hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-27 01:21:23 +02:00
Code Issues Packages Projects Releases Wiki Activity
76,795 Commits 1,761 Branches 168 Tags
4ddc425156403bd565b6d166330dc2de3e32bfe1
Commit Graph

10827 Commits

Author SHA1 Message Date
Napalys
fe28657c7d JS: add test cases with unknown flags for double escaping, works as expected. 2024-11-28 11:26:51 +01:00
Napalys
98fd97799c JS: imcomplete sanization now handles properly maybe global 2024-11-28 11:26:50 +01:00
Napalys
1ae174849f JS: incomplete sanitization now also works with RegExp objects 2024-11-28 11:26:48 +01:00
Napalys
76318035ff JS: Add test cases for RegExp object usage in replace within incomplete sanitization 2024-11-28 11:26:47 +01:00
Napalys
9c2366a660 JS: Added tests for ReDos with unknownFlags, everything seems to be good 2024-11-28 11:26:46 +01:00
Napalys
875478c1c6 JS: Fixed path query not flagging new RegExp with DotRemovingReplaceCall 2024-11-28 11:26:45 +01:00
Napalys
aa557cf950 JS: Added tests for DotRemovingReplaceCall with RegExp Object. 2024-11-28 11:26:44 +01:00
Napalys
a0df33c3ac JS: UnsafeShellCommand Using unknown flags in the RegExp object is no longer flagged as bad sanitization to reduce false positives. 2024-11-28 11:26:43 +01:00
Napalys
155f1fca85 JS: Added test cases for unsafe shell command sanitization with RegExpr Object, instead of literal 2024-11-28 11:26:42 +01:00
Napalys
23b18aeca9 JS: Now unknown flags are not flagged in taint paths 2024-11-28 11:26:41 +01:00
Napalys
eca7a88615 JS: Fixed docs description 2024-11-28 11:26:40 +01:00
Napalys
7db6f7c721 JS: Added test cases with new RegExp for Tainted paths, currently works only with literals 2024-11-28 11:26:39 +01:00
Napalys
faef9dd877 JS: protyte poluting now treats unknownFlags as potentially good sanitization. 2024-11-28 11:26:38 +01:00
Napalys
41fef0f2b3 JS: Added test cases which cover new RegExp creation with replace on protytpe pulluting 2024-11-28 11:26:37 +01:00
Napalys
18c7b18f82 JS: Now BadHtmlSanitizers new RegExp with unknown flags is also flagged. 2024-11-28 11:26:36 +01:00
Napalys
89f3b6f8d3 JS: Added test case for bad sanitizer with unknown flags, currently not flagged. 2024-11-28 11:26:35 +01:00
Napalys
38be0e4c0a JS: Now BadHtmlSanitizers also flags new RegExp as potential issue 2024-11-28 11:26:34 +01:00
Napalys
41f21d429b JS: Added test case which is not flagged but should be abusing new RegExp with global flag 2024-11-28 11:26:33 +01:00
Asger F
805fd0b46e JS: Refine speculative step definition 2024-11-26 15:56:56 +01:00
Asger F
8818fcc207 JS: Benign test output changes 2024-11-26 15:47:13 +01:00
Asger F
c94a01e6b6 JS: Remove reference to argsParseStep 
This was removed as part of the PR that introduced threat models.
 2024-11-26 15:36:47 +01:00
Asger F
bf62582f53 JS: Implement 'speculativeTaintStep' 
It is a mandatory part of the interface now; just providing a bare-bones implementation for rather than 'none()'
 2024-11-26 15:36:46 +01:00
Asger F
82d61e4194 Merge branch 'js/shared-dataflow-branch' into js/shared-dataflow-merge-main 2024-11-26 15:36:16 +01:00
Asger F
f073f3b791 JS: Rename file to foo.test.js 2024-11-26 13:44:00 +01:00
Asger F
65da9b41b5 JS: Add cross-file test in InsecureRandom 2024-11-26 13:43:24 +01:00
Josh Brown
52d7a3bb99 Merge remote-tracking branch 'origin/main' into jb1/isLibraryFile-nomagic 2024-11-26 03:43:07 -08:00
Asger F
b4bd8e701c JS: Add test for file classification change 2024-11-26 12:33:39 +01:00
Napalys Klicius
e9dff4d68f Merge pull request #17953 from Napalys/napalys/ts57 
JS: upgrade TypeScript to 5.7
 2024-11-25 14:16:40 +01:00
Napalys Klicius
d6372aebc7 Update javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2024-11-25 12:12:12 +01:00
Napalys
e38b63ebcd JS: previously js/case-sensitive-middleware-path was not taking into consideration unknown flags 2024-11-25 11:56:06 +01:00
Napalys
178da21fb8 JS: Added test case for CWE-178 RegExp with unknown flags 2024-11-25 11:53:00 +01:00
Napalys
f8d623e905 JS: Bumped TS version to 5.7.2 2024-11-25 09:08:51 +01:00
Dilan Bhalla
eb56cb94b0 metadata fixes 2024-11-22 14:29:43 -08:00
Dilan Bhalla
e3a04757d7 msft extractor queries 2024-11-22 14:11:02 -08:00
Josh Brown
e60df2c50e Merge branch 'main' into jb1/isLibraryFile-nomagic 2024-11-22 14:56:11 +11:00
Josh Brown
15f92fcda8 No magic isLibraryFile 2024-11-21 19:52:03 -08:00
Napalys Klicius
61e00861e5 Merge pull request #18008 from Napalys/napalys/ES2024-group-functions 
JS: Added support for [Object, Map].groupBy ES2024 feature
 2024-11-21 19:03:57 +01:00
Alex Eyers-Taylor
602f52f09b Fix broken changelog. 2024-11-21 16:57:41 +00:00
github-actions[bot]
f7448f5b43 Release preparation for version 2.19.4 2024-11-21 16:55:07 +00:00
Alex Eyers-Taylor
50ec400fe4 Revert "Merge pull request #18036 from github/release-prep/2.19.4" 
This reverts commit aa4cc72f30, reversing
changes made to e5951516b8.
 2024-11-21 15:41:08 +00:00
Alexander Eyers-Taylor
c0474c4e45 Revert "Revert "Post-release preparation for codeql-cli-2.19.4"" 2024-11-21 15:37:52 +00:00
Alexander Eyers-Taylor
4effe9e364 Revert "Post-release preparation for codeql-cli-2.19.4" 2024-11-21 14:43:15 +00:00
Napalys Klicius
7ee0a7b398 Update javascript/ql/lib/semmle/javascript/Collections.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2024-11-21 14:02:42 +01:00
Napalys Klicius
edb9b47111 Merge pull request #18047 from Napalys/napalys/ES2023-string-protytpe-toWellFormed 
JS: Added taint-step String.prototype.toWellFormed ES2023 feature
 2024-11-21 14:01:21 +01:00
Asger F
930a7b6e28 JS: Update output changes to nodes/edges/subpaths 2024-11-21 13:33:39 +01:00
Asger F
7a77432024 JS: Update lost result in insecure-download 
The VariableCapture library consumes one component of the access path limit, which means we lose this result
 2024-11-21 13:33:10 +01:00
Asger F
1ac7591faf JS: Update missed flow in capture-flow.js 
We previously caught this flow because of a heuristic in capture flow. We'll have to fix it properly later.
 2024-11-21 12:57:34 +01:00
Asger F
9dad2d62d7 JS: Update DataFlowConsistency 2024-11-21 12:54:11 +01:00
Asger F
ce00bd2cc9 JS: More docs 2024-11-21 11:06:43 +01:00
Asger F
4e62a512c5 JS: Only apply exception propagator when no other summary applies 
Previously a few Promise-related methods were special-cased, which is no longer needed.
 2024-11-21 11:01:05 +01:00