Commit Graph

26 Commits

Author SHA1 Message Date
Asger F
a1796bda8a JS: Accept some new alerts in HardcodedCredentials
I think these were just missing 'NOT OK' comments
2025-02-28 13:28:54 +01:00
Asger F
2bed3a40bf JS: Mark some missing alerts in HardcodedCredentials
Not sure why
2025-02-28 13:28:52 +01:00
Asger F
9ef5a97b4e JS: Accept alerts in HardcodedCredentials and add Sink tags
This query now uses the source as the primary alert location, and some old comments appeared at the sink.

To make the change easier to verify, this commit migrates the test to include Sink tags. (Source/Sink tags in general are added later)
2025-02-28 13:28:51 +01:00
Asger F
9be041e27d JS: Update OK-style comments to $-style 2025-02-28 13:27:28 +01:00
am0o0
65fdb8ccce move jose SharedTaintStep to a local taint step, add more additional steps with test cases, update test cases and expected test results 2024-07-01 11:38:17 +02:00
am0o0
d77513579f update tests 2024-05-25 12:15:25 +02:00
am0o0
4e365e242c fix conflict 2024-05-25 12:08:05 +02:00
am0o0
20c087ce39 update tests 2024-05-25 12:06:07 +02:00
am0o0
1860af075d fix conflict 2024-05-25 12:01:12 +02:00
amammad
e1d42fad2c move new secret key sinks to existing CredentialsNode class,
add new additional global taint and dataflow steps
update tests of CWE-798
add a new sanitizer for `semmle.javascript.security.dataflow.HardcodedCredentialsQuery`
2023-11-02 16:09:01 +01:00
erik-krogh
0a5ff1b79a recognize another kind of dummy passwords to fix an FP in hardcoded-credentials 2022-09-29 21:25:40 +02:00
Esben Sparre Andreasen
78744a0182 add additional tests 2022-02-16 09:44:56 +01:00
Esben Sparre Andreasen
e67c09f9ab change example passwords in test 2022-02-16 08:56:00 +01:00
Erik Krogh Kristensen
87c0c60c22 don't report dummy authentication headers as hardcoded-credentials 2021-08-02 22:56:14 +02:00
Erik Krogh Kristensen
5ecae55e77 add keys used by jsonwebtoken as CredentialsExpr 2020-11-10 10:41:39 +01:00
Erik Krogh Kristensen
d814e73023 update comment position to match alert location for CWE-798 2020-07-08 10:12:12 +02:00
Erik Krogh Kristensen
a1940979ba support credentials in a Buffer 2020-06-03 12:02:00 +02:00
Erik Krogh Kristensen
ba44ebe8a8 better support for browser based fetch API 2020-06-03 11:51:24 +02:00
Erik Krogh Kristensen
3622fb8716 support more variants of the Headers API 2020-06-03 11:50:10 +02:00
Erik Krogh Kristensen
3c802007a3 add support for string concatenations and base64-encoding of hardcoded credentials 2020-06-02 23:15:13 +02:00
Erik Krogh Kristensen
b6dc94fccb add fetch.Headers.Authorization as a CredentialsExpr 2020-06-02 23:02:16 +02:00
Esben Sparre Andreasen
a5645e168a JS: exclude keys from whitelist 2019-09-16 10:13:18 +02:00
Esben Sparre Andreasen
aa3f4a7048 JS: change passwords in tests 2019-09-16 10:09:59 +02:00
Asger F
378b0bfb74 JS: Do not treat the empty string as a credential 2019-07-30 17:29:12 +01:00
Asger F
3245142203 JS: Don't flag empty string as hardcoded username 2019-01-28 13:01:52 +00:00
Pavel Avgustinov
b55526aa58 QL code and tests for C#/C++/JavaScript. 2018-08-02 17:53:23 +01:00
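The commits above describe what the JavaScript hardcoded-credentials query (CWE-798) learned to follow over time: string concatenation and base64 encoding of a literal credential (3c802007a3), credentials wrapped in a Buffer (a1940979ba), the Authorization header of the fetch/Headers API as a credential sink (b6dc94fccb, ba44ebe8a8, 3622fb8716), and the empty string no longer counting as a credential (378b0bfb74). The following is an added example, written for this page and not taken from the CodeQL repository or its test directory: it shows the shape of code that those steps let the query connect from source to sink, next to a hardened form that takes the credential from the environment instead. The function names, the SERVICE_USER/SERVICE_PASSWORD variable names and the sample values ("admin", "hunter2") are constructed for the example.

```javascript
// Added example, not part of the CodeQL repository. Sample values are constructed.

// Vulnerable shape: a literal username and password (the sources) are
// concatenated, encoded with Buffer + base64, and placed in an Authorization
// header passed to fetch (the sink). Each hop is one of the steps the commits
// above taught the query to follow, so the alert lands on the literal.
function basicAuthHeaderHardcoded() {
  const user = "admin";        // hardcoded username (source)
  const password = "hunter2";  // hardcoded password (source)
  const token = Buffer.from(user + ":" + password).toString("base64");
  const headers = { Authorization: "Basic " + token }; // header init for fetch (sink)
  return headers.Authorization;
}

// Hardened shape: the credential is read at run time from the environment
// (or a secret manager behind it), so there is no string literal in the
// source for the query, or for anyone holding the bundle, to find. Empty
// values are rejected rather than silently sent, which is also why the query
// stopped treating "" as a credential: it is a misconfiguration, not a secret.
function basicAuthHeaderFromEnv(env = process.env) {
  const user = env.SERVICE_USER;          // assumed variable name
  const password = env.SERVICE_PASSWORD;  // assumed variable name
  if (!user || !password) {
    throw new Error("SERVICE_USER and SERVICE_PASSWORD must be set and non-empty");
  }
  const token = Buffer.from(`${user}:${password}`).toString("base64");
  return "Basic " + token;
}

// Decoding a Basic header back to "user:password" shows why base64 and Buffer
// had to become taint steps: they are encoding, not protection, and the
// literal is recoverable from the shipped artifact.
function decodeBasicAuth(headerValue) {
  const m = /^Basic (.+)$/.exec(headerValue);
  if (!m) return null;
  return Buffer.from(m[1], "base64").toString("utf8");
}
```

In a CodeQL test for this query the first function would carry a `$ Alert` marker (or, in the older style the 9be041e27d commit migrated away from, a `NOT OK` comment) on the literal, while the second would produce no alert because nothing flowing into the header originates from a string literal.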