hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 20:56:33 +01:00
Code Issues Packages Projects Releases Wiki Activity
50,146 Commits 1,673 Branches 157 Tags
aba744029383c3fb3e705bcf157c96ffab1c59cd
Commit Graph

1236 Commits

Author SHA1 Message Date
github-actions[bot]
b0315119c6 Release preparation for version 2.12.3 2023-02-16 11:49:06 +00:00
Rasmus Wriedt Larsen
c72dbc49fc Merge pull request #12165 from RasmusWL/crypto-updates 
Python/Ruby/JS Crypto: Add a few algorithms + block modes
 2023-02-15 14:35:40 +01:00
Erik Krogh Kristensen
2f8c9a5a2c Merge pull request #12171 from erik-krogh/reg-dot 
JS: dont recognize regexps that match dot as sanitizers
 2023-02-14 14:10:44 +01:00
Erik Krogh Kristensen
e3e2df3247 Merge pull request #12166 from erik-krogh/more-html-san 
JS: add `HtmlSanitizer` as a sanitizer DOMBasedXss
 2023-02-14 14:09:56 +01:00
Erik Krogh Kristensen
028fcc7edf Merge pull request #11959 from erik-krogh/ssrfSan 
JS: add encodeURIComponent as a sanitizer for request-forgery
 2023-02-14 13:39:53 +01:00
Erik Krogh Kristensen
a498936f16 Merge pull request #12170 from erik-krogh/more-lib 
JS: More library inputs
 2023-02-14 13:38:00 +01:00
erik-krogh
c17d057520 default to index.js when no main: is specified in package.json, and recognize more classes as library inputs 2023-02-13 21:24:41 +01:00
erik-krogh
68656274f4 dont recognize regexps that match dot as sanitizers 2023-02-13 17:36:51 +01:00
erik-krogh
b85bfc8ba6 add HtmlSanitizer as a sanitizer for DOMBasedXss 2023-02-13 11:57:29 +01:00
Rasmus Wriedt Larsen
5235964b07 sync files 2023-02-13 10:44:12 +01:00
erik-krogh
91393a7bc8 add change-note 2023-02-12 23:28:01 +01:00
erik-krogh
6474cfd4c8 add support for express-ws 2023-02-12 23:25:27 +01:00
github-actions[bot]
faf21f3edb Post-release preparation for codeql-cli-2.12.2 2023-02-02 23:01:04 +00:00
github-actions[bot]
a4fa984792 Release preparation for version 2.12.2 2023-02-02 14:34:55 +00:00
yoff
7ae389bb28 Merge pull request #12026 from erik-krogh/nodePty 
JS: add code-injection sink for node-pty
 2023-01-31 13:27:32 +01:00
erik-krogh
0cefa98490 add missing word to the change-note 2023-01-31 11:53:17 +01:00
erik-krogh
95c19698c7 add change-note 2023-01-31 11:09:07 +01:00
erik-krogh
e5e8496084 fix QL-for-QL warnings 2023-01-31 10:55:27 +01:00
erik-krogh
02da718786 add code-injection sink for node-pty 2023-01-30 15:14:25 +01:00
erik-krogh
e3455a9b21 add support for axios used as a global variable 2023-01-29 22:55:20 +01:00
Erik Krogh Kristensen
99bad77972 Merge pull request #11906 from erik-krogh/moreStem 
JS: expand what is parsed as the stem of a pathexpr
 2023-01-25 08:44:44 +01:00
Erik Krogh Kristensen
fc66c905ff Merge pull request #11859 from erik-krogh/moreShell 
JS: slightly broaden the regular expression that recognizes bad string-concats used as shell commands
 2023-01-23 22:26:17 +01:00
erik-krogh
11894144aa remove regular expression that did nothing 2023-01-23 16:38:09 +01:00
erik-krogh
3cece50f78 add encodeURIComponent as a sanitizer for request-forgery 2023-01-23 13:53:53 +01:00
Michael Nebel
69a42d8b1f Merge pull request #11931 from michaelnebel/csharp/refactor 
Remove the Csv postfix of some predicate names.
 2023-01-23 09:09:48 +01:00
github-actions[bot]
b62cb6ba84 Post-release preparation for codeql-cli-2.12.1 2023-01-20 19:49:56 +00:00
github-actions[bot]
005b3e4a47 Release preparation for version 2.12.1 2023-01-20 12:03:19 +00:00
Michael Nebel
dc223cb82e Sync files and make corresponding changes for other languages. 2023-01-19 15:14:06 +01:00
erik-krogh
4b74dec18f expand what is parsed as the stem of a pathexpr 2023-01-17 21:28:21 +01:00
Erik Krogh Kristensen
8ccc384043 Merge pull request #11858 from erik-krogh/moreSpawn 
JS: track shell:true more in js/shell-command-constructed-from-input
 2023-01-16 13:24:50 +01:00
erik-krogh
71af8ab022 simplifications inspired by review 2023-01-13 13:18:52 +01:00
erik-krogh
7ae27bcc34 fix errors in JS printAst 2023-01-12 15:37:52 +01:00
Erik Krogh Kristensen
54c780bdf9 Merge pull request #11853 from erik-krogh/assignMore 
JS: add local flow when recognizing Object.assign calls for library-inputs
 2023-01-10 17:04:29 +01:00
Tony Torralba
72a11e737d Merge pull request #11775 from atorralba/atorralba/all/omittable-exists 
All: Remove omittable exists variables
 2023-01-10 16:07:06 +01:00
erik-krogh
62b69bbd3e autoformat 2023-01-10 15:38:13 +01:00
Erik Krogh Kristensen
ce8836fb65 Update javascript/ql/lib/semmle/javascript/PackageExports.qll 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2023-01-10 15:30:44 +01:00
erik-krogh
43696f5e27 add explicit this 2023-01-10 15:27:37 +01:00
erik-krogh
23a847b1cf track shell:true more in js/shell-command-constructed-from-input 2023-01-10 15:27:37 +01:00
erik-krogh
5c388c554c fix that the TypeTracker was unrestricted for the base-case of nonFirstLocationType 2023-01-10 13:39:50 +01:00
Tony Torralba
3b6dae41cd JavaScript: Remove omittable exists variables 2023-01-10 13:37:21 +01:00
erik-krogh
79e161e046 slightly broaden the regular expression that recognizes bad string-concats used as shell commands 2023-01-10 12:49:37 +01:00
erik-krogh
9f100ef2c6 add local flow when recognizing Object.assign calls for library-inputs 2023-01-09 17:44:11 +01:00
erik-krogh
90f9e3f825 recognize an infinite repetition of a char-class like regex as a char-class like regex 2023-01-09 17:25:08 +01:00
github-actions[bot]
cdb8f67601 Post-release preparation for codeql-cli-2.12.0 2023-01-06 10:36:34 +00:00
Jeroen Ketema
170242f79c Apply suggestions from code review 2023-01-05 17:57:19 +01:00
github-actions[bot]
b6a8193785 Release preparation for version 2.12.0 2023-01-05 16:32:14 +00:00
Aditya Sharad
ed73875fac Merge pull request #11747 from adityasharad/tutorial/library-pack 
Tutorial: Move QL detective tutorial library into shared `codeql/tutorial` library pack
 2023-01-04 08:24:53 -08:00
Erik Krogh Kristensen
cedc9c0bff Merge pull request #11582 from erik-krogh/heuristics 
JS: Add experimental variants of common security queries with more sources
 2023-01-04 10:46:19 +01:00
Aditya Sharad
ed29b3e4d6 Shared packs: Depend on codeql/tutorial from all language libraries 
This allows `import tutorial` from queries targeting
any language, just like before, while removing the
duplicate copies of `tutorial.qll`.
 2022-12-19 15:52:11 -08:00
erik-krogh
66be8cda06 remove more of the implementation into ConditionalBypassQuery.qll 2022-12-19 14:37:19 +01:00