hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-15 15:34:49 +01:00
Code Issues Packages Projects Releases Wiki Activity
32,322 Commits 1,680 Branches 158 Tags
aa95dd4ec718aa162f2c7b508a3f363f72a189ce
Commit Graph

683 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
aa95dd4ec7 fix typo 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2022-02-08 00:19:40 +01:00
Erik Krogh Kristensen
6f28cb9201 lower the precision of js/unsafe-code-construction 2022-02-07 13:35:29 +01:00
Erik Krogh Kristensen
eb133f59f6 update qhelp to focus on properly documenting potentially unsafe library functions 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
d77c28f6a7 add qhelp for unsafe-code-construction 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
198a464346 add js/unsafe-code-construction query 2022-02-07 13:34:18 +01:00
Naman Jain
aea7054938 modified query and added tests 2022-02-02 19:39:08 +05:30
Erik Krogh Kristensen
0f85a52f09 Merge pull request #7773 from erik-krogh/CWE-367 
JS: add a js/file-system-race query
 2022-02-01 15:36:13 +01:00
Erik Krogh Kristensen
a51f892a99 move dot in qhelp 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2022-02-01 14:34:30 +01:00
Erik Krogh Kristensen
e6c90670e6 Merge pull request #7740 from erik-krogh/CWE-347 
JS: promote the js/jwt-missing-verification query out of experimental
 2022-02-01 13:10:35 +01:00
Erik Krogh Kristensen
8dcec2e037 apply suggestions from doc review 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2022-01-31 13:17:26 +01:00
Erik Krogh Kristensen
ec1a8cc826 apply suggestions from doc review 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2022-01-31 12:32:12 +01:00
Erik Krogh Kristensen
7aa59ca233 Merge pull request #7633 from erik-krogh/CWE-300 
JS: add js/http-dependency query
 2022-01-28 12:10:14 +01:00
Erik Krogh Kristensen
b5198bdaca apply suggestions from doc review 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2022-01-28 10:46:27 +01:00
Erik Krogh Kristensen
bf9bcc9600 add a js/file-system-race query 2022-01-28 09:41:12 +01:00
Erik Krogh Kristensen
179c26da9a apply suggestions from review 2022-01-28 09:37:46 +01:00
Erik Krogh Kristensen
e75dc2116f add CWE-184 to incomplete-scheme-check and bad-tag-filter 2022-01-26 16:13:13 +01:00
Erik Krogh Kristensen
abd87615ff update qhelp with suggestions 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2022-01-26 11:03:05 +01:00
Erik Krogh Kristensen
de633940fe promote the js/jwt-missing-verification query out of exeprimental 2022-01-26 09:35:54 +01:00
Erik Krogh Kristensen
cc527bdecd Merge pull request #7721 from erik-krogh/CWE-1275 
JS: add a js/samesite-none-cookie cookie
 2022-01-25 13:28:08 +01:00
Erik Krogh Kristensen
9f9dee5d18 apply documentation suggestions 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2022-01-25 12:14:16 +01:00
CodeQL CI
8d1e22bc38 Merge pull request #7632 from erik-krogh/CWE-862 
Approved by esbena, felicitymay
 2022-01-24 12:47:16 -08:00
Erik Krogh Kristensen
d4bac887cf add a js/samesite-none-cookie cookie 2022-01-24 21:39:41 +01:00
Erik Krogh Kristensen
75f389749a Merge pull request #7719 from erik-krogh/cwe-219 
JS: add CWE-219 to js/exposure-of-private-files
 2022-01-24 17:06:09 +01:00
Erik Krogh Kristensen
bb786bc557 fix good/bad mixup in ClientExposedCookie qhelp 2022-01-24 15:34:30 +01:00
Erik Krogh Kristensen
148b0c33a9 update the empty-password-in-config-file qhelp 2022-01-24 13:39:54 +01:00
Erik Krogh Kristensen
ab0d67a573 update query name and description 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2022-01-24 13:37:25 +01:00
Erik Krogh Kristensen
823cadecd5 add CWE-219 to js/exposure-of-private-files 2022-01-24 13:22:06 +01:00
Erik Krogh Kristensen
ab1bc685bb add CWE-80 to queries that detect bad HTML sanitizers 2022-01-24 11:01:17 +01:00
Erik Krogh Kristensen
f9d5cbf017 update qhelp 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2022-01-21 11:26:58 +01:00
Erik Krogh Kristensen
debebb2b8c rewrite the qhelp for js/insecure-dependency 2022-01-21 10:41:08 +01:00
Erik Krogh Kristensen
5780161b2c fix most issues found by ql/class-doc-style in JS 2022-01-20 15:10:16 +01:00
Erik Krogh Kristensen
cb9e14f544 add cwe-471 to js/prototype-pollution 2022-01-19 14:54:57 +01:00
Erik Krogh Kristensen
e4203a4109 add CWE-471 to the prototype-pollution queries 2022-01-19 14:26:34 +01:00
Erik Krogh Kristensen
ef2eacebce add a js/empty-password-in-configuration-file query 2022-01-19 10:48:45 +01:00
Erik Krogh Kristensen
b7a0b8765e add js/http-dependency query 2022-01-19 10:05:39 +01:00
Edoardo Pirovano
f2818ebb5e Merge pull request #7489 from edoardopirovano/fix-example 
Fix example in JavaScript query
 2022-01-14 08:58:28 +00:00
Edoardo Pirovano
081765cbe8 Apply suggestions from code review 
Co-authored-by: Asger F <asgerf@github.com>
 2022-01-04 10:07:34 +00:00
yoff
5ba70ff3b6 Merge pull request #7369 from RasmusWL/filter-tag-cwe 
JS/Py/Ruby: Add more CWEs to bad-tag-filter queries
 2022-01-04 10:11:03 +01:00
Edoardo Pirovano
a616059761 Fix example in JavaScript query 2021-12-29 12:01:09 +00:00
CodeQL CI
39ec7132af Merge pull request #7049 from asgerf/js/routing-trees 
Approved by erik-krogh
 2021-12-17 12:26:38 +00:00
Asger Feldthaus
8aa4d8227e JS: Rename RouteHandlerInput->RouteHandlerParameter 2021-12-15 16:32:18 +01:00
Asger Feldthaus
218b746f6f JS: Rename getAUseSite -> getRouteInstallation 2021-12-15 16:21:41 +01:00
Rasmus Wriedt Larsen
1e45fa9ed4 JS/Py/Ruby: Add more CWEs to bad-tag-filter queries 
CWE-185: Incorrect Regular Expression

The software specifies a regular expression in a way that causes data to
be improperly matched or compared.

https://cwe.mitre.org/data/definitions/185.html

CWE-186: Overly Restrictive Regular Expression

> A regular expression is overly restrictive, which prevents dangerous values from being detected.
>
> (...) [this CWE] is about a regular expression that does not match all
> values that are intended. (...)

https://cwe.mitre.org/data/definitions/186.html

From my understanding,
CWE-625: Permissive Regular Expression, is not applicable. (since this
is about accepting a regex match where there should not be a match).
 2021-12-13 10:23:24 +01:00
Asger Feldthaus
23480b2d8f JS: Remove stray TODO 2021-12-07 10:49:14 +01:00
Asger Feldthaus
5f8ea3965d JS: Do not flag auth endpoints that are immune to Login CSRF 2021-12-07 10:46:17 +01:00
Asger Feldthaus
66b1612e5e JS: Treat non-cookie based auth as CSRF preventer 2021-12-07 10:46:17 +01:00
Asger Feldthaus
b73219392b JS: Improve precision of missing CSRF middleware 2021-12-07 10:46:17 +01:00
Asger Feldthaus
5269933461 JS: Port missing rate limiting query 2021-12-07 10:44:19 +01:00
Asger Feldthaus
389a3c9073 JS: Port CSRF query 2021-12-07 10:43:06 +01:00
Rasmus Wriedt Larsen
7ae1047fda JS: Tag queries with CWE-328 
CWE-328: Use of Weak Hash, see https://cwe.mitre.org/data/definitions/328.html
 2021-12-06 14:02:24 +01:00