hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
81,307 Commits 1,671 Branches 157 Tags
codeql-cli-2.22.2
Commit Graph

2631 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
3791b159fb Merge pull request #7892 from erik-krogh/nanSan 
JS: Add a `isNaN` sanitizer, and use it in queries that already had a typeof check
 2022-02-11 10:13:06 +01:00
Erik Krogh Kristensen
2ffd79d451 Merge pull request #7921 from erik-krogh/snapdragon 
JS: add model for the snapdragon library
 2022-02-11 10:10:55 +01:00
Erik Krogh Kristensen
eb56a5aef3 support more patterns that recognize valid numbers 2022-02-10 19:50:35 +01:00
CodeQL CI
9ebbd9efa1 Merge pull request #7591 from asgerf/js/mysql-sinks 
Approved by esbena
 2022-02-10 12:50:36 +00:00
CodeQL CI
1a91a79b5b Merge pull request #5841 from erik-krogh/libCode 
Approved by esbena, ethanpalm
 2022-02-10 11:36:45 +00:00
Erik Krogh Kristensen
d55920ad27 add model for the snapdragon library 2022-02-10 11:32:59 +01:00
Erik Krogh Kristensen
d6721ec574 implement a isNaN guard for unsafe-shell-command-construction 2022-02-09 09:51:57 +01:00
Erik Krogh Kristensen
4bbb7ad320 Merge pull request #7876 from erik-krogh/zipRelative 
JS: recognize more startswith sanitizers for path-injection queries
 2022-02-08 15:22:39 +01:00
Erik Krogh Kristensen
b59c7911a3 update locations of expected output 2022-02-07 15:23:26 +01:00
Erik Krogh Kristensen
ca5f91e587 recognize more startswith sanitizers for path-injection queries 2022-02-07 14:19:13 +01:00
Erik Krogh Kristensen
d1d4ebb3b5 add values written to the global scope as exports 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
d790f3ccbb add test for unsafe-code-construction query 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
955ad8c458 add JSON.stringify as a code-injection sanitizer 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
68a5c1f5b5 add code-injection sink for calls to node 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
0584a6acaf recognize a nodejs re-exports in a loop 2022-02-07 10:12:38 +01:00
Erik Krogh Kristensen
ab2d3a7ca0 Merge pull request #7828 from Naman-ntc/main 
JS: Adding model for `.get` function of `Map` in Unvalidated Dynamic Method Call
 2022-02-04 20:19:02 +01:00
Erik Krogh Kristensen
edcb3ba902 add file sources from jszip to js/zip-slip 2022-02-04 14:39:49 +01:00
Naman Jain
009c95774e update expected files 2022-02-04 12:28:17 +00:00
Naman Jain
5e1ca3154f Update javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCallGood3.js 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2022-02-04 16:13:05 +05:30
Naman Jain
5121414a53 Update javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCallGood4.js 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2022-02-04 16:12:58 +05:30
Esben Sparre Andreasen
72b5edc144 Document and format event-stream-orig.js 
Some anti-virus products (rightfully) flag this event-stream-orig.js as a malicious file.
This change does two things:
- neutralises the file such that the code can not be run accidentally
- documents the purpose of the file
 2022-02-04 09:27:47 +01:00
Naman Jain
9809d30f00 file renaming and updated expected file 2022-02-03 09:35:17 +00:00
Naman Jain
adc8bf37fe fixed mistake in examples 2022-02-03 09:29:42 +00:00
Naman Jain
aea7054938 modified query and added tests 2022-02-02 19:39:08 +05:30
Erik Krogh Kristensen
0f85a52f09 Merge pull request #7773 from erik-krogh/CWE-367 
JS: add a js/file-system-race query
 2022-02-01 15:36:13 +01:00
Erik Krogh Kristensen
e6c90670e6 Merge pull request #7740 from erik-krogh/CWE-347 
JS: promote the js/jwt-missing-verification query out of experimental
 2022-02-01 13:10:35 +01:00
Erik Krogh Kristensen
7b925604df update expected output 2022-01-28 12:21:33 +01:00
Erik Krogh Kristensen
7aa59ca233 Merge pull request #7633 from erik-krogh/CWE-300 
JS: add js/http-dependency query
 2022-01-28 12:10:14 +01:00
Erik Krogh Kristensen
bf9bcc9600 add a js/file-system-race query 2022-01-28 09:41:12 +01:00
Stephan Brandauer
b7690e5e6b Merge pull request #7734 from kaeluka/js-add-node-prefix-to-module-import 
js: add support for the 'node:' prefix for importing internal modules
 2022-01-26 10:15:08 +01:00
Erik Krogh Kristensen
de633940fe promote the js/jwt-missing-verification query out of exeprimental 2022-01-26 09:35:54 +01:00
Stephan Brandauer
4ee290acd3 update test for 'node:' prefix 2022-01-25 14:25:44 +01:00
Stephan Brandauer
20ea825e4a test for 'node:' prefix for importing node modules 2022-01-25 13:43:16 +01:00
Erik Krogh Kristensen
cc527bdecd Merge pull request #7721 from erik-krogh/CWE-1275 
JS: add a js/samesite-none-cookie cookie
 2022-01-25 13:28:08 +01:00
Erik Krogh Kristensen
d4bac887cf add a js/samesite-none-cookie cookie 2022-01-24 21:39:41 +01:00
Erik Krogh Kristensen
ef2eacebce add a js/empty-password-in-configuration-file query 2022-01-19 10:48:45 +01:00
Erik Krogh Kristensen
b7a0b8765e add js/http-dependency query 2022-01-19 10:05:39 +01:00
Erik Krogh Kristensen
2433eafef2 add query for detecting insecure temprary files 2022-01-18 14:54:56 +01:00
Asger Feldthaus
708408a458 JS: Recognize "sql" option as a query string 2022-01-13 13:04:41 +01:00
Erik Krogh Kristensen
1a8b6d7414 recognize ranges without upper bounds 2022-01-07 18:38:01 +01:00
Erik Krogh Kristensen
acaf294bee support a limited number of regexp ranges 2022-01-07 18:36:30 +01:00
CodeQL CI
39ec7132af Merge pull request #7049 from asgerf/js/routing-trees 
Approved by erik-krogh
 2021-12-17 12:26:38 +00:00
CodeQL CI
acbf7913b2 Merge pull request #7408 from asgerf/js/trusted-types-sinks 
Approved by esbena
 2021-12-16 08:59:51 +00:00
Asger Feldthaus
4d85799fc7 JS: Add test for fastify-rate-limit 2021-12-15 16:18:22 +01:00
Asger Feldthaus
615b2ec539 JS: Fix handling of fastify-plugin 2021-12-15 16:04:46 +01:00
Asger Feldthaus
7e947b2a65 JS: Use return value of trusted type policy callback as a sink 2021-12-14 13:28:46 +01:00
Ian Wright
1c79d1f985 Merge pull request #7352 from github/esbena/atm-endpoint-polish 
ATM Endpoint filtering improvements
 2021-12-14 08:19:23 +00:00
Erik Krogh Kristensen
de4458346f Merge pull request #7344 from SZFsir/main 
JS: Improve inter-procedural type inference for FunctionExpr
 2021-12-13 21:58:53 +01:00
Esben Sparre Andreasen
c66d29998e update test output for additional DatabaseAccesses 2021-12-13 13:42:28 +01:00
Esben Sparre Andreasen
9ffc02944d add file write model for express-fileupload mv 2021-12-10 15:05:34 +01:00