hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,246 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.0
Commit Graph

2871 Commits

Author SHA1 Message Date
github-actions[bot]
79be301984 Post-release preparation for codeql-cli-2.19.0 2024-09-16 14:09:32 +00:00
github-actions[bot]
acdafd9646 Release preparation for version 2.19.0 2024-09-16 10:56:10 +00:00
Dave Bartolomeo
485fc04029 Initial merge from main 2024-09-15 08:55:31 -04:00
Asger F
1df69ec1d2 JS: Actually don't propagate into array element 0 
Preserving tainted-url-suffix into array element 0 seemed like a good idea, but didn't work out so well.
 2024-09-12 13:42:36 +02:00
Asger F
0e4e0f4fdd JS: Preverse tainted-url-suffix when stepping into prefix 
A URL of form https://example.com?evil#bar will contain '?evil' after splitting out the '#' suffix, and vice versa.
 2024-09-12 13:42:28 +02:00
Asger F
74ab346348 JS: Do not include taint steps in TaintedUrlSuffix::step 
TaintedUrlSuffix is currently only used in TaintTracking configs meaning it is already propagated
by taint steps. The inclusion of these taint steps here however meant that implicit reads could appear prior to any of these steps.

This was is problematic for PropRead steps as an expression like x[0] could spuriously read from array element 1 via the path:

x [element 1]
x [empty access path] (after implicit read)
x[0] (taint step through PropRead)
 2024-09-12 13:42:25 +02:00
Asger F
2712bf821a JS: Fix a bug in isSafeClientSideUrlProperty 2024-09-12 13:42:23 +02:00
Asger F
bc04131c72 JS: Disallow implicit reads before an optional step 2024-09-12 13:42:22 +02:00
Asger F
3b09bc548e JS: Add taint step for shift() 2024-09-12 13:42:17 +02:00
Asger F
3fcf4ef7a1 JS: More precise model of .shift() 
Array.prototype.shift only returns the first array element.

The mutation of Argument[this] is not yet modelled, and is better handled when we have use-use flow.
 2024-09-12 13:42:15 +02:00
Asger F
e4f7560bcd JS: Add missing qldoc 2024-09-12 13:42:14 +02:00
Asger F
15fc450a9e JS: Add reminder to update ClientSideUrlRedirect 2024-09-12 13:42:13 +02:00
Asger F
da696817a3 JS: Convert 'split' taint step to legacy taint step 2024-09-12 13:42:05 +02:00
Asger F
133b016c7c JS: Remove old 'split' handling from TaintedUrlSuffix 2024-09-12 13:41:56 +02:00
Asger F
e87e543850 JS: Ensure optional steps/barriers are computed in the correct stage 2024-09-12 13:35:38 +02:00
Asger F
7790f68fe2 JS: Make the TaintedUrlSuffix library use optional steps/barriers 2024-09-12 13:35:36 +02:00
Asger F
3b34cd72f2 JS: Handle split() with '#' or '?' separator in a separate summary 
This summary uses the notion of optional steps/barriers so it becomes configurable whether there is flow into the zero'th array element.

Also makes sure we handle the second-argument version of split().
 2024-09-12 13:35:33 +02:00
Asger F
24983a5836 JS: Add OptionalStep and OptionalBarrier MaD tokens 
OptionalStep[foo] and OptionalBarrier[foo] contribute steps/barriers that are not active by default, but can be opted into by specific queries or for specific flow states.

(Will be used in the following commits)
 2024-09-12 13:30:39 +02:00
Sid Shankar
bc70d5ceb1 Adds change note 2024-09-11 00:52:21 +00:00
Asger F
87454a4f11 JS: Remove unused predicate 2024-09-10 14:44:49 +02:00
github-actions[bot]
97edff3f70 Post-release preparation for codeql-cli-2.18.4 2024-09-09 18:45:46 +00:00
github-actions[bot]
91537cdf9a Release preparation for version 2.18.4 2024-09-09 16:08:48 +00:00
Asger F
3d4287b7cc JS: Remove ContentSet#asArrayIndex() 
For ContentSet it is ambiguous whether asArrayIndex() should get a singleton content set, or the KnownArrayElement content set. The user will now have to choose between asSingleton().asArrayIndex() or ContentSet::arrayElementKnown.
 2024-09-09 13:28:32 +02:00
Asger F
013d226ae3 JS: Update comment 2024-09-09 13:26:27 +02:00
Asger F
55d4e7e742 JS: Use ArrayElementKnown when reading a constant array index 2024-09-09 13:26:25 +02:00
Asger F
094112c905 Merge pull request #17213 from asgerf/jss/spread-argument 
JS: Improve handling of spread arguments and rest parameters [shared data flow branch]
 2024-09-09 13:15:22 +02:00
Asger F
fb9732a33f JS: Add another test and TODO about an issue with constant array indices 2024-09-06 08:43:11 +02:00
Asger F
a9a8351cce JS: Fix one case of missing handling of unknown array index 2024-09-06 08:43:09 +02:00
Asger F
92bb4b3da8 JS: Address some comments from hvitved 2024-09-05 11:32:07 +02:00
erik-krogh
e2b16bd8f9 add some change-notes 2024-09-03 22:06:07 +02:00
erik-krogh
0fdd06fff5 use my script to delete outdated deprecations 2024-09-03 20:30:58 +02:00
Henry Mercer
3490067316 Merge branch 'main' into henrymercer/rc-3.15-mergeback 2024-08-29 19:48:01 +01:00
Asger F
4568967a76 JS: Do not use legacy taint steps in TaintedUrlSuffix 
Tainted URL suffix steps are added as configuration-specific additional
steps, which means implicit reads may occur before any of these steps.

These steps accidentally included the legacy taint steps which include
a step from 'arguments' to all positional parameters. Combined with the
implicit read, arguments could escape their array index and flow to
any parameter while in the tainted-url flow state.
 2024-08-29 13:48:30 +02:00
Asger F
a2d53c261b JS: Update test output and add related TODO in model of 'async' 2024-08-27 11:35:35 +02:00
Asger F
837a8be1b8 JS: Update test output and add related TODO in 'markdown-table' model 2024-08-27 11:35:34 +02:00
Asger F
371f7ef551 JS: Add implicit taint read of array elements 2024-08-27 11:35:31 +02:00
Asger F
4389b5c999 JS: Fix issue for .apply() calls 2024-08-27 11:35:28 +02:00
Asger F
34e6864fa3 JS: Note issue with .apply() calls 2024-08-27 11:35:27 +02:00
Asger F
ac1dd1850e JS: Remove taint step from array element to whole array 2024-08-27 11:35:26 +02:00
Asger F
895cb872ad JS: Add taint into dynamic argument array 2024-08-27 11:35:24 +02:00
Asger F
6a083136d7 JS: Hide some nodes 2024-08-27 11:35:22 +02:00
Asger F
acdc896c04 JS: Support for dynamic args to flow summaries 2024-08-27 11:35:21 +02:00
Asger F
53a2a66dd0 Add new nodes to early stage 2024-08-27 11:35:20 +02:00
Asger F
60c3d077b2 Update DataFlowImplConsistency.qll 2024-08-27 11:35:17 +02:00
Asger F
bbb1c8c374 Remove old arguments-array position 2024-08-27 11:35:16 +02:00
Asger F
ed33a6e91b JS: Add explicit model of .join() 2024-08-27 11:35:15 +02:00
Asger F
fa7ad03068 JS: Add store/load steps for the new argument arrays 2024-08-27 11:35:15 +02:00
Asger F
623dbda77d Do not pass regular positional args into the rest parameter 2024-08-27 11:35:14 +02:00
Asger F
a72f79576a JS: Add corresponding argument positions 2024-08-27 11:35:13 +02:00
Asger F
6c7d745a2b JS: Add nodes for static/dynamic argument/parameter arrays 2024-08-27 11:35:12 +02:00