hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-18 05:24:01 +02:00
Code Issues Packages Projects Releases Wiki Activity
77,281 Commits 1,740 Branches 165 Tags
ab1f9292284a49233ab7e59de7b6d0bcbc66ecee
Commit Graph

11071 Commits

Author SHA1 Message Date
Asger F
ab1f929228 JS: Add downgrade script 2025-03-27 11:52:08 +01:00
Asger F
02ee8cfe2d JS: Add upgrade script 2025-03-27 11:51:27 +01:00
Asger F
da269c6fb1 JS: More test updates 2025-03-27 11:51:25 +01:00
Asger F
50202d574f JS: Update some deprecated calls to getName() 2025-03-27 11:51:24 +01:00
Asger F
c8817d9667 JS: Parse with proper locations 2025-03-27 11:51:23 +01:00
Asger F
cc2bec0808 JS: Ensure correct value is used in parseNameExpression() 
The call to expect() below here updates 'token' and 'value' to that of the NEXT token (not the name).

The code happened to work because the 'value' field is only updated if a token with a relevant value is found. E.g. if a name token could be followed by another name, then we would have seen the wrong name here.
 2025-03-27 11:51:21 +01:00
Asger F
6868f66108 JS: Restrict size of hasNameParts 
Test updates look OK. Some intermediate results are omitted but the
qualified name of the final type names are still present.
 2025-03-27 11:51:20 +01:00
Asger F
b1554443d8 JS: Update TRAP output 2025-03-27 11:51:19 +01:00
Asger F
328bf753b4 JS: Benign test updates 2025-03-27 11:51:17 +01:00
Asger F
fa53ff9f3e JS: Update extractor version string 2025-03-27 11:51:16 +01:00
Asger F
3a6089740e JS: Separate JSDoc qualified names into individual identifiers 2025-03-27 11:51:14 +01:00
Asger F
c61454b5ca JS: Remove unused 'spec' field 2025-03-27 11:51:13 +01:00
Asger F
d9c158923a Merge pull request #19069 from asgerf/js/jsdoc-parser 
JS: Use StringBuilder when building up type name in JSDoc
 2025-03-20 16:17:58 +01:00
Asger F
bf9d7484e4 JS: Use StringBuilder when building up type name 
This code was a bit of a performance cringe. It copied every character
into a temporary array, copied that into a String, and slow-appended
that onto another String.

Note that the call to Characters.toChars is redundant here as advance()
doesn't return a code point; it returns -1 or a UTF-16 char. The -1 case
is checked for before reaching the call, so we can just cast it to
a char and use it directly.

We use a StringBuilder to accumulate the string. Normally it's faster
to track the start/end indices and do a substring(), but that won't
work in the JSDoc extractor because of the star-skipping logic in
advance().
 2025-03-20 09:43:10 +01:00
Chris Smowton
9a2a13ed55 Merge remote-tracking branch 'origin/main' into smowton/admin/merge-rc317-into-main 2025-03-19 16:01:29 +00:00
Asger F
1324c11044 Merge pull request #19012 from asgerf/js/api-graph-array-element 
JS: Make API graphs use steps from summaries
 2025-03-18 18:03:43 +01:00
Asger F
53ba588993 JS: Use ArrayElement instead of AnyMember 
The use of AnyMember was a workaround until the bugfix in this PR landed.
 2025-03-18 09:26:02 +01:00
github-actions[bot]
51cdeefafb Post-release preparation for codeql-cli-2.20.7 2025-03-17 13:00:41 +00:00
Asger F
1516029cf5 JS: Avoid generating ArrayElement edges for extend-like patterns 2025-03-17 13:48:27 +01:00
Asger F
125e732c4c JS: Fix bad join order 2025-03-17 13:44:33 +01:00
github-actions[bot]
2d64a618e6 Release preparation for version 2.20.7 2025-03-17 12:15:54 +00:00
Napalys Klicius
749a0560b4 Merge pull request #19027 from Napalys/js/escape 
JS: Add support for `escape`
 2025-03-17 10:48:44 +01:00
Napalys Klicius
478e32cbe5 Update javascript/ql/lib/semmle/javascript/security/dataflow/TaintedPathCustomizations.qll 
Co-authored-by: Asger F <asgerf@github.com>
 2025-03-17 10:17:39 +01:00
Napalys Klicius
9134f79fd2 Merge pull request #18984 from Napalys/js/extractor_error_handler 
JS: Extractor handle error instead of exiting.
 2025-03-17 10:11:26 +01:00
Asger F
cd3909245d JS: Bugfix in Array constructor summary 2025-03-14 23:08:22 +01:00
Asger F
fe1bdf2468 JS: Update a test 2025-03-14 23:08:20 +01:00
Asger F
ab74898bbb JS: Deprecate getUnknownMember() and replace its uses with getArrayElement() 
Although they mean slightly different things, every single call site
of getUnknownMember() just used it as a way to get array elements.

Since there is no known use-case for the original meaning of
getUnknownMember() I am deprecating it for now.
 2025-03-14 23:08:19 +01:00
Asger F
4c1c0b79a6 JS: Make API-graphs use Content internally, and use steps from flow summaries 2025-03-14 23:08:16 +01:00
Asger F
cc95c77cbc JS: Add failing test 2025-03-14 23:04:10 +01:00
Napalys
c93be70053 Rename validation methods for type expressions and added recursive call for type validation. 
Co-authored-by: Asgerf <asgerf@github.com>
 2025-03-14 14:58:27 +01:00
Napalys
4a691b778b Added escape as UriEncodingSanitizer 2025-03-14 14:53:21 +01:00
Napalys
37e02e4261 Added escape as StringManipulationTaintStep. 2025-03-14 14:49:45 +01:00
Napalys
4c77ee2f4f Added change note. 2025-03-14 14:27:14 +01:00
Napalys
933f3c6f77 Refactor Tanstack integration: remove Tanstack framework and added model as data for it instead. 2025-03-14 13:52:05 +01:00
Napalys
d40ef0ddae Changed from taint to value steps. 
Co-authored-by: Asgerf <asgerf@github.com>
 2025-03-14 13:48:15 +01:00
Napalys
1468e81c55 Ensure interface extends valid expr. 2025-03-14 13:41:37 +01:00
Napalys
dc262236f4 Enhance taint tracking by including escape and unescape in TaintedPath customizations. 2025-03-14 11:43:22 +01:00
Napalys
c4b717b86c Added test case for escape. 2025-03-14 11:40:23 +01:00
Napalys
66737402c2 Updated test ouput with fixes from main. 2025-03-14 10:50:10 +01:00
Napalys Klicius
908f48a22f Merge branch 'main' into js/vue_tanstack_model 2025-03-14 10:45:42 +01:00
Asger F
9a8cb1a55b Merge pull request #19007 from asgerf/js/api-graph-awaited-return 
JS: Fix bug in API graphs getPromised() missing async function returns
 2025-03-14 10:36:16 +01:00
Napalys
0df2069575 Added change note. 2025-03-13 13:47:46 +01:00
Napalys
de5c7efd63 Added test case for unescape. 2025-03-13 13:47:42 +01:00
Asger F
08ee51cbc4 JS: Move some promise-related store steps into PromiseFlow::storeStep 
API graphs calls PromiseFlow::storeStep to propagate promises, which means it missed a store steps added elsewhere in the old promise library model.

We want API graphs to rely on type-tracking steps in general, like in Ruby, but for now just fixing the bug.
 2025-03-13 12:53:04 +01:00
Napalys
5dff23de6b Added change note. 2025-03-13 12:45:27 +01:00
Napalys
3640e5e425 Added model for tanstack-react useQueries 2025-03-13 12:45:26 +01:00
Napalys
03330ef24d Added test cases for tanstack-react useQueries. 2025-03-13 12:45:25 +01:00
Napalys
6c9aa0e872 Added modeling of tanstack-vue useQueries. 2025-03-13 12:45:23 +01:00
Napalys
4917d64ce7 Added test cases for tanstack-vue useQueries. 2025-03-13 12:45:05 +01:00
Napalys
0c0158899e Added tanstack-vue useQuery modeling 2025-03-13 12:25:07 +01:00