Arthur Baars
|
ab93b3784b
|
Merge remote-tracking branch 'upstream/main' into incomplete-hostname
|
2022-03-16 12:31:12 +01:00 |
|
Erik Krogh Kristensen
|
195ce9c58a
|
add some API-nodes to js/disabling-certificate-validation
|
2022-03-14 21:33:13 +01:00 |
|
Erik Krogh Kristensen
|
cebd24156c
|
support that the base is not a method-call in getAChainedMethodCall
|
2022-03-09 11:12:04 +01:00 |
|
Arthur Baars
|
bb348116ab
|
JavaScript: update expected output
|
2022-03-07 16:10:08 +01:00 |
|
Erik Krogh Kristensen
|
4fba5e4dfb
|
step through parentheses in barrier functions
|
2022-02-25 17:47:12 +01:00 |
|
Erik Krogh Kristensen
|
ad3399733b
|
recognize more module exports from the factory pattern
|
2022-02-23 21:29:45 +01:00 |
|
Erik Krogh Kristensen
|
e13b2df86f
|
Merge pull request #8185 from erik-krogh/amdImp
JS: recognize modules imported by AMD imports as library inputs
|
2022-02-23 20:21:45 +01:00 |
|
Stephan Brandauer
|
a664e02d04
|
Merge pull request #8014 from kaeluka/js/functionality-from-untrusted-source
JS: Functionality from untrusted sources query (CWE-830)
|
2022-02-23 12:45:31 +01:00 |
|
Erik Krogh Kristensen
|
203212657e
|
recognize modules imported by AMD imports as library inputs
|
2022-02-23 10:39:45 +01:00 |
|
Stephan Brandauer
|
c17d8b145a
|
Merge pull request #8054 from asgerf/js/split-request-forgery
JS: split request forgery query into server-side and client-side variants
|
2022-02-23 10:27:16 +01:00 |
|
Esben Sparre Andreasen
|
58e0d54744
|
Merge pull request #8168 from github/esbena/hapi-reflected-xss
JS: model hapi handler returns as reflected-xss sinks
|
2022-02-23 08:53:15 +01:00 |
|
Esben Sparre Andreasen
|
2c527f7b35
|
model hapi handler returns as reflected-xss sinks
|
2022-02-22 14:12:01 +01:00 |
|
Erik Krogh Kristensen
|
517e17d422
|
support more property writes in js/prototype-pollution-utility, and generalize ObjectDefinePropertyAsPropWrite
|
2022-02-22 13:23:34 +01:00 |
|
Stephan Brandauer
|
2278e7f6e6
|
CWE 830 polish error messages
|
2022-02-22 11:41:54 +01:00 |
|
Stephan Brandauer
|
82330391c3
|
CWE-830 add support for setting attributes via setAttribute method
|
2022-02-22 11:41:54 +01:00 |
|
Stephan Brandauer
|
d80cd1aeb5
|
CWE 830 test where both branches in a ternary are unsafe
|
2022-02-22 11:41:53 +01:00 |
|
Stephan Brandauer
|
2934aa1a3a
|
rewrite docs, improve error messages, etc
|
2022-02-22 11:41:53 +01:00 |
|
Stephan Brandauer
|
d2335b65d5
|
stylistic improvements after review
|
2022-02-22 11:41:53 +01:00 |
|
Stephan Brandauer
|
9aec4437e2
|
polish qhelp for CWE-830 and add test file
|
2022-02-22 11:41:53 +01:00 |
|
Stephan Brandauer
|
fd77e27ed9
|
replace taint tracking by type tracking and merge remaining queries for CWE-830
|
2022-02-22 11:41:53 +01:00 |
|
Stephan Brandauer
|
8cafa6d562
|
improve error message in CWE-830
|
2022-02-22 11:41:53 +01:00 |
|
Stephan Brandauer
|
780fa97869
|
always require integrity checking for certain CDNs
|
2022-02-22 11:41:53 +01:00 |
|
Stephan Brandauer
|
83764df4f5
|
rename tests for CW-830 to clarify responsibilities
|
2022-02-22 11:41:52 +01:00 |
|
Stephan Brandauer
|
8d397fea09
|
JS: query to find dynamic creations of DOM elements that use untrusted sources
|
2022-02-22 11:41:52 +01:00 |
|
Stephan Brandauer
|
b35c70994f
|
permit http urls to 127.0.0.1 and others
|
2022-02-22 11:41:52 +01:00 |
|
Stephan Brandauer
|
6722c17bb0
|
JS: Functionality from untrusted sources query (CWE-830)
|
2022-02-22 11:41:52 +01:00 |
|
Esben Sparre Andreasen
|
1d437dd722
|
Merge pull request #8043 from github/esbena/sharpen-hardcoded-credentials
JS: Sharpen hardcoded credentials
|
2022-02-21 10:02:58 +01:00 |
|
Asger Feldthaus
|
cf66d01e80
|
JS: Add consistency test
|
2022-02-16 13:35:01 +01:00 |
|
Asger Feldthaus
|
3103cfd925
|
JS: Rename to tests to clientSide.js and serverSide.js
|
2022-02-16 13:35:01 +01:00 |
|
Asger Feldthaus
|
3fbc3a4d70
|
JS: Add ClientSideRequestForgery to RequestForgery test
|
2022-02-16 13:35:01 +01:00 |
|
Esben Sparre Andreasen
|
f08a140505
|
update tests for password patterns
|
2022-02-16 13:22:19 +01:00 |
|
Esben Sparre Andreasen
|
816d79692b
|
ignore deliberately hardcoded password strings
|
2022-02-16 09:47:01 +01:00 |
|
Esben Sparre Andreasen
|
78744a0182
|
add additional tests
|
2022-02-16 09:44:56 +01:00 |
|
Esben Sparre Andreasen
|
e67c09f9ab
|
change example passwords in test
|
2022-02-16 08:56:00 +01:00 |
|
Erik Krogh Kristensen
|
3791b159fb
|
Merge pull request #7892 from erik-krogh/nanSan
JS: Add a `isNaN` sanitizer, and use it in queries that already had a typeof check
|
2022-02-11 10:13:06 +01:00 |
|
Erik Krogh Kristensen
|
2ffd79d451
|
Merge pull request #7921 from erik-krogh/snapdragon
JS: add model for the snapdragon library
|
2022-02-11 10:10:55 +01:00 |
|
Erik Krogh Kristensen
|
eb56a5aef3
|
support more patterns that recognize valid numbers
|
2022-02-10 19:50:35 +01:00 |
|
CodeQL CI
|
9ebbd9efa1
|
Merge pull request #7591 from asgerf/js/mysql-sinks
Approved by esbena
|
2022-02-10 12:50:36 +00:00 |
|
CodeQL CI
|
1a91a79b5b
|
Merge pull request #5841 from erik-krogh/libCode
Approved by esbena, ethanpalm
|
2022-02-10 11:36:45 +00:00 |
|
Erik Krogh Kristensen
|
d55920ad27
|
add model for the snapdragon library
|
2022-02-10 11:32:59 +01:00 |
|
Erik Krogh Kristensen
|
d6721ec574
|
implement a isNaN guard for unsafe-shell-command-construction
|
2022-02-09 09:51:57 +01:00 |
|
Erik Krogh Kristensen
|
4bbb7ad320
|
Merge pull request #7876 from erik-krogh/zipRelative
JS: recognize more startswith sanitizers for path-injection queries
|
2022-02-08 15:22:39 +01:00 |
|
Erik Krogh Kristensen
|
b59c7911a3
|
update locations of expected output
|
2022-02-07 15:23:26 +01:00 |
|
Erik Krogh Kristensen
|
ca5f91e587
|
recognize more startswith sanitizers for path-injection queries
|
2022-02-07 14:19:13 +01:00 |
|
Erik Krogh Kristensen
|
d1d4ebb3b5
|
add values written to the global scope as exports
|
2022-02-07 13:34:18 +01:00 |
|
Erik Krogh Kristensen
|
d790f3ccbb
|
add test for unsafe-code-construction query
|
2022-02-07 13:34:18 +01:00 |
|
Erik Krogh Kristensen
|
955ad8c458
|
add JSON.stringify as a code-injection sanitizer
|
2022-02-07 13:34:18 +01:00 |
|
Erik Krogh Kristensen
|
68a5c1f5b5
|
add code-injection sink for calls to node
|
2022-02-07 13:34:18 +01:00 |
|
Erik Krogh Kristensen
|
0584a6acaf
|
recognize a nodejs re-exports in a loop
|
2022-02-07 10:12:38 +01:00 |
|
Erik Krogh Kristensen
|
ab2d3a7ca0
|
Merge pull request #7828 from Naman-ntc/main
JS: Adding model for `.get` function of `Map` in Unvalidated Dynamic Method Call
|
2022-02-04 20:19:02 +01:00 |
|