hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 02:13:17 +01:00
Code Issues Packages Projects Releases Wiki Activity
79,451 Commits 1,671 Branches 157 Tags
codeql-cli-2.21.4
Commit Graph

2704 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
412e841d69 JS: Add environment threat-model source 2024-10-25 15:03:43 +02:00
Rasmus Wriedt Larsen
f733ac19a9 JS: Make (most) queries use ActiveThreatModelSource 
7 cases looks something like this:

```
class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource {
  RemoteFlowSourceAsSource() { not this instanceof ClientSideRemoteFlowSource }
}
```

(some have variations like `not this.(ClientSideRemoteFlowSource).getKind().isPathOrUrl()`)

javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
 2024-10-25 15:03:42 +02:00
Rasmus Wriedt Larsen
4b1c027359 JS: Integrate RemoteFlowSource with ThreatModelSource 2024-10-25 14:52:49 +02:00
Rasmus Wriedt Larsen
dbfbd2c00a JS: Remove 'response' from default threat-models 
I didn't want to put the configuration file in
`semmle/javascript/frameworks/**/*.model.yml`, so created `ext/` as in other
languages
 2024-10-25 14:52:49 +02:00
Rasmus Wriedt Larsen
17a6d54e4d JS: Setup basic support for threat-models 
Integration with RemoteFlowSource is not straightforward, so postponing
that for later

Naming in other languages:
- `SourceNode` (for QL only modeling)
- `ThreatModelFlowSource` (for active sources from QL or data-extensions)

However, since we use `LocalSourceNode` in Python, and `SourceNode` in
JS (for local source nodes), it seems a bit confusing to follow the same
naming convention as other languages, and instead I came up with new names.
 2024-10-25 14:50:59 +02:00
Asger F
958602e43e JS: Cache getARead (as per instructions in the SSA library) 2024-10-22 12:46:20 +02:00
Asger F
e784813c3b JS: Make barrier guards work with use-use flow 2024-10-22 12:46:19 +02:00
Asger F
67fdd864c9 JS: Add TODO 2024-10-22 12:46:18 +02:00
Asger F
81af9a1658 Fix missing flow through super calls 2024-10-22 12:46:17 +02:00
Asger F
12370e9210 JS: Use VariableOrThis in variable capture as well 2024-10-22 12:46:16 +02:00
Asger F
d31499d727 JS: introduce implicit this uses in general 2024-10-22 12:46:14 +02:00
Asger F
c3c003b275 JS: Fix post-update flow into 'this' 2024-10-22 12:46:11 +02:00
Asger F
9fc99d6f9d JS: Fix store into object literals that have a post-update node 2024-10-22 12:46:11 +02:00
Asger F
992c144559 JS: Add qldoc to file 2024-10-22 12:46:09 +02:00
Asger F
beaacf96b3 JS: Rename Internal -> Cached since whole file is internal now 2024-10-22 12:46:08 +02:00
Asger F
3fca27bee2 JS: Fix indentation 
Only formatting changes
 2024-10-22 12:46:07 +02:00
Asger F
ed0af958a9 JS: Add Public module and only expose that 
Indentation will be fixed in next commit
 2024-10-22 12:46:06 +02:00
Asger F
3b663bd2f6 JS: Remove BasicBlockInternal module and mark relevant predicates as public 
This exposes the predicates publicly, but will be hidden again in the next commit.
 2024-10-22 12:46:04 +02:00
Asger F
211b42d0ce JS: Move BasicBlocks.qll -> internal/BasicBlocksInternal.qll 2024-10-22 12:46:03 +02:00
Asger F
9e600424cc JS: Remove unused predicate 2024-10-22 12:46:02 +02:00
Asger F
78e961cef3 JS: Add use-use flow 2024-10-22 12:46:01 +02:00
Asger F
7363b578b1 JS: Instantiate shared SSA library 
JS: Remove with statement comment
 2024-10-22 12:45:58 +02:00
Asger F
a258489551 JS: Refactor some internal methods to make them easier to alias 
We need these to return the dominator instead of declaring it in the parameter list, so that we can use it directly to fulfill part of the signature for the SSA library.

We can't rewrite it with an inline predicate since the SSA module calls with a transitive closure '*', which does not permit inline predicates.
 2024-10-22 12:45:57 +02:00
Asger F
443987b484 Merge branch 'main' into js/shared-dataflow-merge-main 2024-10-22 10:30:53 +02:00
github-actions[bot]
079ab77a38 Post-release preparation for codeql-cli-2.19.2 2024-10-15 12:16:59 +00:00
github-actions[bot]
255f55cf1a Release preparation for version 2.19.2 2024-10-15 10:29:25 +00:00
Asger F
e2e91ac7d9 Merge branch 'main' into js/shared-dataflow-merge-main 2024-10-08 09:28:26 +02:00
Asger F
6cbe04dcb7 JS: Consistently use the shared XSS barrier guards in the XSS queries 
Previously only reflected XSS used shared barrier guards.
 2024-10-02 14:44:17 +02:00
Asger F
341bacfe55 JS: Fix bug causing re-evaluation of cached barriers 2024-10-02 14:43:18 +02:00
github-actions[bot]
e97878ed63 Post-release preparation for codeql-cli-2.19.1 2024-09-30 19:49:00 +00:00
github-actions[bot]
455c8c5953 Release preparation for version 2.19.1 2024-09-30 17:59:48 +00:00
Asger F
1cd00a118c Merge branch 'main' into js/shared-dataflow-merge-main 2024-09-18 14:57:50 +02:00
Asger F
7ba6995854 JS: Clarify a comment 2024-09-17 15:59:04 +02:00
github-actions[bot]
79be301984 Post-release preparation for codeql-cli-2.19.0 2024-09-16 14:09:32 +00:00
github-actions[bot]
acdafd9646 Release preparation for version 2.19.0 2024-09-16 10:56:10 +00:00
Dave Bartolomeo
485fc04029 Initial merge from main 2024-09-15 08:55:31 -04:00
Asger F
1df69ec1d2 JS: Actually don't propagate into array element 0 
Preserving tainted-url-suffix into array element 0 seemed like a good idea, but didn't work out so well.
 2024-09-12 13:42:36 +02:00
Asger F
0e4e0f4fdd JS: Preverse tainted-url-suffix when stepping into prefix 
A URL of form https://example.com?evil#bar will contain '?evil' after splitting out the '#' suffix, and vice versa.
 2024-09-12 13:42:28 +02:00
Asger F
74ab346348 JS: Do not include taint steps in TaintedUrlSuffix::step 
TaintedUrlSuffix is currently only used in TaintTracking configs meaning it is already propagated
by taint steps. The inclusion of these taint steps here however meant that implicit reads could appear prior to any of these steps.

This was is problematic for PropRead steps as an expression like x[0] could spuriously read from array element 1 via the path:

x [element 1]
x [empty access path] (after implicit read)
x[0] (taint step through PropRead)
 2024-09-12 13:42:25 +02:00
Asger F
2712bf821a JS: Fix a bug in isSafeClientSideUrlProperty 2024-09-12 13:42:23 +02:00
Asger F
bc04131c72 JS: Disallow implicit reads before an optional step 2024-09-12 13:42:22 +02:00
Asger F
3b09bc548e JS: Add taint step for shift() 2024-09-12 13:42:17 +02:00
Asger F
3fcf4ef7a1 JS: More precise model of .shift() 
Array.prototype.shift only returns the first array element.

The mutation of Argument[this] is not yet modelled, and is better handled when we have use-use flow.
 2024-09-12 13:42:15 +02:00
Asger F
e4f7560bcd JS: Add missing qldoc 2024-09-12 13:42:14 +02:00
Asger F
15fc450a9e JS: Add reminder to update ClientSideUrlRedirect 2024-09-12 13:42:13 +02:00
Asger F
da696817a3 JS: Convert 'split' taint step to legacy taint step 2024-09-12 13:42:05 +02:00
Asger F
133b016c7c JS: Remove old 'split' handling from TaintedUrlSuffix 2024-09-12 13:41:56 +02:00
Asger F
e87e543850 JS: Ensure optional steps/barriers are computed in the correct stage 2024-09-12 13:35:38 +02:00
Asger F
7790f68fe2 JS: Make the TaintedUrlSuffix library use optional steps/barriers 2024-09-12 13:35:36 +02:00
Asger F
3b34cd72f2 JS: Handle split() with '#' or '?' separator in a separate summary 
This summary uses the notion of optional steps/barriers so it becomes configurable whether there is flow into the zero'th array element.

Also makes sure we handle the second-argument version of split().
 2024-09-12 13:35:33 +02:00