Commit graph

3634 commits

Author SHA1 Message Date
Erik Krogh Kristensen fc7e9eb8c8 add test for non-tracked aliasing 2020-05-18 22:40:41 +02:00
Erik Krogh Kristensen b8ba31aaa0 autoformat 2020-05-18 21:06:19 +02:00
Erik Krogh Kristensen 0758413cc7 revert change to import 2020-05-18 21:06:19 +02:00
Erik Krogh Kristensen 742abf8751 refactor package export into a library, and add tests for the library 2020-05-18 21:06:14 +02:00
Erik Krogh Kristensen d7b852f408 use count aggregate to count 2020-05-18 21:03:26 +02:00
Erik Krogh Kristensen 202b8a56b7 apply the unique aggregate where trivially applicable 2020-05-18 20:37:38 +02:00
Asger F 96d6115452 Merge branch 'master' into js/sql-type-tracking 2020-05-18 15:58:42 +01:00
Erik Krogh Kristensen 70a28f60e3 Merge branch 'master' of https://github.com/github/codeql into pr/erik-krogh/3478 2020-05-18 14:05:37 +00:00
Asger F a9983fdb49 Update javascript/ql/src/semmle/javascript/frameworks/SQL.qll (Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>) 2020-05-18 13:23:22 +01:00
Max Schaefer 6797fec1a3 JavaScript: Add more models of packages that execute commands over SSH. 2020-05-18 12:08:14 +01:00
Esben Sparre Andreasen a9ba6ac659 JS: make LocalObjects::isEscape aware of `yield` 2020-05-18 12:43:46 +02:00
Erik Krogh Kristensen 0f82370f4e rename getHighLight() -> getAlertLocation() 2020-05-18 12:28:28 +02:00
Erik Krogh Kristensen 2b1724291b adjust qhelp to focus on user-controlled data 2020-05-18 12:27:20 +02:00
Erik Krogh Kristensen d18808698a adjust qhelp to focus on the execFile API 2020-05-18 12:22:46 +02:00
Erik Krogh Kristensen 9c294513c7 Apply suggestions from code review (Co-authored-by: Asger F <asgerf@github.com>) 2020-05-18 12:18:20 +02:00
semmle-qlci 14664be467 Merge pull request #3468 from p0/imp/nodejs-vm-sinks (Approved by esbena) 2020-05-18 11:10:13 +01:00
Erik Krogh Kristensen c6276ddd1c update expected output after restricting precise array tracking to Promise.all 2020-05-18 11:49:07 +02:00
Asger Feldthaus a18e0b37cf JS: simplify sequelize model 2020-05-18 09:34:17 +01:00
Asger F f52c827966 Apply suggestions from code review: Base type of EscapingSanitizer (Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>) 2020-05-18 09:31:09 +01:00
Asger F ffb22c061a Apply suggestions from code review (Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>) 2020-05-18 09:28:22 +01:00
Erik Krogh Kristensen bd3c4d4077 Merge branch 'master' of https://github.com/github/codeql into pr/erik-krogh/3478 2020-05-18 07:51:19 +00:00
semmle-qlci 6041d52936 Merge pull request #3424 from asger-semmle/js/express-param-handler (Approved by esbena) 2020-05-18 08:48:24 +01:00
semmle-qlci 135eae9895 Merge pull request #3483 from esbena/js/fix-qhelp-FNs (Approved by asgerf) 2020-05-18 08:47:05 +01:00
semmle-qlci 0230b79efc Merge pull request #3391 from erik-krogh/SplitFPs (Approved by esbena) 2020-05-18 08:46:26 +01:00
Erik Krogh Kristensen 8717f7bd0d restrict precise array elements to Promise.all() 2020-05-17 15:58:59 +02:00
Erik Krogh Kristensen 2d6e3a5784 support outdir in tsconfig.json 2020-05-17 10:32:27 +02:00
Erik Krogh Kristensen c8cf958c8a add test cases for js/shell-command-constructed-from-input 2020-05-17 10:32:27 +02:00
Erik Krogh Kristensen 59001bbdf4 add qhelp for js/shell-command-constructed-from-input 2020-05-17 10:32:27 +02:00
Erik Krogh Kristensen 5e647da0de add js/shell-command-constructed-from-input query 2020-05-17 10:32:15 +02:00
Erik Krogh Kristensen a1a6826278 support non-SourceNode in IndirectCommandArgument#argumentList 2020-05-16 23:15:37 +02:00
Erik Krogh Kristensen a6cd91bb49 add support for mz/fs and mz/child_process 2020-05-16 23:15:33 +02:00
Erik Krogh Kristensen bb8905b46e add "valid" to the AdHocWhitelistCheckSanitizer 2020-05-16 22:43:36 +02:00
semmle-qlci 8d41ce1630 Merge pull request #3480 from erik-krogh/moreSlip (Approved by esbena) 2020-05-16 21:17:27 +01:00
Asger Feldthaus 897a3e39c9 JS: Autoformat 2020-05-16 09:37:16 +01:00
Asger Feldthaus 0171c9e10c JS: Autoformat 2020-05-16 09:25:18 +01:00
Asger Feldthaus d279845a43 JS: Minor fixes 2020-05-16 09:24:53 +01:00
Erik Krogh Kristensen e2cd7e6230 more precise taint-tracking for Promise.all 2020-05-15 22:02:41 +02:00
Asger Feldthaus 5249e84359 JS: Type track spanner model 2020-05-15 17:27:30 +01:00
Asger Feldthaus d225715828 JS: Type track mssql model 2020-05-15 17:27:30 +01:00
Asger Feldthaus 6dcee5a0ef JS: Type track sqlite model 2020-05-15 17:27:30 +01:00
Asger Feldthaus 84cd02cf01 JS: Type track pg model 2020-05-15 17:27:27 +01:00
Asger Feldthaus f7771f17d1 JS: Type track mysql model 2020-05-15 17:27:27 +01:00
Asger Feldthaus 3e9849b7c4 JS: Type track sequelize model 2020-05-15 17:27:24 +01:00
Esben Sparre Andreasen 1c5bffc095 JS: fix some FNs in the qhelp examples 2020-05-15 12:40:38 +02:00
Erik Krogh Kristensen 3138918f1d add test for promise inside Promise.all 2020-05-15 11:49:29 +02:00
Asger Feldthaus d84f1b47c2 JS: Refactor RequestInputAccess to use source nodes 2020-05-15 09:59:28 +01:00
Asger Feldthaus da974f1527 JS: Add test with dynamic access to req.query 2020-05-15 09:59:28 +01:00
Asger Feldthaus 659e2ff709 JS: Tweak evaluation of route handler params 2020-05-15 09:59:27 +01:00
Asger F b9995b784d Update javascript/ql/src/semmle/javascript/frameworks/ConnectExpressShared.qll (Co-authored-by: Esben Sparre Andreasen <esbena@github.com>) 2020-05-15 09:59:27 +01:00
Asger Feldthaus a982cdc39c JS: Autoformat 2020-05-15 09:59:27 +01:00
Asger Feldthaus bfbe70a7a9 JS: Fixes 2020-05-15 09:59:27 +01:00
Asger Feldthaus 82d3a7eb23 JS: Go back to disjunction 😭 2020-05-15 09:59:27 +01:00
Asger Feldthaus c45d84f8f3 JS: Update getRouteHandlerParameter and router tracking 2020-05-15 09:59:27 +01:00
Asger Feldthaus 9cacfab7c6 JS: Recognize Express param value callback as RemoteFlowSource 2020-05-15 09:59:26 +01:00
Erik Krogh Kristensen 6d79bab7e4 rename Fs to FS 2020-05-15 10:54:08 +02:00
Erik Krogh Kristensen dd3342ba6f restrict the number of stored array elements 2020-05-15 10:01:27 +02:00
Erik Krogh Kristensen cb96ee8def remove redundant instanceof check (Co-authored-by: Esben Sparre Andreasen <esbena@github.com>) 2020-05-15 09:58:18 +02:00
semmle-qlci a536069059 Merge pull request #3408 from esbena/js/unsafe-html-expansion (Approved by asgerf, mchammer01) 2020-05-15 08:24:12 +01:00
Erik Krogh Kristensen 6775294ac1 update expected output 2020-05-14 22:26:44 +02:00
Erik Krogh Kristensen e7d1b12ac8 add test 2020-05-14 20:31:23 +02:00
Erik Krogh Kristensen 6d2bffef72 add fs.open/openSync as ZipSlip sinks 2020-05-14 20:31:13 +02:00
Erik Krogh Kristensen 2d675262b2 use the generalized fs module in more places 2020-05-14 20:31:00 +02:00
Erik Krogh Kristensen 5132e61ce7 add tests 2020-05-14 18:55:49 +02:00
Erik Krogh Kristensen e98f794dab implement precise data-flow steps for Promise.all 2020-05-14 18:55:44 +02:00
semmle-qlci c06680a496 Merge pull request #3470 from asger-semmle/js/cache-module-import (Approved by esbena) 2020-05-14 17:20:04 +01:00
semmle-qlci 23532ae49a Merge pull request #3467 from erik-krogh/tarSlip (Approved by esbena) 2020-05-14 14:06:42 +01:00
semmle-qlci 57f44c5a81 Merge pull request #2886 from asger-semmle/js/call-graph-exploration (Approved by erik-krogh, esbena) 2020-05-14 14:01:23 +01:00
semmle-qlci 384df88df1 Merge pull request #3359 from erik-krogh/MayHavePropName (Approved by esbena) 2020-05-14 13:52:45 +01:00
Asger Feldthaus e491431f4e JS: Autoformat 2020-05-14 13:29:33 +01:00
Pavel Avgustinov 3cc13db3a0 NodeJSLib: Restore backwards-compatibility. 2020-05-14 12:51:09 +01:00
Asger Feldthaus 1cdb51741f JS: Don't use deprecated API in test case 2020-05-14 11:08:31 +01:00
Pavel Avgustinov ab2d059ed4 JavaScript: Model extra sinks in `vm` module 2020-05-14 10:01:40 +01:00
Erik Krogh Kristensen b12e21edcc add test for new zipslip sanitizer 2020-05-14 10:11:37 +02:00
Erik Krogh Kristensen 422ade16db Apply suggestions from code review (Co-authored-by: Esben Sparre Andreasen <esbena@github.com>) 2020-05-14 10:05:59 +02:00
Erik Krogh Kristensen 4175d36269 add test case 2020-05-14 09:46:54 +02:00
Erik Krogh Kristensen b727fa81a0 add a path sanitizer to zipslip 2020-05-14 09:46:50 +02:00
Erik Krogh Kristensen 71e7083dcb add "linkname" as a file-name-property for zip-slip 2020-05-14 09:06:23 +02:00
Erik Krogh Kristensen a19718a10f add fs.link and fs.linkSync as writing file system calls 2020-05-14 09:00:50 +02:00
Asger Feldthaus 2ef7719b06 JS: PathExprInModule deprecation notice 2020-05-13 16:35:24 +01:00
Asger Feldthaus 3846f534a8 JS: Factor out overridden part of PathExpr.getSearchRoot 2020-05-13 16:34:43 +01:00
Asger Feldthaus 5f510878f3 JS: Remove PathExprBase and PathExprInModule 2020-05-13 16:34:28 +01:00
Asger Feldthaus 2d88385ffb JS: Cache moduleImport 2020-05-13 15:07:13 +01:00
Esben Sparre Andreasen 9552352d6a JS: address qhelp feedback 2020-05-13 12:53:59 +02:00
Esben Sparre Andreasen 7305a873b1 JS: formatting 2020-05-13 11:28:48 +02:00
Esben Sparre Andreasen fedd32fc2b JS: address review comment 2020-05-13 09:57:02 +02:00
Esben Sparre Andreasen 91f43a7dae JS: address review comments 2020-05-13 09:52:01 +02:00
Esben Sparre Andreasen 7722d77c86 JS: add the NoSQL $where as a sink for js/code-injection 2020-05-13 08:30:22 +02:00
Esben Sparre Andreasen 20cf04442c JS: model marsdb and minimongo 2020-05-13 08:28:59 +02:00
jcreedcmu 3c233c762c Merge pull request #3431 from jcreedcmu/jcreed/jump-to-def-langs (Java, Javascript, Csharp: Add jump-to-definition queries) 2020-05-12 10:54:11 -04:00
semmle-qlci 6fb047aef6 Merge pull request #3451 from erik-krogh/fstreamWrite (Approved by esbena) 2020-05-12 14:58:02 +01:00
semmle-qlci ee848328ab Merge pull request #3442 from erik-krogh/SmallPerfs (Approved by esbena) 2020-05-12 14:36:34 +01:00
Erik Krogh Kristensen d46148c045 add test case 2020-05-12 14:23:28 +02:00
Erik Krogh Kristensen 3707792cfd recognize reading/writing calls to fstream methods 2020-05-12 14:18:07 +02:00
Jonas Jensen 451ae7b762 Merge pull request #3444 from dbartol/codeql-c-analysis-team/68 (Rename `sanity` -> `consistency`) 2020-05-12 12:33:08 +02:00
Erik Krogh Kristensen bd768cbd7e autoformat 2020-05-12 12:28:02 +02:00
Erik Krogh Kristensen 2fbdeceae7 add getContainedNode constraint to charpred of IndirectInclusionTest, and refactor two getEnclosingExpr() 2020-05-12 10:19:06 +02:00
semmle-qlci 8ce9c9d57e Merge pull request #3441 from erik-krogh/BabelDirectives (Approved by esbena) 2020-05-12 08:57:20 +01:00
Jason Reed 66da91fe59 Java, Javascript, Csharp: Restrict definitions predicates (Only expose definition-use relation itself, and getEncodedFile.) 2020-05-11 15:14:16 -04:00
Dave Bartolomeo 3987267f26 Rename `sanity` -> `consistency` 2020-05-11 13:46:26 -04:00
Dave Bartolomeo 06783938d3 JavaScript: Rename `sanity` -> `consistency` 2020-05-11 13:46:12 -04:00