Napalys Klicius
|
fa47174013
|
CWE-020: Lower security-severity for OverlyLargeRange queries to 4.0
|
2025-10-22 11:32:33 +00:00 |
|
Owen Mansel-Chan
|
cf614a596d
|
Fix cwe tags to include leading zero
|
2025-04-30 16:43:03 +01:00 |
|
erik-krogh
|
2f1bd75ee9
|
remove redundant cast
|
2025-01-21 09:51:14 +01:00 |
|
erik-krogh
|
17afab7d0f
|
support that two indexOf() calls use the same string-concatenation in getAnEquivalentIndexOfCall()
|
2025-01-21 09:43:57 +01:00 |
|
erik-krogh
|
d5529e3a7e
|
ensure an indexOf call is equivalent with itself. (getAUse() is used later to find matching indexOf calls)
|
2025-01-21 09:42:30 +01:00 |
|
Asger F
|
d52bc971b8
|
Merge branch 'main' into js/shared-dataflow-merge-main
|
2024-11-20 14:05:03 +01:00 |
|
Napalys Klicius
|
5e8b1b061f
|
Update javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
|
2024-11-05 10:29:22 +01:00 |
|
Napalys
|
ccee34d6d3
|
Added support for matchAll in CWE-020 including new test cases
|
2024-11-05 08:51:24 +01:00 |
|
Asger F
|
c408ab9e6a
|
Merge branch 'main' into js/shared-dataflow
|
2024-05-02 19:43:34 +02:00 |
|
erik-krogh
|
baa31e1469
|
delete outdated deprecations
|
2024-04-25 22:19:28 +02:00 |
|
Asger F
|
8e95a90d03
|
JS: Port UntrustedDataToExternalAPI
|
2023-10-13 13:15:04 +02:00 |
|
Kasper Svendsen
|
67950c8e6b
|
JS: Make implicit this receivers explicit
|
2023-05-03 15:31:00 +02:00 |
|
Anders Schack-Mulligen
|
8d97fe9ed3
|
JavaScript: Autoformat
|
2023-03-10 09:41:20 +01:00 |
|
Erik Krogh Kristensen
|
cedc9c0bff
|
Merge pull request #11582 from erik-krogh/heuristics
JS: Add experimental variants of common security queries with more sources
|
2023-01-04 10:46:19 +01:00 |
|
erik-krogh
|
442749bb7f
|
JS: add heuristic variants of queries that use RemoteFlowSource
|
2022-12-19 12:01:22 +01:00 |
|
erik-krogh
|
35e8d6afd4
|
move getACommonTld into a utility module without parameters
|
2022-12-18 17:23:45 +01:00 |
|
erik-krogh
|
26c5480ee6
|
share {js,rb}/regex/missing-regexp-anchor
|
2022-12-18 17:23:41 +01:00 |
|
erik-krogh
|
355499ea52
|
move getACommonTld to the shared pack
|
2022-12-17 17:26:18 +01:00 |
|
erik-krogh
|
f67d0bc8c0
|
put the shared HostnameRegexp code in the shared regex pack
|
2022-12-17 17:26:18 +01:00 |
|
erik-krogh
|
6b5cd9abc3
|
use RegExpTreeView insteaed of RegexTreeView in JS
|
2022-11-22 12:55:48 +01:00 |
|
erik-krogh
|
e18ceba49e
|
port the JS regex/redos queries to use the shared pack
|
2022-11-15 17:14:38 +01:00 |
|
Erik Krogh Kristensen
|
0adb588fe8
|
Merge pull request #9712 from erik-krogh/badRange
JS/RB/PY/Java: add suspicious range query
|
2022-08-15 13:55:44 +02:00 |
|
Erik Krogh Kristensen
|
0abbd50ca1
|
apply changes based on docs review
|
2022-08-09 13:51:40 +02:00 |
|
Erik Krogh Kristensen
|
a4262f8d91
|
add some more references to the overly-large-range qhelp
|
2022-07-13 11:20:24 +02:00 |
|
Erik Krogh Kristensen
|
a49d34cf0f
|
Merge branch 'main' into missDocParam
|
2022-07-13 09:58:04 +02:00 |
|
Erik Krogh Kristensen
|
220ff3cb2e
|
convert tabs to spaces in qhelp
|
2022-07-12 16:02:50 +02:00 |
|
Erik Krogh Kristensen
|
ff25451699
|
rename query to overly-large-range, and rewrite the @description
|
2022-07-12 16:02:46 +02:00 |
|
Erik Krogh Kristensen
|
a343ceaf8b
|
add suspicious-regexp-range query
|
2022-06-28 09:49:27 +02:00 |
|
Erik Krogh Kristensen
|
ed907f6f63
|
add CWE-940 to js/missing-origin-check
|
2022-05-25 14:15:48 +02:00 |
|
Erik Krogh Kristensen
|
d58fe8e193
|
add explicit this
|
2022-05-24 10:59:13 +02:00 |
|
Erik Krogh Kristensen
|
58db9226dc
|
add missing word in qhelp
|
2022-05-05 14:24:45 +02:00 |
|
Erik Krogh Kristensen
|
2d7c7ff372
|
apply suggestions from doc review
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
|
2022-05-05 13:03:35 +02:00 |
|
Erik Krogh Kristensen
|
0a26e891a2
|
include startsWith/endsWith checks in js/missing-origin-check
|
2022-04-25 15:28:50 +02:00 |
|
Erik Krogh Kristensen
|
fe3d71ebc2
|
fix qhelp: the window, not the origin, is sending the message
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
|
2022-04-25 14:07:01 +02:00 |
|
Erik Krogh Kristensen
|
bca4d14129
|
rename files
|
2022-04-12 14:37:43 +02:00 |
|
Erik Krogh Kristensen
|
591fcda862
|
various improvements to the js/missing-origin-verification query
|
2022-04-12 14:20:41 +02:00 |
|
Erik Krogh Kristensen
|
18532bae54
|
move js/missing-postmessageorigin-verification out of experimental
|
2022-04-12 10:39:27 +02:00 |
|
Arthur Baars
|
15c54f6100
|
Merge pull request #8354 from aibaars/incomplete-url-string-sanitization
Incomplete url string sanitization
|
2022-03-31 10:59:51 +02:00 |
|
Erik Krogh Kristensen
|
cf94c93b1a
|
Merge pull request #8481 from erik-krogh/schemeChain
JS: recognize string replacement chains as scheme checks in js/incomplete-url-scheme-check
|
2022-03-25 11:13:10 +01:00 |
|
Arthur Baars
|
bf888f0f0b
|
Merge remote-tracking branch 'upstream/main' into incomplete-url-string-sanitization
Conflicts:
config/identical-files.json
javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll
ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll
|
2022-03-18 16:09:20 +01:00 |
|
Arthur Baars
|
4a27928728
|
Ruby/JS add missing ^ in qhelp
|
2022-03-18 14:00:10 +01:00 |
|
Erik Krogh Kristensen
|
235aa9c24e
|
recognize string replacement chains as scheme checks in js/incomplete-url-scheme-check
|
2022-03-18 10:37:20 +01:00 |
|
Erik Krogh Kristensen
|
efba220b45
|
JS: fix most ql/missing-parameter-qldoc issues
|
2022-03-16 22:56:52 +01:00 |
|
Arthur Baars
|
ab93b3784b
|
Merge remote-tracking branch 'upstream/main' into incomplete-hostname
|
2022-03-16 12:31:12 +01:00 |
|
Arthur Baars
|
cf4b834536
|
Address comments
|
2022-03-11 14:25:34 +01:00 |
|
Erik Krogh Kristensen
|
69353bb014
|
patch upper-case acronyms to be PascalCase
|
2022-03-11 11:10:33 +01:00 |
|
Arthur Baars
|
747c7f6b5e
|
JS/Ruby: share implementation of IncompleteUrlSubstringSanitization query
|
2022-03-09 12:11:14 +01:00 |
|
Erik Krogh Kristensen
|
4734f1916e
|
Merge pull request #7598 from erik-krogh/fieldOnlyUsedInCharPred
QL: field only used in charPred
|
2022-03-08 11:25:57 +01:00 |
|
Arthur Baars
|
98f56f4d60
|
Js/Ruby: Share IncompleteHostnameRegExp.ql
|
2022-03-07 16:10:08 +01:00 |
|
Arthur Baars
|
9e8930c192
|
Ruby: IncompleteHostnameRegExp.ql
|
2022-03-07 16:10:08 +01:00 |
|