Asger F
023dcce400
JS: Disable variable capture heuristic
...
Bailing out can be more expensive as the resulting jump steps themselves
cause perf issues. The limit of 100 variables per scope has also been
added in the interim, which handles the cases that this needed to cover.
2024-11-18 13:44:10 +01:00
Asger F
37676f41aa
JS: Remove jump steps from IIFE steps
2024-11-18 13:38:34 +01:00
Asger F
7acc5689cf
JS: Port exception steps to a universal summary
2024-11-18 13:27:58 +01:00
Asger F
80ee372ddf
JS: Replace an unused value with _
2024-11-12 11:24:17 +01:00
Asger F
637baabe37
JS: Clarify why there are no SSA definitions
2024-11-12 11:23:35 +01:00
Asger F
2fb108419c
JS: Only parameter-calls as lambda calls
2024-10-29 08:32:15 +01:00
Asger F
1e9e57e46e
JS: Fix missing qldoc
2024-10-29 08:32:14 +01:00
Asger F
d3e70c1e97
JS: Add in-barrier to XSS query
...
This is a bit of a bandaid to cover issues with the push() method on next/router being
treated as an array push, which causes it to flow into other taint sources.
2024-10-29 08:32:08 +01:00
Asger F
1b85feb1fa
JS: Add imprecise post-update steps for when a captured var/this is not tracked precisely
...
With the capture library we sometimes bails out of handling certain functions for scalability reasons.
This means we have a notion of "captured but imprecisely-tracked" variables and 'this'. In these cases we go back to propagating flow from a post-update node to the local source.
2024-10-29 08:32:07 +01:00
Asger F
1efef2ca3c
JS: Change rule for getPostUpdateForStore
...
This causes less wobbles in test outputs
2024-10-29 08:32:05 +01:00
Asger F
e05e077b33
JS: Block jump steps through 'this' now that the capture lib handles 'this'
2024-10-29 08:31:57 +01:00
Asger F
958602e43e
JS: Cache getARead (as per instructions in the SSA library)
2024-10-22 12:46:20 +02:00
Asger F
e784813c3b
JS: Make barrier guards work with use-use flow
2024-10-22 12:46:19 +02:00
Asger F
67fdd864c9
JS: Add TODO
2024-10-22 12:46:18 +02:00
Asger F
81af9a1658
Fix missing flow through super calls
2024-10-22 12:46:17 +02:00
Asger F
12370e9210
JS: Use VariableOrThis in variable capture as well
2024-10-22 12:46:16 +02:00
Asger F
d31499d727
JS: introduce implicit this uses in general
2024-10-22 12:46:14 +02:00
Asger F
c3c003b275
JS: Fix post-update flow into 'this'
2024-10-22 12:46:11 +02:00
Asger F
9fc99d6f9d
JS: Fix store into object literals that have a post-update node
2024-10-22 12:46:11 +02:00
Asger F
992c144559
JS: Add qldoc to file
2024-10-22 12:46:09 +02:00
Asger F
beaacf96b3
JS: Rename Internal -> Cached since whole file is internal now
2024-10-22 12:46:08 +02:00
Asger F
3fca27bee2
JS: Fix indentation
...
Only formatting changes
2024-10-22 12:46:07 +02:00
Asger F
ed0af958a9
JS: Add Public module and only expose that
...
Indentation will be fixed in next commit
2024-10-22 12:46:06 +02:00
Asger F
3b663bd2f6
JS: Remove BasicBlockInternal module and mark relevant predicates as public
...
This exposes the predicates publicly, but will be hidden again in the next commit.
2024-10-22 12:46:04 +02:00
Asger F
211b42d0ce
JS: Move BasicBlocks.qll -> internal/BasicBlocksInternal.qll
2024-10-22 12:46:03 +02:00
Asger F
9e600424cc
JS: Remove unused predicate
2024-10-22 12:46:02 +02:00
Asger F
78e961cef3
JS: Add use-use flow
2024-10-22 12:46:01 +02:00
Asger F
7363b578b1
JS: Instantiate shared SSA library
...
JS: Remove with statement comment
2024-10-22 12:45:58 +02:00
Asger F
a258489551
JS: Refactor some internal methods to make them easier to alias
...
We need these to return the dominator instead of declaring it in the parameter list, so that we can use it directly to fulfill part of the signature for the SSA library.
We can't rewrite it with an inline predicate since the SSA module calls with a transitive closure '*', which does not permit inline predicates.
2024-10-22 12:45:57 +02:00
Asger F
443987b484
Merge branch 'main' into js/shared-dataflow-merge-main
2024-10-22 10:30:53 +02:00
github-actions[bot]
079ab77a38
Post-release preparation for codeql-cli-2.19.2
2024-10-15 12:16:59 +00:00
github-actions[bot]
255f55cf1a
Release preparation for version 2.19.2
2024-10-15 10:29:25 +00:00
Asger F
e2e91ac7d9
Merge branch 'main' into js/shared-dataflow-merge-main
2024-10-08 09:28:26 +02:00
Asger F
6cbe04dcb7
JS: Consistently use the shared XSS barrier guards in the XSS queries
...
Previously only reflected XSS used shared barrier guards.
2024-10-02 14:44:17 +02:00
Asger F
341bacfe55
JS: Fix bug causing re-evaluation of cached barriers
2024-10-02 14:43:18 +02:00
github-actions[bot]
e97878ed63
Post-release preparation for codeql-cli-2.19.1
2024-09-30 19:49:00 +00:00
github-actions[bot]
455c8c5953
Release preparation for version 2.19.1
2024-09-30 17:59:48 +00:00
Asger F
1cd00a118c
Merge branch 'main' into js/shared-dataflow-merge-main
2024-09-18 14:57:50 +02:00
Asger F
7ba6995854
JS: Clarify a comment
2024-09-17 15:59:04 +02:00
github-actions[bot]
79be301984
Post-release preparation for codeql-cli-2.19.0
2024-09-16 14:09:32 +00:00
github-actions[bot]
acdafd9646
Release preparation for version 2.19.0
2024-09-16 10:56:10 +00:00
Dave Bartolomeo
485fc04029
Initial merge from main
2024-09-15 08:55:31 -04:00
Asger F
1df69ec1d2
JS: Actually don't propagate into array element 0
...
Preserving tainted-url-suffix into array element 0 seemed like a good idea, but didn't work out so well.
2024-09-12 13:42:36 +02:00
Asger F
0e4e0f4fdd
JS: Preverse tainted-url-suffix when stepping into prefix
...
A URL of form https://example.com?evil#bar will contain '?evil' after splitting out the '#' suffix, and vice versa.
2024-09-12 13:42:28 +02:00
Asger F
74ab346348
JS: Do not include taint steps in TaintedUrlSuffix::step
...
TaintedUrlSuffix is currently only used in TaintTracking configs meaning it is already propagated
by taint steps. The inclusion of these taint steps here however meant that implicit reads could appear prior to any of these steps.
This was is problematic for PropRead steps as an expression like x[0] could spuriously read from array element 1 via the path:
x [element 1]
x [empty access path] (after implicit read)
x[0] (taint step through PropRead)
2024-09-12 13:42:25 +02:00
Asger F
2712bf821a
JS: Fix a bug in isSafeClientSideUrlProperty
2024-09-12 13:42:23 +02:00
Asger F
bc04131c72
JS: Disallow implicit reads before an optional step
2024-09-12 13:42:22 +02:00
Asger F
3b09bc548e
JS: Add taint step for shift()
2024-09-12 13:42:17 +02:00
Asger F
3fcf4ef7a1
JS: More precise model of .shift()
...
Array.prototype.shift only returns the first array element.
The mutation of Argument[this] is not yet modelled, and is better handled when we have use-use flow.
2024-09-12 13:42:15 +02:00
Asger F
e4f7560bcd
JS: Add missing qldoc
2024-09-12 13:42:14 +02:00