hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
79,688 Commits 1,671 Branches 157 Tags
codeql-cli-2.22.0
Commit Graph

2712 Commits

Author SHA1 Message Date
Asger F
3fcf4ef7a1 JS: More precise model of .shift() 
Array.prototype.shift only returns the first array element.

The mutation of Argument[this] is not yet modelled, and is better handled when we have use-use flow.
 2024-09-12 13:42:15 +02:00
Asger F
e4f7560bcd JS: Add missing qldoc 2024-09-12 13:42:14 +02:00
Asger F
15fc450a9e JS: Add reminder to update ClientSideUrlRedirect 2024-09-12 13:42:13 +02:00
Asger F
da696817a3 JS: Convert 'split' taint step to legacy taint step 2024-09-12 13:42:05 +02:00
Asger F
133b016c7c JS: Remove old 'split' handling from TaintedUrlSuffix 2024-09-12 13:41:56 +02:00
Asger F
e87e543850 JS: Ensure optional steps/barriers are computed in the correct stage 2024-09-12 13:35:38 +02:00
Asger F
7790f68fe2 JS: Make the TaintedUrlSuffix library use optional steps/barriers 2024-09-12 13:35:36 +02:00
Asger F
3b34cd72f2 JS: Handle split() with '#' or '?' separator in a separate summary 
This summary uses the notion of optional steps/barriers so it becomes configurable whether there is flow into the zero'th array element.

Also makes sure we handle the second-argument version of split().
 2024-09-12 13:35:33 +02:00
Asger F
24983a5836 JS: Add OptionalStep and OptionalBarrier MaD tokens 
OptionalStep[foo] and OptionalBarrier[foo] contribute steps/barriers that are not active by default, but can be opted into by specific queries or for specific flow states.

(Will be used in the following commits)
 2024-09-12 13:30:39 +02:00
Sid Shankar
bc70d5ceb1 Adds change note 2024-09-11 00:52:21 +00:00
Asger F
87454a4f11 JS: Remove unused predicate 2024-09-10 14:44:49 +02:00
github-actions[bot]
97edff3f70 Post-release preparation for codeql-cli-2.18.4 2024-09-09 18:45:46 +00:00
github-actions[bot]
91537cdf9a Release preparation for version 2.18.4 2024-09-09 16:08:48 +00:00
Asger F
3d4287b7cc JS: Remove ContentSet#asArrayIndex() 
For ContentSet it is ambiguous whether asArrayIndex() should get a singleton content set, or the KnownArrayElement content set. The user will now have to choose between asSingleton().asArrayIndex() or ContentSet::arrayElementKnown.
 2024-09-09 13:28:32 +02:00
Asger F
013d226ae3 JS: Update comment 2024-09-09 13:26:27 +02:00
Asger F
55d4e7e742 JS: Use ArrayElementKnown when reading a constant array index 2024-09-09 13:26:25 +02:00
Asger F
094112c905 Merge pull request #17213 from asgerf/jss/spread-argument 
JS: Improve handling of spread arguments and rest parameters [shared data flow branch]
 2024-09-09 13:15:22 +02:00
Asger F
fb9732a33f JS: Add another test and TODO about an issue with constant array indices 2024-09-06 08:43:11 +02:00
Asger F
a9a8351cce JS: Fix one case of missing handling of unknown array index 2024-09-06 08:43:09 +02:00
Asger F
92bb4b3da8 JS: Address some comments from hvitved 2024-09-05 11:32:07 +02:00
erik-krogh
e2b16bd8f9 add some change-notes 2024-09-03 22:06:07 +02:00
erik-krogh
0fdd06fff5 use my script to delete outdated deprecations 2024-09-03 20:30:58 +02:00
Henry Mercer
3490067316 Merge branch 'main' into henrymercer/rc-3.15-mergeback 2024-08-29 19:48:01 +01:00
Asger F
4568967a76 JS: Do not use legacy taint steps in TaintedUrlSuffix 
Tainted URL suffix steps are added as configuration-specific additional
steps, which means implicit reads may occur before any of these steps.

These steps accidentally included the legacy taint steps which include
a step from 'arguments' to all positional parameters. Combined with the
implicit read, arguments could escape their array index and flow to
any parameter while in the tainted-url flow state.
 2024-08-29 13:48:30 +02:00
Asger F
a2d53c261b JS: Update test output and add related TODO in model of 'async' 2024-08-27 11:35:35 +02:00
Asger F
837a8be1b8 JS: Update test output and add related TODO in 'markdown-table' model 2024-08-27 11:35:34 +02:00
Asger F
371f7ef551 JS: Add implicit taint read of array elements 2024-08-27 11:35:31 +02:00
Asger F
4389b5c999 JS: Fix issue for .apply() calls 2024-08-27 11:35:28 +02:00
Asger F
34e6864fa3 JS: Note issue with .apply() calls 2024-08-27 11:35:27 +02:00
Asger F
ac1dd1850e JS: Remove taint step from array element to whole array 2024-08-27 11:35:26 +02:00
Asger F
895cb872ad JS: Add taint into dynamic argument array 2024-08-27 11:35:24 +02:00
Asger F
6a083136d7 JS: Hide some nodes 2024-08-27 11:35:22 +02:00
Asger F
acdc896c04 JS: Support for dynamic args to flow summaries 2024-08-27 11:35:21 +02:00
Asger F
53a2a66dd0 Add new nodes to early stage 2024-08-27 11:35:20 +02:00
Asger F
60c3d077b2 Update DataFlowImplConsistency.qll 2024-08-27 11:35:17 +02:00
Asger F
bbb1c8c374 Remove old arguments-array position 2024-08-27 11:35:16 +02:00
Asger F
ed33a6e91b JS: Add explicit model of .join() 2024-08-27 11:35:15 +02:00
Asger F
fa7ad03068 JS: Add store/load steps for the new argument arrays 2024-08-27 11:35:15 +02:00
Asger F
623dbda77d Do not pass regular positional args into the rest parameter 2024-08-27 11:35:14 +02:00
Asger F
a72f79576a JS: Add corresponding argument positions 2024-08-27 11:35:13 +02:00
Asger F
6c7d745a2b JS: Add nodes for static/dynamic argument/parameter arrays 2024-08-27 11:35:12 +02:00
Asger F
7cfe3dae85 JS: Port step for dynamic imports 2024-08-23 10:07:28 +02:00
Asger F
423fd04545 JS: Update new xsjs-specific code to respect TEarlyStageNode 2024-08-22 13:22:35 +02:00
Asger F
c54f5858b1 Merge branch 'main' into js/shared-dataflow-merge-main 2024-08-22 13:22:05 +02:00
Asger F
a1688f6a1a Merge pull request #17240 from knewbury01/knewbury01/fix-helmetrequiredsetting-model 
Update JS helmet model structure
 2024-08-22 11:59:28 +02:00
Asger F
09aca6b47e Merge pull request #17212 from mbaluda/main 
Add support for importing NPM modules in XSJS sources
 2024-08-22 10:54:33 +02:00
github-actions[bot]
0724fd7ce2 Post-release preparation for codeql-cli-2.18.3 2024-08-21 18:25:54 +00:00
github-actions[bot]
17cd9624fb Release preparation for version 2.18.3 2024-08-21 17:13:52 +00:00
Asger F
9ee7599aeb JS: Move AngularJSTemplateUrlSink to ClientSideUrlRedirection query 
This is not perfect but at least we can be consistent about keeping URLs-that-lead-to-xss in the same query
 2024-08-16 14:37:13 +02:00
Asger F
2d264052b3 JS: Treat browser message events as client-side sources 2024-08-16 11:02:12 +02:00