hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
17,999 Commits 1,671 Branches 157 Tags
query-help-tests-lgtm
Commit Graph

3856 Commits

Author SHA1 Message Date
Asger Feldthaus
961554eb6f JS: Autoformat 2020-09-04 10:42:26 +01:00
Erik Krogh Kristensen
b18f51806c regain the lost property presence result 2020-09-04 10:30:38 +02:00
Asger F
0704be4d41 Update javascript/ql/src/semmle/javascript/TypeScript.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2020-09-04 08:55:31 +01:00
Erik Krogh Kristensen
6fccf5aa70 use isLikelyIntentionalHtmlSink in the sink instead of in the where clause 2020-09-04 09:26:03 +02:00
CodeQL CI
58f51899c9 Merge pull request #4173 from erik-krogh/targetBlankFP 
Approved by esbena
 2020-09-04 08:21:22 +01:00
Max Schaefer
58702e4c52 JavaScript: Rename EntryPoint.getADef to getARhs. 2020-09-03 22:28:09 +01:00
Max Schaefer
985399f4cf JavaScript: Move ApiGraphs library to semmle.javascript and import it from javascript.qll. 2020-09-03 22:28:09 +01:00
Max Schaefer
aaa70e4ad3 JavaScript: Make API-graph edge labels accessible outside ApiGraphs.qll. 2020-09-03 22:28:09 +01:00
Max Schaefer
7239f1fb6f JavaScript: Distinguish more carefully between def and use nodes in API graphs. 
In particular, we now have two different kinds of module features: module definitions and module uses.

For the most part, `API::Definition`s correspond to right-hand sides in the data-flow graph, and `API::Use`s correspond to references. However, module definitions can have references (via the CommonJS `module` variable), and so can their exports (via `module.exports` or `exports`). Note that this is different from references to uses of the module, which are simply imports.
 2020-09-03 22:28:09 +01:00
CodeQL CI
f180497554 Merge pull request #4192 from max-schaefer/js/ssa__implicitinit 
Approved by asgerf
 2020-09-03 16:46:56 +01:00
Max Schaefer
d8fbf60cbf JavaScript: Weaken a few types to stay under BDD node limit. 
`SourceNode` in cached layers seems particularly problematic.
 2020-09-03 14:29:04 +01:00
Max Schaefer
e77948103f JavaScript: Remove AdditionalFeature from ApiGraphs. 
I ended up not using it for flow summaries, so at this point it is purely speculative generality. We can reintroduce it later if we need to.
 2020-09-03 14:29:04 +01:00
Max Schaefer
924ef6ae5d Apply suggestions from code review 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2020-09-03 14:04:23 +01:00
Asger Feldthaus
bfcc434a61 JS: Use both local and global names in hasQualifiedName 2020-09-03 14:01:13 +01:00
Asger Feldthaus
f7552a77c3 JS: Add metric for number of types with qualified names 2020-09-03 14:01:13 +01:00
Erik Krogh Kristensen
ed54fdcb06 Merge pull request #4118 from dellalibera/js/ldap 
[javascript] CodeQL to detect LDAP Injection
 2020-09-03 14:50:03 +02:00
Alessio Della Libera
116e7d006d Update javascript/ql/src/experimental/Security/CWE-090/LdapInjection.qhelp 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2020-09-03 10:32:18 +02:00
Alessio Della Libera
bfae0ef5d5 Update javascript/ql/src/experimental/Security/CWE-090/LdapInjection.qhelp 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2020-09-03 10:32:08 +02:00
CodeQL CI
2ba84be565 Merge pull request #4185 from erik-krogh/unusedArrDestruct 
Approved by esbena
 2020-09-03 09:18:15 +01:00
Erik Krogh Kristensen
1f9749fbfe revert mailto: change in TargetBlank.ql 2020-09-03 09:39:01 +02:00
Erik Krogh Kristensen
d7a96d685a simplify implementation of getDelimiterMatchingRegexp 2020-09-03 09:37:43 +02:00
Erik Krogh Kristensen
ec21236bba update docstring for isNonLastDestructedArrayElement 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2020-09-03 08:51:10 +02:00
Erik Krogh Kristensen
fb3148a7a8 autoformat 2020-09-03 08:17:08 +02:00
Max Schaefer
ec3c1f114c JavaScript: Simplify steps through promises. 2020-09-02 21:40:34 +01:00
Max Schaefer
702192c316 JavaScript: Make implicit inits of module and exports source nodes. 
This is instead of making every access to those variables source nodes, and fixes a regression in `DeadStoreOfProperty`.
 2020-09-02 19:52:13 +01:00
Max Schaefer
9840a7ddfb JavaScript: Add utility predicate SSA::implicitInit. 2020-09-02 19:46:59 +01:00
Max Schaefer
df49818152 JavaScript: Address review comments. 2020-09-02 19:45:27 +01:00
Max Schaefer
82d92dc726 JavaScript: Avoid bad join order. 
The optimiser decided that it would be a great idea to start the pipeline with `getReturn().getAUse().(DataFlow::InvokeNode)`. It's not.
 2020-09-02 17:42:33 +01:00
Max Schaefer
500f7bd8fa JavaScript: Reduce complexity of SystemCommandExecutors charpred. 2020-09-02 17:42:32 +01:00
Max Schaefer
e3a9906071 JavaScript: Switch MissingRateLimiting.qll to API graphs. 
The added test shows how this helps us avoid false positives.
 2020-09-02 17:35:47 +01:00
Max Schaefer
e34a821cc6 JavaScript: Switch system-command executor modelling from source nodes to API graphs. 2020-09-02 17:35:47 +01:00
Max Schaefer
68b3ccdc65 JavaScript: Switch SQL modelling from source nodes to API graphs. 2020-09-02 17:35:47 +01:00
Max Schaefer
f3e9104be4 JavaScript: Add implementation of API graphs. 2020-09-02 17:35:47 +01:00
Arthur Baars
90f013d74f Merge pull request #4176 from aibaars/missing-qhelp 
Add missing QHelp files
 2020-09-02 16:12:42 +02:00
Asger F
2c0e9f0c86 Merge pull request #4186 from github/rc/1.25 
Mergeback: 1.25 -> main
 2020-09-02 15:12:25 +01:00
Max Schaefer
cd64ce7b1a JavaScript: Add utility predicate SSA::implicitInit. 2020-09-02 14:34:52 +01:00
CodeQL CI
c017308505 Merge pull request #4134 from erik-krogh/genCalls 
Approved by asgerf
 2020-09-02 14:23:39 +01:00
Alessio Della Libera
785f335ab8 Update javascript/ql/src/experimental/Security/CWE-090/LdapInjectionCustomizations.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2020-09-02 15:22:33 +02:00
Alessio Della Libera
548cb65a64 Update javascript/ql/src/experimental/Security/CWE-090/LdapInjectionCustomizations.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2020-09-02 15:22:23 +02:00
Alessio Della Libera
26046a4847 Update javascript/ql/src/experimental/Security/CWE-090/LdapInjectionCustomizations.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2020-09-02 15:22:07 +02:00
Alessio Della Libera
6ad88bf93f Update javascript/ql/src/experimental/Security/CWE-090/LdapInjection.ql 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2020-09-02 15:21:55 +02:00
Erik Krogh Kristensen
a24db09418 only flag unused array-destructs if it is the last variable 2020-09-02 11:40:35 +02:00
CodeQL CI
48a1ee6233 Merge pull request #4130 from erik-krogh/bbFix 
Approved by asgerf
 2020-09-02 10:38:50 +01:00
Erik Krogh Kristensen
f0a0f41c3c allow urls that are prefixed with # or ? in js/unsafe-external-link 2020-09-02 10:19:42 +02:00
ubuntu
042d07161c Rename getQueryCall to getQueryCallSink 2020-09-01 22:43:31 +02:00
ubuntu
15562e4814 Update LdapjsSearchOptions 2020-09-01 22:28:58 +02:00
ubuntu
e2e55455c1 Update LdapjsSearchOptions and getQueryCall 2020-09-01 22:23:07 +02:00
Alessio Della Libera
8f00acd4e2 Update javascript/ql/src/experimental/Security/CWE-090/Ldapjs.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2020-09-01 21:00:49 +02:00
Alessio Della Libera
78ebcee570 Update javascript/ql/src/experimental/Security/CWE-090/Ldapjs.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2020-09-01 21:00:38 +02:00
Alessio Della Libera
b86b9ba510 Update javascript/ql/src/experimental/Security/CWE-090/LdapInjectionCustomizations.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2020-09-01 21:00:21 +02:00