Rasmus Wriedt Larsen
43d9d2ceb7
Merge pull request #14603 from github/max-schaefer/broken-crypto-algorithm-link
...
JavaScript/Python/Ruby: Improve alert message for `*/weak-cryptographic-algorithm`.
2023-11-08 14:29:24 +01:00
Geoffrey White
e8a466a02c
Update dead link.
2023-11-07 09:26:07 +00:00
Arthur Baars
5cc94e1105
Express.js: add req.path as remote input source
2023-10-31 12:44:26 +01:00
Harry Maclean
083be305e1
Shared: Add neutralModel extensible predicate
...
The neutralModel extensible predicate already exists in Java and C#, so
this change brings the dynamic languages more in line with static
languages. The Model Editor uses this predicate to mark endpoints as
"not interesting" from a data flow perspective.
2023-10-30 11:31:57 +00:00
Max Schaefer
08cc8b8e80
Autoformat.
2023-10-26 15:36:06 +01:00
Max Schaefer
abef8483bd
Merge pull request #14600 from github/max-schaefer/express-rate-limit
...
JavaScript: Add support for importing `express-rate-limit` using a named import.
2023-10-26 15:15:22 +01:00
Max Schaefer
741735cc83
Port changes to JavaScript.
2023-10-26 14:47:24 +01:00
Max Schaefer
aff848b038
Update javascript/ql/lib/semmle/javascript/security/dataflow/MissingRateLimiting.qll
...
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com >
2023-10-26 13:06:52 +01:00
Max Schaefer
bb146a1758
JavaScript: Add support for rateLimit export from express-rate-limit package.
2023-10-26 12:14:57 +01:00
flyboss
ee813c1e61
Update UnsafeHtmlConstructionQuery.qll
...
add a deprecated alias in case anyone depends on the misspelled name.
2023-10-20 17:57:23 +08:00
flyboss
86336565eb
fix typo
2023-10-19 02:34:31 +00:00
Arthur Baars
0e3369f93f
Merge pull request #14484 from aibaars/ts53-js
...
JS: Support import attributes
2023-10-16 10:47:49 +02:00
Arthur Baars
a9a21aa313
Rename DynamicImportExpr::getImport{Attributes => Options}
2023-10-12 13:00:39 +02:00
Arthur Baars
c28004f2a6
Rename 'getImportAssertion()' to 'getImportAttributes()' in QL library
2023-10-12 13:00:39 +02:00
Erik Krogh Kristensen
85bb14f04f
Merge pull request #14405 from erik-krogh/tagCall
...
JS: recognize tagged template literals as `DataFlow::CallNode`
2023-10-11 11:25:34 +02:00
Erik Krogh Kristensen
6377e92067
Update javascript/ql/lib/semmle/javascript/dataflow/DataFlow.qll
...
Co-authored-by: Asger F <asgerf@github.com >
2023-10-11 09:52:48 +02:00
erik-krogh
f48b47c656
JavaScript: add import that populate the shared abstract classes
2023-10-09 09:14:55 +02:00
erik-krogh
c2942b37a7
JS: delete various outdated deprecations
2023-10-09 09:14:55 +02:00
erik-krogh
0d992a3d1f
delete old deprecated aliases of various regex libraries
2023-10-09 09:14:54 +02:00
erik-krogh
56e9eda2b9
fix performance by caching getArgument
2023-10-07 13:06:45 +02:00
erik-krogh
18e6a5491c
recognize tagged templates as DataFlow::CallNode
2023-10-06 21:14:00 +02:00
Asger F
162c477236
JS: Add AmdModuleDefinition::Range
2023-10-04 20:38:37 +02:00
Anders Schack-Mulligen
855c89667d
JavaScript: Use shared FileSystem library.
2023-09-28 08:58:55 +02:00
erik-krogh
a7d92b3473
add JS support the using keyword
2023-08-24 20:30:26 +02:00
Asger F
dec6039469
JS: Follow immediate predecessors in path resolution
2023-08-23 09:53:51 +02:00
yoff
7f2f6f14e7
Merge pull request #13729 from yoff/python/model-aws-lambdas
...
Python/JavaScript: Shared module for serverless functions
2023-08-16 15:14:08 +02:00
Asger F
c38cbe859d
Merge pull request #13737 from asgerf/dynamic/fuzzy-models
...
Dynamic: add Fuzzy token
2023-08-03 09:58:24 +02:00
Jeongsoo Lee
4529d8b75a
Add support for log injection in MaD
2023-07-28 22:37:56 +00:00
Asger F
d57276ca35
Merge pull request #13719 from asgerf/js/barrier-inout
...
JS: Replace barrier edges with barrier nodes
2023-07-13 16:36:52 +02:00
Asger F
f3fab587a9
JS: Add Fuzzy token in identifying access path
2023-07-13 14:01:06 +02:00
Asger F
7c9e1ad6ec
JS: Fix accidental recursion in Vue model
...
The API graph entry point depended on API::Node.
This was due to depending on the the TComponent newtype which has a branch that depends on API::Node
2023-07-13 13:41:21 +02:00
Rasmus Lerchedahl Petersen
02c41f3dcf
JavaScript: Use shared library for serverless
2023-07-12 16:46:34 +02:00
Asger F
c7abd4c2af
JS: Remove the unused edge-sanitizer hook in UnvalidatedDynamicMethodCall
2023-07-12 09:26:37 +02:00
Asger F
1a395c5b34
JS: Use sanitizerOut in PrototypePollutingAssignment
2023-07-11 15:24:10 +02:00
Asger F
b09ed4b0e3
JS: Update UnsafeJQueryPlugin
2023-07-11 15:01:33 +02:00
Asger F
a1d8a05bcb
JS: Update ResourceExhaustion
2023-07-11 14:56:53 +02:00
Asger F
58a557b18e
JS: Update InsecureRandomness
2023-07-11 14:56:43 +02:00
Asger F
e863e2376d
JS: Use sanitizerIn in ExtenralAPIUsedWithUntrustedData
2023-07-11 14:50:29 +02:00
Asger F
094302a27b
JS: Replace sanitizing prefix edge with node
2023-07-11 14:48:13 +02:00
Asger F
944a2ca825
JS: Replace ClearTextLogging::isSanitizerEdge with a node
2023-07-11 14:20:17 +02:00
Asger F
68584e549e
JS: Replace isOptionallySanitizedEdge with a node
2023-07-11 12:57:33 +02:00
Asger F
0841677b14
JS: Add isSanitizerX variants in TaintTracking
2023-07-11 11:14:37 +02:00
Asger F
d53beb3784
JS: Embed check for in/out barriers in edge barrier check
2023-07-11 11:04:28 +02:00
Asger F
4964d811a5
JS: Add interface for isBarrier in/out
2023-07-11 11:04:28 +02:00
Asger F
965ca169e5
JS: Recognise fs/promises
2023-07-07 14:14:49 +02:00
Asger F
d49359a95c
JS: Add step through spread arg to path.join()
2023-07-07 14:10:50 +02:00
Erik Krogh Kristensen
b2a60bf3d1
Merge pull request #13642 from erik-krogh/san-script
...
JS/RB: Fix FP in incomplete-multi-character-sanitization
2023-07-06 15:38:39 +02:00
Chuan-kai Lin
6912f7ed3a
Merge pull request #13638 from cklin/remove-pragma-assume-small-delta
...
Remove pragma[assume_small_delta]
2023-07-03 07:00:36 -07:00
Asger F
4c9501eba5
Merge pull request #13529 from jorgectf/seclab/webix-modeling
...
JS: Add models for `webix`
2023-07-03 12:03:18 +02:00
erik-krogh
f9eee906cf
fix FP by requiring that the regular expression mention on of the chars important in the prefix
2023-07-01 20:30:09 +02:00
