hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
83,294 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.3
Commit Graph

2686 Commits

Author SHA1 Message Date
Napalys Klicius
bca1bc7153 JS: Enhance isDomProperty to check for getAPropertyRead on DOM nodes 2025-06-02 14:56:45 +02:00
Napalys Klicius
9b2ef8be10 JS: add test for DOM access where expression appears to have no side effects 2025-06-02 14:54:46 +02:00
Napalys Klicius
298ef9ab12 Now able to track error handler registration via instance properties 2025-06-02 11:01:41 +02:00
Napalys Klicius
b9b62fa1c1 JS: Add URL from url package constructor taint step for request forgery detection 2025-05-30 18:32:02 +02:00
Napalys Klicius
19cc3e335f JS: Add test case for RequestForgery with url wrapped via package URL 2025-05-30 18:26:47 +02:00
Napalys Klicius
f843cc02f6 Fix false positives in stream pipe analysis by improving error handler tracking via property access. 2025-05-30 18:08:04 +02:00
Napalys Klicius
5bb29b6e33 Now flags only .pipe calls which have an error somewhere down the stream, but not on the source stream. 2025-05-28 17:17:43 +02:00
Napalys Klicius
5214cc0407 Excluded ngrx, datorama, angular, react and langchain from stream pipe query. 2025-05-27 09:45:37 +02:00
Napalys Klicius
000e69fd48 Replaced fuzzy NonNodeStream MaD to a ql predicate to deal easier with submodules 2025-05-23 13:55:40 +02:00
Napalys Klicius
c6db32ed73 Add exceptions for arktype, execa, and highland to prevent them from being flagged by unhandled pipe error query 2025-05-23 12:34:11 +02:00
Napalys Klicius
15ff7cb41a Added more test cases which common js libraries uses .pipe() 2025-05-23 12:30:49 +02:00
Napalys Klicius
b10a9481f3 Fixed false positives from strapi and rxjs/testing as well as when one passes function as second arg to pipe 2025-05-22 18:50:02 +02:00
Napalys Klicius
e6ae8bbde4 Added test cases where second parameter passed to pipe is a function and some popular library ones 2025-05-22 18:50:01 +02:00
Napalys Klicius
ac24fdd348 Add predicate to detect non-stream-like usage in sources of pipe calls 2025-05-22 18:49:59 +02:00
Napalys Klicius
5b1af0c0bd Added detection of custom gulp-plumber sanitizer, thus one would not flag such instances. 2025-05-22 18:49:53 +02:00
Napalys Klicius
09220fce84 Fixed issue where pipe calls from rxjs package would been identified as pipe calls on streams 2025-05-22 12:33:36 +02:00
Napalys Klicius
d7f86db76c Enhance PipeCall to exclude non-function and non-object arguments in pipe method detection 2025-05-22 12:31:27 +02:00
Napalys Klicius
4332de464a Eliminate false positives by detecting non-stream objects returned from pipe() calls based on accessed properties 2025-05-22 12:31:26 +02:00
Napalys Klicius
5710f0cf51 Add test cases for non-stream field accesses and methods before and after pipe operations 2025-05-22 12:31:19 +02:00
Napalys Klicius
03d1f9a7d3 Restrict pipe detection to calls with 1-2 arguments 2025-05-21 11:41:22 +02:00
Napalys Klicius
30f2815503 Fixed issue where a custom pipe method which returns non stream would be flagged by the query 2025-05-21 11:41:19 +02:00
Napalys Klicius
ef1bde554a Fixed issue where streams would not be tracked via chainable methods 2025-05-21 11:40:35 +02:00
Napalys Klicius
f39bf62fc6 test: Add edge cases for stream pipe error handling 
Add tests for chained stream methods and non-stream pipe objects
 2025-05-21 11:39:03 +02:00
Napalys Klicius
c27157f021 Add UnhandledStreamPipee Quality query and tests to detect missing error handlers in Node.js streams 2025-05-21 11:38:57 +02:00
Asger F
9bcc62002d JS: Fix regression from global declare vars 2025-05-20 13:20:35 +02:00
Asger F
27979c6a2f JS: Add regression tests for declared globals 2025-05-20 13:20:34 +02:00
Asger F
bba872a3a4 JS: Make jump-to-def behave nicer 2025-05-20 13:20:28 +02:00
Asger F
57811edc44 JS: Some test updates 2025-05-20 13:20:16 +02:00
Asger F
169ae19015 Merge pull request #19391 from asgerf/js/typescript-path-resolution 
JS: Overhaul import resolution
 2025-05-13 15:46:38 +02:00
Asger F
aea676df3c Merge pull request #19445 from asgerf/js/summaries-with-fallback 
JS: Generate flow summaries from summaryModels; only generate steps as a fallback
 2025-05-13 14:49:38 +02:00
Napalys Klicius
d1e769ba54 Merge pull request #19422 from Napalys/js/shelljs 
JS: Modeling of `ShellJS` functions
 2025-05-02 14:18:44 +02:00
Asger F
16fc8c3d9e JS: Benign test updates 2025-05-02 11:09:19 +02:00
Napalys Klicius
d4b5ef6a66 Refactor process.env handling in CleartextLogging and IndirectCommandInjection modules to use ThreatModelSource 2025-05-01 11:14:15 +02:00
Napalys Klicius
33d8ffa83e Added test cases for shelljs.env 2025-05-01 11:11:29 +02:00
Napalys Klicius
71f1b82a56 Added support for fastify.all 2025-04-30 14:54:09 +02:00
Napalys Klicius
6d61766366 Added test case for fastify.all 2025-04-30 14:50:35 +02:00
Napalys Klicius
6de38b1827 Merge pull request #19300 from Napalys/js/fastify 
JS: Added support for `fastify.addHook`
 2025-04-29 18:32:25 +02:00
Asger F
70a5ec5607 JS: Add package.json files in tests relying on node_modules 
We don't extract node_modules folders by default so these tests aren't
that relevant anymore, and we no longer follow node_modules resolution
rules directly.

Instead, these imports are resolved based on the monorepo support which
simply requires a package.json file to exist. There is not a good enough
reason to support node_modules directly, so we're accepting some
minor regression in these tests.
 2025-04-29 16:06:38 +02:00
Napalys Klicius
73309fb9dd Updated modeling of aws-sdk with MaD 2025-04-28 14:00:12 +02:00
Napalys Klicius
42d5b80e81 Added support for AWS.Credentials hardcoded credentials 2025-04-28 14:00:12 +02:00
Napalys Klicius
f69037c176 Added ability to detect direct write to global AWS.config 2025-04-28 14:00:12 +02:00
Napalys Klicius
05e4677fd1 Added ability to detect new AWS.ServiceName cases with hardcoded credentials 2025-04-28 14:00:12 +02:00
Napalys Klicius
e6450a17ec Added test cases for individual AWS services, direct modification of global credentials and AWS.Credentials 2025-04-28 14:00:12 +02:00
Michael Nebel
2e0ce44fde Javascript: Update test files. 2025-04-23 15:41:41 +02:00
Napalys
fdfdcc0d93 Undo unnecessary name tracking for request, response objects 2025-04-22 14:16:45 +02:00
Asger F
00661b62dc JS: Add isMiddlewareSetup() hook to Routing model 2025-04-22 12:00:02 +02:00
Napalys
5c3556da66 Add user-controlled property tracking and update code injection alerts in Fastify hooks 2025-04-15 09:41:52 +02:00
Napalys
9b194ea613 Added addHook to RouteSetup thus now it is recognized now as rouute handler 2025-04-15 09:37:13 +02:00
Napalys
c175081698 Added test cases for fastify.addHook 2025-04-15 09:33:41 +02:00
Napalys Klicius
86313715a4 Merge pull request #19184 from Napalys/js/request_handlers 
JS: Support for `Request` and `NextRequest`
 2025-04-14 08:07:24 +02:00