codeql

mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00

Author	SHA1	Message	Date
Esben Sparre Andreasen	737a816e6f	JS: refactor isReactImportForJSX	2018-11-28 13:16:55 +01:00
Max Schaefer	9c98aaf4bd	JavaScript: Refactor a few predicates to avoid materialisations.	2018-11-28 10:51:29 +00:00
Max Schaefer	39f1c7904b	JavaScript: Address review comments.	2018-11-28 09:44:58 +00:00
Max Schaefer	f1c538a97b	JavaScript: Restrict `RemotePropertyInjection` query to avoid double-reporting. This query now only flags user-controlled property and header writes, method calls are handled by the new unsafe/unvalidated method call queries.	2018-11-28 08:16:31 +00:00
Max Schaefer	2889e07eb8	JavaScript: Add new query `UnvalidatedDynamicMethodCall`.	2018-11-28 08:16:31 +00:00
Aditya Sharad	5d5bfc215e	Merge rc/1.19 into next.	2018-11-27 12:04:46 +00:00
Max Schaefer	cf1e7cff3f	JavaScript: Move an auxiliary predicate into shared library.	2018-11-27 12:03:25 +00:00
Max Schaefer	8e54c7ab6c	Merge pull request #503 from asger-semmle/unsafe-global-object-access JS: add method name injection query	2018-11-26 15:56:20 +00:00
Esben Sparre Andreasen	2d7f09d321	JS(ql): support nullish coalescing operators	2018-11-26 10:31:19 +01:00
Esben Sparre Andreasen	a2a798e59c	JS(extractor): support nullish coalescing operators	2018-11-26 09:45:19 +01:00
Aditya Sharad	c20b688a3f	Merge master into next.	2018-11-23 16:36:31 +00:00
semmle-qlci	04c2b23abd	Merge pull request #520 from esben-semmle/js/clear-text-logging-taint-kinds Approved by asger-semmle	2018-11-23 12:40:40 +00:00
Esben Sparre Andreasen	b780f82869	JS: sharpen `js/clear-text-logging` (ODASA-7485)	2018-11-22 13:38:43 +01:00
Asger F	61ef6552c3	JS: handle both data() and taint() source labels	2018-11-22 09:59:31 +00:00
semmle-qlci	4e72a08b8d	Merge pull request #507 from esben-semmle/js/mixed-static-intance-this-access-inheritance Approved by xiemaisi	2018-11-21 16:07:25 +00:00
semmle-qlci	f5d3274655	Merge pull request #508 from esben-semmle/js/indirect-global-call-with-default-arguments Approved by xiemaisi	2018-11-21 16:06:46 +00:00
Asger F	27c9326e70	JS: address doc review	2018-11-21 14:19:14 +00:00
Esben Sparre Andreasen	72c4ef4d90	JS: fixup optional chaining on `CallWithNonLocalAnalyzedReturnFlow`	2018-11-21 14:18:14 +01:00
Asger F	8c7e19567b	JS: fix string value of taint configuration	2018-11-21 12:35:35 +00:00
Asger F	4ae2493798	JS: rename query to Unsafe Dynamic Method Access	2018-11-21 12:34:18 +00:00
Asger F	cb832b1de9	Merge branch 'unsafe-global-object-access' of github.com:asger-semmle/ql into unsafe-global-object-access	2018-11-21 11:14:21 +00:00
Asger F	84d642612e	JS: more comments	2018-11-21 11:14:13 +00:00
Max Schaefer	fa761c07bd	Update javascript/ql/src/Security/CWE-094/MethodNameInjection.ql Co-Authored-By: asger-semmle <42069257+asger-semmle@users.noreply.github.com>	2018-11-21 10:55:38 +00:00
Esben Sparre Andreasen	caea6212ed	JS: use inheritance in `js/mixed-static-instance-this-access`	2018-11-21 09:48:37 +01:00
Esben Sparre Andreasen	01ad9ed8bc	JS: address review comments	2018-11-21 09:19:20 +01:00
Esben Sparre Andreasen	41b45352aa	JS(ql): support optional chaining	2018-11-21 08:57:10 +01:00
Esben Sparre Andreasen	00587ba7b4	JS(extractor): support optional chaining	2018-11-21 08:57:10 +01:00
Asger F	4138f814d8	JS: expand example	2018-11-20 18:42:49 +00:00
Asger F	260ae36cf8	JS: document the shared module	2018-11-20 18:27:02 +00:00
Asger F	3902f752d0	JS: share detection of objects with unsafe methods	2018-11-20 18:26:20 +00:00
Asger F	b16072a7be	JS: share ConcatSanitizer in common module	2018-11-20 18:24:52 +00:00
Asger F	49cd2876c9	JS: use StringConcatenation library in ConcatSanitizer	2018-11-20 18:12:07 +00:00
Asger F	1c06f45046	JS: address some comments	2018-11-20 18:11:46 +00:00
semmle-qlci	b21b066255	Merge pull request #499 from xiemaisi/js/target-blank-location Approved by esben-semmle	2018-11-20 17:16:05 +00:00
Asger F	8aff66616b	JS: suppress similar alerts from RemotePropertyInjection	2018-11-20 15:57:18 +00:00
Asger F	2239f863f7	JS: add query MethodNameInjection	2018-11-20 15:57:18 +00:00
semmle-qlci	1c1d2e943a	Merge pull request #496 from esben-semmle/js/yui-directives Approved by xiemaisi	2018-11-20 12:59:55 +00:00
semmle-qlci	8333f72030	Merge pull request #470 from esben-semmle/custom-abstract-values-only Approved by xiemaisi	2018-11-20 12:59:35 +00:00
Max Schaefer	c1690a69e5	JavaScript: Make `TargetBlank` only highlight the first line of the link. Otherwise alerts for multi-line `<a>` elements end up looking very red. I also took the opportunity to improve the tests slightly.	2018-11-20 12:53:27 +00:00
Esben Sparre Andreasen	82fc8ae32a	JS: support indirection with extra args in js/missing-this-qualifier	2018-11-20 11:29:03 +01:00
Esben Sparre Andreasen	54fea1a4cb	JS: support "xyz:nomunge" YUI compressor directives	2018-11-20 09:00:33 +01:00
Esben Sparre Andreasen	ee7a6af7c7	JS: address review comments	2018-11-20 08:37:23 +01:00
semmle-qlci	26a248b14a	Merge pull request #487 from xiemaisi/js/lint-join-order Approved by esben-semmle	2018-11-20 06:51:33 +00:00
semmle-qlci	7df397f8ab	Merge pull request #486 from xiemaisi/js/lower-severities Approved by asger-semmle	2018-11-20 06:39:23 +00:00
Max Schaefer	6021d2499d	JavaScript: Remove accidentally committed `.actual` file.	2018-11-19 12:24:19 +00:00
Pavel Avgustinov	16ec9f1aa4	Merge remote-tracking branch 'origin/next' into bump/master-next	2018-11-19 10:37:07 +00:00
Max Schaefer	73ad3f5c8a	JavaScript: Tweak `JSLint` library to avoid bad join order.	2018-11-19 09:12:02 +00:00
Max Schaefer	1b59a28be0	JavaScript: Downgrade a few "error" rules to "warning". For all of these queries, the results we tend to see in practice are certainly worth investigating, but aren't crashing bugs, so making them warnings seems more appropriate.	2018-11-19 09:09:26 +00:00
Asger F	c06c9a02f7	JS: fix copy pasta and test output	2018-11-16 10:47:02 +00:00
Asger F	dd5f485fff	JS: use original sanitizer for SSRF query	2018-11-16 10:46:14 +00:00

... 90 91 92 93 94 ...

5056 Commits