hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
76,593 Commits 1,672 Branches 157 Tags
codeql-cli-2.20.6
Commit Graph

2415 Commits

Author SHA1 Message Date
github-actions[bot]
17cd9624fb Release preparation for version 2.18.3 2024-08-21 17:13:52 +00:00
Asger F
9ee7599aeb JS: Move AngularJSTemplateUrlSink to ClientSideUrlRedirection query 
This is not perfect but at least we can be consistent about keeping URLs-that-lead-to-xss in the same query
 2024-08-16 14:37:13 +02:00
Asger F
2d264052b3 JS: Treat browser message events as client-side sources 2024-08-16 11:02:12 +02:00
Asger F
7dcdad066f Update javascript/ql/lib/semmle/javascript/frameworks/helmet/Helmet.qll 2024-08-16 09:44:53 +02:00
Kristen Newbury
81787a159e Add QL docs to helmet model 2024-08-15 16:32:37 -04:00
Kristen Newbury
e84dda4fa6 Update JS helmet model structure 2024-08-15 16:08:48 -04:00
Mauro Baluda
be0a60a7f6 Add support for importing NPM modules in XSJS sources 2024-08-13 14:45:03 +02:00
Tom Hvitved
0fcfb47423 Sync shared files 2024-08-13 13:34:45 +02:00
Alexander Eyers-Taylor
ffd811a55d Merge pull request #17182 from github/post-release-prep/codeql-cli-2.18.2 
Post-release preparation for codeql-cli-2.18.2
 2024-08-08 16:28:03 +01:00
github-actions[bot]
cc6d87c276 Post-release preparation for codeql-cli-2.18.2 2024-08-08 12:56:21 +00:00
Erik Krogh Kristensen
41506fbfef Merge pull request #14666 from am0o0/amammad-js-hardcodedJWTKey 
JS: Extends CredentialsNode class mostly related to JWT authentication packages
 2024-08-08 10:20:45 +02:00
am0o0
b64cb4da09 remove a part of code related to debugging :) 2024-08-07 20:37:20 +02:00
github-actions[bot]
019da8c287 Release preparation for version 2.18.2 2024-08-07 14:02:38 +00:00
Alexander Eyers-Taylor
46577b585e Revert "Release preparation for version 2.18.2" 2024-08-07 14:24:37 +01:00
github-actions[bot]
c14ba0e4bd Release preparation for version 2.18.2 2024-08-06 12:46:15 +00:00
Asger F
0a143a5f52 JS: Do not include type in path explanation 2024-08-06 12:45:07 +02:00
Asger F
1a532dac29 JS: Update VariableCapture instantiation after merge 2024-08-06 12:45:06 +02:00
am0o0
fce183c7cb apply autoformat to HardcodedCredentialsCustomizations.qll 2024-08-05 14:25:15 +02:00
Asger F
df64388d79 Merge branch 'main' into js/shared-dataflow-merge-main 2024-08-02 13:18:38 +02:00
am0o0
354fcbe7fe apply changes from @erik-krogh 2024-08-01 20:14:36 +02:00
github-actions[bot]
49cc8f8ff8 Post-release preparation for codeql-cli-2.18.1 2024-07-22 22:00:48 +00:00
github-actions[bot]
368bcb684a Release preparation for version 2.18.1 2024-07-22 21:30:50 +00:00
Chuan-kai Lin
23320b6e5e Revert "Release preparation for version 2.18.1" 2024-07-22 13:22:49 -07:00
github-actions[bot]
55935fc123 Release preparation for version 2.18.1 2024-07-22 14:56:15 +00:00
Paul Hodgkinson
c9af53f050 Merge branch 'main' into aegilops/polyfill-io-compromised-script 2024-07-12 12:53:44 +01:00
Paul Hodgkinson
412ad177c2 Merge branch 'main' into aegilops/js/insecure-helmet-middleware 2024-07-11 11:01:38 +01:00
aegilops
0aab2aef3b Formatting of QLL 2024-07-09 18:16:37 +01:00
aegilops
dae2aeb7d3 QLDoc 2024-07-09 18:16:02 +01:00
aegilops
86afd54a9b Moved new query to 'experimental' 
Moved lists of domains to data extensions, including adding those to the overall qlpack.yml

Expanded scope of new query to further domains operated by the untrusted owners of polyfill.io
 2024-07-09 16:38:01 +01:00
github-actions[bot]
ae3aba061b Post-release preparation for codeql-cli-2.18.0 2024-07-08 13:30:13 +00:00
Paul Hodgkinson
d896fdf9fa Merge branch 'main' into aegilops/js/insecure-helmet-middleware 2024-07-08 11:25:47 +01:00
aegilops
1fe14e26b1 Split out "compromised" functionality 2024-07-08 10:56:12 +01:00
github-actions[bot]
b0d6778652 Release preparation for version 2.18.0 2024-07-08 09:10:51 +00:00
aegilops
73fc6bcdb1 Added some missing QLDoc 2024-07-01 17:10:24 +01:00
aegilops
a1b0703690 Added detection for specific Polyfill.io CDN compromise - edited existing library and added new query and tests 2024-07-01 16:21:34 +01:00
am0o0
6ecd8b7ee8 add new default cred kind 2024-07-01 14:42:34 +02:00
am0o0
fa8c457015 move the TextEncoder and Buffer jose.base64url taint steps to a local query taint step 2024-07-01 12:11:53 +02:00
am0o0
60aa711005 implement TextEncoderStep taint step with globalVarRef predicate 2024-07-01 11:59:05 +02:00
am0o0
65fdb8ccce move jose SharedTaintStep to a local taint step, add more additional steps with test cases, update test cases and expected test results 2024-07-01 11:38:17 +02:00
Arthur Baars
b12b33c8f9 Merge remote-tracking branch 'upstream/main' into 'rc/3.14' 2024-06-28 19:50:35 +02:00
Asger F
1d267efb6b JS: Fix missing qldoc 2024-06-28 14:30:56 +02:00
Asger F
1c730bc66e JS: Fix compilation error in DataFlowImplConsistency.qll 2024-06-27 12:47:15 +02:00
Asger F
df0488a470 Ensure Member tokens from flow summaries are seen in PropertyName 2024-06-27 10:22:14 +02:00
Asger F
c52a4b0621 JS: Provide RenderSummarizedCallable 2024-06-27 09:44:45 +02:00
Asger F
e53c0cdce7 Fix unknown Parameter/Argument decoding 2024-06-27 09:39:06 +02:00
Asger F
88edc06517 Avoid bad join in compatibleTypesCached 
This is identical to the code in Ruby and seems to prevent a bad join ordering
in a cached version of this predicate in DataFlowCommon
 2024-06-26 13:51:41 +02:00
Asger F
fc7c2c5b17 Remove unused code 2024-06-26 13:51:40 +02:00
Asger F
e67e89dd70 Implement decodeUnknownArgument/ParameterPosition 2024-06-26 13:51:39 +02:00
Asger F
3bebd709b3 Handle AnyMemberDeep and ArrayElementDeep in encodeContent 2024-06-26 13:51:38 +02:00
Asger F
6c0c67dce4 Implement encodeWith/WithoutContent 2024-06-26 13:51:37 +02:00