Max Schaefer
6fbaa7a5ea
JavaScript: Make File not extend Locatable anymore.
Files have strange `:0:0:0:0` locations for... reasons. This makes the predicates inherited from `Locatable` meaningless. A particularly bad case is `getNumLines()`, which will always return one. The right predicate to use is, of course, `getNumberOfLines()`, which is defined in `File` itself.
2019-11-22 11:57:06 +00:00
Esben Sparre Andreasen
03c83c9c9d
JS: model React's getDerivedStateFromError
2019-11-21 13:18:43 +01:00
semmle-qlci
77c869f528
Merge pull request #2220 from erik-krogh/processEnvTaint
Approved by esbena, max-schaefer
2019-11-20 13:16:43 +00:00
Erik Krogh Kristensen
0a428a8f44
typo
Co-Authored-By: Esben Sparre Andreasen <esbena@github.com>
2019-11-19 13:05:13 +01:00
Erik Krogh Kristensen
8ff515a58d
address review feedback on MaskingReplacer
2019-11-16 15:20:42 +01:00
Erik Krogh Kristensen
4ec2070e48
remove property reads on process.env as a taint step, and add a barrier for masking replace calls
2019-11-16 15:20:42 +01:00
Erik Krogh Kristensen
052a331395
rename ProcessEnvLabel to PartiallySensitiveMap
2019-11-16 15:20:42 +01:00
Erik Krogh Kristensen
2bd48db8cd
refactor isSanitizerEdge in clear-text-logging
2019-11-16 15:20:42 +01:00
Erik Krogh Kristensen
92dc759cf9
remove type cast, and fix expected test results
2019-11-16 15:20:42 +01:00
Erik Krogh Kristensen
850278c62f
some changes based on review. And change to only flag unknown reads of process.env
2019-11-16 15:20:42 +01:00
Erik Krogh Kristensen
68c30aaef3
add flowlabels to js/clear-text-logging
2019-11-16 15:20:42 +01:00
Erik Krogh Kristensen
14e4decffa
changes based on review feedback. No flow-labels yet
2019-11-16 15:20:42 +01:00
Erik Krogh Kristensen
1766f6a6d8
simplify global var "process"
Co-Authored-By: Esben Sparre Andreasen <esbena@github.com>
2019-11-16 15:20:41 +01:00
Erik Krogh Kristensen
297c71a64b
add process.env as source for js/clear-text-logging
2019-11-16 15:20:41 +01:00
Erik Krogh Kristensen
b12e255fd8
add indirect calls to logging methods as logging methods
2019-11-16 15:20:41 +01:00
Erik Krogh Kristensen
ddd217628f
Merge pull request #2347 from esbena/js/fix-mjs-check
JS: fix the check for an "mjs" extension on an extensionless file
2019-11-15 17:39:10 +01:00
Esben Sparre Andreasen
8e8215893f
JS: fix mjs check for extensionless files
2019-11-15 14:38:27 +01:00
Erik Krogh Kristensen
f813e06680
Merge pull request #2345 from Semmle/esbena-patch-3
Update FlowSteps.qll
2019-11-15 14:04:14 +01:00
semmle-qlci
2f63b89941
Merge pull request #2338 from esbena/js/model-get-them-args
Approved by max-schaefer
2019-11-15 11:50:45 +00:00
Esben Sparre Andreasen
a3deb7d4e0
Update FlowSteps.qll
2019-11-15 12:44:04 +01:00
Esben Sparre Andreasen
c3fdfdecab
JS: rename DefaultParsedCommandLineArgumentsAsSource
2019-11-15 10:40:15 +01:00
Asger F
607aed37ee
Update javascript/ql/src/semmle/javascript/Expr.qll
Co-Authored-By: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
2019-11-15 09:27:21 +00:00
Asger F
2242df920f
JS: More qldoc
2019-11-15 09:27:20 +00:00
Asger F
dc6c15cbb9
Update javascript/ql/src/semmle/javascript/Regexp.qll
Co-Authored-By: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
2019-11-15 09:27:20 +00:00
Asger F
dd9274e42c
JS: Docs regarding regexp terms in string literals
2019-11-15 09:27:20 +00:00
Asger F
20fb7717d8
JS: Use type inference to refine regexp string tracking
2019-11-15 09:27:20 +00:00
Asger F
8bc89ee254
JS: Update semi-anchored regex query
2019-11-15 09:27:19 +00:00
Asger F
c21d095d38
JS: Restrict RegExp queries to actual regular expressions
2019-11-15 09:27:19 +00:00
Asger F
b6c1c174a9
JS: Deabstractify RegExpTerm classes
2019-11-15 09:27:19 +00:00
Asger F
e0bdc777b9
JS: Make ReDoS check string-based regexes
2019-11-15 09:27:19 +00:00
Asger F
57de6382cd
JS: Update QL API
2019-11-15 09:27:19 +00:00
Esben Sparre Andreasen
8e6a19b3d3
JS: add DefaultParsedCommandLineArgumentsAsSource
2019-11-15 08:42:02 +01:00
Esben Sparre Andreasen
cc768345d0
JS: add security tests for malicious torrents
2019-11-14 13:54:19 +01:00
Esben Sparre Andreasen
bea59ec8ad
JS: add some parsed torrent properties as remote flow sources
2019-11-14 13:54:19 +01:00
Erik Krogh Kristensen
538690eee6
remove duplicate reflectiveCallNode method, and remove redundant getExpr() method
2019-11-13 15:53:21 +01:00
semmle-qlci
b11a7427c2
Merge pull request #2270 from erik-krogh/reflectiveExpr
Approved by max-schaefer
2019-11-13 13:08:40 +00:00
semmle-qlci
6c9f92666e
Merge pull request #2285 from asger-semmle/dataflow-syntax-examples
Approved by max-schaefer
2019-11-12 16:50:29 +00:00
Asger F
a2ff4e9494
JS: member -> property
2019-11-08 16:23:59 +00:00
Asger F
2a473fb9e7
Update javascript/ql/src/semmle/javascript/dataflow/Nodes.qll
Co-Authored-By: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
2019-11-08 16:15:08 +00:00
Asger F
4ad03a9061
Update javascript/ql/src/semmle/javascript/dataflow/DataFlow.qll
Co-Authored-By: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
2019-11-08 16:14:53 +00:00
Asger F
53d470da2f
JS: Add syntax examples to DataFlow classes
2019-11-08 15:51:26 +00:00
Esben Sparre Andreasen
9b346b1d52
Merge pull request #2260 from max-schaefer/js/_min
JavaScript: Classify files with names ending in `_min` as minified.
2019-11-08 13:52:33 +01:00
semmle-qlci
867ed16777
Merge pull request #2276 from asger-semmle/inclusion-test
Approved by max-schaefer
2019-11-08 10:57:11 +00:00
semmle-qlci
e65271dfad
Merge pull request #2251 from asger-semmle/barrier-guard-improvements
Approved by esbena
2019-11-07 15:50:23 +00:00
semmle-qlci
f79c2a7630
Merge pull request #2224 from asger-semmle/access-paths-with-source-node-root
Approved by max-schaefer
2019-11-07 15:46:14 +00:00
Asger F
8544850945
JS: Generalize StringOps::Includes to ::InclusionTest
2019-11-07 14:35:17 +00:00
Erik Krogh Kristensen
e4f6f41634
add DataFlow::getEnclosingExpr to get an Expr from a potentially reflective call
2019-11-07 14:29:31 +01:00
Max Schaefer
e314869e5c
JavaScript: Classify files with names ending in _min as minified.
We already do the same for `-min` and `.min`. [Here](https://github.com/antoniogarrote/rdfstore-js/blob/master/dist/rdfstore_min.js) is a real-world example.
2019-11-07 10:33:47 +00:00
semmle-qlci
f73caac88d
Merge pull request #2254 from asger-semmle/for-of-propread
Approved by max-schaefer
2019-11-06 13:44:55 +00:00
Asger F
3ec95881b4
Update javascript/ql/src/semmle/javascript/GlobalAccessPaths.qll
Co-Authored-By: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
2019-11-06 11:58:06 +00:00