hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 12:46:34 +01:00
Code Issues Packages Projects Releases Wiki Activity
78,334 Commits 1,673 Branches 157 Tags
ginsbach/OverlayLocalJava
Commit Graph

2078 Commits

Author SHA1 Message Date
Paul Hodgkinson
c9af53f050 Merge branch 'main' into aegilops/polyfill-io-compromised-script 2024-07-12 12:53:44 +01:00
aegilops
0aab2aef3b Formatting of QLL 2024-07-09 18:16:37 +01:00
aegilops
dae2aeb7d3 QLDoc 2024-07-09 18:16:02 +01:00
aegilops
86afd54a9b Moved new query to 'experimental' 
Moved lists of domains to data extensions, including adding those to the overall qlpack.yml

Expanded scope of new query to further domains operated by the untrusted owners of polyfill.io
 2024-07-09 16:38:01 +01:00
Paul Hodgkinson
d896fdf9fa Merge branch 'main' into aegilops/js/insecure-helmet-middleware 2024-07-08 11:25:47 +01:00
aegilops
1fe14e26b1 Split out "compromised" functionality 2024-07-08 10:56:12 +01:00
aegilops
73fc6bcdb1 Added some missing QLDoc 2024-07-01 17:10:24 +01:00
aegilops
a1b0703690 Added detection for specific Polyfill.io CDN compromise - edited existing library and added new query and tests 2024-07-01 16:21:34 +01:00
am0o0
6ecd8b7ee8 add new default cred kind 2024-07-01 14:42:34 +02:00
am0o0
fa8c457015 move the TextEncoder and Buffer jose.base64url taint steps to a local query taint step 2024-07-01 12:11:53 +02:00
am0o0
60aa711005 implement TextEncoderStep taint step with globalVarRef predicate 2024-07-01 11:59:05 +02:00
am0o0
65fdb8ccce move jose SharedTaintStep to a local taint step, add more additional steps with test cases, update test cases and expected test results 2024-07-01 11:38:17 +02:00
Asger F
1d267efb6b JS: Fix missing qldoc 2024-06-28 14:30:56 +02:00
Asger F
1c730bc66e JS: Fix compilation error in DataFlowImplConsistency.qll 2024-06-27 12:47:15 +02:00
Asger F
df0488a470 Ensure Member tokens from flow summaries are seen in PropertyName 2024-06-27 10:22:14 +02:00
Asger F
c52a4b0621 JS: Provide RenderSummarizedCallable 2024-06-27 09:44:45 +02:00
Asger F
e53c0cdce7 Fix unknown Parameter/Argument decoding 2024-06-27 09:39:06 +02:00
Asger F
88edc06517 Avoid bad join in compatibleTypesCached 
This is identical to the code in Ruby and seems to prevent a bad join ordering
in a cached version of this predicate in DataFlowCommon
 2024-06-26 13:51:41 +02:00
Asger F
fc7c2c5b17 Remove unused code 2024-06-26 13:51:40 +02:00
Asger F
e67e89dd70 Implement decodeUnknownArgument/ParameterPosition 2024-06-26 13:51:39 +02:00
Asger F
3bebd709b3 Handle AnyMemberDeep and ArrayElementDeep in encodeContent 2024-06-26 13:51:38 +02:00
Asger F
6c0c67dce4 Implement encodeWith/WithoutContent 2024-06-26 13:51:37 +02:00
Asger F
b0ea81276b Implement encodeReturn 2024-06-26 13:51:36 +02:00
Asger F
5811a3c5a6 Port getMadStringFromContentSet -> encodeContent 2024-06-26 13:51:35 +02:00
Asger F
8c4e5e8876 Boilerplate implementation of default predicates from FlowSummaryImpl.qll 2024-06-26 13:51:34 +02:00
Asger F
6b35a766a6 Migrate to shared FlowSummary library 2024-06-25 14:43:29 +02:00
Asger F
dd7aff555d Instantiate shared FlowSummary library 2024-06-25 13:35:49 +02:00
Asger F
f0d7c3a7f0 Remove bindingsets 2024-06-25 13:33:06 +02:00
Asger F
6e32f27652 Rename predicates to be consistent with qlpack 
In preparation for migrating to the FlowSummary module in the qlpack,
rename predicates to be consistent with the qlpack.
 2024-06-25 13:30:33 +02:00
Asger F
6c8fb61f60 Js: Update FlowSummaryImpl.qll to make things compile 2024-06-25 13:10:24 +02:00
Asger F
64a9598b89 JS: Update interface for isUnreachableInCall 2024-06-25 13:01:23 +02:00
Asger F
505c532af7 JS: Implement totalorder() 2024-06-25 12:58:35 +02:00
Asger F
102ca77acf Switch to getLocation() in DataFlowCall 2024-06-25 11:49:19 +02:00
Asger F
ecf418b8f6 Merge branch 'main' into js/shared-dataflow 2024-06-25 11:48:41 +02:00
Asger F
f43a189f06 JS: Make CaptureNode.toString() more explicit 2024-06-25 09:56:39 +02:00
aegilops
252c9e9416 Added data extension to set defaults, updated help, added README to explain customization 2024-06-19 17:27:17 +01:00
Rasmus Wriedt Larsen
3f2befc3e5 JS: Support spread arguments in array.splice 2024-06-14 15:33:17 +02:00
Rasmus Wriedt Larsen
ec18786488 JS: Provide better model for Array.splice 2024-06-12 16:29:21 +02:00
Rasmus Wriedt Larsen
1027ca266d JS: Allow many Array steps to be used in type-tracking 2024-06-12 16:14:13 +02:00
Anders Schack-Mulligen
0c47203580 Javascript: Add support for pretty-printed provenace in tests. 2024-06-07 11:47:49 +02:00
am0o0
ee05ec0386 remove sanitnzer and add a where condition instead 
use a simpler where condition(the former sanitizer) for overcoming performance problems
 2024-06-06 14:16:41 +02:00
am0o0
61a11c6512 Or to or in docs 2024-06-06 14:10:15 +02:00
am0o0
c2f96a1352 fix a document 2024-05-25 19:35:20 +02:00
Am
2226f5126b Merge branch 'main' into amammad-js-hardcodedJWTKey 2024-05-25 13:40:46 +03:30
am0o0
c299b5657a Revert "stash" 
This reverts commit bdee99ae88.
 2024-05-25 12:03:00 +02:00
Asger F
3b211089d6 JS: Remove redundant import 2024-05-21 14:40:17 +02:00
Asger F
43abc72780 JS: Add TypeModel.isTypeUsed 
f
 2024-05-21 14:19:56 +02:00
Joe Farebrother
01a6c5e82f Merge pull request #16446 from joefarebrother/shared-sensitive-heuristics 
Ruby/Python/JS/Swift: Add category of Private information to shared sensitive data heuristics
 2024-05-21 09:07:13 +01:00
Erik Krogh Kristensen
03cf9b702c Merge pull request #14291 from am0o0/amammad-js-CodeInjection_Shelljs 
JS: Shelljs improvement
 2024-05-17 11:14:11 +02:00
am0o0
42a9962519 make shellJSMember predicate private, improve predicate document 2024-05-16 14:05:06 +02:00