codeql

mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00

Author	SHA1	Message	Date
CodeQL CI	f274f06d9b	Merge pull request #7409 from asgerf/js/track-functions-with-methods Approved by erik-krogh	2021-12-16 09:01:42 +00:00
CodeQL CI	acbf7913b2	Merge pull request #7408 from asgerf/js/trusted-types-sinks Approved by esbena	2021-12-16 08:59:51 +00:00
Asger Feldthaus	53b3581ed0	JS: Add test to stress flow through properties	2021-12-15 17:16:56 +01:00
Asger F	784991cce5	Update javascript/ql/lib/semmle/javascript/Routing.qll Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2021-12-15 16:38:38 +01:00
Asger Feldthaus	79e6dcaf68	JS: Rename getValueAtAccessPath->getValueImplicitlyStoredInAccessPath	2021-12-15 16:37:28 +01:00
Asger Feldthaus	8aa4d8227e	JS: Rename RouteHandlerInput->RouteHandlerParameter	2021-12-15 16:32:18 +01:00
Asger Feldthaus	218b746f6f	JS: Rename getAUseSite -> getRouteInstallation	2021-12-15 16:21:41 +01:00
Asger Feldthaus	4d85799fc7	JS: Add test for fastify-rate-limit	2021-12-15 16:18:22 +01:00
Asger Feldthaus	615b2ec539	JS: Fix handling of fastify-plugin	2021-12-15 16:04:46 +01:00
Asger Feldthaus	b226f767ad	JS: Fix tracking of fastify server instance	2021-12-15 16:04:45 +01:00
Asger Feldthaus	0ca9feb854	JS: Always treat routers as resuming dispatch	2021-12-15 16:01:59 +01:00
Asger F	1b20506947	Update javascript/ql/lib/semmle/javascript/frameworks/Fastify.qll Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2021-12-15 16:00:19 +01:00
Asger Feldthaus	995e33158f	JS: Add test for res.locals flow to template	2021-12-15 16:00:19 +01:00
Asger Feldthaus	04bdba85ea	JS: Shift line numbers in test expectations	2021-12-15 16:00:19 +01:00
Asger F	c1bb40f439	Update javascript/ql/lib/semmle/javascript/frameworks/Express.qll Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2021-12-15 16:00:19 +01:00
Asger Feldthaus	b2016bddac	JS: Merge concepts of client/database in MongoDB model	2021-12-15 16:00:19 +01:00
Asger Feldthaus	e64a6dc12a	JS: Add qldoc	2021-12-15 12:47:23 +01:00
Asger Feldthaus	43ec721a87	JS: Add link to MDN docs for trusted types	2021-12-15 11:52:58 +01:00
github-actions[bot]	59da2cdf69	Release preparation for version 2.7.4	2021-12-14 21:35:09 +00:00
Dave Bartolomeo	a62f181d42	Move new change notes to appropriate packs	2021-12-14 12:05:15 -05:00
Asger Feldthaus	7e947b2a65	JS: Use return value of trusted type policy callback as a sink	2021-12-14 13:28:46 +01:00
Ian Wright	1c79d1f985	Merge pull request #7352 from github/esbena/atm-endpoint-polish ATM Endpoint filtering improvements	2021-12-14 08:19:23 +00:00
Esben Sparre Andreasen	1949a4e59a	autoformat	2021-12-13 22:21:52 +01:00
Erik Krogh Kristensen	de4458346f	Merge pull request #7344 from SZFsir/main JS: Improve inter-procedural type inference for FunctionExpr	2021-12-13 21:58:53 +01:00
Andrew Eisenberg	0669ef505e	Fix semver for upgrades references Ensure the version range is flexible enough to handle future version changes.	2021-12-13 09:03:33 -08:00
Esben Sparre Andreasen	c66d29998e	update test output for additional DatabaseAccesses	2021-12-13 13:42:28 +01:00
JrXnm	efc9e67ec2	Update javascript/ql/lib/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll Fix multiple declare may mismatch issue Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2021-12-13 18:36:06 +08:00
JrXnm	fad95d8935	Update javascript/ql/lib/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll Commit coding style suggestion Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2021-12-13 18:32:11 +08:00
Rasmus Wriedt Larsen	1e45fa9ed4	JS/Py/Ruby: Add more CWEs to bad-tag-filter queries CWE-185: Incorrect Regular Expression The software specifies a regular expression in a way that causes data to be improperly matched or compared. https://cwe.mitre.org/data/definitions/185.html CWE-186: Overly Restrictive Regular Expression > A regular expression is overly restrictive, which prevents dangerous values from being detected. > > (...) [this CWE] is about a regular expression that does not match all > values that are intended. (...) https://cwe.mitre.org/data/definitions/186.html From my understanding, CWE-625: Permissive Regular Expression, is not applicable. (since this is about accepting a regex match where there should not be a match).	2021-12-13 10:23:24 +01:00
Aditya Sharad	1857de1f33	JS: Speed up detection of jQuery marker comments Combine two regexes into a single one. This saves up to 5s on large databases by reducing the number of separate scans of the comments table before regex matching. The combined regex is slightly more permissive than the original two, since it allows a combination of the two matched formats. A string that matches one of the original regexes will match the combined regex.	2021-12-10 15:30:02 -08:00
Aditya Sharad	6a1aea740f	JS: Avoid scanning individual comment lines to find generated code markers Some subclasses of GeneratedCodeMarkerComment regex match against `getLine(_)`. When evaluated, this results in multiple scans (one per subclass that uses it) of all comment lines in the database, before regex matching against those lines. To make these scans smaller, regex match against the entire comment text without splitting them into lines. This is achieved using `?m` (multiline) and line boundaries in the regexes.	2021-12-10 11:41:54 -08:00
Aditya Sharad	c9a87234ef	JS: Factor helper predicate to improve SensitiveWrite performance	2021-12-10 11:41:53 -08:00
Andrew Eisenberg	66c1629974	Merge pull request #7285 from github/post-release-prep-2.7.3-ddd4ccbb Post-release preparation 2.7.3	2021-12-10 09:59:45 -08:00
Henry Mercer	a46787ea07	Merge pull request #7351 from github/henrymercer/js-atm-heuristic-sinks-improvements JS: Improve handling of heuristic sinks in endpoint filters	2021-12-10 14:56:45 +00:00
Esben Sparre Andreasen	13288be7fc	make ATM anti sink model for dojo.require	2021-12-10 15:07:51 +01:00
Esben Sparre Andreasen	9ffc02944d	add file write model for express-fileupload mv	2021-12-10 15:05:34 +01:00
Esben Sparre Andreasen	cfd2dcffa0	recognize more modelled database accesses	2021-12-10 14:54:59 +01:00
Esben Sparre Andreasen	b0f6cf1491	expose more marsdb calls as database accesses	2021-12-10 13:46:19 +01:00
Esben Sparre Andreasen	9df1ac7f75	treat redis and ioredis usage as database access	2021-12-10 13:26:26 +01:00
Esben Sparre Andreasen	10498c3643	treat jQuery as fully modelled	2021-12-10 12:51:45 +01:00
Esben Sparre Andreasen	a1ee900f50	treat Base64 manipulations as non-sinks	2021-12-10 12:37:44 +01:00
Henry Mercer	6e167040f5	Merge pull request #7307 from adityasharad/atm/perf-debugging JS/ATM: Various compilation fixes and performance improvements	2021-12-10 11:00:27 +00:00
Asger Feldthaus	b336c29283	JS: Track functions with methods	2021-12-10 09:38:29 +01:00
Asger Feldthaus	4ef2a5f4f1	JS: Add test	2021-12-10 09:38:29 +01:00
Aditya Sharad	271b23ba8f	JS: Expand explanatory comment about version placeholders	2021-12-09 13:43:08 -08:00
Aditya Sharad	0c3daabc51	JS: Fix broken regex matching predicate The receiver string and the regex were in the wrong order, leading to test failures when looking for matching comments.	2021-12-09 13:42:33 -08:00
Erik Krogh Kristensen	e7209d1ee1	Merge pull request #7216 from erik-krogh/ts45 JS: Add support for TypeScript 4.5	2021-12-09 20:33:52 +01:00
JrXnm	1a1a7413c2	JS: Improv inter-procedural type inference for FunctionExpr	2021-12-10 01:09:49 +08:00
Henry Mercer	f08f07e19e	JS: Improve handling of heuristic sinks in endpoint filters Previously heuristic sinks were always included, to avoid us filtering them out due to not being an argument to an external library call. In this commit we move the argument to an external library call filtering to the query-specific endpoint filters. This lets us filter out heuristic sinks if they match one of the other endpoint filters, reducing FPs.	2021-12-09 15:00:54 +00:00
Erik Krogh Kristensen	1956405d17	Merge pull request #7284 from erik-krogh/myApply-part1 JS: remove paths without unmatched returns from polynomial-redos	2021-12-08 10:46:03 +01:00

... 12 13 14 15 16 ...

6849 Commits