Commit graph

3014 commits

Author SHA1 Message Date
Asger Feldthaus 260b243c28 TS: Add test case to DeclBeforeUse 2020-02-24 11:40:27 +00:00
Asger Feldthaus 8d58aad0f2 TS: Support type-only import/export 2020-02-24 11:40:27 +00:00
Asger Feldthaus 0351f0b775 TS: Add test and documentation for private fields 2020-02-24 11:40:27 +00:00
Asger Feldthaus 8531c113a1 TS: Fix imports 2020-02-24 11:40:27 +00:00
Asger Feldthaus 9b52acc62a TS: Handle export * as ns 2020-02-24 11:40:27 +00:00
Asger Feldthaus 7f939fe1e4 TS: Update to TypeScript 3.8.2 2020-02-24 11:40:27 +00:00
semmle-qlci 94aa77748d
Merge pull request #2810 from erik-krogh/CVE74
Approved by asgerf
2020-02-24 11:32:42 +00:00
Asger Feldthaus f923b24bc5 JS: Fix test 2020-02-24 11:19:23 +00:00
Erik Krogh Kristensen 75c1852ee4
doc changes from review
Co-Authored-By: Esben Sparre Andreasen <esbena@github.com>
2020-02-24 11:58:59 +01:00
Erik Krogh Kristensen 44db0f4e5d better printing of the options arg 2020-02-21 15:39:49 +01:00
Asger Feldthaus d1df251b92 JS: Proto pollution: Add is-plain-object sanitizer 2020-02-21 14:38:33 +00:00
Erik Krogh Kristensen 90e5671d98 Merge branch 'master' of git.semmle.com:Semmle/ql into CVE481 2020-02-21 15:25:07 +01:00
Asger Feldthaus a673539c98 JS: Update expected output 2020-02-21 13:51:23 +00:00
Asger Feldthaus b780bc4d59 JS: Also track into callbacks 2020-02-21 13:51:22 +00:00
Asger Feldthaus e8e649102f JS: Also propagate out of returns 2020-02-21 13:51:22 +00:00
Asger Feldthaus 8c36b999cc JS: Track flow into calls to bound functions 2020-02-21 13:51:20 +00:00
semmle-qlci ee5cf95f5b
Merge pull request #2892 from asger-semmle/js/field-methods
Approved by esbena
2020-02-21 13:49:42 +00:00
semmle-qlci e163d8d8c8
Merge pull request #2796 from asger-semmle/js/partial-invoke-receiver
Approved by esbena
2020-02-21 13:48:43 +00:00
Erik Krogh Kristensen 75410e5760 big refactor of UselessUseOfCal 2020-02-21 14:26:42 +01:00
semmle-qlci 382e4bc06a
Merge pull request #2895 from max-schaefer/js/improve-param-qldoc
Approved by asgerf
2020-02-21 12:01:02 +00:00
Max Schaefer 75495d7aad
Update javascript/ql/src/semmle/javascript/Variables.qll
Co-Authored-By: Asger F <asgerf@github.com>
2020-02-21 10:06:32 +00:00
Erik Krogh Kristensen 6ea14532ab small changes based on review 2020-02-21 10:27:57 +01:00
Max Schaefer fc4afe6eb2 JavaScript: Improve qldoc for `Parameter` to clarify that it also contains catch-clause parameters. 2020-02-21 09:14:00 +00:00
semmle-qlci 2df3fe8f36
Merge pull request #2883 from asger-semmle/typescript-3.7.5
Approved by erik-krogh
2020-02-20 15:59:36 +00:00
Erik Krogh Kristensen 924272a7a5 insert placeholder qhelp 2020-02-20 14:35:26 +01:00
Erik Krogh Kristensen b2ccec28e0 require the file to be non-empty 2020-02-20 14:34:50 +01:00
Erik Krogh Kristensen b1cbfce50b use SystemCommandExecution and a few small fixes 2020-02-20 14:17:37 +01:00
Erik Krogh Kristensen 03e295ef11 Merge branch 'master' of git.semmle.com:Semmle/ql into CVE74 2020-02-20 12:19:32 +01:00
semmle-qlci f6af5da7f7
Merge pull request #2778 from erik-krogh/FalsySanitizer
Approved by asgerf
2020-02-20 11:17:03 +00:00
Erik Krogh Kristensen 63036aa444 Merge branch 'master' of git.semmle.com:Semmle/ql into CVE74 2020-02-20 12:09:06 +01:00
semmle-qlci 8b277f7226
Merge pull request #2868 from asger-semmle/js/missing-await-void
Approved by max-schaefer
2020-02-20 10:56:47 +00:00
Asger Feldthaus 6448acfa88 TS: Depend on TypeScript 3.7.5 2020-02-20 10:53:17 +00:00
Erik Krogh Kristensen 12c0291dde require that an options object has a known set of properties 2020-02-20 11:35:11 +01:00
Erik Krogh Kristensen b5ef45e6c2 add isSync predicate to SystemCommandExecution 2020-02-20 11:30:23 +01:00
Erik Krogh Kristensen a193cb110e support arrow functions in the callbacks 2020-02-20 11:13:39 +01:00
Erik Krogh Kristensen 558beb7255 simplify the output file argument 2020-02-20 10:57:33 +01:00
semmle-qlci 091c6c063c
Merge pull request #2856 from esbena/js/fix-RegExp-getPredecessor-getSuccessor
Approved by max-schaefer
2020-02-20 09:50:52 +00:00
Erik Krogh Kristensen a5fdcb67f9 restricts alerts to the first line 2020-02-20 10:43:41 +01:00
Erik Krogh Kristensen d4e73df92f remove dead predicate 2020-02-20 10:39:16 +01:00
Erik Krogh Kristensen 56f3e431f9 update expected output 2020-02-20 10:28:53 +01:00
Erik Krogh Kristensen 80962803b0 update doc for VarAccessBarrier, and make the class private 2020-02-20 10:09:32 +01:00
Erik Krogh Kristensen 2d437efdfd
corrections on qldoc
Co-Authored-By: Asger F <asgerf@github.com>
2020-02-20 09:54:11 +01:00
Asger Feldthaus 479770dc07 JS: Recognize class members in more cases 2020-02-19 17:04:41 +00:00
Erik Krogh Kristensen bdab9ee12b change useless cat query to only flag instances that can be re-written to 2020-02-19 16:59:28 +01:00
Asger Feldthaus 77105f6572 JS: Do not flag void operands MissingAwait 2020-02-19 09:30:03 +00:00
Erik Krogh Kristensen 344060e139 accept IO redirections as OK 2020-02-19 10:12:24 +01:00
Max Schaefer 4346691cdc JavaScript: Distinguish `{lo}` and `{lo,}` in the regular expression parser. 2020-02-19 08:26:14 +00:00
Erik Krogh Kristensen 73a7d406a5 add query for useless use of cat 2020-02-18 19:18:45 +01:00
Erik Krogh Kristensen e359e1a373 use a barrier directly instead of a barrier guard 2020-02-18 10:57:28 +01:00
Esben Sparre Andreasen abe7aeef7c
Merge pull request #2643 from esbena/js/unsafe-jquery
JS: add query js/unsafe-jquery-plugin
2020-02-18 09:26:14 +01:00
Esben Sparre Andreasen e8938fb466 JS: introduce RegExpSequence::nextElement and previousElement 2020-02-17 23:20:25 +01:00
Erik Krogh Kristensen 56e5bd50f6 update expected output 2020-02-17 14:55:08 +01:00
Erik Krogh Kristensen 2885d48ad0 changes based on review 2020-02-17 14:44:10 +01:00
Asger Feldthaus 9249b92d85 JS: Fix typo in comment 2020-02-17 12:48:13 +00:00
Esben Sparre Andreasen 8a9587fc91 JS: fix RegExp::getSuccessor/getPredecessor for sequence end/starts 2020-02-17 13:40:53 +01:00
Erik Krogh Kristensen d1a58f1d17 Merge remote-tracking branch 'upstream/master' into CVE74 2020-02-17 13:18:52 +01:00
Erik Krogh Kristensen b07f3d36d8 qldoc on splitPath 2020-02-17 13:17:12 +01:00
Erik Krogh Kristensen 5375604109 calling `pop` or `shift` on a SplitPath returns a PosixPath 2020-02-17 13:15:46 +01:00
Esben Sparre Andreasen c5ee436b16 JS: add RegExp::getSuccessor/getPredecessor tests 2020-02-17 13:06:55 +01:00
Erik Krogh Kristensen 3855268201 use RegExpCreationNode 2020-02-17 13:02:47 +01:00
Erik Krogh Kristensen 46cbeb0bc6 add more steps to the SplitPath label 2020-02-17 12:58:27 +01:00
semmle-qlci 23ed2bcc64
Merge pull request #2782 from asger-semmle/js/export-as-ns
Approved by erik-krogh, max-schaefer
2020-02-17 11:22:58 +00:00
Erik Krogh Kristensen a6d644bac0 add support for path.normalize(path.relative(...)) 2020-02-14 13:10:35 +01:00
Erik Krogh Kristensen 94814fa721 fix typos in the test 2020-02-14 13:03:35 +01:00
Erik Krogh Kristensen d765a33b8d add support for "../" prefixes in sanitizer 2020-02-14 12:36:54 +01:00
Erik Krogh Kristensen 9d61004128 remove redundant constructor on sink 2020-02-14 12:31:12 +01:00
Max Schaefer f181111886 JavaScript: Add model of `http2` compatibility API.
Also deprecated the `httpOrHttps` predicate, which was now only used in one place and seemed a little pointless anyway.
2020-02-14 11:14:31 +00:00
Erik Krogh Kristensen 3a146514ce add sanitizer for relative ".." in js/path-injection 2020-02-14 10:51:48 +01:00
semmle-qlci da566a4484
Merge pull request #2828 from erik-krogh/CVE24
Approved by esbena
2020-02-14 09:12:48 +00:00
semmle-qlci 769dce511b
Merge pull request #2788 from erik-krogh/CVE42-sink
Approved by esbena
2020-02-14 08:00:00 +00:00
Erik Krogh Kristensen 897bb4d801 add test for chrome-remote-interface 2020-02-13 15:12:45 +01:00
Erik Krogh Kristensen 1ab5ca4e64
typo in docstring
Co-Authored-By: Esben Sparre Andreasen <esbena@github.com>
2020-02-13 14:15:28 +01:00
Erik Krogh Kristensen d6afd438ba add model for chrome-remote-interface as a ClientRequest 2020-02-13 10:58:07 +01:00
Erik Krogh Kristensen 35d8151374 add a few array methods to TaintedPath.qll 2020-02-11 12:23:51 +01:00
Erik Krogh Kristensen 8e316d2f05 add unary type-tracking predicates 2020-02-10 12:51:09 +01:00
Erik Krogh Kristensen 0f511c92b4 Merge remote-tracking branch 'upstream/master' into FalsySanitizer 2020-02-10 09:54:58 +01:00
semmle-qlci 37360e7d93
Merge pull request #2794 from esbena/js/move-EnumeratedPropName
Approved by asgerf
2020-02-07 21:31:37 +00:00
semmle-qlci 76ba48c6fb
Merge pull request #2790 from esbena/js/model-send
Approved by asgerf
2020-02-07 21:30:54 +00:00
Asger Feldthaus e4844bfad2 JS: Fix deprecated API usage 2020-02-07 17:17:48 +00:00
Asger Feldthaus ad10414604 JS: Update expected output of existing test 2020-02-07 16:57:57 +00:00
Erik Krogh Kristensen 06e13cb3a1 Merge branch 'master' of git.semmle.com:Semmle/ql into FalsySanitizer 2020-02-07 16:13:02 +01:00
Erik Krogh Kristensen c6668da02e expand how indirectCommandArguments are found 2020-02-07 15:00:05 +01:00
Asger Feldthaus 254af4f3a8 JS: Rewrite LodashUnderscore::AnalyzedThisInBoundCallback 2020-02-07 13:58:07 +00:00
Erik Krogh Kristensen dd9e3d2fec expose TaintTracking::arrayFunctionTaintStep and add a step for "concat" 2020-02-07 14:57:32 +01:00
Asger Feldthaus fea5a4331d JS: Rewrite React::AnalyzedThisInBoundCallback 2020-02-07 13:55:42 +00:00
Asger Feldthaus 3b28bdbeed JS: Rewrite AnalyzedThisInArrayIterationFunction 2020-02-07 13:55:36 +00:00
Asger Feldthaus f942e69482 JS: Improve flow through partial invokes 2020-02-07 13:54:14 +00:00
Esben Sparre Andreasen dcdaa96570 JS: remove unused imports 2020-02-07 14:10:50 +01:00
Esben Sparre Andreasen cb30329b3d JS: make DynamicPropertyAccess.qll from PrototypePollutionUtility.ql 2020-02-07 13:57:52 +01:00
Erik Krogh Kristensen 1ece6b9afe update expected output of tests 2020-02-07 12:57:51 +01:00
semmle-qlci 125c6a071c
Merge pull request #2787 from asger-semmle/js/lazy-cache-test-case
Approved by esbena
2020-02-07 11:53:04 +00:00
Esben Sparre Andreasen 736ccb98c2 JS: model the `send` library for `js/path-injection` 2020-02-07 12:45:32 +01:00
Erik Krogh Kristensen 8ea6070120 add indirect command injection sink for a concatenated array 2020-02-07 11:04:34 +01:00
Asger Feldthaus a2fa6bb41f JS: Add test case for lazy-cache 2020-02-07 09:50:37 +00:00
Asger Feldthaus a628f787e8 JS: Fix qldoc comment 2020-02-06 14:59:52 +00:00
Asger Feldthaus f84af74d1d JS: Handle more libraries 2020-02-06 14:59:52 +00:00
Asger Feldthaus c559ab13e7 JS: Add test and handle parameter with source object 2020-02-06 14:59:52 +00:00
Asger Feldthaus 34a9dce33d JS: Detect property enumeration through for-own 2020-02-06 14:59:52 +00:00
Asger Feldthaus 418f841749 JS: Handle imports through lazy-cache 2020-02-06 14:59:52 +00:00
semmle-qlci 180e9d4731
Merge pull request #2779 from asger-semmle/js/protopol-regression-fix
Approved by esbena
2020-02-06 14:58:19 +00:00