AlexTereshenkov
3e6f8fb6be
Add bind-socket-all-network-interfaces Python query ( #2048 )
...
Add bind-socket-all-network-interfaces Python query
2019-10-03 11:23:11 +01:00
Jonas Jensen
8bed418022
C++: enable the QL-based CFG code
2019-10-03 10:04:24 +02:00
Robert Marsh
68c38ba34a
C++: Add change note
2019-10-02 11:38:20 -07:00
yh-semmle
3313af5189
Merge pull request #2036 from aschackmull/java/eq-ssa-guard
...
Java: Improve guards for equal ssa variables.
2019-10-02 12:00:59 -04:00
Tom Hvitved
b66479c028
C#: Add change note
2019-10-02 16:31:26 +02:00
Anders Schack-Mulligen
0154e31e64
Java: Add change note.
2019-10-02 11:47:53 +02:00
Erik Krogh Kristensen
aa1368741b
rename suspicious-method-name to suspicious-method-name-declaration
2019-10-01 14:37:07 +02:00
Jonas Jensen
7c319efb8b
C++: Data flow through reference parameters
2019-10-01 10:43:49 +02:00
Jonas Jensen
f417640da4
Merge pull request #1938 from dave-bartolomeo/dave/InNOut
...
C++: Rename predicates in `FunctionInputsAndOutputs.qll` and add QLDoc
2019-09-30 13:30:19 +02:00
Erik Krogh Kristensen
0320f0f26b
add query for detecting suspisous method names in TypeScript
2019-09-30 13:05:50 +02:00
Dave Bartolomeo
28aa7dcae2
C++: Fix PR feedback
2019-09-26 13:56:43 -07:00
Max Schaefer
d4fca84898
JavaScript: Improve XSS sanitizer detection.
...
We now use local data flow to detect more regexp-based sanitizers.
2019-09-23 17:07:06 +01:00
Jonas Jensen
898976121b
Merge pull request #1987 from geoffw0/toomanyformat
...
CPP: WrongNumberOfFormatArguments.ql Fix
2019-09-23 16:05:11 +02:00
semmle-qlci
e2c941c577
Merge pull request #1916 from erik-krogh/taintedLength
...
Approved by asger-semmle, xiemaisi
2019-09-23 11:47:48 +01:00
semmle-qlci
7a57a3c743
Merge pull request #1996 from xiemaisi/js/fix-illegal-invocation-refl
...
Approved by esben-semmle
2019-09-23 09:16:33 +01:00
Max Schaefer
149ae5d7ab
JavaScript: Fix IllegalInvocation.
...
This fixes false positives that arise when a call such as `f.apply` can either be interpreted as a reflective invocation of `f`, or a normal call to method `apply` of `f`.
2019-09-23 07:44:14 +01:00
Erik Krogh Kristensen
814c5537be
update name of loop bound injection in change-notes
2019-09-20 22:56:08 +02:00
Geoffrey White
accb8246d4
CPP: Change note.
2019-09-20 15:15:35 +01:00
Calum Grant
b31cd8ab32
Merge pull request #1982 from hvitved/csharp/null-maybe-dynamic
...
C#: Remove false positives from `cs/dereferenced-value-may-be-null`
2019-09-20 14:46:01 +01:00
Calum Grant
8408e90b5f
C#: Change note & docs.
2019-09-20 14:44:07 +01:00
semmle-qlci
6d9d859119
Merge pull request #1934 from asger-semmle/node-js-classification
...
Approved by esben-semmle
2019-09-20 09:50:34 +01:00
Tom Hvitved
fb68d839a9
C#: Add change note
2019-09-20 10:40:20 +02:00
Robert Marsh
fd88f7a3ce
Merge pull request #1884 from jbj/dataflow-addressof
...
C++: Data flow through address-of operator (&)
2019-09-19 09:15:43 -07:00
semmle-qlci
6f2e485ace
Merge pull request #1950 from xiemaisi/js/rate-limiter-flexible
...
Approved by esben-semmle
2019-09-19 12:45:45 +01:00
Erik Krogh Kristensen
3ef187f7f2
Add external/cwe/cwe-834 tag in change notes for js/loop-bound-injectoin
...
Co-Authored-By: Max Schaefer <max@semmle.com>
2019-09-19 11:30:15 +02:00
Esben Sparre Andreasen
b631bfc8eb
Merge branch 'master' into node-js-classification
2019-09-19 09:42:26 +02:00
semmle-qlci
57a6c0c20d
Merge pull request #1918 from esben-semmle/js/improve-getAResponseDataNode
...
Approved by asger-semmle
2019-09-18 14:03:45 +01:00
semmle-qlci
479fca9e30
Merge pull request #1946 from xiemaisi/js/top-level-await
...
Approved by asger-semmle
2019-09-18 12:32:09 +01:00
Max Schaefer
3970ead7ab
JavaScript: Add support for `rate-limiter-flexible` package.
2019-09-18 12:25:33 +01:00
Max Schaefer
9ff5c7007a
JavaScript: Add support for top-level `await`.
2019-09-18 09:56:21 +01:00
Esben Sparre Andreasen
ac6554b7da
Merge branch 'master' into js/improve-getAResponseDataNode
2019-09-17 13:18:41 +02:00
Jonas Jensen
fd6d06fe6f
C++: Data flow through address-of operator (&)
...
The data flow library conflates pointers and their objects in some
places but not others. For example, a member function call `x.f()` will
cause flow from `x` of type `T` to `this` of type `T*` inside `f`. It
might be ideal to avoid that conflation, but that's not realistic
without using the IR.
We've had good experience in the taint tracking library with conflating
pointers and objects, and it improves results for field flow, so perhaps
it's time to try it out for all data flow.
2019-09-17 13:16:34 +02:00
Asger F
f8eff06aa1
JS: Change note
2019-09-17 11:20:39 +01:00
Esben Sparre Andreasen
c9d31e90fe
JS: add change notes
2019-09-16 10:11:43 +02:00
Erik Krogh Kristensen
3fb64abb09
fix consistency and spelling in the documentation
...
suggestions from the documentation team
Co-Authored-By: shati-patel <42641846+shati-patel@users.noreply.github.com>
2019-09-13 14:52:11 +01:00
Erik Krogh Kristensen
5b2b60f132
change DOS to DoS, and other small documentation fixes
...
Co-Authored-By: Max Schaefer <max@semmle.com>
2019-09-13 10:26:01 +01:00
Erik Krogh Kristensen
17a71a97c5
add loop-bound-injection to change-notes
2019-09-12 15:28:14 +01:00
Calum Grant
e330d5a6c6
Merge pull request #1549 from hvitved/csharp/cfg/loop-unrolling
...
C#: Loop unrolling for `foreach` statements
2019-09-12 10:24:26 +01:00
semmle-qlci
72db219c13
Merge pull request #1910 from xiemaisi/js/unused-index-variable
...
Approved by esben-semmle, shati-semmle
2019-09-11 14:33:32 +01:00
Max Schaefer
500cde68c3
JavaScript: Add new query `UnusedIndexVariable`.
2019-09-11 11:36:50 +01:00
Esben Sparre Andreasen
086c473c18
JS: sharpen js/http-to-file-access
2019-09-11 12:05:33 +02:00
semmle-qlci
16c95d8c5e
Merge pull request #1876 from esben-semmle/js/more-delimiter-stripping-whitelisting
...
Approved by xiemaisi
2019-09-11 09:16:57 +01:00
Esben Sparre Andreasen
f7bfc472c1
JS: treat server responses as untrusted for command injections
2019-09-11 09:38:18 +02:00
Asger F
194a1c3530
JS: Change note
2019-09-09 15:42:43 +01:00
semmle-qlci
e899250e87
Merge pull request #1894 from asger-semmle/fp-incorrect-suffix-check
...
Approved by xiemaisi
2019-09-09 15:33:47 +01:00
semmle-qlci
89cba089b4
Merge pull request #1892 from asger-semmle/event-handler-sink
...
Approved by esben-semmle
2019-09-09 15:33:21 +01:00
Asger F
b6690bb644
JS: Add change note
2019-09-09 12:45:03 +01:00
Calum Grant
3734552081
C#: Add change note for datetime queries.
2019-09-06 16:45:02 +01:00
Asger F
dfd18a51ee
JS: Change note
2019-09-06 16:03:16 +01:00
Robert Marsh
94c625f03f
Merge pull request #1777 from jbj/ast-field-flow-defbyref
...
C++: Don't use definitionByReference for data flow
2019-09-05 10:23:28 -07:00
semmle-qlci
fd2e8486e4
Merge pull request #1862 from asger-semmle/prototype-pollution-angular-merge
...
Approved by esben-semmle
2019-09-05 12:50:58 +01:00
Esben Sparre Andreasen
a9665f53b8
JS: whitelist quote stripping for js/incomplete-sanitization
2019-09-05 09:47:49 +01:00
Jonas Jensen
114c2fe0d4
Merge remote-tracking branch 'upstream/master' into ast-field-flow-defbyref
2019-09-05 09:33:45 +02:00
Robert Marsh
a3290503ec
Merge pull request #1806 from jbj/localExprFlow
...
C++: Add localExprFlow and localExprTaint
2019-09-04 10:38:46 -07:00
Asger F
93a3f571ec
JS: Add change note
2019-09-04 16:14:51 +01:00
Jonas Jensen
cdcc716675
Merge pull request #1867 from geoffw0/erafix9
...
CPP: Add date to JapaneseEraDate.ql
2019-09-04 13:16:04 +02:00
Jonas Jensen
3ba650911c
Merge pull request #1847 from geoffw0/erafix8
...
CPP: Deal with two very similar Japanese era queries
2019-09-04 09:57:10 +02:00
Geoffrey White
84112d3630
CPP: Change note.
2019-09-03 18:30:24 +01:00
semmle-qlci
6778f28424
Merge pull request #1854 from asger-semmle/prototype-pollution-precision
...
Approved by esben-semmle, xiemaisi
2019-09-03 10:50:24 +01:00
Jonas Jensen
d7681bf122
C++: Don't use definitionByReference for data flow
...
The data flow library conflates pointers and objects enough for the
`definitionByReference` predicate to be too strict in some cases. It was
too permissive in other cases that are now (or will be) handled better
by field flow.
See also the change note entry.
2019-09-03 11:49:01 +02:00
Tom Hvitved
4b32ee77e6
C#: Add change note
2019-09-03 09:35:58 +02:00
Asger F
c71a66a045
JS: Add change note
2019-09-02 11:05:07 +01:00
Max Schaefer
91e46cd6fd
JavaScript: Fix parsing of asynchronous generator methods.
2019-09-02 09:56:42 +01:00
semmle-qlci
6d55d1f7c0
Merge pull request #1707 from asger-semmle/canonical-name-call-graph
...
Approved by xiemaisi
2019-09-02 09:45:24 +01:00
Max Schaefer
742c9708a9
Merge pull request #1828 from asger-semmle/jsdoc-relation
...
JS: Make getDocumentation handle chain assignments
2019-09-02 08:43:40 +01:00
Jonas Jensen
63311739a5
C++: Add localExprFlow and localExprTaint
...
This is for ODASA-8053.
2019-09-02 09:29:10 +02:00
yh-semmle
f54545522e
Merge pull request #1759 from aschackmull/java/flow-exploration
...
Java/C++/C#: Add support for dataflow exploration by partial paths.
2019-08-30 17:00:17 -04:00
Asger F
45941869ad
JS: Change note
2019-08-30 18:25:39 +01:00
Asger F
9533ca0926
JS: Change note
2019-08-30 18:19:49 +01:00
Asger F
3186942906
JS: Add change note
2019-08-30 16:05:13 +01:00
semmle-qlci
a97aefe0c3
Merge pull request #1835 from xiemaisi/js/dom-fixes
...
Approved by asger-semmle
2019-08-30 14:45:06 +01:00
Taus
a2841b4245
Merge pull request #1763 from markshannon/python-cwe-312
...
Python: Two new queries for CWE-312.
2019-08-30 15:28:56 +02:00
Anders Schack-Mulligen
455bb6cd15
Java/C++/C#: Add change notes.
2019-08-30 14:35:21 +02:00
Anders Schack-Mulligen
6749f7a1b7
Merge pull request #1843 from lukecartey/java/add-missing-sql-apis
...
Java: Add missing SQL query APIs.
2019-08-30 14:27:40 +02:00
Luke Cartey
e118f9a5f9
Add change note.
2019-08-30 10:48:37 +01:00
Mark Shannon
811815aa4e
Merge branch 'master' into python-cwe-312
2019-08-30 10:39:04 +01:00
Tom Hvitved
ae5fb7f330
C#: Introduce `BarrierGuard`s
2019-08-30 09:37:16 +02:00
Geoffrey White
b254e1f48e
CPP: Change note.
2019-08-29 18:24:29 +01:00
Calum Grant
424ab3ed6a
C#: Analysis change notes.
2019-08-29 18:12:58 +01:00
Mark Shannon
4f172bd075
Python: Add change note for CWE-312 queries.
2019-08-29 16:05:11 +01:00
Jonas Jensen
c8a9ec465e
C++: New change-notes file for 1.23
2019-08-28 13:36:57 +02:00
Max Schaefer
78ce290de3
JavaScript: Fix `DomMethodCallExpr.interpretsArgumentsAsHTML`.
2019-08-28 11:22:03 +01:00