github
/
codeql
зеркало из https://github.com/github/codeql.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
57 853 коммитов 1 534 Ветки 130 Теги 471 MiB
Граф коммитов

8411 Коммитов

Автор SHA1 Сообщение Дата
Asger F b28254327a
Update javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-05-10 08:16:31 +02:00
Kasper Svendsen c7d72e0d34 JS: Prevent join order regression 2023-05-09 17:01:41 +02:00
Jaroslav Lobačevski 891a94c166
Apply suggestions from code review 
Co-authored-by: Asger F <asgerf@github.com>
 2023-05-09 16:27:32 +02:00
Jaroslav Lobačevski 5aa71352dc
Update javascript/ql/src/Security/CWE-094/ExpressionInjection.qhelp 
Co-authored-by: Asger F <asgerf@github.com>
 2023-05-09 12:23:52 +02:00
Jaroslav Lobačevski 1ad23c5366
Apply suggestions from code review 
Co-authored-by: Asger F <asgerf@github.com>
 2023-05-09 12:23:06 +02:00
Kasper Svendsen f619a63f6f JS: Make implicit this receivers explicit 2023-05-09 11:37:25 +02:00
Asger F aec6ba7d5e JS: Fix broken message in example query 2023-05-09 10:53:57 +02:00
Chuan-kai Lin 0984fc7cce JS: Add pragma[only_bind_out] to Locatable::toString() calls 2023-05-04 13:20:56 -07:00
Kasper Svendsen 65deb9d90a
Merge pull request #13016 from kaspersv/kaspersv/js-explicit-this-receivers3 
JS: Make implicit this receivers explicit
 2023-05-04 09:15:01 +02:00
Asger F 1a9956354e JS: Restrict getInput to indirect command injection query 2023-05-03 16:10:03 +02:00
Erik Krogh Kristensen f29db40371
Merge pull request #13011 from kaspersv/kaspersv/explicit-this-receivers-shared2 
JS, Python, Ruby: Make implicit this receivers explicit
 2023-05-03 15:34:59 +02:00
Kasper Svendsen 67950c8e6b JS: Make implicit this receivers explicit 2023-05-03 15:31:00 +02:00
Ian Lynagh b56b843d13
Merge pull request #12987 from github/post-release-prep/codeql-cli-2.13.1 
Post-release preparation for codeql-cli-2.13.1
 2023-05-03 13:12:10 +01:00
Kasper Svendsen aca2ace843 JS, Python, Ruby: Make implicit this receivers explicit 2023-05-03 13:51:51 +02:00
Kasper Svendsen efdaffedee JS: Make implicit this receivers explicit 2023-05-03 10:49:46 +02:00
Asger F b9ad4177f9 JS: List safe environment variables in IndirectCommandInjection 2023-05-03 10:48:14 +02:00
Asger F 4c6711d007 JS: Clarify the difference between context and input sources 2023-05-03 10:30:04 +02:00
Asger F bdcda7ffe6 JS: Move change note to right location 2023-05-03 10:22:40 +02:00
tyage 22f5b7a18b JS: check scoped package and normal package 2023-05-03 13:19:59 +09:00
Asger F 67afbee06d
Merge pull request #12825 from smiddy007/JS-Allow-Truncated-Hash-Forge-NonKeyCipher 
JS: Allow NonKeyCiphers to include truncated SHA-512 MDs in Forge JS libr…
 2023-05-02 13:59:30 +02:00
github-actions[bot] 18d4af994d Post-release preparation for codeql-cli-2.13.1 2023-05-02 10:50:20 +00:00
tyage be9c8d28b5 JS: drop string comparison 2023-05-02 12:41:03 +09:00
tyage 0d991574ec Fix typo in test 2023-05-02 12:00:42 +09:00
Asger F 5eaaa7e074 JS: Add qldoc 2023-05-01 11:42:55 +02:00
Asger F 08785a4063 JS: Add sources from actions/core 2023-05-01 11:42:17 +02:00
Asger F cb95dbfa14 JS: Add tests 2023-05-01 11:42:17 +02:00
Asger F 2c89f9747b
Merge pull request #12949 from asgerf/js/angular-native 
JS: Add a few more DOM element sources
 2023-05-01 11:08:45 +02:00
Asger F 0497e60ce2 JS: Model actions/exec 2023-05-01 11:05:59 +02:00
Asger F cb9b01cbb7 JS: Port new sources based on comment from JarLob 2023-05-01 11:04:54 +02:00
Asger F 3d208c0a62 JS: Port Actions sources based on PR from R3x 2023-05-01 10:48:43 +02:00
Asger F e9f1e99526
Merge pull request #12887 from asgerf/js/unsafe-yaml-deserialization 
JS: Update model of js-yaml
 2023-05-01 09:57:20 +02:00
tyage f52c845663 Fix comment. 2023-04-30 19:52:11 +09:00
tyage 80d401fba8 JS: change note 2023-04-30 18:26:46 +09:00
tyage 71952fe551 JS: Add test for sub module 2023-04-30 18:18:35 +09:00
tyage c0cf0b430e JS: support submodules 2023-04-30 18:07:52 +09:00
Erik Krogh Kristensen 3d41cd583f
Merge pull request #12963 from tyage/track-interfile-use-router 
JS: Track interfile useRouter
 2023-04-28 22:41:43 +02:00
Asger F d1c8e0abd7
Merge pull request #12951 from asgerf/js/json-with-comments 
JS: Stop complaining about comments in JSON files
 2023-04-28 20:53:35 +02:00
Asger F f87740ab18
Merge pull request #12867 from asgerf/js/webpack-bundles 
JS: Ignore more webpack modules
 2023-04-28 14:35:57 +02:00
Asger F 1b75afb5b1 JS: Change note 2023-04-28 14:32:11 +02:00
github-actions[bot] 3bd29171fb Release preparation for version 2.13.1 2023-04-28 12:14:35 +00:00
tyage 933b55d37d Track interfile useRouter 2023-04-28 15:49:26 +09:00
Asger F 8a9308c8b0 JS: Update test output 2023-04-28 07:55:20 +02:00
Asger F 0c8f895e0f JS: Add one more test 2023-04-27 21:06:20 +02:00
Asger F 97a942de80 JS: Update test output 2023-04-27 21:04:35 +02:00
Asger F 0fb79bdf64 JS: Include a local step before store step 2023-04-27 17:58:02 +02:00
Asger F c674afb674 JS: Fix condition in getRouteHandlerNode 
Previous version did not account for arrays
 2023-04-27 17:58:02 +02:00
Asger F 682ff23e04 JS: Update Express test 2023-04-27 16:36:04 +02:00
Asger F 36889f6d72 JS: Fix isResponse/isRequest 2023-04-27 16:35:56 +02:00
Asger F 70331c0ea4 JS: Decouple chaining from ExplicitResponseSource 2023-04-27 16:14:27 +02:00
Asger F 96e415aba6 JS: Track express route handlers into arrays 2023-04-27 16:14:22 +02:00
Asger F 410719fd9e Update JSONError.expected 2023-04-27 10:57:38 +02:00
Asger F cf1e87de9e JS: Track DOM elements out of collections 2023-04-26 14:55:34 +02:00
Asger F 1f228a049f JS: Add test for iterating over DOM collections 2023-04-26 14:54:38 +02:00
Asger F 0d74d88b7b JS: Add new sink to test 2023-04-26 14:33:04 +02:00
Asger F 4df05b4e74 JS: Shift line numbers in test 2023-04-26 14:33:04 +02:00
Asger F cb04df49eb JS: Treat Angular2 ElementRef.nativeElement as a DOM value 2023-04-26 14:33:04 +02:00
Asger F c9c281cb9a JS: Change note 2023-04-26 12:50:59 +02:00
Asger F 5f011a262c JS: Change note 2023-04-26 12:49:24 +02:00
Asger F 611a7060b4 JS: Add tests 2023-04-26 12:46:20 +02:00
Asger F a446c5452d JS: Update test output 2023-04-26 11:44:56 +02:00
smiddy007 a2a82fcde9
Merge branch 'main' into JS-Allow-Truncated-Hash-Forge-NonKeyCipher 2023-04-25 12:23:31 -04:00
Asger F ff67118097 JS: Add hanging test case 2023-04-25 11:27:40 +02:00
jarlob 6e9f54ef55 Use double curly braces 2023-04-21 19:03:38 +02:00
Asger F 1d0a0dec6f JS: Fix typo 2023-04-20 12:48:17 +02:00
Asger F 1acc0d2ddf JS: Update model of js-yaml 2023-04-20 12:47:13 +02:00
smiddy007 bda0ef3a75
Merge branch 'github:main' into JS-Allow-Truncated-Hash-Forge-NonKeyCipher 2023-04-19 13:40:32 -04:00
smiddy007 4f7275f064 Reformat doc and move change note 2023-04-19 13:39:18 -04:00
smiddy007 31b56bf966
Update javascript/ql/lib/change-notes/2023-04-13-Forge-truncated-sha512-hash 
Co-authored-by: Asger F <asgerf@github.com>
 2023-04-19 13:32:23 -04:00
Asger F 1c2fdc8df9 JS: Ignore more webpack modules 2023-04-19 10:29:14 +02:00
Nate Johnson 4ae8377713
Merge branch 'main' into js-insecure-http-parser 2023-04-18 22:00:13 -04:00
Nate Johnson 78229bb264 Moved into experimental 2023-04-18 21:59:14 -04:00
Alex Ford 924ce250dd
Merge pull request #12847 from github/post-release-prep/codeql-cli-2.13.0 
Post-release preparation for codeql-cli-2.13.0
 2023-04-18 14:40:40 +01:00
Arthur Baars e5d89b969a
Merge pull request #12780 from aibaars/shared-yaml-lib 
JS: extract YAML library to a shared pack
 2023-04-18 11:09:53 +02:00
Tom Hvitved f6d000eb20
Merge pull request #12805 from hvitved/remove-queries-xml 
Remove all `queries.xml` files
 2023-04-18 10:52:14 +02:00
Kasper Svendsen 9d34d090ab
Merge pull request #12843 from kaspersv/kaspersv/prevent-bad-js-join-order 
Prevent JS join order regression
 2023-04-18 09:09:43 +02:00
Nate Johnson bbb1ee9597 Merge branch 'main' into js-insecure-http-parser 2023-04-18 00:45:32 -04:00
Nate Johnson cb90f9af3c Fix to include specification of flag in NODE_OPTIONS 2023-04-18 00:41:48 -04:00
Nate Johnson 522a285d9e Qhelp file for explanation 2023-04-18 00:41:28 -04:00
Nate Johnson 2e27447c65 Include example 2023-04-18 00:41:11 -04:00
smiddy007 e4ec1ae261
Update InsufficientPasswordHash.qhelp 
change file name to original
 2023-04-17 13:18:47 -04:00
smiddy007 88d2f65c5f
Rename InsufficientPasswordHash_NodeJS_fixed.js to InsufficientPasswordHash_fixed.js 2023-04-17 13:17:13 -04:00
smiddy007 cbe45f7e55
Rename InsufficientPasswordHash_NodeJS.js to InsufficientPasswordHash.js 2023-04-17 13:16:57 -04:00
smiddy007 36d7370998
Delete InsufficientPasswordHash_CryptoJS_fixed 
file not used in qhelp
 2023-04-17 13:16:25 -04:00
smiddy007 e65daaae49
Delete InsufficientPasswordHash_CryptoJS.js 
not used in qhelp file
 2023-04-17 13:15:10 -04:00
github-actions[bot] 648f0e19ec Post-release preparation for codeql-cli-2.13.0 2023-04-17 15:39:24 +00:00
Kasper Svendsen ad82433a88 Prevent JS join order regression 2023-04-17 13:24:19 +02:00
Arthur Baars 34d3040ce2 Add change note 2023-04-17 12:59:14 +02:00
Asger F 13b1e97caa JS: Fix the ExtendCall restriction 2023-04-17 12:30:08 +02:00
Asger F eafef91dbc JS: Update test output after ExtendCall restriction 2023-04-17 12:28:23 +02:00
Asger F 024760610a JS: Add prototype pollution test 2023-04-17 12:27:34 +02:00
Asger F 2f4a181a7d JS: revert path sanitizers in proto pollution query 2023-04-17 12:21:00 +02:00
Asger F 04079752f7 JS: update test output after adding 'this' sanitizer 2023-04-17 12:15:46 +02:00
Asger F f87f6c8556 JS: Add test to unsafe jquery plugin 2023-04-17 12:15:05 +02:00
Asger F b728f71b4b JS: Move 'this' sanitizer to customizations 2023-04-17 12:11:18 +02:00
Asger F 62dca44ee5 Update UntrustedDataToExternalAPI.expected 2023-04-17 08:23:04 +02:00
Asger F c250ba7f27 JS: Undo sanitization of path.normalize() 2023-04-17 08:23:04 +02:00
Asger F 9db63c3a6a JS: Change note 2023-04-17 08:23:04 +02:00
Asger F b0d4b31103 JS: Trim whitespace in test 2023-04-17 08:23:04 +02:00
Asger F c7f16cd224 JS: Add test 2023-04-17 08:23:03 +02:00
Asger F 0d598c437d JS: Fix observed FPs in UnsafeJQueryPlugin 2023-04-17 08:20:18 +02:00
Asger F b321151a28 JS: Restrict ExtendCall flow in proto pollution query 2023-04-17 08:20:18 +02:00
Asger F efb582b661 JS: Drive-by fix to newly gained FPs 2023-04-17 08:20:18 +02:00
Asger F 869c6d27fe JS: Add implied receiver steps 2023-04-17 08:20:18 +02:00
Asger F 74dbc71535 JS: Change Extend steps to PreCallGraphStep 2023-04-17 08:20:18 +02:00
github-actions[bot] 075d063370 Release preparation for version 2.13.0 2023-04-14 13:31:30 +00:00
jarlob e9dee3a185 Move `actions/github-script` out of Actions.qll 2023-04-14 14:26:23 +02:00
Erik Krogh Kristensen cece307c60
Merge pull request #12802 from erik-krogh/history-xss 
JS: add browser history as XSS sink
 2023-04-14 13:35:19 +02:00
jarlob 599ec5a3b4 Add comment 2023-04-14 10:52:11 +02:00
jarlob 3724ea1a7b Extract `where` parts into predicates 2023-04-14 10:49:56 +02:00
jarlob ac1c20673d Encapsulate github-script 2023-04-14 10:23:49 +02:00
jarlob d80c541da6 Encapsulate composite actions 2023-04-14 10:06:35 +02:00
smiddy007 ec97cdc8a0 Allow NonKeyCiphers to include truncated SHA-512 MDs in Forge JS library. 2023-04-13 23:16:20 -04:00
jarlob 94065764d5 Make predicate name clearer 2023-04-14 01:05:21 +02:00
jarlob 79218a3946 Use `YamlMapping` for modeling `Env` 2023-04-14 00:56:51 +02:00
jarlob dd52ef85cd Rename Env 2023-04-13 23:41:31 +02:00
jarlob 76834cbe53 Rename GlobalEnv 2023-04-13 23:13:56 +02:00
jarlob a8a6913512 Simplify `exists` according to the warning 2023-04-13 23:10:16 +02:00
jarlob 8234ea33f0 More details in the changes file. 2023-04-13 23:05:32 +02:00
jarlob 6790318769 Added the composite word 2023-04-13 22:58:32 +02:00
Jaroslav Lobačevski 8f1bccbb4d
Apply suggestions from code review (comments) 
Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
 2023-04-13 22:55:53 +02:00
Alex Eyers-Taylor c6a482819a Bump all qlpacks major versions 2023-04-13 19:15:27 +01:00
Alex Ford 8c46bfd051
Merge pull request #12816 from github/rc/3.9 
Merge `rc/3.9` into `main`
 2023-04-13 12:35:41 +01:00
Tom Hvitved 3cc9dec9c8 Remove all `queries.xml` files 2023-04-13 11:18:58 +02:00
Arthur Baars ead8108aed Apply suggestions from code review 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-04-13 11:11:55 +02:00
Erik Krogh Kristensen cfb273ae01
Merge pull request #12799 from erik-krogh/oneColumn 
JS: use 1-based column locations for diagnostics
 2023-04-12 14:48:20 +02:00
Asger F b819f55203
Merge pull request #12792 from asgerf/js/redux-model-perf 
JS: add getForwardingFunction and use to sharpen useSelector model
 2023-04-12 14:09:59 +02:00
erik-krogh d3cc1d6991
update expected output of diagnostics test 2023-04-12 13:42:05 +02:00
erik-krogh b1957623c1
add browser history as XSS sink 2023-04-12 13:38:18 +02:00
Erik Krogh Kristensen 8cb54b748b
Merge pull request #12787 from tyage/add-router-sink 
JS: Add New XSS sink - Next.js router.push/replace
 2023-04-12 13:30:21 +02:00
Arthur Baars 83cd55cb29 Js/Yaml: add getFile() predicate 2023-04-11 16:01:44 +01:00
erik-krogh 3c4bd5b6a7
forward toString() etc. predicates from YamlNode to Locatable 2023-04-11 15:37:01 +02:00
erik-krogh b5e90483f5
improve the ESLint model to avoid overriding Yaml classes 2023-04-11 15:36:18 +02:00
Asger F aef0fa3c8a JS: Expand QLDoc 2023-04-11 14:16:36 +02:00
Asger F 2c65a49d7c JS: Add getForwardingFunction() to API graphs 2023-04-11 14:00:30 +02:00
Asger F 4ce03d4dc4 JS: Restrict useSelector steps to local callbacks 2023-04-11 13:33:46 +02:00
Asger F 3cc931306f JS: Add test for selector nodes with multiple access paths 2023-04-11 13:33:27 +02:00
Nate Johnson a0f4a5100f Insecure HTTP parser query for JavaScript 2023-04-09 20:38:55 -04:00
tyage 40d475863d Add change note 2023-04-08 18:36:50 +09:00
tyage 320cb99dbf Add replace method test 2023-04-08 18:31:48 +09:00
tyage 668e1accaa Remove unnecessary whiteline 2023-04-08 18:24:31 +09:00
tyage 7f9b8557ac Add Next.js router push as XSS sink 2023-04-08 18:18:34 +09:00
jarlob 72b66ffe97 Fix comment. 2023-04-07 10:01:14 +02:00
jarlob 7573c615f6 Fix warnings 2023-04-06 23:07:22 +02:00
jarlob 3745cccedd Fix warnings 2023-04-06 23:02:08 +02:00
jarlob af83d8af41 Add comment 2023-04-06 22:59:09 +02:00
jarlob 9c7eecf547 Add support for composite actions 2023-04-06 22:53:59 +02:00
jarlob baefeab2d1 fix tests 2023-04-06 19:11:04 +02:00
jarlob 0a878d4db9 Support yAml extensions 2023-04-06 19:07:38 +02:00
Arthur Baars 4fca4b668c JS: use shared YAML library 2023-04-06 15:11:35 +02:00
jarlob 40635e60d1 Improve documentation 2023-04-05 10:26:02 +02:00
jarlob 9fba7d31f1 Improve documentation 2023-04-05 10:24:07 +02:00
jarlob 40b7910473 Fix QLDoc warnings 2023-04-05 10:14:54 +02:00
jarlob eef1973b93 Change UI message 2023-04-05 10:05:24 +02:00
jarlob 5c5b9f99a8 Add simple taint tracking for env variables 2023-04-05 10:03:46 +02:00
github-actions[bot] ac426b1302 Post-release preparation for codeql-cli-2.12.6 2023-04-04 16:49:26 +00:00
Asger F 5cc7380bcd JS: Change note 2023-04-04 16:49:14 +02:00
jarlob 39ff3c72a2 Remove label sanitizer because it is prone to race conditions 2023-04-03 23:28:31 +02:00
jarlob 8ea418216c Look for script injections in actions/github-script 2023-04-03 23:13:28 +02:00
jarlob e941218e30 change notes added 2023-04-03 15:15:00 +02:00
jarlob ba5747dff3 fix formatting 2023-04-03 15:10:27 +02:00
jarlob c6eaf194a5 Remove empty.js as it is not needed anymore 2023-04-03 15:09:40 +02:00
jarlob 99d634c8a4 Add more sources, more unit tests, fixes to the GitHub Actions injection query 2023-04-03 15:02:02 +02:00
Asger F 53de9ae580
Merge pull request #12729 from asgerf/js/crypto-modernize 
JS: Modernize crypto libraries
 2023-04-03 12:16:22 +02:00
Jeroen Ketema 17bd9c12d7
JS: Fix qhelp after file rename 2023-04-03 09:25:19 +02:00
Erik Krogh Kristensen 1e1a692ee6
Merge pull request #12686 from erik-krogh/backtick-parse-error 
JS: add backticks around the concrete parse error
 2023-03-31 14:56:38 +02:00
Asger F 64cf27ab87 JS: Modernize crypto libraries 2023-03-31 14:49:23 +02:00
Asger F 40530ae14d JS: Simplfy with set literal 2023-03-31 12:04:56 +02:00
Asger F 4a06b81429 JS: Use API graphs in CryptoJS 2023-03-31 12:03:14 +02:00
Asger F dec1e4dfd6
Merge pull request #12666 from smiddy007/improve-insufficient-pw-hash-query 
JS: Improve insufficient pw hash query
 2023-03-31 11:58:41 +02:00
github-actions[bot] 0a3218676c Release preparation for version 2.12.6 2023-03-30 19:25:06 +00:00
Erik Krogh Kristensen b382465078
Merge pull request #12679 from ctbellanti/improved-certificate-validation 
JS: Improved coverage for disabled certificate validation
 2023-03-30 16:24:33 +02:00
github-actions[bot] e87ce62f95 Post-release preparation for codeql-cli-2.12.5 2023-03-30 13:48:58 +00:00
erik-krogh 47783326c2
add test for https.createServer in DisablingCertificateValidation.ql 2023-03-30 14:15:25 +02:00
Asger F 43174cfe3a
Merge pull request #12668 from asgerf/js/jquery-callback-sinks 
JS: fix handling of jQuery sinks involving callback
 2023-03-30 12:42:53 +02:00
Jeroen Ketema 0acca2ba76
Merge pull request #12687 from jketema/unit-2 
Make imports of `codeql.util.Unit` private
 2023-03-29 13:07:12 +02:00
smiddy007 0eb61d39d3 formatting 2023-03-28 11:28:32 -04:00
smiddy007 fe3b0a56ca Removed unnecessary field 2023-03-28 11:27:23 -04:00
smiddy007 8e9f2185c8
Merge branch 'main' into improve-insufficient-pw-hash-query 2023-03-28 11:15:10 -04:00
smiddy007 123eb1e57b
Update javascript/ql/lib/semmle/javascript/frameworks/CryptoLibraries.qll 
Co-authored-by: Asger F <asgerf@github.com>
 2023-03-28 11:14:28 -04:00
Erik Krogh Kristensen 13c0effbd2
change to minor change 2023-03-28 15:27:16 +02:00
Erik Krogh Kristensen 451f6f01bb
Merge pull request #12633 from erik-krogh/more-global-flow 
JS: better callgraph support for global variables
 2023-03-28 15:19:50 +02:00
Jeroen Ketema 3b8ad087eb
Make imports of `codeql.util.Unit` private 2023-03-28 14:14:13 +02:00
Asger F 61a7ee9387 JS: Use getABoundFunctionValue instead of type-tracking 2023-03-28 12:56:03 +02:00
erik-krogh e5e20ab42c
add backticks around the concrete parse error 2023-03-28 10:57:13 +02:00
smiddy007 2caab8748e Merge branch 'improve-insufficient-pw-hash-query' of https://github.com/smiddy007/codeql into improve-insufficient-pw-hash-query 2023-03-27 15:20:24 -04:00
smiddy007 57ab5a06ae autoformatted 2023-03-27 15:20:08 -04:00
Chris Bellanti 6bf94e800b Added check to disabling certificate validation query 2023-03-27 12:16:20 -04:00
smiddy007 64b56ef107
Merge branch 'main' into improve-insufficient-pw-hash-query 2023-03-27 12:07:21 -04:00
smiddy007 3ef5f3070f small change 2023-03-27 12:02:35 -04:00
Erik Krogh Kristensen d3c3f2dc90
Merge pull request #12628 from erik-krogh/betterReDoS 
ReDoS: better super-linear algorithm
 2023-03-27 15:26:49 +02:00
Asger F 32d7a80221 JS: Change note 2023-03-27 14:56:57 +02:00
Asger F 92a681213d JS: Step through jQuery callback return values 2023-03-27 11:17:27 +02:00
Asger F bc2a772f3b JS: Add test case showing false negative 2023-03-27 11:08:39 +02:00
Jeroen Ketema 977f15f8a4
Merge pull request #12649 from jketema/unit 
Replace all definitions of `Unit` by `import codeql.util.Unit`
 2023-03-27 08:49:50 +02:00
smiddy007 4980948613 changenote 2023-03-26 23:07:32 -04:00
smiddy007 cef6b95b15 Fixed Conflicts due to recent changes to file 2023-03-26 22:32:34 -04:00
smiddy007 ad527b8f69
Added new example files and renamed existing ones 2023-03-26 21:53:22 -04:00
smiddy007 ccf152df00
Added support for progressive hashing in crypto-js module 2023-03-26 21:29:55 -04:00
Jeroen Ketema a87a9438c7
Replace all definitions of `Unit` by `import codeql.util.Unit` 2023-03-24 10:39:34 +01:00
erik-krogh 27c29303da
add test diagnostics test for internal error 2023-03-23 13:12:51 +01:00
erik-krogh e189b36e3f
materialize less strings when ranking states 2023-03-23 10:35:58 +01:00
erik-krogh 0462e2a6ea
update some expected output 2023-03-22 20:47:53 +01:00
Alex Ford 0f267e012a
Merge pull request #12631 from alexrford/js/weak-cryptographic-algorithm_space 
JS: add a missing space in alert message for `js/weak-cryptographic-algorithm`
 2023-03-22 14:12:35 +00:00
erik-krogh 2bba9057a0
better callgraph support for global variables 2023-03-22 13:49:33 +01:00
Erik Krogh Kristensen 663d4e8e3b
Merge pull request #12592 from erik-krogh/rhsRegress 
JS: Fix performance regression in the `GetLaterAccess` module.
 2023-03-22 12:55:56 +01:00
Alex Ford b000b9b5c0 JS: add a missing space in alert message for js/weak-cryptographic-algorithm 2023-03-22 11:12:13 +00:00
Erik Krogh Kristensen bdab57b9d3
Update javascript/ql/lib/semmle/javascript/GlobalAccessPaths.qll 
Co-authored-by: Asger F <asgerf@github.com>
 2023-03-22 10:19:48 +01:00
erik-krogh b071d3557e
JS/PY/RB: add a worst-case test, that now performs OK 2023-03-22 10:13:18 +01:00
erik-krogh 801e0ff050
ReDoS: implement a better super-linear algorithm, with better worst-case performance 2023-03-22 10:13:16 +01:00
erik-krogh c023af7308
manual recursion, and other join-order 2023-03-21 15:22:10 +01:00
erik-krogh 070468ab68
fix performance 2023-03-21 15:19:38 +01:00
erik-krogh 34fe1a8f5e
use SSA in the GetLaterAccess module 2023-03-21 15:19:15 +01:00
Asger F 6d665da4dc
Merge pull request #12570 from github/post-release-prep/codeql-cli-2.12.5 
Post-release preparation for codeql-cli-2.12.5
 2023-03-21 13:06:25 +01:00
Erik Krogh Kristensen 0f813ce2e8
Merge pull request #12543 from erik-krogh/reg-perf 
ReDoS: restrict the edges considered in polynomial-redos for complex regular expressions
 2023-03-20 15:48:35 +01:00
Erik Krogh Kristensen 540542ceb5
Merge pull request #12518 from erik-krogh/more-express-sources 
JS: recognize more express URL related sources
 2023-03-20 08:49:11 +01:00
github-actions[bot] 981e171525 Post-release preparation for codeql-cli-2.12.5 2023-03-17 13:27:00 +00:00
Asger F d537f86324
Merge pull request #12555 from asgerf/js/block-modes 
JS: Include weak block modes as sink in weak crypto algorithm
 2023-03-17 13:23:23 +01:00
erik-krogh e00c41c6e2
add change-note and bump version 2023-03-16 22:37:56 +01:00
erik-krogh a63739915d
add test confirming support for const type parameters 2023-03-16 22:37:35 +01:00
erik-krogh 2c1c41d8a3
add test confirming end-to-end support for well-typed decorators with the new TS 5.0 type ClassMethodDecoratorContext 2023-03-16 22:37:35 +01:00
Asger F bce1f29a7e JS: Add change note 2023-03-16 14:55:00 +01:00
Asger F 86a06bde72 JS: Flag crypto operations with weak block mode 2023-03-16 14:52:52 +01:00
Asger F e907d685f4 JS: Add crypto test with AES-ECB 2023-03-16 14:52:18 +01:00
github-actions[bot] fe4d27e8cc Release preparation for version 2.12.5 2023-03-16 12:58:50 +00:00
erik-krogh f718d78a9a
avoid redundant sources 2023-03-16 13:34:01 +01:00
erik-krogh 54ec047433
ReDoS: put an artificial limitation on the analysis in polynomial-redos for large regular expressions 2023-03-16 12:20:53 +01:00
erik-krogh a72436f6f1
recognize more express URL related sources 2023-03-15 10:14:31 +01:00
Arthur Baars fbe9823a42
Merge branch 'main' into henrymercer/polish-diagnostics 2023-03-14 23:42:33 +01:00
Henry Mercer 1394abcf98 JS: Update diagnostics IDs for consistency with rules 2023-03-14 21:44:19 +00:00
Henry Mercer 1f63c5d5e4 JS: Update parse error diagnostic name for consistency 2023-03-14 21:43:32 +00:00
Asger F feb7c49006
Merge pull request #12382 from asgerf/js/import-assertion 
JS: Support import assertions
 2023-03-14 14:56:32 +01:00
Asger F d953ad63fe
Merge pull request #12445 from asgerf/js/react-forward-ref 
JS: Handle forwardRef in React
 2023-03-14 13:21:16 +01:00
Asger F 8ab3f39b5e
Merge pull request #12423 from asgerf/js/trusted-types-global-flow 
JS: Track trusted types policy callbacks
 2023-03-14 13:09:50 +01:00
Erik Krogh Kristensen 060c37b6a2
Merge pull request #12345 from erik-krogh/delOldDeps 
delete old deprecations
 2023-03-13 12:48:24 +01:00
Asger F 5461f94c6c
Merge pull request #12424 from asgerf/js/html-sanitizer-for-sql 
JS: Add html sanitizers as a taint step in a few queries
 2023-03-13 11:36:19 +01:00
Asger F 41dd63adc7 Handle forwardRef in React 2023-03-13 11:30:18 +01:00
erik-krogh 6c1ebd999e
Merge branch 'main' into delOldDeps 2023-03-13 11:00:29 +01:00
Anders Schack-Mulligen 8d97fe9ed3 JavaScript: Autoformat 2023-03-10 09:41:20 +01:00
Henry Mercer 079451142e
Merge branch 'main' into codeql-ci/atm/release-0.4.9 2023-03-09 16:08:22 +00:00
github-actions[bot] a82aaea514 JS: Bump version of ML-powered library and query packs to 0.4.10 2023-03-09 15:54:49 +00:00
github-actions[bot] f0bb25bfce JS: Bump patch version of ML-powered library and query packs 2023-03-09 15:46:31 +00:00
Asger F 6e744093e2
Merge pull request #12398 from github/post-release-prep/codeql-cli-2.12.4 
Post-release preparation for codeql-cli-2.12.4
 2023-03-09 15:38:21 +01:00
Arthur Baars 942cd7c275
Merge pull request #12113 from erik-krogh/diagnostics 
JS: Implement diagnostics
 2023-03-09 12:57:06 +01:00
Arthur Baars 7ab0f88f78 JS: add link to docs to parse error diagnostic 2023-03-08 16:47:43 +01:00
Arthur Baars e5be8ab1e5 JS: add integration test for diagnostic messages 2023-03-08 16:04:49 +01:00
Asger F 05b5aea477 JS: Changenote 2023-03-07 13:15:44 +01:00
Asger F 856b50735d JS: Expand test case 2023-03-07 13:04:26 +01:00
Asger F 0affd898de JS: Track trusted type policy callbacks 2023-03-07 10:22:26 +01:00
Asger F 4f0e17bf97 JS: Add step to a few other queries 2023-03-07 09:39:40 +01:00
Asger F d4b4d22378 JS: Step through HTML sanitizers in SQL injection query 2023-03-06 15:10:26 +01:00