1639 Commits

Author	SHA1	Message	Date
Asger Feldthaus	7afa755597	JS: Add ajv error as source of ExceptionXss	2021-03-02 12:39:04 +00:00
Asger Feldthaus	b978359803	JS: Add schema validation as TaintedObject sanitizer	2021-03-02 12:39:04 +00:00
Erik Krogh Kristensen	ecccb8a409	only flag React elements in ClientSideUrlRedirect if it's a HTML element, or known link class	2021-03-02 12:25:50 +01:00
Erik Krogh Kristensen	36049f05f8	update Next.js xss example such that the attack is viable	2021-03-02 12:25:50 +01:00
Erik Krogh Kristensen	97032f8627	add ClientSideUrlRedirect sink for Next.js routers	2021-03-02 12:25:49 +01:00
Erik Krogh Kristensen	a79c30a818	support NextJS API endpoints	2021-03-02 12:25:49 +01:00
Erik Krogh Kristensen	1fdbbb682d	support Next.js page request/response objects	2021-03-02 12:25:49 +01:00
Erik Krogh Kristensen	41a0c0b55e	support React links in js/client-side-unvalidated-url-redirection	2021-03-02 12:25:49 +01:00
Max Schaefer	2e252ba3e4	JavaScript: Learn that receivers of DOM event handlers are themselves DOM nodes.	2021-02-25 09:06:58 +00:00
Max Schaefer	ae2a5da63f	JavaScript: Add new tests for recognising receiver of event handler as DOM element.	2021-02-25 09:04:46 +00:00
Asger F	b8e1987cad	Update javascript/ql/test/query-tests/DOM/HTML/DuplicateAttributes.html ... Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2021-02-22 10:08:56 +00:00
Asger Feldthaus	e964771e9c	JS: Add test	2021-02-22 09:47:21 +00:00
CodeQL CI	8716cbd7ee	Merge pull request #5140 from erik-krogh/mark ... Approved by asgerf	2021-02-17 11:50:11 -08:00
CodeQL CI	b5143dbdb4	Merge pull request #5117 from erik-krogh/parseForm ... Approved by asgerf	2021-02-15 04:30:59 -08:00
Erik Krogh Kristensen	69d8aa143c	add taint step for the snarkdown libary	2021-02-11 16:16:46 +01:00
Erik Krogh Kristensen	d14586de56	add two non ReDoS regular expressions to the ReDoS test suite ... Adds the regular expression from #5145	2021-02-11 14:41:45 +01:00
Erik Krogh Kristensen	010d580f8e	add model for multiparty	2021-02-11 09:34:04 +01:00
Erik Krogh Kristensen	61b4ffec3d	add remote flow from the Formidable library	2021-02-11 09:34:04 +01:00
Erik Krogh Kristensen	a03f4ed3cd	add remote flow source for busboy	2021-02-11 09:34:02 +01:00
Erik Krogh Kristensen	e2fbf8a68c	add files uploaded with multer as RemoteFlowSource	2021-02-11 09:33:15 +01:00
Erik Krogh Kristensen	7cff1f441b	add model for the unified and remark libraries	2021-02-10 18:13:01 +01:00
Erik Krogh Kristensen	0d497e8b9a	add model for the showdown library	2021-02-10 17:22:42 +01:00
Erik Krogh Kristensen	f76018c039	add taint step for the markdown-table library	2021-02-10 15:11:41 +01:00
Erik Krogh Kristensen	b4704f7016	add taint-step for the marked library	2021-02-10 14:51:08 +01:00
Erik Krogh Kristensen	101d4358a9	detect DOM nodes from event callbacks	2021-02-10 14:17:49 +01:00
Erik Krogh Kristensen	be9636491b	add source for react-hook-form in xss-through-dom	2021-02-10 14:17:49 +01:00
Erik Krogh Kristensen	65d93c9061	detect for DOM elements from DOM events in React	2021-02-10 14:17:49 +01:00
Erik Krogh Kristensen	458dda9d25	add xss-through-dom source from react-final-form	2021-02-10 14:17:49 +01:00
Erik Krogh Kristensen	ff3950ce98	add model for formik	2021-02-10 14:17:49 +01:00
CodeQL CI	653c900d62	Merge pull request #4987 from erik-krogh/defensiveFunctions ... Approved by esbena	2021-02-02 14:47:23 -08:00
CodeQL CI	209fe8d7e5	Merge pull request #5049 from erik-krogh/singleQuote ... Approved by esbena	2021-02-02 13:48:42 -08:00
CodeQL CI	4fdbda3543	Merge pull request #5056 from erik-krogh/react ... Approved by asgerf	2021-02-02 01:40:08 -08:00
Erik Krogh Kristensen	ca435763b0	separate message for double and single quotes	2021-02-01 23:54:12 +01:00
Esben Sparre Andreasen	9678534f25	JS: add tests for some syntactic XSS vector obfuscations	2021-02-01 10:20:23 +01:00
Erik Krogh Kristensen	aae69c6537	update expected output	2021-02-01 09:33:52 +01:00
Erik Krogh Kristensen	c9ec983cd8	add js/client-side-unvalidated-url-redirection test for script tags inside react code	2021-01-29 12:50:43 +01:00
Erik Krogh Kristensen	39591687ba	add js/code-injection sink for script tags in React	2021-01-29 12:50:17 +01:00
Erik Krogh Kristensen	3f1e81533c	support html attribute concatenations with single quotes	2021-01-29 10:37:37 +01:00
Erik Krogh Kristensen	0ba610f7db	Merge pull request #5013 from erik-krogh/asmWhitespace ... JS: remove benign result for js/whitespace-contradicts-precedence related to " | 0" expressions	2021-01-25 13:29:07 +01:00
Erik Krogh Kristensen	d86705fe7a	remove benign result for js/whitespace-contradicts-precedence related to " | 0" expressions	2021-01-25 10:43:39 +01:00
CodeQL CI	527c41520e	Merge pull request #4951 from esbena/js/reintroduce-server-crash ... Approved by erik-krogh	2021-01-22 06:37:50 -08:00
CodeQL CI	b83c949109	Merge pull request #4986 from erik-krogh/logInf ... Approved by esbena	2021-01-21 06:02:50 -08:00
Erik Krogh Kristensen	a44aefa6c9	add test for top-level closure modules - and simplify	2021-01-20 19:47:32 +01:00
Erik Krogh Kristensen	bf518f1c90	flag less overly general functions with js/unneeded-defensive-code	2021-01-20 15:48:12 +01:00
Erik Krogh Kristensen	2e024c3c61	fix that type inference assumed every compound-assignment have type number	2021-01-20 15:26:39 +01:00
Erik Krogh Kristensen	fbfbe70deb	add support for unnamed/default exports in PackageExports.qll	2021-01-19 22:40:45 +01:00
CodeQL CI	bdfb81064d	Merge pull request #4969 from asgerf/js/angular-dom-santizier-from-core ... Approved by erik-krogh	2021-01-19 08:45:15 -08:00
Erik Krogh Kristensen	2a8a2832e2	Merge pull request #4946 from erik-krogh/libRedos ... JS: Add library input as source for `js/polynomial-redos`	2021-01-19 17:30:20 +01:00
Esben Sparre Andreasen	3015dcd310	JS: reformulate js/server-crash. Support promises and shorter paths.	2021-01-19 09:08:52 +01:00
Erik Krogh Kristensen	01900d7ca2	remove false positive due to "\n" not being in the relevant relation	2021-01-18 14:47:29 +01:00