1986 Commits

Author	SHA1	Message	Date
Napalys Klicius	b19d1e0f57	Merge pull request #20151 from Napalys/js/command-line-libs ... JS: Enhance command injection detection for CLI argument parsing libraries	2025-08-18 09:32:29 +02:00
Napalys Klicius	ae4077db72	add taint flow for arg/command-line-args with custom argv option	2025-08-01 13:34:08 +02:00
Napalys Klicius	d6508f34b6	Add taint flow for Commander.js direct property access and action callbacks	2025-08-01 13:24:19 +02:00
Napalys Klicius	39170f327c	Added couple more test cases for commander js	2025-08-01 13:14:39 +02:00
Napalys Klicius	6b4e34dd39	Added a step from parse to opts for commander js	2025-08-01 13:12:43 +02:00
Napalys Klicius	e980798ede	Added step through yargs/yargs constructor and chained methods.	2025-08-01 12:01:30 +02:00
Napalys Klicius	e8eb9be3f6	Add command injection tests for CLI argument parsing libraries	2025-08-01 11:02:59 +02:00
Napalys Klicius	d28a6e6352	Added new test cases for regexp injection with enviromental variable threat model enabled	2025-07-31 13:20:37 +02:00
Napalys Klicius	8583257574	Created new folder for test with threat models disabled	2025-07-31 13:20:30 +02:00
Napalys Klicius	5f538209c9	Exlucde environmental variables from default detection in regexp injection	2025-07-31 12:09:30 +02:00
Napalys Klicius	3d9e2f5438	Merge pull request #19858 from Napalys/js/execa ... JS: moved `execa` out of experimental	2025-06-25 10:34:52 +02:00
Asger F	d39b68cd41	Merge pull request #19849 from asgerf/js/remove-legacy-actions-queries ... JS: Remove legacy actions queries	2025-06-25 09:18:33 +02:00
Asger F	853fc1a7cf	Merge pull request #19852 from asgerf/js/react-use-server ... JS: Model React 'use' and 'use server'	2025-06-25 09:13:56 +02:00
Napalys Klicius	0902ca0605	JS: address copilot suggestions	2025-06-24 11:37:07 +02:00
Napalys Klicius	d05de1ba4e	JS: moved execa test cases outside experimental	2025-06-24 09:08:13 +02:00
Napalys Klicius	ef51ab172f	JS: exclude sinon module from regexp match calls	2025-06-23 20:25:17 +02:00
Napalys Klicius	584b4f51aa	JS: add false positive test cases for hostname regex detection	2025-06-23 20:25:10 +02:00
Asger F	61887beae0	JS: Add test case for false positive	2025-06-23 16:03:41 +02:00
Asger F	76b7228160	JS: Remove js/actions/command-injection ... Superseded by actions/command-injection/{medium,critical}	2025-06-23 14:41:26 +02:00
Asger F	9dcb61e771	JS: Remove js/actions/actions-artifact-leak ... Superseded by actions/secrets-in-artifacts	2025-06-23 14:39:28 +02:00
Napalys Klicius	3fbe348f99	Merge pull request #19784 from Napalys/js/express_middleware ... JS: Improve Express middleware taint tracking	2025-06-20 15:36:26 +02:00
Napalys Klicius	f80651e78a	Merge pull request #19750 from Napalys/js/remove_encodeURI ... JS: remove `encodeURI` from sanitizer list of request forgery	2025-06-19 14:12:52 +02:00
Napalys Klicius	060b98d36c	JS: enchance middleware taint tracking via local source	2025-06-17 08:30:19 +02:00
Napalys Klicius	da21a064ac	JS: add _parsedUrl as remote input source	2025-06-16 16:28:30 +02:00
Napalys Klicius	67aac7abfa	JS: add test cases for middleware property assignment tracking	2025-06-16 16:26:08 +02:00
Napalys Klicius	bdbc49c63f	JS: Removed encodeURI from request forgery sanitizer list	2025-06-16 13:08:11 +02:00
Napalys Klicius	deb715a517	JS: Add test case with encodeURI for request forgery	2025-06-16 10:49:29 +02:00
Napalys Klicius	5a107ec33b	JS: track taint through serialize-javascript calls with object arguments	2025-06-16 10:38:20 +02:00
Napalys Klicius	a96ea182c7	JS: add test cases for serialize-javascript with tainted object properties	2025-06-16 09:30:52 +02:00
Asger F	423ffc78db	Merge pull request #19078 from asgerf/js/name-resolution ... JS: QL-side type/name resolution for TypeScript and JSDoc	2025-06-11 14:17:11 +02:00
Napalys Klicius	b9b62fa1c1	JS: Add URL from url package constructor taint step for request forgery detection	2025-05-30 18:32:02 +02:00
Napalys Klicius	19cc3e335f	JS: Add test case for RequestForgery with url wrapped via package URL	2025-05-30 18:26:47 +02:00
Asger F	9bcc62002d	JS: Fix regression from global declare vars	2025-05-20 13:20:35 +02:00
Asger F	27979c6a2f	JS: Add regression tests for declared globals	2025-05-20 13:20:34 +02:00
Asger F	57811edc44	JS: Some test updates	2025-05-20 13:20:16 +02:00
Asger F	aea676df3c	Merge pull request #19445 from asgerf/js/summaries-with-fallback ... JS: Generate flow summaries from summaryModels; only generate steps as a fallback	2025-05-13 14:49:38 +02:00
Napalys Klicius	d1e769ba54	Merge pull request #19422 from Napalys/js/shelljs ... JS: Modeling of `ShellJS` functions	2025-05-02 14:18:44 +02:00
Asger F	16fc8c3d9e	JS: Benign test updates	2025-05-02 11:09:19 +02:00
Napalys Klicius	d4b5ef6a66	Refactor process.env handling in CleartextLogging and IndirectCommandInjection modules to use ThreatModelSource	2025-05-01 11:14:15 +02:00
Napalys Klicius	33d8ffa83e	Added test cases for shelljs.env	2025-05-01 11:11:29 +02:00
Napalys Klicius	71f1b82a56	Added support for fastify.all	2025-04-30 14:54:09 +02:00
Napalys Klicius	6d61766366	Added test case for fastify.all	2025-04-30 14:50:35 +02:00
Napalys Klicius	6de38b1827	Merge pull request #19300 from Napalys/js/fastify ... JS: Added support for `fastify.addHook`	2025-04-29 18:32:25 +02:00
Napalys Klicius	73309fb9dd	Updated modeling of aws-sdk with MaD	2025-04-28 14:00:12 +02:00
Napalys Klicius	42d5b80e81	Added support for AWS.Credentials hardcoded credentials	2025-04-28 14:00:12 +02:00
Napalys Klicius	f69037c176	Added ability to detect direct write to global AWS.config	2025-04-28 14:00:12 +02:00
Napalys Klicius	05e4677fd1	Added ability to detect new AWS.ServiceName cases with hardcoded credentials	2025-04-28 14:00:12 +02:00
Napalys Klicius	e6450a17ec	Added test cases for individual AWS services, direct modification of global credentials and AWS.Credentials	2025-04-28 14:00:12 +02:00
Michael Nebel	2e0ce44fde	Javascript: Update test files.	2025-04-23 15:41:41 +02:00
Napalys	fdfdcc0d93	Undo unnecessary name tracking for request, response objects	2025-04-22 14:16:45 +02:00