Commit Graph

11940 Commits

Author SHA1 Message Date
semmle-qlci
9c41b214ee Merge pull request #748 from esben-semmle/js/fix/js/useless-assignment-to-property
Approved by xiemaisi
2019-01-13 21:40:35 +00:00
Esben Sparre Andreasen
64346e1321 JS: bump extractor version for improved support for Flow 2019-01-13 22:10:56 +01:00
Esben Sparre Andreasen
c26ae26f53 JS: support explicit type arguments for Flow 2019-01-13 22:10:56 +01:00
Esben Sparre Andreasen
45a4026385 JS: support additional export statements for Flow 2019-01-13 22:10:56 +01:00
Esben Sparre Andreasen
c6f9a043ca JS: support additional import statements for Flow 2019-01-13 22:10:56 +01:00
semmle-qlci
04c15028ab Merge pull request #750 from aschackmull/javascript/autoformat
Approved by xiemaisi
2019-01-11 16:35:38 +00:00
Anders Schack-Mulligen
db9407bae5 Javascript: Update .expected files. 2019-01-11 14:27:16 +01:00
semmle-qlci
b0dd3dfeb1 Merge pull request #502 from xiemaisi/js/summaries
Approved by asger-semmle
2019-01-11 10:27:03 +00:00
Max Schaefer
f9d704bdcf JavaScript: Add example of indirect command injection. 2019-01-11 10:24:41 +00:00
Anders Schack-Mulligen
e58094c732 Javascript: Autoformat. 2019-01-11 11:02:42 +01:00
Max Schaefer
7d2d33840a JavaScript: Track flow through forwarding higher-order calls. 2019-01-11 09:15:58 +00:00
Max Schaefer
59bac829b1 JavaScript: Refactor flowsIntoHigherOrderCall predicate. 2019-01-11 08:34:09 +00:00
Max Schaefer
edc5117dfd JavaScript: Track flow into (simple) higher-order function calls.
The only case we support for now is functions that invoke one of their arguments, passing another argument as input.
2019-01-11 08:11:15 +00:00
Max Schaefer
414ab8ea8c JavaScript: Refactor argumentPassing. 2019-01-11 07:57:58 +00:00
Esben Sparre Andreasen
d0372dd290 JS: reuse a variable 2019-01-11 08:34:17 +01:00
Esben Sparre Andreasen
d3543b74c0 JS: fixup: use the basic block of the actual write (ODASA-7636) 2019-01-11 08:34:17 +01:00
Asger F
2b803693f1 JS: add comment about how to generate isLodashMember 2019-01-10 14:00:20 +00:00
semmle-qlci
f474fdd0f9 Merge pull request #731 from xiemaisi/js/performance-fiddling
Approved by asger-semmle, esben-semmle
2019-01-10 10:01:02 +00:00
Max Schaefer
583734a4e2 JavaScript: Fix semantic merge conflict.
https://github.com/Semmle/ql/pull/698 removed `document.cookie` as a remote flow source, which some of the tests relied on. We now use `location.search` instead.
2019-01-09 16:09:06 +00:00
Max Schaefer
97e6c75b94 JavaScript: Remove a few other deprecated predicates and classes. 2019-01-09 09:23:59 +00:00
Max Schaefer
db8e436046 JavaScript: Remove deprecated flow tracking predicates. 2019-01-09 09:23:59 +00:00
Max Schaefer
8a93c6aa65 JavaScript: Remove a few deprecated classes. 2019-01-09 09:23:59 +00:00
Max Schaefer
5d1d94ebf1 JavaScript: Remove deprecated old call graph library. 2019-01-09 09:23:59 +00:00
Max Schaefer
db713fb359 JavaScript: Remove deprecated backward-compatibility layer in security libraries. 2019-01-09 09:23:59 +00:00
Max Schaefer
feb9693fea JavaScript: Remove old data flow library. 2019-01-09 09:23:59 +00:00
Max Schaefer
3d44f0c6e0 JavaScript: Autoformat new libraries. 2019-01-09 09:13:14 +00:00
Max Schaefer
fb53a69880 Revert "JavaScript: Add ImportFromCSV to javascript.qll."
This reverts commit d03f82beb1f7d4634615f527b3d275043eeda1c5.
2019-01-09 09:10:45 +00:00
Max Schaefer
e960bd967f JavaScript: Make configuration IDs explicit in the API. 2019-01-09 09:10:45 +00:00
Max Schaefer
8f1c5db8be JavaScript: Change encoding of member and parameter portals for readability. 2019-01-09 09:10:45 +00:00
Max Schaefer
a7ea7309d4 JavaScript: Fold a predicate to improve performance in the presence of many configurations with many sources/sinks. 2019-01-09 09:10:44 +00:00
Max Schaefer
9a64224344 JavaScript: Cache portal computation. 2019-01-09 09:09:58 +00:00
Max Schaefer
2295353b56 JavaScript: Add ImportFromCSV to javascript.qll. 2019-01-09 09:09:58 +00:00
Max Schaefer
94242b3b94 JavaScript: Exclude step summary query from flow-summaries suite.
In its current form, this query produces way too many results.
2019-01-09 09:09:58 +00:00
Max Schaefer
fae419c5d2 JavaScript: Add guide to using summaries. 2019-01-09 09:09:58 +00:00
Max Schaefer
8e36c60326 JavaScript: Add a few examples that cause cyclic portals. 2019-01-09 09:09:58 +00:00
Max Schaefer
132570940a JavaScript: Add support for annotation comments specifying additional sources and sinks. 2019-01-09 09:09:58 +00:00
Max Schaefer
bdf29d010a JavaScript: Allow summary details to be omitted.
If a summary does not specify a configuration, it is taken to apply to all configurations without custom sanitisers/barriers.

If a source summary does not specify a flow label, `data` is assumed.

If a sink summary does not specify a flow label, both `data` and `taint` are assumed.

Flow step summaries cannot omit flow labels.

Note that the standard extraction queries always provide explicit configurations and flow labels, and hence do not exercise this functionality.
2019-01-09 09:09:58 +00:00
Max Schaefer
7c87c43511 JavaScript: Import flow summaries through external predicates. 2019-01-09 09:09:58 +00:00
Max Schaefer
90ad8e3858 JavaScript: Import flow summaries from CSV data. 2019-01-09 09:09:58 +00:00
Max Schaefer
f4fed3657d JavaScript: Add flow summary extraction queries. 2019-01-09 09:09:58 +00:00
Max Schaefer
6d893d4be7 JavaScript: Allow additional sources, sinks and steps to specify flow labels. 2019-01-09 09:09:57 +00:00
Max Schaefer
98a763ae4b JavaScript: Add QL library for modelling portals between npm packages. 2019-01-09 09:06:55 +00:00
Max Schaefer
7e7899faba JavaScript: Add predicate DataFlow::Node.getTopLevel(). 2019-01-09 09:05:11 +00:00
Max Schaefer
3e56e9eaf9 JavaScript: Add predicate AbstractCallable.getDefinition. 2019-01-09 09:05:09 +00:00
Asger F
45a5d0ee3a JS: autoformat 2019-01-08 12:30:07 +00:00
Asger F
6816f33a3d JS: Handle case-insensitive lodash imports 2019-01-08 12:29:28 +00:00
Max Schaefer
8951eaead3 JavaScript: Improve caching of getACallee and related predicates. 2019-01-08 09:42:44 +00:00
Max Schaefer
627583fffa JavaScript: Refactor UselessConditional for performance. 2019-01-08 09:40:49 +00:00
Max Schaefer
de429752d1 JavaScript: Restructure implementation of DataFlow::SourceNode.
It now uses a facade pattern similar to `InvokeNode`: the range of the class is defined by an abstract class `DataFlow::SourceNode::Range`, while the actual behaviour is defined by the (no longer abstract) `SourceNode` class itself.

Clients that want to add new source nodes need to extend `DataFlow::SourceNode::Range`, those that want to refine the behaviour of existing source nodes should extend `DataFlow::SourceNode` itself.

While this is technically a breaking API change, I think separating the two aspects in this way is cleaner and makes it easier to use, and improves performance as well.
2019-01-08 08:01:20 +00:00
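The two extension points the commit message above describes, as an added example (this is not code from the ql repository): extending `DataFlow::SourceNode::Range` adds new source nodes, while extending `DataFlow::SourceNode` refines existing ones. It assumes the library version in use does not already treat `await` results as source nodes (if it does, the extra `Range` instance is redundant but harmless), and `untrusted-config` is a hypothetical package name.

```ql
import javascript

/**
 * New source nodes: the result of every `await` expression.
 * Extending `SourceNode::Range` makes these values usable with
 * `getAPropertyRead()` / `getAMethodCall()` like any other source node.
 * Assumption: `AwaitExpr` is not already a source node in this library version.
 */
class AwaitResult extends DataFlow::SourceNode::Range, DataFlow::ValueNode {
  override AwaitExpr astNode;
}

/**
 * Refined behaviour on existing source nodes: imports of the (hypothetical)
 * package `untrusted-config`. `moduleImport` already yields a source node,
 * so this extends `SourceNode` itself rather than `SourceNode::Range`.
 */
class UntrustedConfigImport extends DataFlow::SourceNode {
  UntrustedConfigImport() { this = DataFlow::moduleImport("untrusted-config") }

  /** A property read on the imported module object, e.g. `cfg.dbPassword`. */
  DataFlow::PropRead getAConfigRead() { result = this.getAPropertyRead() }
}

from DataFlow::PropRead read, string kind
where
  read = any(AwaitResult awaited).getAPropertyRead() and kind = "awaited value"
  or
  read = any(UntrustedConfigImport cfg).getAConfigRead() and kind = "untrusted-config"
select read, "Property read on " + kind + "."
```

Because `SourceNode` is defined as "any node that is a `SourceNode::Range`", every `AwaitResult` automatically inherits the tracking predicates (`getAPropertyRead`, `getAMethodCall`, `flowsTo`, ...) without further wiring; only the characteristic predicate of the `Range` subclass decides membership.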
Max Schaefer
31bb39a810 JavaScript: Autoformat all QL files. 2019-01-07 10:15:45 +00:00