hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
76,207 Commits 1,671 Branches 157 Tags
codeql-cli-2.20.5
Commit Graph

10776 Commits

Author SHA1 Message Date
Asger F
be617cee4a JS: More precise handling of .exec() 2024-12-09 15:03:51 +01:00
Asger F
703cad9e95 Expand test case 2024-12-09 15:00:56 +01:00
Asger F
2a2a4d2b67 JS: Add TaintedUrlSuffixCustomizations 
Importing TaintedUrlSuffix.qll causes the flow label to materialised in unrelated queries, so:

- Renames TaintedUrlSuffix.qll to TaintedUrlSuffixCustomizations.qll
- Make the flow label class abstract
- Adds a new TaintedUrlSuffix.qll that re-exports the above file and also materialises the flow label
- Import the *Customizations.qll file from contexts where we don't want to materialise the flow label
 2024-12-09 14:59:29 +01:00
Asger F
d1694013ff JS: Update test showing accidental flow label materialisation 
This wouldn't be an issue once FlowLabel is completely deprecated but it will cause perf issues in the interim, so this is fixed in the next commit
 2024-12-09 14:59:28 +01:00
Asger F
8fe39bdd38 JS: Update query's own output after test changes 2024-12-09 14:59:27 +01:00
Asger F
71a6a47713 JS: Fix issue with new RegExp().exec() 2024-12-09 14:59:25 +01:00
Asger F
f6d0835c64 JS: Show problem with new RegExp().exec() 2024-12-09 14:59:24 +01:00
Asger F
ef833de60e JS: Replace DocumentUrl with TaintedUrlSuffix 2024-12-09 14:59:23 +01:00
Asger F
e2b2d1c9ab JS: Allow arbitrary comments in ConsistencyChecking 
Because line comments cannot be used inside JSX elements
 2024-12-09 14:59:21 +01:00
Asger F
712c69ebc8 JS: Fixup the test expectations 2024-12-09 14:59:19 +01:00
Asger F
f8ff504f5c JS: Add ClientSideUrlRedirect test consistency 
Update Consistency.ql again
 2024-12-09 14:59:18 +01:00
Henry Mercer
92d614dbcd Add periods for consistency 2024-12-06 19:13:05 +00:00
github-actions[bot]
8c64648520 Release preparation for version 2.20.0 2024-12-06 19:10:28 +00:00
Henry Mercer
a6a4ad6400 Revert "Release preparation for version 2.20.0" 2024-12-06 19:00:27 +00:00
github-actions[bot]
cf71a1525b Post-release preparation for codeql-cli-2.20.0 2024-12-04 18:36:17 +00:00
Henry Mercer
e0e82ad7ad Add periods for consistency 2024-12-04 16:05:15 +00:00
github-actions[bot]
96564b7128 Release preparation for version 2.20.0 2024-12-04 16:01:14 +00:00
Henry Mercer
963f084d87 Merge branch 'main' into henrymercer/merge-back-rc-3.16 2024-12-04 13:39:10 +00:00
Jeroen Ketema
3d8493757e JS: Update expected test results 2024-12-03 19:19:01 +01:00
Asger F
3f0d0e3a05 JS: Deprecate DataFlow::BarrierGuardNode 2024-12-03 14:30:50 +01:00
Asger F
b3461989b1 JS: Remove use of SanitizerGuardNode in experimental SSRF query 
Makes a quick effort attempt to restore the original behaviour, though
it is not exactly the same due to lack of recursion.
 2024-12-03 14:30:36 +01:00
Asger F
0d79c7141c JS: Update two more uses of SanitizerGuardNode 2024-12-03 14:30:35 +01:00
Asger F
62c17d3f4e JS: Update SanitizerGuardNode use in BasicTaintTracking test 2024-12-03 14:30:34 +01:00
Asger F
f620191da4 JS: Deprecate SanitizerGuardNode 2024-12-03 14:30:33 +01:00
Asger F
2ae7386775 JS: Also apply new BarrierGuardLegacy pattern in Xss.qll 2024-12-03 14:30:32 +01:00
Asger F
2ef652da2c JS: Add more deprecation annotations in tests 2024-12-03 14:30:31 +01:00
Asger F
21494fbdff JS: Refactor BarrierGuardLegacy pattern to not depend on SanitizerGuardNode 
Previously our barrier guard classes were direct descendents of SanitizerGuardNode which made it hard to deprecate that class.

Now our barrier guards are not descending from any shared class. Instead they are contributed to SanitizerGuardNode via a private helper class we can remove in the future.
 2024-12-03 14:30:29 +01:00
Asger F
a574ff1669 JS: Remove use of MakeLegacyBarrierGuard in experimental SSRF 2024-12-03 14:30:28 +01:00
Asger F
08d25c122d JS: Deprecate more uses of ConsistencyConfiguration 2024-12-03 14:30:27 +01:00
Asger F
75ab4856b8 Remove unsupported features from PoI 2024-12-03 14:30:25 +01:00
Asger F
e6680dec8f JS: Avoid use of LabeledSanitizerGuardNode in TaintedObject 
Drive-by bugfix: Rename sanitizes -> blocksExpr.
This fixes a bug that caused the sanitizer guard not to work in df2.

The test output reflects the fact that the barrier guard works now.
 2024-12-03 14:30:24 +01:00
Asger F
0ce1fe767d JS: Deprecate ConsistencyChecking to avoid deprecation warnings 2024-12-03 14:30:23 +01:00
Asger F
04a3a6707f JS: Update a reference to AdditionalSanitizerGuardNode 
Unlike most other references to this class, we're not subclassing it here, we're
just trying to reuse some standard barrier guards but with a different flow state.
 2024-12-03 14:30:22 +01:00
Asger F
834d35bc42 JS: Port experimental DecompressionBombs to ConfigSig 2024-12-03 14:30:21 +01:00
Asger F
871bc3b84a JS: Port experimental CorsPermissiveConfiguration to ConfigSig 
The tests show a new (source, sink) pair for an already-flagged sink.

Not sure why it was not flagged originally since the data flow path seems valid, given the steps provided by our models.
 2024-12-03 14:30:20 +01:00
Asger F
f5a6485ef2 JS: Port experimental decodeJwtWithoutVerificationLocalSource 2024-12-03 14:30:19 +01:00
Asger F
72e522631d JS: Port experimental jwtDecodeWithoutVerification to ConfigSig 2024-12-03 14:30:18 +01:00
Asger F
7e162f5451 JS: Port experimental EnvValueInjection to ConfigSig 2024-12-03 14:30:17 +01:00
Asger F
4f839070a0 JS: Port experimental EnvValueAndKeyInjection to ConfigSig 2024-12-03 14:30:16 +01:00
Asger F
8887ca1722 JS: Port an experimental CodeInjection variant to ConfigSig 2024-12-03 14:30:15 +01:00
Asger F
1832e93766 JS: Port FormParsers test to ConfigSig 2024-12-03 14:30:14 +01:00
Asger F
4d7401a074 JS: Deprecate tests for deprecated APIs 
Mainly adds 'deprecated' in front of a bunch of tests for deprecated APIs.
 2024-12-03 14:30:12 +01:00
Asger F
3548544970 JS: Avoid some uses of deprecated guard classes in tests 2024-12-03 14:30:11 +01:00
Asger F
a568d8c086 JS: Port threat-model test to ConfigSig 2024-12-03 14:30:10 +01:00
Asger F
f758b67d30 JS: Openly recommend SummarizedCallable 2024-12-03 14:30:09 +01:00
Asger F
249104b8ae JS: Update comments referring to old Configuration style 
Also avoid the term "analysis-specific" because it's not a term we use anywhere else.
 2024-12-03 14:30:08 +01:00
Asger F
13ee597848 JS: Add some proper documentation to SummarizedCallable 2024-12-03 14:30:07 +01:00
Asger F
988fa9c0ef JS: Deprecate AdditionalSanitizerGuardNode 
We're deprecating the class through an alias, but it is still the base class for a non-deprecated class, for backwards compatibility. For this reason we're also deprecating all of its member predicates so we can remove those in the future.
 2024-12-03 14:30:06 +01:00
Asger F
0b1e859e70 JS: Remove uses of AdditionalSanitizerGuardNode 2024-12-03 14:30:05 +01:00
Asger F
c2abb0fbd0 JS: Remove reference to AdditionalSanitizerGuard from CachedStages 2024-12-03 14:30:04 +01:00