10432 Commits

Author	SHA1	Message	Date
Napalys Klicius	c6db32ed73	Add exceptions for arktype, execa, and highland to prevent them from being flagged by unhandled pipe error query	2025-05-23 12:34:11 +02:00
Napalys Klicius	15ff7cb41a	Added more test cases which common js libraries uses .pipe()	2025-05-23 12:30:49 +02:00
Napalys Klicius	b10a9481f3	Fixed false positives from strapi and rxjs/testing as well as when one passes function as second arg to pipe	2025-05-22 18:50:02 +02:00
Napalys Klicius	e6ae8bbde4	Added test cases where second parameter passed to pipe is a function and some popular library ones	2025-05-22 18:50:01 +02:00
Napalys Klicius	ac24fdd348	Add predicate to detect non-stream-like usage in sources of pipe calls	2025-05-22 18:49:59 +02:00
Napalys Klicius	5b1af0c0bd	Added detection of custom gulp-plumber sanitizer, thus one would not flag such instances.	2025-05-22 18:49:53 +02:00
Napalys Klicius	b1048719aa	Added UnhandledStreamPipe to javascript-security-and-quality.qls and javascript-code-quality.qls	2025-05-22 12:42:56 +02:00
Napalys Klicius	09220fce84	Fixed issue where pipe calls from rxjs package would been identified as pipe calls on streams	2025-05-22 12:33:36 +02:00
Napalys Klicius	d7f86db76c	Enhance PipeCall to exclude non-function and non-object arguments in pipe method detection	2025-05-22 12:31:27 +02:00
Napalys Klicius	4332de464a	Eliminate false positives by detecting non-stream objects returned from pipe() calls based on accessed properties	2025-05-22 12:31:26 +02:00
Napalys Klicius	5710f0cf51	Add test cases for non-stream field accesses and methods before and after pipe operations	2025-05-22 12:31:19 +02:00
Napalys Klicius	03d1f9a7d3	Restrict pipe detection to calls with 1-2 arguments	2025-05-21 11:41:22 +02:00
Napalys Klicius	30f2815503	Fixed issue where a custom pipe method which returns non stream would be flagged by the query	2025-05-21 11:41:19 +02:00
Napalys Klicius	ef1bde554a	Fixed issue where streams would not be tracked via chainable methods	2025-05-21 11:40:35 +02:00
Napalys Klicius	f39bf62fc6	test: Add edge cases for stream pipe error handling ... Add tests for chained stream methods and non-stream pipe objects	2025-05-21 11:39:03 +02:00
Napalys Klicius	c27157f021	Add UnhandledStreamPipee Quality query and tests to detect missing error handlers in Node.js streams	2025-05-21 11:38:57 +02:00
Napalys Klicius	d1e769ba54	Merge pull request #19422 from Napalys/js/shelljs ... JS: Modeling of `ShellJS` functions	2025-05-02 14:18:44 +02:00
Napalys Klicius	871e93d9fe	Update javascript/ql/lib/semmle/javascript/frameworks/ShellJS.qll ... Co-authored-by: Asger F <asgerf@github.com>	2025-05-02 13:39:46 +02:00
Tamás Vajk	cb1c3736fe	Merge pull request #19413 from tamasvajk/quality/query-suite-selector ... Add code quality suite selector and use that in the code quality suites	2025-05-02 08:18:48 +02:00
Owen Mansel-Chan	e0549483fd	Merge pull request #19429 from owen-mc/fix-cwe-tags-missing-leading-zero ... Fix cwe tags to include leading zero	2025-05-01 14:09:54 +01:00
Owen Mansel-Chan	0863c87572	Add change notes	2025-05-01 10:33:24 +01:00
Napalys Klicius	68a9dd9f9e	Address comments	2025-05-01 11:19:41 +02:00
Napalys Klicius	d4b5ef6a66	Refactor process.env handling in CleartextLogging and IndirectCommandInjection modules to use ThreatModelSource	2025-05-01 11:14:15 +02:00
Napalys Klicius	33d8ffa83e	Added test cases for shelljs.env	2025-05-01 11:11:29 +02:00
Napalys Klicius	602500e280	Added change note	2025-05-01 11:09:56 +02:00
Napalys Klicius	40d176a770	Added model for shelljs.env	2025-05-01 11:09:47 +02:00
Owen Mansel-Chan	cf614a596d	Fix cwe tags to include leading zero	2025-04-30 16:43:03 +01:00
Napalys Klicius	9624a413e4	Added change note	2025-04-30 14:57:00 +02:00
Napalys Klicius	71f1b82a56	Added support for fastify.all	2025-04-30 14:54:09 +02:00
Napalys Klicius	6d61766366	Added test case for fastify.all	2025-04-30 14:50:35 +02:00
Asger F	8ebbfb198e	Merge pull request #19412 from asgerf/js/promise-all ... JS: Better type-tracking through Promise.all()	2025-04-30 14:19:12 +02:00
Napalys Klicius	18cea2d6a5	Added support for shelljs.cmd and async-shelljs.asyncExec	2025-04-30 13:37:02 +02:00
Napalys Klicius	25d04f1cdd	Added support for shelljs.which	2025-04-30 13:35:17 +02:00
Napalys Klicius	f6fae7ad60	Added test cases for cmd, which and asyncExec	2025-04-30 13:33:31 +02:00
Asger F	da5d799152	JS: Change note	2025-04-30 11:59:47 +02:00
Napalys Klicius	6de38b1827	Merge pull request #19300 from Napalys/js/fastify ... JS: Added support for `fastify.addHook`	2025-04-29 18:32:25 +02:00
Tamas Vajk	d56c5225f6	Use code-quality-selectors in JS suite	2025-04-29 16:23:08 +02:00
Asger F	eae1e1cb02	JS: Make API graphs rely on type-tracking steps in general	2025-04-29 15:08:19 +02:00
Asger F	e40b93b8a3	JS: Add type-tracking step through simple Promise.all() calls	2025-04-29 15:08:18 +02:00
Nick Rolfe	50f7ee1158	Merge pull request #19401 from github/post-release-prep/codeql-cli-2.21.2 ... Post-release preparation for codeql-cli-2.21.2	2025-04-28 16:16:21 +01:00
github-actions[bot]	2e0699ab2b	Post-release preparation for codeql-cli-2.21.2	2025-04-28 14:03:28 +00:00
Napalys Klicius	8b53f8f2a6	Fix, prevent addHook return values from being treated as XSS sinks	2025-04-28 14:22:51 +02:00
Napalys Klicius	73309fb9dd	Updated modeling of aws-sdk with MaD	2025-04-28 14:00:12 +02:00
Napalys Klicius	654177daa7	Fixed naming acronyms to be PascalCase	2025-04-28 14:00:12 +02:00
Napalys Klicius	f7f9fb823a	Updated takesConfigurationObject with API graphs	2025-04-28 14:00:12 +02:00
Napalys Klicius	42d5b80e81	Added support for AWS.Credentials hardcoded credentials	2025-04-28 14:00:12 +02:00
Napalys Klicius	f69037c176	Added ability to detect direct write to global AWS.config	2025-04-28 14:00:12 +02:00
Napalys Klicius	05e4677fd1	Added ability to detect new AWS.ServiceName cases with hardcoded credentials	2025-04-28 14:00:12 +02:00
Napalys Klicius	e6450a17ec	Added test cases for individual AWS services, direct modification of global credentials and AWS.Credentials	2025-04-28 14:00:12 +02:00
github-actions[bot]	625354c46e	Release preparation for version 2.21.2	2025-04-28 10:55:22 +00:00