hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
21,517 Commits 1,671 Branches 157 Tags
sauyon/java-spring-stringutils
Commit Graph

5849 Commits

Author SHA1 Message Date
Asger F
cf8c327a10 JS: make TypeAnnotation extend Locatable 2019-04-26 16:56:04 +01:00
Max Schaefer
c44f99a204 Update javascript/ql/src/semmle/javascript/Variables.qll 
Co-Authored-By: asger-semmle <42069257+asger-semmle@users.noreply.github.com>
 2019-04-26 16:56:04 +01:00
Asger F
6eb8c692b1 JS: Add partial backwards compatibility with ASTNode 2019-04-26 16:56:04 +01:00
Asger F
e295c3a224 JS: Add JSDoc test 2019-04-26 16:56:04 +01:00
Asger F
6b2b64cb2e JS: test case with unresolved types in TS 2019-04-26 16:56:04 +01:00
Asger F
c9c9a32a37 JS: hasQualifiedName 2019-04-26 16:56:04 +01:00
Asger F
454fff1398 JS: Implement getAnUnderlyingType(). 2019-04-26 16:56:04 +01:00
Asger F
8458a64642 JS: implement isXXX methods in JSDocTypeExpr classes 2019-04-26 16:56:04 +01:00
Asger F
c92a6b72b5 JS: Update getTypeAnnotation() to return TypeAnnotations 2019-04-26 16:56:04 +01:00
Asger F
be5d90d4e7 JS: Make use of JSDocParamTag 2019-04-26 16:56:04 +01:00
Asger F
967752c6c1 JS: Add TypeAnnotations class 2019-04-26 16:56:04 +01:00
Max Schaefer
e2666a9203 Update javascript/ql/src/semmle/javascript/frameworks/SocketIO.qll 
Co-Authored-By: esben-semmle <42067045+esben-semmle@users.noreply.github.com>
 2019-04-26 11:58:40 +02:00
Esben Sparre Andreasen
27f88c38ac JS: help the optimizer with NPMPackage/File relations 2019-04-26 11:49:07 +02:00
semmle-qlci
3231b60e6b Merge pull request #1272 from asger-semmle/access-path-capture 
Approved by xiemaisi
 2019-04-25 11:32:54 +01:00
Asger F
47ba7d3004 Merge pull request #1278 from xiemaisi/js/symbolic-constants 
JavaScript: Generalise `ConstantComparison` sanitisers.
 2019-04-25 11:17:22 +01:00
Max Schaefer
a8470a984a JavaScript: Generalise ConstantComparison sanitisers. 
In addition to treating comparisons with literals as sanitisers, we now
also treat comparisons with variables that have a single assignment as
sanitisers.

Proving that such a variable is actually a constant is not easy, but for
this use case a simple approximation works fine.
 2019-04-25 07:38:31 +01:00
semmle-qlci
a504ad4261 Merge pull request #1270 from xiemaisi/odasa/7904 
Approved by esben-semmle
 2019-04-24 21:50:07 +01:00
Asger F
a16753c125 JS: Add documentation 2019-04-24 10:12:55 +01:00
Aditya Sharad
4121e7245b TS extractor: Allow the Node.js runtime to be configured via environment variables. 
`SEMMLE_TYPESCRIPT_NODE_RUNTIME` can be used to provide the path to the Node.js runtime executable.
If this is omitted, the extractor defaults to the current behaviour of looking for `node` on the PATH.

`SEMMLE_TYPESCRIPT_NODE_RUNTIME_EXTRA_ARGS` can be used to provide additional arguments to the
Node.js runtime. These are passed first, before the arguments supplied by the extractor.

These changes are designed to allow TypeScript extraction in controlled customer environments where
we cannot control the PATH, or must use custom Node.js executables with certain arguments set.
 2019-04-23 15:04:14 -07:00
Max Schaefer
7faa4fd938 JavaScript: Add test case exposing two bugs in data flow library. 
This test case exposes two bugs in our data flow library (fixed by the
two previous commits):

  - the charpreds of `SourcePathNode` and `SinkPathNode` only ensured
    that they were on a path from a source to a sink, not that they
    actually were the source/sink themselves;
  - function summarization would allow for non-level paths; in the
    test case, this meant that one of the summaries for `source`
    represented the path returning from `source` on line 13 and then
    flowing back into the call on line 15, in the process transforming
    the parity of the flow label and hence causing a spurious flow.
 2019-04-23 13:16:30 +01:00
Max Schaefer
465be47574 JavaScript: Only follow level flow steps when summarising functions. 
It is not only wasteful to consider paths with unmatched calls/returns,
but also wrong; see test case in next commit.
 2019-04-23 13:16:30 +01:00
Max Schaefer
455dbccd05 JavaScript: Fix definitions of SourcePathNode and SinkPathNode. 
Their charpreds previously only ensured that they were on a path from a
source to a sink, not that they actually were the source and sink,
respectively. See two commits further for a test case.
 2019-04-23 13:15:47 +01:00
Asger F
08bc29cddb TS: fix analysis of export= statements 2019-04-23 13:09:40 +01:00
Esben Sparre Andreasen
ac0913c878 JS: add newline removal whitelist for js/incomplete-sanitization 2019-04-23 08:38:23 +02:00
Esben Sparre Andreasen
bdbd00e046 JS: add newline removal tests for js/incomplete-sanitization 2019-04-23 08:37:39 +02:00
Asger F
f3c80c738e JS: Unify access paths for captured variables 2019-04-18 11:27:15 +01:00
Asger F
e543097c45 JS: Add test 2019-04-18 11:26:39 +01:00
Max Schaefer
76e01f0055 JavaScript: Update TypeTracker to align with TypeBackTracker. 
It now also has `step` and `smallstep` predicates. In the usual case,
however, I think I prefer the `SourceNode::track` API, so I left the
recommended style in the qldoc alone (and adjusted the one for
`TypeBackTracker` to match).
 2019-04-18 09:08:09 +01:00
Max Schaefer
a61ca489f1 Merge pull request #1258 from asger-semmle/prototype-pollution 
JS: prototype pollution query template
 2019-04-17 12:58:05 +01:00
semmle-qlci
f36eafce3f Merge pull request #1246 from xiemaisi/js/hardcoded-password 
Approved by asger-semmle
 2019-04-17 08:54:09 +01:00
Asger F
48ca4ae0d8 JS: prototype pollution query template 2019-04-16 17:40:41 +01:00
Asger F
fafdd5bbcd TS: Dont extract redirect SourceFiles 2019-04-16 10:17:45 +01:00
semmle-qlci
ff25a3ee5a Merge pull request #1243 from asger-semmle/access-path-refinements 
Approved by xiemaisi
 2019-04-16 09:57:51 +01:00
Max Schaefer
65e508ae3b Merge pull request #1252 from esben-semmle/mb/1.20-master 
Mergeback: rc/1.20 into Semmle/master
 2019-04-16 09:27:50 +01:00
semmle-qlci
aeebc3692d Merge pull request #1247 from asger-semmle/tscrash 
Approved by xiemaisi
 2019-04-16 07:59:02 +01:00
semmle-qlci
97018f7c3a Merge pull request #1248 from asger-semmle/ts-full-default 
Approved by xiemaisi
 2019-04-16 07:56:50 +01:00
Max Schaefer
7af4baf57f Merge pull request #1220 from esben-semmle/js/another-getAPropertyAttribut-performance-fix 
JS: inline CallToObjectDefineProperty::getAPropertyAttribute
 2019-04-16 07:55:53 +01:00
Esben Sparre Andreasen
c80ee3df01 Mergeback: rc/1.20 into Semmle/master 2019-04-16 08:46:15 +02:00
Asger F
abbfe2d5ce TS: Dont extract redirect SourceFiles 2019-04-15 18:57:02 +01:00
Max Schaefer
4c9edafef3 Merge pull request #1211 from esben-semmle/js/type-tracking-for-incomplete-hostname-regexp 
JS: type tracking for js/incomplete-hostname-regexp
 2019-04-15 12:19:46 +01:00
Asger F
b6ea121808 TS: Make full TS extraction the default in AutoBuild 2019-04-15 12:11:05 +01:00
Max Schaefer
1d5bb97121 JavaScript: Refine PasswordInConfigurationFile to avoid FPs. 
We now exclude passwords that look like they might be filled in via
templating or shell substitution.
 2019-04-15 12:10:21 +01:00
Max Schaefer
ce53a7d575 Merge pull request #1175 from psygnisfive/NullSensitiveContext 
[JS] Null Sensitive Context (new library)
 2019-04-15 08:50:14 +01:00
Rebecca Valentine
fb40548be5 fixes semicolon issues 2019-04-12 10:56:31 -07:00
Rebecca Valentine
a66d1c0e09 fixes test errors 2019-04-12 10:39:34 -07:00
Rebecca Valentine
d4f2172bdc void exprs are also ok 2019-04-12 10:39:20 -07:00
Asger F
b8ec7083d4 JS: Update isBarrier test output 2019-04-12 16:35:01 +01:00
Asger F
b36075ca46 JS: step through refinements in AccessPaths 2019-04-12 11:12:50 +01:00
Asger F
720555be45 JS: Add test case 2019-04-12 11:11:26 +01:00
Esben Sparre Andreasen
9c65277b53 JS: reformulate js/incomplete-hostname-regexp with type tracking 2019-04-12 08:51:28 +02:00