835 Commits

Author	SHA1	Message	Date
Erik Krogh Kristensen	51b56a9e28	add cwe 090 (ldap injection) and cwe 943 (Improper Neutralization of Special Elements in Data Query Logic) to SqlInjection.ql	2021-10-01 09:01:29 +02:00
Rasmus Wriedt Larsen	987b573709	Fix hasLocationInfo URL reference ... Follow up to https://github.com/github/codeql/pull/5830	2021-09-29 13:47:58 +02:00
Erik Krogh Kristensen	aafae24ef2	update qhelp	2021-09-28 23:11:02 +02:00
Erik Krogh Kristensen	99ed4a1a89	add a bad-tag-filter query for Python and JavaScript	2021-09-21 15:04:03 +02:00
Erik Krogh Kristensen	3f736d3eb8	Merge pull request #6694 from erik-krogh/owasp-fixes ... JS/Java: use the correct cwe tags	2021-09-15 13:46:35 +02:00
Erik Krogh Kristensen	b936a04826	add some fitting CWEs to existing queries	2021-09-14 14:59:24 +02:00
Erik Krogh Kristensen	6d12c4aab1	use the correct cwe tags	2021-09-14 14:42:23 +02:00
Erik Krogh Kristensen	5fe6671cc5	making it more explicit what character class matching is used for	2021-08-23 08:30:50 +02:00
Erik Krogh Kristensen	4cc2ac9d35	exclude char classes that match everything	2021-08-18 08:59:17 +00:00
Erik Krogh Kristensen	5d4c434d34	restrict char class matches to alpha-numeric chars	2021-08-17 15:10:30 +02:00
Erik Krogh Kristensen	59f0a41665	support more regular expressions in js/incomplete-multi-character-sanitization	2021-08-17 15:10:20 +02:00
Asger Feldthaus	cb0075f15a	JS: Remove use of deprecated API	2021-08-12 09:30:43 +02:00
Asger Feldthaus	f6da030572	JS: Migrate to *Query.qll convention	2021-08-12 09:30:18 +02:00
Erik Krogh Kristensen	87c0c60c22	don't report dummy authentication headers as hardcoded-crendentials	2021-08-02 22:56:14 +02:00
CodeQL CI	081fd28090	Merge pull request #6102 from RasmusWL/js-qhelp-fixup ... Approved by erik-krogh	2021-06-18 04:52:48 -07:00
Rasmus Wriedt Larsen	968a0921d4	JS: Fix secure example inclusion in InsecureDownload.qhelp	2021-06-18 12:12:06 +02:00
Calum Grant	771e686946	Update security-severity scores	2021-06-15 13:25:17 +01:00
Calum Grant	a594afb828	Add security-severity metadata	2021-06-10 20:11:08 +01:00
Erik Krogh Kristensen	1ad08677c2	model serve-handler in js/exposure-of-private-files	2021-06-08 09:52:56 +02:00
Ishaq Mohammed	96150a455d	Update javascript/ql/src/Security/CWE-352/MissingCsrfMiddleware.qhelp ... Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2021-06-01 13:47:43 +05:30
Ishaq Mohammed	975355de4a	Adding reference link for csurf	2021-06-01 13:41:25 +05:30
Erik Krogh Kristensen	646bf99489	rewrite the qhelp to focus more on documenting unsafe functions	2021-05-10 10:48:40 +02:00
Erik Krogh Kristensen	b53759c5a0	corrections after code review	2021-05-06 22:49:25 +02:00
Erik Krogh Kristensen	2d1ba59e6d	Apply suggestions from code review ... Co-authored-by: Esben Sparre Andreasen <esbena@github.com>	2021-05-06 21:55:30 +02:00
Erik Krogh Kristensen	7ef641e7b2	add qhelp	2021-05-06 11:05:02 +02:00
Erik Krogh Kristensen	e86a3b5e57	add js/html-constructed-from-input query	2021-05-06 11:04:49 +02:00
Chris Smowton	455b840712	Fix all dead qhelp links ... For those documents with no obvious new home I've pointed the links to the Internet Archive.	2021-04-23 15:20:21 +01:00
Erik Krogh Kristensen	172d6139e2	support all ClientRequests in js/disabling-certificate-validation	2021-04-12 15:06:10 +02:00
Erik Krogh Kristensen	3b6b40489f	Merge branch 'main' into topPack	2021-03-25 09:58:15 +01:00
Asger Feldthaus	f8f3770a58	JS: BadRandomness can just use type-tracking now	2021-03-23 14:53:14 +00:00
Erik Krogh Kristensen	d998d06b94	add link to source in alert-message for js/shell-command-constructed-from-input	2021-03-18 13:37:18 +01:00
Asger Feldthaus	96c6e4d8d8	JS: Update with new AdditionalTaintStep subclasses	2021-03-17 13:29:16 +00:00
Erik Krogh Kristensen	b039267b76	Apply suggestions from code review ... Co-authored-by: Asger F <asgerf@github.com>	2021-03-15 12:39:56 +01:00
Erik Krogh Kristensen	70b8cdee9b	add qhelp	2021-03-09 16:17:33 +01:00
Erik Krogh Kristensen	b30484dd69	behaviour preserving refactorization into modules	2021-03-09 16:17:29 +01:00
Erik Krogh Kristensen	caf1dbdc46	move TemplateObjectInjection out of experimental	2021-03-09 11:29:45 +01:00
Marcono1234	5a8ffa5a85	Use .inc.qhelp extension for included help files	2021-03-04 22:04:48 +01:00
Asger Feldthaus	d916118ea4	JS: Move ExceptionXss source into Xss.qll	2021-03-02 13:16:10 +00:00
Asger Feldthaus	7afa755597	JS: Add ajv error as source of ExceptionXss	2021-03-02 12:39:04 +00:00
Asger Feldthaus	24199a5499	JS: Add query for resource exhaustion from deep object handling	2021-03-02 12:39:04 +00:00
CodeQL CI	527c41520e	Merge pull request #4951 from esbena/js/reintroduce-server-crash ... Approved by erik-krogh	2021-01-22 06:37:50 -08:00
Esben Sparre Andreasen	3f3962f7a9	Update javascript/ql/src/Security/CWE-730/examples/server-crash.GOOD-B.js ... Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2021-01-22 14:03:21 +01:00
Esben Sparre Andreasen	718f6eb3fd	JS: update and prettify examples	2021-01-22 13:17:38 +01:00
Esben Sparre Andreasen	9e3cc3b1b2	JS: add qhelp and changenotes for js/server-crash	2021-01-21 08:43:13 +01:00
Esben Sparre Andreasen	3015dcd310	JS: reformulate js/server-crash. Support promises and shorter paths.	2021-01-19 09:08:52 +01:00
CodeQL CI	fc2fe6cccb	Merge pull request #4928 from esbena/js/rewrite-multi-sanitization ... Approved by asgerf	2021-01-18 05:11:42 -08:00
CodeQL CI	4229f556cb	Merge pull request #4751 from erik-krogh/logInjection ... Approved by asgerf, mchammer01	2021-01-14 00:32:46 -08:00
Esben Sparre Andreasen	12b985be87	Update javascript/ql/src/Security/CWE-730/ServerCrash.ql ... Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2021-01-13 14:49:29 +01:00
Erik Krogh Kristensen	c98dacf842	changes based on doc review	2021-01-13 10:38:19 +01:00
Esben Sparre Andreasen	d591c519a8	JS: reformulate js/server-crash as a path problem	2021-01-13 00:08:28 +01:00