Merge branch 'main' of github.com:github/codeql into htmlReg

2026-05-10 01:10:09 +02:00 · 2021-10-26 14:46:27 +02:00
parent 8d6cac76cc e5e1046c81
commit 44afa34e37
2275 changed files with 216237 additions and 23741 deletions
--- a/javascript/ql/src/Security/CWE-020/UselessRegExpCharacterEscape.ql
+++ b/javascript/ql/src/Security/CWE-020/UselessRegExpCharacterEscape.ql
@@ -67,7 +67,7 @@ class RegExpPatternMistake extends TRegExpPatternMistake {
   * The location spans column `startcolumn` of line `startline` to
   * column `endcolumn` of line `endline` in file `filepath`.
   * For more information, see
-   * [Locations](https://help.semmle.com/QL/learn-ql/ql/locations.html).
+   * [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
   */
  predicate hasLocationInfo(
    string filepath, int startline, int startcolumn, int endline, int endcolumn
--- a/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
+++ b/javascript/ql/src/Security/CWE-078/IndirectCommandInjection.ql
@@ -5,7 +5,7 @@
 *              command-line injection vulnerabilities.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 9.8
+ * @security-severity 6.3
 * @precision medium
 * @id js/indirect-command-line-injection
 * @tags correctness
--- a/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql
+++ b/javascript/ql/src/Security/CWE-078/ShellCommandInjectionFromEnvironment.ql
@@ -4,7 +4,7 @@
 *              environment may cause subtle bugs or vulnerabilities.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 9.8
+ * @security-severity 6.3
 * @precision high
 * @id js/shell-command-injection-from-environment
 * @tags correctness
--- a/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql
+++ b/javascript/ql/src/Security/CWE-078/UnsafeShellCommandConstruction.ql
@@ -4,7 +4,7 @@
 *              user to change the meaning of the command.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 9.8
+ * @security-severity 6.3
 * @precision high
 * @id js/shell-command-constructed-from-input
 * @tags correctness
--- a/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql
+++ b/javascript/ql/src/Security/CWE-078/UselessUseOfCat.ql
@@ -3,7 +3,7 @@
 * @description Using the  `cat` process to read a file is unnecessarily complex, inefficient, unportable, and can lead to subtle bugs, or even security vulnerabilities.
 * @kind problem
 * @problem.severity error
- * @security-severity 9.8
+ * @security-severity 6.3
 * @precision high
 * @id js/unnecessary-use-of-cat
 * @tags correctness
--- a/javascript/ql/src/Security/CWE-094/CodeInjection.ql
+++ b/javascript/ql/src/Security/CWE-094/CodeInjection.ql
@@ -4,11 +4,12 @@
 *              code execution.
 * @kind path-problem
 * @problem.severity error
- * @security-severity 6.1
+ * @security-severity 9.3
 * @precision high
 * @id js/code-injection
 * @tags security
 *       external/cwe/cwe-094
+ *       external/cwe/cwe-095
 *       external/cwe/cwe-079
 *       external/cwe/cwe-116
 */
--- a/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
+++ b/javascript/ql/src/Security/CWE-116/IncompleteSanitization.ql
@@ -79,14 +79,11 @@ predicate allBackslashesEscaped(DataFlow::Node nd) {
  or
  // flow through string methods
  exists(DataFlow::MethodCallNode mc, string m |
-    m = "replace" or
-    m = "replaceAll" or
-    m = "slice" or
-    m = "substr" or
-    m = "substring" or
-    m = "toLowerCase" or
-    m = "toUpperCase" or
-    m = "trim"
+    m =
+      [
+        "replace", "replaceAll", "slice", "substr", "substring", "toLowerCase", "toUpperCase",
+        "trim"
+      ]
  |
    mc = nd and m = mc.getMethodName() and allBackslashesEscaped(mc.getReceiver())
  )
--- a/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql
+++ b/javascript/ql/src/Security/CWE-134/TaintedFormatString.ql
@@ -3,7 +3,7 @@
 * @description Using external input in format strings can lead to garbled output.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 9.3
+ * @security-severity 7.3
 * @precision high
 * @id js/tainted-format-string
 * @tags security
--- a/javascript/ql/src/Security/CWE-730/ServerCrash.ql
+++ b/javascript/ql/src/Security/CWE-730/ServerCrash.ql
@@ -104,7 +104,7 @@ class AsyncSentinelCall extends DataFlow::CallNode {
    exists(DataFlow::FunctionNode node | node.getAstNode() = asyncCallee |
      // manual models
      exists(string memberName |
-        not "Sync" = memberName.suffix(memberName.length() - 4) and
+        not memberName.matches("%Sync") and
        this = NodeJSLib::FS::moduleMember(memberName).getACall() and
        node = this.getCallback([1 .. 2])
      )
--- a/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql
+++ b/javascript/ql/src/Security/CWE-834/LoopBoundInjection.ql
@@ -4,10 +4,11 @@
 *              property can cause indefinite looping.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 6.5
+ * @security-severity 7.5
 * @id js/loop-bound-injection
 * @tags security
 *       external/cwe/cwe-834
+ *       external/cwe/cwe-730
 * @precision high
 */

--- a/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
+++ b/javascript/ql/src/Security/CWE-912/HttpToFileAccess.ql
@@ -3,7 +3,7 @@
 * @description Writing network data directly to the file system allows arbitrary file upload and might indicate a backdoor.
 * @kind path-problem
 * @problem.severity warning
- * @security-severity 9.8
+ * @security-severity 6.3
 * @precision medium
 * @id js/http-to-file-access
 * @tags security