hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
81,307 Commits 1,671 Branches 157 Tags
codeql-cli-2.22.2
Commit Graph

11679 Commits

Author SHA1 Message Date
GeekMasher
3b64bd48ab style(js): Update Formatting 2025-06-03 15:59:32 +01:00
GeekMasher
2eb5f10850 feat(js): Add Axios instance support change notes 2025-06-03 15:58:49 +01:00
GeekMasher
6a1cfb6aef feat(js): Add Axios Instance support and add tests 2025-06-03 15:55:23 +01:00
Napalys Klicius
aac56e089a JavaScript: Fix false positive on Flow type annotations in ExprHasNoEffect 2025-06-03 15:26:22 +02:00
Napalys Klicius
46b5ded862 JS: Enhance void context propagation 2025-06-03 15:20:55 +02:00
Napalys Klicius
bf48b59874 JS: Removed exclusion of FunctionExpr from compound statements. 2025-06-03 15:12:26 +02:00
Napalys Klicius
8521c53a40 Renamed test directory to match the query name 
Co-Authored-By: Asger F <316427+asgerf@users.noreply.github.com>
 2025-06-03 14:12:12 +02:00
Napalys Klicius
d1869941c2 Renamed UnhandledStreamPipe.ql to a better fitting name and ID 
As a side effect of merge `security-and-quality` does not contain anymore related new query.

Co-Authored-By: Asger F <316427+asgerf@users.noreply.github.com>
 2025-06-03 13:57:10 +02:00
Napalys Klicius
f6e7059589 Merge branch 'main' into js/quality/stream_pipe 2025-06-03 13:48:41 +02:00
Napalys Klicius
8ba1f3f265 Update javascript/ql/src/Quality/UnhandledStreamPipe.qhelp 
Co-authored-by: Asger F <asgerf@github.com>
 2025-06-03 13:43:45 +02:00
Asger F
9ea4410592 Merge pull request #19587 from asgerf/js/angular2-client-side 
JS: Mark AngularJS $location as client-side remote flow source
 2025-06-03 13:40:01 +02:00
Napalys Klicius
7993f7d8c8 Update qhelp example to more accurately demonstrate flagged cases 2025-06-02 19:08:33 +02:00
Napalys Klicius
bf2f19da56 Update UnhandledStreamPipe.ql 
Address comments

Co-Authored-By: Asger F <316427+asgerf@users.noreply.github.com>
 2025-06-02 19:02:48 +02:00
Napalys Klicius
ae74edb033 Update javascript/ql/src/Quality/UnhandledStreamPipe.ql 
Co-authored-by: Asger F <asgerf@github.com>
 2025-06-02 17:53:54 +02:00
Napalys Klicius
d43695c929 Update javascript/ql/src/Quality/UnhandledStreamPipe.qhelp 
Co-authored-by: Asger F <asgerf@github.com>
 2025-06-02 17:52:42 +02:00
Napalys Klicius
7198372ae5 Update javascript/ql/src/Quality/UnhandledStreamPipe.qhelp 
Co-authored-by: Asger F <asgerf@github.com>
 2025-06-02 17:52:41 +02:00
Napalys Klicius
abd446ae77 Update javascript/ql/src/Quality/UnhandledStreamPipe.ql 
Co-authored-by: Asger F <asgerf@github.com>
 2025-06-02 17:52:40 +02:00
Napalys Klicius
64f00fd0f2 Update javascript/ql/src/Quality/UnhandledStreamPipe.ql 
Co-authored-by: Asger F <asgerf@github.com>
 2025-06-02 17:52:34 +02:00
Napalys Klicius
3cbc4142f0 Update javascript/ql/src/Quality/UnhandledStreamPipe.ql 
Co-authored-by: Asger F <asgerf@github.com>
 2025-06-02 17:40:06 +02:00
Napalys Klicius
aed9e9c883 Merge pull request #19634 from Napalys/js/url_obj_propagation 
JS: Add URL constructor taint tracking for request forgery
 2025-06-02 17:32:44 +02:00
Napalys Klicius
1f256ab71e Added change note 2025-06-02 14:59:43 +02:00
Napalys Klicius
bca1bc7153 JS: Enhance isDomProperty to check for getAPropertyRead on DOM nodes 2025-06-02 14:56:45 +02:00
Napalys Klicius
9b2ef8be10 JS: add test for DOM access where expression appears to have no side effects 2025-06-02 14:54:46 +02:00
Napalys Klicius
c981c4fe30 Update javascript/ql/lib/change-notes/2025-05-30-url-package-taint-step.md 
Co-authored-by: Asger F <asgerf@github.com>
 2025-06-02 13:34:47 +02:00
Napalys Klicius
298ef9ab12 Now able to track error handler registration via instance properties 2025-06-02 11:01:41 +02:00
Napalys Klicius
0b6a747737 Added change note 2025-05-30 18:33:59 +02:00
Napalys Klicius
b9b62fa1c1 JS: Add URL from url package constructor taint step for request forgery detection 2025-05-30 18:32:02 +02:00
Napalys Klicius
19cc3e335f JS: Add test case for RequestForgery with url wrapped via package URL 2025-05-30 18:26:47 +02:00
Napalys Klicius
f843cc02f6 Fix false positives in stream pipe analysis by improving error handler tracking via property access. 2025-05-30 18:08:04 +02:00
Napalys Klicius
d3b2a57fbf Fixed ql warning Expression can be replaced with a cast 2025-05-28 17:34:16 +02:00
Napalys Klicius
2e2b9a9d63 Make predicates private and clarify stream reference naming. 2025-05-28 17:23:55 +02:00
Napalys Klicius
f8f5d8f561 Exclude .pipe detection which are in a test file. 2025-05-28 17:18:39 +02:00
Napalys Klicius
5bb29b6e33 Now flags only .pipe calls which have an error somewhere down the stream, but not on the source stream. 2025-05-28 17:17:43 +02:00
github-actions[bot]
d2c6875eac Post-release preparation for codeql-cli-2.21.4 2025-05-27 18:16:21 +00:00
github-actions[bot]
bfb91e95e3 Release preparation for version 2.21.4 2025-05-27 17:22:05 +00:00
Asger F
076e4a49d5 JS: Mark AngularJS $location as client-side remote flow source 2025-05-27 09:47:43 +02:00
Napalys Klicius
5214cc0407 Excluded ngrx, datorama, angular, react and langchain from stream pipe query. 2025-05-27 09:45:37 +02:00
Napalys Klicius
1f6b3ad929 Update javascript/ql/src/codeql-suites/javascript-security-and-quality.qls 
Co-authored-by: Michael Nebel <michaelnebel@github.com>
 2025-05-27 09:38:24 +02:00
Napalys Klicius
e964b175e6 Added maintainability and error-handling tags 2025-05-26 14:23:20 +02:00
Napalys Klicius
37024ade85 JS: Move query suite selector logic to javascript-security-and-quality.qls 2025-05-26 11:00:48 +02:00
Napalys Klicius
000e69fd48 Replaced fuzzy NonNodeStream MaD to a ql predicate to deal easier with submodules 2025-05-23 13:55:40 +02:00
Napalys Klicius
248f83c4db Added qhelp for UnhandledStreamPipe query 2025-05-23 13:35:36 +02:00
Napalys Klicius
c6db32ed73 Add exceptions for arktype, execa, and highland to prevent them from being flagged by unhandled pipe error query 2025-05-23 12:34:11 +02:00
Napalys Klicius
15ff7cb41a Added more test cases which common js libraries uses .pipe() 2025-05-23 12:30:49 +02:00
Anders Schack-Mulligen
1d30103559 SSA: Distinguish between has and controls branch edge. 2025-05-23 09:56:22 +02:00
Napalys Klicius
b10a9481f3 Fixed false positives from strapi and rxjs/testing as well as when one passes function as second arg to pipe 2025-05-22 18:50:02 +02:00
Napalys Klicius
e6ae8bbde4 Added test cases where second parameter passed to pipe is a function and some popular library ones 2025-05-22 18:50:01 +02:00
Napalys Klicius
ac24fdd348 Add predicate to detect non-stream-like usage in sources of pipe calls 2025-05-22 18:49:59 +02:00
Napalys Klicius
5b1af0c0bd Added detection of custom gulp-plumber sanitizer, thus one would not flag such instances. 2025-05-22 18:49:53 +02:00
Asger F
9202a1b084 Merge pull request #19516 from asgerf/js/npm-package-name-join 
JS: More efficient nested package naming
 2025-05-22 12:46:43 +02:00