hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,347 Commits 1,672 Branches 157 Tags
hmac/command-injection-from-library-inputs
Commit Graph

7163 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
2d65aa17db recognize exported functions that use the arguments object 2021-10-27 20:35:37 +02:00
Erik Krogh Kristensen
78774233c7 add library input as source to js/prototype-polluting-assignment 2021-10-27 20:35:36 +02:00
Erik Krogh Kristensen
0372ccce02 simplify regexp 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2021-10-27 20:04:24 +02:00
Erik Krogh Kristensen
af64b319ee update documentation strings 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2021-10-27 19:54:52 +02:00
Erik Krogh Kristensen
71cca6d644 Merge branch 'main' into ldap 2021-10-27 19:06:06 +02:00
Erik Krogh Kristensen
2e912ee28e rename LDAP to Ldap 2021-10-27 19:05:56 +02:00
Erik Krogh Kristensen
c1ab49fe8a rename LDapFilterStep to TaintPreservingLDapFilterStep 2021-10-27 19:05:00 +02:00
Erik Krogh Kristensen
44afa34e37 Merge branch 'main' of github.com:github/codeql into htmlReg 2021-10-26 14:46:27 +02:00
CodeQL CI
e5e1046c81 Merge pull request #6962 from asgerf/js/template-db-constraint-err 
Approved by erik-krogh
 2021-10-26 13:43:57 +01:00
Erik Krogh Kristensen
8ba545999e add change-note 2021-10-26 14:13:56 +02:00
Anders Schack-Mulligen
90bebaa5a9 Merge pull request #6960 from erik-krogh/useSetLiteral 
use set literal instead of big disjunction of literals
 2021-10-26 14:06:05 +02:00
Erik Krogh Kristensen
090fb2df10 Merge pull request #6857 from erik-krogh/fixPipes 
JS: skip pipes and other special files when determining which files to extract
 2021-10-26 13:59:40 +02:00
Erik Krogh Kristensen
9c8a51bca6 cache SensitiveExpr 2021-10-26 13:47:28 +02:00
Erik Krogh Kristensen
038438edca assume that setting the secure/httpOnly flag to some unknown value is good 2021-10-26 13:47:28 +02:00
Erik Krogh Kristensen
5228196f79 fix typos and update docs 2021-10-26 13:47:21 +02:00
Erik Krogh Kristensen
311df4d2b7 add test for the cookie npm package 2021-10-26 13:46:59 +02:00
Erik Krogh Kristensen
92d59aa11c refactor most of the isSensitive predicates into a common helper predicate 2021-10-26 13:46:59 +02:00
Erik Krogh Kristensen
834d5ec6ad add session{key,id} as sensitive info 2021-10-26 13:46:59 +02:00
Erik Krogh Kristensen
1e1e549847 update tests so it's clear which cookies are insecure 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
283b8231cb add more cookie models 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
2cb3d2c53f documentation overhaul on client-exposed-cookie (and restricting it to server-side) 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
ab23ffff3d documentation overhaul for clear-text-cookie 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
f36accf3e6 only report clear-text cookies for sensitive cookies 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
53b4337795 combine test files 2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen
9193984f1b delete the experimental query library for cookie queries 2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen
6858acc6a9 port experimental cookie models to non-experimental 2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen
26a24a3895 prepare move to non-experimental 2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen
44db920f10 refactor, cleanup, and improvements in experimental cookie queries 2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen
a3c55c2aec use set literal instead of big disjunction of literals 2021-10-26 12:55:25 +02:00
Erik Krogh Kristensen
dbd1148bd6 apply range pattern patch to javascript 2021-10-25 19:38:00 +02:00
Henry Mercer
7e0e35f364 Rename ATM query pack for consistency with other packs 2021-10-25 17:32:25 +01:00
CodeQL CI
b5554da496 Merge pull request #6924 from asgerf/js/skip-files-with-unsupported-encoding 
Approved by esbena
 2021-10-25 14:48:38 +01:00
Asger Feldthaus
bfb1da55d6 JS: Bump extractor version string 2021-10-25 11:49:56 +02:00
Asger Feldthaus
f3e2b0b946 JS: Avoid using non-existent attribute as parent 2021-10-25 11:49:56 +02:00
Asger Feldthaus
ac62379b17 JS: Add TRAP test 2021-10-25 11:49:39 +02:00
Henry Mercer
02b1fe27d2 Merge pull request #6907 from github/henrymercer/add-experimental-atm-libraries 
JS: [Internal only] Add experimental libraries and queries for adaptive threat modeling
 2021-10-22 11:02:09 +01:00
Asger Feldthaus
fa0ce5380b JS: Skip files with unsupported file encoding 2021-10-20 12:16:50 +02:00
Henry Mercer
548a344d34 JS: Implement suggestions from review 
Co-authored-by: Andrew Eisenberg <aeisenberg@github.com>
 2021-10-19 12:00:40 +01:00
Henry Mercer
4d7a8285ad JS: Initial commit of Adaptive Threat Modeling 2021-10-18 17:24:24 +01:00
Geoffrey White
a0e501c3a9 Sync identical files. 2021-10-15 14:34:02 +01:00
Geoffrey White
8f30b8b586 Autoformat. 2021-10-14 16:00:23 +01:00
Geoffrey White
f08d2ee759 Merge branch 'main' into setliterals 2021-10-14 14:39:39 +01:00
Geoffrey White
b9cce57db4 JS: Fix mistake. 2021-10-14 14:22:43 +01:00
Geoffrey White
882adc8e50 JS: Set literals. 2021-10-14 14:22:42 +01:00
Anders Schack-Mulligen
8b6baa250c Merge pull request #6878 from aschackmull/remove-singleton-setliteral 
C++/C#/Java/JavaScript/Python: Remove singleton set literals.
 2021-10-14 14:53:05 +02:00
Mathias Vorreiter Pedersen
47a85bbb1d Merge pull request #6869 from MathiasVP/fix-prefix/suffix-equality 
Java/JS/Python: Replace '.prefix'/'.suffix' with '.matches'
 2021-10-14 13:47:03 +01:00
Erik Krogh Kristensen
047aee313c add pragma[noinline] to predicates where the qldoc mentions join-order 2021-10-14 12:34:25 +02:00
Tom Hvitved
f5420333e2 Sync shared files 2021-10-14 11:49:02 +02:00
Anders Schack-Mulligen
57cb300759 C++/C#/Java/JavaScript/Python: Remove singleton set literals. 2021-10-14 11:34:22 +02:00
Mathias Vorreiter Pedersen
a2371370ff Merge pull request #6865 from MathiasVP/fix-if-none 
C++/C#/JS/Python: Replace 'if p() then q() else none()' with a conjunction
 2021-10-13 19:47:55 +01:00