hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
35,614 Commits 1,671 Branches 157 Tags
c20ee76826e10318f8f39c6fae901b743c2e8254
Commit Graph

654 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
b1bad271d5 only activate the PrefixString label in Query.qll files 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
8a5b1668f9 move initialization of sanitizer-guards to Query.qll files 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
73dbe44824 remove dead import 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
8d3bd9d7cd move the ExceptionXss sources into the Customizations file 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
25708c5091 move the XssThroughDom sources into the Customizations file 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
ad14bbae90 create a customizations file for StoredXss 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
162a4992a5 move the ReflectedXss sources/sinks into the Customizations file 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
173e1d0262 move the DomBasedXss sources/sinks into the Customizations file 2022-04-20 18:10:53 +02:00
Erik Krogh Kristensen
9631b68de9 move LocalUrlSanitizingGuard out of the customizations file 2022-04-20 18:10:52 +02:00
Tom Hvitved
ea229d361c Sync files 2022-04-20 13:55:18 +02:00
Asger Feldthaus
fec2837c1e JS: Ensure accessors do not appear to be calls 2022-04-20 11:14:42 +02:00
Asger Feldthaus
37a76f4441 JS: PropWrite is not a SourceNode 2022-04-20 11:14:41 +02:00
Asger Feldthaus
7d5c80433d JS: Handle accessor-calls to static accessors 2022-04-20 11:14:41 +02:00
Asger Feldthaus
37b3a6e5c0 JS: Add ClassNode.getStaticMember 2022-04-20 11:14:41 +02:00
Erik Krogh Kristensen
10130eef6d Merge pull request #8678 from erik-krogh/fileSource 
JS: Add files as a source for `js/xss-through-dom`
 2022-04-20 09:18:38 +02:00
Stephan Brandauer
2fb3147b7b Merge pull request #8430 from kaeluka/js/CVE-2022-24718 
JS: Add taint step for handlebars model
 2022-04-19 15:57:58 +01:00
Erik Krogh Kristensen
4b6d8e6865 add missing qldoc 2022-04-19 10:56:58 +02:00
Erik Krogh Kristensen
e0b5197d3c a slight refactor 2022-04-18 22:21:41 +02:00
Erik Krogh Kristensen
7f592a6c64 merge Clipboard.qll and DragAndDrop.qll, and support InputEvent 2022-04-18 22:17:31 +02:00
Erik Krogh Kristensen
4c97f68a3d remove postmessage events as source for js/resource-exhaustion 2022-04-13 23:14:42 +02:00
Erik Krogh Kristensen
51a0b6d501 remove client-side remote-flow from js/resource-exhaustion 2022-04-13 23:05:59 +02:00
Erik Krogh Kristensen
41bdd8f4da minor fixes 2022-04-13 10:11:07 +02:00
Erik Krogh Kristensen
b13e7c055b move the sanitizer-guard to the Query.qll file 2022-04-13 09:58:33 +02:00
Erik Krogh Kristensen
96e4633dfe remove more code that did nothing 2022-04-13 09:57:32 +02:00
Erik Krogh Kristensen
d35604ed82 remove the length sanitizer from loop-bound-injection - it did nothing 2022-04-13 09:43:21 +02:00
Erik Krogh Kristensen
8e47a9b242 add sanitizer step for .length in js/resource-exhaustion 2022-04-13 09:30:09 +02:00
Stephan Brandauer
fb66ccff39 handlebars taint step: conservatively assume unknown templates have no flow to helpers 2022-04-13 09:27:59 +02:00
Erik Krogh Kristensen
ebf9ba7250 remove the type-overloaded new Buffer() as a sink 2022-04-12 16:29:58 +02:00
Erik Krogh Kristensen
e2b7f7d05d reintroduce the number sinks 2022-04-12 16:26:10 +02:00
Erik Krogh Kristensen
2d6d304d7c add InclusionTest to PostMessageEventSanitizer 2022-04-12 14:12:36 +02:00
CodeQL CI
a43f3a21a8 Merge pull request #8550 from erik-krogh/classJoin 
Approved by asgerf
 2022-04-12 09:23:58 +01:00
Erik Krogh Kristensen
34abef8a6c Merge branch 'main' into dragAndDrop 2022-04-11 23:59:46 +02:00
bananabr
57fac949fd included ClipboardEvent and DragEvent as XSS sources 2022-04-11 16:37:00 -05:00
Erik Krogh Kristensen
aafa8ddc9f add support for domNode.onpaste for copy-paste events 2022-04-11 20:10:56 +02:00
Erik Krogh Kristensen
6713b2c671 add support for domNode.ondrop for drag-and-drop events 2022-04-11 20:06:12 +02:00
bananabr
121aad7fd2 updated change notes 2022-04-11 12:45:37 -05:00
CodeQL CI
9c8dee2a4d Merge pull request #8687 from asgerf/js/missing-flow-fixes 
Approved by erik-krogh
 2022-04-11 14:08:15 +01:00
bananabr
0f1582f3f6 included JavaScript drag and drop API Xss sources 2022-04-09 22:33:30 -05:00
Edoardo Pirovano
f25618eed6 Bump minor version of all packs 2022-04-08 15:38:58 +01:00
Edoardo Pirovano
ce82c54b94 Merge branch 'main' into edoardo/3.5-mergeback 2022-04-08 15:30:58 +01:00
Asger Feldthaus
81cf3d4574 JS: Use Class#getAnInstanceReference 2022-04-07 10:43:29 +02:00
Asger Feldthaus
4eda6f643f JS: Recognize subclasses of HTMLElement in domValueRef 2022-04-07 09:57:31 +02:00
Asger Feldthaus
cff8dc0537 JS: Improve flow through Array.prototype.reduce 2022-04-07 09:57:31 +02:00
Erik Krogh Kristensen
0435cee57f add a taint-step through URL.createObjectURL for js/xss-through-dom 2022-04-06 12:18:47 +02:00
Erik Krogh Kristensen
b11d48e749 add files in the DOM as a source for js/xss-through-dom 2022-04-06 12:09:07 +02:00
Asger F
de169277cb Merge pull request #8576 from asgerf/js/decorated-method-or-class 
JS: Add decorator edges in API graphs and corresponding MaD tokens
 2022-04-04 12:49:28 +02:00
github-actions[bot]
6af568b16d Post-release preparation for codeql-cli-2.8.5 2022-04-01 16:22:14 +00:00
github-actions[bot]
ee746d20df Release preparation for version 2.8.5 2022-04-01 10:39:31 +00:00
Stephan Brandauer
2cbb25acaa another review fix 2022-03-31 16:04:04 +02:00
Tom Hvitved
46d69cf544 Regex: Further tweaks to concretise computations 2022-03-31 12:52:43 +02:00