hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 02:44:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,894 Commits 1,672 Branches 157 Tags
tausbn/python-add-support-for-template-string-literals
Commit Graph

11950 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
971f53870e JS: Include fs externs 
Makes a difference due to the modeling of NodeJSFileSystemAccessRead depending on these, see
412e841d69/javascript/ql/lib/semmle/javascript/frameworks/NodeJSLib.qll (L479-L488)

File copied from 7cef4322e7/javascript/externs/nodejs/fs.js
 2024-10-31 13:51:22 +01:00
Rasmus Wriedt Larsen
b47fa77dc6 JS: Add tests for stdin threat-model sources 2024-10-31 12:59:21 +01:00
Rasmus Wriedt Larsen
2b6c27eb60 JS: Add initial file threat-model support 
However, as indicated by the `MISSING` annotations, we could do better.
 2024-10-29 15:14:39 +01:00
Rasmus Wriedt Larsen
3656864695 JS: Add database threat-model source modeling 2024-10-29 15:11:09 +01:00
Tom Hvitved
1259b7e8e7 JS: Post-processing query for inline test expectations 2024-10-29 13:35:38 +01:00
Rasmus Wriedt Larsen
7c7420a9a4 JS: Add change-note 2024-10-29 11:35:56 +01:00
Rasmus Wriedt Larsen
84f6b89ced JS: Minor improvements to threat-model Concepts 
Mirroring what was done for Python
 2024-10-29 11:29:48 +01:00
Asger F
6aef571c17 JS: Bump extractor version string 2024-10-29 11:28:06 +01:00
Asger F
3cc6b11e6b JS: Expand attribute regex to include some Vue attributes 2024-10-29 11:19:01 +01:00
Asger F
560b3da851 JS: Add test with some special Vue attributes 2024-10-29 11:18:17 +01:00
Asger F
2fb108419c JS: Only parameter-calls as lambda calls 2024-10-29 08:32:15 +01:00
Asger F
1e9e57e46e JS: Fix missing qldoc 2024-10-29 08:32:14 +01:00
Asger F
52ba91a7f8 JS: Updates to nodes/edges in tests 
Only changes to nodes/edges for various reasons, no actual result changes
 2024-10-29 08:32:13 +01:00
Asger F
1243188825 JS: Update CleartextLogging with fixed FP 2024-10-29 08:32:11 +01:00
Asger F
18b39460f5 JS: Add regained results in UnsafeJQueryPlugin 
These were marked as 'NOT OK' in the test file, but weren't previously flagged for some reason
 2024-10-29 08:32:10 +01:00
Asger F
d3e70c1e97 JS: Add in-barrier to XSS query 
This is a bit of a bandaid to cover issues with the push() method on next/router being
treated as an array push, which causes it to flow into other taint sources.
 2024-10-29 08:32:08 +01:00
Asger F
1b85feb1fa JS: Add imprecise post-update steps for when a captured var/this is not tracked precisely 
With the capture library we sometimes bails out of handling certain functions for scalability reasons.

This means we have a notion of "captured but imprecisely-tracked" variables and 'this'. In these cases we go back to propagating flow from a post-update node to the local source.
 2024-10-29 08:32:07 +01:00
Asger F
d557c7689c JS: Update a test that now has more precise output 2024-10-29 08:32:06 +01:00
Asger F
1efef2ca3c JS: Change rule for getPostUpdateForStore 
This causes less wobbles in test outputs
 2024-10-29 08:32:05 +01:00
Asger F
ad52b71922 JS: Update immutable.js test to clarify why it stopped working 
The Immutable model uses the 'd' and 'f' properties to model Map content, but the test doesn't actually mention those properties, so they were missing from the PropertyName class.

The flow was previously found spuriously by the regular Map model, which also adds flow through the  get/set calls. This flow is however no longer found since it relied on a step from post-update back to getALocalSource which is no longer present.
 2024-10-29 08:32:03 +01:00
Asger F
c0997c28cb JS: Reveal issue with immutable.js test 
Fixed in the next commit
 2024-10-29 08:32:02 +01:00
Asger F
4473e6d977 JS: Update test with some post-update consistency checks gone 
For a constructor call, the return value acts as the post-update node for the 'this' argument. The fact that constructor calls are sometimes PostUpdateNodes causes some of these harmless alerts.

The warnings have disappeared in some cases because we no longer target getALocalSource() so the target is no longer the constructor call.
 2024-10-29 08:32:01 +01:00
Asger F
cb874945bf Test updates from introduction of implicit 'this' 2024-10-29 08:31:59 +01:00
Asger F
bd94fe1574 JS: Explain false positive in test case 2024-10-29 08:31:58 +01:00
Asger F
e05e077b33 JS: Block jump steps through 'this' now that the capture lib handles 'this' 2024-10-29 08:31:57 +01:00
Asger F
16b08b74eb JS: Add test showing potential for FPs when handling refinement guards 2024-10-29 08:31:55 +01:00
erik-krogh
2ee88f6774 fix the RAM setting on Windows 2024-10-28 20:39:34 +01:00
Rasmus Wriedt Larsen
1726287bf4 JS: Add e2e threat-model test 2024-10-25 15:03:44 +02:00
Rasmus Wriedt Larsen
d3ae4c930e JS: Model newer yargs command-line parsing pattern 2024-10-25 15:03:43 +02:00
Rasmus Wriedt Larsen
3448751b4c JS: Consolidate command-line argument modeling 
Such that we can reuse the existing modeling, but have it globally
applied as a threat-model as well.

I Basically just moved the modeling. One important aspect is that this
changes is that the previously query-specific `argsParseStep` is now a
globally applied taint-step. This seems reasonable, if someone applied
the argument parsing to any user-controlled string, it seems correct to
propagate that taint for _any_ query.
 2024-10-25 15:03:43 +02:00
Rasmus Wriedt Larsen
412e841d69 JS: Add environment threat-model source 2024-10-25 15:03:43 +02:00
Rasmus Wriedt Larsen
f733ac19a9 JS: Make (most) queries use ActiveThreatModelSource 
7 cases looks something like this:

```
class RemoteFlowSourceAsSource extends Source instanceof RemoteFlowSource {
  RemoteFlowSourceAsSource() { not this instanceof ClientSideRemoteFlowSource }
}
```

(some have variations like `not this.(ClientSideRemoteFlowSource).getKind().isPathOrUrl()`)

javascript/ql/lib/semmle/javascript/security/dataflow/ClientSideUrlRedirectCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/CommandInjectionCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/CorsMisconfigurationForCredentialsCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/RegExpInjectionCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/RequestForgeryCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/ResourceExhaustionCustomizations.qll
javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll
 2024-10-25 15:03:42 +02:00
Rasmus Wriedt Larsen
4b1c027359 JS: Integrate RemoteFlowSource with ThreatModelSource 2024-10-25 14:52:49 +02:00
Rasmus Wriedt Larsen
dbfbd2c00a JS: Remove 'response' from default threat-models 
I didn't want to put the configuration file in
`semmle/javascript/frameworks/**/*.model.yml`, so created `ext/` as in other
languages
 2024-10-25 14:52:49 +02:00
Rasmus Wriedt Larsen
05dce8a0be JS: Add test showing default active threat-models 2024-10-25 14:50:59 +02:00
Rasmus Wriedt Larsen
17a6d54e4d JS: Setup basic support for threat-models 
Integration with RemoteFlowSource is not straightforward, so postponing
that for later

Naming in other languages:
- `SourceNode` (for QL only modeling)
- `ThreatModelFlowSource` (for active sources from QL or data-extensions)

However, since we use `LocalSourceNode` in Python, and `SourceNode` in
JS (for local source nodes), it seems a bit confusing to follow the same
naming convention as other languages, and instead I came up with new names.
 2024-10-25 14:50:59 +02:00
erik-krogh
073d6d8c14 have getId always return null if skipExtractingTypes is set 2024-10-23 16:50:23 +02:00
Asger F
958602e43e JS: Cache getARead (as per instructions in the SSA library) 2024-10-22 12:46:20 +02:00
Asger F
e784813c3b JS: Make barrier guards work with use-use flow 2024-10-22 12:46:19 +02:00
Asger F
67fdd864c9 JS: Add TODO 2024-10-22 12:46:18 +02:00
Asger F
81af9a1658 Fix missing flow through super calls 2024-10-22 12:46:17 +02:00
Asger F
12370e9210 JS: Use VariableOrThis in variable capture as well 2024-10-22 12:46:16 +02:00
Asger F
0ebe8bdd91 JS: Add test for missing capture flow for 'this' 2024-10-22 12:46:15 +02:00
Asger F
d31499d727 JS: introduce implicit this uses in general 2024-10-22 12:46:14 +02:00
Asger F
8dc0505f84 JS: Add test for missing flow into 'this' in field initializers 2024-10-22 12:46:13 +02:00
Asger F
c3c003b275 JS: Fix post-update flow into 'this' 2024-10-22 12:46:11 +02:00
Asger F
9fc99d6f9d JS: Fix store into object literals that have a post-update node 2024-10-22 12:46:11 +02:00
Asger F
d626e79ed3 JS: Add two test cases for missing flow 2024-10-22 12:46:10 +02:00
Asger F
992c144559 JS: Add qldoc to file 2024-10-22 12:46:09 +02:00
Asger F
beaacf96b3 JS: Rename Internal -> Cached since whole file is internal now 2024-10-22 12:46:08 +02:00