hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
32,907 Commits 1,672 Branches 157 Tags
codeql-cli-2.8.2
Commit Graph

3136 Commits

Author SHA1 Message Date
Asger Feldthaus
144d04f3ce JS: Add test exposing source location of attribute after line break 2021-01-21 11:25:39 +00:00
Asger Feldthaus
7c6704a63f JS: Shift line numbers in test case 2021-01-21 11:09:36 +00:00
CodeQL CI
30015ee995 Merge pull request #4942 from esbena/js/reintroduce-resource-exhaustion 
Approved by erik-krogh
 2021-01-21 01:21:33 -08:00
Esben Sparre Andreasen
b90dd89746 JS: move js/resource-exhaustion to experimental 2021-01-21 09:09:01 +01:00
Erik Krogh Kristensen
a44aefa6c9 add test for top-level closure modules - and simplify 2021-01-20 19:47:32 +01:00
Erik Krogh Kristensen
bf518f1c90 flag less overly general functions with js/unneeded-defensive-code 2021-01-20 15:48:12 +01:00
Erik Krogh Kristensen
2e024c3c61 fix that type inference assumed every compound-assignment have type number 2021-01-20 15:26:39 +01:00
Erik Krogh Kristensen
fbfbe70deb add support for unnamed/default exports in PackageExports.qll 2021-01-19 22:40:45 +01:00
CodeQL CI
bdfb81064d Merge pull request #4969 from asgerf/js/angular-dom-santizier-from-core 
Approved by erik-krogh
 2021-01-19 08:45:15 -08:00
Erik Krogh Kristensen
2a8a2832e2 Merge pull request #4946 from erik-krogh/libRedos 
JS: Add library input as source for `js/polynomial-redos`
 2021-01-19 17:30:20 +01:00
Esben Sparre Andreasen
3015dcd310 JS: reformulate js/server-crash. Support promises and shorter paths. 2021-01-19 09:08:52 +01:00
Erik Krogh Kristensen
01900d7ca2 remove false positive due to "\n" not being in the relevant relation 2021-01-18 14:47:29 +01:00
CodeQL CI
fc2fe6cccb Merge pull request #4928 from esbena/js/rewrite-multi-sanitization 
Approved by asgerf
 2021-01-18 05:11:42 -08:00
Asger Feldthaus
fbb5d14263 JS: Update angular test output 2021-01-18 12:19:09 +00:00
Asger Feldthaus
2a7b4487f1 JS: More auto format 2021-01-18 12:19:09 +00:00
Asger Feldthaus
c8901b62f5 JS: Add test for $any step 2021-01-18 12:19:08 +00:00
Asger Feldthaus
2ba98da107 JS: Only extract local vars in TemplateTopLevel 
Angular template expressions cannot refer to global variables, any
unqualified identifier is a reference to a property provided by the
component.

We extract them as implicitly declared local variables which the
QL model can then connect with data flow steps.
 2021-01-18 12:19:08 +00:00
Asger Feldthaus
8848ee2d10 JS: Extract HTML from inline templates 2021-01-18 12:19:08 +00:00
Asger Feldthaus
6bf9345258 JS: Add test for class with locally-unused field 2021-01-18 12:19:08 +00:00
Asger Feldthaus
cc952bd2a4 JS: Reorganize test a bit 2021-01-18 12:19:08 +00:00
Asger Feldthaus
1ab36dc81f JS: Flow through *ngFor loops 2021-01-18 12:19:08 +00:00
Asger Feldthaus
0da207a5f9 JS: Update test with pipes 2021-01-18 12:18:27 +00:00
Asger Feldthaus
ed27c8b13f JS: Add test and fix bug in pipe parser 2021-01-18 12:16:13 +00:00
Asger Feldthaus
3db6069372 JS: Add test for new sink 2021-01-18 10:55:34 +00:00
Asger Feldthaus
2752b4ba64 JS: Shift line numbers in test 2021-01-18 10:54:39 +00:00
Erik Krogh Kristensen
401e516654 update expected output, and update PackageExports test 2021-01-15 17:40:47 +01:00
Erik Krogh Kristensen
26783b6ab0 make getTopmostPackageJSON public again, and update PackageExports test 2021-01-15 16:05:49 +01:00
Erik Krogh Kristensen
1506ac09e5 limit the number of characters produced by getAThreewayIntersect 2021-01-15 13:54:16 +01:00
Erik Krogh Kristensen
c5595f4cbd improve alert message for js/polynomial-redos 2021-01-14 13:48:26 +01:00
Erik Krogh Kristensen
86e33d9d79 select the shortest possible reason 2021-01-14 13:38:37 +01:00
Erik Krogh Kristensen
a520a51d42 highlight the use of the regular expression, instead of the sink for user input 2021-01-14 11:22:20 +01:00
CodeQL CI
4229f556cb Merge pull request #4751 from erik-krogh/logInjection 
Approved by asgerf, mchammer01
 2021-01-14 00:32:46 -08:00
Esben Sparre Andreasen
1bc7d68a50 Update javascript/ql/test/query-tests/Security/CWE-730/server-crash.js 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2021-01-13 14:49:42 +01:00
Erik Krogh Kristensen
d71adff079 dont sanitize global replacements where the regexp is a char class 2021-01-13 10:12:12 +01:00
Esben Sparre Andreasen
d591c519a8 JS: reformulate js/server-crash as a path problem 2021-01-13 00:08:28 +01:00
Erik Krogh Kristensen
eaee5c2d87 add library input as source for js/polynomial-redos 2021-01-12 20:21:33 +01:00
Esben Sparre Andreasen
3c9c79a550 JS: remove flow labels from js/resource-exhaustion 2021-01-12 13:20:20 +01:00
Esben Sparre Andreasen
5965035c09 JS: add query js/resource-exhaustion 2021-01-12 13:20:20 +01:00
CodeQL CI
1c8547c897 Merge pull request #4774 from erik-krogh/forms 
Approved by asgerf
 2021-01-12 02:01:38 -08:00
Esben Sparre Andreasen
847687974f JS: only select non-nullable terms in the broken sanitizer 2021-01-12 08:50:19 +01:00
Esben Sparre Andreasen
40cfbab335 JS: address review feedback 2021-01-12 08:49:08 +01:00
Max Schaefer
3853da0969 JavaScript: Teach API-graphs about bound arguments. 2021-01-11 13:53:46 +00:00
Max Schaefer
ecab17a626 JavaScript: Teach API graphs to handle promisify. 
Following a suggestion by Asger, we track use nodes through calls to `promisify`. When we see a call to a promisified function, we introduce a new synthetic API-graph node representing the callback argument synthesised by the promisification, and track the result of the call to an `await` (or other promise resolution), which is then considered to be a use of the first parameter of the synthetic callback (the zeroth parameter being an error code, which we do not model yet).
 2021-01-11 13:53:46 +00:00
Esben Sparre Andreasen
2dbd762bd9 JS: reintroduce reverted js/server-crash 
This reverts commit 0a8d15ccc4.
 2021-01-11 14:13:41 +01:00
Esben Sparre Andreasen
580a24e982 JS: rewrite js/incomplete-multi-character-sanitization 2021-01-11 11:26:45 +01:00
CodeQL CI
807fc94627 Merge pull request #4921 from erik-krogh/moreShellSan 
Approved by esbena
 2021-01-08 00:58:26 -08:00
CodeQL CI
c193d9f375 Merge pull request #4823 from erik-krogh/furtherReDoS 
Approved by esbena
 2021-01-07 05:24:07 -08:00
Erik Krogh Kristensen
2aa59a3f8b support sanitizers that sanitize individual chars in js/shell-command-constructed-from-input 2021-01-07 13:58:25 +01:00
Erik Krogh Kristensen
bfd8d1b1e9 Merge branch 'main' into revertSum 2021-01-06 23:04:08 +01:00
CodeQL CI
9d4cd0aa85 Merge pull request #4862 from erik-krogh/shellSanitizer 
Approved by esbena
 2021-01-06 11:16:12 -08:00