codeql

mirror of https://github.com/github/codeql.git synced 2026-03-05 23:26:51 +01:00

Author	SHA1	Message	Date
Asger F	c8b2674206	JS: Add support for index expressions	2025-06-25 14:31:22 +02:00
Asger F	b1d4776b17	JS: Handle name resolution through dynamic imports	2025-06-25 14:31:20 +02:00
Asger F	7cc248703a	JS: Add test for dynamic imports	2025-06-25 14:31:17 +02:00
Asger F	f5f12c2f81	JS: Delete or simplify TypeScript type-specific tests	2025-06-23 12:55:15 +02:00
Asger F	fb92d9b034	JS: Update type usage in UnreachableMethodOverloads This query depended on the cons-hashing performed by type extraction to determine if two types are the same. This is not trivial to restore, but not important enough to reimplement right now, so for now just simplifying the query's ability to recognise that two types are the same.	2025-06-23 12:55:06 +02:00
Asger F	b71d09630a	JS: Update type usage in Electron model	2025-06-23 12:55:03 +02:00
Napalys Klicius	3fbe348f99	Merge pull request #19784 from Napalys/js/express_middleware JS: Improve Express middleware taint tracking	2025-06-20 15:36:26 +02:00
Napalys Klicius	bca536c5b6	Merge remote-tracking branch 'origin/main' into js/quality/loop_shift	2025-06-20 11:30:20 +02:00
Napalys Klicius	f80651e78a	Merge pull request #19750 from Napalys/js/remove_encodeURI JS: remove `encodeURI` from sanitizer list of request forgery	2025-06-19 14:12:52 +02:00
Napalys Klicius	53cae4fa97	Merge remote-tracking branch 'origin/main' into js/quality/loop_shift	2025-06-19 10:21:52 +02:00
Napalys Klicius	060b98d36c	JS: enchance middleware taint tracking via local source	2025-06-17 08:30:19 +02:00
Napalys Klicius	da21a064ac	JS: add `_parsedUrl` as remote input source	2025-06-16 16:28:30 +02:00
Napalys Klicius	67aac7abfa	JS: add test cases for middleware property assignment tracking	2025-06-16 16:26:08 +02:00
Napalys Klicius	bdbc49c63f	JS: Removed `encodeURI` from request forgery sanitizer list	2025-06-16 13:08:11 +02:00
Napalys Klicius	deb715a517	JS: Add test case with `encodeURI` for request forgery	2025-06-16 10:49:29 +02:00
Napalys Klicius	5a107ec33b	JS: track taint through `serialize-javascript` calls with object arguments	2025-06-16 10:38:20 +02:00
Napalys Klicius	a96ea182c7	JS: add test cases for `serialize-javascript` with tainted object properties	2025-06-16 09:30:52 +02:00
Napalys Klicius	0906d85b39	Merge pull request #19726 from Napalys/js/quality/string_interpolation JS: Promote `js/template-syntax-in-string-literal` to the Code Quality suite.	2025-06-13 13:36:53 +02:00
Napalys Klicius	28ae39694f	Merge pull request #19741 from Napalys/js/quality/suspicious_method_names JS: Promote `js/suspicious-method-name-declaration` to the Code Quality suite.	2025-06-12 15:30:13 +02:00
Napalys Klicius	66d66fe87d	JS: fix false positives for splice with conditional index decrement	2025-06-12 14:51:10 +02:00
Napalys Klicius	7292a76ee4	JS: add test cases for false positives in `loop-iteration-skipped-due-to-shifting`	2025-06-12 14:39:47 +02:00
Napalys Klicius	923aff2439	JS: Fixed false positive on manual string interpolation.	2025-06-12 11:35:33 +02:00
Napalys Klicius	bafe7e66ad	JS: Fix template literal detection in string concatination	2025-06-12 11:18:20 +02:00
Napalys Klicius	861e4ee11e	JS: Added test cases including manual interpolation and string concatination.	2025-06-12 11:15:36 +02:00
Napalys Klicius	41f4236b86	JS: expanded `suspicious-method-name-declaration` test suite	2025-06-12 09:29:30 +02:00
Asger F	423ffc78db	Merge pull request #19078 from asgerf/js/name-resolution JS: QL-side type/name resolution for TypeScript and JSDoc	2025-06-11 14:17:11 +02:00
Napalys Klicius	6811cad687	Merge pull request #19711 from Napalys/js/quality/promote_duplicate_char_class JS: Promote `js/regex/duplicate-in-character-class` to quality	2025-06-11 11:05:07 +02:00
Napalys Klicius	51b83dbce5	Merge pull request #19579 from Napalys/js/dom_property_access JS: Improve `useless-expression` query to avoid duplicate alerts on compound expressions	2025-06-10 15:17:13 +02:00
Napalys Klicius	a0db250dc3	Update javascript/ql/test/query-tests/RegExp/DuplicateCharacterInCharacterClass/tst.js Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>	2025-06-10 12:50:07 +02:00
Napalys Klicius	42a880bf58	Improved test coverage for `js/regex/duplicate-in-character-class`	2025-06-10 11:07:22 +02:00
Napalys Klicius	c97da2eda5	Exclude expressions that are part of a conditional expression	2025-06-10 10:56:11 +02:00
Napalys Klicius	b7f7092ab3	Added test cases for better test coverage	2025-06-10 09:37:40 +02:00
Asger F	42f762a140	JS: Update test output now that 'satisfies' is a SourceNode	2025-06-09 16:22:30 +02:00
Asger F	691fdb106e	JS: Nicer jump-to-def for function declarations	2025-06-04 22:17:42 +02:00
Asger F	57fad7e6c9	JS: Add SatisfiesExpr	2025-06-04 22:17:40 +02:00
Asger F	79101fd121	JS: Add test with type casts	2025-06-04 22:17:39 +02:00
Napalys Klicius	aac56e089a	JavaScript: Fix false positive on Flow type annotations in `ExprHasNoEffect`	2025-06-03 15:26:22 +02:00
Napalys Klicius	46b5ded862	JS: Enhance void context propagation	2025-06-03 15:20:55 +02:00
Napalys Klicius	bf48b59874	JS: Removed exclusion of `FunctionExpr` from compound statements.	2025-06-03 15:12:26 +02:00
Napalys Klicius	8521c53a40	Renamed test directory to match the query name Co-Authored-By: Asger F <316427+asgerf@users.noreply.github.com>	2025-06-03 14:12:12 +02:00
Napalys Klicius	d1869941c2	Renamed `UnhandledStreamPipe.ql` to a better fitting name and ID As a side effect of merge `security-and-quality` does not contain anymore related new query. Co-Authored-By: Asger F <316427+asgerf@users.noreply.github.com>	2025-06-03 13:57:10 +02:00
Napalys Klicius	f6e7059589	Merge branch 'main' into js/quality/stream_pipe	2025-06-03 13:48:41 +02:00
Napalys Klicius	bca1bc7153	JS: Enhance `isDomProperty` to check for `getAPropertyRead` on DOM nodes	2025-06-02 14:56:45 +02:00
Napalys Klicius	9b2ef8be10	JS: add test for DOM access where expression appears to have no side effects	2025-06-02 14:54:46 +02:00
Napalys Klicius	298ef9ab12	Now able to track error handler registration via instance properties	2025-06-02 11:01:41 +02:00
Napalys Klicius	b9b62fa1c1	JS: Add `URL` from `url` package constructor taint step for request forgery detection	2025-05-30 18:32:02 +02:00
Napalys Klicius	19cc3e335f	JS: Add test case for `RequestForgery` with url wrapped via package `URL`	2025-05-30 18:26:47 +02:00
Napalys Klicius	f843cc02f6	Fix false positives in stream pipe analysis by improving error handler tracking via property access.	2025-05-30 18:08:04 +02:00
Napalys Klicius	5bb29b6e33	Now flags only `.pipe` calls which have an error somewhere down the stream, but not on the source stream.	2025-05-28 17:17:43 +02:00
Napalys Klicius	5214cc0407	Excluded `ngrx`, `datorama`, `angular`, `react` and `langchain` from stream pipe query.	2025-05-27 09:45:37 +02:00

1 2 3 4 5 ...

4900 Commits