6371 Commits

Author	SHA1	Message	Date
Alessio Della Libera	67fccac8a9	Update javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.qll ... Co-authored-by: Esben Sparre Andreasen <esbena@github.com>	2020-08-16 14:13:03 +02:00
Erik Krogh Kristensen	15a74493e0	more permissive path elements in js/incomplete-url-substring-sanitization	2020-08-13 11:46:13 +02:00
Erik Krogh Kristensen	fd9eb1d40b	use Identifier instead of just a plain string when getting tuple-element-names	2020-08-12 16:55:55 +02:00
CodeQL CI	66541f260b	Merge pull request #4012 from erik-krogh/getId ... Approved by asgerf, esbena	2020-08-12 13:28:18 +01:00
Erik Krogh Kristensen	1d111c3e1f	expand what urls are detected by js/incomplete-url-substring-sanitization	2020-08-12 14:25:35 +02:00
Erik Krogh Kristensen	26dcd2faae	add support for getting the name from named tuple elements	2020-08-12 10:33:49 +02:00
Erik Krogh Kristensen	b101305248	autoformat	2020-08-12 09:27:43 +02:00
Erik Krogh Kristensen	e1ecc4662c	fix typo ... Co-authored-by: Asger F <asgerf@github.com>	2020-08-11 20:00:22 +02:00
Erik Krogh Kristensen	656ff9c441	autoformat	2020-08-11 15:40:30 +02:00
Erik Krogh Kristensen	a1394c363a	more consistent naming of predicates	2020-08-11 14:49:51 +02:00
Erik Krogh Kristensen	2974c4923f	introduce and use isAPropertyWrite	2020-08-11 14:43:25 +02:00
Erik Krogh Kristensen	8f6721e087	add explanation for purity-check in getANodeAfterWrite/getANodeBeforeWrite and move them into an internal module	2020-08-11 14:40:13 +02:00
Erik Krogh Kristensen	9e768375ce	mention purity check in docstring for maybeAssignsAccessedPropInBlock	2020-08-11 14:40:02 +02:00
Erik Krogh Kristensen	374b1b7b97	apply manual magic in both cases in maybeAssignsAccessedPropInBlock	2020-08-11 14:24:49 +02:00
Erik Krogh Kristensen	d2c87d0a2e	add support for the new assign expression in TypeScript 4	2020-08-11 13:57:11 +02:00
intrigus-lgtm	5a3acc231e	Fix typo	2020-08-11 01:01:53 +02:00
Erik Krogh Kristensen	dc5167bbe7	autoformat	2020-08-10 11:52:45 +00:00
Erik Krogh Kristensen	34778578db	fill in docstring	2020-08-10 13:34:36 +02:00
Erik Krogh Kristensen	9bcac10d9e	summarize exceptions thrown by immidiatly awaited function calls	2020-08-10 13:28:25 +02:00
Erik Krogh Kristensen	85de5aa16b	add deprecated modifier ... Co-authored-by: Asger F <asgerf@github.com>	2020-08-10 10:51:21 +02:00
Erik Krogh Kristensen	410b696562	add deprecated aliases getId() forwarding to getIdentifier()	2020-08-10 09:11:38 +02:00
CodeQL CI	7c4e10df17	Merge pull request #4014 from erik-krogh/stringify ... Approved by esbena	2020-08-10 07:50:21 +01:00
Erik Krogh Kristensen	244052f419	autoformat	2020-08-08 21:20:20 +02:00
Erik Krogh Kristensen	2680afcdc9	deduplicate some implementation in storeStep and loadStep	2020-08-07 19:16:28 +02:00
Erik Krogh Kristensen	54fd7d97c0	share implementation instead of copy-pasting	2020-08-07 18:00:10 +02:00
Erik Krogh Kristensen	94cf3a8ddb	correct copy-paste note after refactorings	2020-08-07 17:48:55 +02:00
Erik Krogh Kristensen	0edb46c20d	improve precision for load/store steps with async functions	2020-08-07 17:39:59 +02:00
Erik Krogh Kristensen	26ef2f34da	add precise return-flow for async functions	2020-08-07 17:33:26 +02:00
Erik Krogh Kristensen	cc94c5ec60	remove imprecise return-flow from async functions	2020-08-07 17:33:24 +02:00
Erik Krogh Kristensen	0004c28fe8	introduce and use FunctionReturnNode	2020-08-07 17:32:25 +02:00
Erik Krogh Kristensen	f1dc36244c	update tests and queries that used getId()	2020-08-05 14:32:09 +00:00
Erik Krogh Kristensen	cc5ef4d5e1	rename JsonSerializeCall to JsonStringifyCall	2020-08-05 13:22:41 +02:00
Erik Krogh Kristensen	5a3f67a682	introduce model for JSON.stringify and similar libraries	2020-08-05 12:14:51 +02:00
Erik Krogh Kristensen	67c4320287	make JumpStmt non abstract	2020-08-05 10:03:46 +02:00
Erik Krogh Kristensen	016bdc1614	make ControlStmt non abstract	2020-08-05 09:59:30 +02:00
Erik Krogh Kristensen	5727e6f9f8	make CompoundAssignExpr non-abstract	2020-08-04 16:17:08 +02:00
Erik Krogh Kristensen	cf3f275aa1	make DestructuringPattern non-abstract	2020-08-04 16:02:32 +02:00
Erik Krogh Kristensen	0867c5567e	rename getId() to getIdentifier()	2020-08-04 13:22:19 +02:00
Erik Krogh Kristensen	eccfade928	rewrite parts of the DeadStoreOfProperty query	2020-08-04 10:25:05 +02:00
Erik Krogh Kristensen	e629e6bbb0	changes based on review	2020-08-04 10:25:05 +02:00
Erik Krogh Kristensen	8131618382	revert making rankedAccessPath private	2020-08-04 10:25:05 +02:00
Erik Krogh Kristensen	97aa3cc8a3	rewrite DeadStoreOfProperty to improve worst-case complexity	2020-08-04 10:25:05 +02:00
CodeQL CI	8855ab8c8c	Merge pull request #3835 from Raz0r/js/xss-protocol-sinks ... Approved by erik-krogh	2020-08-03 15:40:05 +01:00
CodeQL CI	a4f8b19ae4	Merge pull request #3876 from erik-krogh/CWE078-Correctness ... Approved by esbena	2020-08-03 15:38:51 +01:00
CodeQL CI	c8e5db189a	Merge pull request #3913 from erik-krogh/topmost ... Approved by asgerf	2020-08-03 13:18:22 +01:00
CodeQL CI	0bbdc70cdb	Merge pull request #3864 from erik-krogh/exprString ... Approved by asgerf, esbena	2020-08-03 09:25:17 +01:00
Arthur Baars	7e72ef350e	Merge pull request #3975 from aibaars/lgtm-suites ... CodeQL: complete LGTM suites	2020-07-30 18:39:01 +02:00
Arthur Baars	c4041e55ba	CodeQL: complete LGTM suites	2020-07-28 20:40:44 +02:00
Max Schaefer	91762ec274	JavaScript: Add partial model for opener. ... 3.5M weekly downloads. Note that we do not treat the first argument as a command-injection sink. While it is possible to inject commands that way, it is more likely to cause false positives where the user input is concatenated with some prefix that makes the opening heuristic decide to treat it as a URL.	2020-07-27 11:42:32 +01:00
Max Schaefer	9aa26fa4bc	JavaScript: Add model for foreground-child. ... >1M weekly downloads, so seems worth doing.	2020-07-27 11:37:06 +01:00