hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,644 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.1
Commit Graph

11808 Commits

Author SHA1 Message Date
Esben Sparre Andreasen
4ce7ec1661 JS: add XSS vector for Vue's v-html 2019-02-25 12:17:56 +01:00
Esben Sparre Andreasen
4c5e48fbbc JS: introduce DataFlow::HtmlAttributeNode 2019-02-25 12:17:56 +01:00
Esben Sparre Andreasen
da1ffcfd1b JS: introduce Vue Template Element 2019-02-25 12:17:33 +01:00
Esben Sparre Andreasen
9f4f945975 JS: introduce Vue::InstanceHeapStep 2019-02-25 12:17:33 +01:00
Asger F
614ba92fac JS: add ClassContainsTwo.expected 2019-02-25 09:51:40 +00:00
Asger F
86153be64b JS: fix qldoc 2019-02-25 09:51:31 +00:00
semmle-qlci
014d4b9ed0 Merge pull request #934 from asger-semmle/module-import 
Approved by xiemaisi
 2019-02-25 09:46:52 +00:00
Max Schaefer
d4dbe3bfb6 JavaScript: Back out parsing of qualified XML identifiers. 
Their syntax conflicts with the proposed function-bind operator, which is more important to support.
 2019-02-24 21:30:59 +00:00
Max Schaefer
6a90459d6a JavaScript: Add upgrade script. 2019-02-24 21:06:29 +00:00
Max Schaefer
7491b5ea53 JavaScript: Add a comment. 2019-02-24 21:02:12 +00:00
Max Schaefer
f726125b71 JavaScript: Restrict E4X processing instruction disambiguation to the <?xml ...?> case. 2019-02-24 20:56:43 +00:00
Max Schaefer
cc216ad250 JavaScript: Buffer recoverable syntax errors during speculative parsing. 
Analogous to how we buffer tokens, we need to delay reporting these errors until we have committed to a parse.
 2019-02-24 20:45:41 +00:00
Max Schaefer
c7e428eb27 JavaScript: Handle E4X/Flow lexical ambiguity. 2019-02-24 20:45:41 +00:00
Max Schaefer
d6deefed86 JavaScript: Accept CDATA in E4X content. 2019-02-24 20:45:41 +00:00
Max Schaefer
81b86d9a0f JavaScript: Skip XML processing instructions in E4X content. 2019-02-24 20:45:41 +00:00
Max Schaefer
be67d5129a JavaScript: Add QL library support for E4X. 2019-02-24 20:45:41 +00:00
Max Schaefer
5a89024507 JavaScript: Be more lenient about keywords used as identifiers. 2019-02-24 20:45:41 +00:00
Max Schaefer
dbbb961b48 JavaScript: Accept let expressions with an object literal as their body. 2019-02-24 20:45:41 +00:00
Max Schaefer
63ed569724 JavaScript: Recover from missing initializers in const/destructuring declarations. 2019-02-24 20:45:41 +00:00
Max Schaefer
fbf2774bb3 JavaScript: Accept expression-bodied function declarations in experimental mode. 2019-02-24 20:45:41 +00:00
Max Schaefer
a42bec7f44 JavaScript: Accept comments in E4X XML literals (but not in JSX HTML literals). 2019-02-24 20:45:41 +00:00
Max Schaefer
b2366c7a68 JavaScript: Refactor parsing of JSX element content. 2019-02-24 20:45:41 +00:00
Max Schaefer
88be67a4fc JavaScript: Add support for for-each-in comprehensions. 2019-02-24 20:45:41 +00:00
Max Schaefer
d3ae2954ff JavaScript: Add support for parsing postfix generator comprehensions. 2019-02-24 20:45:41 +00:00
Max Schaefer
bb93cef20a JavaScript: Refactor parsing of parenthesised expressions. 2019-02-24 20:45:41 +00:00
Max Schaefer
92c8501e67 JavaScript: Refactor parsing of generator/array comprehensions. 2019-02-24 20:45:41 +00:00
Max Schaefer
f3ea810c21 JavaScript: Add parser support for E4X. 2019-02-24 20:45:41 +00:00
Max Schaefer
1ad4867f2a JavaScript: Make parsing of decorators more restrictive. 
As per [the proposal](https://tc39.github.io/proposal-decorators/#sec-new-syntax), decorators can only contain identifiers or parenthesised expressions, optionally followed by property accesses and arguments.
 2019-02-24 20:45:41 +00:00
Max Schaefer
c6fc4e4764 JavaScript: Address review comments. 2019-02-23 21:43:13 +00:00
Max Schaefer
e7c95bae49 JavaScript: Add flow steps modelling Electron IPC. 2019-02-23 21:43:13 +00:00
Max Schaefer
a4e4957f31 JavaScript: Model webContents property. 2019-02-23 21:43:13 +00:00
Max Schaefer
ff83e600dc JavaScript: Track Electron browser objects inter-procedurally. 2019-02-23 21:43:13 +00:00
Max Schaefer
d59c12e6eb JavaScript: Recognise Electron browser objects based on TypeScript types when available. 2019-02-23 21:43:13 +00:00
Max Schaefer
143bb711f9 JavaScript: Slightly restructure Electron BrowserWindow class hierarchy. 2019-02-23 21:43:13 +00:00
Max Schaefer
20d41b85de JavaScript: Delete an unused package.json in a test. 
While this file is part of the project used in the tutorial, it isn't necessary for the queries to work. It also specifies a dependency on a vulnerable version of Express, causing it to be (spuriously) flagged by security scanners.
 2019-02-23 13:59:18 +00:00
Max Schaefer
db9ac72e7a Merge pull request #957 from esben-semmle/js/another-autobinder-model 
JS: model one more 'autobind' for js/unbound-event-handler-receiver
 2019-02-22 20:58:17 +00:00
Max Schaefer
12ed2ca000 Merge pull request #958 from esben-semmle/js/improve-tainted-path 
JS: add taint steps for fs.realpath and fs.realpathSync
 2019-02-22 20:55:39 +00:00
Esben Sparre Andreasen
6c1b29e4b6 JS: add missing flowstep for unused parameter field initializers 2019-02-21 21:44:28 +01:00
Esben Sparre Andreasen
6766716867 JS: add PropWrite tests for parameter field initializers 2019-02-21 21:44:28 +01:00
Esben Sparre Andreasen
bdd8691e65 JS: add type inference for the return value of captured method calls 2019-02-21 21:44:28 +01:00
Esben Sparre Andreasen
8af501d4d5 JS: avoid double reporting dead code with js/unused-variable 2019-02-21 21:44:28 +01:00
Esben Sparre Andreasen
91dccc3356 JS: add query js/unused-property 2019-02-21 21:44:28 +01:00
Esben Sparre Andreasen
0cf2eaec5e JS: introduce CapturedSource 2019-02-21 21:44:28 +01:00
Esben Sparre Andreasen
305a249280 JS: add taint steps for fs.realpath and fs.realpathSync 2019-02-21 09:48:35 +01:00
Esben Sparre Andreasen
27cae0c190 JS: model one more 'autobind' for js/unbound-event-handler-receiver 2019-02-21 08:23:54 +01:00
james
50ad8a4089 update link in vue.qll 2019-02-20 16:43:56 +00:00
semmle-qlci
f5e419e774 Merge pull request #933 from xiemaisi/js/createContextualFragment 
Approved by asger-semmle
 2019-02-20 12:42:27 +00:00
Asger F
e7e29101e4 JS: add StringOps::Concatenation 2019-02-15 16:57:26 +00:00
Asger F
c115451b9d JS: Fix copy-pasta bug 2019-02-15 16:48:42 +00:00
Asger F
ab0ed66266 JS: Add EndsWith::Range 2019-02-15 16:48:15 +00:00