hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
14,540 Commits 1,672 Branches 157 Tags
656ff9c441861021e54b55f9299b3157d8f5163d
Commit Graph

4126 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
656ff9c441 autoformat 2020-08-11 15:40:30 +02:00
Erik Krogh Kristensen
dc5167bbe7 autoformat 2020-08-10 11:52:45 +00:00
Erik Krogh Kristensen
85de5aa16b add deprecated modifier 
Co-authored-by: Asger F <asgerf@github.com>
 2020-08-10 10:51:21 +02:00
Erik Krogh Kristensen
410b696562 add deprecated aliases getId() forwarding to getIdentifier() 2020-08-10 09:11:38 +02:00
Erik Krogh Kristensen
f1dc36244c update tests and queries that used getId() 2020-08-05 14:32:09 +00:00
Erik Krogh Kristensen
0867c5567e rename getId() to getIdentifier() 2020-08-04 13:22:19 +02:00
CodeQL CI
8855ab8c8c Merge pull request #3835 from Raz0r/js/xss-protocol-sinks 
Approved by erik-krogh
 2020-08-03 15:40:05 +01:00
CodeQL CI
a4f8b19ae4 Merge pull request #3876 from erik-krogh/CWE078-Correctness 
Approved by esbena
 2020-08-03 15:38:51 +01:00
CodeQL CI
c8e5db189a Merge pull request #3913 from erik-krogh/topmost 
Approved by asgerf
 2020-08-03 13:18:22 +01:00
Erik Krogh Kristensen
f5cc14f980 fix typo 2020-08-03 13:49:21 +02:00
CodeQL CI
0bbdc70cdb Merge pull request #3864 from erik-krogh/exprString 
Approved by asgerf, esbena
 2020-08-03 09:25:17 +01:00
Arthur Baars
7e72ef350e Merge pull request #3975 from aibaars/lgtm-suites 
CodeQL: complete LGTM suites
 2020-07-30 18:39:01 +02:00
Arthur Baars
5bad003c0c Add qlpack.yml files for example queries 2020-07-29 16:57:04 +02:00
Arthur Baars
c4041e55ba CodeQL: complete LGTM suites 2020-07-28 20:40:44 +02:00
Max Schaefer
91762ec274 JavaScript: Add partial model for opener. 
3.5M weekly downloads.

Note that we do not treat the first argument as a command-injection sink. While it is possible to inject commands that way, it is more likely to cause false positives where the user input is concatenated with some prefix that makes the opening heuristic decide to treat it as a URL.
 2020-07-27 11:42:32 +01:00
Max Schaefer
9aa26fa4bc JavaScript: Add model for foreground-child. 
>1M weekly downloads, so seems worth doing.
 2020-07-27 11:37:06 +01:00
Max Schaefer
2f842042ea JavaScript: Model another execa function relevant for command injection. 2020-07-27 11:34:04 +01:00
semmle-qlci
e167b87150 Merge pull request #3932 from max-schaefer/portals-additions 
Approved by esbena
 2020-07-09 11:43:45 +01:00
Max Schaefer
7a1410e0d5 JavaScript: Update and expand tests. 2020-07-09 09:25:52 +01:00
Max Schaefer
1c47260bde JavaScript: Add support for global variables to portals. 2020-07-09 09:12:56 +01:00
Max Schaefer
c40ef0556a JavaScript: Broaden scope of imports considered relevant to portals. 
Previously, we only considered an import relevant to portals if the path it imported was declared as a dependency. This falls down for deep imports where a specific module inside the package is imported rather than the default entry point, for imports of built-in modules like `fs`, and in cases where a developer simply forgets to declare a dependency.

So instead we now consider all imports relevant whose path does not start with a dot or a slash.
 2020-07-09 09:09:44 +01:00
Max Schaefer
8b4b5781e6 JavaScript: Add utility predicate getBasePortal(i). 
This iterates the existing `getBasePortal()` predicate `i` times.
 2020-07-09 09:08:18 +01:00
Erik Krogh Kristensen
022cafebd3 make sure the consisntecy-checking library does not mix configurations 2020-07-08 10:28:41 +02:00
Erik Krogh Kristensen
ec38df69b3 update consistency comments for CWE-918 2020-07-08 10:24:55 +02:00
Erik Krogh Kristensen
c5285f7418 update inconsistency comment for CWE-843 2020-07-08 10:16:43 +02:00
Erik Krogh Kristensen
45b6906a0d move comments to match alert location for CWE-834 2020-07-08 10:16:04 +02:00
Erik Krogh Kristensen
71a3d49d2b update comments to match alert location for CWE-807 2020-07-08 10:15:26 +02:00
Erik Krogh Kristensen
d814e73023 update comment position to match alert location for CWE-798 2020-07-08 10:12:12 +02:00
Erik Krogh Kristensen
bcffc97de7 update comment position to match alert location for CWE-776 2020-07-08 10:10:31 +02:00
Erik Krogh Kristensen
2235634347 update consistency comments for CWE-754 2020-07-08 10:08:51 +02:00
Erik Krogh Kristensen
0d64a0f2c8 update consistency comment for CWE-730 2020-07-08 10:07:34 +02:00
Erik Krogh Kristensen
5a87628478 update consistency comments for CWE-611 2020-07-08 10:03:03 +02:00
Erik Krogh Kristensen
1f1c09af02 update consistency comments for CWE-601 2020-07-08 10:02:29 +02:00
Erik Krogh Kristensen
ce6a211340 update inconsistency comment for CWE-506 2020-07-08 10:01:40 +02:00
Erik Krogh Kristensen
bf36137834 update inconsistency comment for CWE-346 2020-07-08 10:01:04 +02:00
Erik Krogh Kristensen
16b0427dc4 update inconsistency comment for CWE-338 2020-07-08 10:00:19 +02:00
Erik Krogh Kristensen
9bcbedde46 update consistency comment in passwords.js 2020-07-08 09:55:00 +02:00
Erik Krogh Kristensen
664c5e64b4 add [INCONSISTENCY] comment in CodeInjection test 2020-07-08 09:48:12 +02:00
Erik Krogh Kristensen
00e900f1b1 only include named topmost package.json files for js/shell-command-constructed-from-input 2020-07-08 09:25:08 +02:00
Raz0r
3487ec17d0 add tests 2020-07-07 16:26:14 +03:00
Erik Krogh Kristensen
d85d9b9b5b autoformat 2020-07-07 16:21:03 +03:00
Arseny Reutov
b46b49586a Apply suggestions from code review 
`interpretsValueAsJavaScript` -> `interpretsValueAsJavaScriptUrl`

Co-authored-by: Asger F <asgerf@github.com>
 2020-07-07 16:21:03 +03:00
Raz0r
54db6c4a39 [js/client-side-unvalidated-url-redirection] add interpretsValueAsJavaScript predicate 2020-07-07 16:21:03 +03:00
Anders Schack-Mulligen
67db1df00c C++/C#/JavaScript/Python: Port Location qldoc update. 2020-07-07 11:39:27 +02:00
Erik Krogh Kristensen
442ee8d1cc add consistency-checking for CWE-089 2020-07-06 19:02:50 +02:00
semmle-qlci
fe0c5a9ea6 Merge pull request #3892 from asger-semmle/js/redirect-starts-with-sanitizer 
Approved by esbena
 2020-07-06 17:04:30 +01:00
semmle-qlci
6d80445f24 Merge pull request #3851 from erik-krogh/queryStuff 
Approved by esbena
 2020-07-06 14:40:41 +01:00
Erik Krogh Kristensen
9a944625d1 autoformat 2020-07-06 15:17:15 +02:00
Erik Krogh Kristensen
2a8b37e004 update consistency comments in unsafe-jquery-plugin.js 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2020-07-06 14:15:23 +02:00
Erik Krogh Kristensen
c986f3bb7c add consistency checking for CWE-079 2020-07-06 13:42:35 +02:00