hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 20:56:33 +01:00
Code Issues Packages Projects Releases Wiki Activity
8,895 Commits 1,673 Branches 157 Tags
ceb9fff70cf00a08acbe5be4684ea1336d0c2205
Commit Graph

2559 Commits

Author SHA1 Message Date
semmle-qlci
ceb9fff70c Merge pull request #2479 from max-schaefer/localTaintStep 
Approved by asgerf
 2019-12-02 11:35:43 +00:00
Max Schaefer
aeda2d68f8 JavaScript: Introduce localTaintStep predicate. 
It's sometimes useful for exploratory queries, and the other languages have it as well.
 2019-12-02 09:43:08 +00:00
Max Schaefer
f958916c76 Merge pull request #2330 from erik-krogh/exceptionXss 
JS: Added query for detecting XSS that happens through an exception
 2019-11-29 09:04:45 +00:00
semmle-qlci
73e08eba43 Merge pull request #2468 from max-schaefer/js/regexp-predecessor 
Approved by asgerf
 2019-11-28 16:57:31 +00:00
semmle-qlci
198b3b34a3 Merge pull request #2432 from asger-semmle/install-typescript-deps 
Approved by max-schaefer
 2019-11-28 16:08:46 +00:00
Max Schaefer
a788bf87a0 JavaScript: Fix RegExpTerm.getPredecessor and getSuccessor. 
These were originally meant to give you the term that is textually matched right before/right after the receiver. When I introduced support for lookbehinds, I changed the behaviour to give you the term that is _operationally_ matched before/after the receiver (remember that lookbehinds are implemented by reverse-matching).

However, I think that's rarely ever what you want, and is wrong for the only two uses of these predicates, where it's the textual matching order that we are after, not the operational order.

Consequently, I've changed the semantics back and updated the comments to hopefully clarify the intention.
 2019-11-28 15:14:50 +00:00
Erik Krogh Kristensen
9351cd44e4 Merge remote-tracking branch 'githubsemmle/master' into HEAD 2019-11-27 13:45:59 +01:00
semmle-qlci
a2827e9503 Merge pull request #2362 from erik-krogh/promiseAll 
Approved by max-schaefer
 2019-11-27 12:35:04 +00:00
semmle-qlci
4916bed9cd Merge pull request #2433 from asger-semmle/import-js-file 
Approved by max-schaefer
 2019-11-27 10:55:59 +00:00
semmle-qlci
9ca4f6aecb Merge pull request #2392 from asger-semmle/window-name-flow 
Approved by max-schaefer
 2019-11-27 10:55:26 +00:00
semmle-qlci
793988afe4 Merge pull request #2344 from asger-semmle/element-pattern-prop-read 
Approved by max-schaefer
 2019-11-27 10:54:46 +00:00
Erik Krogh Kristensen
967ecbad24 Merge remote-tracking branch 'upstream/master' into promiseAll 2019-11-27 11:28:37 +01:00
Erik Krogh Kristensen
e27a69960d update description 2019-11-27 11:17:19 +01:00
Asger F
6eb2c26ea4 TS: Pass --no-default-rc and --non-interactive to yarn 2019-11-27 06:42:03 +00:00
Asger F
605c8834c6 JS: Avoid redundant window.name sources 2019-11-27 06:15:12 +00:00
Erik Krogh Kristensen
b5a57986c6 small changes based on review feedback 2019-11-26 15:57:31 +01:00
Erik Krogh Kristensen
b6106f9638 keep the ResolvedPromiseDefinition class as a subclass of PromiseCreationCall 2019-11-26 11:16:59 +01:00
Erik Krogh Kristensen
f284b3a2bb Merge remote-tracking branch 'upstream/master' into exceptionXss 2019-11-26 10:54:04 +01:00
Erik Krogh Kristensen
7ee12a3420 change doc based on review feedback 2019-11-26 10:48:24 +01:00
semmle-qlci
fb44aa18bd Merge pull request #2428 from erik-krogh/useOfReturnlessFunctionSuperCalls 
Approved by max-schaefer
 2019-11-26 09:14:08 +00:00
Asger F
df97ab2cb8 TS: Add INDEX prefix to env variables 2019-11-25 17:10:00 +00:00
Asger F
7e515aeb72 TS: Verify yarn installation 2019-11-25 16:22:21 +00:00
Asger F
e5ba80b18c JS: Add test 2019-11-25 15:05:33 +00:00
Asger F
82b35a116c JS: Handle .js import of .ts file 2019-11-25 14:58:12 +00:00
Asger F
b306eeeb6e TS: Option to install dependencies 2019-11-25 14:42:17 +00:00
Erik Krogh Kristensen
9bd6363521 Merge remote-tracking branch 'upstream/master' into promiseAll 2019-11-25 14:34:58 +01:00
Erik Krogh Kristensen
4efc71b7a2 remove FP in use-of-returnless-function FP related to calls to super() 2019-11-25 11:48:16 +01:00
Erik Krogh Kristensen
7d825af9a3 Added an XSS sink for Handlebars.SafeString 2019-11-22 15:56:21 +01:00
semmle-qlci
5c3c8eb35d Merge pull request #2406 from erik-krogh/returnlessFp 
Approved by asgerf
 2019-11-22 13:06:03 +00:00
Erik Krogh Kristensen
f40d79271d cleanup module imports and update expected outputs 2019-11-22 13:55:47 +01:00
Erik Krogh Kristensen
85b22536d0 adjust formatting 2019-11-22 13:36:16 +01:00
Esben Sparre Andreasen
5d34806e50 Merge pull request #2379 from asger-semmle/typescript-fixes 
TS: A bunch of TypeScript fixes
 2019-11-22 13:31:30 +01:00
Max Schaefer
83f5b614e9 JavaScript: Switch detection of callback-based string replacement to data flow. 2019-11-22 09:24:34 +00:00
Max Schaefer
1951461f55 JavaScript: Simplify DoubleEscaping. 
Undo previous work on generalising the concept of a replacement, which did not work out.
 2019-11-22 09:24:34 +00:00
Max Schaefer
ff002a7af4 JavaScript: Whitelist more harmless incomplete escapes. 2019-11-22 09:24:34 +00:00
Max Schaefer
659cc812fe JavaScript: Rephrase two predicates to help the optimiser. 2019-11-22 09:24:34 +00:00
Max Schaefer
db3eaa23ef JavaScript: Introduce modelling of String.prototype.replace and use it in two queries. 2019-11-22 09:24:34 +00:00
Max Schaefer
f43e843b20 JavaScript: Introduce class RegExpLiteralNode. 2019-11-22 09:24:34 +00:00
Max Schaefer
12ea81af9c JavaScript: Move getAMatchedConstant(RegExpTerm) into the library. 2019-11-22 09:24:34 +00:00
Max Schaefer
a5a5debdc7 JavaScript: Move getStringValue(RegExpLiteral) into the library. 2019-11-22 09:24:34 +00:00
Max Schaefer
0edb70f373 JavaScript: Deal with escape-unescape-escape (and similar) chains. 2019-11-22 09:24:34 +00:00
Max Schaefer
cb54618a5d JavaScript: Deal with (un-)escaping on captured variables. 2019-11-22 09:24:34 +00:00
Max Schaefer
61aa075e8d JavaScript: Fix regexes for escaping schemes. 2019-11-22 09:24:34 +00:00
Max Schaefer
4f899a9b0d JavaScript: Recognize string escaping using .replace with a callback. 2019-11-22 09:24:34 +00:00
Max Schaefer
5dcf55e113 JavaScript: Refactor DoubleEscaping.ql. 2019-11-22 09:24:34 +00:00
semmle-qlci
62859d140d Merge pull request #2394 from esbena/js/support-getDerivedFromError 
Approved by max-schaefer
 2019-11-22 07:45:45 +00:00
semmle-qlci
2c623372b6 Merge pull request #2405 from esbena/js/another-bind-model 
Approved by asgerf
 2019-11-22 07:35:58 +00:00
Erik Krogh Kristensen
94e9c0203d add test for exceptional taint-flow 2019-11-21 17:16:13 +01:00
semmle-qlci
8cca9b05ea Merge pull request #2393 from max-schaefer/js/improve-incomplete-sanitization-docs 
Approved by mchammer01
 2019-11-21 16:04:19 +00:00
Asger F
ec8ced7963 TS: Fix a typos and leftover todo 2019-11-21 15:39:37 +00:00