1554 Commits

Author	SHA1	Message	Date
Rasmus Wriedt Larsen	c0ad9ba529	Merge branch 'main' into js-threat-models	2024-11-01 10:48:32 +01:00
Tom Hvitved	1259b7e8e7	JS: Post-processing query for inline test expectations	2024-10-29 13:35:38 +01:00
Rasmus Wriedt Larsen	1726287bf4	JS: Add e2e threat-model test	2024-10-25 15:03:44 +02:00
Tom Hvitved	d0ca39fb03	JS: Update expected test output	2024-10-04 08:35:33 +02:00
Sid Gawri	e8c68fff7f	resolve id conflict with dom based xss test ql	2024-09-25 10:01:59 -04:00
Alvaro Muñoz	5d1da861a2	fix: Use YamlScalar for booleans	2024-09-06 23:21:41 +02:00
Alvaro Muñoz	d9e8792d33	[javascript] Query to detect GITHUB_TOKEN leaked in artifacts	2024-09-06 22:55:58 +02:00
Asger F	09aca6b47e	Merge pull request #17212 from mbaluda/main ... Add support for importing NPM modules in XSJS sources	2024-08-22 10:54:33 +02:00
Asger F	7a7ab457a9	JS: Delete unneeded test code (and shift line numbers)	2024-08-16 14:38:54 +02:00
Asger F	9ee7599aeb	JS: Move AngularJSTemplateUrlSink to ClientSideUrlRedirection query ... This is not perfect but at least we can be consistent about keeping URLs-that-lead-to-xss in the same query	2024-08-16 14:37:13 +02:00
Asger F	699d3a0a0a	JS: Update a RegExp injection test ... RegExpInjection does not use client-side sources, but one of its tests was using postMessage events as the taint source. Updating the test to use a different taint source.	2024-08-16 14:20:34 +02:00
Mauro Baluda	be0a60a7f6	Add support for importing NPM modules in XSJS sources	2024-08-13 14:45:03 +02:00
Erik Krogh Kristensen	41506fbfef	Merge pull request #14666 from am0o0/amammad-js-hardcodedJWTKey ... JS: Extends CredentialsNode class mostly related to JWT authentication packages	2024-08-08 10:20:45 +02:00
am0o0	354fcbe7fe	apply changes from @erik-krogh	2024-08-01 20:14:36 +02:00
Paul Hodgkinson	c9af53f050	Merge branch 'main' into aegilops/polyfill-io-compromised-script	2024-07-12 12:53:44 +01:00
aegilops	d71be8aeaf	Moved from experimental into default queries	2024-07-11 11:44:01 +01:00
aegilops	86afd54a9b	Moved new query to 'experimental' ... Moved lists of domains to data extensions, including adding those to the overall qlpack.yml Expanded scope of new query to further domains operated by the untrusted owners of polyfill.io	2024-07-09 16:38:01 +01:00
aegilops	e2b37f97b0	Added dot to end of test message	2024-07-01 17:41:26 +01:00
aegilops	a1b0703690	Added detection for specific Polyfill.io CDN compromise - edited existing library and added new query and tests	2024-07-01 16:21:34 +01:00
am0o0	b360c8adb8	Update hardcodedCredentials query file to only exclude 'jwt key' kind from with the isTestFile predicate. ... According to expected test results, with a new query, the jwt sinks of __test__/ dir have been exluded from query results.	2024-07-01 15:00:08 +02:00
am0o0	5a1877547f	update test cases of __tests__/ dir ... since we want to check if a jwt related sink is in this dir or not	2024-07-01 14:50:07 +02:00
am0o0	6ecd8b7ee8	add new default cred kind	2024-07-01 14:42:34 +02:00
am0o0	65fdb8ccce	move jose SharedTaintStep to a local taint step, add more additional steps with test cases, update test cases and expected test results	2024-07-01 11:38:17 +02:00
aegilops	f22778960b	Fixed expected test results for Helmet query	2024-06-26 11:31:57 +01:00
am0o0	5a69bbf6b0	use isTestFile from ClassifyFiles module file instead previous where condition, update tests accordingly	2024-06-07 06:11:48 +02:00
am0o0	e4ffdb848e	add tests for new where condition, update expected test results	2024-06-06 14:30:06 +02:00
am0o0	d77513579f	update tests	2024-05-25 12:15:25 +02:00
Paul Hodgkinson	65dfd4c860	Merge branch 'main' into aegilops/js/insecure-helmet-middleware	2024-05-21 14:46:49 +01:00
aegilops	bda794fde7	Fixed wrong filenames in the InsecureHelmet tests	2024-05-21 14:34:58 +01:00
aegilops	8300aeb0a0	Tests for InsecureHelmet	2024-05-20 12:05:42 +01:00
Asger F	499c4df79b	Merge pull request #13554 from am0o0/amammad-js-bombs ... JS: Decompression Bombs	2024-05-16 13:25:41 +02:00
erik-krogh	39a8b49222	add qhelp recommendation that you can use an obvious placeholder value	2024-05-03 19:37:31 +02:00
erik-krogh	b209fc67cb	test the change to hardcoded-credentials	2024-05-03 19:34:18 +02:00
erik-krogh	129286aa1c	allow more flow through .filter()	2024-03-13 12:03:00 +01:00
erik-krogh	bf22f4a870	update expected output	2024-02-22 13:21:11 +01:00
erik-krogh	396da117bb	remove an FP in overly-large-range for [@-Z]	2024-01-25 14:15:06 +01:00
GitHub Security Lab	df10a7e7f0	Merge branch 'main' into amammad-js-bombs	2024-01-25 11:23:38 +01:00
erik-krogh	1a8a70dc1b	mark the range [0-?] as good in the overly-large-range query	2024-01-17 13:11:57 +01:00
erik-krogh	a9f2b3fad6	promote PropsTaintStep to a PreCallGraphStep	2024-01-04 10:45:22 +01:00
Max Schaefer	dfffa1e237	Apply suggestions from code review ... Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>	2023-11-21 10:07:11 +00:00
Max Schaefer	d147faba4e	Update qhelp for js/path-injection.	2023-11-20 11:58:00 +00:00
Rasmus Wriedt Larsen	43d9d2ceb7	Merge pull request #14603 from github/max-schaefer/broken-crypto-algorithm-link ... JavaScript/Python/Ruby: Improve alert message for `*/weak-cryptographic-algorithm`.	2023-11-08 14:29:24 +01:00
Max Schaefer	104700f6d3	Address review comment.	2023-10-27 10:19:28 +01:00
Max Schaefer	741735cc83	Port changes to JavaScript.	2023-10-26 14:47:24 +01:00
Max Schaefer	2c7291336d	Move test files into right directory.	2023-10-26 12:16:52 +01:00
Max Schaefer	bb146a1758	JavaScript: Add support for rateLimit export from express-rate-limit package.	2023-10-26 12:14:57 +01:00
amammad	6f73e9c3ba	revert for in additional steps	2023-10-10 22:12:37 +02:00
amammad	aff6f00450	comments improvement,separate module file, fix tests	2023-10-07 12:02:39 +02:00
amammad	5a49f6bb9b	fix tests	2023-10-06 22:10:57 +02:00
Max Schaefer	e722e3288f	Merge pull request #13771 from github/max-schaefer/server-side-url-redirect-help ... JavaScript: Improve query help for `js/server-side-unvalidated-url-redirection`.	2023-09-13 13:20:48 +01:00