hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,894 Commits 1,671 Branches 157 Tags
tausbn/python-add-support-for-template-string-literals
Commit Graph

11950 Commits

Author SHA1 Message Date
Asger F
21494fbdff JS: Refactor BarrierGuardLegacy pattern to not depend on SanitizerGuardNode 
Previously our barrier guard classes were direct descendents of SanitizerGuardNode which made it hard to deprecate that class.

Now our barrier guards are not descending from any shared class. Instead they are contributed to SanitizerGuardNode via a private helper class we can remove in the future.
 2024-12-03 14:30:29 +01:00
Asger F
a574ff1669 JS: Remove use of MakeLegacyBarrierGuard in experimental SSRF 2024-12-03 14:30:28 +01:00
Asger F
08d25c122d JS: Deprecate more uses of ConsistencyConfiguration 2024-12-03 14:30:27 +01:00
Asger F
75ab4856b8 Remove unsupported features from PoI 2024-12-03 14:30:25 +01:00
Asger F
e6680dec8f JS: Avoid use of LabeledSanitizerGuardNode in TaintedObject 
Drive-by bugfix: Rename sanitizes -> blocksExpr.
This fixes a bug that caused the sanitizer guard not to work in df2.

The test output reflects the fact that the barrier guard works now.
 2024-12-03 14:30:24 +01:00
Asger F
0ce1fe767d JS: Deprecate ConsistencyChecking to avoid deprecation warnings 2024-12-03 14:30:23 +01:00
Asger F
04a3a6707f JS: Update a reference to AdditionalSanitizerGuardNode 
Unlike most other references to this class, we're not subclassing it here, we're
just trying to reuse some standard barrier guards but with a different flow state.
 2024-12-03 14:30:22 +01:00
Asger F
834d35bc42 JS: Port experimental DecompressionBombs to ConfigSig 2024-12-03 14:30:21 +01:00
Asger F
871bc3b84a JS: Port experimental CorsPermissiveConfiguration to ConfigSig 
The tests show a new (source, sink) pair for an already-flagged sink.

Not sure why it was not flagged originally since the data flow path seems valid, given the steps provided by our models.
 2024-12-03 14:30:20 +01:00
Asger F
f5a6485ef2 JS: Port experimental decodeJwtWithoutVerificationLocalSource 2024-12-03 14:30:19 +01:00
Asger F
72e522631d JS: Port experimental jwtDecodeWithoutVerification to ConfigSig 2024-12-03 14:30:18 +01:00
Asger F
7e162f5451 JS: Port experimental EnvValueInjection to ConfigSig 2024-12-03 14:30:17 +01:00
Asger F
4f839070a0 JS: Port experimental EnvValueAndKeyInjection to ConfigSig 2024-12-03 14:30:16 +01:00
Asger F
8887ca1722 JS: Port an experimental CodeInjection variant to ConfigSig 2024-12-03 14:30:15 +01:00
Asger F
1832e93766 JS: Port FormParsers test to ConfigSig 2024-12-03 14:30:14 +01:00
Asger F
4d7401a074 JS: Deprecate tests for deprecated APIs 
Mainly adds 'deprecated' in front of a bunch of tests for deprecated APIs.
 2024-12-03 14:30:12 +01:00
Asger F
3548544970 JS: Avoid some uses of deprecated guard classes in tests 2024-12-03 14:30:11 +01:00
Asger F
a568d8c086 JS: Port threat-model test to ConfigSig 2024-12-03 14:30:10 +01:00
Asger F
f758b67d30 JS: Openly recommend SummarizedCallable 2024-12-03 14:30:09 +01:00
Asger F
249104b8ae JS: Update comments referring to old Configuration style 
Also avoid the term "analysis-specific" because it's not a term we use anywhere else.
 2024-12-03 14:30:08 +01:00
Asger F
13ee597848 JS: Add some proper documentation to SummarizedCallable 2024-12-03 14:30:07 +01:00
Asger F
988fa9c0ef JS: Deprecate AdditionalSanitizerGuardNode 
We're deprecating the class through an alias, but it is still the base class for a non-deprecated class, for backwards compatibility. For this reason we're also deprecating all of its member predicates so we can remove those in the future.
 2024-12-03 14:30:06 +01:00
Asger F
0b1e859e70 JS: Remove uses of AdditionalSanitizerGuardNode 2024-12-03 14:30:05 +01:00
Asger F
c2abb0fbd0 JS: Remove reference to AdditionalSanitizerGuard from CachedStages 2024-12-03 14:30:04 +01:00
Asger F
82682d9a62 JS: Remove a non-deprecated reference to SanitizerGuardNode 2024-12-03 14:30:03 +01:00
Asger F
bc7753de29 JS: Remove non-deprecated reference to AdditionalBarrierGuardNode 2024-12-03 14:30:02 +01:00
Asger F
0cd2e3f9eb JS: Deprecate old data flow library, except some guard-related nodes 2024-12-03 14:30:01 +01:00
Asger F
071189a9e9 Merge pull request #18175 from asgerf/jss/documentation 
JS: Update data flow documentation and tutorials for JavaScript
 2024-12-03 14:23:29 +01:00
Asger F
054558d7b5 JS: Include content properties in type-tracker properties 
Reminder: we have two PropertyName classes because the one in Contents.qll can't depend on DataFlow::Node.
 2024-12-03 09:58:54 +01:00
Asger F
8bca66493f JS: Add test showing lack of inclusion in PropertyName 2024-12-03 09:57:02 +01:00
Napalys Klicius
1e1674a08a Merge pull request #18089 from Napalys/napalys/regexp-unknown-flags 
JS: RegExp unknown flags support and enhanced compatibility with RegExp objects
 2024-12-03 09:43:13 +01:00
Napalys Klicius
08ef0dc1f2 Update javascript/ql/lib/change-notes/2024-11-28-regexp-unknown-flags.md 
Co-authored-by: Asger F <asgerf@github.com>
 2024-12-02 13:35:52 +01:00
Asger F
2db89c1b02 JS: Update query17 from intro tutorial 2024-12-02 10:04:09 +01:00
Asger F
103a6ea8a6 JS: Port tutorial query5 2024-12-02 10:04:07 +01:00
Asger F
02c5e49de8 JS: Port tutorial query4 2024-12-02 10:04:05 +01:00
Asger F
1f6335f9ba JS: Port tutorial query3 2024-12-02 10:04:04 +01:00
Asger F
3319870d00 JS: Port tutorial query2 2024-12-02 10:04:02 +01:00
Asger F
32f020ee6f JS: Port tutorial query1 2024-12-02 10:04:00 +01:00
Asger F
cab8a40d00 JS: Fix accidental recursion 2024-11-29 14:23:57 +01:00
Asger F
9c6b6981e2 JS: Add test to restrict dependencies 2024-11-29 14:23:56 +01:00
Asger F
2f0c80a98b JS: Include summary steps in type tracking 2024-11-29 14:23:55 +01:00
Asger F
440cbb7f0a JS: Add inline-expectation test for type tracking 2024-11-29 14:23:54 +01:00
Asger F
6349903110 JS: Move FlowSummary/Summaries.qll into testUtilities 2024-11-29 14:23:52 +01:00
Asger F
e34064e3b5 JS: Initial instantiation of sumamry type tracking 
Instantiates the library without using it yet.
 2024-11-29 14:23:50 +01:00
Asger F
df12f255ac JS: Rename propagatesFlowExt -> propagatesFlow 2024-11-29 14:23:49 +01:00
Napalys
9d4e737bc2 JS: follow proper code standards for get predicates 
Co-authored-by: asgerf <asgerf@github.com>
 2024-11-29 11:32:10 +01:00
Napalys
3171f38cdd JS: fixed bad alert messages when it came to incomplete sanitization for new RegExp objects 2024-11-29 11:14:45 +01:00
Napalys Klicius
13afd6310b Update javascript/ql/lib/change-notes/2024-11-28-regexp-unknown-flags.md 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2024-11-29 08:26:04 +01:00
Napalys
d2de9a2238 Fixed change notes 2024-11-28 14:24:27 +01:00
Napalys Klicius
9ca0fe4cbf Update RegExp handling and add test case 
Co-authored-by: erik-krogh <erik-krogh@github.com>
 2024-11-28 14:13:40 +01:00