2976 Commits

Author	SHA1	Message	Date
Rasmus Wriedt Larsen	414764ccee	Concepts: Minor rewrite in qldoc ... As suggested by @hmac	2022-03-22 10:33:58 +01:00
Rasmus Wriedt Larsen	e50a9421a6	JS: Update dataflow import in ConceptsImports.qll ... Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2022-03-22 10:32:20 +01:00
Erik Krogh Kristensen	099d91ba6f	update qldoc	2022-03-22 10:27:21 +01:00
Harry Maclean	c2d4bc50c9	Add missing file doc comment	2022-03-22 11:10:09 +13:00
Harry Maclean	91a7e9405c	Share HttpToFileAccessQuery between JS and Ruby ... There's so little in this query that it may not be worth sharing, but it's an interesting exercise in figuring out how we do it nicely.	2022-03-22 11:10:08 +13:00
Harry Maclean	6c18e1d7ac	Merge pull request #8272 from hmac/hmac/tainted-format-string	2022-03-22 08:37:47 +13:00
github-actions[bot]	a3e74efc21	Post-release preparation for codeql-cli-2.8.4	2022-03-21 19:36:47 +00:00
Erik Krogh Kristensen	c8385a1e80	js/xss-through-dom: filter away reads of .src that end in a URL sink	2022-03-21 16:48:59 +01:00
github-actions[bot]	dedc8c2254	Release preparation for version 2.8.4	2022-03-21 13:25:49 +00:00
Alex Ford	c891c53835	Merge pull request #8395 from alexrford/ruby/clear-text-storage ... Ruby: add `rb/clear-text-storage-sensitive-data` query	2022-03-21 10:05:39 +00:00
CodeQL CI	b04c46f96d	Merge pull request #8478 from asgerf/js/store-load-flow-context-sensitivity-bug ... Approved by erik-krogh	2022-03-21 08:54:51 +00:00
Harry Maclean	0cfe37dff4	Share TaintedFormatString between Ruby and JS	2022-03-21 12:51:46 +13:00
Arthur Baars	bf888f0f0b	Merge remote-tracking branch 'upstream/main' into incomplete-url-string-sanitization ... Conflicts: config/identical-files.json javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll	2022-03-18 16:09:20 +01:00
Arthur Baars	431b60506e	Merge remote-tracking branch 'upstream/main' into incomplete-hostname	2022-03-18 13:05:34 +01:00
Asger F	929419abba	Merge pull request #8254 from asgerf/ruby/mad-prototype ... Ruby: initial prototype of models-as-data	2022-03-18 10:48:33 +01:00
Asger Feldthaus	8753632193	JS: Fix bug in reachableFromStoreBase	2022-03-17 17:30:46 +01:00
Rasmus Wriedt Larsen	2b9408b0c3	Concepts: Add some architecture documentation	2022-03-17 13:49:10 +01:00
Harry Maclean	36c421346b	Introduce ConceptsShared.qll	2022-03-17 13:49:10 +01:00
Erik Krogh Kristensen	879680057e	fix all ql/unused-field warnings	2022-03-17 09:41:42 +01:00
Erik Krogh Kristensen	daed33f5af	JS: fix more instances of ql/missing-parameter-qldoc	2022-03-16 22:58:28 +01:00
Erik Krogh Kristensen	efba220b45	JS: fix most ql/missing-parameter-qldoc issues	2022-03-16 22:56:52 +01:00
Erik Krogh Kristensen	aa8b7c8679	update reference to deprecated class name	2022-03-16 22:32:54 +01:00
Erik Krogh Kristensen	d8a5947a08	simplify TaintedUrlSuffix::source() to only consider window.location based sources	2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen	b3de5d94a6	move PrefixStringSanitizer to the Query.qll file, and have it extend LabeledSanitizerGuardNode	2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen	562dce57e8	rename isXSSSink to isXssSink	2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen	f083e87fa1	refactor the js/xss query to use three flowlabels and one configuration	2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen	87842bb8b7	add client-side-url sinks that may execute JavaScript as XSS sinks	2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen	b471fec149	split interpretsArgumentsAsURL out of interpretsArgumentsAsHTML, and use it to generalize AttributeUrlSink	2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen	2576e1f655	add utility predicate to get client-side remote-flow-sources that contain a URL query/fragment	2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen	67e6a4c716	add a isXSSSink predicate to the client-side-url-redirection sinks	2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen	559f03ebbc	remove unnecessary module qualifier	2022-03-16 22:32:07 +01:00
Erik Krogh Kristensen	2d9d383c55	remove unused import	2022-03-16 22:32:07 +01:00
Asger Feldthaus	e1976da7f9	JS: Autoformat	2022-03-16 15:01:17 +01:00
Asger F	228570129e	Merge branch 'main' into ruby/mad-prototype	2022-03-16 13:50:31 +01:00
Asger Feldthaus	e168da4c5f	Shared: make a predicate private	2022-03-16 13:48:56 +01:00
Asger Feldthaus	e3fbaf5d8f	Shared: prefer exists(var) instead of var = any(string s)	2022-03-16 13:37:08 +01:00
Asger Feldthaus	102540072e	Shared: remove documentation prone to falling out of date	2022-03-16 13:32:55 +01:00
Arthur Baars	ab93b3784b	Merge remote-tracking branch 'upstream/main' into incomplete-hostname	2022-03-16 12:31:12 +01:00
Arthur Baars	852f05bfb7	Address comment	2022-03-16 12:26:39 +01:00
Asger Feldthaus	f140c13261	JS: Sync ApiGraphModels.qll and update accordingly	2022-03-16 12:04:41 +01:00
Asger Feldthaus	d8b4bc81ff	JS: Rename EntryPoint.getNode -> getANode	2022-03-16 12:04:39 +01:00
Erik Krogh Kristensen	cd9d61c1fc	Merge pull request #8450 from erik-krogh/importAs ... disallow lowercase import-as aliases	2022-03-16 11:32:37 +01:00
Asger Feldthaus	ecf7073bf1	Shared: codeql -> ql in code blocks	2022-03-16 11:00:24 +01:00
Erik Krogh Kristensen	b45f56ac08	Merge pull request #8431 from erik-krogh/deadCode ... Delete dead code	2022-03-15 20:09:06 +01:00
Erik Krogh Kristensen	89af50f6d5	rename all lower-case import-as statements	2022-03-15 14:40:38 +01:00
Erik Krogh Kristensen	3067231b1a	Merge pull request #8253 from erik-krogh/domWrite ... JS: merge hasDominatingWrite and hasDominatingAssignment	2022-03-15 13:37:00 +01:00
Asger Feldthaus	82750638c6	JS: Verify models even if package is not used in database	2022-03-15 10:51:44 +01:00
Asger Feldthaus	a19f06ffc0	JS: Port checks to JS	2022-03-15 10:35:49 +01:00
Asger Feldthaus	97ca1155c3	JS: Sync ApiGraphModels.qll and test	2022-03-15 09:29:34 +01:00
Erik Krogh Kristensen	c7509c4dd3	Merge branch 'main' into deadCode	2022-03-15 09:19:14 +01:00