CodeQL CI
e5e1046c81
Merge pull request #6962 from asgerf/js/template-db-constraint-err
...
Approved by erik-krogh
2021-10-26 13:43:57 +01:00
Anders Schack-Mulligen
90bebaa5a9
Merge pull request #6960 from erik-krogh/useSetLiteral
...
use set literal instead of big disjunction of literals
2021-10-26 14:06:05 +02:00
Erik Krogh Kristensen
090fb2df10
Merge pull request #6857 from erik-krogh/fixPipes
...
JS: skip pipes and other special files when determining which files to extract
2021-10-26 13:59:40 +02:00
Erik Krogh Kristensen
a3c55c2aec
use set literal instead of big disjunction of literals
2021-10-26 12:55:25 +02:00
Henry Mercer
7e0e35f364
Rename ATM query pack for consistency with other packs
2021-10-25 17:32:25 +01:00
CodeQL CI
b5554da496
Merge pull request #6924 from asgerf/js/skip-files-with-unsupported-encoding
...
Approved by esbena
2021-10-25 14:48:38 +01:00
Asger Feldthaus
bfb1da55d6
JS: Bump extractor version string
2021-10-25 11:49:56 +02:00
Asger Feldthaus
f3e2b0b946
JS: Avoid using non-existent attribute as parent
2021-10-25 11:49:56 +02:00
Asger Feldthaus
ac62379b17
JS: Add TRAP test
2021-10-25 11:49:39 +02:00
Henry Mercer
02b1fe27d2
Merge pull request #6907 from github/henrymercer/add-experimental-atm-libraries
...
JS: [Internal only] Add experimental libraries and queries for adaptive threat modeling
2021-10-22 11:02:09 +01:00
Asger Feldthaus
fa0ce5380b
JS: Skip files with unsupported file encoding
2021-10-20 12:16:50 +02:00
Henry Mercer
548a344d34
JS: Implement suggestions from review
...
Co-authored-by: Andrew Eisenberg <aeisenberg@github.com>
2021-10-19 12:00:40 +01:00
Henry Mercer
4d7a8285ad
JS: Initial commit of Adaptive Threat Modeling
2021-10-18 17:24:24 +01:00
Geoffrey White
a0e501c3a9
Sync identical files.
2021-10-15 14:34:02 +01:00
Geoffrey White
8f30b8b586
Autoformat.
2021-10-14 16:00:23 +01:00
Geoffrey White
f08d2ee759
Merge branch 'main' into setliterals
2021-10-14 14:39:39 +01:00
Geoffrey White
b9cce57db4
JS: Fix mistake.
2021-10-14 14:22:43 +01:00
Geoffrey White
882adc8e50
JS: Set literals.
2021-10-14 14:22:42 +01:00
Anders Schack-Mulligen
8b6baa250c
Merge pull request #6878 from aschackmull/remove-singleton-setliteral
...
C++/C#/Java/JavaScript/Python: Remove singleton set literals.
2021-10-14 14:53:05 +02:00
Mathias Vorreiter Pedersen
47a85bbb1d
Merge pull request #6869 from MathiasVP/fix-prefix/suffix-equality
...
Java/JS/Python: Replace '.prefix'/'.suffix' with '.matches'
2021-10-14 13:47:03 +01:00
Tom Hvitved
f5420333e2
Sync shared files
2021-10-14 11:49:02 +02:00
Anders Schack-Mulligen
57cb300759
C++/C#/Java/JavaScript/Python: Remove singleton set literals.
2021-10-14 11:34:22 +02:00
Mathias Vorreiter Pedersen
a2371370ff
Merge pull request #6865 from MathiasVP/fix-if-none
...
C++/C#/JS/Python: Replace 'if p() then q() else none()' with a conjunction
2021-10-13 19:47:55 +01:00
Mathias Vorreiter Pedersen
4991301f36
JS: Fix incorrect fix.
2021-10-13 19:45:02 +01:00
Andrew Eisenberg
0d1632a5d2
Move tutorial directly into each qlpack
...
Previously, the tutorial was injected during build time. This is much
simpler.
2021-10-13 08:37:04 -07:00
Mathias Vorreiter Pedersen
f3bb0a676e
JS: Replace '.prefix'/'.suffix' with '.matches'.
2021-10-13 13:23:07 +01:00
Mathias Vorreiter Pedersen
887849857d
JS: Replace 'if p() then q() else none()' with a conjunction.
2021-10-13 12:13:55 +01:00
Andrew Eisenberg
bbb2637bcc
QlPacks: Add the defaultSuite to query packs that are missing it
...
Also, change some examples pack names from `codeql-lang-examples` to
`codeql/lang-examples`. This doesn't affect behaviour since internally,
the legacy name is converted to the modern name.
2021-10-12 11:54:50 -07:00
Erik Krogh Kristensen
7d4266aea7
skip pipes and other special files when determining which files to extract
2021-10-12 14:06:41 +02:00
yoff
f6122c8a6c
Merge pull request #6734 from erik-krogh/regBehind
...
JS/PY: do not filter away regular expressions with lookbehinds
2021-10-10 13:54:26 +02:00
Henry Mercer
4b069d41f6
Merge pull request #6818 from github/henrymercer/js/add-classify-files-to-library-pack
...
JS: Move `ClassifyFiles.qll` to library pack
2021-10-07 11:18:20 +01:00
CodeQL CI
a0dd3d9e75
Merge pull request #6815 from asgerf/js/adjust-security-severity-scores
...
Approved by erik-krogh, esbena
2021-10-07 02:36:19 -07:00
Henry Mercer
83cbc86f50
JS: Move ClassifyFiles.qll to library pack
...
This allows us to use this library in packs that depend on the
`codeql/javascript-all` library pack.
2021-10-06 16:08:06 +01:00
Andrew Eisenberg
57ef989a89
Fixes compile errors by moving files
...
The two files moved in this commit are referenced from the
javascript/lib qlpack, but they are located in the
javascript/src qlpack. This causes compile errors when running
compile-ish commands for javascript queries. Moving the
files fixes it.
2021-10-05 14:00:02 -07:00
Asger Feldthaus
3a20ca96c4
JS: Update CWE tags and severity score of code injection query
...
The derived security-severity score of the JS code injection query
was much lower than for other languages (6.1 versus 9.3), possibly due to
some differences in CWE tags, such as the inclusion of CWE-079.
We also add the more specific CWE-095 ("eval injection") for consistency
with other languages. It is a child of CWE-094 ("code injection") which
was already tagged.
2021-10-05 10:12:19 +02:00
Asger Feldthaus
c4e8af983a
JS: Update score and add CWE-730 to LoopBoundInjection
...
This is a denial-of-service query, but was missing the CWE-730 tag
("denial of service") and consequently had a lower score than the
other DoS queries.
2021-10-05 10:10:01 +02:00
Asger Feldthaus
682a71176d
JS: Make TaintedFormatString have same severity as LogInjection
...
The CWE number for this query is associated with buffer overflows
from printf/scanf-style functions in C++, which has likely determined
its derived security score.
But in JavaScript, a tainted format string is unlikely to lead to
anything worse than log injection so we're manually updating its score
to reflect this.
2021-10-05 10:10:01 +02:00
Asger Feldthaus
83ca4ef6d9
JS: Lower security-severity of queries with speculative threat model
...
In the CVSS calculator we model this by setting 'Attack Complexity' to
High and 'User Interaction' to Low (as opposed to None).
CVSS vector:
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:H/A:N
2021-10-05 10:10:01 +02:00
CodeQL CI
40d98ad678
Merge pull request #6789 from asgerf/js/restrict-package-exports
...
Approved by erik-krogh
2021-10-05 06:20:23 +01:00
Asger Feldthaus
cbd577694c
JS: Autoformat
2021-10-04 13:30:15 +02:00
yoff
1ce9426adf
Merge pull request #6761 from RasmusWL/cryptodome-sha3
...
Python/JS: Recognize SHA-3 hash functions
2021-10-01 13:33:36 +02:00
Asger Feldthaus
c8e7df7900
JS: Add test case
2021-10-01 12:02:40 +02:00
Asger Feldthaus
600e5bad0d
JS: Exclude methods declared private/protected
2021-10-01 11:46:32 +02:00
Asger Feldthaus
af1b04de9c
JS: Restrict which property names are considered public exports
2021-10-01 11:42:03 +02:00
Rasmus Wriedt Larsen
987b573709
Fix hasLocationInfo URL reference
...
Follow up to https://github.com/github/codeql/pull/5830
2021-09-29 13:47:58 +02:00
Rasmus Wriedt Larsen
ded3088529
Python/JS: Recognize SHA-3 hash functions
...
Official names are SHA3-224, SHA3-256, SHA3-384, SHA3-512 as per
https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
2021-09-27 12:08:40 +02:00
Erik Krogh Kristensen
805d1d170c
do not filter away regular expressions with lookbehinds
2021-09-22 17:14:29 +02:00
Tom Hvitved
364dab6990
Remove CODEQL_REDUCE_FILES_FOLDERS_RELATIONS
2021-09-22 09:43:56 +02:00
Erik Krogh Kristensen
5c73fed83a
fix dbscheme upgrade from TypeScript 4.4 PR
2021-09-15 22:38:27 +02:00
Erik Krogh Kristensen
3f736d3eb8
Merge pull request #6694 from erik-krogh/owasp-fixes
...
JS/Java: use the correct cwe tags
2021-09-15 13:46:35 +02:00