6736 Commits

Author	SHA1	Message	Date
Erik Krogh Kristensen	d36c66cfca	remove redundant inline casts in arguments where the type is inferred by the call target	2021-10-29 14:37:56 +02:00
Asger Feldthaus	d52b2bd863	JS: Fix FP in ˚MixedStaticInstanceThisAccess	2021-10-29 14:16:54 +02:00
Asger Feldthaus	afa6424d67	JS: Add test with FP	2021-10-29 14:16:54 +02:00
Max Schaefer	bc91f664ac	JavaScript: Teach API graphs to handle some forms of property copying. ... In particular, copied promises are now handled better.	2021-10-29 11:19:54 +01:00
Erik Krogh Kristensen	6fffdf6101	Merge pull request #6855 from erik-krogh/secCookie ... JS: Move cookie queries out of experimental.	2021-10-29 10:23:48 +02:00
Erik Krogh Kristensen	cfc5629435	apply all doc fixes ... Co-authored-by: hubwriter <hubwriter@github.com>	2021-10-28 18:19:37 +02:00
Erik Krogh Kristensen	15c90adec5	remove redundant cast where the type is enforced by an equality comparison	2021-10-28 18:08:20 +02:00
Erik Krogh Kristensen	e75448ebb0	remove redundant inline casts	2021-10-28 16:35:53 +02:00
Erik Krogh Kristensen	c34b089bc5	autoformat	2021-10-28 16:02:36 +02:00
Erik Krogh Kristensen	4f6e5c903b	filter out writes to number indexes	2021-10-28 14:27:07 +02:00
Erik Krogh Kristensen	12305aae42	extract regexp literals from string concatenations	2021-10-28 10:44:33 +02:00
Erik Krogh Kristensen	96b6f670d9	filter away paths that start with libary inputs and end with a fixed-property write	2021-10-27 21:01:11 +02:00
Erik Krogh Kristensen	78371894f4	update import after rebasing on main	2021-10-27 20:47:06 +02:00
Erik Krogh Kristensen	a9a9e34265	recognize delete expresssions as a sink for js/prototype-polluting-assignment	2021-10-27 20:37:42 +02:00
Erik Krogh Kristensen	1243c736dd	use ConcatenationNode::isCoercion	2021-10-27 20:37:42 +02:00
Erik Krogh Kristensen	2dedfb302a	remove paths without unmatched returns from js/prototype-polluting-assignment	2021-10-27 20:37:42 +02:00
Erik Krogh Kristensen	0c9c9bbde7	detect library input when the arguments object is converted to an array	2021-10-27 20:37:41 +02:00
Erik Krogh Kristensen	fa9e9dd847	split out predicates in ClassifyFiles to avoid unnecessary computations	2021-10-27 20:35:38 +02:00
Erik Krogh Kristensen	3d124cf95e	add change-note	2021-10-27 20:35:38 +02:00
Erik Krogh Kristensen	d1238dfd8b	update alert message to distinguish between library input and remote flow	2021-10-27 20:35:38 +02:00
Erik Krogh Kristensen	6e183af383	ignore test files for the `prototypeLessObject' predicate	2021-10-27 20:35:37 +02:00
Erik Krogh Kristensen	e94b0f5913	recognize inclusion based sanitizers for js/prototype-polluting-assignment	2021-10-27 20:35:37 +02:00
Erik Krogh Kristensen	2a808b2cd6	track taint through string coercions for js/prototype-polluting-assignment	2021-10-27 20:35:37 +02:00
Erik Krogh Kristensen	2d65aa17db	recognize exported functions that use the arguments object	2021-10-27 20:35:37 +02:00
Erik Krogh Kristensen	78774233c7	add library input as source to js/prototype-polluting-assignment	2021-10-27 20:35:36 +02:00
Erik Krogh Kristensen	0372ccce02	simplify regexp ... Co-authored-by: Esben Sparre Andreasen <esbena@github.com>	2021-10-27 20:04:24 +02:00
Erik Krogh Kristensen	af64b319ee	update documentation strings ... Co-authored-by: Esben Sparre Andreasen <esbena@github.com>	2021-10-27 19:54:52 +02:00
Erik Krogh Kristensen	71cca6d644	Merge branch 'main' into ldap	2021-10-27 19:06:06 +02:00
Erik Krogh Kristensen	2e912ee28e	rename LDAP to Ldap	2021-10-27 19:05:56 +02:00
Erik Krogh Kristensen	c1ab49fe8a	rename LDapFilterStep to TaintPreservingLDapFilterStep	2021-10-27 19:05:00 +02:00
Erik Krogh Kristensen	44afa34e37	Merge branch 'main' of github.com:github/codeql into htmlReg	2021-10-26 14:46:27 +02:00
CodeQL CI	e5e1046c81	Merge pull request #6962 from asgerf/js/template-db-constraint-err ... Approved by erik-krogh	2021-10-26 13:43:57 +01:00
Erik Krogh Kristensen	8ba545999e	add change-note	2021-10-26 14:13:56 +02:00
Anders Schack-Mulligen	90bebaa5a9	Merge pull request #6960 from erik-krogh/useSetLiteral ... use set literal instead of big disjunction of literals	2021-10-26 14:06:05 +02:00
Erik Krogh Kristensen	090fb2df10	Merge pull request #6857 from erik-krogh/fixPipes ... JS: skip pipes and other special files when determining which files to extract	2021-10-26 13:59:40 +02:00
Erik Krogh Kristensen	9c8a51bca6	cache SensitiveExpr	2021-10-26 13:47:28 +02:00
Erik Krogh Kristensen	038438edca	assume that setting the secure/httpOnly flag to some unknown value is good	2021-10-26 13:47:28 +02:00
Erik Krogh Kristensen	5228196f79	fix typos and update docs	2021-10-26 13:47:21 +02:00
Erik Krogh Kristensen	311df4d2b7	add test for the cookie npm package	2021-10-26 13:46:59 +02:00
Erik Krogh Kristensen	92d59aa11c	refactor most of the isSensitive predicates into a common helper predicate	2021-10-26 13:46:59 +02:00
Erik Krogh Kristensen	834d5ec6ad	add session{key,id} as sensitive info	2021-10-26 13:46:59 +02:00
Erik Krogh Kristensen	1e1e549847	update tests so it's clear which cookies are insecure	2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen	283b8231cb	add more cookie models	2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen	2cb3d2c53f	documentation overhaul on client-exposed-cookie (and restricting it to server-side)	2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen	ab23ffff3d	documentation overhaul for clear-text-cookie	2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen	f36accf3e6	only report clear-text cookies for sensitive cookies	2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen	53b4337795	combine test files	2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen	9193984f1b	delete the experimental query library for cookie queries	2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen	6858acc6a9	port experimental cookie models to non-experimental	2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen	26a24a3895	prepare move to non-experimental	2021-10-26 13:46:57 +02:00