6874 Commits

Author	SHA1	Message	Date
Erik Krogh Kristensen	c3f5a6dcac	introduce API::Node::getACall()	2020-09-29 18:23:10 +02:00
Erik Krogh Kristensen	69f4ac25c4	renamings based on review	2020-09-29 18:23:10 +02:00
Erik Krogh Kristensen	1596436f7e	rename getASourceUse to getAReference	2020-09-29 18:23:10 +02:00
Erik Krogh Kristensen	adc05022f3	update comment in test case ... Co-authored-by: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>	2020-09-29 18:21:41 +02:00
Erik Krogh Kristensen	3857331657	avoid .getReturn().getAUse().(DataFlow::InvokeNode) in the SQL model	2020-09-29 17:08:09 +02:00
Erik Krogh Kristensen	deae9256dd	add convenience method to API graphs	2020-09-29 17:08:00 +02:00
CodeQL CI	d7add29dc2	Merge pull request #4359 from erik-krogh/cookieWrites ... Approved by esbena	2020-09-29 06:32:01 -07:00
CodeQL CI	910c19e613	Merge pull request #4348 from erik-krogh/needle ... Approved by esbena	2020-09-29 02:57:32 -07:00
CodeQL CI	11f39a9d88	Merge pull request #4342 from erik-krogh/track-where-prop ... Approved by asgerf	2020-09-29 02:09:53 -07:00
Erik Krogh Kristensen	52d94f6177	use getABoundCallbackParameter instead of getCallback and getParameter.	2020-09-29 10:12:46 +02:00
CodeQL CI	060c19a063	Merge pull request #4352 from erik-krogh/destructing-redirect ... Approved by esbena	2020-09-28 12:31:42 -07:00
Erik Krogh Kristensen	e04404b713	also recognize cookie writes are leading to cookie access	2020-09-28 21:17:25 +02:00
Max Schaefer	dfc4436012	JavaScript: Teach API graphs to recognise arguments supplied in partial function applications.	2020-09-28 17:52:57 +01:00
Esben Sparre Andreasen	c0a67a8d7b	JS: another CWE-20 -> CWE-020	2020-09-28 14:27:10 +02:00
CodeQL CI	75262ddace	Merge pull request #4328 from erik-krogh/indirect-fix2 ... Approved by esbena	2020-09-28 04:55:19 -07:00
CodeQL CI	18bdc054cd	Merge pull request #4347 from max-schaefer/js/handle-empty-pkgjson ... Approved by asgerf	2020-09-28 02:42:21 -07:00
Erik Krogh Kristensen	664342dd0f	change SimpleParameter to Parameter in the express model to support destructuring parameters	2020-09-26 21:31:06 +02:00
CodeQL CI	ea5feb2b0a	Merge pull request #4331 from erik-krogh/DVNA-files ... Approved by esbena	2020-09-25 05:21:03 -07:00
Erik Krogh Kristensen	6b9aea82ca	model method calls in the needle library	2020-09-25 14:13:31 +02:00
Erik Krogh Kristensen	a22ddb145b	model calls to needle	2020-09-25 13:53:22 +02:00
Max Schaefer	0ccbaf9e88	JavaScript: Handle empty package.json files gracefully.	2020-09-25 12:12:39 +01:00
Esben Sparre Andreasen	ba0a2e1665	JS: tag consistency: replace cwe-20 with cwe-020	2020-09-25 10:28:05 +02:00
CodeQL CI	7b1dbb4364	Merge pull request #4337 from max-schaefer/js/fix-indirect-command-injection ... Approved by asgerf	2020-09-25 00:18:55 -07:00
Erik Krogh Kristensen	b8154d41b1	type-track objects where the "$where" property has been written	2020-09-24 20:55:25 +02:00
CodeQL CI	19316930cd	Merge pull request #4310 from asgerf/js/extract-xml-with-codeql ... Approved by aibaars, esbena	2020-09-24 10:14:46 -07:00
Erik Krogh Kristensen	6163e6cf5f	adjust test case for XML entity expansion	2020-09-24 09:53:06 +02:00
Erik Krogh Kristensen	83f0514475	add req.files as a RequestInputAccess in the Express model	2020-09-23 15:50:59 +02:00
Max Schaefer	dc7b447895	JavaScript: Make alert locations for command injection more precise.	2020-09-23 14:07:36 +01:00
Max Schaefer	439aadf0b6	JavaScript: Do even more type tracking in command injection.	2020-09-23 14:07:36 +01:00
Max Schaefer	ef18b39124	JavaScript: Fix use of type backtracker in IndirectCommandArgument.qll.	2020-09-23 14:07:36 +01:00
Max Schaefer	825fc2228b	JavaScript: Add two new command-injection tests.	2020-09-23 14:07:36 +01:00
Erik Krogh Kristensen	ec2b3f0b6c	better join-order fix in HTTP	2020-09-22 21:02:26 +02:00
CodeQL CI	475519c9ee	Merge pull request #4267 from asgerf/js/log-typescript-memory ... Approved by esbena	2020-09-22 08:51:51 -07:00
CodeQL CI	036a36a474	Merge pull request #4317 from max-schaefer/js/api-node-depth ... Approved by asgerf	2020-09-22 05:58:48 -07:00
Erik Krogh Kristensen	717ea2369c	Merge pull request #4311 from erik-krogh/indirect-fix ... JS: improve join-order for HTTP::isDecoratedCall	2020-09-22 14:35:50 +02:00
CodeQL CI	9a306866c5	Merge pull request #4282 from erik-krogh/es2021 ... Approved by esbena	2020-09-22 05:34:35 -07:00
Asger Feldthaus	d34bd51f61	JS: Call codeql.exe instead of codeql.cmd	2020-09-22 10:28:40 +01:00
Asger Feldthaus	bc09bc45bc	JS: Concatenate paths properly	2020-09-22 10:17:30 +01:00
Erik Krogh Kristensen	32b0f1b480	add code example to isDecoratedCall	2020-09-22 10:42:49 +02:00
Max Schaefer	dafd45f0f4	JavaScript: Add a few metric queries for API graphs.	2020-09-22 09:30:19 +01:00
Max Schaefer	46ba4a1fa8	JavaScript: Expose another useful predicate on API-graph nodes.	2020-09-22 09:30:12 +01:00
Erik Krogh Kristensen	ec49c444ef	Apply suggestions from code review ... Co-authored-by: Esben Sparre Andreasen <esbena@github.com>	2020-09-22 10:15:30 +02:00
Erik Krogh Kristensen	4243504c8b	improve join-order for HTTP::isDecoratedCall	2020-09-21 23:20:16 +02:00
Asger Feldthaus	e70bb20f34	JS: Support XML extraction when run with codeql	2020-09-21 17:21:54 +01:00
Erik Krogh Kristensen	4bc91c4439	add support for Promise.any	2020-09-21 10:50:06 +02:00
Erik Krogh Kristensen	9f1b3d61b9	add test for numeric separators	2020-09-21 10:50:06 +02:00
Erik Krogh Kristensen	b09015380a	add support for String.prototype.replaceAll	2020-09-21 10:50:04 +02:00
Erik Krogh Kristensen	0dbdbfa659	bump extractor version	2020-09-21 10:49:50 +02:00
Erik Krogh Kristensen	87d4e13584	added support for ES2021 assignment operators	2020-09-21 10:49:50 +02:00
Erik Krogh Kristensen	4dfc0680e2	support non SourceNode receiver for partialInvoke in routeHandlerStep	2020-09-21 10:42:19 +02:00