hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,246 Commits 1,672 Branches 157 Tags
codeql-cli-2.23.0
Commit Graph

2871 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
6007dfa101 fix qldoc in StoredXssCustomizations 
Co-authored-by: Asger F <asgerf@github.com>
 2022-04-21 09:11:08 +02:00
Erik Krogh Kristensen
b9a7c563d1 fix typo in change note 
Co-authored-by: Asger F <asgerf@github.com>
 2022-04-21 09:09:56 +02:00
Erik Krogh Kristensen
9927a82520 Merge pull request #8789 from erik-krogh/apiIpaBranches 
JS/PY: mention newtype constructors in API graph label classes
 2022-04-20 23:39:46 +02:00
Erik Krogh Kristensen
7e73ecceab add change-note 2022-04-20 23:31:42 +02:00
Erik Krogh Kristensen
ff5b873557 Merge pull request #8773 from erik-krogh/exhaustion 
JS: promote `js/resource-exhaustion` out of experimental
 2022-04-20 19:33:42 +02:00
Erik Krogh Kristensen
9c5f3e9406 remove leftover debug comments 2022-04-20 18:42:46 +02:00
Erik Krogh Kristensen
ef51b46795 JS: mention newtype constructors in API graph label classes 2022-04-20 18:37:19 +02:00
Erik Krogh Kristensen
06394c8dc6 move storedXss sources to the Customizations file 2022-04-20 18:17:49 +02:00
Erik Krogh Kristensen
1c5d59f885 fix an instance of ql/acronyms-should-be-pascal-case 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
ea6b68fc59 add missing qldoc 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
12e60c7a06 move TypeTestGuard to the Query.qll file 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
b1bad271d5 only activate the PrefixString label in Query.qll files 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
8a5b1668f9 move initialization of sanitizer-guards to Query.qll files 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
73dbe44824 remove dead import 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
8d3bd9d7cd move the ExceptionXss sources into the Customizations file 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
25708c5091 move the XssThroughDom sources into the Customizations file 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
ad14bbae90 create a customizations file for StoredXss 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
162a4992a5 move the ReflectedXss sources/sinks into the Customizations file 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
173e1d0262 move the DomBasedXss sources/sinks into the Customizations file 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
9631b68de9 move LocalUrlSanitizingGuard out of the customizations file 2022-04-20 18:10:52 +02:00
Tom Hvitved
ea229d361c Sync files 2022-04-20 13:55:18 +02:00
Asger Feldthaus
fec2837c1e JS: Ensure accessors do not appear to be calls 2022-04-20 11:14:42 +02:00
Asger Feldthaus
37a76f4441 JS: PropWrite is not a SourceNode 2022-04-20 11:14:41 +02:00
Asger Feldthaus
7d5c80433d JS: Handle accessor-calls to static accessors 2022-04-20 11:14:41 +02:00
Asger Feldthaus
37b3a6e5c0 JS: Add ClassNode.getStaticMember 2022-04-20 11:14:41 +02:00
Erik Krogh Kristensen
10130eef6d Merge pull request #8678 from erik-krogh/fileSource 
JS: Add files as a source for `js/xss-through-dom`
 2022-04-20 09:18:38 +02:00
Stephan Brandauer
2fb3147b7b Merge pull request #8430 from kaeluka/js/CVE-2022-24718 
JS: Add taint step for handlebars model
 2022-04-19 15:57:58 +01:00
Erik Krogh Kristensen
4b6d8e6865 add missing qldoc 2022-04-19 10:56:58 +02:00
Erik Krogh Kristensen
e0b5197d3c a slight refactor 2022-04-18 22:21:41 +02:00
Erik Krogh Kristensen
7f592a6c64 merge Clipboard.qll and DragAndDrop.qll, and support InputEvent 2022-04-18 22:17:31 +02:00
Erik Krogh Kristensen
4c97f68a3d remove postmessage events as source for js/resource-exhaustion 2022-04-13 23:14:42 +02:00
Erik Krogh Kristensen
51a0b6d501 remove client-side remote-flow from js/resource-exhaustion 2022-04-13 23:05:59 +02:00
Erik Krogh Kristensen
41bdd8f4da minor fixes 2022-04-13 10:11:07 +02:00
Erik Krogh Kristensen
b13e7c055b move the sanitizer-guard to the Query.qll file 2022-04-13 09:58:33 +02:00
Erik Krogh Kristensen
96e4633dfe remove more code that did nothing 2022-04-13 09:57:32 +02:00
Erik Krogh Kristensen
d35604ed82 remove the length sanitizer from loop-bound-injection - it did nothing 2022-04-13 09:43:21 +02:00
Erik Krogh Kristensen
8e47a9b242 add sanitizer step for .length in js/resource-exhaustion 2022-04-13 09:30:09 +02:00
Stephan Brandauer
fb66ccff39 handlebars taint step: conservatively assume unknown templates have no flow to helpers 2022-04-13 09:27:59 +02:00
Erik Krogh Kristensen
ebf9ba7250 remove the type-overloaded new Buffer() as a sink 2022-04-12 16:29:58 +02:00
Erik Krogh Kristensen
e2b7f7d05d reintroduce the number sinks 2022-04-12 16:26:10 +02:00
Erik Krogh Kristensen
2d6d304d7c add InclusionTest to PostMessageEventSanitizer 2022-04-12 14:12:36 +02:00
CodeQL CI
a43f3a21a8 Merge pull request #8550 from erik-krogh/classJoin 
Approved by asgerf
 2022-04-12 09:23:58 +01:00
Erik Krogh Kristensen
34abef8a6c Merge branch 'main' into dragAndDrop 2022-04-11 23:59:46 +02:00
bananabr
57fac949fd included ClipboardEvent and DragEvent as XSS sources 2022-04-11 16:37:00 -05:00
Erik Krogh Kristensen
aafa8ddc9f add support for domNode.onpaste for copy-paste events 2022-04-11 20:10:56 +02:00
Erik Krogh Kristensen
6713b2c671 add support for domNode.ondrop for drag-and-drop events 2022-04-11 20:06:12 +02:00
bananabr
121aad7fd2 updated change notes 2022-04-11 12:45:37 -05:00
CodeQL CI
9c8dee2a4d Merge pull request #8687 from asgerf/js/missing-flow-fixes 
Approved by erik-krogh
 2022-04-11 14:08:15 +01:00
bananabr
0f1582f3f6 included JavaScript drag and drop API Xss sources 2022-04-09 22:33:30 -05:00
Edoardo Pirovano
f25618eed6 Bump minor version of all packs 2022-04-08 15:38:58 +01:00