hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
81,482 Commits 1,671 Branches 157 Tags
move-cors-query-from-experimental2
Commit Graph

2635 Commits

Author SHA1 Message Date
Asger F
69b2d197e6 JS: Move an alert and add RelatedLocations 2025-02-28 13:28:48 +01:00
Asger F
360c76514c JS: Accept some suboptimal alert locations 
Not perfect alert locations, but not important enough to fix right now
 2025-02-28 13:28:47 +01:00
Asger F
dbc079c880 JS: Accept a spurious alert 
Unlike the previous case 'isLocalUrl' actually resolves to a function in this case, but we don't recognise the sanitiser used in it. Fixing it is out of scope for this PR.
 2025-02-28 13:28:46 +01:00
Asger F
29659647ea JS: Fix barrier guards for ServerSideUrlRedirect 
The barrier guards for ServerSideUrlRedirect were lost when it was ported to ConfigSig, and the aforementioned spurious alert was a result of that.

The query had two guards: a proper barrier guard and a heuristic one for functions named 'isLocalURL'. We should move away from the heuristic name-based sanitiser guards, so I'm only reinstating the proper barrier guard.

Therefore updating the test to test the real barrier guard.
 2025-02-28 13:28:43 +01:00
Asger F
38be524b6a JS: Temporarily accept a spurious alert 
This was due to a bug that will be fixed in the following commit
 2025-02-28 13:28:41 +01:00
Asger F
7c2394fab4 JS: Accept some alerts 2025-02-28 13:28:40 +01:00
Asger F
b734a3d804 JS: Fix a test case bug due to a typo 
We got a missing result on that line
 2025-02-28 13:28:39 +01:00
Asger F
1ee93cf51b JS: Manually fix two comments in JSX 2025-02-28 13:28:37 +01:00
Asger F
0f23c33d3c JS: Fix a comment 
Apparently this comment used to say 'NOT OK' but clearly 'OK' was meant
 2025-02-28 13:28:36 +01:00
Asger F
cd788bc509 JS: Mark what seems to be missing alerts for fflate 
The query doesn't seem to model or even mention fflate. Not sure if the library is safe or just not modeled.
 2025-02-28 13:28:35 +01:00
Asger F
3f7f74b925 JS: Accept alerts for DecompressionBomb 2025-02-28 13:28:33 +01:00
Asger F
48760d66b2 JS: Accept alerts for HardcodedDataInterpretedAsCode 2025-02-28 13:28:32 +01:00
Asger F
260c66b3cf JS: Mark a spurious alert in missing-x-frame-options 2025-02-28 13:28:30 +01:00
Asger F
cea53371f2 JS: Accept alerts for missing-x-frame-options 2025-02-28 13:28:29 +01:00
Asger F
cded75766f JS: Add a query ID 2025-02-28 13:28:28 +01:00
Asger F
a0f8e28790 JS: Accept a fixed FN 2025-02-28 13:28:27 +01:00
Asger F
1fcebcec87 JS: Move some ReDoS alerts 2025-02-28 13:28:25 +01:00
Asger F
266ac09637 JS: Add query iDs 2025-02-28 13:28:24 +01:00
Asger F
082e16b3d3 JS: More Alert comments in ReDoS/tst.js based on variable naming 
Again just trying to translate the original intent behind the test, without taking actual query results into account
 2025-02-28 13:28:23 +01:00
Asger F
607b184a7f JS: Fix a bug in test case 2025-02-28 13:28:22 +01:00
Asger F
51fb3dad74 JS: Accept ReDoS alerts in regexplib 2025-02-28 13:28:21 +01:00
Asger F
d298d8740f JS: Accept some exponenital redos alerts in the polynomial redos test suite 2025-02-28 13:28:19 +01:00
Asger F
283b14207d JS: Accept some ReDoS alerts 2025-02-28 13:28:18 +01:00
Asger F
92c3939457 JS: Accept InsecureRandomness alerts 2025-02-28 13:28:17 +01:00
Asger F
0f8e85fa2f JS: Accept alerts for InsufficientKeySize 2025-02-28 13:28:15 +01:00
Asger F
fc95702341 JS: Accept some more alerts from CleartextStorage 2025-02-28 13:28:14 +01:00
Asger F
51b45598c4 JS: Move an alert and add query ID 2025-02-28 13:28:13 +01:00
Asger F
e91a046a17 JS: Mark a spurious alert 2025-02-28 13:28:12 +01:00
Asger F
b54ff3b5b3 JS: Accept an alert 2025-02-28 13:28:10 +01:00
Asger F
576dbcb020 JS: Stop overriding entire module.exports object in test 
Doing `module.exports = blah` prevents other exports from being seen as library inputs.
 2025-02-28 13:28:09 +01:00
Asger F
f72cd21a55 JS: Some more test changes in SpuriousArguments 2025-02-28 13:28:08 +01:00
Asger F
d3de6d18a4 JS: Accept other changes to UnusedVariable 2025-02-28 13:28:07 +01:00
Asger F
e745f42291 JS: Remove alert expectation from step 
This is just a step on the path, not a sink
 2025-02-28 13:28:06 +01:00
Asger F
319ee2ccd5 JS: Track deep flow through qs.stringify 2025-02-28 13:28:04 +01:00
Asger F
c593853710 JS: Record some missing alerts in FileAccessToHttp 2025-02-28 13:28:03 +01:00
Asger F
cf33db78cc JS: Fix the spurious flow 2025-02-28 13:28:02 +01:00
Asger F
c051b4c98d JS: Add spurious alert marker 2025-02-28 13:28:00 +01:00
Asger F
b095fe2a19 JS: Fix some bugs in a test case 
'args' was a redeclared block-level variable, and 'myArgs' was not used when clearly intended to be used
 2025-02-28 13:27:59 +01:00
Asger F
22c218d665 JS: Mark a 'good' test as 'bad' and add Alert marker 
The lack of whitespace around '&&' is problematic
 2025-02-28 13:27:58 +01:00
Asger F
a9b263f465 JS: Remove incorrect alert expectation 
This is not flagged and AFAICT it shouldn't be
 2025-02-28 13:27:57 +01:00
Asger F
287753187e JS: Remove invalid syntax from test 
TS decorators may not appear on functions and enums
 2025-02-28 13:27:56 +01:00
Asger F
426a871405 JS: Remove incorrect Alert marker 
This is expected, based on a comment earlier in the file about the 'y' variable
 2025-02-28 13:27:54 +01:00
Asger F
2c46e10678 JS: Mark an alert as missing 2025-02-28 13:27:53 +01:00
Asger F
e026b9e048 JS: Mark regressions due to lack of local field steps 2025-02-28 13:27:52 +01:00
Asger F
e5bee19b19 JS: Accept a double-flagged line 
This is flagged by two queries but for two separate issues. Seems valid to flag it twice.
 2025-02-28 13:27:51 +01:00
Asger F
68fae9ded8 JS: Accept alerts about newline replacement 2025-02-28 13:27:49 +01:00
Asger F
1f3c49638b JS: Accept some less obvious alerts 
These are listed in a function called 'good' but it's difficult to say in isolation whether they should be flagged or not. Accepting the changes as they seem reasonable.
 2025-02-28 13:27:48 +01:00
Asger F
f395651807 JS: Mark alert as MISSING 
See https://github.com/github/codeql-javascript-team/issues/447
 2025-02-28 13:27:47 +01:00
Asger F
07a876b4e9 JS: Accept some alerts at the SystemCommandExecution location 2025-02-28 13:27:46 +01:00
Asger F
10a7294327 JS: Accept trivial test changes 
This adds Alert annotations for alerts that seem intentional by the test
but has not been annotated with 'NOT OK', or the comment was in the wrong
place.

In a few cases I included 'Source' expectations to make it easier to see
what happened. Other 'Source' expectations will be added in bulk a later
commit.
 2025-02-28 13:27:43 +01:00