hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,540 Commits 1,672 Branches 157 Tags
codeql-cli-2.23.8
Commit Graph

186 Commits

Author SHA1 Message Date
Napalys Klicius
3a75500f54 JS: Add modeling for call-me-maybe 2025-09-15 17:15:31 +02:00
Napalys Klicius
0d23ab07db JS: Add data flow modeling for promisified user-defined functions 2025-09-15 17:13:13 +02:00
Napalys Klicius
2c6db00cbc JS: Add modeling for util promisify* 2025-09-15 17:09:28 +02:00
Napalys Klicius
e002f2088f JS: Add modeling for es6-promisify 2025-09-15 17:04:34 +02:00
Napalys Klicius
35c75c00ba JS: Add modeling for @gar/promisify 2025-09-15 16:58:11 +02:00
Napalys Klicius
312471e9db JS: Add modeling for @google-cloud/promisify 2025-09-15 16:55:27 +02:00
Napalys Klicius
d37425ae3e JS: Treat promisify(obj).member as obj.member 2025-09-15 16:51:19 +02:00
Napalys Klicius
d6a14e63ba JS: Add test cases for promisification libraries. 2025-09-15 16:21:12 +02:00
Asger F
cc8fe10801 JS: Update locations in expected files 2025-08-29 12:03:11 +02:00
Napalys Klicius
ae4077db72 add taint flow for arg/command-line-args with custom argv option 2025-08-01 13:34:08 +02:00
Napalys Klicius
d6508f34b6 Add taint flow for Commander.js direct property access and action callbacks 2025-08-01 13:24:19 +02:00
Napalys Klicius
39170f327c Added couple more test cases for commander js 2025-08-01 13:14:39 +02:00
Napalys Klicius
6b4e34dd39 Added a step from parse to opts for commander js 2025-08-01 13:12:43 +02:00
Napalys Klicius
e980798ede Added step through yargs/yargs constructor and chained methods. 2025-08-01 12:01:30 +02:00
Napalys Klicius
e8eb9be3f6 Add command injection tests for CLI argument parsing libraries 2025-08-01 11:02:59 +02:00
Napalys Klicius
0902ca0605 JS: address copilot suggestions 2025-06-24 11:37:07 +02:00
Napalys Klicius
d05de1ba4e JS: moved execa test cases outside experimental 2025-06-24 09:08:13 +02:00
Napalys Klicius
d4b5ef6a66 Refactor process.env handling in CleartextLogging and IndirectCommandInjection modules to use ThreatModelSource 2025-05-01 11:14:15 +02:00
Napalys Klicius
33d8ffa83e Added test cases for shelljs.env 2025-05-01 11:11:29 +02:00
Michael Nebel
2e0ce44fde Javascript: Update test files. 2025-04-23 15:41:41 +02:00
Asger F
017f458534 Update javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/uselesscat.js 
Co-authored-by: Napalys Klicius <napalys@github.com>
 2025-03-10 14:18:22 +01:00
Asger F
24c9b2ef9b Update javascript/ql/test/query-tests/Security/CWE-078/UselessUseOfCat/uselesscat.js 
Co-authored-by: Napalys Klicius <napalys@github.com>
 2025-03-10 14:18:02 +01:00
Asger F
2a194a53af raw test output 2025-02-28 13:29:39 +01:00
Asger F
64d39da5f8 JS: Accept Sources/Sink tags 2025-02-28 13:29:30 +01:00
Asger F
576dbcb020 JS: Stop overriding entire module.exports object in test 
Doing `module.exports = blah` prevents other exports from being seen as library inputs.
 2025-02-28 13:28:09 +01:00
Asger F
b095fe2a19 JS: Fix some bugs in a test case 
'args' was a redeclared block-level variable, and 'myArgs' was not used when clearly intended to be used
 2025-02-28 13:27:59 +01:00
Asger F
e026b9e048 JS: Mark regressions due to lack of local field steps 2025-02-28 13:27:52 +01:00
Asger F
07a876b4e9 JS: Accept some alerts at the SystemCommandExecution location 2025-02-28 13:27:46 +01:00
Asger F
10a7294327 JS: Accept trivial test changes 
This adds Alert annotations for alerts that seem intentional by the test
but has not been annotated with 'NOT OK', or the comment was in the wrong
place.

In a few cases I included 'Source' expectations to make it easier to see
what happened. Other 'Source' expectations will be added in bulk a later
commit.
 2025-02-28 13:27:43 +01:00
Asger F
86932c51bc JS: Move some alerts to their correct location 
One of the diffs look confusing but:
Previously parameter {2,3} where flagged, now parameter {1,2} are flagged.

Note that for command injection, the SystemCommandExecution is flagged
despite the test file claiming otherwise.
 2025-02-28 13:27:40 +01:00
Asger F
f5911c9e5a JS: Accept raw test output 2025-02-28 13:27:38 +01:00
Asger F
d0ce53ed82 JS: Enable post-processing for all .qlref files 2025-02-28 13:27:33 +01:00
Asger F
426edd55f2 JS: Update output after line number change 
Some OK-style comments had to be moved to the following line, shifting line numbers.

In selected range also included the comments themselves.

Lastly, the result sets were reordered by the CLI in some cases.
 2025-02-28 13:27:31 +01:00
Asger F
9be041e27d JS: Update OK-style comments to $-style 2025-02-28 13:27:28 +01:00
Asger F
7e5c24a8ec JS: Remove uses of old inline expectation test library 2025-02-28 13:27:26 +01:00
Asger F
d79f429978 JS: Update changes to nodes/edges/subpaths 
No changes in actual alerts
 2025-02-17 10:36:05 +01:00
Asger F
b2d62a080b JS: Move a test failure explanation into the test suite 
We have an issue for fixing the underlying problem
 2025-01-09 09:57:44 +01:00
Asger F
f8dc7eb25b JS: Update output from tests that changed on main 2024-12-19 15:25:47 +01:00
Asger F
3acd4814de Merge branch 'main' into js/shared-dataflow-merge-main 2024-12-19 10:14:38 +01:00
Michael Nebel
c3fe3e468c Javascript: Update all test util paths to point to the new location. 2024-12-12 13:54:25 +01:00
Asger F
08d25c122d JS: Deprecate more uses of ConsistencyConfiguration 2024-12-03 14:30:27 +01:00
Asger F
0ce1fe767d JS: Deprecate ConsistencyChecking to avoid deprecation warnings 2024-12-03 14:30:23 +01:00
Napalys
a0df33c3ac JS: UnsafeShellCommand Using unknown flags in the RegExp object is no longer flagged as bad sanitization to reduce false positives. 2024-11-28 11:26:43 +01:00
Napalys
155f1fca85 JS: Added test cases for unsafe shell command sanitization with RegExpr Object, instead of literal 2024-11-28 11:26:42 +01:00
Asger F
8818fcc207 JS: Benign test output changes 2024-11-26 15:47:13 +01:00
Asger F
52ba91a7f8 JS: Updates to nodes/edges in tests 
Only changes to nodes/edges for various reasons, no actual result changes
 2024-10-29 08:32:13 +01:00
Asger F
12e316b99d JS: Update test output after merging in 'main' 
- Paths are now relative to the test case, not the qlpack
- Paths going through an implicit reads have changed slightly
 2024-10-08 10:11:15 +02:00
Asger F
cf90c83604 JS: Accept changes to nodes/edges results 2024-09-12 13:42:19 +02:00
Asger F
2e2181be2c JS: Update test output that only affects nodes/edges/subpaths 2024-08-27 11:35:33 +02:00
Asger F
ee10702e73 JS: Another provanance test output update 2024-06-27 11:56:01 +02:00