hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
36,895 Commits 1,671 Branches 157 Tags
4f54bb66b807ee4b22f6be28cfbb71d21b901b10
Commit Graph

7544 Commits

Author SHA1 Message Date
Asger Feldthaus
22ba43fff6 JS: Minor fixup in the client-side request forgery qhelp 2022-02-23 10:54:26 +01:00
Erik Krogh Kristensen
203212657e recognize modules imported by AMD imports as library inputs 2022-02-23 10:39:45 +01:00
Stephan Brandauer
c17d8b145a Merge pull request #8054 from asgerf/js/split-request-forgery 
JS: split request forgery query into server-side and client-side variants
 2022-02-23 10:27:16 +01:00
Esben Sparre Andreasen
58e0d54744 Merge pull request #8168 from github/esbena/hapi-reflected-xss 
JS: model hapi handler returns as reflected-xss sinks
 2022-02-23 08:53:15 +01:00
Erik Krogh Kristensen
73f2e89f3e Merge pull request #8165 from erik-krogh/protoWrite 
JS: support more property writes in js/prototype-pollution-utility
 2022-02-22 21:30:22 +01:00
Erik Krogh Kristensen
b6b93065ff Merge pull request #8157 from erik-krogh/lodash-clone 
JS: add lodash.{clone, cloneDeep} as a clone step
 2022-02-22 18:12:10 +01:00
Erik Krogh Kristensen
c487bb73a7 Merge pull request #8143 from erik-krogh/pred-ql-style 
QL: add ql-for-ql query for detecting bad predicate qldoc
 2022-02-22 17:49:12 +01:00
Stephan Brandauer
6a9186cdef update ATM NosqlInjection and SqlInjection query docs 2022-02-22 16:56:18 +01:00
Esben Sparre Andreasen
2c527f7b35 model hapi handler returns as reflected-xss sinks 2022-02-22 14:12:01 +01:00
Erik Krogh Kristensen
517e17d422 support more property writes in js/prototype-pollution-utility, and generalize ObjectDefinePropertyAsPropWrite 2022-02-22 13:23:34 +01:00
Henry Mercer
4f7604f0dd Merge pull request #8151 from github/henrymercer/separate-atm-model-pack 2022-02-22 11:47:35 +00:00
Stephan Brandauer
2278e7f6e6 CWE 830 polish error messages 2022-02-22 11:41:54 +01:00
Stephan Brandauer
82330391c3 CWE-830 add support for setting attributes via setAttribute method 2022-02-22 11:41:54 +01:00
Stephan Brandauer
d80cd1aeb5 CWE 830 test where both branches in a ternary are unsafe 2022-02-22 11:41:53 +01:00
Stephan Brandauer
2934aa1a3a rewrite docs, improve error messages, etc 2022-02-22 11:41:53 +01:00
Stephan Brandauer
d2335b65d5 stylistic improvements after review 2022-02-22 11:41:53 +01:00
Stephan Brandauer
9aec4437e2 polish qhelp for CWE-830 and add test file 2022-02-22 11:41:53 +01:00
Stephan Brandauer
44d86569ac remove illegal chars from comments 2022-02-22 11:41:53 +01:00
Stephan Brandauer
fd77e27ed9 replace taint tracking by type tracking and merge remaining queries for CWE-830 2022-02-22 11:41:53 +01:00
Stephan Brandauer
8cafa6d562 improve error message in CWE-830 2022-02-22 11:41:53 +01:00
Stephan Brandauer
780fa97869 always require integrity checking for certain CDNs 2022-02-22 11:41:53 +01:00
Stephan Brandauer
83764df4f5 rename tests for CW-830 to clarify responsibilities 2022-02-22 11:41:52 +01:00
Stephan Brandauer
8d397fea09 JS: query to find dynamic creations of DOM elements that use untrusted sources 2022-02-22 11:41:52 +01:00
Stephan Brandauer
b35c70994f permit http urls to 127.0.0.1 and others 2022-02-22 11:41:52 +01:00
Stephan Brandauer
dd2b779a3c add CWE 830 link to references 2022-02-22 11:41:52 +01:00
Stephan Brandauer
b170422c22 add changenotes for functionality from untrusted source query 2022-02-22 11:41:52 +01:00
Stephan Brandauer
6722c17bb0 JS: Functionality from untrusted sources query (CWE-830) 2022-02-22 11:41:52 +01:00
Asger Feldthaus
1be47db2e6 JS: Factor out more JS-specific code 2022-02-22 09:51:56 +01:00
Asger Feldthaus
2d509eb345 JS: Make Impl.qll determine the location of AccessPathSyntax.qll 2022-02-22 09:51:52 +01:00
Asger Feldthaus
42a3d8c689 JS: Treat Member[x] as a language-specific token 
In Ruby it is ambiguous whether Member[foo] means x.foo or x::foo
 2022-02-22 09:51:52 +01:00
Asger Feldthaus
acf95d6178 JS: Move summary resolution into JS-specific code 2022-02-22 09:51:52 +01:00
Asger Feldthaus
ab1642dd3f JS: Rename {Shared,Impl} -> ApiGraphModels{,Specific} 2022-02-22 09:51:48 +01:00
Erik Krogh Kristensen
e8df6a14ca add lodash.{clone, cloneDeep} as a clone step 2022-02-21 22:27:29 +01:00
Henry Mercer
5a3daa9e3f JS: Add CWE tags for ML-powered queries 
- Cross-site scripting: CWE-79
- Path injection: CWE-22, CWE-23, CWE-36, CWE-73, CWE-99
- NoSQL injection: CWE-943
- SQL injection: CWE-89
 2022-02-21 16:18:33 +00:00
Henry Mercer
a89882c14e JS: Update lockfiles for ML-powered queries packs 2022-02-21 16:03:05 +00:00
Asger Feldthaus
8194c041cc JS: Merge sources to one class 2022-02-21 16:26:02 +01:00
Asger F
00ed72ed83 Apply suggestions from code review 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2022-02-21 16:24:50 +01:00
Henry Mercer
6fb9895367 JS: Separate the ML-powered queries model into its own pack 
This allows users to more easily get started with development. Running
`codeql pack install` from the `-queries` pack will now install the ML
model.
 2022-02-21 15:05:57 +00:00
Tom Bolton
0108642464 Merge pull request #8148 from github/tombolton/modify-counting-query 
Update counting query to match end-to-end results
 2022-02-21 15:02:43 +00:00
tombolton
e02319be9f add end to end predicate to result counting query 2022-02-21 14:35:58 +00:00
Erik Krogh Kristensen
cd4685c4c5 cache RegExpCreationNode::getAReference 2022-02-21 15:04:00 +01:00
Erik Krogh Kristensen
1407b49a8f fix some instances of ql/pred-doc-style for JS 2022-02-21 15:02:21 +01:00
Asger F
02c4966109 Merge pull request #7878 from asgerf/dot-separated-access-paths 
Shared: Switch to dot-separated access paths in summary specs
 2022-02-21 13:29:09 +01:00
Esben Sparre Andreasen
1d437dd722 Merge pull request #8043 from github/esbena/sharpen-hardcoded-credentials 
JS: Sharpen hardcoded credentials
 2022-02-21 10:02:58 +01:00
Erik Krogh Kristensen
5f9bd7a4a1 Merge pull request #7984 from erik-krogh/fix-ql-for-ql-js 
JS: fix most ql-for-ql warnings
 2022-02-21 09:15:06 +01:00
Asger Feldthaus
d7f07167ac Shared: Remove getLastToken again 2022-02-21 08:21:53 +01:00
Asger Feldthaus
2c2a82a070 Shared: allow spaces between arguments in a token 2022-02-21 08:21:53 +01:00
Asger Feldthaus
7fcbdbeada Shared: sync AccessPathSyntax.qll and FlowSummaryImpl.qll 2022-02-21 08:21:52 +01:00
Asger Feldthaus
2907d53e17 Shared: sync AccessPathSyntax.qll and FlowSummaryImpl.qll 2022-02-21 08:21:52 +01:00
Asger Feldthaus
c189df2341 Revert "JS: Add support for " of " syntax to help during transition" 
This reverts commit 9bf522b3048c3b11f7e6d734ed797a613614a095.
 2022-02-21 08:21:51 +01:00