hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-13 22:44:48 +01:00
Code Issues Packages Projects Releases Wiki Activity
14,897 Commits 1,679 Branches 158 Tags
83260740ff7150bf246e96d357c79d74de8ee32b
Commit Graph

4158 Commits

Author SHA1 Message Date
CodeQL CI
29183fa0a1 Merge pull request #4067 from erik-krogh/noBin 
Approved by esbena
 2020-08-20 23:07:02 +01:00
Erik Krogh Kristensen
cef681d009 bump extractor version (again) 2020-08-20 15:58:44 +02:00
Erik Krogh Kristensen
68f7942820 Merge branch 'main' into noBin 2020-08-20 15:58:15 +02:00
Erik Krogh Kristensen
fa8edeed6a change StoredXss example to use TypeTracking 2020-08-20 15:05:38 +02:00
Erik Krogh Kristensen
906705f84c add SourceNode example to the TrackedNode deprecation description 2020-08-20 15:01:40 +02:00
Erik Krogh Kristensen
bf88c81f78 bump extractor version 2020-08-20 12:57:48 +02:00
Erik Krogh Kristensen
a347569385 inline StandardCharsets.UTF_8 2020-08-20 12:57:05 +02:00
Erik Krogh Kristensen
410ef8fe0e exit early if the default encoding is not UTF-8 2020-08-20 12:50:43 +02:00
Erik Krogh Kristensen
fe41521e0c add tutorial for how to get around TrackedNodes deprecation 2020-08-20 12:46:17 +02:00
Erik Krogh Kristensen
8f68f512df deprecate TrackedNodes.qll 2020-08-20 11:26:22 +02:00
Erik Krogh Kristensen
3d5c1560e4 basic support for .cjs files 2020-08-19 10:53:57 +02:00
Erik Krogh Kristensen
103f739d16 add test for types of modules 2020-08-19 10:52:38 +02:00
Erik Krogh Kristensen
246d9b8c70 update expected trap files 2020-08-18 12:51:36 +02:00
Erik Krogh Kristensen
03cb95c82b bump extractor version 2020-08-18 11:20:04 +02:00
Erik Krogh Kristensen
d1b3963e2d correctly treat ES2015 modules as being in strict-mode in the extractor 2020-08-18 10:13:20 +02:00
Erik Krogh Kristensen
c28889225a skip binary files when extracting JavaScript 2020-08-17 15:21:15 +02:00
CodeQL CI
c917cd02bd Merge pull request #4054 from erik-krogh/urlIncludes 
Approved by esbena
 2020-08-17 13:54:25 +01:00
Erik Krogh Kristensen
15a74493e0 more permissive path elements in js/incomplete-url-substring-sanitization 2020-08-13 11:46:13 +02:00
Erik Krogh Kristensen
3fb9c28806 adjust comment about slash position 2020-08-13 11:46:13 +02:00
Erik Krogh Kristensen
2c7bb8c51f adjust error message when files have been found while extracting 2020-08-13 11:18:27 +02:00
CodeQL CI
66541f260b Merge pull request #4012 from erik-krogh/getId 
Approved by asgerf, esbena
 2020-08-12 13:28:18 +01:00
Erik Krogh Kristensen
1d111c3e1f expand what urls are detected by js/incomplete-url-substring-sanitization 2020-08-12 14:25:35 +02:00
Erik Krogh Kristensen
656ff9c441 autoformat 2020-08-11 15:40:30 +02:00
intrigus-lgtm
5a3acc231e Fix typo 2020-08-11 01:01:53 +02:00
Erik Krogh Kristensen
dc5167bbe7 autoformat 2020-08-10 11:52:45 +00:00
Erik Krogh Kristensen
85de5aa16b add deprecated modifier 
Co-authored-by: Asger F <asgerf@github.com>
 2020-08-10 10:51:21 +02:00
Erik Krogh Kristensen
410b696562 add deprecated aliases getId() forwarding to getIdentifier() 2020-08-10 09:11:38 +02:00
CodeQL CI
7c4e10df17 Merge pull request #4014 from erik-krogh/stringify 
Approved by esbena
 2020-08-10 07:50:21 +01:00
Erik Krogh Kristensen
aab2e6f803 update name of test file 2020-08-07 18:20:22 +02:00
Erik Krogh Kristensen
f1dc36244c update tests and queries that used getId() 2020-08-05 14:32:09 +00:00
Erik Krogh Kristensen
cc5ef4d5e1 rename JsonSerializeCall to JsonStringifyCall 2020-08-05 13:22:41 +02:00
Erik Krogh Kristensen
f70cb2e7b3 add test for new JSON serializers 2020-08-05 12:14:56 +02:00
Erik Krogh Kristensen
5a3f67a682 introduce model for JSON.stringify and similar libraries 2020-08-05 12:14:51 +02:00
Erik Krogh Kristensen
67c4320287 make JumpStmt non abstract 2020-08-05 10:03:46 +02:00
Erik Krogh Kristensen
016bdc1614 make ControlStmt non abstract 2020-08-05 09:59:30 +02:00
Erik Krogh Kristensen
5727e6f9f8 make CompoundAssignExpr non-abstract 2020-08-04 16:17:08 +02:00
Erik Krogh Kristensen
cf3f275aa1 make DestructuringPattern non-abstract 2020-08-04 16:02:32 +02:00
Erik Krogh Kristensen
0867c5567e rename getId() to getIdentifier() 2020-08-04 13:22:19 +02:00
CodeQL CI
8855ab8c8c Merge pull request #3835 from Raz0r/js/xss-protocol-sinks 
Approved by erik-krogh
 2020-08-03 15:40:05 +01:00
CodeQL CI
a4f8b19ae4 Merge pull request #3876 from erik-krogh/CWE078-Correctness 
Approved by esbena
 2020-08-03 15:38:51 +01:00
CodeQL CI
c8e5db189a Merge pull request #3913 from erik-krogh/topmost 
Approved by asgerf
 2020-08-03 13:18:22 +01:00
Erik Krogh Kristensen
f5cc14f980 fix typo 2020-08-03 13:49:21 +02:00
CodeQL CI
0bbdc70cdb Merge pull request #3864 from erik-krogh/exprString 
Approved by asgerf, esbena
 2020-08-03 09:25:17 +01:00
Arthur Baars
7e72ef350e Merge pull request #3975 from aibaars/lgtm-suites 
CodeQL: complete LGTM suites
 2020-07-30 18:39:01 +02:00
Arthur Baars
5bad003c0c Add qlpack.yml files for example queries 2020-07-29 16:57:04 +02:00
Arthur Baars
c4041e55ba CodeQL: complete LGTM suites 2020-07-28 20:40:44 +02:00
Max Schaefer
91762ec274 JavaScript: Add partial model for opener. 
3.5M weekly downloads.

Note that we do not treat the first argument as a command-injection sink. While it is possible to inject commands that way, it is more likely to cause false positives where the user input is concatenated with some prefix that makes the opening heuristic decide to treat it as a URL.
 2020-07-27 11:42:32 +01:00
Max Schaefer
9aa26fa4bc JavaScript: Add model for foreground-child. 
>1M weekly downloads, so seems worth doing.
 2020-07-27 11:37:06 +01:00
Max Schaefer
2f842042ea JavaScript: Model another execa function relevant for command injection. 2020-07-27 11:34:04 +01:00
semmle-qlci
e167b87150 Merge pull request #3932 from max-schaefer/portals-additions 
Approved by esbena
 2020-07-09 11:43:45 +01:00