hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
83,294 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.3
Commit Graph

11858 Commits

Author SHA1 Message Date
Napalys Klicius
bca1bc7153 JS: Enhance isDomProperty to check for getAPropertyRead on DOM nodes 2025-06-02 14:56:45 +02:00
Napalys Klicius
9b2ef8be10 JS: add test for DOM access where expression appears to have no side effects 2025-06-02 14:54:46 +02:00
Napalys Klicius
c981c4fe30 Update javascript/ql/lib/change-notes/2025-05-30-url-package-taint-step.md 
Co-authored-by: Asger F <asgerf@github.com>
 2025-06-02 13:34:47 +02:00
Napalys Klicius
298ef9ab12 Now able to track error handler registration via instance properties 2025-06-02 11:01:41 +02:00
Napalys Klicius
0b6a747737 Added change note 2025-05-30 18:33:59 +02:00
Napalys Klicius
b9b62fa1c1 JS: Add URL from url package constructor taint step for request forgery detection 2025-05-30 18:32:02 +02:00
Napalys Klicius
19cc3e335f JS: Add test case for RequestForgery with url wrapped via package URL 2025-05-30 18:26:47 +02:00
Napalys Klicius
f843cc02f6 Fix false positives in stream pipe analysis by improving error handler tracking via property access. 2025-05-30 18:08:04 +02:00
Napalys Klicius
d3b2a57fbf Fixed ql warning Expression can be replaced with a cast 2025-05-28 17:34:16 +02:00
Napalys Klicius
2e2b9a9d63 Make predicates private and clarify stream reference naming. 2025-05-28 17:23:55 +02:00
Napalys Klicius
f8f5d8f561 Exclude .pipe detection which are in a test file. 2025-05-28 17:18:39 +02:00
Napalys Klicius
5bb29b6e33 Now flags only .pipe calls which have an error somewhere down the stream, but not on the source stream. 2025-05-28 17:17:43 +02:00
github-actions[bot]
d2c6875eac Post-release preparation for codeql-cli-2.21.4 2025-05-27 18:16:21 +00:00
github-actions[bot]
bfb91e95e3 Release preparation for version 2.21.4 2025-05-27 17:22:05 +00:00
Asger F
076e4a49d5 JS: Mark AngularJS $location as client-side remote flow source 2025-05-27 09:47:43 +02:00
Napalys Klicius
5214cc0407 Excluded ngrx, datorama, angular, react and langchain from stream pipe query. 2025-05-27 09:45:37 +02:00
Napalys Klicius
1f6b3ad929 Update javascript/ql/src/codeql-suites/javascript-security-and-quality.qls 
Co-authored-by: Michael Nebel <michaelnebel@github.com>
 2025-05-27 09:38:24 +02:00
Napalys Klicius
e964b175e6 Added maintainability and error-handling tags 2025-05-26 14:23:20 +02:00
Napalys Klicius
37024ade85 JS: Move query suite selector logic to javascript-security-and-quality.qls 2025-05-26 11:00:48 +02:00
Napalys Klicius
000e69fd48 Replaced fuzzy NonNodeStream MaD to a ql predicate to deal easier with submodules 2025-05-23 13:55:40 +02:00
Napalys Klicius
248f83c4db Added qhelp for UnhandledStreamPipe query 2025-05-23 13:35:36 +02:00
Napalys Klicius
c6db32ed73 Add exceptions for arktype, execa, and highland to prevent them from being flagged by unhandled pipe error query 2025-05-23 12:34:11 +02:00
Napalys Klicius
15ff7cb41a Added more test cases which common js libraries uses .pipe() 2025-05-23 12:30:49 +02:00
Anders Schack-Mulligen
1d30103559 SSA: Distinguish between has and controls branch edge. 2025-05-23 09:56:22 +02:00
Napalys Klicius
b10a9481f3 Fixed false positives from strapi and rxjs/testing as well as when one passes function as second arg to pipe 2025-05-22 18:50:02 +02:00
Napalys Klicius
e6ae8bbde4 Added test cases where second parameter passed to pipe is a function and some popular library ones 2025-05-22 18:50:01 +02:00
Napalys Klicius
ac24fdd348 Add predicate to detect non-stream-like usage in sources of pipe calls 2025-05-22 18:49:59 +02:00
Napalys Klicius
5b1af0c0bd Added detection of custom gulp-plumber sanitizer, thus one would not flag such instances. 2025-05-22 18:49:53 +02:00
Asger F
9202a1b084 Merge pull request #19516 from asgerf/js/npm-package-name-join 
JS: More efficient nested package naming
 2025-05-22 12:46:43 +02:00
Napalys Klicius
b1048719aa Added UnhandledStreamPipe to javascript-security-and-quality.qls and javascript-code-quality.qls 2025-05-22 12:42:56 +02:00
Napalys Klicius
09220fce84 Fixed issue where pipe calls from rxjs package would been identified as pipe calls on streams 2025-05-22 12:33:36 +02:00
Napalys Klicius
d7f86db76c Enhance PipeCall to exclude non-function and non-object arguments in pipe method detection 2025-05-22 12:31:27 +02:00
Napalys Klicius
4332de464a Eliminate false positives by detecting non-stream objects returned from pipe() calls based on accessed properties 2025-05-22 12:31:26 +02:00
Napalys Klicius
5710f0cf51 Add test cases for non-stream field accesses and methods before and after pipe operations 2025-05-22 12:31:19 +02:00
Napalys Klicius
03d1f9a7d3 Restrict pipe detection to calls with 1-2 arguments 2025-05-21 11:41:22 +02:00
Napalys Klicius
30f2815503 Fixed issue where a custom pipe method which returns non stream would be flagged by the query 2025-05-21 11:41:19 +02:00
Napalys Klicius
ef1bde554a Fixed issue where streams would not be tracked via chainable methods 2025-05-21 11:40:35 +02:00
Napalys Klicius
f39bf62fc6 test: Add edge cases for stream pipe error handling 
Add tests for chained stream methods and non-stream pipe objects
 2025-05-21 11:39:03 +02:00
Napalys Klicius
c27157f021 Add UnhandledStreamPipee Quality query and tests to detect missing error handlers in Node.js streams 2025-05-21 11:38:57 +02:00
Asger F
d644f80921 JS: Remove obsolete meta query 2025-05-20 16:20:49 +02:00
Asger F
b698b4e5e2 JS: Add test for missing type flow through generics 2025-05-20 13:20:38 +02:00
Asger F
11607e5f62 JS: Update TRAP after extractor change 2025-05-20 13:20:36 +02:00
Asger F
9bcc62002d JS: Fix regression from global declare vars 2025-05-20 13:20:35 +02:00
Asger F
27979c6a2f JS: Add regression tests for declared globals 2025-05-20 13:20:34 +02:00
Asger F
b610e10122 JS: Accept change in handling of variable resolution in face of ambient declarations 
This test enforced the opinion that ambient declarations should have no impact on data flow, which is no longer the case. For now I'm just updating the test output.
 2025-05-20 13:20:33 +02:00
Asger F
22a41142de JS: Accept regression in overload resolution 
Overload resolution has little impact on data flow analysis, because there we care about the concrete implementation of the function, which is the same for all overloads. It can affect the return type, which in turn can affect the call graph we generate, but we'll just have to accept this as overload resolution is too hard without negative recursion.
 2025-05-20 13:20:31 +02:00
Asger F
de7d851195 JS: Update output of old HasUnderlyingType test 2025-05-20 13:20:30 +02:00
Asger F
bba872a3a4 JS: Make jump-to-def behave nicer 2025-05-20 13:20:28 +02:00
Asger F
b8dc1b3125 JS: Remove redundant casts 2025-05-20 13:20:27 +02:00
Asger F
fbafd6fff1 JS: Update to avoid deprecations after import resolution change 2025-05-20 13:20:26 +02:00