hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,540 Commits 1,672 Branches 157 Tags
codeql-cli-2.23.8
Commit Graph

5030 Commits

Author SHA1 Message Date
Asger F
09ca6652fb JS: Support return value of x++ 2018-11-29 11:22:13 +00:00
Asger F
a374540c55 JS: Range analysis library 2018-11-29 11:22:13 +00:00
Max Schaefer
8637eaf100 JavaScript: Address review comments. 2018-11-29 10:48:44 +00:00
Max Schaefer
5f16406ad7 JavaScript: Add new query HardcodedDataInterpretedAsCode. 2018-11-29 09:52:31 +00:00
Max Schaefer
94a5722c2a JavaScript: Model taint propagation through new Buffer and Buffer.from. 2018-11-29 09:52:31 +00:00
Max Schaefer
4091cf410d JavaScript: Improve detection of require calls. 2018-11-29 09:52:31 +00:00
Esben Sparre Andreasen
f3889e715e JS: simplify isReactImportForJSX to isReactForJSX 2018-11-28 15:06:53 +01:00
Max Schaefer
fb78e14db1 JavaScript: Add support for sanitising dynamic property accesses. 
This generalises our previous handling of sanitisers operating on property accesses to support dynamic property accesses where the property name is an SSA variable by representing them as access paths.
 2018-11-28 12:37:53 +00:00
Esben Sparre Andreasen
54e2215db4 JS: support require in isReactImportForJSX 2018-11-28 13:16:55 +01:00
Max Schaefer
f1c538a97b JavaScript: Restrict RemotePropertyInjection query to avoid double-reporting. 
This query now only flags user-controlled property and header writes, method calls are handled by the new unsafe/unvalidated method call queries.
 2018-11-28 08:16:31 +00:00
Max Schaefer
2889e07eb8 JavaScript: Add new query UnvalidatedDynamicMethodCall. 2018-11-28 08:16:31 +00:00
Aditya Sharad
5d5bfc215e Merge rc/1.19 into next. 2018-11-27 12:04:46 +00:00
Max Schaefer
8e54c7ab6c Merge pull request #503 from asger-semmle/unsafe-global-object-access 
JS: add method name injection query
 2018-11-26 15:56:20 +00:00
Esben Sparre Andreasen
2d7f09d321 JS(ql): support nullish coalescing operators 2018-11-26 10:31:19 +01:00
Aditya Sharad
c20b688a3f Merge master into next. 2018-11-23 16:36:31 +00:00
semmle-qlci
04c2b23abd Merge pull request #520 from esben-semmle/js/clear-text-logging-taint-kinds 
Approved by asger-semmle
 2018-11-23 12:40:40 +00:00
Esben Sparre Andreasen
b780f82869 JS: sharpen js/clear-text-logging (ODASA-7485) 2018-11-22 13:38:43 +01:00
Asger F
61ef6552c3 JS: handle both data() and taint() source labels 2018-11-22 09:59:31 +00:00
semmle-qlci
4e72a08b8d Merge pull request #507 from esben-semmle/js/mixed-static-intance-this-access-inheritance 
Approved by xiemaisi
 2018-11-21 16:07:25 +00:00
semmle-qlci
f5d3274655 Merge pull request #508 from esben-semmle/js/indirect-global-call-with-default-arguments 
Approved by xiemaisi
 2018-11-21 16:06:46 +00:00
Esben Sparre Andreasen
72c4ef4d90 JS: fixup optional chaining on CallWithNonLocalAnalyzedReturnFlow 2018-11-21 14:18:14 +01:00
Asger F
4ae2493798 JS: rename query to Unsafe Dynamic Method Access 2018-11-21 12:34:18 +00:00
Esben Sparre Andreasen
caea6212ed JS: use inheritance in js/mixed-static-instance-this-access 2018-11-21 09:48:37 +01:00
Esben Sparre Andreasen
01ad9ed8bc JS: address review comments 2018-11-21 09:19:20 +01:00
Esben Sparre Andreasen
41b45352aa JS(ql): support optional chaining 2018-11-21 08:57:10 +01:00
Asger F
7d80847832 JS: add qhelp example to test suite 2018-11-20 18:44:18 +00:00
Asger F
49cd2876c9 JS: use StringConcatenation library in ConcatSanitizer 2018-11-20 18:12:07 +00:00
semmle-qlci
b21b066255 Merge pull request #499 from xiemaisi/js/target-blank-location 
Approved by esben-semmle
 2018-11-20 17:16:05 +00:00
Asger F
8aff66616b JS: suppress similar alerts from RemotePropertyInjection 2018-11-20 15:57:18 +00:00
Asger F
2239f863f7 JS: add query MethodNameInjection 2018-11-20 15:57:18 +00:00
Asger F
bc3b983768 JS: move CodeInjection tests into subfolder 2018-11-20 14:24:37 +00:00
semmle-qlci
1c1d2e943a Merge pull request #496 from esben-semmle/js/yui-directives 
Approved by xiemaisi
 2018-11-20 12:59:55 +00:00
semmle-qlci
8333f72030 Merge pull request #470 from esben-semmle/custom-abstract-values-only 
Approved by xiemaisi
 2018-11-20 12:59:35 +00:00
Max Schaefer
c1690a69e5 JavaScript: Make TargetBlank only highlight the first line of the link. 
Otherwise alerts for multi-line `<a>` elements end up looking very red.

I also took the opportunity to improve the tests slightly.
 2018-11-20 12:53:27 +00:00
Esben Sparre Andreasen
82fc8ae32a JS: support indirection with extra args in js/missing-this-qualifier 2018-11-20 11:29:03 +01:00
Esben Sparre Andreasen
54fea1a4cb JS: support "xyz:nomunge" YUI compressor directives 2018-11-20 09:00:33 +01:00
Esben Sparre Andreasen
ee7a6af7c7 JS: address review comments 2018-11-20 08:37:23 +01:00
Pavel Avgustinov
16ec9f1aa4 Merge remote-tracking branch 'origin/next' into bump/master-next 2018-11-19 10:37:07 +00:00
Asger F
6ec13feab4 JS: recognize sanitizing slashes in URL redirection queries 2018-11-16 10:43:25 +00:00
semmle-qlci
0647743333 Merge pull request #467 from xiemaisi/js/amd-imports 
Approved by asger-semmle
 2018-11-16 09:31:50 +00:00
semmle-qlci
4a14bef507 Merge pull request #466 from xiemaisi/js/more-data-flow-predicates 
Approved by asger-semmle
 2018-11-14 16:07:59 +00:00
Max Schaefer
6f6b3b0d5e JavaScript: Add a convenience method to SourceNode and use it in a few places. 2018-11-14 11:58:45 +00:00
Max Schaefer
a441bfb751 JavaScript: Add a convenience method to AMDModuleDefinition. 2018-11-14 11:36:40 +00:00
Aditya Sharad
f0715b09e1 Merge master into next. 2018-11-14 10:06:27 +00:00
Max Schaefer
9221b62ded JavaScript: Update expectd test output for security path queries to include nodes and edges query predicates. 2018-11-14 09:32:31 +00:00
Max Schaefer
d57b5d9628 JavaScript: Remove ReflectdXssPath.ql, which is now spurious. 2018-11-14 09:16:40 +00:00
Max Schaefer
a499009f59 Merge pull request #395 from esben-semmle/js/useless-defensive-code 
JS: add query: js/useless-defensive-code
 2018-11-13 16:55:59 +00:00
Max Schaefer
4fdfbb77cc Merge pull request #444 from esben-semmle/js/browser-based-client-requests 
JS: add models of $.ajax, $.getJSON and XMLHttpRequst
 2018-11-13 16:53:52 +00:00
Esben Sparre Andreasen
daed0653cb JS: support property tracking of custom abstract values 2018-11-13 11:42:09 +01:00
Esben Sparre Andreasen
1d87c580b3 JS: introduce DefinedCustomAbstractValue 2018-11-13 11:40:31 +01:00