4844 Commits

Author	SHA1	Message	Date
Asger F	41dd63adc7	Handle forwardRef in React	2023-03-13 11:30:18 +01:00
Asger F	856b50735d	JS: Expand test case	2023-03-07 13:04:26 +01:00
Asger F	d4b4d22378	JS: Step through HTML sanitizers in SQL injection query	2023-03-06 15:10:26 +01:00
Asger F	f4b13e0955	JS: Update printAst expected output	2023-03-03 13:42:42 +01:00
Asger F	7a55b003d2	JS: Fix location of assert clause	2023-03-03 12:21:20 +01:00
Asger F	38194c6ae7	JS: Extract import assertions to DB	2023-03-03 12:21:20 +01:00
erik-krogh	a6c9af4182	add the html argument to the jQuery functions as an XSS sink	2023-03-03 11:09:53 +01:00
erik-krogh	94870b838f	add failing test	2023-03-03 11:08:33 +01:00
Erik Krogh Kristensen	50aa5e072a	Merge pull request #12177 from erik-krogh/alias-html ... JS: More precise type-test sanitizer guards in unsafe-html-construction	2023-02-27 18:16:11 +01:00
Erik Krogh Kristensen	927c322b7b	Merge pull request #11769 from erik-krogh/moreSan ... JS: Sanitizer for `sanitizer(x) === true`	2023-02-27 15:48:34 +01:00
Alex Ford	7c85448cba	Merge pull request #12080 from alexrford/js-use-shared-cryptography ... JS: Use shared `CryptographicOperation` concept	2023-02-27 12:26:38 +00:00
erik-krogh	0e60fc5512	Merge branch 'main' into alias-html	2023-02-27 09:16:25 +01:00
Erik Krogh Kristensen	f8f926ad50	Merge pull request #12175 from erik-krogh/reg-input ... JS: add process.env and process.argv etc. as source for `js/regex-injection`	2023-02-27 09:12:02 +01:00
Alex Ford	1556b1a728	Merge branch 'main' into js-use-shared-cryptography	2023-02-15 17:13:53 +00:00
erik-krogh	51ddb55d7b	use tainted-object to precisely model that plain object are fine, but their properties are not	2023-02-15 15:02:03 +01:00
erik-krogh	b7305fd229	also consider relative exports when finding library inputs	2023-02-14 21:08:13 +01:00
erik-krogh	393649b7ce	don't call environment variables for command-line arguments	2023-02-14 14:27:41 +01:00
erik-krogh	36478124ae	add process.env and process.argv etc. as source for js/regex-injection	2023-02-14 14:21:53 +01:00
erik-krogh	943bdeca6d	make appliesTo recursive	2023-02-14 14:16:45 +01:00
erik-krogh	9549cac3e5	add an additional barrier guard that finds "=== true" versions of previous barrier guards	2023-02-14 14:15:23 +01:00
erik-krogh	c355a26657	add failing test	2023-02-14 14:12:35 +01:00
Erik Krogh Kristensen	2f8c9a5a2c	Merge pull request #12171 from erik-krogh/reg-dot ... JS: dont recognize regexps that match dot as sanitizers	2023-02-14 14:10:44 +01:00
Erik Krogh Kristensen	e3e2df3247	Merge pull request #12166 from erik-krogh/more-html-san ... JS: add `HtmlSanitizer` as a sanitizer DOMBasedXss	2023-02-14 14:09:56 +01:00
Erik Krogh Kristensen	028fcc7edf	Merge pull request #11959 from erik-krogh/ssrfSan ... JS: add encodeURIComponent as a sanitizer for request-forgery	2023-02-14 13:39:53 +01:00
Erik Krogh Kristensen	a498936f16	Merge pull request #12170 from erik-krogh/more-lib ... JS: More library inputs	2023-02-14 13:38:00 +01:00
erik-krogh	4140598769	update expected output for experimental query	2023-02-14 00:08:13 +01:00
erik-krogh	c17d057520	default to index.js when no main: is specified in package.json, and recognize more classes as library inputs	2023-02-13 21:24:41 +01:00
erik-krogh	68656274f4	dont recognize regexps that match dot as sanitizers	2023-02-13 17:36:51 +01:00
erik-krogh	6192544fb4	add test for express-ws as a source	2023-02-13 15:26:50 +01:00
erik-krogh	b85bfc8ba6	add HtmlSanitizer as a sanitizer for DOMBasedXss	2023-02-13 11:57:29 +01:00
erik-krogh	c258e44772	add failing test for spurious edge through sanitizer	2023-02-13 11:49:57 +01:00
Alex Ford	7768026e70	Merge branch 'main' into js-use-shared-cryptography	2023-02-03 15:18:30 +00:00
Alex Ford	e17b3d975d	JS: pick up CryptographicKeys used in asmCrypto encrypt/decrypt calls	2023-02-03 12:16:25 +00:00
Alex Ford	6b2a92a7ca	JS: update CryptographicKey.expected	2023-02-03 12:12:47 +00:00
Alex Ford	b0b8f8725e	JS: add some CryptographicOperation#getBlockMode() tests	2023-02-02 20:30:30 +00:00
Alex Ford	aa2c532a78	JS: adjust test whitespace	2023-02-02 20:30:30 +00:00
Alex Ford	c25dc978df	JS: add blockMode to CryptographicOperation tests	2023-02-02 20:30:30 +00:00
Alex Ford	983055b8f9	JS: Use shared CryptographicOperation concept and implement BlockMode getBlockMode()	2023-02-02 20:30:30 +00:00
yoff	7ae389bb28	Merge pull request #12026 from erik-krogh/nodePty ... JS: add code-injection sink for node-pty	2023-01-31 13:27:32 +01:00
erik-krogh	02da718786	add code-injection sink for node-pty	2023-01-30 15:14:25 +01:00
erik-krogh	e3455a9b21	add support for axios used as a global variable	2023-01-29 22:55:20 +01:00
Erik Krogh Kristensen	99bad77972	Merge pull request #11906 from erik-krogh/moreStem ... JS: expand what is parsed as the stem of a pathexpr	2023-01-25 08:44:44 +01:00
erik-krogh	49f5e89f36	update expected output for experimental query	2023-01-23 22:29:49 +01:00
Erik Krogh Kristensen	fc66c905ff	Merge pull request #11859 from erik-krogh/moreShell ... JS: slightly broaden the regular expression that recognizes bad string-concats used as shell commands	2023-01-23 22:26:17 +01:00
Erik Krogh Kristensen	a10b45e0db	Merge pull request #11927 from mvogelgesang/express-rate-limit ... JS: Updated express-rate-limit example to match implementation examples f…	2023-01-23 14:37:50 +01:00
erik-krogh	3cece50f78	add encodeURIComponent as a sanitizer for request-forgery	2023-01-23 13:53:53 +01:00
erik-krogh	be8ef1b324	add failing test	2023-01-23 13:52:36 +01:00
Erik Krogh Kristensen	1ee9957838	Merge pull request #9807 from erik-krogh/endFilter ... JS: recognize "-->" as a bad tag filter	2023-01-23 10:06:50 +01:00
Mark Vogelgesang	c9119848d9	Updated express-rate-limit example to match implementation examples found on packages README	2023-01-18 14:42:40 -05:00
erik-krogh	4b74dec18f	expand what is parsed as the stem of a pathexpr	2023-01-17 21:28:21 +01:00