Merge branch 'main' into seclab/webix-modeling

This commit is contained in:
Jorge
2023-06-23 18:06:26 +02:00
committed by GitHub
950 changed files with 33524 additions and 6161 deletions


@@ -1,3 +1,23 @@
## 0.6.3
### Major Analysis Improvements
* Added support for TypeScript 5.1.
### Minor Analysis Improvements
* Deleted many deprecated predicates and classes with uppercase `XML`, `JSON`, `URL`, `API`, etc. in their names. Use the PascalCased versions instead.
* Deleted the deprecated `localTaintStep` predicate from `DataFlow.qll`.
* Deleted the deprecated `stringStep`, and `localTaintStep` predicates from `TaintTracking.qll`.
* Deleted many modules that started with a lowercase letter. Use the versions that start with an uppercase letter instead.
* Deleted the deprecated `HtmlInjectionConfiguration` and `JQueryHtmlOrSelectorInjectionConfiguration` classes from `DomBasedXssQuery.qll`, use `Configuration` instead.
* Deleted the deprecated `DefiningIdentifier` class and the `Definitions.qll` file it was in. Use `SsaDefinition` instead.
* Deleted the deprecated `definitionReaches`, `localDefinitionReaches`, `getAPseudoDefinitionInput`, `nextDefAfter`, and `localDefinitionOverwrites` predicates from `DefUse.qll`.
* Updated the following JavaScript sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
* `command-line-injection` to `command-injection`
* `credentials[kind]` to `credentials-kind`
* Added a support of sub modules in `node_modules`.
## 0.6.2
### Minor Analysis Improvements


@@ -1,4 +0,0 @@
---
category: majorAnalysis
---
* Added support for TypeScript 5.1.


@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
- Added a support of sub modules in `node_modules`.


@@ -1,6 +0,0 @@
---
category: minorAnalysis
---
* Updated the following JavaScript sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
* `command-line-injection` to `command-injection`
* `credentials[kind]` to `credentials-kind`


@@ -1,10 +1,19 @@
---
category: minorAnalysis
---
## 0.6.3
### Major Analysis Improvements
* Added support for TypeScript 5.1.
### Minor Analysis Improvements
* Deleted many deprecated predicates and classes with uppercase `XML`, `JSON`, `URL`, `API`, etc. in their names. Use the PascalCased versions instead.
* Deleted the deprecated `localTaintStep` predicate from `DataFlow.qll`.
* Deleted the deprecated `stringStep`, and `localTaintStep` predicates from `TaintTracking.qll`.
* Deleted many modules that started with a lowercase letter. Use the versions that start with an uppercase letter instead.
* Deleted the deprecated `HtmlInjectionConfiguration` and `JQueryHtmlOrSelectorInjectionConfiguration` classes from `DomBasedXssQuery.qll`, use `Configuration` instead.
* Deleted the deprecated `DefiningIdentifier` class and the `Definitions.qll` file it was in. Use `SsaDefinition` instead.
* Deleted the deprecated `definitionReaches`, `localDefinitionReaches`, `getAPseudoDefinitionInput`, `nextDefAfter`, and `localDefinitionOverwrites` predicates from `DefUse.qll`.
* Deleted the deprecated `definitionReaches`, `localDefinitionReaches`, `getAPseudoDefinitionInput`, `nextDefAfter`, and `localDefinitionOverwrites` predicates from `DefUse.qll`.
* Updated the following JavaScript sink kind names. Any custom data extensions that use these sink kinds will need to be updated accordingly in order to continue working.
* `command-line-injection` to `command-injection`
* `credentials[kind]` to `credentials-kind`
* Added a support of sub modules in `node_modules`.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.6.2
lastReleaseVersion: 0.6.3


@@ -1,11 +1,12 @@
name: codeql/javascript-all
version: 0.6.3-dev
version: 0.6.4-dev
groups: javascript
dbscheme: semmlecode.javascript.dbscheme
extractor: javascript
library: true
upgrades: upgrades
dependencies:
codeql/mad: ${workspace}
codeql/regex: ${workspace}
codeql/tutorial: ${workspace}
codeql/util: ${workspace}


@@ -653,6 +653,17 @@ module ModelOutput {
import Cached
import Specific::ModelOutputSpecific
private import codeql.mad.ModelValidation as SharedModelVal
private module KindValConfig implements SharedModelVal::KindValidationConfigSig {
predicate summaryKind(string kind) { summaryModel(_, _, _, _, kind) }
predicate sinkKind(string kind) { sinkModel(_, _, kind) }
predicate sourceKind(string kind) { sourceModel(_, _, kind) }
}
private module KindVal = SharedModelVal::KindValidation<KindValConfig>;
/**
* Gets an error message relating to an invalid CSV row in a model.
@@ -698,5 +709,8 @@ module ModelOutput {
not isValidNoArgumentTokenInIdentifyingAccessPath(token.getName()) and
result = "Invalid token '" + token + "' is missing its arguments, in access path: " + path
)
or
// Check for invalid model kinds
result = KindVal::getInvalidModelKind()
}
}
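Review bot: The QLDoc on the predicate that gains the `or result = KindVal::getInvalidModelKind()` branch still says it gets an error message "relating to an invalid CSV row in a model", but the new branch reports a source, sink or summary kind that is not recognised and is not tied to any particular row; I would extend the comment to `* Gets an error message relating to an invalid CSV row in a model, or to a model kind that is not recognised by the shared kind validation.` That predicate's signature and most of its body lie between the two hunks, outside this view. Since this same commit renames the `command-line-injection` and `credentials[kind]` sink kinds, it is worth confirming in a test that a custom extension still using the old names now surfaces here as an invalid kind rather than silently matching nothing.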


@@ -1,3 +1,11 @@
## 0.6.3
### Minor Analysis Improvements
* Fixed an issue where calls to a method named `search` would lead to false positive alerts related to regular expressions.
This happened when the call was incorrectly seen as a call to `String.prototype.search`, since this function converts its first argument
to a regular expression. The analysis is now more restrictive about when to treat `search` calls as regular expression sinks.
## 0.6.2
### Major Analysis Improvements


@@ -4,16 +4,16 @@
<qhelp>
<overview>
<p>Extracting files from a malicious zip archive without validating that the destination file path
is within the destination directory can cause files outside the destination directory to be
overwritten, due to the possible presence of directory traversal elements (<code>..</code>) in
<p>Extracting files from a malicious zip file, or similar type of archive,
is at risk of directory traversal attacks if filenames from the archive are
not properly validated.
archive paths.</p>
<p>Zip archives contain archive entries representing each file in the archive. These entries
include a file path for the entry, but these file paths are not restricted and may contain
unexpected special elements such as the directory traversal element (<code>..</code>). If these
file paths are used to determine an output file to write the contents of the archive item to, then
the file may be written to an unexpected location. This can result in sensitive information being
file paths are used to create a filesystem path, then a file operation may happen in an
unexpected location. This can result in sensitive information being
revealed or deleted, or an attacker being able to influence behavior by modifying unexpected
files.</p>


@@ -1,8 +1,8 @@
/**
* @name Arbitrary file write during zip extraction ("Zip Slip")
* @description Extracting files from a malicious zip archive without validating that the
* destination file path is within the destination directory can cause files outside
* the destination directory to be overwritten.
* @name Arbitrary file access during archive extraction ("Zip Slip")
* @description Extracting files from a malicious ZIP file, or similar type of archive, without
* validating that the destination file path is within the destination directory
* can allow an attacker to unexpectedly gain access to resources.
* @kind path-problem
* @id js/zipslip
* @problem.severity error


@@ -7,4 +7,4 @@ jobs:
- env:
BODY: ${{ github.event.issue.body }}
run: |
echo '$BODY'
echo "$BODY"
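Review bot: `echo "$BODY"` on the last line hands attacker-controlled text (the issue body, delivered through the `BODY` env var) to echo as its argument, and bash's builtin echo treats a body that begins with `-n`, `-e` or `-E` as an option instead of printing it; `printf '%s\n' "$BODY"` prints the value verbatim regardless of its first characters. Passing the body through an environment variable rather than interpolating `${{ github.event.issue.body }}` directly into `run:` is the right shape and should stay, as it keeps the body out of the shell's parsing. The job and step this `run:` belongs to start above the hunk.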


@@ -21,6 +21,23 @@
</p>
</recommendation>
<example>
<p>
The following code example connects to an HTTP request using an hard-codes authentication header:
</p>
<sample src="examples/HardcodedCredentialsHttpRequest.js"/>
<p>
Instead, user name and password can be supplied through the environment variables
<code>username</code> and <code>password</code>, which can be set externally without hard-coding
credentials in the source code.
</p>
<sample src="examples/HardcodedCredentialsHttpRequestFixed.js"/>
</example>
<example>
<p>
The following code example connects to a Postgres database using the <code>pg</code> package


@@ -0,0 +1,18 @@
let base64 = require('base-64');
let url = 'http://example.org/auth';
let username = 'user';
let password = 'passwd';
let headers = new Headers();
headers.append('Content-Type', 'text/json');
headers.append('Authorization', 'Basic' + base64.encode(username + ":" + password));
fetch(url, {
method:'GET',
headers: headers
})
.then(response => response.json())
.then(json => console.log(json))
.done();
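Review bot: The `headers.append('Authorization', ...)` line concatenates `'Basic'` directly onto the base64 string, so the value sent is `Basic` immediately followed by the encoding with no separator, which is not a valid Basic credential; it should read `'Basic ' + base64.encode(username + ":" + password)`. The `Content-Type` of `text/json` is not a registered media type (`application/json` is), and `.done()` is not a method of the native Promise that `fetch` returns, so the chain as written would throw at its last step. This file is the "bad" example for the hardcoded-credentials query, so the literal `username` and `password` values themselves are intentional and should stay.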


@@ -0,0 +1,18 @@
let base64 = require('base-64');
let url = 'http://example.org/auth';
let username = process.env.USERNAME;
let password = process.env.PASSWORD;
let headers = new Headers();
headers.append('Content-Type', 'text/json');
headers.append('Authorization', 'Basic' + base64.encode(username + ":" + password));
fetch(url, {
method:'GET',
headers: headers
})
.then(response => response.json())
.then(json => console.log(json))
.done();
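Review bot: The "fixed" example still sends the Basic credential to `http://example.org/auth`, and since Basic auth is only base64-encoded the username and password are readable on the wire; the corrected example should use an `https://` URL so it does not teach a second credential-exposure pattern while fixing the first. The Authorization header has the same missing separator as the unfixed example and should be `'Basic ' + base64.encode(username + ":" + password)`. The qhelp text in this commit refers to environment variables `username` and `password` while the code reads `process.env.USERNAME` and `process.env.PASSWORD`, so one of the two should be aligned. If either variable is unset the header is built from `undefined`, so a guard such as `if (!username || !password) throw new Error('USERNAME and PASSWORD must be set');` before the headers are built would make the example fail closed.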


@@ -0,0 +1,4 @@
---
category: fix
---
* The query "Arbitrary file write during zip extraction ("Zip Slip")" (`js/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."


@@ -1,6 +1,7 @@
---
category: minorAnalysis
---
## 0.6.3
### Minor Analysis Improvements
* Fixed an issue where calls to a method named `search` would lead to false positive alerts related to regular expressions.
This happened when the call was incorrectly seen as a call to `String.prototype.search`, since this function converts its first argument
to a regular expression. The analysis is now more restrictive about when to treat `search` calls as regular expression sinks.


@@ -1,2 +1,2 @@
---
lastReleaseVersion: 0.6.2
lastReleaseVersion: 0.6.3


@@ -1,5 +1,5 @@
name: codeql/javascript-queries
version: 0.6.3-dev
version: 0.6.4-dev
groups:
- javascript
- queries