hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
976 Commits 1,671 Branches 157 Tags
c21a0472d4a1dcbb98d60bc57cb15463204ed0c1
Commit Graph

302 Commits

Author SHA1 Message Date
Esben Sparre Andreasen
c21a0472d4 JS: implement getADataNode for AxiosUrlRequest 2018-10-16 08:50:56 +02:00
Esben Sparre Andreasen
1e115bce2c JS: add SourceNode support for chained method calls 2018-10-16 08:48:09 +02:00
semmle-qlci
1e7696664e Merge pull request #302 from xiemaisi/js/google-spanner 
Approved by esben-semmle
 2018-10-16 06:48:43 +01:00
Max Schaefer
6835815673 JavaScript: Address review comments. 2018-10-15 20:14:40 +01:00
semmle-qlci
7543fa4a10 Merge pull request #298 from asger-semmle/partial-calls-merged 
Approved by xiemaisi
 2018-10-15 14:58:22 +01:00
semmle-qlci
16b29b2d08 Merge pull request #299 from asger-semmle/nosql-sinks 
Approved by xiemaisi
 2018-10-12 07:12:05 +01:00
Max Schaefer
cd284b2f97 JavaScript: Add support for Google Cloud Spanner. 2018-10-11 09:30:39 +01:00
Esben Sparre Andreasen
6687dfd558 JS: improve model of express' req.sendFile 2018-10-10 15:46:43 +02:00
Esben Sparre Andreasen
358b6c3413 JS: change "remote request" to "network request" 2018-10-10 15:34:39 +02:00
Esben Sparre Andreasen
e93545d16e JS: address more review comments 2018-10-10 15:28:42 +02:00
Esben Sparre Andreasen
c885490c7e JS: address review comments 2018-10-10 12:18:30 +02:00
Esben Sparre Andreasen
0da1ac4d75 JS: naming and documentation cleanup for NodeJS file system accesses 2018-10-10 12:12:54 +02:00
Esben Sparre Andreasen
64b0d39390 JS: polish HttpToFileAccess.qll 2018-10-10 12:12:54 +02:00
Esben Sparre Andreasen
df72492f16 JS: polish FileAccessToHttp.qll 2018-10-10 12:12:54 +02:00
Esben Sparre Andreasen
43f98a7ef8 JS: refactor NodeJSFileSystemRead* to FileStreamRead 2018-10-10 12:12:54 +02:00
Esben Sparre Andreasen
30f7f41dff JS: refactor NodeJSFileSystemWrite to FileStreamWrite 2018-10-10 12:12:54 +02:00
Esben Sparre Andreasen
e99b9d34c5 JS: polish characters of NodeJSFileSystemAccess*Call 2018-10-10 12:12:54 +02:00
Esben Sparre Andreasen
4e4597a24d JS: replace HTTP::RequestBody with ClientRequest.getADataNode 2018-10-10 12:12:54 +02:00
Esben Sparre Andreasen
0fc56e443e JS: introduce ClientRequest.getADataNode 2018-10-10 12:12:54 +02:00
Esben Sparre Andreasen
3b2440e850 JS: remove useless externs definitions for tests 2018-10-10 12:12:54 +02:00
Esben Sparre Andreasen
a3ec739210 JS: restructure FileSystemWriteAccess/FileSystemReadAccess API 2018-10-10 12:12:54 +02:00
Esben Sparre Andreasen
b00aa36cdc JS: polish HttpToFileAccess.ql 2018-10-10 12:12:54 +02:00
Esben Sparre Andreasen
d261915598 JS: polish FileAccessToHttp.ql 2018-10-10 12:12:54 +02:00
Asger F
74f115fa40 JS: add test case 2018-10-10 10:46:40 +01:00
Asger F
2a87d53db4 JS: Add additional Mongoose/MongoDB sinks 2018-10-10 10:11:18 +01:00
Asger F
4e7f171f54 JavaScript: do not cache AdditionalPartialInvokeNode 2018-10-10 09:40:49 +01:00
Max Schaefer
8d8148d58e Merge pull request #294 from asger-semmle/canonical-this-source 
JS: Canonicalize 'this' in the data-flow graph
 2018-10-10 08:10:53 +01:00
Max Schaefer
355786c2d8 Merge pull request #296 from esben-semmle/js/more-array-creation 
JS: use DataFlow::ArrayCreationNode in additional places
 2018-10-10 08:10:17 +01:00
Asger F
9fb73f41c9 JS: rename ReactComponent::getAThisAccess -> getAThisNode 2018-10-09 08:54:44 +01:00
Asger F
fd58039753 JS: update additional QL test output 2018-10-09 08:54:14 +01:00
Asger F
030bae9454 JS: Canonicalize ThisNode 2018-10-09 08:53:41 +01:00
Asger F
3bc5e3bfdf JS: Replace some uses AnalyzedValueNode with AnalyzedNode 2018-10-09 08:53:41 +01:00
Max Schaefer
e354694173 Merge pull request #273 from asger-semmle/csrf-sources 
JS: add RemoteFlowSource.isThirdPartyControllable()
 2018-10-08 15:09:38 +01:00
Asger F
d2af4ab94a Merge pull request #227 from xiemaisi/js/taint-kinds 
JavaScript: Add support for state-based taint tracking.
 2018-10-08 15:09:12 +01:00
Esben Sparre Andreasen
70cd03d3bc JS: use DataFlow::ArrayCreationNode in additional places 2018-10-08 15:47:11 +02:00
Esben Sparre Andreasen
a668f906bc JS: recognize binding decorators on classes 2018-10-08 07:58:12 +02:00
semmle-qlci
98254e87e1 Merge pull request #132 from denislevin/denisl/js/HttpToFileAccessTest 
Approved by xiemaisi
 2018-10-04 14:06:46 +01:00
Asger F
c2a5f99d9c JS: include referer header as reflected XSS source 2018-10-04 10:53:10 +01:00
Asger F
dc26bdc5e7 JS: Move isThirdPartyControllable into RequestInputAccess 2018-10-04 10:36:49 +01:00
semmle-qlci
bea86e52fb Merge pull request #275 from xiemaisi/js/workaround-for-nested-imports 
Approved by asger-semmle
 2018-10-04 08:25:52 +01:00
Max Schaefer
e326dd4688 JavaScript: Add TaintKind as an alias to FlowLabel. 2018-10-03 15:54:58 +01:00
Max Schaefer
86ee58d019 JavaScript: Address review comments. 2018-10-03 15:49:02 +01:00
Max Schaefer
a8a8754c89 JavaScript: Restrict default sink flow labels to StandardFlowLabel. 2018-10-03 15:49:02 +01:00
Max Schaefer
5727b2a5f4 JavaScript: Properly handle value-preserving paths. 
When constructing a path through a property write/read pair, we want to make sure that we only use value-preserving steps to track the base object. However, the value flowing in from the right-hand side of the assignment may have a different flow label (such as `taint()`), so we cannot use the normal `append` predicate to construct the composite path.
 2018-10-03 15:49:02 +01:00
Max Schaefer
910d6de47d JavaScript: Add new tests. 2018-10-03 15:49:02 +01:00
Max Schaefer
3affe922e3 JavaScript: Make PathSummary.toString more useful. 2018-10-03 15:49:02 +01:00
Max Schaefer
dad13c9b64 JavaScript: Simplify onPath predicate. 2018-10-03 15:49:02 +01:00
Max Schaefer
8d471f01ef JavaScript: Simplify a few helper predicates. 2018-10-03 15:49:02 +01:00
Max Schaefer
017ae4990d JavaScript: Use custom flow labels in ClientSideUrlRedirect. 2018-10-03 15:49:02 +01:00
Max Schaefer
f4ea8bc82a JavaScript: Introduce flow labels. 2018-10-03 15:49:02 +01:00