10776 Commits

Author	SHA1	Message	Date
Napalys	89f3b6f8d3	JS: Added test case for bad sanitizer with unknown flags, currently not flagged.	2024-11-28 11:26:35 +01:00
Napalys	38be0e4c0a	JS: Now BadHtmlSanitizers also flags new RegExp as potential issue	2024-11-28 11:26:34 +01:00
Napalys	41f21d429b	JS: Added test case which is not flagged but should be abusing new RegExp with global flag	2024-11-28 11:26:33 +01:00
Asger F	805fd0b46e	JS: Refine speculative step definition	2024-11-26 15:56:56 +01:00
Asger F	8818fcc207	JS: Benign test output changes	2024-11-26 15:47:13 +01:00
Asger F	c94a01e6b6	JS: Remove reference to argsParseStep ... This was removed as part of the PR that introduced threat models.	2024-11-26 15:36:47 +01:00
Asger F	bf62582f53	JS: Implement 'speculativeTaintStep' ... It is a mandatory part of the interface now; just providing a bare-bones implementation for rather than 'none()'	2024-11-26 15:36:46 +01:00
Asger F	82d61e4194	Merge branch 'js/shared-dataflow-branch' into js/shared-dataflow-merge-main	2024-11-26 15:36:16 +01:00
Asger F	f073f3b791	JS: Rename file to foo.test.js	2024-11-26 13:44:00 +01:00
Asger F	65da9b41b5	JS: Add cross-file test in InsecureRandom	2024-11-26 13:43:24 +01:00
Asger F	b4bd8e701c	JS: Add test for file classification change	2024-11-26 12:33:39 +01:00
Napalys Klicius	e9dff4d68f	Merge pull request #17953 from Napalys/napalys/ts57 ... JS: upgrade TypeScript to 5.7	2024-11-25 14:16:40 +01:00
Napalys Klicius	d6372aebc7	Update javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql ... Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2024-11-25 12:12:12 +01:00
Napalys	e38b63ebcd	JS: previously js/case-sensitive-middleware-path was not taking into consideration unknown flags	2024-11-25 11:56:06 +01:00
Napalys	178da21fb8	JS: Added test case for CWE-178 RegExp with unknown flags	2024-11-25 11:53:00 +01:00
Napalys	f8d623e905	JS: Bumped TS version to 5.7.2	2024-11-25 09:08:51 +01:00
Napalys Klicius	61e00861e5	Merge pull request #18008 from Napalys/napalys/ES2024-group-functions ... JS: Added support for [Object, Map].groupBy ES2024 feature	2024-11-21 19:03:57 +01:00
Alexander Eyers-Taylor	c0474c4e45	Revert "Revert "Post-release preparation for codeql-cli-2.19.4""	2024-11-21 15:37:52 +00:00
Alexander Eyers-Taylor	4effe9e364	Revert "Post-release preparation for codeql-cli-2.19.4"	2024-11-21 14:43:15 +00:00
Napalys Klicius	7ee0a7b398	Update javascript/ql/lib/semmle/javascript/Collections.qll ... Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2024-11-21 14:02:42 +01:00
Napalys Klicius	edb9b47111	Merge pull request #18047 from Napalys/napalys/ES2023-string-protytpe-toWellFormed ... JS: Added taint-step String.prototype.toWellFormed ES2023 feature	2024-11-21 14:01:21 +01:00
Asger F	930a7b6e28	JS: Update output changes to nodes/edges/subpaths	2024-11-21 13:33:39 +01:00
Asger F	7a77432024	JS: Update lost result in insecure-download ... The VariableCapture library consumes one component of the access path limit, which means we lose this result	2024-11-21 13:33:10 +01:00
Asger F	1ac7591faf	JS: Update missed flow in capture-flow.js ... We previously caught this flow because of a heuristic in capture flow. We'll have to fix it properly later.	2024-11-21 12:57:34 +01:00
Asger F	9dad2d62d7	JS: Update DataFlowConsistency	2024-11-21 12:54:11 +01:00
Asger F	ce00bd2cc9	JS: More docs	2024-11-21 11:06:43 +01:00
Asger F	4e62a512c5	JS: Only apply exception propagator when no other summary applies ... Previously a few Promise-related methods were special-cased, which is no longer needed.	2024-11-21 11:01:05 +01:00
Asger F	84820adf3c	Add test for exception flow out of finally()	2024-11-21 11:01:03 +01:00
Asger F	948d21ca07	JS: Propagate exceptions from summarized callables by default	2024-11-21 10:24:31 +01:00
Asger F	dcdb2e5133	JS: Fix callback check so it works without parameters	2024-11-21 10:24:29 +01:00
Asger F	b7dd455aff	JS: Add test case	2024-11-21 09:21:36 +01:00
Napalys Klicius	82ca369dce	Merge pull request #18005 from Napalys/napalys/ES2022-find-functions ... JS: Added support for Array.prototype.[findLastIndex, findLast] ES2022 feature	2024-11-21 08:01:19 +01:00
Napalys	43eda58f83	Added change notes	2024-11-20 17:44:36 +01:00
Napalys	afc2d3e6d2	JS: Add: String.protytpe.toWellFormed to StringManipulationTaintStep	2024-11-20 17:42:25 +01:00
Napalys	09f73d8d6f	JS: Add: test cases for toWellFormed	2024-11-20 17:36:43 +01:00
Napalys	64c45debdb	JS: removed unnecessary getALocalSource from ArrayCallBackDataFlowStep	2024-11-20 14:57:00 +01:00
Napalys	9dbf7d1828	JS: removed unnecessary getALocalSource from ArrayCallBackDataTaintStep	2024-11-20 14:54:06 +01:00
Napalys	cdf43f7118	Added change notes	2024-11-20 14:06:44 +01:00
Asger F	d52bc971b8	Merge branch 'main' into js/shared-dataflow-merge-main	2024-11-20 14:05:03 +01:00
Napalys Klicius	a957e00fe5	Merge branch 'main' into napalys/ES2024-group-functions	2024-11-20 14:03:31 +01:00
Napalys	58faa2d71e	JS: Add: dataflow step for static method of groupBy from Map.	2024-11-20 13:34:11 +01:00
Napalys	6344f83e4b	JS: Add: tests for taint tracking in groupBy functions	2024-11-20 13:22:53 +01:00
github-actions[bot]	3909df75dc	Post-release preparation for codeql-cli-2.19.4	2024-11-19 17:54:03 +00:00
Alex Eyers-Taylor	ef3fc5e29f	Fix broken changelog.	2024-11-19 16:34:30 +00:00
github-actions[bot]	9783a11565	Release preparation for version 2.19.4	2024-11-19 16:21:37 +00:00
Napalys	28ead4011a	JS: Add: taint step to handle propagation of data flow from the array to callback	2024-11-19 14:15:15 +01:00
Napalys	f1e95a8a1d	JS: Add: taint step test cases for findLastIndex, findLast, find	2024-11-19 14:09:58 +01:00
Asger F	d1c9e47d23	JS: More aggressive test file classification	2024-11-19 13:23:32 +01:00
Asger F	01669908f2	JS: Block InsecureRandomness flow into test files	2024-11-19 13:23:31 +01:00
Asger F	80a5a5909e	JS: Use getUnderlyingValue() a few places in VariableCapture	2024-11-19 13:23:29 +01:00