88 Commits

Author	SHA1	Message	Date
Asger F	7adf1d9958	Merge pull request #631 from esben-semmle/js/bad-url-regexing ... JS: add query: js/incomplete-url-regexp	2018-12-17 11:53:22 +00:00
Max Schaefer	e194021c3b	Merge pull request #629 from esben-semmle/js/persistent-read-taint ... JS: add persistent storage taint steps	2018-12-13 08:24:42 +00:00
Max Schaefer	e8c8360ad1	Merge pull request #659 from esben-semmle/js/more-constant-string-usage ... JS: replace StringLiteral with ConstantString in two queries	2018-12-13 08:19:22 +00:00
Asger F	a96c53f9b8	JS: restrict when a variable reference is considered a source	2018-12-12 12:28:26 +00:00
Esben Sparre Andreasen	376ed7a4d2	JS: generalize js/command-line-injection to handle ConstantString	2018-12-11 13:39:15 +01:00
Esben Sparre Andreasen	a1d92bfa50	JS: generalize js/incomplete-sanitization to handle ConstantString	2018-12-11 13:39:15 +01:00
Esben Sparre Andreasen	ab519d4abf	JS: rename query ... "Incomplete URL regular expression" -> "Incomplete regular expression for hostnames".	2018-12-10 22:22:54 +01:00
Esben Sparre Andreasen	994fe1bea5	JS: address non-semantic review comments	2018-12-10 22:21:02 +01:00
Esben Sparre Andreasen	d4e4bc6a0b	JS: sharpen js/incomplete-url-regexp by not matching .* or .+	2018-12-10 22:21:02 +01:00
Esben Sparre Andreasen	52ca696ff4	JS: add query js/incomplete-url-regexp	2018-12-10 22:20:29 +01:00
semmle-qlci	9e73ed71b9	Merge pull request #623 from esben-semmle/js/incomplete-url-sanitization ... Approved by mc-semmle	2018-12-06 20:46:37 +00:00
Esben Sparre Andreasen	4f53411397	JS: recognize HTTP URLs in js/incomplete-url-sanitization	2018-12-06 15:53:20 +01:00
Esben Sparre Andreasen	229eea00dc	JS: add query js/incomplete-url-substring-sanitization	2018-12-06 15:53:20 +01:00
semmle-qlci	3397533045	Merge pull request #628 from xiemaisi/js/setUnsafeHTML ... Approved by esben-semmle	2018-12-06 13:58:52 +00:00
Esben Sparre Andreasen	28b4a78430	JS: introduce DOM::PersistentWebStorage	2018-12-06 14:53:22 +01:00
Max Schaefer	ef347b3870	JavaScript: Teach Xss query about WinJS HTML injection functions.	2018-12-06 09:13:21 +00:00
Asger F	374f7ab65d	JS: address comments	2018-12-03 11:23:02 +00:00
Asger F	0462eb4b50	JS: add IncorrectSuffixCheck query	2018-12-03 11:23:02 +00:00
Max Schaefer	10166be535	JavaScript: Add new query DoubleEscaping.	2018-11-30 09:39:00 +00:00
Esben Sparre Andreasen	b780f82869	JS: sharpen js/clear-text-logging (ODASA-7485)	2018-11-22 13:38:43 +01:00
Asger F	6ec13feab4	JS: recognize sanitizing slashes in URL redirection queries	2018-11-16 10:43:25 +00:00
Max Schaefer	9221b62ded	JavaScript: Update expectd test output for security path queries to include nodes and edges query predicates.	2018-11-14 09:32:31 +00:00
Max Schaefer	d57b5d9628	JavaScript: Remove ReflectdXssPath.ql, which is now spurious.	2018-11-14 09:16:40 +00:00
semmle-qlci	86e31a584e	Merge pull request #447 from esben-semmle/js/indirect-sanitization ... Approved by asger-semmle	2018-11-13 09:14:28 +00:00
Esben Sparre Andreasen	ffc3d6ba49	JS: simplify test (move alerts four lines up)	2018-11-12 10:21:41 +01:00
Max Schaefer	bdfe938d02	JavaScript: Improve StackTraceExposure query. ... It now also flags exposure of the entire exception object (not just the `stack` property).	2018-11-09 09:42:09 +00:00
Asger F	e0d5557ef4	JS: add email HTML body as XSS sink	2018-11-07 11:31:40 +00:00
Max Schaefer	c75d785684	JavaScript: Fix modelling of _.partial. ... Like `Function.prototype.bind` (but unlike `ramda.partial`) it takes the curried arguments as rest arguments, not as an array; cf. https://lodash.com/docs/4.17.10#partial and https://underscorejs.org/#partial.	2018-10-31 06:31:59 -04:00
Max Schaefer	7702b58794	Merge pull request #305 from asger-semmle/json-taint-kind ... JS: Add flow label for tainted objects and sharpen NosqlInjection	2018-10-22 11:58:50 +01:00
semmle-qlci	1da873e819	Merge pull request #315 from esben-semmle/js/conditional-bypass-early-return ... Approved by xiemaisi	2018-10-17 08:25:55 +01:00
Esben Sparre Andreasen	ffbbb807f4	JS: avoid flagging early returns in js/user-controlled-bypass	2018-10-16 08:39:59 +02:00
semmle-qlci	16b29b2d08	Merge pull request #299 from asger-semmle/nosql-sinks ... Approved by xiemaisi	2018-10-12 07:12:05 +01:00
Asger F	9b10254cd4	JS: support label-specific sanitizer guards	2018-10-10 18:27:14 +01:00
Asger F	5e720486d5	JS: recognize req.query.x as deep object taint	2018-10-10 17:15:56 +01:00
Asger F	d72d7345b8	JS: make NosqlInjection use object taint	2018-10-10 17:05:59 +01:00
Esben Sparre Andreasen	6687dfd558	JS: improve model of express' req.sendFile	2018-10-10 15:46:43 +02:00
Esben Sparre Andreasen	358b6c3413	JS: change "remote request" to "network request"	2018-10-10 15:34:39 +02:00
Esben Sparre Andreasen	3b2440e850	JS: remove useless externs definitions for tests	2018-10-10 12:12:54 +02:00
Esben Sparre Andreasen	b00aa36cdc	JS: polish HttpToFileAccess.ql	2018-10-10 12:12:54 +02:00
Esben Sparre Andreasen	d261915598	JS: polish FileAccessToHttp.ql	2018-10-10 12:12:54 +02:00
Asger F	74f115fa40	JS: add test case	2018-10-10 10:46:40 +01:00
Asger F	030bae9454	JS: Canonicalize ThisNode	2018-10-09 08:53:41 +01:00
Asger F	d2af4ab94a	Merge pull request #227 from xiemaisi/js/taint-kinds ... JavaScript: Add support for state-based taint tracking.	2018-10-08 15:09:12 +01:00
Max Schaefer	017ae4990d	JavaScript: Use custom flow labels in ClientSideUrlRedirect.	2018-10-03 15:49:02 +01:00
Denis Levin	e147e690ee	Merge branch 'master' into denisl/js/HttpToFileAccessTest	2018-10-02 15:13:35 -07:00
semmle-qlci	b35f450b01	Merge pull request #162 from asger-semmle/partial-calls ... Approved by esben-semmle, xiemaisi	2018-10-02 11:24:02 +01:00
semmle-qlci	829a5cc451	Merge pull request #259 from asger-semmle/open-redirect-expr ... Approved by xiemaisi	2018-10-02 08:32:48 +01:00
Denis Levin	9c487bc6d9	Merge branch 'master'	2018-10-01 14:51:56 -07:00
Denis Levin	82d8b4e371	Adding the source link to the test case samples	2018-10-01 11:45:38 -07:00
Asger F	9f07b1011d	JS: bugfix in server-side redirect query	2018-10-01 12:34:13 +01:00