hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
21,517 Commits 1,672 Branches 157 Tags
sauyon/java-spring-stringutils
Commit Graph

5316 Commits

Author SHA1 Message Date
ubuntu
92f9f320f9 Added new example of an unsafe event.origin verification 2020-06-10 23:07:05 +02:00
Erik Krogh Kristensen
aa3482cbae improve detection of duplicate results with js/code-injection 2020-06-10 22:58:02 +02:00
Erik Krogh Kristensen
5142670138 don't import AdditionalSinks, refactor sink out in new HeuristicSinks instead 2020-06-10 22:30:45 +02:00
Esben Sparre Andreasen
d6ae905eac JS: remove speculative property access sink from js/server-crash 2020-06-10 21:40:12 +02:00
semmle-qlci
b841cacb83 Merge pull request #3676 from max-schaefer/js/global-access-paths-minor-fixes 
Approved by erik-krogh
 2020-06-10 20:02:55 +01:00
Erik Krogh Kristensen
373a437d71 add query to detect improperly sanitized code 2020-06-10 19:50:12 +02:00
Erik Krogh Kristensen
5c31b94761 autoformat and update expected output 2020-06-10 18:00:56 +02:00
Max Schaefer
0f2186c844 JavaScript: Fix a few typos. 2020-06-10 16:44:24 +01:00
Asger Feldthaus
f23c6030aa JS: Restrict domValueRef to known DOM property names 2020-06-10 15:14:23 +01:00
Asger Feldthaus
bb2b7fb6fb JS: Add test with class stored in global variable 2020-06-10 15:14:23 +01:00
Asger Feldthaus
36c4803694 JS: Add test 2020-06-10 14:08:33 +01:00
Asger Feldthaus
07e90ff65f JS: Autoformat 2020-06-10 14:03:01 +01:00
semmle-qlci
df79f2adc5 Merge pull request #3655 from asger-semmle/js/string-ops-regexp-test-fix 
Approved by esbena
 2020-06-10 13:35:22 +01:00
Esben Sparre Andreasen
1d396524a3 JS: add initial version of ServerCrash.ql 2020-06-10 14:25:56 +02:00
Erik Krogh Kristensen
c4f61134f1 include the source of cryptographically random number in alert message 2020-06-10 13:32:46 +02:00
Erik Krogh Kristensen
7e8fd80327 use steps from InsecureRandomness, and use small-steps 2020-06-10 12:27:50 +02:00
Erik Krogh Kristensen
9029dbacf5 refactor isAdditionalTaintStep to a utility predicate in InsecureRandomness 2020-06-10 10:55:30 +02:00
Erik Krogh Kristensen
9189f23403 add support for secure-random 2020-06-10 10:39:02 +02:00
Erik Krogh Kristensen
16ec405724 add explanations about modulo by power of 2 2020-06-10 10:38:47 +02:00
Erik Krogh Kristensen
111f6d406c introduce query to detect biased random number generators 2020-06-10 10:00:10 +02:00
Erik Krogh Kristensen
733e04c1eb Move rest-pattern inside property-pattern step to a taint-step 2020-06-10 09:02:22 +02:00
Erik Krogh Kristensen
2f9124f754 add missing qldoc 2020-06-09 23:32:58 +02:00
Erik Krogh Kristensen
eb00da5b31 improve readability 
Co-authored-by: Asger F <asgerf@github.com>
 2020-06-09 20:02:46 +02:00
Asger Feldthaus
a923a404ab JS: Explicitly handle export declarations in PackageExports 2020-06-09 18:28:15 +01:00
Asger Feldthaus
806c9a372e JS: Resolve package.json main module differently 2020-06-09 18:28:15 +01:00
Erik Krogh Kristensen
b8a9ac39f4 add lValueFlowStep for rest-pattern nested inside a property-pattern (and removed old incorrect approach) 2020-06-09 18:16:00 +02:00
Erik Krogh Kristensen
b6e0e6645f Merge pull request #3645 from erik-krogh/infExposure 
JS: add query to detect accidential leak of private files
 2020-06-09 17:38:31 +02:00
Erik Krogh Kristensen
a7f6f045d2 add taint-steps for copying properties of an object 2020-06-09 17:16:13 +02:00
Erik Krogh Kristensen
7050d9d7bb remove dead FlowLabel 2020-06-09 17:15:55 +02:00
Erik Krogh Kristensen
2af8739bb6 simplify web.DefinePlugin sink 2020-06-09 17:15:35 +02:00
Erik Krogh Kristensen
90596167b1 add taint-step for Array.reduce 2020-06-09 17:15:00 +02:00
Erik Krogh Kristensen
be71ddf7bb introduce basic BuildArtifactLeak query 2020-06-09 15:27:55 +02:00
Erik Krogh Kristensen
896a9b05f6 refactor CleartextLogging to allow for reuse 2020-06-09 15:03:07 +02:00
Erik Krogh Kristensen
b510e470b1 support rest-patterns inside property patterns 2020-06-09 13:28:56 +02:00
Erik Krogh Kristensen
b04d7015ae fix test 2020-06-09 11:23:46 +02:00
Asger Feldthaus
0345036420 JS: Fix 'match' call in StringOps::RegExpTest 2020-06-09 10:07:36 +01:00
Erik Krogh Kristensen
c2fbcea96f base the chaining on yargs on the methods that are NOT chained 2020-06-09 10:22:25 +02:00
Esben Sparre Andreasen
2d2468463b JS: initial version of IncompleteMultiCharacterSanitization.ql 2020-06-09 08:59:59 +02:00
Erik Krogh Kristensen
167239e745 add query to detect accidential leak of private files 2020-06-08 23:41:14 +02:00
ubuntu
ab65ec40c0 Add Codeql to detect missing 'Message.origin' validation when using postMessage API 2020-06-08 20:18:34 +02:00
Erik Krogh Kristensen
0f06f04e32 extend support for yargs for js/indirect-command-line-injection 2020-06-08 16:45:09 +02:00
Asger Feldthaus
53280a6b11 JS: Add test demonstrating new flow 2020-06-08 14:25:21 +01:00
Asger Feldthaus
2d9b9fa584 JS: Use PreCallGraphStep in select array steps 2020-06-08 13:45:28 +01:00
Asger Feldthaus
3d2bbbd3db JS: Add PreCallGraphStep extension point 2020-06-08 13:45:28 +01:00
Asger Feldthaus
1f2ab605bd JS: Add store/load steps to AdditionalTypeTrackingStep 2020-06-08 13:45:28 +01:00
Esben Sparre Andreasen
872ee13ba6 JS: formatting 2020-06-08 10:04:37 +02:00
Esben Sparre Andreasen
fa35a6a694 JS: formatting 2020-06-08 08:13:58 +02:00
semmle-qlci
ff6936caa7 Merge pull request #3625 from erik-krogh/CVE714 
Approved by asgerf
 2020-06-05 12:21:10 +01:00
semmle-qlci
69a1e11c06 Merge pull request #3609 from erik-krogh/CredFN 
Approved by asgerf, esbena
 2020-06-05 10:49:01 +01:00
Erik Krogh Kristensen
82cf53897f TypeOfCheck -> TypeOfUndefinedSanitizer 
Co-authored-by: Asger F <asgerf@github.com>
 2020-06-05 11:35:39 +02:00