hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-23 04:06:37 +01:00
Code Issues Packages Projects Releases Wiki Activity
73,009 Commits 1,672 Branches 157 Tags
cbae2cf7faba4eafdd52fbd38bf0167af03f26f0
Commit Graph

25 Commits

Author SHA1 Message Date
erik-krogh
54a1c25276 change the precision of the js/unsafe-external-link query to low 2024-03-21 10:32:15 +01:00
Rafael
286e3951bf Detect Django template URLs 
Django URLs are currently not detected, but flask and nunjucks URL are. (See https://github.com/github/codeql/issues/12267)
 2023-11-28 22:22:07 +01:00
Kasper Svendsen
67950c8e6b JS: Make implicit this receivers explicit 2023-05-03 15:31:00 +02:00
erik-krogh
368f84785b fix some more style-guide violations in the alert-messages 2022-10-07 11:22:22 +02:00
Erik Krogh Kristensen
f719e0ca1b remove nunjucks template URLs from the target-blank query 2021-08-02 22:46:59 +02:00
Calum Grant
771e686946 Update security-severity scores 2021-06-15 13:25:17 +01:00
Calum Grant
a594afb828 Add security-severity metadata 2021-06-10 20:11:08 +01:00
Asger Feldthaus
d8c9dba990 JS: Autoformat 2021-01-18 12:19:09 +00:00
Asger Feldthaus
3c0867125b JS: Remove FP in TargetBlank 2021-01-18 12:19:08 +00:00
Erik Krogh Kristensen
d6dc4bb655 allow flask url_for urls in TargetBlank.ql 2020-10-05 21:40:24 +02:00
Erik Krogh Kristensen
1f9749fbfe revert mailto: change in TargetBlank.ql 2020-09-03 09:39:01 +02:00
Erik Krogh Kristensen
f0a0f41c3c allow urls that are prefixed with # or ? in js/unsafe-external-link 2020-09-02 10:19:42 +02:00
Erik Krogh Kristensen
f7edf28d0d allow mailto links in js/unsafe-external-link 2020-08-31 16:01:28 +02:00
Asger Feldthaus
e7a0bc6be6 JS: Lower precision of ambiguous HTML ID attribute 2020-08-27 15:51:34 +01:00
Max Schaefer
a803120414 Lower precision for a number of queries. 
These queries are currently run by default, but don't have their results displayed.

Looking through results on LGTM.com, they are either false positives (e.g., `BitwiseSignCheck` which flags many perfectly harmless operations and `CompareIdenticalValues` which mostly flags NaN checks) or harmless results that developers are unlikely to care about (e.g., `EmptyArrayInit` or `MisspelledIdentifier`).

With this PR, the only queries that are still run but not displayed are security queries, where different considerations may apply.
 2020-05-19 13:43:17 +01:00
Esben Sparre Andreasen
c4eb258f5b JS: lower precision of js/conflicting-html-attribute 2019-08-05 09:22:10 +02:00
Max Schaefer
cf22761ccc JavaScript: Add CWE-1022 to TargetBlank. 2019-05-21 12:16:32 +01:00
Max Schaefer
41eb1ff9d0 JavaScript: Drop precision of AmbiguousIdAttribute to 'high'. 2019-02-12 16:31:29 +00:00
Max Schaefer
25f95d9fb1 JavaScript: Be more conservative about templates in AmbiguousIdAttribute. 
Previously, we only excluded attributes where the value of the attribute itself suggests templating happening. Now we exclude all attributes in documents where _any_ attribute value suggests templating.
 2019-02-12 16:31:01 +00:00
Max Schaefer
31bb39a810 JavaScript: Autoformat all QL files. 2019-01-07 10:15:45 +00:00
Max Schaefer
0a2df6c00d JavaScript: Highlight id attribute (not entire element) in AmbiguousIdAttribute. 2019-01-02 11:44:02 +00:00
semmle-qlci
b21b066255 Merge pull request #499 from xiemaisi/js/target-blank-location 
Approved by esben-semmle
 2018-11-20 17:16:05 +00:00
Max Schaefer
c1690a69e5 JavaScript: Make TargetBlank only highlight the first line of the link. 
Otherwise alerts for multi-line `<a>` elements end up looking very red.

I also took the opportunity to improve the tests slightly.
 2018-11-20 12:53:27 +00:00
Max Schaefer
1b59a28be0 JavaScript: Downgrade a few "error" rules to "warning". 
For all of these queries, the results we tend to see in practice are certainly worth investigating, but aren't crashing bugs, so making them warnings seems more appropriate.
 2018-11-19 09:09:26 +00:00
Pavel Avgustinov
b55526aa58 QL code and tests for C#/C++/JavaScript. 2018-08-02 17:53:23 +01:00