hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,246 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.0
Commit Graph

4951 Commits

Author SHA1 Message Date
Asger F
0d0eaa21a1 Merge pull request #20302 from asgerf/js/simpler-locations 
JS: Remove synthetic locations
 2025-09-01 09:46:13 +02:00
Asger F
cc8fe10801 JS: Update locations in expected files 2025-08-29 12:03:11 +02:00
Napalys Klicius
bafe22c50c Merge pull request #20048 from Napalys/js/xml_bomb_sinks 
JS: Exclude patched libraries from `xml-bomb` sink
 2025-08-29 08:10:55 +02:00
Napalys Klicius
b19d1e0f57 Merge pull request #20151 from Napalys/js/command-line-libs 
JS: Enhance command injection detection for CLI argument parsing libraries
 2025-08-18 09:32:29 +02:00
Napalys Klicius
b2346183d6 Merge pull request #20148 from Napalys/js/reg-exp-env-variable-threat-model 
JS: Exclude environment variables from `js/regex-injection` query by default
 2025-08-18 09:32:15 +02:00
Tom Hvitved
eb3c054b0f JS: Generate legacy flow steps for all flow summaries 2025-08-06 09:38:49 +02:00
Napalys Klicius
ae4077db72 add taint flow for arg/command-line-args with custom argv option 2025-08-01 13:34:08 +02:00
Napalys Klicius
d6508f34b6 Add taint flow for Commander.js direct property access and action callbacks 2025-08-01 13:24:19 +02:00
Napalys Klicius
39170f327c Added couple more test cases for commander js 2025-08-01 13:14:39 +02:00
Napalys Klicius
6b4e34dd39 Added a step from parse to opts for commander js 2025-08-01 13:12:43 +02:00
Napalys Klicius
e980798ede Added step through yargs/yargs constructor and chained methods. 2025-08-01 12:01:30 +02:00
Napalys Klicius
e8eb9be3f6 Add command injection tests for CLI argument parsing libraries 2025-08-01 11:02:59 +02:00
Napalys Klicius
d28a6e6352 Added new test cases for regexp injection with enviromental variable threat model enabled 2025-07-31 13:20:37 +02:00
Napalys Klicius
8583257574 Created new folder for test with threat models disabled 2025-07-31 13:20:30 +02:00
Napalys Klicius
5f538209c9 Exlucde environmental variables from default detection in regexp injection 2025-07-31 12:09:30 +02:00
Napalys Klicius
1851deb929 Removed libxmljs from being marked as sink for xml-bomb. 2025-07-15 09:33:11 +02:00
Asger F
47a90c8b32 Merge branch 'main' into js/no-type-extraction 2025-07-02 13:18:05 +02:00
Asger F
7c38c48fd7 Merge pull request #19769 from trailofbits/VF/Nest-improvements 
Improve NestJS sources and dependency injection
 2025-06-30 10:42:18 +02:00
Asger F
3247babfa5 Merge pull request #19762 from trailofbits/VF/type-orm-model-improvements 
Improve TypeORM model
 2025-06-30 10:40:38 +02:00
Asger F
c8b2674206 JS: Add support for index expressions 2025-06-25 14:31:22 +02:00
Asger F
b1d4776b17 JS: Handle name resolution through dynamic imports 2025-06-25 14:31:20 +02:00
Asger F
7cc248703a JS: Add test for dynamic imports 2025-06-25 14:31:17 +02:00
Napalys Klicius
3d9e2f5438 Merge pull request #19858 from Napalys/js/execa 
JS: moved `execa` out of experimental
 2025-06-25 10:34:52 +02:00
Asger F
d39b68cd41 Merge pull request #19849 from asgerf/js/remove-legacy-actions-queries 
JS: Remove legacy actions queries
 2025-06-25 09:18:33 +02:00
Asger F
853fc1a7cf Merge pull request #19852 from asgerf/js/react-use-server 
JS: Model React 'use' and 'use server'
 2025-06-25 09:13:56 +02:00
Napalys Klicius
0902ca0605 JS: address copilot suggestions 2025-06-24 11:37:07 +02:00
Asger F
d428eaeef8 Merge pull request #19655 from GeekMasher/js-clientrests-axios 
JS: ClientRequests Axios Instance support
 2025-06-24 10:35:51 +02:00
Napalys Klicius
d05de1ba4e JS: moved execa test cases outside experimental 2025-06-24 09:08:13 +02:00
Napalys Klicius
ef51ab172f JS: exclude sinon module from regexp match calls 2025-06-23 20:25:17 +02:00
Napalys Klicius
584b4f51aa JS: add false positive test cases for hostname regex detection 2025-06-23 20:25:10 +02:00
Asger F
61887beae0 JS: Add test case for false positive 2025-06-23 16:03:41 +02:00
Asger F
cc1a28ac7e JS: Add parameters of server functions as remote flow sources 2025-06-23 16:03:39 +02:00
Asger F
d9f4e4a90d JS: Add tests for functions with "use server" directive 2025-06-23 16:03:38 +02:00
Asger F
7dd7246cd4 JS: Update tests.expected 
Mostly noise due to renamed predicates and reordered result sets
 2025-06-23 16:03:35 +02:00
Asger F
180b023c7c JS: Add inline expectations to React test 2025-06-23 16:03:33 +02:00
Asger F
1787d4dce8 JS: Enable inline expectations in test 
Will update files in next commit
 2025-06-23 16:03:32 +02:00
Asger F
1a18e68364 JS: Remove reactLibraryRef 
This is not testing anything interesting, and is noisy when adding inline expectations
 2025-06-23 16:03:30 +02:00
Asger F
99fb6b62ad JS: Remove test_ prefix from query predicates 2025-06-23 16:03:29 +02:00
Asger F
8ff7182f3a JS: Move React test predicates into one file 2025-06-23 15:37:15 +02:00
Asger F
980d0f46fa JS: Add model for react 'use' 2025-06-23 15:27:21 +02:00
Asger F
768ccc6a54 JS: Add test for react 'use' function 2025-06-23 15:26:08 +02:00
Asger F
76b7228160 JS: Remove js/actions/command-injection 
Superseded by actions/command-injection/{medium,critical}
 2025-06-23 14:41:26 +02:00
Asger F
9dcb61e771 JS: Remove js/actions/actions-artifact-leak 
Superseded by actions/secrets-in-artifacts
 2025-06-23 14:39:28 +02:00
Asger F
3a00e8d1c5 JS: Remove js/actions/pull-request-target 
Superseded by actions/untrusted-checkout/{medium,high,critical}
 2025-06-23 14:37:21 +02:00
Asger F
f5f12c2f81 JS: Delete or simplify TypeScript type-specific tests 2025-06-23 12:55:15 +02:00
Asger F
fb92d9b034 JS: Update type usage in UnreachableMethodOverloads 
This query depended on the cons-hashing performed by type extraction to determine if two types are the same.

This is not trivial to restore, but not important enough to reimplement right now, so for now just simplifying the query's ability to recognise that two types are the same.
 2025-06-23 12:55:06 +02:00
Asger F
b71d09630a JS: Update type usage in Electron model 2025-06-23 12:55:03 +02:00
Napalys Klicius
3fbe348f99 Merge pull request #19784 from Napalys/js/express_middleware 
JS: Improve Express middleware taint tracking
 2025-06-20 15:36:26 +02:00
Napalys Klicius
bca536c5b6 Merge remote-tracking branch 'origin/main' into js/quality/loop_shift 2025-06-20 11:30:20 +02:00
Napalys Klicius
f80651e78a Merge pull request #19750 from Napalys/js/remove_encodeURI 
JS: remove `encodeURI` from sanitizer list of request forgery
 2025-06-19 14:12:52 +02:00