Asger F
871bc3b84a
JS: Port experimental CorsPermissiveConfiguration to ConfigSig
...
The tests show a new (source, sink) pair for an already-flagged sink.
Not sure why it was not flagged originally since the data flow path seems valid, given the steps provided by our models.
2024-12-03 14:30:20 +01:00
Asger F
f5a6485ef2
JS: Port experimental decodeJwtWithoutVerificationLocalSource
2024-12-03 14:30:19 +01:00
Asger F
72e522631d
JS: Port experimental jwtDecodeWithoutVerification to ConfigSig
2024-12-03 14:30:18 +01:00
Asger F
7e162f5451
JS: Port experimental EnvValueInjection to ConfigSig
2024-12-03 14:30:17 +01:00
Asger F
4f839070a0
JS: Port experimental EnvValueAndKeyInjection to ConfigSig
2024-12-03 14:30:16 +01:00
Asger F
8887ca1722
JS: Port an experimental CodeInjection variant to ConfigSig
2024-12-03 14:30:15 +01:00
Asger F
1832e93766
JS: Port FormParsers test to ConfigSig
2024-12-03 14:30:14 +01:00
Asger F
4d7401a074
JS: Deprecate tests for deprecated APIs
...
Mainly adds 'deprecated' in front of a bunch of tests for deprecated APIs.
2024-12-03 14:30:12 +01:00
Asger F
3548544970
JS: Avoid some uses of deprecated guard classes in tests
2024-12-03 14:30:11 +01:00
Asger F
a568d8c086
JS: Port threat-model test to ConfigSig
2024-12-03 14:30:10 +01:00
Asger F
071189a9e9
Merge pull request #18175 from asgerf/jss/documentation
...
JS: Update data flow documentation and tutorials for JavaScript
2024-12-03 14:23:29 +01:00
Asger F
054558d7b5
JS: Include content properties in type-tracker properties
...
Reminder: we have two PropertyName classes because the one in Contents.qll can't depend on DataFlow::Node.
2024-12-03 09:58:54 +01:00
Asger F
8bca66493f
JS: Add test showing lack of inclusion in PropertyName
2024-12-03 09:57:02 +01:00
Napalys Klicius
1e1674a08a
Merge pull request #18089 from Napalys/napalys/regexp-unknown-flags
...
JS: RegExp unknown flags support and enhanced compatibility with RegExp objects
2024-12-03 09:43:13 +01:00
Asger F
2db89c1b02
JS: Update query17 from intro tutorial
2024-12-02 10:04:09 +01:00
Asger F
103a6ea8a6
JS: Port tutorial query5
2024-12-02 10:04:07 +01:00
Asger F
02c5e49de8
JS: Port tutorial query4
2024-12-02 10:04:05 +01:00
Asger F
1f6335f9ba
JS: Port tutorial query3
2024-12-02 10:04:04 +01:00
Asger F
3319870d00
JS: Port tutorial query2
2024-12-02 10:04:02 +01:00
Asger F
32f020ee6f
JS: Port tutorial query1
2024-12-02 10:04:00 +01:00
Asger F
9c6b6981e2
JS: Add test to restrict dependencies
2024-11-29 14:23:56 +01:00
Asger F
2f0c80a98b
JS: Include summary steps in type tracking
2024-11-29 14:23:55 +01:00
Asger F
440cbb7f0a
JS: Add inline-expectation test for type tracking
2024-11-29 14:23:54 +01:00
Asger F
6349903110
JS: Move FlowSummary/Summaries.qll into testUtilities
2024-11-29 14:23:52 +01:00
Napalys
3171f38cdd
JS: fixed bad alert messages when it came to incomplete sanitization for new RegExp objects
2024-11-29 11:14:45 +01:00
Napalys Klicius
9ca0fe4cbf
Update RegExp handling and add test case
...
Co-authored-by: erik-krogh <erik-krogh@github.com >
2024-11-28 14:13:40 +01:00
Napalys
1d2e08a3b6
JS: now Reg Exp injection treats unknownFlags as sanitization, MetacharEscapeSanitizer
2024-11-28 11:26:58 +01:00
Napalys
62194f5337
JS: add test cases RegExp with unknown flags
2024-11-28 11:26:57 +01:00
Napalys
e673348ed3
JS: now RegExp with unknown flags is not flagged as an issue within password Clear text storage of sensitive information
2024-11-28 11:26:56 +01:00
Napalys
a2c46749c6
JS: fixed issue where MaskingReplacer would work only with regexp literals but not objects
2024-11-28 11:26:55 +01:00
Napalys
1ca57cfb9d
JS: add test cases with RegExp object for MaskingReplacer, currently gives wrong results
2024-11-28 11:26:54 +01:00
Napalys
c71778f1aa
JS: xss does not flag anymore replace with RegExp unknown flags
2024-11-28 11:26:53 +01:00
Napalys
dbae553146
JS: add xss test cases with unknownflags for replace using RegExp
2024-11-28 11:26:52 +01:00
Napalys
fe28657c7d
JS: add test cases with unknown flags for double escaping, works as expected.
2024-11-28 11:26:51 +01:00
Napalys
98fd97799c
JS: imcomplete sanization now handles properly maybe global
2024-11-28 11:26:50 +01:00
Napalys
1ae174849f
JS: incomplete sanitization now also works with RegExp objects
2024-11-28 11:26:48 +01:00
Napalys
76318035ff
JS: Add test cases for RegExp object usage in replace within incomplete sanitization
2024-11-28 11:26:47 +01:00
Napalys
9c2366a660
JS: Added tests for ReDos with unknownFlags, everything seems to be good
2024-11-28 11:26:46 +01:00
Napalys
875478c1c6
JS: Fixed path query not flagging new RegExp with DotRemovingReplaceCall
2024-11-28 11:26:45 +01:00
Napalys
aa557cf950
JS: Added tests for DotRemovingReplaceCall with RegExp Object.
2024-11-28 11:26:44 +01:00
Napalys
a0df33c3ac
JS: UnsafeShellCommand Using unknown flags in the RegExp object is no longer flagged as bad sanitization to reduce false positives.
2024-11-28 11:26:43 +01:00
Napalys
155f1fca85
JS: Added test cases for unsafe shell command sanitization with RegExpr Object, instead of literal
2024-11-28 11:26:42 +01:00
Napalys
23b18aeca9
JS: Now unknown flags are not flagged in taint paths
2024-11-28 11:26:41 +01:00
Napalys
7db6f7c721
JS: Added test cases with new RegExp for Tainted paths, currently works only with literals
2024-11-28 11:26:39 +01:00
Napalys
faef9dd877
JS: protyte poluting now treats unknownFlags as potentially good sanitization.
2024-11-28 11:26:38 +01:00
Napalys
41fef0f2b3
JS: Added test cases which cover new RegExp creation with replace on protytpe pulluting
2024-11-28 11:26:37 +01:00
Napalys
18c7b18f82
JS: Now BadHtmlSanitizers new RegExp with unknown flags is also flagged.
2024-11-28 11:26:36 +01:00
Napalys
89f3b6f8d3
JS: Added test case for bad sanitizer with unknown flags, currently not flagged.
2024-11-28 11:26:35 +01:00
Napalys
38be0e4c0a
JS: Now BadHtmlSanitizers also flags new RegExp as potential issue
2024-11-28 11:26:34 +01:00
Napalys
41f21d429b
JS: Added test case which is not flagged but should be abusing new RegExp with global flag
2024-11-28 11:26:33 +01:00
