2100 Commits

Author	SHA1	Message	Date
Paul Hodgkinson	c9af53f050	Merge branch 'main' into aegilops/polyfill-io-compromised-script	2024-07-12 12:53:44 +01:00
aegilops	d71be8aeaf	Moved from experimental into default queries	2024-07-11 11:44:01 +01:00
aegilops	86afd54a9b	Moved new query to 'experimental' ... Moved lists of domains to data extensions, including adding those to the overall qlpack.yml Expanded scope of new query to further domains operated by the untrusted owners of polyfill.io	2024-07-09 16:38:01 +01:00
aegilops	e2b37f97b0	Added dot to end of test message	2024-07-01 17:41:26 +01:00
aegilops	a1b0703690	Added detection for specific Polyfill.io CDN compromise - edited existing library and added new query and tests	2024-07-01 16:21:34 +01:00
aegilops	f22778960b	Fixed expected test results for Helmet query	2024-06-26 11:31:57 +01:00
Paul Hodgkinson	65dfd4c860	Merge branch 'main' into aegilops/js/insecure-helmet-middleware	2024-05-21 14:46:49 +01:00
aegilops	bda794fde7	Fixed wrong filenames in the InsecureHelmet tests	2024-05-21 14:34:58 +01:00
aegilops	8300aeb0a0	Tests for InsecureHelmet	2024-05-20 12:05:42 +01:00
Asger F	499c4df79b	Merge pull request #13554 from am0o0/amammad-js-bombs ... JS: Decompression Bombs	2024-05-16 13:25:41 +02:00
erik-krogh	39a8b49222	add qhelp recommendation that you can use an obvious placeholder value	2024-05-03 19:37:31 +02:00
erik-krogh	b209fc67cb	test the change to hardcoded-credentials	2024-05-03 19:34:18 +02:00
Asger F	a0b49b23f5	JS: Add UseServer and UseClient directives	2024-03-26 09:39:39 +01:00
erik-krogh	129286aa1c	allow more flow through .filter()	2024-03-13 12:03:00 +01:00
erik-krogh	bf22f4a870	update expected output	2024-02-22 13:21:11 +01:00
Asger F	75a95ffcd1	Merge pull request #15602 from asgerf/js/block-logical-and-flow ... JS: Fix flow through &&	2024-02-14 12:29:40 +01:00
Asger F	f5c437694c	Update UselessConditional.expected	2024-02-13 18:31:24 +01:00
erik-krogh	94b7bda3dc	exclude tagged template literals from js/superfluous-trailing-arguments	2024-02-06 09:36:30 +01:00
Sid Shankar	b1d7a635f5	Renames diagnostic query files and tests ... This commit renames the files relating to the diagnostic query that produces information on the number of files extracted. The files have been renamed from "SuccessfullExtractedFiles.*" to "ExtractedFiles.*". All related tests and test files have been renamed too. The `@tags` and `@id` attributes of the queries have been left untouched, consistent with the `@tags` and `@id` for similar queries in other languages.	2024-01-29 20:19:20 +00:00
erik-krogh	396da117bb	remove an FP in overly-large-range for [@-Z]	2024-01-25 14:15:06 +01:00
GitHub Security Lab	df10a7e7f0	Merge branch 'main' into amammad-js-bombs	2024-01-25 11:23:38 +01:00
Sid Shankar	2d71294f61	Merge pull request #15256 from sidshank/change/adjust-extracted-files-diagnostics ... Js/Py/Rb: Report any extracted file as successfully extracted	2024-01-17 11:04:06 -05:00
erik-krogh	1a8a70dc1b	mark the range [0-?] as good in the overly-large-range query	2024-01-17 13:11:57 +01:00
Sid Shankar	59098be8c4	Merge branch 'main' into change/adjust-extracted-files-diagnostics	2024-01-16 21:51:41 -05:00
Sid Shankar	e30a0d1e83	JS: Report any extracted file as successfully extracted	2024-01-08 22:19:33 +00:00
erik-krogh	a9f2b3fad6	promote PropsTaintStep to a PreCallGraphStep	2024-01-04 10:45:22 +01:00
Rafael	1a05c2e704	Added Django test	2023-11-29 08:26:49 +01:00
Max Schaefer	dfffa1e237	Apply suggestions from code review ... Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>	2023-11-21 10:07:11 +00:00
Max Schaefer	d147faba4e	Update qhelp for js/path-injection.	2023-11-20 11:58:00 +00:00
Rasmus Wriedt Larsen	43d9d2ceb7	Merge pull request #14603 from github/max-schaefer/broken-crypto-algorithm-link ... JavaScript/Python/Ruby: Improve alert message for `*/weak-cryptographic-algorithm`.	2023-11-08 14:29:24 +01:00
erik-krogh	688afddaf2	Re-order expected test output of all JS tests	2023-10-31 16:38:22 +01:00
Max Schaefer	104700f6d3	Address review comment.	2023-10-27 10:19:28 +01:00
Max Schaefer	741735cc83	Port changes to JavaScript.	2023-10-26 14:47:24 +01:00
Max Schaefer	2c7291336d	Move test files into right directory.	2023-10-26 12:16:52 +01:00
Max Schaefer	bb146a1758	JavaScript: Add support for rateLimit export from express-rate-limit package.	2023-10-26 12:14:57 +01:00
amammad	6f73e9c3ba	revert for in additional steps	2023-10-10 22:12:37 +02:00
amammad	aff6f00450	comments improvement,separate module file, fix tests	2023-10-07 12:02:39 +02:00
amammad	5a49f6bb9b	fix tests	2023-10-06 22:10:57 +02:00
Max Schaefer	e722e3288f	Merge pull request #13771 from github/max-schaefer/server-side-url-redirect-help ... JavaScript: Improve query help for `js/server-side-unvalidated-url-redirection`.	2023-09-13 13:20:48 +01:00
Max Schaefer	a9e81672f0	Make suggestion to replace example.com more explicit.	2023-09-12 16:54:05 +01:00
Max Schaefer	a02f373e79	Use better sanitiser.	2023-09-06 14:06:16 +01:00
Max Schaefer	87364137df	Use more sensible validator in example.	2023-08-21 15:14:01 +01:00
erik-krogh	0bce42410a	support arbitrary codepoints in NfaUtils.qll	2023-08-08 22:14:51 +02:00
erik-krogh	92db7b047c	escape unicode chars in the output for the ReDoS queries	2023-08-08 00:15:54 +02:00
Max Schaefer	7823ff968c	JavaScript: Improve query help for js/server-side-unvalidated-url-redirection.	2023-07-19 13:23:25 +01:00
Asger F	d57276ca35	Merge pull request #13719 from asgerf/js/barrier-inout ... JS: Replace barrier edges with barrier nodes	2023-07-13 16:36:52 +02:00
Asger F	944a2ca825	JS: Replace ClearTextLogging::isSanitizerEdge with a node	2023-07-11 14:20:17 +02:00
Asger F	27085b1fd0	JS: Fix whitespace	2023-07-10 12:07:13 +02:00
Asger F	fe90146a16	JS: Add test for path.join with spread argument	2023-07-10 12:07:07 +02:00
Asger F	06bc0f6957	JS: Add test for fs/promises	2023-07-10 12:05:03 +02:00