hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-31 15:22:57 +01:00
Code Issues Packages Projects Releases Wiki Activity
34,797 Commits 1,684 Branches 159 Tags
488a4ede949098d45ca9f2125728583791204510
Commit Graph

7391 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
8fcbaea273 Merge branch 'main' into labelNaming 2022-04-22 13:19:44 +02:00
Khang. Võ Vĩ
f4581ae866 fix PrototypePollutingAssignment examples 2022-04-22 11:55:45 +07:00
Tom Hvitved
bd09c61504 Merge pull request #8786 from hvitved/ruby/dataflow/argument-tokens 
Ruby: Implement `Argument[any]` and `Argument[n..]`
 2022-04-21 16:31:24 +02:00
Erik Krogh Kristensen
9927a82520 Merge pull request #8789 from erik-krogh/apiIpaBranches 
JS/PY: mention newtype constructors in API graph label classes
 2022-04-20 23:39:46 +02:00
Erik Krogh Kristensen
ff5b873557 Merge pull request #8773 from erik-krogh/exhaustion 
JS: promote `js/resource-exhaustion` out of experimental
 2022-04-20 19:33:42 +02:00
Erik Krogh Kristensen
ef51b46795 JS: mention newtype constructors in API graph label classes 2022-04-20 18:37:19 +02:00
Tom Hvitved
ea229d361c Sync files 2022-04-20 13:55:18 +02:00
Erik Krogh Kristensen
10130eef6d Merge pull request #8678 from erik-krogh/fileSource 
JS: Add files as a source for `js/xss-through-dom`
 2022-04-20 09:18:38 +02:00
Stephan Brandauer
2fb3147b7b Merge pull request #8430 from kaeluka/js/CVE-2022-24718 
JS: Add taint step for handlebars model
 2022-04-19 15:57:58 +01:00
Erik Krogh Kristensen
8669bbd948 update expected output of rate-limit query after test reorg 2022-04-19 14:27:24 +02:00
Erik Krogh Kristensen
6799232009 fix typo in qldoc 2022-04-19 11:09:27 +02:00
Erik Krogh Kristensen
4b6d8e6865 add missing qldoc 2022-04-19 10:56:58 +02:00
Erik Krogh Kristensen
8e5a7bcd76 add change-note 2022-04-19 10:53:48 +02:00
Erik Krogh Kristensen
2e5d435bea add CWE-400, and add a reference to DoS attacks 2022-04-14 18:37:50 +02:00
Jean Helie
d094bbc06d Merge pull request #8546 from github/jhelie/enforce-unknown-incompatibiliy-with-notasink 
ML: add defensive check to ensure Unknown endpoints cannot also be NotASink
 2022-04-14 11:21:18 +02:00
Erik Krogh Kristensen
4c97f68a3d remove postmessage events as source for js/resource-exhaustion 2022-04-13 23:14:42 +02:00
Erik Krogh Kristensen
51a0b6d501 remove client-side remote-flow from js/resource-exhaustion 2022-04-13 23:05:59 +02:00
Jean Helie
1e39a9caae ML: update regression test output following fix to getAnUnknown predicate 2022-04-13 18:14:16 +02:00
Jean Helie
f87cd164ce ML: add defensive check to ensure Unknown endpoints cannot also be NotASink 2022-04-13 18:14:16 +02:00
Jean Helie
f2b813a6e7 ML: add regression test for effective sink that is also NotASink 2022-04-13 18:14:16 +02:00
Jean Helie
407a8a7715 ML: fix ATM expected tests outputs 2022-04-13 14:02:12 +02:00
Erik Krogh Kristensen
41bdd8f4da minor fixes 2022-04-13 10:11:07 +02:00
Erik Krogh Kristensen
b13e7c055b move the sanitizer-guard to the Query.qll file 2022-04-13 09:58:33 +02:00
Erik Krogh Kristensen
96e4633dfe remove more code that did nothing 2022-04-13 09:57:32 +02:00
Erik Krogh Kristensen
a9595af01e update expected output 2022-04-13 09:43:21 +02:00
Erik Krogh Kristensen
d35604ed82 remove the length sanitizer from loop-bound-injection - it did nothing 2022-04-13 09:43:21 +02:00
Erik Krogh Kristensen
dd28157d0a add test of a length check 2022-04-13 09:43:21 +02:00
Erik Krogh Kristensen
8e47a9b242 add sanitizer step for .length in js/resource-exhaustion 2022-04-13 09:30:09 +02:00
Stephan Brandauer
fb66ccff39 handlebars taint step: conservatively assume unknown templates have no flow to helpers 2022-04-13 09:27:59 +02:00
Erik Krogh Kristensen
a2d2626c9c add security severity 2022-04-12 16:34:00 +02:00
Erik Krogh Kristensen
d64df30724 reintroduce the reverted qhelp 2022-04-12 16:33:06 +02:00
Erik Krogh Kristensen
ebf9ba7250 remove the type-overloaded new Buffer() as a sink 2022-04-12 16:29:58 +02:00
Erik Krogh Kristensen
e2b7f7d05d reintroduce the number sinks 2022-04-12 16:26:10 +02:00
Erik Krogh Kristensen
029459cc35 reorganize CWE-770 tests 2022-04-12 16:15:40 +02:00
Erik Krogh Kristensen
688b2b6898 use the Query.qll pattern 2022-04-12 15:52:52 +02:00
Erik Krogh Kristensen
8fb54c3f32 move js/resource-exhaustion out of experimental 2022-04-12 15:51:36 +02:00
CodeQL CI
a43f3a21a8 Merge pull request #8550 from erik-krogh/classJoin 
Approved by asgerf
 2022-04-12 09:23:58 +01:00
CodeQL CI
9c8dee2a4d Merge pull request #8687 from asgerf/js/missing-flow-fixes 
Approved by erik-krogh
 2022-04-11 14:08:15 +01:00
Edoardo Pirovano
f25618eed6 Bump minor version of all packs 2022-04-08 15:38:58 +01:00
Edoardo Pirovano
ce82c54b94 Merge branch 'main' into edoardo/3.5-mergeback 2022-04-08 15:30:58 +01:00
Asger Feldthaus
b85739cb7e JS: Update test output 2022-04-07 13:23:26 +02:00
Asger Feldthaus
81cf3d4574 JS: Use Class#getAnInstanceReference 2022-04-07 10:43:29 +02:00
Asger Feldthaus
2a67085d9d JS: Change note 2022-04-07 10:02:21 +02:00
Asger Feldthaus
4eda6f643f JS: Recognize subclasses of HTMLElement in domValueRef 2022-04-07 09:57:31 +02:00
Asger Feldthaus
cff8dc0537 JS: Improve flow through Array.prototype.reduce 2022-04-07 09:57:31 +02:00
Erik Krogh Kristensen
943af17d10 Merge pull request #8619 from erik-krogh/atmSteps 
JS-ML: fix isKnownStepSrc such that it recognizes taint-steps
 2022-04-06 12:56:53 +02:00
Erik Krogh Kristensen
0435cee57f add a taint-step through URL.createObjectURL for js/xss-through-dom 2022-04-06 12:18:47 +02:00
Erik Krogh Kristensen
b11d48e749 add files in the DOM as a source for js/xss-through-dom 2022-04-06 12:09:07 +02:00
Asger F
de169277cb Merge pull request #8576 from asgerf/js/decorated-method-or-class 
JS: Add decorator edges in API graphs and corresponding MaD tokens
 2022-04-04 12:49:28 +02:00
github-actions[bot]
6af568b16d Post-release preparation for codeql-cli-2.8.5 2022-04-01 16:22:14 +00:00