hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-18 05:26:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
29,088 Commits 1,714 Branches 162 Tags
b4eadefb925b5594aea6b77830daa9caeca17e56
Commit Graph

2954 Commits

Author SHA1 Message Date
Asger Feldthaus
f14f9449ee JS: Use getAMatchedString instead of getConstantString 2021-11-08 15:35:35 +01:00
Asger Feldthaus
b3e64f1669 JS: Add test 2021-11-08 15:32:43 +01:00
CodeQL CI
6f80387ac1 Merge pull request #6993 from asgerf/js/tainted-path-regexp-contains-check 
Approved by erik-krogh
 2021-11-08 01:52:28 -08:00
CodeQL CI
2895428d5b Merge pull request #6714 from valeria-meli/javascript/ssrf 
Approved by asgerf
 2021-11-04 03:10:27 -07:00
Asger Feldthaus
08bc80ffdb JS: Block prototype pollution assignment flows through .replace() 2021-11-03 13:24:29 +01:00
Asger Feldthaus
5f4c1dd19b JS: Support regexp-based path traversal check 2021-11-02 14:12:05 +01:00
Asger Feldthaus
83edcf515b JS: Add test for regexp-based sanitizer 2021-11-02 14:12:04 +01:00
Erik Krogh Kristensen
7a96b8e9e1 Merge branch 'main' into ldap 2021-11-02 12:47:28 +01:00
CodeQL CI
5d62aa5b29 Merge pull request #6994 from erik-krogh/redundant-cast 
Approved by RasmusWL, aschackmull, esbena, geoffw0, hvitved, nickrolfe
 2021-11-02 03:45:48 -07:00
CodeQL CI
dde493259a Merge pull request #7003 from asgerf/js/mixed-this-fp 
Approved by erik-krogh
 2021-11-01 09:13:21 +00:00
Asger Feldthaus
d52b2bd863 JS: Fix FP in ˚MixedStaticInstanceThisAccess 2021-10-29 14:16:54 +02:00
Asger Feldthaus
afa6424d67 JS: Add test with FP 2021-10-29 14:16:54 +02:00
Erik Krogh Kristensen
6fffdf6101 Merge pull request #6855 from erik-krogh/secCookie 
JS: Move cookie queries out of experimental.
 2021-10-29 10:23:48 +02:00
Erik Krogh Kristensen
15c90adec5 remove redundant cast where the type is enforced by an equality comparison 2021-10-28 18:08:20 +02:00
Erik Krogh Kristensen
e75448ebb0 remove redundant inline casts 2021-10-28 16:35:53 +02:00
Erik Krogh Kristensen
71cca6d644 Merge branch 'main' into ldap 2021-10-27 19:06:06 +02:00
Erik Krogh Kristensen
038438edca assume that setting the secure/httpOnly flag to some unknown value is good 2021-10-26 13:47:28 +02:00
Erik Krogh Kristensen
311df4d2b7 add test for the cookie npm package 2021-10-26 13:46:59 +02:00
Erik Krogh Kristensen
834d5ec6ad add session{key,id} as sensitive info 2021-10-26 13:46:59 +02:00
Erik Krogh Kristensen
1e1e549847 update tests so it's clear which cookies are insecure 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
283b8231cb add more cookie models 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
2cb3d2c53f documentation overhaul on client-exposed-cookie (and restricting it to server-side) 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
ab23ffff3d documentation overhaul for clear-text-cookie 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
f36accf3e6 only report clear-text cookies for sensitive cookies 2021-10-26 13:46:58 +02:00
Erik Krogh Kristensen
53b4337795 combine test files 2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen
6858acc6a9 port experimental cookie models to non-experimental 2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen
44db920f10 refactor, cleanup, and improvements in experimental cookie queries 2021-10-26 13:46:57 +02:00
Erik Krogh Kristensen
a3c55c2aec use set literal instead of big disjunction of literals 2021-10-26 12:55:25 +02:00
Anders Schack-Mulligen
57cb300759 C++/C#/Java/JavaScript/Python: Remove singleton set literals. 2021-10-14 11:34:22 +02:00
yoff
f6122c8a6c Merge pull request #6734 from erik-krogh/regBehind 
JS/PY: do not filter away regular expressions with lookbehinds
 2021-10-10 13:54:26 +02:00
Asger Feldthaus
c8e7df7900 JS: Add test case 2021-10-01 12:02:40 +02:00
Erik Krogh Kristensen
6a9277b5ce recognize string sanitizers for ldap-injection 2021-10-01 09:01:29 +02:00
Erik Krogh Kristensen
2062afc868 add calls to parseDN as sinks for ldap-injection 2021-10-01 09:01:28 +02:00
Erik Krogh Kristensen
c55b7bcd85 model ldap filters as taint steps 2021-10-01 09:00:10 +02:00
Erik Krogh Kristensen
9b5ff66b68 naively port tests from ldap examples 2021-10-01 09:00:10 +02:00
luciaromeroML
1f2618b893 new test case for unknown base url 2021-09-27 17:37:11 -03:00
Erik Krogh Kristensen
805d1d170c do not filter away regular expressions with lookbehinds 2021-09-22 17:14:29 +02:00
valeria-meli
054218a381 Merge branch 'main' into javascript/ssrf 2021-09-17 17:08:52 -03:00
CodeQL CI
b228398b87 Merge pull request #6587 from erik-krogh/ts44 
Approved by asgerf
 2021-09-15 04:00:13 -07:00
CodeQL CI
220f2ded85 Merge pull request #6698 from asgerf/js/template-self-assignment 
Approved by esbena
 2021-09-15 01:08:39 -07:00
Asger Feldthaus
b5db4047a0 JS: Exclude template files in SelfAssignment 2021-09-15 08:59:47 +02:00
Erik Krogh Kristensen
fdbf5f73b1 add JS support for static initializers 2021-09-14 20:40:46 +02:00
Erik Krogh Kristensen
e3ed6c2523 refactor StaticInitializer into it's own class 2021-09-14 20:40:45 +02:00
Erik Krogh Kristensen
ffd51e725f add getter for static initializer blocks 2021-09-14 20:40:45 +02:00
Erik Krogh Kristensen
9585481d0b add support for static initializer blocks in TypeScript 2021-09-14 20:40:45 +02:00
Erik Krogh Kristensen
59f15eb4eb add tests for TypeScript 4.4 types 2021-09-14 20:40:45 +02:00
Erik Krogh Kristensen
8569d261f7 add test 2021-09-13 20:43:31 +02:00
Erik Krogh Kristensen
05cc6bcf8a adjust regexp libraries to how unpaired surrogate are parsed now 2021-09-13 14:02:05 +01:00
Chris Smowton
f24d7c4212 Acknowledge new FPs due to the extractor using U+FFFD for unpaired surrogates 
These were already misinterpreted, but the ReDoS code ignored them as they previously appeared to be `?` characters.
 2021-09-13 14:02:05 +01:00
Chris Smowton
487ebdf173 Add test for Javascript literal with an unpaired surrogate character 2021-09-13 14:02:05 +01:00