10776 Commits

Author	SHA1	Message	Date
Asger F	82682d9a62	JS: Remove a non-deprecated reference to SanitizerGuardNode	2024-12-03 14:30:03 +01:00
Asger F	bc7753de29	JS: Remove non-deprecated reference to AdditionalBarrierGuardNode	2024-12-03 14:30:02 +01:00
Asger F	0cd2e3f9eb	JS: Deprecate old data flow library, except some guard-related nodes	2024-12-03 14:30:01 +01:00
Asger F	071189a9e9	Merge pull request #18175 from asgerf/jss/documentation ... JS: Update data flow documentation and tutorials for JavaScript	2024-12-03 14:23:29 +01:00
Asger F	054558d7b5	JS: Include content properties in type-tracker properties ... Reminder: we have two PropertyName classes because the one in Contents.qll can't depend on DataFlow::Node.	2024-12-03 09:58:54 +01:00
Asger F	8bca66493f	JS: Add test showing lack of inclusion in PropertyName	2024-12-03 09:57:02 +01:00
Napalys Klicius	1e1674a08a	Merge pull request #18089 from Napalys/napalys/regexp-unknown-flags ... JS: RegExp unknown flags support and enhanced compatibility with RegExp objects	2024-12-03 09:43:13 +01:00
Napalys Klicius	08ef0dc1f2	Update javascript/ql/lib/change-notes/2024-11-28-regexp-unknown-flags.md ... Co-authored-by: Asger F <asgerf@github.com>	2024-12-02 13:35:52 +01:00
Asger F	2db89c1b02	JS: Update query17 from intro tutorial	2024-12-02 10:04:09 +01:00
Asger F	103a6ea8a6	JS: Port tutorial query5	2024-12-02 10:04:07 +01:00
Asger F	02c5e49de8	JS: Port tutorial query4	2024-12-02 10:04:05 +01:00
Asger F	1f6335f9ba	JS: Port tutorial query3	2024-12-02 10:04:04 +01:00
Asger F	3319870d00	JS: Port tutorial query2	2024-12-02 10:04:02 +01:00
Asger F	32f020ee6f	JS: Port tutorial query1	2024-12-02 10:04:00 +01:00
Asger F	cab8a40d00	JS: Fix accidental recursion	2024-11-29 14:23:57 +01:00
Asger F	9c6b6981e2	JS: Add test to restrict dependencies	2024-11-29 14:23:56 +01:00
Asger F	2f0c80a98b	JS: Include summary steps in type tracking	2024-11-29 14:23:55 +01:00
Asger F	440cbb7f0a	JS: Add inline-expectation test for type tracking	2024-11-29 14:23:54 +01:00
Asger F	6349903110	JS: Move FlowSummary/Summaries.qll into testUtilities	2024-11-29 14:23:52 +01:00
Asger F	e34064e3b5	JS: Initial instantiation of sumamry type tracking ... Instantiates the library without using it yet.	2024-11-29 14:23:50 +01:00
Asger F	df12f255ac	JS: Rename propagatesFlowExt -> propagatesFlow	2024-11-29 14:23:49 +01:00
Napalys	9d4e737bc2	JS: follow proper code standards for get predicates ... Co-authored-by: asgerf <asgerf@github.com>	2024-11-29 11:32:10 +01:00
Napalys	3171f38cdd	JS: fixed bad alert messages when it came to incomplete sanitization for new RegExp objects	2024-11-29 11:14:45 +01:00
Napalys Klicius	13afd6310b	Update javascript/ql/lib/change-notes/2024-11-28-regexp-unknown-flags.md ... Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2024-11-29 08:26:04 +01:00
Napalys	d2de9a2238	Fixed change notes	2024-11-28 14:24:27 +01:00
Napalys Klicius	9ca0fe4cbf	Update RegExp handling and add test case ... Co-authored-by: erik-krogh <erik-krogh@github.com>	2024-11-28 14:13:40 +01:00
Napalys	fd773603e6	Added change notes	2024-11-28 12:04:09 +01:00
Napalys	9a1c1f4be3	JS: Added in RegExpCreationNode maybeGlobal predicate for more convenience.	2024-11-28 12:03:51 +01:00
Napalys	1d2e08a3b6	JS: now Reg Exp injection treats unknownFlags as sanitization, MetacharEscapeSanitizer	2024-11-28 11:26:58 +01:00
Napalys	62194f5337	JS: add test cases RegExp with unknown flags	2024-11-28 11:26:57 +01:00
Napalys	e673348ed3	JS: now RegExp with unknown flags is not flagged as an issue within password Clear text storage of sensitive information	2024-11-28 11:26:56 +01:00
Napalys	a2c46749c6	JS: fixed issue where MaskingReplacer would work only with regexp literals but not objects	2024-11-28 11:26:55 +01:00
Napalys	1ca57cfb9d	JS: add test cases with RegExp object for MaskingReplacer, currently gives wrong results	2024-11-28 11:26:54 +01:00
Napalys	c71778f1aa	JS: xss does not flag anymore replace with RegExp unknown flags	2024-11-28 11:26:53 +01:00
Napalys	dbae553146	JS: add xss test cases with unknownflags for replace using RegExp	2024-11-28 11:26:52 +01:00
Napalys	fe28657c7d	JS: add test cases with unknown flags for double escaping, works as expected.	2024-11-28 11:26:51 +01:00
Napalys	98fd97799c	JS: imcomplete sanization now handles properly maybe global	2024-11-28 11:26:50 +01:00
Napalys	1ae174849f	JS: incomplete sanitization now also works with RegExp objects	2024-11-28 11:26:48 +01:00
Napalys	76318035ff	JS: Add test cases for RegExp object usage in replace within incomplete sanitization	2024-11-28 11:26:47 +01:00
Napalys	9c2366a660	JS: Added tests for ReDos with unknownFlags, everything seems to be good	2024-11-28 11:26:46 +01:00
Napalys	875478c1c6	JS: Fixed path query not flagging new RegExp with DotRemovingReplaceCall	2024-11-28 11:26:45 +01:00
Napalys	aa557cf950	JS: Added tests for DotRemovingReplaceCall with RegExp Object.	2024-11-28 11:26:44 +01:00
Napalys	a0df33c3ac	JS: UnsafeShellCommand Using unknown flags in the RegExp object is no longer flagged as bad sanitization to reduce false positives.	2024-11-28 11:26:43 +01:00
Napalys	155f1fca85	JS: Added test cases for unsafe shell command sanitization with RegExpr Object, instead of literal	2024-11-28 11:26:42 +01:00
Napalys	23b18aeca9	JS: Now unknown flags are not flagged in taint paths	2024-11-28 11:26:41 +01:00
Napalys	eca7a88615	JS: Fixed docs description	2024-11-28 11:26:40 +01:00
Napalys	7db6f7c721	JS: Added test cases with new RegExp for Tainted paths, currently works only with literals	2024-11-28 11:26:39 +01:00
Napalys	faef9dd877	JS: protyte poluting now treats unknownFlags as potentially good sanitization.	2024-11-28 11:26:38 +01:00
Napalys	41fef0f2b3	JS: Added test cases which cover new RegExp creation with replace on protytpe pulluting	2024-11-28 11:26:37 +01:00
Napalys	18c7b18f82	JS: Now BadHtmlSanitizers new RegExp with unknown flags is also flagged.	2024-11-28 11:26:36 +01:00