hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 10:15:14 +02:00
Code Issues Packages Projects Releases Wiki Activity
13,281 Commits 1,741 Branches 165 Tags
3f67e90374e8d07161037e6537ce621798fd174e
Commit Graph

3782 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
c4f61134f1 include the source of cryptographically random number in alert message 2020-06-10 13:32:46 +02:00
Erik Krogh Kristensen
7e8fd80327 use steps from InsecureRandomness, and use small-steps 2020-06-10 12:27:50 +02:00
Erik Krogh Kristensen
9029dbacf5 refactor isAdditionalTaintStep to a utility predicate in InsecureRandomness 2020-06-10 10:55:30 +02:00
Erik Krogh Kristensen
9189f23403 add support for secure-random 2020-06-10 10:39:02 +02:00
Erik Krogh Kristensen
16ec405724 add explanations about modulo by power of 2 2020-06-10 10:38:47 +02:00
Erik Krogh Kristensen
111f6d406c introduce query to detect biased random number generators 2020-06-10 10:00:10 +02:00
Erik Krogh Kristensen
733e04c1eb Move rest-pattern inside property-pattern step to a taint-step 2020-06-10 09:02:22 +02:00
Asger Feldthaus
a923a404ab JS: Explicitly handle export declarations in PackageExports 2020-06-09 18:28:15 +01:00
Asger Feldthaus
806c9a372e JS: Resolve package.json main module differently 2020-06-09 18:28:15 +01:00
Erik Krogh Kristensen
b8a9ac39f4 add lValueFlowStep for rest-pattern nested inside a property-pattern (and removed old incorrect approach) 2020-06-09 18:16:00 +02:00
Erik Krogh Kristensen
b6e0e6645f Merge pull request #3645 from erik-krogh/infExposure 
JS: add query to detect accidential leak of private files
 2020-06-09 17:38:31 +02:00
Erik Krogh Kristensen
b510e470b1 support rest-patterns inside property patterns 2020-06-09 13:28:56 +02:00
Erik Krogh Kristensen
b04d7015ae fix test 2020-06-09 11:23:46 +02:00
Asger Feldthaus
0345036420 JS: Fix 'match' call in StringOps::RegExpTest 2020-06-09 10:07:36 +01:00
Erik Krogh Kristensen
c2fbcea96f base the chaining on yargs on the methods that are NOT chained 2020-06-09 10:22:25 +02:00
Esben Sparre Andreasen
2d2468463b JS: initial version of IncompleteMultiCharacterSanitization.ql 2020-06-09 08:59:59 +02:00
Erik Krogh Kristensen
167239e745 add query to detect accidential leak of private files 2020-06-08 23:41:14 +02:00
Erik Krogh Kristensen
0f06f04e32 extend support for yargs for js/indirect-command-line-injection 2020-06-08 16:45:09 +02:00
semmle-qlci
ff6936caa7 Merge pull request #3625 from erik-krogh/CVE714 
Approved by asgerf
 2020-06-05 12:21:10 +01:00
semmle-qlci
69a1e11c06 Merge pull request #3609 from erik-krogh/CredFN 
Approved by asgerf, esbena
 2020-06-05 10:49:01 +01:00
Erik Krogh Kristensen
82cf53897f TypeOfCheck -> TypeOfUndefinedSanitizer 
Co-authored-by: Asger F <asgerf@github.com>
 2020-06-05 11:35:39 +02:00
Erik Krogh Kristensen
05d7be8e23 autoformat 2020-06-05 09:59:45 +02:00
Erik Krogh Kristensen
96ca4cf7eb add missing quote 2020-06-04 19:45:24 +00:00
Erik Krogh Kristensen
815671f5d0 add sanitizer guard for typeof undefined 2020-06-04 21:32:26 +02:00
Max Schaefer
9549b01e3c JavaScript: Turn on experimental language features for two tests. 
All other tests already pass with experimental features turned on, so once this is merged we can do so by default.
 2020-06-04 11:27:31 +01:00
semmle-qlci
70131e6ac8 Merge pull request #3598 from asger-semmle/js/regexp-test 
Approved by esbena
 2020-06-04 09:05:21 +01:00
Erik Krogh Kristensen
a90c8769ee update expected output 2020-06-03 15:24:04 +02:00
Erik Krogh Kristensen
7c26efbc12 case insensitive authorization header 2020-06-03 15:23:51 +02:00
Erik Krogh Kristensen
b508ad41c8 don't have a separate fetch module 2020-06-03 15:20:06 +02:00
Erik Krogh Kristensen
46cd0143d8 Update javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll 
Co-authored-by: Asger F <asgerf@github.com>
 2020-06-03 15:18:10 +02:00
Erik Krogh Kristensen
28a1900612 treat all writes to Authorization as a CredentialsExpr 2020-06-03 13:55:49 +02:00
Erik Krogh Kristensen
6466ab19a0 Update javascript/ql/src/semmle/javascript/frameworks/ClientRequests.qll 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2020-06-03 13:51:04 +02:00
Erik Krogh Kristensen
f8caec76ab move the Fetch module to ClientRequests 2020-06-03 13:37:34 +02:00
Erik Krogh Kristensen
aa463d8298 mention fetch instead of node-fetch 2020-06-03 13:33:43 +02:00
Erik Krogh Kristensen
1b53cd4bd9 update docstring of FetchAuthorization 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2020-06-03 13:31:16 +02:00
Erik Krogh Kristensen
a1940979ba support credentials in a Buffer 2020-06-03 12:02:00 +02:00
Erik Krogh Kristensen
ba44ebe8a8 better support for browser based fetch API 2020-06-03 11:51:24 +02:00
Erik Krogh Kristensen
3622fb8716 support more variants of the Headers API 2020-06-03 11:50:10 +02:00
Erik Krogh Kristensen
3c802007a3 add support for string concatenations and base64-encoding of hardcoded credentials 2020-06-02 23:15:13 +02:00
Erik Krogh Kristensen
b6dc94fccb add fetch.Headers.Authorization as a CredentialsExpr 2020-06-02 23:02:16 +02:00
Erik Krogh Kristensen
14f0d1687a factor fetch import into NodeJSLib 2020-06-02 22:45:47 +02:00
Asger Feldthaus
8342981799 JS: Make isCoercedToBoolean private 2020-06-02 17:16:55 +01:00
Asger Feldthaus
8a38633639 JS: Handle exec() == undefined 2020-06-02 16:52:07 +01:00
Asger Feldthaus
7d5384b723 JS: Autoformat 2020-06-02 16:38:40 +01:00
Asger Feldthaus
945db4d86c JS: Fix test output 2020-06-02 16:38:21 +01:00
Esben Sparre Andreasen
f9ed64fc45 Merge branch 'master' into js/membershiptest 2020-06-02 08:54:44 +02:00
semmle-qlci
7265e94028 Merge pull request #3578 from erik-krogh/HtmlGuard 
Approved by asgerf
 2020-06-01 13:25:02 +01:00
Asger Feldthaus
707b0f33a0 JS: Use in ContainsHTMLGuard 2020-06-01 12:06:40 +01:00
Asger Feldthaus
fa1a6eefa7 JS: Add StringOps::RegExpTest 2020-06-01 11:43:50 +01:00
semmle-qlci
14be4fedf7 Merge pull request #3594 from erik-krogh/CachedExprStringValue 
Approved by asgerf
 2020-05-30 16:56:40 +01:00