4272 Commits

Author	SHA1	Message	Date
Max Schaefer	aaa70e4ad3	JavaScript: Make API-graph edge labels accessible outside ApiGraphs.qll.	2020-09-03 22:28:09 +01:00
Max Schaefer	7239f1fb6f	JavaScript: Distinguish more carefully between def and use nodes in API graphs. ... In particular, we now have two different kinds of module features: module definitions and module uses. For the most part, `API::Definition`s correspond to right-hand sides in the data-flow graph, and `API::Use`s correspond to references. However, module definitions can have references (via the CommonJS `module` variable), and so can their exports (via `module.exports` or `exports`). Note that this is different from references to uses of the module, which are simply imports.	2020-09-03 22:28:09 +01:00
Max Schaefer	d8fbf60cbf	JavaScript: Weaken a few types to stay under BDD node limit. ... `SourceNode` in cached layers seems particularly problematic.	2020-09-03 14:29:04 +01:00
Max Schaefer	e77948103f	JavaScript: Remove AdditionalFeature from ApiGraphs. ... I ended up not using it for flow summaries, so at this point it is purely speculative generality. We can reintroduce it later if we need to.	2020-09-03 14:29:04 +01:00
Max Schaefer	924ef6ae5d	Apply suggestions from code review ... Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2020-09-03 14:04:23 +01:00
Max Schaefer	ec3c1f114c	JavaScript: Simplify steps through promises.	2020-09-02 21:40:34 +01:00
Max Schaefer	702192c316	JavaScript: Make implicit inits of module and exports source nodes. ... This is instead of making every access to those variables source nodes, and fixes a regression in `DeadStoreOfProperty`.	2020-09-02 19:52:13 +01:00
Max Schaefer	9840a7ddfb	JavaScript: Add utility predicate SSA::implicitInit.	2020-09-02 19:46:59 +01:00
Max Schaefer	d81d80430e	JavaScript: Add a regression test for DeadStoreOfProperty.	2020-09-02 19:45:27 +01:00
Max Schaefer	df49818152	JavaScript: Address review comments.	2020-09-02 19:45:27 +01:00
Max Schaefer	82d92dc726	JavaScript: Avoid bad join order. ... The optimiser decided that it would be a great idea to start the pipeline with `getReturn().getAUse().(DataFlow::InvokeNode)`. It's not.	2020-09-02 17:42:33 +01:00
Max Schaefer	500f7bd8fa	JavaScript: Reduce complexity of SystemCommandExecutors charpred.	2020-09-02 17:42:32 +01:00
Max Schaefer	e3a9906071	JavaScript: Switch MissingRateLimiting.qll to API graphs. ... The added test shows how this helps us avoid false positives.	2020-09-02 17:35:47 +01:00
Max Schaefer	e34a821cc6	JavaScript: Switch system-command executor modelling from source nodes to API graphs.	2020-09-02 17:35:47 +01:00
Max Schaefer	6d68036d85	JavaScript: Add test demonstrating more SQL flow.	2020-09-02 17:35:47 +01:00
Max Schaefer	68b3ccdc65	JavaScript: Switch SQL modelling from source nodes to API graphs.	2020-09-02 17:35:47 +01:00
Max Schaefer	f3e9104be4	JavaScript: Add implementation of API graphs.	2020-09-02 17:35:47 +01:00
Max Schaefer	22ccae6006	JavaScript: Make PromiseFlow module public.	2020-08-31 11:55:10 +01:00
Erik Krogh Kristensen	f4060723bb	add stats for new properties	2020-08-28 12:43:26 +02:00
Erik Krogh Kristensen	038cca814a	Merge branch 'main' into ts4	2020-08-28 10:27:49 +02:00
CodeQL CI	80cb8be405	Merge pull request #4155 from asger-semmle/js/lower-duplicate-element-id-precision ... Approved by esbena	2020-08-28 08:52:58 +01:00
CodeQL CI	ac94869978	Merge pull request #3978 from dellalibera/js/insecure-cookies ... Approved by esbena	2020-08-28 08:31:38 +01:00
Asger Feldthaus	e7a0bc6be6	JS: Lower precision of ambiguous HTML ID attribute	2020-08-27 15:51:34 +01:00
Esben Sparre Andreasen	9aa1404646	JS: fix formatting of InsecureCookie.qll	2020-08-27 09:44:45 +02:00
Esben Sparre Andreasen	67278d9c93	Merge pull request #4141 from esbena/js/clarify-sanitization ... JS: make sanitization a "common" technique rather than "important"	2020-08-27 08:08:17 +02:00
ubuntu	cd1d50b637	Update expected output	2020-08-26 23:50:15 +02:00
Alessio Della Libera	dcf51c75e9	Update javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.ql ... Co-authored-by: Esben Sparre Andreasen <esbena@github.com>	2020-08-26 23:33:52 +02:00
Esben Sparre Andreasen	d27442e846	Apply suggestions from code review ... Co-authored-by: Felicity Chapman <felicitymay@github.com>	2020-08-26 20:18:54 +02:00
Esben Sparre Andreasen	89305865d0	JS: make sanitization a "common" technique rather than "important"	2020-08-26 15:41:54 +02:00
Alessio Della Libera	e027c8cc13	Update javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.qll ... Co-authored-by: Esben Sparre Andreasen <esbena@github.com>	2020-08-26 01:48:05 +02:00
Alessio Della Libera	a1f64e26cf	Update javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.qll ... Co-authored-by: Esben Sparre Andreasen <esbena@github.com>	2020-08-26 01:47:52 +02:00
Alessio Della Libera	3bd7615a75	Update javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.qll ... Co-authored-by: Esben Sparre Andreasen <esbena@github.com>	2020-08-26 01:47:37 +02:00
Alessio Della Libera	57cf447188	Update javascript/ql/src/experimental/Security/CWE-614/InsecureCookie.qll ... Co-authored-by: Esben Sparre Andreasen <esbena@github.com>	2020-08-26 01:46:59 +02:00
CodeQL CI	722b1a24f6	Merge pull request #4087 from erik-krogh/thisJsx ... Approved by asgerf	2020-08-25 10:20:32 +01:00
CodeQL CI	844abc51e8	Merge pull request #4108 from erik-krogh/packType ... Approved by asgerf	2020-08-25 10:17:28 +01:00
Erik Krogh Kristensen	b0d4e79653	split out trap tests to avoid "package.json" naming conflict in trap test	2020-08-24 21:36:34 +02:00
ubuntu	22f5ae4ad4	Format code	2020-08-24 18:53:37 +02:00
CodeQL CI	e2c6a01c00	Merge pull request #4097 from erik-krogh/createRequire ... Approved by esbena	2020-08-24 15:57:10 +01:00
Erik Krogh Kristensen	309346841a	Merge branch 'main' into packType	2020-08-24 12:44:24 +02:00
Erik Krogh Kristensen	5acfd92e0f	bump the extractor version	2020-08-24 12:42:19 +02:00
Erik Krogh Kristensen	d633410e3c	make the extractor not crash on invalid "package.json" files	2020-08-24 12:42:08 +02:00
Erik Krogh Kristensen	eb84f97e7f	Merge branch 'main' into ts4	2020-08-24 12:20:48 +02:00
Erik Krogh Kristensen	db57f3661e	Merge branch 'main' into ts4	2020-08-21 15:08:30 +02:00
Erik Krogh Kristensen	65a1769d43	Merge branch 'main' into asyncCalls	2020-08-21 14:58:27 +02:00
Erik Krogh Kristensen	1b655f9046	use threadsafe cache stored in ExtractorState	2020-08-21 14:45:24 +02:00
Erik Krogh Kristensen	7aca84cd45	search directly for "package.json" instead of iterating through the files in a folder	2020-08-21 14:31:49 +02:00
Erik Krogh Kristensen	3f0f2c796c	pass extension instead of locationManager to isAlways*Module	2020-08-21 14:27:47 +02:00
Erik Krogh Kristensen	bbbb0a2c5e	specialize module.createRequire support to ES2015 modules	2020-08-21 14:14:05 +02:00
Erik Krogh Kristensen	e00951edf0	update TypeScript to 4.0.2	2020-08-21 09:50:27 +02:00
CodeQL CI	29183fa0a1	Merge pull request #4067 from erik-krogh/noBin ... Approved by esbena	2020-08-20 23:07:02 +01:00