7544 Commits

Author	SHA1	Message	Date
Erik Krogh Kristensen	099d91ba6f	update qldoc	2022-03-22 10:27:21 +01:00
Harry Maclean	c2d4bc50c9	Add missing file doc comment	2022-03-22 11:10:09 +13:00
Harry Maclean	91a7e9405c	Share HttpToFileAccessQuery between JS and Ruby ... There's so little in this query that it may not be worth sharing, but it's an interesting exercise in figuring out how we do it nicely.	2022-03-22 11:10:08 +13:00
Harry Maclean	6c18e1d7ac	Merge pull request #8272 from hmac/hmac/tainted-format-string	2022-03-22 08:37:47 +13:00
github-actions[bot]	a3e74efc21	Post-release preparation for codeql-cli-2.8.4	2022-03-21 19:36:47 +00:00
Erik Krogh Kristensen	c8385a1e80	js/xss-through-dom: filter away reads of .src that end in a URL sink	2022-03-21 16:48:59 +01:00
github-actions[bot]	dedc8c2254	Release preparation for version 2.8.4	2022-03-21 13:25:49 +00:00
Alex Ford	c891c53835	Merge pull request #8395 from alexrford/ruby/clear-text-storage ... Ruby: add `rb/clear-text-storage-sensitive-data` query	2022-03-21 10:05:39 +00:00
CodeQL CI	b04c46f96d	Merge pull request #8478 from asgerf/js/store-load-flow-context-sensitivity-bug ... Approved by erik-krogh	2022-03-21 08:54:51 +00:00
Harry Maclean	0cfe37dff4	Share TaintedFormatString between Ruby and JS	2022-03-21 12:51:46 +13:00
Arthur Baars	bf888f0f0b	Merge remote-tracking branch 'upstream/main' into incomplete-url-string-sanitization ... Conflicts: config/identical-files.json javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll	2022-03-18 16:09:20 +01:00
Arthur Baars	4a27928728	Ruby/JS add missing ^ in qhelp	2022-03-18 14:00:10 +01:00
Arthur Baars	431b60506e	Merge remote-tracking branch 'upstream/main' into incomplete-hostname	2022-03-18 13:05:34 +01:00
Asger Feldthaus	26b7edccd4	JS: Change note	2022-03-18 11:59:36 +01:00
Erik Krogh Kristensen	693c77f3df	add test for string replacement chains of URL schemes	2022-03-18 11:05:59 +01:00
Asger F	929419abba	Merge pull request #8254 from asgerf/ruby/mad-prototype ... Ruby: initial prototype of models-as-data	2022-03-18 10:48:33 +01:00
Erik Krogh Kristensen	235aa9c24e	recognize string replacement chains as scheme checks in js/incomplete-url-scheme-check	2022-03-18 10:37:20 +01:00
Asger Feldthaus	8753632193	JS: Fix bug in reachableFromStoreBase	2022-03-17 17:30:46 +01:00
Asger Feldthaus	8c6ca6582e	JS: Add test showing missing flow	2022-03-17 17:30:46 +01:00
Rasmus Wriedt Larsen	2b9408b0c3	Concepts: Add some architecture documentation	2022-03-17 13:49:10 +01:00
Harry Maclean	36c421346b	Introduce ConceptsShared.qll	2022-03-17 13:49:10 +01:00
Erik Krogh Kristensen	879680057e	fix all ql/unused-field warnings	2022-03-17 09:41:42 +01:00
Erik Krogh Kristensen	aa8b7c8679	update reference to deprecated class name	2022-03-16 22:32:54 +01:00
Erik Krogh Kristensen	6cdc38748c	update expected output	2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen	d8a5947a08	simplify TaintedUrlSuffix::source() to only consider window.location based sources	2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen	b3de5d94a6	move PrefixStringSanitizer to the Query.qll file, and have it extend LabeledSanitizerGuardNode	2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen	562dce57e8	rename isXSSSink to isXssSink	2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen	f083e87fa1	refactor the js/xss query to use three flowlabels and one configuration	2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen	87842bb8b7	add client-side-url sinks that may execute JavaScript as XSS sinks	2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen	b471fec149	split interpretsArgumentsAsURL out of interpretsArgumentsAsHTML, and use it to generalize AttributeUrlSink	2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen	2576e1f655	add utility predicate to get client-side remote-flow-sources that contain a URL query/fragment	2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen	67e6a4c716	add a isXSSSink predicate to the client-side-url-redirection sinks	2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen	fc79242674	add tests	2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen	559f03ebbc	remove unnecessary module qualifier	2022-03-16 22:32:07 +01:00
Erik Krogh Kristensen	2d9d383c55	remove unused import	2022-03-16 22:32:07 +01:00
Asger Feldthaus	e1976da7f9	JS: Autoformat	2022-03-16 15:01:17 +01:00
Asger F	228570129e	Merge branch 'main' into ruby/mad-prototype	2022-03-16 13:50:31 +01:00
Asger Feldthaus	e168da4c5f	Shared: make a predicate private	2022-03-16 13:48:56 +01:00
Asger Feldthaus	e3fbaf5d8f	Shared: prefer exists(var) instead of var = any(string s)	2022-03-16 13:37:08 +01:00
Asger Feldthaus	102540072e	Shared: remove documentation prone to falling out of date	2022-03-16 13:32:55 +01:00
Arthur Baars	ab93b3784b	Merge remote-tracking branch 'upstream/main' into incomplete-hostname	2022-03-16 12:31:12 +01:00
Arthur Baars	852f05bfb7	Address comment	2022-03-16 12:26:39 +01:00
Asger Feldthaus	f140c13261	JS: Sync ApiGraphModels.qll and update accordingly	2022-03-16 12:04:41 +01:00
Asger Feldthaus	d8b4bc81ff	JS: Rename EntryPoint.getNode -> getANode	2022-03-16 12:04:39 +01:00
Erik Krogh Kristensen	f53df255b9	Merge pull request #8459 from erik-krogh/addSeverities ... JS: add missing @security-severity to JS queries	2022-03-16 12:03:19 +01:00
Erik Krogh Kristensen	cd9d61c1fc	Merge pull request #8450 from erik-krogh/importAs ... disallow lowercase import-as aliases	2022-03-16 11:32:37 +01:00
Asger Feldthaus	ecf7073bf1	Shared: codeql -> ql in code blocks	2022-03-16 11:00:24 +01:00
Erik Krogh Kristensen	2442beaf9a	add missing severities to JS queries	2022-03-16 10:40:34 +01:00
Erik Krogh Kristensen	b45f56ac08	Merge pull request #8431 from erik-krogh/deadCode ... Delete dead code	2022-03-15 20:09:06 +01:00
Anna Railton	a08246a2a7	Merge pull request #8448 from github/annarailton-patch-1 ... Add docstring to `ExtractEndpointMapping.ql`	2022-03-15 14:54:45 +00:00