hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 01:35:13 +02:00
Code Issues Packages Projects Releases Wiki Activity

upgrade query to detect redash CVE too

Browse Source
This commit is contained in:
amammad
2023-06-30 22:14:50 +10:00
parent 7a17b99c17
commit 816799c4ba
436 changed files with 13346 additions and 1089 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
javascript/ql/lib/CHANGELOG.md
View File

@@ -1,3 +1,23 @@
## 0.6.3
### Major Analysis Improvements
* Added support for TypeScript 5.1.
### Minor Analysis Improvements
* Deleted many deprecated predicates and classes with uppercase `XML`, `JSON`, `URL`, `API`, etc. in their names. Use the PascalCased versions instead.
* Deleted the deprecated `localTaintStep` predicate from `DataFlow.qll`.
* Deleted the deprecated `stringStep`, and `localTaintStep` predicates from `TaintTracking.qll`.
* Deleted many modules that started with a lowercase letter. Use the versions that start with an uppercase letter instead.
* Deleted the deprecated `HtmlInjectionConfiguration` and `JQueryHtmlOrSelectorInjectionConfiguration` classes from `DomBasedXssQuery.qll`, use `Configuration` instead.
* Deleted the deprecated `DefiningIdentifier` class and the `Definitions.qll` file it was in. Use `SsaDefinition` instead.
* Deleted the deprecated `definitionReaches`, `localDefinitionReaches`, `getAPseudoDefinitionInput`, `nextDefAfter`, and `localDefinitionOverwrites` predicates from `DefUse.qll`.
* Updated the following JavaScript sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
* `command-line-injection` to `command-injection`
* `credentials[kind]` to `credentials-kind`
* Added a support of sub modules in `node_modules`.
## 0.6.2
### Minor Analysis Improvements

19
javascript/ql/lib/change-notes/released/0.6.3.md Normal file
View File

@@ -0,0 +1,19 @@
## 0.6.3
### Major Analysis Improvements
* Added support for TypeScript 5.1.
### Minor Analysis Improvements
* Deleted many deprecated predicates and classes with uppercase `XML`, `JSON`, `URL`, `API`, etc. in their names. Use the PascalCased versions instead.
* Deleted the deprecated `localTaintStep` predicate from `DataFlow.qll`.
* Deleted the deprecated `stringStep`, and `localTaintStep` predicates from `TaintTracking.qll`.
* Deleted many modules that started with a lowercase letter. Use the versions that start with an uppercase letter instead.
* Deleted the deprecated `HtmlInjectionConfiguration` and `JQueryHtmlOrSelectorInjectionConfiguration` classes from `DomBasedXssQuery.qll`, use `Configuration` instead.
* Deleted the deprecated `DefiningIdentifier` class and the `Definitions.qll` file it was in. Use `SsaDefinition` instead.
* Deleted the deprecated `definitionReaches`, `localDefinitionReaches`, `getAPseudoDefinitionInput`, `nextDefAfter`, and `localDefinitionOverwrites` predicates from `DefUse.qll`.
* Updated the following JavaScript sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
* `command-line-injection` to `command-injection`
* `credentials[kind]` to `credentials-kind`
* Added a support of sub modules in `node_modules`.

2
javascript/ql/lib/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.6.2
lastReleaseVersion: 0.6.3

2
javascript/ql/lib/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/javascript-all
version: 0.6.3-dev
version: 0.6.4-dev
groups: javascript
dbscheme: semmlecode.javascript.dbscheme
extractor: javascript

9
javascript/ql/lib/semmle/javascript/frameworks/data/internal/ApiGraphModels.qll
View File

@@ -643,6 +643,15 @@ module ModelOutput {
baseNode = getInvocationFromPath(type, path)
}
/**
* Holds if a `baseNode` is a callable identified by the `type,path` part of a summary row.
*/
cached
predicate resolvedSummaryRefBase(string type, string path, API::Node baseNode) {
summaryModel(type, path, _, _, _) and
baseNode = getNodeFromPath(type, path)
}
/**
* Holds if `node` is seen as an instance of `type` due to a type definition
* contributed by a CSV model.

8
javascript/ql/src/CHANGELOG.md
View File

@@ -1,3 +1,11 @@
## 0.6.3
### Minor Analysis Improvements
* Fixed an issue where calls to a method named `search` would lead to false positive alerts related to regular expressions.
This happened when the call was incorrectly seen as a call to `String.prototype.search`, since this function converts its first argument
to a regular expression. The analysis is now more restrictive about when to treat `search` calls as regular expression sinks.
## 0.6.2
### Major Analysis Improvements

2
javascript/ql/src/Security/CWE-094/examples/comment_issue_good.yml
View File

@@ -7,4 +7,4 @@ jobs:
- env:
BODY: ${{ github.event.issue.body }}
run: |
echo '$BODY'
echo "$BODY"

17
javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp
View File

@@ -21,6 +21,23 @@
</p>
</recommendation>
<example>
<p>
The following code example connects to an HTTP request using an hard-codes authentication header:
</p>
<sample src="examples/HardcodedCredentialsHttpRequest.js"/>
<p>
Instead, user name and password can be supplied through the environment variables
<code>username</code> and <code>password</code>, which can be set externally without hard-coding
credentials in the source code.
</p>
<sample src="examples/HardcodedCredentialsHttpRequestFixed.js"/>
</example>
<example>
<p>
The following code example connects to a Postgres database using the <code>pg</code> package

18
javascript/ql/src/Security/CWE-798/examples/HardcodedCredentialsHttpRequest.js Normal file
View File

@@ -0,0 +1,18 @@
let base64 = require('base-64');
let url = 'http://example.org/auth';
let username = 'user';
let password = 'passwd';
let headers = new Headers();
headers.append('Content-Type', 'text/json');
headers.append('Authorization', 'Basic' + base64.encode(username + ":" + password));
fetch(url, {
method:'GET',
headers: headers
})
.then(response => response.json())
.then(json => console.log(json))
.done();

18
javascript/ql/src/Security/CWE-798/examples/HardcodedCredentialsHttpRequestFixed.js Normal file
View File

@@ -0,0 +1,18 @@
let base64 = require('base-64');
let url = 'http://example.org/auth';
let username = process.env.USERNAME;
let password = process.env.PASSWORD;
let headers = new Headers();
headers.append('Content-Type', 'text/json');
headers.append('Authorization', 'Basic' + base64.encode(username + ":" + password));
fetch(url, {
method:'GET',
headers: headers
})
.then(response => response.json())
.then(json => console.log(json))
.done();

7
javascript/ql/src/change-notes/released/0.6.3.md Normal file
View File

@@ -0,0 +1,7 @@
## 0.6.3
### Minor Analysis Improvements
* Fixed an issue where calls to a method named `search` would lead to false positive alerts related to regular expressions.
This happened when the call was incorrectly seen as a call to `String.prototype.search`, since this function converts its first argument
to a regular expression. The analysis is now more restrictive about when to treat `search` calls as regular expression sinks.

2
javascript/ql/src/codeql-pack.release.yml
View File

@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.6.2
lastReleaseVersion: 0.6.3

2
javascript/ql/src/qlpack.yml
View File

@@ -1,5 +1,5 @@
name: codeql/javascript-queries
version: 0.6.3-dev
version: 0.6.4-dev
groups:
- javascript
- queries