
github-actions[bot]
3eba77421a
Post-release preparation for codeql-cli-2.14.3
2023-08-28 15:53:49 +00:00
erik-krogh
78487d437f
add test for await using in TypeScript
2023-08-28 13:30:35 +02:00
erik-krogh
be2712698b
add support for await using in the JS parser
2023-08-28 09:34:13 +02:00
erik-krogh
1cbee6a8a4
delete leftover todo comment that was implemented
2023-08-28 08:40:35 +02:00
erik-krogh
56f1ff8af1
bump from release candidate to final release
2023-08-24 20:32:27 +02:00
erik-krogh
0273b20c75
add downgrade and upgrade script 🤞
2023-08-24 20:30:26 +02:00
erik-krogh
ce97d38a18
add to the stat file
2023-08-24 20:30:26 +02:00
erik-krogh
cb66d62959
add test for the new type-stuff in TS 5.2 we get for free
2023-08-24 20:30:26 +02:00
erik-krogh
dc454d3a72
add support for the new `using` keyword in TypeScript
2023-08-24 20:30:26 +02:00
erik-krogh
a7d92b3473
add JS support for the `using` keyword
2023-08-24 20:30:26 +02:00
erik-krogh
dfc83d844a
very initial support for TypeScript 5.2
2023-08-24 20:30:25 +02:00
Asger F
2b540e251a
Merge pull request #14007 from asgerf/js/import-path-string
JS: Follow immediate predecessors in path resolution
2023-08-23 15:28:22 +02:00
Asger F
d146514275
Merge pull request #13928 from asgerf/js/ignore-huge-files
JS: Ignore files larger than 10 MB during extraction
2023-08-23 15:09:58 +02:00
Asger F
b8fc84e8e4
JS: Change note
2023-08-23 14:11:07 +02:00
Asger F
c6a757e085
JS: More robust handling of cyclic aliases
2023-08-23 14:11:07 +02:00
Asger F
794a459c1b
JS: Add reproduction test
2023-08-23 14:11:07 +02:00
Asger F
b93e404441
JS: Change log
2023-08-23 14:05:21 +02:00
Asger F
ae2a1c7399
JS: Change note
2023-08-23 13:39:56 +02:00
Asger F
d8462ad1b3
JS: Add a file size limit to extractor
2023-08-23 09:54:55 +02:00
Asger F
bc47646a79
JS: Move getMegabyteCountFromPrefixedEnv into a shared place
2023-08-23 09:54:55 +02:00
Asger F
dec6039469
JS: Follow immediate predecessors in path resolution
2023-08-23 09:53:51 +02:00
Max Schaefer
87364137df
Use more sensible validator in example.
2023-08-21 15:14:01 +01:00
github-actions[bot]
098dfb4242
Release preparation for version 2.14.3
2023-08-18 14:48:15 +00:00
yoff
7f2f6f14e7
Merge pull request #13729 from yoff/python/model-aws-lambdas
Python/JavaScript: Shared module for serverless functions
2023-08-16 15:14:08 +02:00
Erik Krogh Kristensen
6a3b9e10eb
Merge pull request #13914 from erik-krogh/escape-unicode
ReDoS: escape unicode chars in the output for the ReDoS queries
2023-08-15 11:21:21 +02:00
Henry Mercer
1213eba630
Merge branch 'main' into post-release-prep/codeql-cli-2.14.2
2023-08-11 13:54:55 +01:00
erik-krogh
5ffce86768
change the defaults in the qhelp for missing-rate-limit to something more reasonable
2023-08-10 13:40:17 +02:00
github-actions[bot]
432c21d4fb
Post-release preparation for codeql-cli-2.14.2
2023-08-09 18:45:18 +00:00
erik-krogh
0bce42410a
support arbitrary codepoints in NfaUtils.qll
2023-08-08 22:14:51 +02:00
erik-krogh
92db7b047c
escape unicode chars in the output for the ReDoS queries
2023-08-08 00:15:54 +02:00
github-actions[bot]
79c90fa36a
Release preparation for version 2.14.2
2023-08-07 18:08:52 +00:00
Erik Krogh Kristensen
6631e838cf
re-appearing -> reappearing
Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>
2023-08-07 09:57:52 +02:00
Asger F
5950865b55
Merge pull request #13755 from github/max-schaefer/js-server-crash-help
JavaScript: Improve qhelp for js/server-crash.
2023-08-03 10:04:08 +02:00
Asger F
c38cbe859d
Merge pull request #13737 from asgerf/dynamic/fuzzy-models
Dynamic: add Fuzzy token
2023-08-03 09:58:24 +02:00
Max Schaefer
5124310f14
Update javascript/ql/src/Security/CWE-730/ServerCrash.qhelp
Co-authored-by: Asger F <asgerf@github.com>
2023-08-01 17:03:05 +01:00
Jeongsoo Lee
1d5eb4a960
Update javascript/ql/lib/change-notes/2023-07-28-mad-log-injection.md
Co-authored-by: Asger F <asgerf@github.com>
2023-07-31 15:38:35 -07:00
Jeongsoo Lee
4529d8b75a
Add support for log injection in MaD
2023-07-28 22:37:56 +00:00
github-actions[bot]
f91b7a9342
Post-release preparation for codeql-cli-2.14.1
2023-07-21 16:16:25 +00:00
github-actions[bot]
c936a920b0
Release preparation for version 2.14.1
2023-07-20 16:32:27 +00:00
Max Schaefer
7823ff968c
JavaScript: Improve query help for `js/server-side-unvalidated-url-redirection`.
2023-07-19 13:23:25 +01:00
Max Schaefer
9432fec612
JavaScript: Improve qhelp for js/server-crash.
The examples now use `fs.access` instead of the deprecated `fs.exists`. I have also rewritten the async/await example, since as of Node.js v15 the default behaviour for uncaught exceptions has changed to terminating the process instead of logging a warning, making the previous advice incorrect.
2023-07-17 14:44:23 +01:00
Asger F
d57276ca35
Merge pull request #13719 from asgerf/js/barrier-inout
JS: Replace barrier edges with barrier nodes
2023-07-13 16:36:52 +02:00
erik-krogh
1fe66232c6
suggestions based on review: add a popular library example for HTML-sanitization, and use the old text about ../ replacements
2023-07-13 14:28:11 +02:00
Erik Krogh Kristensen
9db970f055
apply suggestion from review
Co-authored-by: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
2023-07-13 14:17:33 +02:00
Asger F
f3fab587a9
JS: Add Fuzzy token in identifying access path
2023-07-13 14:01:06 +02:00
Asger F
7c9e1ad6ec
JS: Fix accidental recursion in Vue model
The API graph entry point depended on API::Node.
This was due to depending on the TComponent newtype which has a branch that depends on API::Node
2023-07-13 13:41:21 +02:00
Max Schaefer
b8eb2ef8d8
Merge branch 'main' into max-schaefer/improve-command-injection-qhelp
2023-07-13 12:11:15 +01:00
Max Schaefer
ae237247f2
Apply suggestions from code review
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
2023-07-13 12:10:57 +01:00
Rasmus Lerchedahl Petersen
02c41f3dcf
JavaScript: Use shared library for serverless
2023-07-12 16:46:34 +02:00
Asger F
c7abd4c2af
JS: Remove the unused edge-sanitizer hook in UnvalidatedDynamicMethodCall
2023-07-12 09:26:37 +02:00
Asger F
c8af28c2ca
Merge pull request #13700 from asgerf/js/path-join-spread
JS: Recognize 'fs/promises' alias and handle spread arguments in path.join()
2023-07-11 15:31:13 +02:00
Asger F
1a395c5b34
JS: Use sanitizerOut in PrototypePollutingAssignment
2023-07-11 15:24:10 +02:00
Asger F
03bdebe3b3
JS: Update a test.
The test had a bug on the line `src = src` so the new code is "more equivalent than usual"
2023-07-11 15:24:09 +02:00
Asger F
b09ed4b0e3
JS: Update UnsafeJQueryPlugin
2023-07-11 15:01:33 +02:00
Asger F
a1d8a05bcb
JS: Update ResourceExhaustion
2023-07-11 14:56:53 +02:00
Asger F
58a557b18e
JS: Update InsecureRandomness
2023-07-11 14:56:43 +02:00
Asger F
e863e2376d
JS: Use sanitizerIn in ExternalAPIUsedWithUntrustedData
2023-07-11 14:50:29 +02:00
Asger F
094302a27b
JS: Replace sanitizing prefix edge with node
2023-07-11 14:48:13 +02:00
Asger F
944a2ca825
JS: Replace ClearTextLogging::isSanitizerEdge with a node
2023-07-11 14:20:17 +02:00
Asger F
68584e549e
JS: Replace isOptionallySanitizedEdge with a node
2023-07-11 12:57:33 +02:00
Asger F
3691b836cb
JS: Add tests
2023-07-11 11:37:30 +02:00
Asger F
0841677b14
JS: Add isSanitizerX variants in TaintTracking
2023-07-11 11:14:37 +02:00
Asger F
d53beb3784
JS: Embed check for in/out barriers in edge barrier check
2023-07-11 11:04:28 +02:00
Asger F
4964d811a5
JS: Add interface for isBarrier in/out
2023-07-11 11:04:28 +02:00
Max Schaefer
63c45a0da3
Add another example of when and how to use shell-quote.
2023-07-10 14:02:17 +01:00
Asger F
8234b8f175
JS: Change note
2023-07-10 13:19:44 +02:00
Asger F
27085b1fd0
JS: Fix whitespace
2023-07-10 12:07:13 +02:00
Asger F
fe90146a16
JS: Add test for path.join with spread argument
2023-07-10 12:07:07 +02:00
Asger F
06bc0f6957
JS: Add test for fs/promises
2023-07-10 12:05:03 +02:00
github-actions[bot]
13cf054a9d
Post-release preparation for codeql-cli-2.14.0
2023-07-07 14:55:41 +00:00
Asger F
965ca169e5
JS: Recognise fs/promises
2023-07-07 14:14:49 +02:00
Asger F
d49359a95c
JS: Add step through spread arg to path.join()
2023-07-07 14:10:50 +02:00
github-actions[bot]
6484ee106e
Release preparation for version 2.14.0
2023-07-07 08:22:14 +00:00