6276 Commits

Author	SHA1	Message	Date
Esben Sparre Andreasen	15123da0b7	JS: minor fixup: only traverse LogNotExprs	2018-11-13 08:19:38 +01:00
Esben Sparre Andreasen	8ea9fd4cca	JS: address review comments	2018-11-13 08:19:38 +01:00
Esben Sparre Andreasen	7d4cf49545	JS: fixup double reporting of alerts	2018-11-13 08:19:38 +01:00
Esben Sparre Andreasen	f440c9221a	JS: replace some Expr.stripParens with Expr.getUnderlyingValue	2018-11-13 08:19:38 +01:00
Esben Sparre Andreasen	358e6188d9	JS: downgrade other alerts to js/useless-defensive-code	2018-11-13 08:19:38 +01:00
Esben Sparre Andreasen	e29c57a58e	JS: add whitelist to js/useless-defensive-code	2018-11-13 08:19:38 +01:00
Esben Sparre Andreasen	b073fcfca2	JS: add query: js/useless-defensive-code	2018-11-13 08:19:38 +01:00
Esben Sparre Andreasen	7b215ecb2b	JS: recognize defensive programming patterns using typeof	2018-11-13 08:19:38 +01:00
Esben Sparre Andreasen	c403416fef	JS: recognize defensive expressions that prevents exceptions	2018-11-13 08:19:38 +01:00
Esben Sparre Andreasen	6e77489a3b	JS: add utilities for expression guards to DefensiveProgramming.qll	2018-11-13 08:19:38 +01:00
Esben Sparre Andreasen	a2ecf40878	JS: recognize defensive expressions for null/undefined	2018-11-13 08:19:38 +01:00
Esben Sparre Andreasen	2b6ef24bc2	JS: add utilities to DefensiveProgramming.qll	2018-11-13 08:19:38 +01:00
Esben Sparre Andreasen	8086e88587	JS: add utilities to DefensiveProgramming.qll	2018-11-13 08:19:38 +01:00
Esben Sparre Andreasen	a5eeba3c3a	JS: prepare DefensiveProgramming.qll for additions	2018-11-13 08:19:38 +01:00
Esben Sparre Andreasen	c2fb14640e	JS: move isDefensiveInit to DefensiveProgramming.qll	2018-11-13 08:19:38 +01:00
Esben Sparre Andreasen	ce0dd241f6	JS: add models of $.ajax, $.getJSON and XMLHttpRequst	2018-11-13 08:14:51 +01:00
Max Schaefer	663bdd60a0	Merge pull request #396 from esben-semmle/js/unconditional-property-override ... JS: add query: js/unconditional-property-override	2018-11-12 17:10:32 +00:00
Aditya Sharad	271628c280	Version: Bump to 1.18.3 dev.	2018-11-12 14:55:26 +00:00
Jonas Jensen	1500237009	Merge remote-tracking branch 'upstream/master' into mergeback-20181112	2018-11-12 13:24:27 +01:00
Esben Sparre Andreasen	eaad84bb4f	JS: add support for dis- and conjunctions in SanitizingFunction	2018-11-12 10:23:52 +01:00
Esben Sparre Andreasen	6d0c93b6a8	JS: introduce TaintTracking::AdditionalSanitizingCall	2018-11-12 10:21:39 +01:00
Esben Sparre Andreasen	2033bf81cc	JS: address docstring review comments	2018-11-12 10:03:08 +01:00
semmle-qlci	c9d77a2d6d	Merge pull request #443 from xiemaisi/js/improve-stack-trace-exposure ... Approved by asger-semmle	2018-11-12 08:40:26 +00:00
Aditya Sharad	761e5efd60	Merge master into next. ... JavaScript semantic conflicts fixed by referring to the `LegacyLanguage` enum. C++ conflicts fixed by accepting Qltest output.	2018-11-09 18:49:35 +00:00
Max Schaefer	fa8736adbc	JavaScript: Introduce aliases for compatibility with other language libraries.	2018-11-09 11:27:14 +00:00
Max Schaefer	bdfe938d02	JavaScript: Improve StackTraceExposure query. ... It now also flags exposure of the entire exception object (not just the `stack` property).	2018-11-09 09:42:09 +00:00
semmle-qlci	a7290e5aeb	Merge pull request #434 from esben-semmle/js/type-confusion-with-taint-kinds ... Approved by asger-semmle	2018-11-09 08:25:55 +00:00
semmle-qlci	c19747803b	Merge pull request #425 from xiemaisi/js/lodash-recognition-extensible ... Approved by esben-semmle	2018-11-09 08:08:40 +00:00
Esben Sparre Andreasen	ca215391b4	JS: substitute Assignment for DataFlow::PropWrite	2018-11-08 13:23:19 +01:00
Esben Sparre Andreasen	b7f424df41	JS: introduce DataFlow::PropWrite::getWriteNode	2018-11-08 13:23:19 +01:00
Esben Sparre Andreasen	d813a7cad2	JS: push negation	2018-11-08 13:23:19 +01:00
Esben Sparre Andreasen	470c241c82	JS: use range instead of ad hoc LT/GT	2018-11-08 13:23:19 +01:00
Esben Sparre Andreasen	1389009388	JS: naming and doc cleanups	2018-11-08 13:23:19 +01:00
Esben Sparre Andreasen	33a297c829	JS: add query: js/useless-assignment-to-property	2018-11-08 13:23:19 +01:00
Esben Sparre Andreasen	6ee47c437e	JS: generalize and move DeadStoreOfLocal.qhelp to DeadStore.qhelp	2018-11-08 13:23:19 +01:00
Esben Sparre Andreasen	cacb8fdee0	JS: move DeadStoreOfLocal::isDefaultInit to separate module	2018-11-08 13:23:19 +01:00
semmle-qlci	3c49bc6e67	Merge pull request #407 from asger-semmle/email-xss ... Approved by xiemaisi	2018-11-08 10:53:10 +00:00
semmle-qlci	29cabc0e09	Merge pull request #424 from esben-semmle/js/syntactic-nullOrUndefined ... Approved by asger-semmle	2018-11-08 10:52:44 +00:00
semmle-qlci	990c7e057f	Merge pull request #419 from xiemaisi/js/fix-mixed-whitespace ... Approved by esben-semmle	2018-11-07 23:47:48 +00:00
Aditya Sharad	ed49c623f1	Version: Bump to 1.18.2 release.	2018-11-07 14:36:40 +00:00
Asger F	e0d5557ef4	JS: add email HTML body as XSS sink	2018-11-07 11:31:40 +00:00
Esben Sparre Andreasen	f0343d0678	JS: use isUserControlledObject in js/type-confusion-through-parameter-tampering	2018-11-07 12:18:46 +01:00
Esben Sparre Andreasen	a2df4f9bfe	JS: mark Koa params as user-controlled objects	2018-11-07 12:18:46 +01:00
Aditya Sharad	194042348a	Eclipse plugins: Remove plugin metadata. ... This is only needed to build QL for Eclipse, and will be moved into the internal Semmle repository.	2018-11-07 11:01:05 +00:00
Max Schaefer	b058854964	JavaScript: Teach type inference about AMD imports.	2018-11-07 09:18:21 +00:00
Max Schaefer	22640f891e	JavaScript: Make lodash/underscore recognition extensible.	2018-11-07 09:02:17 +00:00
Esben Sparre Andreasen	e6a190c06e	JS: replace .stripParens query uses w. .getUnderlyingReference	2018-11-07 09:32:02 +01:00
Esben Sparre Andreasen	f04293f73c	JS: replace .stripParens library uses w. .getUnderlyingReference	2018-11-07 09:32:02 +01:00
Esben Sparre Andreasen	43e215c7af	JS: replace .stripParens query uses w. .getUnderlyingValue	2018-11-07 09:32:02 +01:00
Esben Sparre Andreasen	030d9202de	JS: replace .stripParens library uses w. .getUnderlyingValue	2018-11-07 09:32:02 +01:00