hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
71,144 Commits 1,671 Branches 157 Tags
15bc417a17b0c968408b45793cabd3446119119d
Commit Graph

2118 Commits

Author SHA1 Message Date
Tom Hvitved
d0ca39fb03 JS: Update expected test output 2024-10-04 08:35:33 +02:00
Sid Gawri
e8c68fff7f resolve id conflict with dom based xss test ql 2024-09-25 10:01:59 -04:00
Alvaro Muñoz
5d1da861a2 fix: Use YamlScalar for booleans 2024-09-06 23:21:41 +02:00
Alvaro Muñoz
d9e8792d33 [javascript] Query to detect GITHUB_TOKEN leaked in artifacts 2024-09-06 22:55:58 +02:00
Asger F
09aca6b47e Merge pull request #17212 from mbaluda/main 
Add support for importing NPM modules in XSJS sources
 2024-08-22 10:54:33 +02:00
Asger F
7a7ab457a9 JS: Delete unneeded test code (and shift line numbers) 2024-08-16 14:38:54 +02:00
Asger F
9ee7599aeb JS: Move AngularJSTemplateUrlSink to ClientSideUrlRedirection query 
This is not perfect but at least we can be consistent about keeping URLs-that-lead-to-xss in the same query
 2024-08-16 14:37:13 +02:00
Asger F
699d3a0a0a JS: Update a RegExp injection test 
RegExpInjection does not use client-side sources, but one of its tests was using postMessage events
as the taint source. Updating the test to use a different taint source.
 2024-08-16 14:20:34 +02:00
Mauro Baluda
be0a60a7f6 Add support for importing NPM modules in XSJS sources 2024-08-13 14:45:03 +02:00
Erik Krogh Kristensen
41506fbfef Merge pull request #14666 from am0o0/amammad-js-hardcodedJWTKey 
JS: Extends CredentialsNode class mostly related to JWT authentication packages
 2024-08-08 10:20:45 +02:00
am0o0
354fcbe7fe apply changes from @erik-krogh 2024-08-01 20:14:36 +02:00
Paul Hodgkinson
c9af53f050 Merge branch 'main' into aegilops/polyfill-io-compromised-script 2024-07-12 12:53:44 +01:00
aegilops
d71be8aeaf Moved from experimental into default queries 2024-07-11 11:44:01 +01:00
aegilops
86afd54a9b Moved new query to 'experimental' 
Moved lists of domains to data extensions, including adding those to the overall qlpack.yml

Expanded scope of new query to further domains operated by the untrusted owners of polyfill.io
 2024-07-09 16:38:01 +01:00
aegilops
e2b37f97b0 Added dot to end of test message 2024-07-01 17:41:26 +01:00
aegilops
a1b0703690 Added detection for specific Polyfill.io CDN compromise - edited existing library and added new query and tests 2024-07-01 16:21:34 +01:00
am0o0
b360c8adb8 Update hardcodedCredentials query file to only exclude 'jwt key' kind from with the isTestFile predicate. 
According to expected test results, with a new query, the jwt sinks of __test__/ dir have been exluded from query results.
 2024-07-01 15:00:08 +02:00
am0o0
5a1877547f update test cases of __tests__/ dir 
since we want to check if a jwt related sink is in this dir or not
 2024-07-01 14:50:07 +02:00
am0o0
6ecd8b7ee8 add new default cred kind 2024-07-01 14:42:34 +02:00
am0o0
65fdb8ccce move jose SharedTaintStep to a local taint step, add more additional steps with test cases, update test cases and expected test results 2024-07-01 11:38:17 +02:00
aegilops
f22778960b Fixed expected test results for Helmet query 2024-06-26 11:31:57 +01:00
am0o0
5a69bbf6b0 use isTestFile from ClassifyFiles module file instead previous where condition, update tests accordingly 2024-06-07 06:11:48 +02:00
am0o0
e4ffdb848e add tests for new where condition, update expected test results 2024-06-06 14:30:06 +02:00
am0o0
d77513579f update tests 2024-05-25 12:15:25 +02:00
Paul Hodgkinson
65dfd4c860 Merge branch 'main' into aegilops/js/insecure-helmet-middleware 2024-05-21 14:46:49 +01:00
aegilops
bda794fde7 Fixed wrong filenames in the InsecureHelmet tests 2024-05-21 14:34:58 +01:00
aegilops
8300aeb0a0 Tests for InsecureHelmet 2024-05-20 12:05:42 +01:00
Asger F
499c4df79b Merge pull request #13554 from am0o0/amammad-js-bombs 
JS: Decompression Bombs
 2024-05-16 13:25:41 +02:00
erik-krogh
39a8b49222 add qhelp recommendation that you can use an obvious placeholder value 2024-05-03 19:37:31 +02:00
erik-krogh
b209fc67cb test the change to hardcoded-credentials 2024-05-03 19:34:18 +02:00
Asger F
a0b49b23f5 JS: Add UseServer and UseClient directives 2024-03-26 09:39:39 +01:00
erik-krogh
129286aa1c allow more flow through .filter() 2024-03-13 12:03:00 +01:00
erik-krogh
bf22f4a870 update expected output 2024-02-22 13:21:11 +01:00
Asger F
75a95ffcd1 Merge pull request #15602 from asgerf/js/block-logical-and-flow 
JS: Fix flow through &&
 2024-02-14 12:29:40 +01:00
Asger F
f5c437694c Update UselessConditional.expected 2024-02-13 18:31:24 +01:00
erik-krogh
94b7bda3dc exclude tagged template literals from js/superfluous-trailing-arguments 2024-02-06 09:36:30 +01:00
Sid Shankar
b1d7a635f5 Renames diagnostic query files and tests 
This commit renames the files relating to the diagnostic query that produces information on the number of files extracted. The files have been renamed from "SuccessfullExtractedFiles.*" to "ExtractedFiles.*". All related tests and test files have been renamed too.

The `@tags` and `@id` attributes of the queries have been left untouched, consistent with the `@tags` and `@id` for similar queries in other languages.
 2024-01-29 20:19:20 +00:00
erik-krogh
396da117bb remove an FP in overly-large-range for [@-Z] 2024-01-25 14:15:06 +01:00
GitHub Security Lab
df10a7e7f0 Merge branch 'main' into amammad-js-bombs 2024-01-25 11:23:38 +01:00
Sid Shankar
2d71294f61 Merge pull request #15256 from sidshank/change/adjust-extracted-files-diagnostics 
Js/Py/Rb: Report any extracted file as successfully extracted
 2024-01-17 11:04:06 -05:00
erik-krogh
1a8a70dc1b mark the range [0-?] as good in the overly-large-range query 2024-01-17 13:11:57 +01:00
Sid Shankar
59098be8c4 Merge branch 'main' into change/adjust-extracted-files-diagnostics 2024-01-16 21:51:41 -05:00
Sid Shankar
e30a0d1e83 JS: Report any extracted file as successfully extracted 2024-01-08 22:19:33 +00:00
erik-krogh
a9f2b3fad6 promote PropsTaintStep to a PreCallGraphStep 2024-01-04 10:45:22 +01:00
Rafael
1a05c2e704 Added Django test 2023-11-29 08:26:49 +01:00
Max Schaefer
dfffa1e237 Apply suggestions from code review 
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
 2023-11-21 10:07:11 +00:00
Max Schaefer
d147faba4e Update qhelp for js/path-injection. 2023-11-20 11:58:00 +00:00
Rasmus Wriedt Larsen
43d9d2ceb7 Merge pull request #14603 from github/max-schaefer/broken-crypto-algorithm-link 
JavaScript/Python/Ruby: Improve alert message for `*/weak-cryptographic-algorithm`.
 2023-11-08 14:29:24 +01:00
erik-krogh
688afddaf2 Re-order expected test output of all JS tests 2023-10-31 16:38:22 +01:00
Max Schaefer
104700f6d3 Address review comment. 2023-10-27 10:19:28 +01:00