codeql

mirror of https://github.com/github/codeql.git synced 2025-12-16 16:53:25 +01:00

Author	SHA1	Message	Date
Erik Krogh Kristensen	69365ccd03	remove false positive in missingSpaceInAppend by requring the presence of a word-like fragment	2019-09-26 12:59:05 +02:00
semmle-qlci	825a3d2917	Merge pull request #1954 from asger-semmle/type-tracking-through-captured-vars Approved by xiemaisi	2019-09-23 12:10:30 +01:00
semmle-qlci	e2c941c577	Merge pull request #1916 from erik-krogh/taintedLength Approved by asger-semmle, xiemaisi	2019-09-23 11:47:48 +01:00
Max Schaefer	149ae5d7ab	JavaScript: Fix IllegalInvocation. This fixes false positives that arise when a call such as `f.apply` can either be interpreted as a reflective invocation of `f`, or a normal call to method `apply` of `f`.	2019-09-23 07:44:14 +01:00
Asger F	1ce0a48996	JS: Update tests	2019-09-20 15:41:36 +01:00
semmle-qlci	6f2e485ace	Merge pull request #1950 from xiemaisi/js/rate-limiter-flexible Approved by esben-semmle	2019-09-19 12:45:45 +01:00
Max Schaefer	3970ead7ab	JavaScript: Add support for `rate-limiter-flexible` package.	2019-09-18 12:25:33 +01:00
Esben Sparre Andreasen	ac6554b7da	Merge branch 'master' into js/improve-getAResponseDataNode	2019-09-17 13:18:41 +02:00
Esben Sparre Andreasen	a5645e168a	JS: exclude keys from whitelist	2019-09-16 10:13:18 +02:00
Esben Sparre Andreasen	0e2d2f8662	JS: whitelist some hardcoded dummy-passwords in two queries	2019-09-16 10:11:43 +02:00
Esben Sparre Andreasen	aa3f4a7048	JS: change passwords in tests	2019-09-16 10:09:59 +02:00
Erik Krogh Kristensen	9dc9adda64	fix capitalization in test case Co-Authored-By: shati-patel <42641846+shati-patel@users.noreply.github.com>	2019-09-13 14:54:18 +01:00
Erik Krogh Kristensen	3fb64abb09	fix consistency and spelling in the documentation suggestions from the documentation team Co-Authored-By: shati-patel <42641846+shati-patel@users.noreply.github.com>	2019-09-13 14:52:11 +01:00
Erik Krogh Kristensen	c4f27ed4cc	rename TaintedLength to LoopBoundInjection	2019-09-13 11:12:01 +01:00
Erik Krogh Kristensen	5b2b60f132	change DOS to DoS, and other small documentation fixes Co-Authored-By: Max Schaefer <max@semmle.com>	2019-09-13 10:26:01 +01:00
Erik Krogh Kristensen	119b1ffb80	changes based on review from max	2019-09-12 16:30:42 +01:00
Erik Krogh Kristensen	3d359bc8dc	Merge remote-tracking branch 'upstream/master' into taintedLength	2019-09-12 15:24:36 +01:00
Erik Krogh Kristensen	30f1bcf5bc	updated query ID and expected output	2019-09-12 15:24:33 +01:00
semmle-qlci	72db219c13	Merge pull request #1910 from xiemaisi/js/unused-index-variable Approved by esben-semmle, shati-semmle	2019-09-11 14:33:32 +01:00
Max Schaefer	500cde68c3	JavaScript: Add new query `UnusedIndexVariable`.	2019-09-11 11:36:50 +01:00
Erik Krogh Kristensen	bec522f0df	small changes based on review feedback	2019-09-11 11:26:59 +01:00
semmle-qlci	16c95d8c5e	Merge pull request #1876 from esben-semmle/js/more-delimiter-stripping-whitelisting Approved by xiemaisi	2019-09-11 09:16:57 +01:00
Esben Sparre Andreasen	f3de75ae07	JS: update a js/code-injection test	2019-09-11 09:45:54 +02:00
Esben Sparre Andreasen	f7bfc472c1	JS: treat server responses as untrusted for command injections	2019-09-11 09:38:18 +02:00
Erik Krogh Kristensen	97fc10e669	Add query for detecting potential DOS form a tainted .length property	2019-09-10 14:59:48 +01:00
semmle-qlci	df1bf4a95b	Merge pull request #1907 from asger-semmle/mongoose-types Approved by xiemaisi	2019-09-10 12:05:57 +01:00
Max Schaefer	bdba647bf5	Merge pull request #1893 from erik-semmle/addXLinkHref JS: add xlink:href as xss target when using setAttribute	2019-09-09 15:56:47 +01:00
Asger F	ad5abc61cc	JS: Move typed test into separate test	2019-09-09 15:35:26 +01:00
Asger F	ea446f2aa1	JS: Use type info in mongodb/mongoose model	2019-09-09 15:35:26 +01:00
Asger F	8e397ad203	JS: Use type tracking in mongodb/mongoose model	2019-09-09 15:35:23 +01:00
semmle-qlci	e899250e87	Merge pull request #1894 from asger-semmle/fp-incorrect-suffix-check Approved by xiemaisi	2019-09-09 15:33:47 +01:00
semmle-qlci	89cba089b4	Merge pull request #1892 from asger-semmle/event-handler-sink Approved by esben-semmle	2019-09-09 15:33:21 +01:00
Asger F	61e1d793df	JS: Fixes in DeadStoreOfLocal	2019-09-09 10:51:21 +01:00
Asger F	5573279580	JS: regression test for DeadStoreOfLocal	2019-09-09 10:51:21 +01:00
Erik Krogh Kristensen	2729566bbf	add setAttributeNS('xlink', 'href',..) example in XSS test	2019-09-09 09:41:08 +01:00
Erik Krogh Kristensen	c780956f0d	add setAttributeNS method in the XSS test	2019-09-06 21:56:29 +01:00
Asger F	7007698de4	JS: Fix the FP	2019-09-06 15:39:40 +01:00
Asger F	ebd7875cae	JS: Add regression test	2019-09-06 15:38:55 +01:00
Erik Krogh Kristensen	ccdc821c5d	add xlink:href as xss target when using setAttribute	2019-09-06 14:43:47 +01:00
Asger F	f7654d6f1c	JS: Add test	2019-09-06 14:42:07 +01:00
Anders Schack-Mulligen	ca45fb5a60	JavaScript: Autoformat.	2019-09-06 09:04:51 +02:00
Esben Sparre Andreasen	a9665f53b8	JS: whitelist quote stripping for js/incomplete-sanitization	2019-09-05 09:47:49 +01:00
Asger F	5aa948cd17	JS: Add angular.merge sink to prototype pollution query	2019-09-04 16:14:51 +01:00
Asger F	89b91af6db	JS: Make getDocumentation handle chain assignments	2019-08-30 18:20:54 +01:00
Max Schaefer	b6220998d1	JavaScript: Restrict `setAttribute` sink to potentially dangerous attribute names.	2019-08-30 11:57:29 +01:00
Max Schaefer	78ce290de3	JavaScript: Fix `DomMethodCallExpr.interpretsArgumentsAsHTML`.	2019-08-28 11:22:03 +01:00
Pavel Avgustinov	cc854dd937	Merge branch 'master' of github.com:Semmle/ql into attribute	2019-08-23 09:55:35 +01:00
Asger F	45d4b83fc8	TS: Extract type args to tagged template exprs	2019-08-22 18:07:29 +01:00
Pavel Avgustinov	ca951f1669	Add jquery-datatables license to make it clear which option we choose	2019-08-17 16:31:18 +01:00
Asger F	5397da7579	JS: Handle implicit return in getImmediatePredecessor	2019-08-02 20:35:22 +01:00

1 2 3 4 5 ...

506 Commits