hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
81,788 Commits 1,672 Branches 157 Tags
codeql-cli-2.22.4
Commit Graph

2852 Commits

Author SHA1 Message Date
Napalys
9a1c1f4be3 JS: Added in RegExpCreationNode maybeGlobal predicate for more convenience. 2024-11-28 12:03:51 +01:00
Napalys
1d2e08a3b6 JS: now Reg Exp injection treats unknownFlags as sanitization, MetacharEscapeSanitizer 2024-11-28 11:26:58 +01:00
Napalys
e673348ed3 JS: now RegExp with unknown flags is not flagged as an issue within password Clear text storage of sensitive information 2024-11-28 11:26:56 +01:00
Napalys
a2c46749c6 JS: fixed issue where MaskingReplacer would work only with regexp literals but not objects 2024-11-28 11:26:55 +01:00
Napalys
c71778f1aa JS: xss does not flag anymore replace with RegExp unknown flags 2024-11-28 11:26:53 +01:00
Napalys
875478c1c6 JS: Fixed path query not flagging new RegExp with DotRemovingReplaceCall 2024-11-28 11:26:45 +01:00
Napalys
a0df33c3ac JS: UnsafeShellCommand Using unknown flags in the RegExp object is no longer flagged as bad sanitization to reduce false positives. 2024-11-28 11:26:43 +01:00
Napalys
23b18aeca9 JS: Now unknown flags are not flagged in taint paths 2024-11-28 11:26:41 +01:00
Napalys
eca7a88615 JS: Fixed docs description 2024-11-28 11:26:40 +01:00
Napalys
7db6f7c721 JS: Added test cases with new RegExp for Tainted paths, currently works only with literals 2024-11-28 11:26:39 +01:00
Napalys
faef9dd877 JS: protyte poluting now treats unknownFlags as potentially good sanitization. 2024-11-28 11:26:38 +01:00
Napalys
18c7b18f82 JS: Now BadHtmlSanitizers new RegExp with unknown flags is also flagged. 2024-11-28 11:26:36 +01:00
Napalys
38be0e4c0a JS: Now BadHtmlSanitizers also flags new RegExp as potential issue 2024-11-28 11:26:34 +01:00
Asger F
805fd0b46e JS: Refine speculative step definition 2024-11-26 15:56:56 +01:00
Asger F
c94a01e6b6 JS: Remove reference to argsParseStep 
This was removed as part of the PR that introduced threat models.
 2024-11-26 15:36:47 +01:00
Asger F
bf62582f53 JS: Implement 'speculativeTaintStep' 
It is a mandatory part of the interface now; just providing a bare-bones implementation for rather than 'none()'
 2024-11-26 15:36:46 +01:00
Asger F
82d61e4194 Merge branch 'js/shared-dataflow-branch' into js/shared-dataflow-merge-main 2024-11-26 15:36:16 +01:00
Napalys Klicius
61e00861e5 Merge pull request #18008 from Napalys/napalys/ES2024-group-functions 
JS: Added support for [Object, Map].groupBy ES2024 feature
 2024-11-21 19:03:57 +01:00
Alexander Eyers-Taylor
c0474c4e45 Revert "Revert "Post-release preparation for codeql-cli-2.19.4"" 2024-11-21 15:37:52 +00:00
Alexander Eyers-Taylor
4effe9e364 Revert "Post-release preparation for codeql-cli-2.19.4" 2024-11-21 14:43:15 +00:00
Napalys Klicius
7ee0a7b398 Update javascript/ql/lib/semmle/javascript/Collections.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2024-11-21 14:02:42 +01:00
Napalys Klicius
edb9b47111 Merge pull request #18047 from Napalys/napalys/ES2023-string-protytpe-toWellFormed 
JS: Added taint-step String.prototype.toWellFormed ES2023 feature
 2024-11-21 14:01:21 +01:00
Asger F
9dad2d62d7 JS: Update DataFlowConsistency 2024-11-21 12:54:11 +01:00
Asger F
ce00bd2cc9 JS: More docs 2024-11-21 11:06:43 +01:00
Asger F
4e62a512c5 JS: Only apply exception propagator when no other summary applies 
Previously a few Promise-related methods were special-cased, which is no longer needed.
 2024-11-21 11:01:05 +01:00
Asger F
948d21ca07 JS: Propagate exceptions from summarized callables by default 2024-11-21 10:24:31 +01:00
Asger F
dcdb2e5133 JS: Fix callback check so it works without parameters 2024-11-21 10:24:29 +01:00
Napalys Klicius
82ca369dce Merge pull request #18005 from Napalys/napalys/ES2022-find-functions 
JS: Added support for Array.prototype.[findLastIndex, findLast] ES2022 feature
 2024-11-21 08:01:19 +01:00
Napalys
43eda58f83 Added change notes 2024-11-20 17:44:36 +01:00
Napalys
afc2d3e6d2 JS: Add: String.protytpe.toWellFormed to StringManipulationTaintStep 2024-11-20 17:42:25 +01:00
Napalys
64c45debdb JS: removed unnecessary getALocalSource from ArrayCallBackDataFlowStep 2024-11-20 14:57:00 +01:00
Napalys
9dbf7d1828 JS: removed unnecessary getALocalSource from ArrayCallBackDataTaintStep 2024-11-20 14:54:06 +01:00
Napalys
cdf43f7118 Added change notes 2024-11-20 14:06:44 +01:00
Asger F
d52bc971b8 Merge branch 'main' into js/shared-dataflow-merge-main 2024-11-20 14:05:03 +01:00
Napalys Klicius
a957e00fe5 Merge branch 'main' into napalys/ES2024-group-functions 2024-11-20 14:03:31 +01:00
Napalys
58faa2d71e JS: Add: dataflow step for static method of groupBy from Map. 2024-11-20 13:34:11 +01:00
github-actions[bot]
3909df75dc Post-release preparation for codeql-cli-2.19.4 2024-11-19 17:54:03 +00:00
Alex Eyers-Taylor
ef3fc5e29f Fix broken changelog. 2024-11-19 16:34:30 +00:00
github-actions[bot]
9783a11565 Release preparation for version 2.19.4 2024-11-19 16:21:37 +00:00
Napalys
28ead4011a JS: Add: taint step to handle propagation of data flow from the array to callback 2024-11-19 14:15:15 +01:00
Asger F
d1c9e47d23 JS: More aggressive test file classification 2024-11-19 13:23:32 +01:00
Asger F
01669908f2 JS: Block InsecureRandomness flow into test files 2024-11-19 13:23:31 +01:00
Asger F
80a5a5909e JS: Use getUnderlyingValue() a few places in VariableCapture 2024-11-19 13:23:29 +01:00
Napalys
c03d69af1e JS: Add: dataflow step for find, findLast, findLastIndex callback functions 2024-11-19 09:42:11 +01:00
Napalys
1b0f8aa657 JS: removed unnecessary findlast module import 2024-11-19 09:30:05 +01:00
Napalys
72a69cfa17 Added change notes 2024-11-19 08:24:36 +01:00
Asger F
023dcce400 JS: Disable variable capture heuristic 
Bailing out can be more expensive as the resulting jump steps themselves
cause perf issues. The limit of 100 variables per scope has also been
added in the interim, which handles the cases that this needed to cover.
 2024-11-18 13:44:10 +01:00
Asger F
37676f41aa JS: Remove jump steps from IIFE steps 2024-11-18 13:38:34 +01:00
Asger F
7acc5689cf JS: Port exception steps to a universal summary 2024-11-18 13:27:58 +01:00
Napalys
213ce225e0 JS: Add: taint step for Object.groupBy function, fixed test cases from 8ae05d8be4 2024-11-18 12:58:07 +01:00