codeql

mirror of https://github.com/github/codeql.git synced 2026-02-15 14:33:40 +01:00

Author	SHA1	Message	Date
aegilops	d248551e88	Updated expected test result files using HEAD version of codeql	2025-01-24 15:46:09 +00:00
aegilops	522f3d1337	Merge	2025-01-23 17:00:56 +00:00
erik-krogh	2f1bd75ee9	remove redundant cast	2025-01-21 09:51:14 +01:00
erik-krogh	17afab7d0f	support that two `indexOf()` calls use the same string-concatenation in `getAnEquivalentIndexOfCall()`	2025-01-21 09:43:57 +01:00
erik-krogh	d5529e3a7e	ensure an `indexOf` call is equivalent with itself. (`getAUse()` is used later to find matching `indexOf` calls)	2025-01-21 09:42:30 +01:00
Asger F	8fe622f572	JS: Update PrototypePollutingFunction.ql	2025-01-20 11:20:29 +01:00
Asger F	fd763a0883	JS: Auto-patch diff informed queries	2025-01-20 11:20:27 +01:00
Asger F	0cdda87161	JS: Restrict AP length in prototype-polluting function	2025-01-06 14:33:41 +01:00
Asger F	3acd4814de	Merge branch 'main' into js/shared-dataflow-merge-main	2024-12-19 10:14:38 +01:00
Asger F	73af3f3536	JS: Migrate PrototypePollutingFunction	2024-12-16 15:35:40 +01:00
Asger F	4e25036cdc	JS: Follow naming convention in InsecureModuleFlow module	2024-12-13 11:09:59 +01:00
Asger F	04a3a6707f	JS: Update a reference to AdditionalSanitizerGuardNode Unlike most other references to this class, we're not subclassing it here, we're just trying to reuse some standard barrier guards but with a different flow state.	2024-12-03 14:30:22 +01:00
Napalys	9d4e737bc2	JS: follow proper code standards for get predicates Co-authored-by: asgerf <asgerf@github.com>	2024-11-29 11:32:10 +01:00
Napalys	3171f38cdd	JS: fixed bad alert messages when it came to incomplete sanitization for new RegExp objects	2024-11-29 11:14:45 +01:00
Napalys	98fd97799c	JS: imcomplete sanization now handles properly maybe global	2024-11-28 11:26:50 +01:00
Napalys	1ae174849f	JS: incomplete sanitization now also works with RegExp objects	2024-11-28 11:26:48 +01:00
Napalys Klicius	d6372aebc7	Update javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2024-11-25 12:12:12 +01:00
Napalys	e38b63ebcd	JS: previously js/case-sensitive-middleware-path was not taking into consideration unknown flags	2024-11-25 11:56:06 +01:00
Asger F	d52bc971b8	Merge branch 'main' into js/shared-dataflow-merge-main	2024-11-20 14:05:03 +01:00
Napalys Klicius	c8c15a0899	Merge pull request #17910 from Napalys/napalys/matchAll-support JS: Support for matchAll	2024-11-14 15:36:20 +01:00
Mikaël Barbero	881fe0ba57	fix: add "actions" tag to ActionsArtifactLeak Similar to javascript/ql/src/Security/CWE-094/ExpressionInjection.ql	2024-11-05 15:58:46 +01:00
Napalys Klicius	5e8b1b061f	Update javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2024-11-05 10:29:22 +01:00
Napalys	ccee34d6d3	Added support for matchAll in CWE-020 including new test cases	2024-11-05 08:51:24 +01:00
Asger F	1cd00a118c	Merge branch 'main' into js/shared-dataflow-merge-main	2024-09-18 14:57:50 +02:00
Alvaro Muñoz	5d1da861a2	fix: Use YamlScalar for booleans	2024-09-06 23:21:41 +02:00
Alvaro Muñoz	5df3af2272	Fix alert message	2024-09-06 23:06:57 +02:00
Alvaro Muñoz	d9e8792d33	[javascript] Query to detect GITHUB_TOKEN leaked in artifacts	2024-09-06 22:55:58 +02:00
Asger F	c54f5858b1	Merge branch 'main' into js/shared-dataflow-merge-main	2024-08-22 13:22:05 +02:00
Kristen Newbury	e84dda4fa6	Update JS helmet model structure	2024-08-15 16:08:48 -04:00
Asger F	df64388d79	Merge branch 'main' into js/shared-dataflow-merge-main	2024-08-02 13:18:38 +02:00
aegilops	79980a98a2	Added links to eventual location of CUSTOMIZING.md	2024-07-12 14:21:50 +01:00
Paul Hodgkinson	11249e7182	Apply suggestions from code review - docs tweaks of CUSTOMIZING.md Co-authored-by: Felicity Chapman <felicitymay@github.com>	2024-07-12 14:20:03 +01:00
Paul Hodgkinson	c9af53f050	Merge branch 'main' into aegilops/polyfill-io-compromised-script	2024-07-12 12:53:44 +01:00
aegilops	61df4d2f04	Merge branch 'aegilops/polyfill-io-compromised-script' of https://github.com/aegilops/codeql into aegilops/polyfill-io-compromised-script	2024-07-12 12:49:18 +01:00
aegilops	00d91dc6ba	Created guide on customizing these queries, and referenced it in the query help	2024-07-12 12:49:09 +01:00
aegilops	040f948e65	Added a note that SRI can be considered for some dynamic services	2024-07-12 12:48:36 +01:00
Paul Hodgkinson	3f37fe6add	Apply suggestions from code review - docs and wording Docs suggestions accepted, thank you 🙏 Co-authored-by: Felicity Chapman <felicitymay@github.com>	2024-07-12 11:48:39 +01:00
aegilops	d71be8aeaf	Moved from `experimental` into default queries	2024-07-11 11:44:01 +01:00
aegilops	86afd54a9b	Moved new query to 'experimental' Moved lists of domains to data extensions, including adding those to the overall qlpack.yml Expanded scope of new query to further domains operated by the untrusted owners of polyfill.io	2024-07-09 16:38:01 +01:00
aegilops	2aff2a7385	Fixed code markup	2024-07-08 11:31:06 +01:00
aegilops	c003f265b0	Fixed missing li closing tag	2024-07-08 10:58:06 +01:00
aegilops	b4d8c4889a	Fixed wrong name for example HTML	2024-07-01 16:58:03 +01:00
aegilops	1744a98017	Added full stop to end of message	2024-07-01 16:53:22 +01:00
aegilops	ceda46e317	Fixed ending <p> tags	2024-07-01 16:52:28 +01:00
aegilops	a1b0703690	Added detection for specific Polyfill.io CDN compromise - edited existing library and added new query and tests	2024-07-01 16:21:34 +01:00
aegilops	fc6fba8d06	Fixed CWE tags	2024-07-01 14:25:47 +01:00
aegilops	d1d082982a	More external references	2024-07-01 14:25:29 +01:00
Asger F	ecf418b8f6	Merge branch 'main' into js/shared-dataflow	2024-06-25 11:48:41 +02:00
aegilops	1ecd72727d	Renamed README to CUSTOMIZING, removed details from qhelp and referenced md doc instead	2024-06-19 17:59:43 +01:00
aegilops	a07639f4f6	Set severity to 7.0, in line with other configuration queries	2024-06-19 17:43:41 +01:00

1 2 3 4 5 ...

1101 Commits