Author | Commit | Message | Date
Esben Sparre Andreasen | 54e2215db4 | JS: support require in isReactImportForJSX | 2018-11-28 13:16:55 +01:00
Esben Sparre Andreasen | 737a816e6f | JS: refactor isReactImportForJSX | 2018-11-28 13:16:55 +01:00
Max Schaefer | 9c98aaf4bd | JavaScript: Refactor a few predicates to avoid materialisations. | 2018-11-28 10:51:29 +00:00
Max Schaefer | 39f1c7904b | JavaScript: Address review comments. | 2018-11-28 09:44:58 +00:00
Max Schaefer | f1c538a97b | JavaScript: Restrict RemotePropertyInjection query to avoid double-reporting. | 2018-11-28 08:16:31 +00:00
  This query now only flags user-controlled property and header writes, method calls are handled by the new unsafe/unvalidated method call queries.
Max Schaefer | 2889e07eb8 | JavaScript: Add new query UnvalidatedDynamicMethodCall. | 2018-11-28 08:16:31 +00:00
Aditya Sharad | 5d5bfc215e | Merge rc/1.19 into next. | 2018-11-27 12:04:46 +00:00
Max Schaefer | cf1e7cff3f | JavaScript: Move an auxiliary predicate into shared library. | 2018-11-27 12:03:25 +00:00
Max Schaefer | 8e54c7ab6c | Merge pull request #503 from asger-semmle/unsafe-global-object-access | 2018-11-26 15:56:20 +00:00
  JS: add method name injection query
Esben Sparre Andreasen | 2d7f09d321 | JS(ql): support nullish coalescing operators | 2018-11-26 10:31:19 +01:00
Esben Sparre Andreasen | a2a798e59c | JS(extractor): support nullish coalescing operators | 2018-11-26 09:45:19 +01:00
Aditya Sharad | c20b688a3f | Merge master into next. | 2018-11-23 16:36:31 +00:00
semmle-qlci | 04c2b23abd | Merge pull request #520 from esben-semmle/js/clear-text-logging-taint-kinds | 2018-11-23 12:40:40 +00:00
  Approved by asger-semmle
Esben Sparre Andreasen | b780f82869 | JS: sharpen js/clear-text-logging (ODASA-7485) | 2018-11-22 13:38:43 +01:00
Asger F | 61ef6552c3 | JS: handle both data() and taint() source labels | 2018-11-22 09:59:31 +00:00
semmle-qlci | 4e72a08b8d | Merge pull request #507 from esben-semmle/js/mixed-static-intance-this-access-inheritance | 2018-11-21 16:07:25 +00:00
  Approved by xiemaisi
semmle-qlci | f5d3274655 | Merge pull request #508 from esben-semmle/js/indirect-global-call-with-default-arguments | 2018-11-21 16:06:46 +00:00
  Approved by xiemaisi
Asger F | 27c9326e70 | JS: address doc review | 2018-11-21 14:19:14 +00:00
Esben Sparre Andreasen | 72c4ef4d90 | JS: fixup optional chaining on CallWithNonLocalAnalyzedReturnFlow | 2018-11-21 14:18:14 +01:00
Asger F | 8c7e19567b | JS: fix string value of taint configuration | 2018-11-21 12:35:35 +00:00
Asger F | 4ae2493798 | JS: rename query to Unsafe Dynamic Method Access | 2018-11-21 12:34:18 +00:00
Asger F | cb832b1de9 | Merge branch 'unsafe-global-object-access' of github.com:asger-semmle/ql into unsafe-global-object-access | 2018-11-21 11:14:21 +00:00
Asger F | 84d642612e | JS: more comments | 2018-11-21 11:14:13 +00:00
Max Schaefer | fa761c07bd | Update javascript/ql/src/Security/CWE-094/MethodNameInjection.ql | 2018-11-21 10:55:38 +00:00
  Co-Authored-By: asger-semmle <42069257+asger-semmle@users.noreply.github.com>
Esben Sparre Andreasen | caea6212ed | JS: use inheritance in js/mixed-static-instance-this-access | 2018-11-21 09:48:37 +01:00
Esben Sparre Andreasen | 01ad9ed8bc | JS: address review comments | 2018-11-21 09:19:20 +01:00
Esben Sparre Andreasen | 41b45352aa | JS(ql): support optional chaining | 2018-11-21 08:57:10 +01:00
Esben Sparre Andreasen | 00587ba7b4 | JS(extractor): support optional chaining | 2018-11-21 08:57:10 +01:00
Asger F | 7d80847832 | JS: add qhelp example to test suite | 2018-11-20 18:44:18 +00:00
Asger F | 4138f814d8 | JS: expand example | 2018-11-20 18:42:49 +00:00
Asger F | 260ae36cf8 | JS: document the shared module | 2018-11-20 18:27:02 +00:00
Asger F | 3902f752d0 | JS: share detection of objects with unsafe methods | 2018-11-20 18:26:20 +00:00
Asger F | b16072a7be | JS: share ConcatSanitizer in common module | 2018-11-20 18:24:52 +00:00
Asger F | 49cd2876c9 | JS: use StringConcatenation library in ConcatSanitizer | 2018-11-20 18:12:07 +00:00
Asger F | 1c06f45046 | JS: address some comments | 2018-11-20 18:11:46 +00:00
semmle-qlci | b21b066255 | Merge pull request #499 from xiemaisi/js/target-blank-location | 2018-11-20 17:16:05 +00:00
  Approved by esben-semmle
Asger F | 8aff66616b | JS: suppress similar alerts from RemotePropertyInjection | 2018-11-20 15:57:18 +00:00
Asger F | 2239f863f7 | JS: add query MethodNameInjection | 2018-11-20 15:57:18 +00:00
Asger F | bc3b983768 | JS: move CodeInjection tests into subfolder | 2018-11-20 14:24:37 +00:00
semmle-qlci | 1c1d2e943a | Merge pull request #496 from esben-semmle/js/yui-directives | 2018-11-20 12:59:55 +00:00
  Approved by xiemaisi
semmle-qlci | 8333f72030 | Merge pull request #470 from esben-semmle/custom-abstract-values-only | 2018-11-20 12:59:35 +00:00
  Approved by xiemaisi
Max Schaefer | c1690a69e5 | JavaScript: Make TargetBlank only highlight the first line of the link. | 2018-11-20 12:53:27 +00:00
  Otherwise alerts for multi-line `<a>` elements end up looking very red.
  I also took the opportunity to improve the tests slightly.
Esben Sparre Andreasen | 82fc8ae32a | JS: support indirection with extra args in js/missing-this-qualifier | 2018-11-20 11:29:03 +01:00
Esben Sparre Andreasen | 54fea1a4cb | JS: support "xyz:nomunge" YUI compressor directives | 2018-11-20 09:00:33 +01:00
Esben Sparre Andreasen | ee7a6af7c7 | JS: address review comments | 2018-11-20 08:37:23 +01:00
semmle-qlci | 26a248b14a | Merge pull request #487 from xiemaisi/js/lint-join-order | 2018-11-20 06:51:33 +00:00
  Approved by esben-semmle
semmle-qlci | 7df397f8ab | Merge pull request #486 from xiemaisi/js/lower-severities | 2018-11-20 06:39:23 +00:00
  Approved by asger-semmle
Max Schaefer | 6021d2499d | JavaScript: Remove accidentally committed .actual file. | 2018-11-19 12:24:19 +00:00
Pavel Avgustinov | 16ec9f1aa4 | Merge remote-tracking branch 'origin/next' into bump/master-next | 2018-11-19 10:37:07 +00:00
Max Schaefer | 73ad3f5c8a | JavaScript: Tweak JSLint library to avoid bad join order. | 2018-11-19 09:12:02 +00:00