hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
75,258 Commits 1,671 Branches 157 Tags
codeql-cli-2.20.3
Commit Graph

1945 Commits

Author SHA1 Message Date
Asger F
4473e6d977 JS: Update test with some post-update consistency checks gone 
For a constructor call, the return value acts as the post-update node for the 'this' argument. The fact that constructor calls are sometimes PostUpdateNodes causes some of these harmless alerts.

The warnings have disappeared in some cases because we no longer target getALocalSource() so the target is no longer the constructor call.
 2024-10-29 08:32:01 +01:00
Asger F
cb874945bf Test updates from introduction of implicit 'this' 2024-10-29 08:31:59 +01:00
Asger F
bd94fe1574 JS: Explain false positive in test case 2024-10-29 08:31:58 +01:00
Asger F
16b08b74eb JS: Add test showing potential for FPs when handling refinement guards 2024-10-29 08:31:55 +01:00
Rasmus Wriedt Larsen
d3ae4c930e JS: Model newer yargs command-line parsing pattern 2024-10-25 15:03:43 +02:00
Rasmus Wriedt Larsen
3448751b4c JS: Consolidate command-line argument modeling 
Such that we can reuse the existing modeling, but have it globally
applied as a threat-model as well.

I Basically just moved the modeling. One important aspect is that this
changes is that the previously query-specific `argsParseStep` is now a
globally applied taint-step. This seems reasonable, if someone applied
the argument parsing to any user-controlled string, it seems correct to
propagate that taint for _any_ query.
 2024-10-25 15:03:43 +02:00
Rasmus Wriedt Larsen
412e841d69 JS: Add environment threat-model source 2024-10-25 15:03:43 +02:00
Rasmus Wriedt Larsen
dbfbd2c00a JS: Remove 'response' from default threat-models 
I didn't want to put the configuration file in
`semmle/javascript/frameworks/**/*.model.yml`, so created `ext/` as in other
languages
 2024-10-25 14:52:49 +02:00
Rasmus Wriedt Larsen
05dce8a0be JS: Add test showing default active threat-models 2024-10-25 14:50:59 +02:00
Asger F
e784813c3b JS: Make barrier guards work with use-use flow 2024-10-22 12:46:19 +02:00
Asger F
81af9a1658 Fix missing flow through super calls 2024-10-22 12:46:17 +02:00
Asger F
12370e9210 JS: Use VariableOrThis in variable capture as well 2024-10-22 12:46:16 +02:00
Asger F
0ebe8bdd91 JS: Add test for missing capture flow for 'this' 2024-10-22 12:46:15 +02:00
Asger F
d31499d727 JS: introduce implicit this uses in general 2024-10-22 12:46:14 +02:00
Asger F
8dc0505f84 JS: Add test for missing flow into 'this' in field initializers 2024-10-22 12:46:13 +02:00
Asger F
c3c003b275 JS: Fix post-update flow into 'this' 2024-10-22 12:46:11 +02:00
Asger F
9fc99d6f9d JS: Fix store into object literals that have a post-update node 2024-10-22 12:46:11 +02:00
Asger F
d626e79ed3 JS: Add two test cases for missing flow 2024-10-22 12:46:10 +02:00
Asger F
78e961cef3 JS: Add use-use flow 2024-10-22 12:46:01 +02:00
Asger F
81e74d8bb5 JS: Add test case for spurious flow from lack of use-use 2024-10-22 12:46:00 +02:00
Asger F
12e316b99d JS: Update test output after merging in 'main' 
- Paths are now relative to the test case, not the qlpack
- Paths going through an implicit reads have changed slightly
 2024-10-08 10:11:15 +02:00
Asger F
e2e91ac7d9 Merge branch 'main' into js/shared-dataflow-merge-main 2024-10-08 09:28:26 +02:00
Tom Hvitved
d0ca39fb03 JS: Update expected test output 2024-10-04 08:35:33 +02:00
Asger F
5d2ce172eb JS: Update a test to handle AdditionalSanitizerGuardNode 2024-10-02 14:44:42 +02:00
Asger F
1cd00a118c Merge branch 'main' into js/shared-dataflow-merge-main 2024-09-18 14:57:50 +02:00
Asger F
1df69ec1d2 JS: Actually don't propagate into array element 0 
Preserving tainted-url-suffix into array element 0 seemed like a good idea, but didn't work out so well.
 2024-09-12 13:42:36 +02:00
Asger F
0e4e0f4fdd JS: Preverse tainted-url-suffix when stepping into prefix 
A URL of form https://example.com?evil#bar will contain '?evil' after splitting out the '#' suffix, and vice versa.
 2024-09-12 13:42:28 +02:00
Asger F
74ab346348 JS: Do not include taint steps in TaintedUrlSuffix::step 
TaintedUrlSuffix is currently only used in TaintTracking configs meaning it is already propagated
by taint steps. The inclusion of these taint steps here however meant that implicit reads could appear prior to any of these steps.

This was is problematic for PropRead steps as an expression like x[0] could spuriously read from array element 1 via the path:

x [element 1]
x [empty access path] (after implicit read)
x[0] (taint step through PropRead)
 2024-09-12 13:42:25 +02:00
Asger F
2712bf821a JS: Fix a bug in isSafeClientSideUrlProperty 2024-09-12 13:42:23 +02:00
Asger F
e1bed42481 JS: Add inline expectation test specifically for TaintedUrlSuffix 2024-09-12 13:42:20 +02:00
Asger F
3b09bc548e JS: Add taint step for shift() 2024-09-12 13:42:17 +02:00
Asger F
3ea1134cc1 JS: Add inline test for .shift() method 2024-09-12 13:42:16 +02:00
Sid Shankar
3516117215 Adds test for arbitrary specifiers in TS files 
Adds test for arbitrary identifiers used in imports and exports
 2024-09-11 00:37:49 +00:00
Sid Shankar
785af12f1c Renames test file 2024-09-11 00:28:44 +00:00
Asger F
e0ca1b0482 JS: Benign test updates 2024-09-10 13:07:24 +02:00
Asger F
55d4e7e742 JS: Use ArrayElementKnown when reading a constant array index 2024-09-09 13:26:25 +02:00
Asger F
094112c905 Merge pull request #17213 from asgerf/jss/spread-argument 
JS: Improve handling of spread arguments and rest parameters [shared data flow branch]
 2024-09-09 13:15:22 +02:00
Asger F
fb9732a33f JS: Add another test and TODO about an issue with constant array indices 2024-09-06 08:43:11 +02:00
Asger F
1da68aac73 JS: Benign test output change 
This happened as a result of the bugfix in the previous commit
 2024-09-06 08:43:10 +02:00
Asger F
a9a8351cce JS: Fix one case of missing handling of unknown array index 2024-09-06 08:43:09 +02:00
Asger F
379c7ef20a JS: Add test to show lack of unknown array element being propagated 2024-09-06 08:43:08 +02:00
Asger F
f65879eef1 JS: Update a test that no longer fails 2024-08-27 11:35:37 +02:00
Asger F
cb5dbb919d JS: Update test to reflect implicit read flow has been fixed 
Shows the effect of https://github.com/github/codeql/pull/17262
 2024-08-27 11:35:36 +02:00
Asger F
a2d53c261b JS: Update test output and add related TODO in model of 'async' 2024-08-27 11:35:35 +02:00
Asger F
3e196f83f1 JS: Update Promises/flow2 test 2024-08-27 11:35:32 +02:00
Asger F
aa8bd332bf JS: Add a few more tests 2024-08-27 11:35:31 +02:00
Asger F
371f7ef551 JS: Add implicit taint read of array elements 2024-08-27 11:35:31 +02:00
Asger F
df42e7c527 JS: Add test showing lack of implicit reads for ArrayElement 2024-08-27 11:35:30 +02:00
Asger F
4e7bd9ddd8 JS: Update Arrays test now that array elements do not taint the whole array 2024-08-27 11:35:29 +02:00
Asger F
4389b5c999 JS: Fix issue for .apply() calls 2024-08-27 11:35:28 +02:00