7163 Commits

Author	SHA1	Message	Date
Stephan Brandauer	b170422c22	add changenotes for functionality from untrusted source query	2022-02-22 11:41:52 +01:00
Stephan Brandauer	6722c17bb0	JS: Functionality from untrusted sources query (CWE-830)	2022-02-22 11:41:52 +01:00
Asger Feldthaus	1be47db2e6	JS: Factor out more JS-specific code	2022-02-22 09:51:56 +01:00
Asger Feldthaus	2d509eb345	JS: Make Impl.qll determine the location of AccessPathSyntax.qll	2022-02-22 09:51:52 +01:00
Asger Feldthaus	42a3d8c689	JS: Treat Member[x] as a language-specific token ... In Ruby it is ambiguous whether Member[foo] means x.foo or x::foo	2022-02-22 09:51:52 +01:00
Asger Feldthaus	acf95d6178	JS: Move summary resolution into JS-specific code	2022-02-22 09:51:52 +01:00
Asger Feldthaus	ab1642dd3f	JS: Rename {Shared,Impl} -> ApiGraphModels{,Specific}	2022-02-22 09:51:48 +01:00
Erik Krogh Kristensen	e8df6a14ca	add lodash.{clone, cloneDeep} as a clone step	2022-02-21 22:27:29 +01:00
Henry Mercer	5a3daa9e3f	JS: Add CWE tags for ML-powered queries ... - Cross-site scripting: CWE-79 - Path injection: CWE-22, CWE-23, CWE-36, CWE-73, CWE-99 - NoSQL injection: CWE-943 - SQL injection: CWE-89	2022-02-21 16:18:33 +00:00
Henry Mercer	a89882c14e	JS: Update lockfiles for ML-powered queries packs	2022-02-21 16:03:05 +00:00
Asger Feldthaus	8194c041cc	JS: Merge sources to one class	2022-02-21 16:26:02 +01:00
Asger F	00ed72ed83	Apply suggestions from code review ... Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2022-02-21 16:24:50 +01:00
Henry Mercer	6fb9895367	JS: Separate the ML-powered queries model into its own pack ... This allows users to more easily get started with development. Running `codeql pack install` from the `-queries` pack will now install the ML model.	2022-02-21 15:05:57 +00:00
Tom Bolton	0108642464	Merge pull request #8148 from github/tombolton/modify-counting-query ... Update counting query to match end-to-end results	2022-02-21 15:02:43 +00:00
tombolton	e02319be9f	add end to end predicate to result counting query	2022-02-21 14:35:58 +00:00
Erik Krogh Kristensen	1407b49a8f	fix some instances of ql/pred-doc-style for JS	2022-02-21 15:02:21 +01:00
Asger F	02c4966109	Merge pull request #7878 from asgerf/dot-separated-access-paths ... Shared: Switch to dot-separated access paths in summary specs	2022-02-21 13:29:09 +01:00
Esben Sparre Andreasen	1d437dd722	Merge pull request #8043 from github/esbena/sharpen-hardcoded-credentials ... JS: Sharpen hardcoded credentials	2022-02-21 10:02:58 +01:00
Erik Krogh Kristensen	5f9bd7a4a1	Merge pull request #7984 from erik-krogh/fix-ql-for-ql-js ... JS: fix most ql-for-ql warnings	2022-02-21 09:15:06 +01:00
Asger Feldthaus	d7f07167ac	Shared: Remove getLastToken again	2022-02-21 08:21:53 +01:00
Asger Feldthaus	2c2a82a070	Shared: allow spaces between arguments in a token	2022-02-21 08:21:53 +01:00
Asger Feldthaus	7fcbdbeada	Shared: sync AccessPathSyntax.qll and FlowSummaryImpl.qll	2022-02-21 08:21:52 +01:00
Asger Feldthaus	2907d53e17	Shared: sync AccessPathSyntax.qll and FlowSummaryImpl.qll	2022-02-21 08:21:52 +01:00
Asger Feldthaus	c189df2341	Revert "JS: Add support for " of " syntax to help during transition" ... This reverts commit 9bf522b3048c3b11f7e6d734ed797a613614a095.	2022-02-21 08:21:51 +01:00
Asger Feldthaus	753c557dbe	Java: use AccessPathSyntax.qll to parse input/output summary specs	2022-02-21 08:16:54 +01:00
Asger Feldthaus	53935db6c6	JS: Add support for " of " syntax to help during transition	2022-02-21 08:16:54 +01:00
Asger Feldthaus	30254686d8	JS: Move ".."-parsing trick into AccessPathSyntax.qll	2022-02-21 08:16:54 +01:00
Asger Feldthaus	7c2cff3227	JS: Factor out AccessPathSyntax.qll	2022-02-21 08:16:54 +01:00
Asger Feldthaus	e2cbf47b16	JS: Fix accidental recursion	2022-02-21 08:16:53 +01:00
Asger Feldthaus	69995d5750	Shared: rephrase request forgery name and description	2022-02-17 09:07:08 +01:00
Asger Feldthaus	51442ddf47	JS: Add change note	2022-02-17 09:07:08 +01:00
Asger Feldthaus	3496ae131b	JS: Factor out <recommendation> part of qhelp	2022-02-17 09:07:08 +01:00
Asger Feldthaus	8ac0ec8dfc	JS: Write help for ClientSideRequestForgery	2022-02-16 18:33:31 +01:00
Asger Feldthaus	91c64152d2	JS: Rephrase the qhelp for SSRF query	2022-02-16 13:35:01 +01:00
Asger Feldthaus	cf66d01e80	JS: Add consistency test	2022-02-16 13:35:01 +01:00
Asger Feldthaus	3103cfd925	JS: Rename to tests to clientSide.js and serverSide.js	2022-02-16 13:35:01 +01:00
Asger Feldthaus	3fbc3a4d70	JS: Add ClientSideRequestForgery to RequestForgery test	2022-02-16 13:35:01 +01:00
Asger Feldthaus	260638c68b	JS: Add ClientSideRequestForgery and split request-forgery results between the two	2022-02-16 13:35:01 +01:00
Esben Sparre Andreasen	f08a140505	update tests for password patterns	2022-02-16 13:22:19 +01:00
Esben Sparre Andreasen	816d79692b	ignore deliberately hardcoded password strings	2022-02-16 09:47:01 +01:00
Esben Sparre Andreasen	78744a0182	add additional tests	2022-02-16 09:44:56 +01:00
Esben Sparre Andreasen	e67c09f9ab	change example passwords in test	2022-02-16 08:56:00 +01:00
Arthur Baars	ebb87c4b36	Merge pull request #7975 from github/post-release-prep/codeql-cli-2.8.1 ... Post-release preparation for codeql-cli-2.8.1	2022-02-15 20:17:35 +01:00
CodeQL CI	8f8621f82c	Merge pull request #8022 from asgerf/js/url-parse-qs ... Approved by esbena	2022-02-15 09:34:21 +01:00
Asger Feldthaus	8b55a24e7c	JS: Add url-parse.qs as an alias for the querystringify library	2022-02-14 15:29:50 +01:00
Asger Feldthaus	f7108506f2	JS: Raise precision tag of js/request-forgery	2022-02-14 14:20:41 +01:00
Chuan-kai Lin	9b4dbb9dd8	Merge pull request #7895 from github/cklin/upgrades-initial-dbscheme ... Upgrade scripts testing: set initial dbschemes	2022-02-11 11:06:12 -08:00
Erik Krogh Kristensen	a1c5724be7	fix most ql-for-ql warnings in JS	2022-02-11 17:57:37 +01:00
github-actions[bot]	21bf29353f	Post-release preparation for codeql-cli-2.8.1	2022-02-11 11:07:31 +00:00
Taus	327e0dad72	Merge pull request #7674 from erik-krogh/dbTypeInNonLib ... QL: Use of db-type outside language core.	2022-02-11 12:00:14 +01:00