hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-27 09:45:15 +02:00
Code Issues Packages Projects Releases Wiki Activity
69,914 Commits 1,741 Branches 165 Tags
aa8bd332bf351ae58a5dbe2cf1487bf43d25ceac
Commit Graph

1661 Commits

Author SHA1 Message Date
Asger F
19ba9fed99 Handle externs 2024-01-30 17:13:02 +01:00
Asger F
1737ba1a6b JS: Add library for naming endpoints 2024-01-30 16:36:51 +01:00
Asger F
8930ce74af JS: Do not view packages as nested in a private package 2024-01-30 13:20:57 +01:00
Asger F
2d8d11fa78 JS: Restrict type-only exports in API graphs 2024-01-30 13:20:57 +01:00
Asger F
0e0fb0e52d JS: Remove API graph edge causing ambiguity 2024-01-30 13:20:56 +01:00
Asger F
e441dd472b JS: Expose hasBothNamedAndDefaultExports() 2024-01-30 13:20:55 +01:00
erik-krogh
8be7eadace delete outdated deprecations 2024-01-22 09:11:35 +01:00
Asger F
96f8a02a72 JS: Treat private-field methods as private 2024-01-15 13:00:39 +01:00
Asger F
59c9ac735a Merge pull request #15295 from asgerf/js/type-model-export 
JS: Include sink nodes as base-case when resolving types
 2024-01-11 20:47:32 +01:00
Erik Krogh Kristensen
d782bd9b1f Merge pull request #13624 from jorgectf/seclab/dotjs 
JS: Add `dot.js` support
 2024-01-11 14:57:19 +01:00
Asger F
82cee61999 JS: Include sink nodes as base-case when resolving types 2024-01-11 13:41:21 +01:00
Erik Krogh Kristensen
3000b4b9b3 rename PropsTaintStep to PropsFlowStep 
Co-authored-by: Asger F <asgerf@github.com>
 2024-01-10 09:45:29 +01:00
erik-krogh
a9f2b3fad6 promote PropsTaintStep to a PreCallGraphStep 2024-01-04 10:45:22 +01:00
Jorge
f8cfd698fa Merge branch 'main' into seclab/dotjs 2023-12-19 10:44:52 +01:00
Remco Vermeulen
133a243298 Add support for XML attributes in the data flow graph 2023-12-14 11:33:53 -08:00
Tom Hvitved
a46964dfe8 Address review comments 2023-12-12 13:55:52 +01:00
Tom Hvitved
28373e0fdf JS: Adapt to changes in shared code 2023-12-10 11:25:43 +01:00
erik-krogh
e8f9e366d5 remove redundant imports for JS 2023-12-08 16:56:54 +01:00
Jorge
8abd1d9855 Merge branch 'main' into seclab/dotjs 2023-11-30 19:42:18 +01:00
erik-krogh
abb8d65483 Merge branch 'main' into amammad-js-SQLI 2023-11-23 21:17:58 +01:00
amammad
60b422a35c fix second round of code review. improve documents, fix better-sqlite3 method 2023-11-23 14:01:38 +01:00
amammad
0328a2986d move TypeORM library file and tests to experimental 
add inline tests :)
Fix TypeORM fuzzy method according to Review
 2023-11-21 19:59:06 +01:00
amammad
999ec7053e fix Query class docstring 2023-11-21 18:56:05 +01:00
Rasmus Wriedt Larsen
43d9d2ceb7 Merge pull request #14603 from github/max-schaefer/broken-crypto-algorithm-link 
JavaScript/Python/Ruby: Improve alert message for `*/weak-cryptographic-algorithm`.
 2023-11-08 14:29:24 +01:00
Geoffrey White
e8a466a02c Update dead link. 2023-11-07 09:26:07 +00:00
amammad
c858e4974d fix Sqlite and BetterSqlite3 issues according to Review 2023-11-06 14:57:40 +01:00
amammad
e1d42fad2c move new secret key sinks to existing CredentialsNode class, 
add new additional global taint and dataflow steps
update tests of CWE-798
add a new sanitizer for `semmle.javascript.security.dataflow.HardcodedCredentialsQuery`
 2023-11-02 16:09:01 +01:00
Arthur Baars
5cc94e1105 Express.js: add req.path as remote input source 2023-10-31 12:44:26 +01:00
Harry Maclean
083be305e1 Shared: Add neutralModel extensible predicate 
The neutralModel extensible predicate already exists in Java and C#, so
this change brings the dynamic languages more in line with static
languages. The Model Editor uses this predicate to mark endpoints as
"not interesting" from a data flow perspective.
 2023-10-30 11:31:57 +00:00
Max Schaefer
08cc8b8e80 Autoformat. 2023-10-26 15:36:06 +01:00
Max Schaefer
abef8483bd Merge pull request #14600 from github/max-schaefer/express-rate-limit 
JavaScript: Add support for importing `express-rate-limit` using a named import.
 2023-10-26 15:15:22 +01:00
Max Schaefer
741735cc83 Port changes to JavaScript. 2023-10-26 14:47:24 +01:00
Max Schaefer
aff848b038 Update javascript/ql/lib/semmle/javascript/security/dataflow/MissingRateLimiting.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-10-26 13:06:52 +01:00
Max Schaefer
bb146a1758 JavaScript: Add support for rateLimit export from express-rate-limit package. 2023-10-26 12:14:57 +01:00
amammad
e3dbdc3887 add custom query builder and active record querybuilder support 2023-10-22 21:39:59 +02:00
flyboss
ee813c1e61 Update UnsafeHtmlConstructionQuery.qll 
add a deprecated alias in case anyone depends on the misspelled name.
 2023-10-20 17:57:23 +08:00
flyboss
86336565eb fix typo 2023-10-19 02:34:31 +00:00
Arthur Baars
0e3369f93f Merge pull request #14484 from aibaars/ts53-js 
JS: Support import attributes
 2023-10-16 10:47:49 +02:00
Asger F
3c7c5377ec JS: Add content approximation 
This seems to fix a performance issue for RegExpInjection in angular
 2023-10-13 13:15:08 +02:00
Asger F
5775fe6d6e JS: Use TAnyType in FlowSummaryPrivate 2023-10-13 13:15:08 +02:00
Asger F
9faf300dd0 JS: Use type-pruning to restrict callback flow 2023-10-13 13:15:08 +02:00
Asger F
d3f5169e66 JS: Lower field-flow branch limit on Polynomial ReDoS 2023-10-13 13:15:08 +02:00
Asger F
51dec79401 JS: Lower access path limit to 2 2023-10-13 13:15:08 +02:00
Asger F
24bab27ffe JS: Add TODO for dynamic import step 2023-10-13 13:15:08 +02:00
Asger F
b5ad36686e JS: Block flow into window.location 2023-10-13 13:15:08 +02:00
Asger F
0d10aba67d Revert "JS: Add global post-update steps" 
This resulted in huge performance issues from too much global flow
 2023-10-13 13:15:07 +02:00
Asger F
50aace3fa3 JS: Add global post-update steps 2023-10-13 13:15:07 +02:00
Asger F
c55300d4b0 JS: Port PolynomialReDoS 2023-10-13 13:15:06 +02:00
Asger F
b8847dbc5d JS: Port Xxe 2023-10-13 13:15:06 +02:00
Asger F
c2d170b4fd JS: Port XpathInjection 2023-10-13 13:15:06 +02:00