hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
35,614 Commits 1,671 Branches 157 Tags
c20ee76826e10318f8f39c6fae901b743c2e8254
Commit Graph

6849 Commits

Author SHA1 Message Date
Tom Hvitved
9440a45015 Merge branch 'main' into post-release-prep/codeql-cli-2.8.0 2022-02-09 09:40:33 +01:00
Chuan-kai Lin
a7f1ee574c Upgrade scripts testing: set initial dbschemes 
This commit sets initial dbschemes for cpp, csharp, java, javascript, and
python so that automated testing for upgrade scripts would also cover legacy
upgrades.
 2022-02-08 11:11:41 -08:00
Erik Krogh Kristensen
4bbb7ad320 Merge pull request #7876 from erik-krogh/zipRelative 
JS: recognize more startswith sanitizers for path-injection queries
 2022-02-08 15:22:39 +01:00
Erik Krogh Kristensen
28ba78cb76 add explicit this 2022-02-08 12:20:21 +01:00
Erik Krogh Kristensen
d73b2effa0 rename maybeGetJoinArg maybeGetPathSuffix 2022-02-08 10:42:06 +01:00
Erik Krogh Kristensen
cc3f9bf2a8 fix performance issue by inlining a simpler version of getASourceProp 2022-02-08 00:22:01 +01:00
Erik Krogh Kristensen
aa95dd4ec7 fix typo 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2022-02-08 00:19:40 +01:00
Erik Krogh Kristensen
b59c7911a3 update locations of expected output 2022-02-07 15:23:26 +01:00
Erik Krogh Kristensen
ca5f91e587 recognize more startswith sanitizers for path-injection queries 2022-02-07 14:19:13 +01:00
Erik Krogh Kristensen
6f28cb9201 lower the precision of js/unsafe-code-construction 2022-02-07 13:35:29 +01:00
Erik Krogh Kristensen
06f9924194 add change note 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
896d2bad0e update expected output now that JSON.stringify() is seen as a sanitizer 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
d1d4ebb3b5 add values written to the global scope as exports 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
91b03f56ad move .qll files from src to lib 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
eb133f59f6 update qhelp to focus on properly documenting potentially unsafe library functions 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
a9f7756788 reuse utility predicate 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
681179dcbb add comment about parameters named "code" 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
53315e6ab6 ignore sources named "code" 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
59cc099008 add missing qldoc 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
d77c28f6a7 add qhelp for unsafe-code-construction 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
d790f3ccbb add test for unsafe-code-construction query 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
198a464346 add js/unsafe-code-construction query 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
955ad8c458 add JSON.stringify as a code-injection sanitizer 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
68a5c1f5b5 add code-injection sink for calls to node 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
0584a6acaf recognize a nodejs re-exports in a loop 2022-02-07 10:12:38 +01:00
github-actions[bot]
b4ab86c020 Post-release preparation for codeql-cli-2.8.0 2022-02-06 23:34:07 +00:00
Erik Krogh Kristensen
ab2d3a7ca0 Merge pull request #7828 from Naman-ntc/main 
JS: Adding model for `.get` function of `Map` in Unvalidated Dynamic Method Call
 2022-02-04 20:19:02 +01:00
Erik Krogh Kristensen
f00d723c49 Merge pull request #7843 from erik-krogh/CVE-2021-23484 
JS: add file sources from `jszip` to `js/zip-slip`
 2022-02-04 20:17:43 +01:00
Ian Wright
6c3daf49f9 Merge pull request #7785 from github/z80coder/impose-length-restriction 
Restrict AST nodes according to string length
 2022-02-04 16:35:04 +00:00
Ian Wright
be5e8dae05 Update javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/FunctionBodyFeatures.qll 
Co-authored-by: Henry Mercer <henrymercer@github.com>
 2022-02-04 15:41:50 +00:00
Ian Wright
e57a0e0e2f Update javascript/ql/experimental/adaptivethreatmodeling/lib/experimental/adaptivethreatmodeling/FunctionBodyFeatures.qll 
Co-authored-by: Henry Mercer <henrymercer@github.com>
 2022-02-04 15:21:56 +00:00
Ian Wright
b38335a6c2 add QL comment; inline a predicate; restore a comment 2022-02-04 15:21:09 +00:00
Erik Krogh Kristensen
edcb3ba902 add file sources from jszip to js/zip-slip 2022-02-04 14:39:49 +01:00
Naman Jain
009c95774e update expected files 2022-02-04 12:28:17 +00:00
Naman Jain
5e1ca3154f Update javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCallGood3.js 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2022-02-04 16:13:05 +05:30
Naman Jain
5121414a53 Update javascript/ql/test/query-tests/Security/CWE-754/UnvalidatedDynamicMethodCallGood4.js 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2022-02-04 16:12:58 +05:30
Esben Sparre Andreasen
d08c0f7852 Merge pull request #7817 from github/esbena-patch-7 
Document and format event-stream-orig.js
 2022-02-04 10:26:30 +01:00
Esben Sparre Andreasen
72b5edc144 Document and format event-stream-orig.js 
Some anti-virus products (rightfully) flag this event-stream-orig.js as a malicious file.
This change does two things:
- neutralises the file such that the code can not be run accidentally
- documents the purpose of the file
 2022-02-04 09:27:47 +01:00
Henry Mercer
224d7a7ce0 Merge pull request #7801 from github/henrymercer/js-atm-migrate-tests 
JS: Migrate CodeQL tests for ML-powered queries
 2022-02-03 10:17:19 +00:00
Ian Wright
dca03d7b5d reinstate the AST node limit to minimize change to feature values 2022-02-03 09:45:35 +00:00
Ian Wright
d5ab119039 actually count the number of chars 2022-02-03 09:41:51 +00:00
Naman Jain
9809d30f00 file renaming and updated expected file 2022-02-03 09:35:17 +00:00
Naman Jain
adc8bf37fe fixed mistake in examples 2022-02-03 09:29:42 +00:00
Henry Mercer
a586be956e JS: Remove versions from packs we don't intend to publish 2022-02-02 18:10:57 +00:00
Naman Jain
aea7054938 modified query and added tests 2022-02-02 19:39:08 +05:30
Henry Mercer
7018f6ad40 JS: Add missing @id for endpoint types query 2022-02-02 13:15:15 +00:00
Henry Mercer
fbcb8d6857 JS: Migrate CodeQL tests for ML-powered queries 2022-02-02 13:15:04 +00:00
Arthur Baars
33b97f3e0c Update synchronized files 2022-02-02 13:30:45 +01:00
Henry Mercer
14601316a5 JS: Autoformat 2022-02-01 17:08:21 +00:00
Henry Mercer
368839edfc JS: Fix QLDoc style in ExtractMisclassifiedEndpointFeatures.ql 2022-02-01 15:39:15 +00:00