5030 Commits

Author	SHA1	Message	Date
jarlob	9c7eecf547	Add support for composite actions	2023-04-06 22:53:59 +02:00
jarlob	baefeab2d1	fix tests	2023-04-06 19:11:04 +02:00
jarlob	0a878d4db9	Support yAml extensions	2023-04-06 19:07:38 +02:00
jarlob	eef1973b93	Change UI message	2023-04-05 10:05:24 +02:00
jarlob	5c5b9f99a8	Add simple taint tracking for env variables	2023-04-05 10:03:46 +02:00
jarlob	39ff3c72a2	Remove label sanitizer because it is prone to race conditions	2023-04-03 23:28:31 +02:00
jarlob	8ea418216c	Look for script injections in actions/github-script	2023-04-03 23:13:28 +02:00
jarlob	c6eaf194a5	Remove empty.js as it is not needed anymore	2023-04-03 15:09:40 +02:00
jarlob	99d634c8a4	Add more sources, more unit tests, fixes to the GitHub Actions injection query	2023-04-03 15:02:02 +02:00
Erik Krogh Kristensen	b382465078	Merge pull request #12679 from ctbellanti/improved-certificate-validation ... JS: Improved coverage for disabled certificate validation	2023-03-30 16:24:33 +02:00
erik-krogh	47783326c2	add test for https.createServer in DisablingCertificateValidation.ql	2023-03-30 14:15:25 +02:00
Asger F	43174cfe3a	Merge pull request #12668 from asgerf/js/jquery-callback-sinks ... JS: fix handling of jQuery sinks involving callback	2023-03-30 12:42:53 +02:00
Erik Krogh Kristensen	451f6f01bb	Merge pull request #12633 from erik-krogh/more-global-flow ... JS: better callgraph support for global variables	2023-03-28 15:19:50 +02:00
Erik Krogh Kristensen	d3c3f2dc90	Merge pull request #12628 from erik-krogh/betterReDoS ... ReDoS: better super-linear algorithm	2023-03-27 15:26:49 +02:00
Asger F	92a681213d	JS: Step through jQuery callback return values	2023-03-27 11:17:27 +02:00
Asger F	bc2a772f3b	JS: Add test case showing false negative	2023-03-27 11:08:39 +02:00
erik-krogh	e189b36e3f	materialize less strings when ranking states	2023-03-23 10:35:58 +01:00
erik-krogh	0462e2a6ea	update some expected output	2023-03-22 20:47:53 +01:00
Alex Ford	0f267e012a	Merge pull request #12631 from alexrford/js/weak-cryptographic-algorithm_space ... JS: add a missing space in alert message for `js/weak-cryptographic-algorithm`	2023-03-22 14:12:35 +00:00
erik-krogh	2bba9057a0	better callgraph support for global variables	2023-03-22 13:49:33 +01:00
Alex Ford	b000b9b5c0	JS: add a missing space in alert message for js/weak-cryptographic-algorithm	2023-03-22 11:12:13 +00:00
erik-krogh	b071d3557e	JS/PY/RB: add a worst-case test, that now performs OK	2023-03-22 10:13:18 +01:00
erik-krogh	801e0ff050	ReDoS: implement a better super-linear algorithm, with better worst-case performance	2023-03-22 10:13:16 +01:00
erik-krogh	34fe1a8f5e	use SSA in the GetLaterAccess module	2023-03-21 15:19:15 +01:00
Erik Krogh Kristensen	0f813ce2e8	Merge pull request #12543 from erik-krogh/reg-perf ... ReDoS: restrict the edges considered in polynomial-redos for complex regular expressions	2023-03-20 15:48:35 +01:00
Erik Krogh Kristensen	540542ceb5	Merge pull request #12518 from erik-krogh/more-express-sources ... JS: recognize more express URL related sources	2023-03-20 08:49:11 +01:00
Asger F	d537f86324	Merge pull request #12555 from asgerf/js/block-modes ... JS: Include weak block modes as sink in weak crypto algorithm	2023-03-17 13:23:23 +01:00
erik-krogh	a63739915d	add test confirming support for const type parameters	2023-03-16 22:37:35 +01:00
erik-krogh	2c1c41d8a3	add test confirming end-to-end support for well-typed decorators with the new TS 5.0 type ClassMethodDecoratorContext	2023-03-16 22:37:35 +01:00
Asger F	86a06bde72	JS: Flag crypto operations with weak block mode	2023-03-16 14:52:52 +01:00
Asger F	e907d685f4	JS: Add crypto test with AES-ECB	2023-03-16 14:52:18 +01:00
erik-krogh	54ec047433	ReDoS: put an artificial limitation on the analysis in polynomial-redos for large regular expressions	2023-03-16 12:20:53 +01:00
erik-krogh	a72436f6f1	recognize more express URL related sources	2023-03-15 10:14:31 +01:00
Asger F	feb7c49006	Merge pull request #12382 from asgerf/js/import-assertion ... JS: Support import assertions	2023-03-14 14:56:32 +01:00
Asger F	d953ad63fe	Merge pull request #12445 from asgerf/js/react-forward-ref ... JS: Handle forwardRef in React	2023-03-14 13:21:16 +01:00
Asger F	8ab3f39b5e	Merge pull request #12423 from asgerf/js/trusted-types-global-flow ... JS: Track trusted types policy callbacks	2023-03-14 13:09:50 +01:00
Asger F	41dd63adc7	Handle forwardRef in React	2023-03-13 11:30:18 +01:00
Asger F	856b50735d	JS: Expand test case	2023-03-07 13:04:26 +01:00
Asger F	d4b4d22378	JS: Step through HTML sanitizers in SQL injection query	2023-03-06 15:10:26 +01:00
Asger F	f4b13e0955	JS: Update printAst expected output	2023-03-03 13:42:42 +01:00
Asger F	7a55b003d2	JS: Fix location of assert clause	2023-03-03 12:21:20 +01:00
Asger F	38194c6ae7	JS: Extract import assertions to DB	2023-03-03 12:21:20 +01:00
erik-krogh	a6c9af4182	add the html argument to the jQuery functions as an XSS sink	2023-03-03 11:09:53 +01:00
erik-krogh	94870b838f	add failing test	2023-03-03 11:08:33 +01:00
Erik Krogh Kristensen	50aa5e072a	Merge pull request #12177 from erik-krogh/alias-html ... JS: More precise type-test sanitizer guards in unsafe-html-construction	2023-02-27 18:16:11 +01:00
Erik Krogh Kristensen	927c322b7b	Merge pull request #11769 from erik-krogh/moreSan ... JS: Sanitizer for `sanitizer(x) === true`	2023-02-27 15:48:34 +01:00
Alex Ford	7c85448cba	Merge pull request #12080 from alexrford/js-use-shared-cryptography ... JS: Use shared `CryptographicOperation` concept	2023-02-27 12:26:38 +00:00
erik-krogh	0e60fc5512	Merge branch 'main' into alias-html	2023-02-27 09:16:25 +01:00
Erik Krogh Kristensen	f8f926ad50	Merge pull request #12175 from erik-krogh/reg-input ... JS: add process.env and process.argv etc. as source for `js/regex-injection`	2023-02-27 09:12:02 +01:00
Alex Ford	1556b1a728	Merge branch 'main' into js-use-shared-cryptography	2023-02-15 17:13:53 +00:00