hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 19:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,643 Commits 1,672 Branches 157 Tags
alexet/avoid-path-node-java
Commit Graph

10872 Commits

Author SHA1 Message Date
Jami
5259a6ecfc Merge pull request #13324 from jcogs33/jcogs33/shared-sink-kind-validation 
Shared: share MaD kind validation across languages
 2023-06-20 11:56:12 -04:00
Tiago Pascoal
150854603b Single quote was preventing the shell from expanding the BODY variable 
While this prevents the attack highlighted in the query help it also prevents it from working.

Double quotes will allow the expansion of the variable while still preventing the attack
 2023-06-20 11:38:27 +01:00
github-actions[bot]
18b678e69e Post-release preparation for codeql-cli-2.13.4 2023-06-20 10:20:05 +00:00
Adrien Pessu
eb28266bcb improv example the help file 2023-06-19 17:00:52 +00:00
Tony Torralba
8f6d2ed2f9 Adjust ZipSlip query description according to review suggestions. 2023-06-19 10:27:41 +02:00
Tony Torralba
3c4d938cf1 Apply code review suggestions. 
Co-authored-by: Asger F <asgerf@github.com>
 2023-06-19 10:20:19 +02:00
Tony Torralba
433fc680ec Apply suggestions from code review 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2023-06-19 10:17:40 +02:00
Rasmus Lerchedahl Petersen
3cf9e3e692 Py/js/ruby: sync files 2023-06-18 21:52:49 +02:00
Tony Torralba
c97868f774 Add change notes 2023-06-16 09:01:02 +02:00
Tony Torralba
3e96fe60c5 Go/Java/JS/Python/Ruby: Update the description and qhelp of the ZipSlip query 
All filesystem operations, not just writes, with paths built from untrusted archive entry names are dangerous
 2023-06-16 08:52:44 +02:00
Asger F
318a60b208 Merge pull request #13456 from asgerf/js/vuex-perf 
JS: Restrict length of state path in vuex model
 2023-06-14 19:50:06 +02:00
Asger F
22b98c8959 JS: Restrict length of state path in vuex model 2023-06-14 15:48:58 +02:00
Jami
35591113c2 Merge branch 'main' into jcogs33/shared-sink-kind-validation 2023-06-14 08:06:34 -04:00
Asger F
f737054216 Merge pull request #13380 from asgerf/js/fix-sink-kind 
JS: Fix invalid source kind in test
 2023-06-14 12:56:58 +02:00
Asger F
5aea6fc16c JS: Remove dataExtensions clause from test qlpack 2023-06-14 10:42:31 +02:00
Asger F
21831516f4 JS: use test-local data extensions 2023-06-14 10:38:33 +02:00
erik-krogh
3fd9f26b52 use consistent indentation in mongoose.js 2023-06-12 16:40:42 +02:00
erik-krogh
cd6f738f72 add mongoose.Types.ObjectId.isValid as a sanitizer-guard for NoSQL injection 2023-06-12 16:38:11 +02:00
Jami Cogswell
9abe3e3da4 Shared: use a module as input to 'KindValidation' 2023-06-09 14:35:37 -04:00
Jami Cogswell
da58b2afc8 Shared: move shared file to 'shared' folder and add parameterized module for 'getInvalidModelKind' 2023-06-08 20:05:27 -04:00
Jeroen Ketema
bff11c3d23 Apply suggestions from code review 2023-06-08 22:33:50 +02:00
github-actions[bot]
e4be303a23 Release preparation for version 2.13.4 2023-06-08 19:57:37 +00:00
Asger F
76a8e9827e Merge pull request #13283 from asgerf/js/restrict-regex-search-function 
JS: Be more conservative about flagging "search" call arguments as regex
 2023-06-08 10:50:51 +02:00
Erik Krogh Kristensen
6ba7f9a238 Merge pull request #13352 from erik-krogh/once-again-deps-not-py-cpp 
delete old deprecations
 2023-06-07 13:00:57 +02:00
Asger F
17f9239c33 JS: Fix invalid source kind in test 2023-06-06 13:40:06 +02:00
Erik Krogh Kristensen
0e6693bdea Merge pull request #12874 from erik-krogh/ts51 
JS: Add support for TS 5.1
 2023-06-06 11:51:51 +02:00
Erik Krogh Kristensen
b78cd48954 Merge pull request #13329 from erik-krogh/sqlhelp 
JS: improve the sql-injection help page
 2023-06-06 08:44:44 +02:00
Jami Cogswell
5a23421d9a Shared: minor updates to comments 2023-06-05 13:46:56 -04:00
erik-krogh
3cb2ec4e87 fix nits from doc review 2023-06-05 19:06:07 +02:00
Jami Cogswell
9d5972acc2 Shared: update qldocs 2023-06-05 12:18:34 -04:00
Jami Cogswell
3f1dc8e5c7 Shared: add outdated Swift sink kinds 2023-06-05 12:18:34 -04:00
Jami Cogswell
62ac0dc471 Shared: add outdated sink kind msg to 'getInvalidModelKind' for all languages 2023-06-05 12:18:33 -04:00
Jami Cogswell
76f5dca861 Shared: move 'OutdatedSinkKind' to shared file and add outdated JS and C# sink kinds 2023-06-05 12:18:33 -04:00
Jami Cogswell
7b629f5d63 Shared: include 'qltest%' and 'test-%' 2023-06-05 12:18:33 -04:00
Jami Cogswell
254e447923 JS/Python/Ruby: update getInvalidModelKind 2023-06-05 12:18:33 -04:00
Jami Cogswell
7317c29eea Shared: update kind information 2023-06-05 12:18:33 -04:00
Jami Cogswell
0ab1848b70 JS/Python/Ruby: use 'SharedModelValidation' file 2023-06-05 12:18:33 -04:00
Jami Cogswell
ddb5d92ef8 Shared: add source, summary, and neutral shared valid kinds 2023-06-05 12:18:33 -04:00
Jami Cogswell
869f820fcf Shared: add 'SharedModelValidation' file as experiment 2023-06-05 12:18:33 -04:00
Jami Cogswell
e24e3a6115 JS/Python/Ruby: add getInvalidModelKind as experiment 2023-06-05 12:18:33 -04:00
Erik Krogh Kristensen
219ec9d05d Merge pull request #13127 from erik-krogh/polReDoS 
ReDoS: revert new superlinear algorithm.
 2023-06-02 16:10:24 +02:00
erik-krogh
ac9ede4ec0 add change-notes 2023-06-02 11:58:11 +02:00
erik-krogh
f61b781386 JS: delete effectively empty file 2023-06-02 11:58:09 +02:00
erik-krogh
3584e85fe8 JS: fix tutorial 2023-06-02 11:58:08 +02:00
erik-krogh
9000243828 JS: fix compilation 2023-06-02 11:58:08 +02:00
erik-krogh
44b6366586 delete old deprecations 2023-06-02 11:58:08 +02:00
Asger F
77d2799278 Update javascript/ql/lib/semmle/javascript/Regexp.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-06-02 10:33:44 +02:00
erik-krogh
1b44b59842 add stress test 2023-06-01 23:20:23 +02:00
erik-krogh
8eed1a95f6 stop recursive fromRhs related to getLaterBaseAccess 2023-06-01 23:16:52 +02:00
erik-krogh
97afa5733b add support for namespaced JSX attributes 2023-06-01 21:52:14 +02:00