hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
76,593 Commits 1,672 Branches 157 Tags
codeql-cli-2.20.6
Commit Graph

10833 Commits

Author SHA1 Message Date
erik-krogh
5a82454710 add change-note 2023-05-17 12:02:21 +02:00
erik-krogh
cbd7601a41 implement isShellInterpreted on ExecActionsCall 2023-05-17 11:07:48 +02:00
erik-krogh
3293a55e8f require arguments to be shell interpreted to be flagged by indirect-command-injection 2023-05-17 11:07:45 +02:00
Asger F
f94fdc6348 JS: Remove mention of TrackedNode in docs 2023-05-17 10:37:12 +02:00
erik-krogh
480e71fd69 avoid contractions 2023-05-17 08:42:45 +02:00
Jami Cogswell
003bb2f6f5 JS: add change note 2023-05-16 15:45:55 -04:00
Jami Cogswell
359f6ffd1e JS: update 'credentials[%]' sink kind to 'credentials-%' 2023-05-16 15:45:55 -04:00
Jami Cogswell
7880e9e92c JS: update 'command-line-injection' sink kind to 'command-injection' 2023-05-16 15:45:55 -04:00
Arthur Baars
2911a6cc30 JS: remove unused tables 2023-05-16 17:03:41 +02:00
Arthur Baars
fef0e1f1c8 JS: sync shared dbscheme fragments 2023-05-16 17:03:41 +02:00
erik-krogh
2ebce99eae add another example of how to fix the prototype pollution issue 2023-05-15 17:24:02 +02:00
erik-krogh
7a338c408e fix typo, the variable in the example is called items 2023-05-15 17:23:40 +02:00
erik-krogh
83ca1495e0 trim the whitespace in the poly-redos examples 2023-05-15 16:47:24 +02:00
erik-krogh
d989359656 add another example to the qhelp in poly-redos, showing how to just limit the length of the input 2023-05-15 16:47:02 +02:00
Asger F
20e8ee8423 Merge pull request #12748 from JarLob/yi 
JS: Add more sources, more unit tests, fixes to the GitHub Actions injection query
 2023-05-15 11:03:00 +02:00
tyage
93af0d0c2f formatting 2023-05-13 17:37:31 +00:00
tyage
6f66c047d0 JS: ignoresub pkgs in node_modules directory 2023-05-13 09:12:28 +00:00
Max Schaefer
5dfe52afd0 Merge pull request #13152 from github/max-schaefer/unsafe-shell-command-construction-examples-sync 
JavaScript: Use synchronous APIs in examples for js/shell-command-constructed-from-input.
 2023-05-12 16:50:25 +01:00
Max Schaefer
2e7eb50319 JavaScript: Use synchronous APIs in examples for js/shell-command-constructed-from-input. 2023-05-12 14:42:11 +01:00
Max Schaefer
a4f6ccf2fc JavaScript: Use gender-neutral language in qhelp for js/user-controlled-bypass 2023-05-12 14:21:40 +01:00
Kasper Svendsen
fe2f36a1fe JS: Make implicit this receivers explicit 2023-05-12 12:12:48 +02:00
Kasper Svendsen
7dd9906e95 JS: Enable implicit this receiver warnings 2023-05-12 09:49:14 +02:00
Kasper Svendsen
189f8515c0 JS: Make implicit this receivers explicit 2023-05-12 09:49:14 +02:00
Kasper Svendsen
2184fefe7f Merge pull request #13121 from kaspersv/kaspersv/javascript-explicit-this-receivers4 
JS: Make implicit this receivers explicit
 2023-05-12 08:21:52 +02:00
Kasper Svendsen
489a73c2c3 JS: Make implicit this receivers explicit 2023-05-11 11:50:56 +02:00
Erik Krogh Kristensen
71be426284 Merge pull request #13015 from kaspersv/kaspersv/js-explicit-this-receivers2 
JS: Make implicit this receivers explicit
 2023-05-11 10:39:11 +02:00
tyage
f6a8cd27ca Update javascript/ql/lib/semmle/javascript/NPM.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-05-10 19:36:49 +09:00
Asger F
f4b5f39c57 Merge pull request #13044 from cklin/javascript-locatable-tostring-join-ordering 
JS: Add pragma[only_bind_out] to Locatable::toString() calls
 2023-05-10 10:08:48 +02:00
Asger F
c376eeb133 Merge pull request #12978 from asgerf/js/github-actions-sources 
JS: Add sources and sinks related to GitHub Actions
 2023-05-10 09:55:24 +02:00
Asger F
b28254327a Update javascript/ql/lib/semmle/javascript/security/dataflow/IndirectCommandInjectionCustomizations.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-05-10 08:16:31 +02:00
Kasper Svendsen
c7d72e0d34 JS: Prevent join order regression 2023-05-09 17:01:41 +02:00
Jaroslav Lobačevski
891a94c166 Apply suggestions from code review 
Co-authored-by: Asger F <asgerf@github.com>
 2023-05-09 16:27:32 +02:00
Jaroslav Lobačevski
5aa71352dc Update javascript/ql/src/Security/CWE-094/ExpressionInjection.qhelp 
Co-authored-by: Asger F <asgerf@github.com>
 2023-05-09 12:23:52 +02:00
Jaroslav Lobačevski
1ad23c5366 Apply suggestions from code review 
Co-authored-by: Asger F <asgerf@github.com>
 2023-05-09 12:23:06 +02:00
Kasper Svendsen
f619a63f6f JS: Make implicit this receivers explicit 2023-05-09 11:37:25 +02:00
Asger F
aec6ba7d5e JS: Fix broken message in example query 2023-05-09 10:53:57 +02:00
Chuan-kai Lin
0984fc7cce JS: Add pragma[only_bind_out] to Locatable::toString() calls 2023-05-04 13:20:56 -07:00
Kasper Svendsen
65deb9d90a Merge pull request #13016 from kaspersv/kaspersv/js-explicit-this-receivers3 
JS: Make implicit this receivers explicit
 2023-05-04 09:15:01 +02:00
Asger F
1a9956354e JS: Restrict getInput to indirect command injection query 2023-05-03 16:10:03 +02:00
Erik Krogh Kristensen
f29db40371 Merge pull request #13011 from kaspersv/kaspersv/explicit-this-receivers-shared2 
JS, Python, Ruby: Make implicit this receivers explicit
 2023-05-03 15:34:59 +02:00
Kasper Svendsen
67950c8e6b JS: Make implicit this receivers explicit 2023-05-03 15:31:00 +02:00
Ian Lynagh
b56b843d13 Merge pull request #12987 from github/post-release-prep/codeql-cli-2.13.1 
Post-release preparation for codeql-cli-2.13.1
 2023-05-03 13:12:10 +01:00
Kasper Svendsen
aca2ace843 JS, Python, Ruby: Make implicit this receivers explicit 2023-05-03 13:51:51 +02:00
Kasper Svendsen
efdaffedee JS: Make implicit this receivers explicit 2023-05-03 10:49:46 +02:00
Asger F
b9ad4177f9 JS: List safe environment variables in IndirectCommandInjection 2023-05-03 10:48:14 +02:00
Asger F
4c6711d007 JS: Clarify the difference between context and input sources 2023-05-03 10:30:04 +02:00
Asger F
bdcda7ffe6 JS: Move change note to right location 2023-05-03 10:22:40 +02:00
tyage
22f5b7a18b JS: check scoped package and normal package 2023-05-03 13:19:59 +09:00
Asger F
67afbee06d Merge pull request #12825 from smiddy007/JS-Allow-Truncated-Hash-Forge-NonKeyCipher 
JS: Allow NonKeyCiphers to include truncated SHA-512 MDs in Forge JS libr…
 2023-05-02 13:59:30 +02:00
github-actions[bot]
18d4af994d Post-release preparation for codeql-cli-2.13.1 2023-05-02 10:50:20 +00:00