hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-21 15:06:46 +01:00
Code Issues Packages Projects Releases Wiki Activity
3,162 Commits 1,712 Branches 163 Tags
9dae08bbcf2a62806fb69baa3f787c5e1993394a
Commit Graph

114 Commits

Author SHA1 Message Date
semmle-qlci
b4b37b3a7b Merge pull request #880 from esben-semmle/js/better-alert-message-1 
Approved by xiemaisi
 2019-02-07 08:01:21 +00:00
semmle-qlci
a2691b32b5 Merge pull request #851 from xiemaisi/js/post-message-star 
Approved by esben-semmle
 2019-02-06 09:57:04 +00:00
Esben Sparre Andreasen
b72441f9c2 JS: use StringOps:: in js/incomplete-url-substring-sanitization 2019-02-05 15:17:55 +01:00
Max Schaefer
aeb8cc62b2 JavaScript: Reclassify PostMessageStar as CWE-201. 2019-01-31 08:08:52 +00:00
Max Schaefer
769e407c24 JavaScript: Add new query PostMessageStar. 2019-01-30 10:26:43 +00:00
Esben Sparre Andreasen
321b3f1ab5 JS: use ports to sharpen js/incomplete-url-substring-sanitization 2019-01-30 10:18:00 +01:00
Taus
9adb19f3a9 Merge branch 'master' into python-incomplete-url-sanitize 2019-01-29 14:17:37 +01:00
Mark Shannon
3850f87879 Make qhelp for 'Incomplete URL substring sanitization' consistent across languages. 2019-01-25 16:47:23 +00:00
Max Schaefer
43f4fe1a7e Update DoubleEscaping.qhelp 
Somewhat ironic, considering the object of the query.
 2019-01-21 18:48:22 +08:00
semmle-qlci
04c15028ab Merge pull request #750 from aschackmull/javascript/autoformat 
Approved by xiemaisi
 2019-01-11 16:35:38 +00:00
Anders Schack-Mulligen
e58094c732 Javascript: Autoformat. 2019-01-11 11:02:42 +01:00
Max Schaefer
3d44f0c6e0 JavaScript: Autoformat new libraries. 2019-01-09 09:13:14 +00:00
Max Schaefer
e960bd967f JavaScript: Make configuration IDs explicit in the API. 2019-01-09 09:10:45 +00:00
Max Schaefer
132570940a JavaScript: Add support for annotation comments specifying additional sources and sinks. 2019-01-09 09:09:58 +00:00
Max Schaefer
bdf29d010a JavaScript: Allow summary details to be omitted. 
If a summary does not specify a configuration, it is taken to apply to all configurations without custom sanitisers/barriers.

If a source summary does not specify a flow label, `data` is assumed.

If a sink summary does not specify a flow label, both `data` and `taint` are assumed.

Flow step summaries cannot omit flow labels.

Note that the standard extraction queries always provide explicit configurations and flow labels, and hence do not exercise this functionality.
 2019-01-09 09:09:58 +00:00
Max Schaefer
7c87c43511 JavaScript: Import flow summaries through external predicates. 2019-01-09 09:09:58 +00:00
Max Schaefer
90ad8e3858 JavaScript: Import flow summaries from CSV data. 2019-01-09 09:09:58 +00:00
Max Schaefer
f4fed3657d JavaScript: Add flow summary extraction queries. 2019-01-09 09:09:58 +00:00
Max Schaefer
31bb39a810 JavaScript: Autoformat all QL files. 2019-01-07 10:15:45 +00:00
Max Schaefer
b4f400fb23 Merge remote-tracking branch 'upstream/next' into qlucie/master 2019-01-04 10:35:57 +00:00
Max Schaefer
a9844b2eda JavaScript: Fix performance regression in IncorrectSuffixCheck. 2019-01-02 10:23:16 +00:00
Jonas Jensen
5ac5aa0c2a Merge remote-tracking branch 'upstream/master' into mergeback-20181217 2018-12-17 13:42:45 +01:00
Esben Sparre Andreasen
4a631b42d4 JS: use .lastIndexOf in js/incomplete-url-substring-sanitization 2018-12-17 13:22:31 +01:00
Asger F
7adf1d9958 Merge pull request #631 from esben-semmle/js/bad-url-regexing 
JS: add query: js/incomplete-url-regexp
 2018-12-17 11:53:22 +00:00
Esben Sparre Andreasen
487b8c52c6 JS: fix <p></p> issue 2018-12-14 13:04:10 +01:00
Esben Sparre Andreasen
bb3e3a541d JS: address doc review comments 2018-12-14 10:24:30 +01:00
Aditya Sharad
f71e5ac338 Merge master into next. 2018-12-13 17:57:31 +00:00
Aditya Sharad
f92456fcad Merge master into next. 
Conflict in `cpp/ql/test/library-tests/sideEffects/functions/sideEffects.expected`,
resolved by accepting test output (combining changes).
 2018-12-12 17:26:18 +00:00
Esben Sparre Andreasen
a1d92bfa50 JS: generalize js/incomplete-sanitization to handle ConstantString 2018-12-11 13:39:15 +01:00
Esben Sparre Andreasen
1bc73ab592 JS: address review comments 2018-12-11 13:03:17 +01:00
Esben Sparre Andreasen
ab519d4abf JS: rename query 
"Incomplete URL regular expression" -> "Incomplete regular expression for hostnames".
 2018-12-10 22:22:54 +01:00
Esben Sparre Andreasen
7c6e28d917 JS: introduce near-empty RegularExpressions.qll 2018-12-10 22:22:54 +01:00
Esben Sparre Andreasen
994fe1bea5 JS: address non-semantic review comments 2018-12-10 22:21:02 +01:00
Esben Sparre Andreasen
d4e4bc6a0b JS: sharpen js/incomplete-url-regexp by not matching .* or .+ 2018-12-10 22:21:02 +01:00
Esben Sparre Andreasen
52ca696ff4 JS: add query js/incomplete-url-regexp 2018-12-10 22:20:29 +01:00
semmle-qlci
9e73ed71b9 Merge pull request #623 from esben-semmle/js/incomplete-url-sanitization 
Approved by mc-semmle
 2018-12-06 20:46:37 +00:00
Esben Sparre Andreasen
4f53411397 JS: recognize HTTP URLs in js/incomplete-url-sanitization 2018-12-06 15:53:20 +01:00
Esben Sparre Andreasen
229eea00dc JS: add query js/incomplete-url-substring-sanitization 2018-12-06 15:53:20 +01:00
semmle-qlci
3397533045 Merge pull request #628 from xiemaisi/js/setUnsafeHTML 
Approved by esben-semmle
 2018-12-06 13:58:52 +00:00
Max Schaefer
ef347b3870 JavaScript: Teach Xss query about WinJS HTML injection functions. 2018-12-06 09:13:21 +00:00
Max Schaefer
a1f210df67 JavaScript: Address review comments. 2018-12-05 14:10:06 +00:00
Max Schaefer
22502e7a10 JavaScript: Add query help for FileAccessToHttp query. 2018-12-05 13:12:52 +00:00
Max Schaefer
92c1e655dd JavaScript: Add query help for HttpToFileAccess query. 2018-12-05 12:58:38 +00:00
Asger F
7121a18eba JS: address comments 2018-12-04 10:40:43 +00:00
Asger F
1130d0c6f9 JS: add comment about arrays 2018-12-03 11:23:02 +00:00
Asger F
374f7ab65d JS: address comments 2018-12-03 11:23:02 +00:00
Asger F
c4d7672ea7 JS: fix typo in method name 2018-12-03 11:23:02 +00:00
Asger F
0462eb4b50 JS: add IncorrectSuffixCheck query 2018-12-03 11:23:02 +00:00
Max Schaefer
10166be535 JavaScript: Add new query DoubleEscaping. 2018-11-30 09:39:00 +00:00
Asger F
f85e30aa6c Merge pull request #571 from xiemaisi/js/numeric-constant-interpreted-as-code 
JavaScript: Add new query `HardcodedDataInterpretedAsCode`.
 2018-11-29 17:07:48 +00:00