hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
35,614 Commits 1,671 Branches 157 Tags
c20ee76826e10318f8f39c6fae901b743c2e8254
Commit Graph

7497 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
51a0b6d501 remove client-side remote-flow from js/resource-exhaustion 2022-04-13 23:05:59 +02:00
Jean Helie
1e39a9caae ML: update regression test output following fix to getAnUnknown predicate 2022-04-13 18:14:16 +02:00
Jean Helie
f87cd164ce ML: add defensive check to ensure Unknown endpoints cannot also be NotASink 2022-04-13 18:14:16 +02:00
Jean Helie
f2b813a6e7 ML: add regression test for effective sink that is also NotASink 2022-04-13 18:14:16 +02:00
Jean Helie
407a8a7715 ML: fix ATM expected tests outputs 2022-04-13 14:02:12 +02:00
Erik Krogh Kristensen
41bdd8f4da minor fixes 2022-04-13 10:11:07 +02:00
Erik Krogh Kristensen
b13e7c055b move the sanitizer-guard to the Query.qll file 2022-04-13 09:58:33 +02:00
Erik Krogh Kristensen
96e4633dfe remove more code that did nothing 2022-04-13 09:57:32 +02:00
Erik Krogh Kristensen
a9595af01e update expected output 2022-04-13 09:43:21 +02:00
Erik Krogh Kristensen
d35604ed82 remove the length sanitizer from loop-bound-injection - it did nothing 2022-04-13 09:43:21 +02:00
Erik Krogh Kristensen
dd28157d0a add test of a length check 2022-04-13 09:43:21 +02:00
Erik Krogh Kristensen
8e47a9b242 add sanitizer step for .length in js/resource-exhaustion 2022-04-13 09:30:09 +02:00
Stephan Brandauer
fb66ccff39 handlebars taint step: conservatively assume unknown templates have no flow to helpers 2022-04-13 09:27:59 +02:00
Erik Krogh Kristensen
a2d2626c9c add security severity 2022-04-12 16:34:00 +02:00
Erik Krogh Kristensen
d64df30724 reintroduce the reverted qhelp 2022-04-12 16:33:06 +02:00
Erik Krogh Kristensen
ebf9ba7250 remove the type-overloaded new Buffer() as a sink 2022-04-12 16:29:58 +02:00
Erik Krogh Kristensen
e2b7f7d05d reintroduce the number sinks 2022-04-12 16:26:10 +02:00
Erik Krogh Kristensen
029459cc35 reorganize CWE-770 tests 2022-04-12 16:15:40 +02:00
Erik Krogh Kristensen
688b2b6898 use the Query.qll pattern 2022-04-12 15:52:52 +02:00
Erik Krogh Kristensen
8fb54c3f32 move js/resource-exhaustion out of experimental 2022-04-12 15:51:36 +02:00
Erik Krogh Kristensen
df295e69d6 add change-note 2022-04-12 14:37:51 +02:00
Erik Krogh Kristensen
bca4d14129 rename files 2022-04-12 14:37:43 +02:00
Erik Krogh Kristensen
591fcda862 various improvements to the js/missing-origin-verification query 2022-04-12 14:20:41 +02:00
Erik Krogh Kristensen
2d6d304d7c add InclusionTest to PostMessageEventSanitizer 2022-04-12 14:12:36 +02:00
Erik Krogh Kristensen
e2badab251 update expected output after test reorganization 2022-04-12 10:39:28 +02:00
Erik Krogh Kristensen
ec9c308d06 reorganize the tests in CWE-020 2022-04-12 10:39:28 +02:00
Erik Krogh Kristensen
18532bae54 move js/missing-postmessageorigin-verification out of experimental 2022-04-12 10:39:27 +02:00
CodeQL CI
a43f3a21a8 Merge pull request #8550 from erik-krogh/classJoin 
Approved by asgerf
 2022-04-12 09:23:58 +01:00
Erik Krogh Kristensen
34abef8a6c Merge branch 'main' into dragAndDrop 2022-04-11 23:59:46 +02:00
bananabr
57fac949fd included ClipboardEvent and DragEvent as XSS sources 2022-04-11 16:37:00 -05:00
Erik Krogh Kristensen
aafa8ddc9f add support for domNode.onpaste for copy-paste events 2022-04-11 20:10:56 +02:00
Erik Krogh Kristensen
6713b2c671 add support for domNode.ondrop for drag-and-drop events 2022-04-11 20:06:12 +02:00
bananabr
121aad7fd2 updated change notes 2022-04-11 12:45:37 -05:00
CodeQL CI
9c8dee2a4d Merge pull request #8687 from asgerf/js/missing-flow-fixes 
Approved by erik-krogh
 2022-04-11 14:08:15 +01:00
bananabr
0f1582f3f6 included JavaScript drag and drop API Xss sources 2022-04-09 22:33:30 -05:00
Edoardo Pirovano
f25618eed6 Bump minor version of all packs 2022-04-08 15:38:58 +01:00
Edoardo Pirovano
ce82c54b94 Merge branch 'main' into edoardo/3.5-mergeback 2022-04-08 15:30:58 +01:00
annarailton
8ae905aef9 Update endpointTypeEncoded -> label 
Fixes https://github.com/github/ml-ql-adaptive-threat-modeling/issues/1821
 2022-04-08 10:22:13 +01:00
annarailton
b0ab7218db Add test for query mappings 2022-04-08 10:22:13 +01:00
annarailton
4808eb9926 Change encoding -> label and description -> labelName 
Fixes https://github.com/github/ml-ql-adaptive-threat-modeling/issues/1820
 2022-04-08 10:22:13 +01:00
annarailton
de4e01a8f2 Change NotASinkType to NegativeType 
Fixes https://github.com/github/ml-ql-adaptive-threat-modeling/issues/1819
 2022-04-08 10:22:13 +01:00
Asger Feldthaus
b85739cb7e JS: Update test output 2022-04-07 13:23:26 +02:00
Asger Feldthaus
81cf3d4574 JS: Use Class#getAnInstanceReference 2022-04-07 10:43:29 +02:00
Asger Feldthaus
2a67085d9d JS: Change note 2022-04-07 10:02:21 +02:00
Asger Feldthaus
4eda6f643f JS: Recognize subclasses of HTMLElement in domValueRef 2022-04-07 09:57:31 +02:00
Asger Feldthaus
cff8dc0537 JS: Improve flow through Array.prototype.reduce 2022-04-07 09:57:31 +02:00
Erik Krogh Kristensen
943af17d10 Merge pull request #8619 from erik-krogh/atmSteps 
JS-ML: fix isKnownStepSrc such that it recognizes taint-steps
 2022-04-06 12:56:53 +02:00
Erik Krogh Kristensen
0435cee57f add a taint-step through URL.createObjectURL for js/xss-through-dom 2022-04-06 12:18:47 +02:00
Erik Krogh Kristensen
b11d48e749 add files in the DOM as a source for js/xss-through-dom 2022-04-06 12:09:07 +02:00
Asger F
de169277cb Merge pull request #8576 from asgerf/js/decorated-method-or-class 
JS: Add decorator edges in API graphs and corresponding MaD tokens
 2022-04-04 12:49:28 +02:00