hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
76,593 Commits 1,671 Branches 157 Tags
codeql-cli-2.20.6
Commit Graph

10833 Commits

Author SHA1 Message Date
Napalys
def8d75cb8 Added test case for Array.prototype.toSorted, which is currently not flagged as a taint sink. 2024-11-12 12:01:51 +01:00
Asger F
80ee372ddf JS: Replace an unused value with _ 2024-11-12 11:24:17 +01:00
Asger F
637baabe37 JS: Clarify why there are no SSA definitions 2024-11-12 11:23:35 +01:00
Napalys Klicius
6266dab518 Merge pull request #17951 from Napalys/napalys/reverse-support 
JS: Added support for reverse function
 2024-11-12 10:09:18 +01:00
Napalys
00790bf3f4 Added change notes 2024-11-11 15:43:54 +01:00
Napalys Klicius
1eabb6cbdd Update javascript/ql/test/experimental/Security/CWE-918/check-regex.js 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2024-11-11 15:40:22 +01:00
Napalys Klicius
42f7f73ae1 Update ArrayInPlaceManipulationTaintStep documentation 2024-11-11 15:38:57 +01:00
Napalys
ae57c12b15 Added change notes 2024-11-11 10:38:14 +01:00
Napalys
82f09f1f8b Updated TS version to 5.7.1-release candidate 2024-11-11 10:19:32 +01:00
Napalys
81bc7cd19f Refactored SortTaintStep to ArrayInPlaceManipulationTaintStep to support both sort and reverse functions. Fixed newly added test case. from 8026a99db7 2024-11-11 08:32:03 +01:00
Napalys
1c298f0231 Added test case for Array.prototype.reverse, which is currently not flagged as a potential sink. 2024-11-11 08:32:02 +01:00
Napalys
f1c6dc1d9b Moved SortTaintStep to more appropriate home TaintTracking->Arrays 2024-11-11 08:32:01 +01:00
Napalys
70cf1a57bc Now catches usage of RegExp. after matchAll usage. 2024-11-08 08:59:31 +01:00
Napalys
c2baf0bd6d Added test where RegExp. is used after matchAll but it not flagged as potential issue 2024-11-08 08:56:12 +01:00
Napalys
dbd57e3870 Fixed issue where TaintTracking was not catching matchAll vulnerability 2024-11-07 13:40:10 +01:00
Napalys
a4fe728af2 Added matchAll test which is not marked as vulnurability by CodeQL 2024-11-07 13:35:09 +01:00
Napalys
514375dbf9 Fixes false positives from commit 42600c93ff 2024-11-07 13:00:54 +01:00
Napalys
42600c93ff Added tests which shows false positive SSRF via matchAll 2024-11-07 11:40:20 +01:00
Napalys
449cee91c8 Fixes false positives from commit 445552d3b53ec9592e8e3892cb337d1004b6a432 2024-11-07 10:33:13 +01:00
Napalys
4106663d89 Added tests for regex sanitization to identify false positives matchAll 2024-11-07 10:27:58 +01:00
Mikaël Barbero
881fe0ba57 fix: add "actions" tag to ActionsArtifactLeak 
Similar to javascript/ql/src/Security/CWE-094/ExpressionInjection.ql
 2024-11-05 15:58:46 +01:00
Napalys Klicius
5e8b1b061f Update javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2024-11-05 10:29:22 +01:00
Napalys Klicius
7825a46085 Merge branch 'github:main' into napalys/matchAll-support 2024-11-05 09:31:30 +01:00
Napalys
b239bfabf1 Added tests forIncompleteHostnameRegExp and normalizedPaths using matchAll 2024-11-05 09:22:26 +01:00
Napalys
ccee34d6d3 Added support for matchAll in CWE-020 including new test cases 2024-11-05 08:51:24 +01:00
github-actions[bot]
f107d16b4e Post-release preparation for codeql-cli-2.19.3 2024-11-04 17:20:08 +00:00
github-actions[bot]
cc7b724123 Release preparation for version 2.19.3 2024-11-04 16:37:28 +00:00
Rasmus Wriedt Larsen
c0ad9ba529 Merge branch 'main' into js-threat-models 2024-11-01 10:48:32 +01:00
Rasmus Wriedt Larsen
dc8e645594 JS: Convert remaining queries to use ActiveThreatModelSourceAsSource 2024-11-01 10:47:10 +01:00
Rasmus Wriedt Larsen
19fae76a94 JS: Remove dummy comment 
Co-authored-by: Asger F <asgerf@github.com>
 2024-11-01 10:24:22 +01:00
Rasmus Wriedt Larsen
61e60de969 JS: Model readline as a stdin threat-model source 
Technically not always true, but my assumption is that +90% of the time
that's what it will be used for, so while we could be more precise by
adding a taint-step from the `input` part of the construction, I'm not
sure it's worth it in this case.

Furthermore, doing so would break with the current way we model
threat-model sources, and how sources are generally modeled in JS... so
for a very pretty setup it would require changing all the other `file`
threat-model sources to start at the constructors such as
`fs.createReadStream()` and have taint-propagation steps towards the
actual use (like we do in Python)...

I couldn't see an easy path forwards for doing this while keeping the
Concepts integration, so I opted for the simpler solution here.
 2024-10-31 14:29:30 +01:00
Rasmus Wriedt Larsen
eca8bf5a35 JS: Do simple modeling of process.stdin as threat-model source 2024-10-31 14:26:45 +01:00
Rasmus Wriedt Larsen
34b86c39c1 JS: Model fs.promises.readFile as file source 
You could argue that proper modeling be done in the same way as
`NodeJSFileSystemAccessRead` is done for the callback based `fs` API (in
NodeJSLib.qll). However, that work is straying from the core goals I'm
working towards right now, so I'll argue that "perfect is the enemy of
good", and leave this as is for now.
 2024-10-31 14:09:38 +01:00
Rasmus Wriedt Larsen
971f53870e JS: Include fs externs 
Makes a difference due to the modeling of NodeJSFileSystemAccessRead depending on these, see
412e841d69/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll (L479-L488)

File copied from 7cef4322e7/javascript/externs/nodejs/fs.js
 2024-10-31 13:51:22 +01:00
Rasmus Wriedt Larsen
b47fa77dc6 JS: Add tests for stdin threat-model sources 2024-10-31 12:59:21 +01:00
Rasmus Wriedt Larsen
2b6c27eb60 JS: Add initial file threat-model support 
However, as indicated by the `MISSING` annotations, we could do better.
 2024-10-29 15:14:39 +01:00
Rasmus Wriedt Larsen
3656864695 JS: Add database threat-model source modeling 2024-10-29 15:11:09 +01:00
Tom Hvitved
1259b7e8e7 JS: Post-processing query for inline test expectations 2024-10-29 13:35:38 +01:00
Rasmus Wriedt Larsen
7c7420a9a4 JS: Add change-note 2024-10-29 11:35:56 +01:00
Rasmus Wriedt Larsen
84f6b89ced JS: Minor improvements to threat-model Concepts 
Mirroring what was done for Python
 2024-10-29 11:29:48 +01:00
Asger F
6aef571c17 JS: Bump extractor version string 2024-10-29 11:28:06 +01:00
Asger F
3cc6b11e6b JS: Expand attribute regex to include some Vue attributes 2024-10-29 11:19:01 +01:00
Asger F
560b3da851 JS: Add test with some special Vue attributes 2024-10-29 11:18:17 +01:00
Asger F
2fb108419c JS: Only parameter-calls as lambda calls 2024-10-29 08:32:15 +01:00
Asger F
1e9e57e46e JS: Fix missing qldoc 2024-10-29 08:32:14 +01:00
Asger F
52ba91a7f8 JS: Updates to nodes/edges in tests 
Only changes to nodes/edges for various reasons, no actual result changes
 2024-10-29 08:32:13 +01:00
Asger F
1243188825 JS: Update CleartextLogging with fixed FP 2024-10-29 08:32:11 +01:00
Asger F
18b39460f5 JS: Add regained results in UnsafeJQueryPlugin 
These were marked as 'NOT OK' in the test file, but weren't previously flagged for some reason
 2024-10-29 08:32:10 +01:00
Asger F
d3e70c1e97 JS: Add in-barrier to XSS query 
This is a bit of a bandaid to cover issues with the push() method on next/router being
treated as an array push, which causes it to flow into other taint sources.
 2024-10-29 08:32:08 +01:00
Asger F
1b85feb1fa JS: Add imprecise post-update steps for when a captured var/this is not tracked precisely 
With the capture library we sometimes bails out of handling certain functions for scalability reasons.

This means we have a notion of "captured but imprecisely-tracked" variables and 'this'. In these cases we go back to propagating flow from a post-update node to the local source.
 2024-10-29 08:32:07 +01:00