hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 12:46:34 +01:00
Code Issues Packages Projects Releases Wiki Activity
19,208 Commits 1,673 Branches 157 Tags
0e059cea56c52dea88f1fc91d6e24f0053e2796d
Commit Graph

5281 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
11f35a5193 Update javascript/ql/src/semmle/javascript/security/performance/ReDoSUtil.qll 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2021-01-21 23:11:50 +01:00
Erik Krogh Kristensen
62746bbbac skip analyzing regular expressions in minified files for ReDoS 2021-01-21 22:31:42 +01:00
CodeQL CI
d0b70d15f0 Merge pull request #4996 from esbena/js/nodejs-client-request-event-emitter 
Approved by erik-krogh
 2021-01-21 12:37:00 -08:00
Esben Sparre Andreasen
cb25f2ab20 JS: add docstring with source examples 2021-01-21 20:46:34 +01:00
CodeQL CI
b83c949109 Merge pull request #4986 from erik-krogh/logInf 
Approved by esbena
 2021-01-21 06:02:50 -08:00
Esben Sparre Andreasen
1c100bbbc2 JS: recognize event emitters in nodejs client requests 2021-01-21 14:14:00 +01:00
Erik Krogh Kristensen
a9a901d1e2 add change note 2021-01-21 11:08:39 +01:00
Erik Krogh Kristensen
dafec3ceaa rename to AnalyzedCompoundNumericAssignExpr 2021-01-21 11:06:46 +01:00
CodeQL CI
30015ee995 Merge pull request #4942 from esbena/js/reintroduce-resource-exhaustion 
Approved by erik-krogh
 2021-01-21 01:21:33 -08:00
Esben Sparre Andreasen
b90dd89746 JS: move js/resource-exhaustion to experimental 2021-01-21 09:09:01 +01:00
Erik Krogh Kristensen
a44aefa6c9 add test for top-level closure modules - and simplify 2021-01-20 19:47:32 +01:00
Erik Krogh Kristensen
2e024c3c61 fix that type inference assumed every compound-assignment have type number 2021-01-20 15:26:39 +01:00
Erik Krogh Kristensen
fbfbe70deb add support for unnamed/default exports in PackageExports.qll 2021-01-19 22:40:45 +01:00
CodeQL CI
bdfb81064d Merge pull request #4969 from asgerf/js/angular-dom-santizier-from-core 
Approved by erik-krogh
 2021-01-19 08:45:15 -08:00
Erik Krogh Kristensen
2a8a2832e2 Merge pull request #4946 from erik-krogh/libRedos 
JS: Add library input as source for `js/polynomial-redos`
 2021-01-19 17:30:20 +01:00
Erik Krogh Kristensen
01900d7ca2 remove false positive due to "\n" not being in the relevant relation 2021-01-18 14:47:29 +01:00
CodeQL CI
fc2fe6cccb Merge pull request #4928 from esbena/js/rewrite-multi-sanitization 
Approved by asgerf
 2021-01-18 05:11:42 -08:00
Asger Feldthaus
3db6069372 JS: Add test for new sink 2021-01-18 10:55:34 +00:00
Asger Feldthaus
2752b4ba64 JS: Shift line numbers in test 2021-01-18 10:54:39 +00:00
Asger Feldthaus
ff1d0cc4c7 JS: Recognize DomSanitizer from @angular/core 2021-01-18 10:54:27 +00:00
Erik Krogh Kristensen
401e516654 update expected output, and update PackageExports test 2021-01-15 17:40:47 +01:00
Erik Krogh Kristensen
26783b6ab0 make getTopmostPackageJSON public again, and update PackageExports test 2021-01-15 16:05:49 +01:00
Erik Krogh Kristensen
1506ac09e5 limit the number of characters produced by getAThreewayIntersect 2021-01-15 13:54:16 +01:00
Erik Krogh Kristensen
0117a0fac1 specialize the getAValueExportedBy predicate to only topmost package.jsons 2021-01-15 13:54:16 +01:00
Erik Krogh Kristensen
0c9d46a7f9 changes based on review 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2021-01-15 13:54:05 +01:00
Erik Krogh Kristensen
c106b09d49 change-note 2021-01-14 14:17:32 +01:00
Erik Krogh Kristensen
c5595f4cbd improve alert message for js/polynomial-redos 2021-01-14 13:48:26 +01:00
Erik Krogh Kristensen
86e33d9d79 select the shortest possible reason 2021-01-14 13:38:37 +01:00
Erik Krogh Kristensen
03d8aeb7b6 refactor PolynomialBackTrackingTerm, to allow getting the pump string and the prefix-message 2021-01-14 13:35:32 +01:00
Erik Krogh Kristensen
a520a51d42 highlight the use of the regular expression, instead of the sink for user input 2021-01-14 11:22:20 +01:00
Erik Krogh Kristensen
e8ea720650 adjust description to not mention user-provided values 2021-01-14 10:36:10 +01:00
CodeQL CI
4229f556cb Merge pull request #4751 from erik-krogh/logInjection 
Approved by asgerf, mchammer01
 2021-01-14 00:32:46 -08:00
Erik Krogh Kristensen
c98dacf842 changes based on doc review 2021-01-13 10:38:19 +01:00
Erik Krogh Kristensen
d71adff079 dont sanitize global replacements where the regexp is a char class 2021-01-13 10:12:12 +01:00
Erik Krogh Kristensen
0a17b04650 refactor copy-pasted code into getAnLibraryInputParameter 2021-01-12 20:21:37 +01:00
Erik Krogh Kristensen
eaee5c2d87 add library input as source for js/polynomial-redos 2021-01-12 20:21:33 +01:00
Esben Sparre Andreasen
3c9c79a550 JS: remove flow labels from js/resource-exhaustion 2021-01-12 13:20:20 +01:00
Esben Sparre Andreasen
5965035c09 JS: add query js/resource-exhaustion 2021-01-12 13:20:20 +01:00
CodeQL CI
1c8547c897 Merge pull request #4774 from erik-krogh/forms 
Approved by asgerf
 2021-01-12 02:01:38 -08:00
Esben Sparre Andreasen
847687974f JS: only select non-nullable terms in the broken sanitizer 2021-01-12 08:50:19 +01:00
Esben Sparre Andreasen
40cfbab335 JS: address review feedback 2021-01-12 08:49:08 +01:00
Esben Sparre Andreasen
580a24e982 JS: rewrite js/incomplete-multi-character-sanitization 2021-01-11 11:26:45 +01:00
CodeQL CI
807fc94627 Merge pull request #4921 from erik-krogh/moreShellSan 
Approved by esbena
 2021-01-08 00:58:26 -08:00
Erik Krogh Kristensen
6423c32990 Update javascript/ql/src/semmle/javascript/security/dataflow/UnsafeShellCommandConstructionCustomizations.qll 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2021-01-07 22:02:39 +01:00
CodeQL CI
c193d9f375 Merge pull request #4823 from erik-krogh/furtherReDoS 
Approved by esbena
 2021-01-07 05:24:07 -08:00
Erik Krogh Kristensen
7eab08511b add source code examples to blocksCharInAccess 2021-01-07 13:58:26 +01:00
Erik Krogh Kristensen
8b03ab0c01 update docstring for getAShellChar 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2021-01-07 13:58:26 +01:00
Erik Krogh Kristensen
2aa59a3f8b support sanitizers that sanitize individual chars in js/shell-command-constructed-from-input 2021-01-07 13:58:25 +01:00
Erik Krogh Kristensen
7e21081b70 add comment about regexp detected by js/polynomial-redos 2021-01-07 12:06:12 +01:00
Erik Krogh Kristensen
bfd8d1b1e9 Merge branch 'main' into revertSum 2021-01-06 23:04:08 +01:00