Commit Graph

6736 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
8569d261f7 add test 2021-09-13 20:43:31 +02:00
Erik Krogh Kristensen
8e98dcefb1 add clipboard data as a RemoteFlowSource 2021-09-13 20:43:31 +02:00
Erik Krogh Kristensen
3983aceb48 recognize types of the form "HTML%Element" as dom values 2021-09-13 20:43:31 +02:00
Erik Krogh Kristensen
bac80bf686 delete ClipboardXss.ql experimental query 2021-09-13 20:43:31 +02:00
Erik Krogh Kristensen
05cc6bcf8a adjust regexp libraries to how unpaired surrogates are parsed now 2021-09-13 14:02:05 +01:00
Chris Smowton
f24d7c4212 Acknowledge new FPs due to the extractor using U+FFFD for unpaired surrogates
These were already misinterpreted, but the ReDoS code ignored them as they previously appeared to be `?` characters.
2021-09-13 14:02:05 +01:00
Chris Smowton
487ebdf173 Add test for JavaScript literal with an unpaired surrogate character 2021-09-13 14:02:05 +01:00
CodeQL CI
e8fc3c8ead Merge pull request #5888 from erik-krogh/casting
Approved by asgerf
2021-09-10 09:11:39 -07:00
CodeQL CI
27f2d417c1 Merge pull request #6652 from asgerf/js/type-tracking-through-callback
Approved by erik-krogh
2021-09-10 04:11:14 -07:00
Erik Krogh Kristensen
a756ffa3a6 use the new instanceof syntax for NodeJSClientRequest 2021-09-10 09:30:37 +02:00
rhysd
97ed9edd32 JS: Detect untrusted inputs in 'discussion' and 'discussion_comment' payloads 2021-09-10 10:42:58 +09:00
CodeQL CI
cd26d97dd7 Merge pull request #6549 from erik-krogh/moreDom
Approved by asgerf
2021-09-08 05:10:47 -07:00
Asger Feldthaus
db1de18cc2 JS: Support transitive callback-passing 2021-09-08 13:08:16 +02:00
Asger Feldthaus
ceaf2b3727 JS: Rename FlowSteps::callback -> exploratoryCallbackStep 2021-09-08 13:08:12 +02:00
Asger Feldthaus
7c94dd94e9 JS: Add type-tracking steps through callback args 2021-09-08 13:08:05 +02:00
Asger Feldthaus
1f6df4e70d JS: Add callback type tracking test 2021-09-08 13:08:04 +02:00
CodeQL CI
5b229e9392 Merge pull request #6574 from asgerf/js/vue-api-graphs
Approved by erik-krogh
2021-09-07 05:53:30 -07:00
Erik Krogh Kristensen
85e1c87d14 use the new non-extending-subtypes syntax 2021-09-06 11:19:50 +02:00
Erik Krogh Kristensen
8d4af3ad81 convert field based range pattern to casting based range pattern 2021-09-06 11:05:23 +02:00
Andrew Eisenberg
6a47fcaf1f Packaging: Normalize all qlpack.yml files for all languages
This commit ensures consistency among all of our qlpacks. Here are the
changes:

1. Ensure only modern references are used (codeql-{lang} is converted to
   codeql/{lang}-all or codeql/{lang}-queries where appropriate).
2. Use consistent version numbers. All languages are at 0.0.2 except
   javascript, which is 0.0.3.
3. Convert all `libraryPathDependencies` to `dependencies` with version
   constraints
4. Dependencies from query packs to other packs are always `"*"` since
   these dependencies are always from source and we should get the
   latest.
5. Dependencies from codeql/{lang}-lib to codeql/{lang}-upgrades must
   be strict since there is a tight connection between the library
   and its relevant upgrades.
2021-09-03 11:53:28 -07:00
Asger Feldthaus
7149ad8ac4 JS: Also mark uses of the exports object as an export in PackageExports 2021-09-03 13:35:30 +02:00
Nati Pesaresi
629efb85fb ternary operator 2021-09-02 17:55:09 -03:00
CodeQL CI
b4963c7538 Merge pull request #6558 from erik-krogh/redosCasing
Approved by esbena, yoff
2021-09-02 12:20:08 +01:00
Erik Krogh Kristensen
1ad204d89e make after and TState private in ReDoSUtil 2021-09-02 09:15:43 +02:00
Asger Feldthaus
cc838326e1 JS: Remove old bulk export access getAnExportedModule 2021-09-01 13:28:54 +02:00
Asger Feldthaus
7daa6481e3 JS: Check property name in NodeJSModule.getABulkExportedNode 2021-09-01 13:25:14 +02:00
Asger Feldthaus
4b1f918feb JS: Extend getABulkExportedNode and use it in PackageExports 2021-09-01 13:24:23 +02:00
Asger Feldthaus
cce3c0256e JS: Update some comments in Vue 2021-09-01 13:04:40 +02:00
Erik Krogh Kristensen
537450606e use a consistent comment about the ignore case flag 2021-09-01 12:46:50 +02:00
Erik Krogh Kristensen
ff74fe1e03 rename hasChildThatMatchesIgnoringCasing to hasChildThatMatchesIgnoringCasingFlags 2021-09-01 12:45:20 +02:00
Erik Krogh Kristensen
75a3f34e86 use if-else in ReDoSUtil::getCanonicalizationFlags
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2021-09-01 12:44:02 +02:00
Erik Krogh Kristensen
f8d46677b9 add RequestExpr as an alias to NodeJSLib::RequestExpr in Connect.qll 2021-09-01 10:11:05 +02:00
Erik Krogh Kristensen
98d018ce26 remove redundant extends clause
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
2021-09-01 10:09:40 +02:00
Erik Krogh Kristensen
28dce6e95a fix non-monotonic recursion in js/missing-rate-limiting 2021-08-31 14:23:23 +02:00
Erik Krogh Kristensen
83252e5ba2 change note 2021-08-31 14:23:23 +02:00
Erik Krogh Kristensen
cecb6c7bdd add model for live-server 2021-08-31 14:23:23 +02:00
Erik Krogh Kristensen
b509627113 add tests for connect 2021-08-31 14:23:23 +02:00
Erik Krogh Kristensen
3d6ab81ab8 refactor the tests for connect 2021-08-31 14:23:23 +02:00
Erik Krogh Kristensen
c6399dbdf4 simplify the connect model by reusing NodeJSLib::RouteHandler 2021-08-31 14:23:23 +02:00
Asger Feldthaus
27f10123c7 JS: Autoformat 2021-08-31 11:19:11 +02:00
Asger Feldthaus
8833ff7854 JS: Use Vue model in Vuex model 2021-08-31 11:19:10 +02:00
Asger Feldthaus
ebf17e10d6 JS: Fixup in getComponentRef() 2021-08-31 11:19:09 +02:00
Asger Feldthaus
607f2d66b8 JS: Rename getASelfRef to getAnInstanceRef 2021-08-31 11:19:08 +02:00
Asger Feldthaus
999f22f548 JS: Fix getOwnOptionsObject 2021-08-31 11:19:08 +02:00
Asger Feldthaus
9f02ae29ec JS: Autoformat 2021-08-31 11:19:07 +02:00
Asger Feldthaus
7dd65d8ac6 JS: Clean up taint step definitions
These are Unit types and so should be kept private as you can't
use them for anything other than getting all taint steps of a certain
type.

Also factors out accesses to 'this'.
2021-08-31 11:19:06 +02:00
Asger Feldthaus
5b0e26c814 JS: Use API graphs a few more places 2021-08-31 11:19:06 +02:00
Asger Feldthaus
4ff135e827 JS: Port class-based components to API graphs 2021-08-31 11:19:05 +02:00
Asger Feldthaus
5cd0996d92 JS: Deprecate getOwnOptionsObject() 2021-08-31 11:19:04 +02:00
Asger Feldthaus
7be4b76abb JS: Simplify getABoundFunction 2021-08-31 11:19:04 +02:00