hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-10 01:10:09 +02:00
Code Issues Packages Projects Releases Wiki Activity
74,208 Commits 1,754 Branches 167 Tags
e382ffc5d23e90d98448f0bd6bb4edbefdbeb015
Commit Graph

1023 Commits

Author SHA1 Message Date
Asger Feldthaus
f132b4a279 JS: Add type confusion sink for prototype pollution checks 2020-12-07 10:16:38 +00:00
Asger Feldthaus
479dcf56ad JS: Update to use more inclusive language 2020-12-07 10:16:38 +00:00
Asger Feldthaus
ca38a1c8b9 JS: Update CWE tags 2020-12-07 10:16:38 +00:00
Asger Feldthaus
25161ed338 JS: Move all prototype pollution queries to CWE-915 2020-12-07 10:16:38 +00:00
Asger Feldthaus
877b4b0752 JS: Move and rename other prototype pollution queries 2020-12-07 10:16:38 +00:00
Asger Feldthaus
972c4d61e5 JS: Add PrototypePollutingAssignment 2020-12-07 10:16:38 +00:00
Asger Feldthaus
f0516dd9e0 JS: Address review comments 2020-12-04 09:07:44 +00:00
CodeQL CI
edbbc846d0 Merge pull request #4753 from max-schaefer/js/more-nosql-query-args 
Approved by asgerf, mchammer01
 2020-12-03 08:46:47 +00:00
Asger Feldthaus
412939d071 JS: Autoformat 2020-12-02 13:08:32 +00:00
Asger Feldthaus
5561e8f1f6 JS: Delete old query and update qhelp 2020-12-01 17:05:48 +00:00
Asger Feldthaus
1459d9197d JS: Adjust alert message for template sinks 2020-12-01 17:05:48 +00:00
Erik Krogh Kristensen
6f29a877fa move logInjection out of experimental 2020-12-01 09:18:40 +01:00
Max Schaefer
978d2db252 JavaScript: Add models for more Mongoose methods. 2020-11-30 16:32:13 +00:00
Anders Schack-Mulligen
8f2094f0bf Autoformat. 2020-11-30 14:42:38 +01:00
Erik Krogh Kristensen
f03429a4b8 change description for source root folder 2020-11-23 23:46:44 +01:00
Erik Krogh Kristensen
f7f9beeefd avoid reporting empty names in js/exposure-of-private-files 2020-11-23 14:24:42 +01:00
Erik Krogh Kristensen
02d5fbf46b remove superfluous space 2020-11-23 14:22:16 +01:00
Asger Feldthaus
16429c8ca4 JS: followed -> followed by 2020-11-20 14:44:25 +00:00
Asger Feldthaus
f737f34dcd JS: Add UntrustedDataToExternalApi query 2020-11-19 13:42:25 +00:00
CodeQL CI
da58306f2d Merge pull request #4506 from asgerf/js/separate-jquery-config 
Approved by esbena
 2020-10-21 03:13:42 -07:00
Erik Krogh Kristensen
e061c6a006 add support for more custom CSRF checking middlewares 2020-10-20 15:16:14 +02:00
Asger Feldthaus
c91cdb5194 JS: Address review comments 2020-10-20 12:00:02 +01:00
Asger Feldthaus
50a015c73e JS: Move $() sink into separate dataflow config 2020-10-20 10:52:33 +01:00
Erik Krogh Kristensen
ce95676130 add express.csrf as an CSRF protecting middleware 2020-10-19 15:39:02 +02:00
Erik Krogh Kristensen
27a2cd310d inline value in nodeLeadingToCsrfWrite 2020-10-16 14:21:49 +02:00
Erik Krogh Kristensen
017c73dce3 Apply suggestions from code review 
Co-authored-by: Asger F <asgerf@github.com>
 2020-10-16 14:20:40 +02:00
Erik Krogh Kristensen
4d1a9740f0 add support for home made CSRF protection middlewares in js/missing-token-validation 2020-10-15 14:50:59 +02:00
CodeQL CI
339c0721c5 Merge pull request #4344 from esbena/js/fixup-cwe-20-to-cwe-020 
Approved by erik-krogh
 2020-10-05 12:30:53 -07:00
Chris Smowton
578ea1ae43 Fix OWASP broken links 2020-10-01 13:09:52 +01:00
Erik Krogh Kristensen
e04404b713 also recognize cookie writes are leading to cookie access 2020-09-28 21:17:25 +02:00
Esben Sparre Andreasen
ba0a2e1665 JS: tag consistency: replace cwe-20 with cwe-020 2020-09-25 10:28:05 +02:00
CodeQL CI
9a306866c5 Merge pull request #4282 from erik-krogh/es2021 
Approved by esbena
 2020-09-22 05:34:35 -07:00
Erik Krogh Kristensen
b09015380a add support for String.prototype.replaceAll 2020-09-21 10:50:04 +02:00
Erik Krogh Kristensen
ae228cb5b2 move new predicates to a more fitting location 2020-09-20 22:15:03 +02:00
Erik Krogh Kristensen
43e5c0212c add basic support for indirect route handlers 2020-09-18 09:26:33 +02:00
Erik Krogh Kristensen
6fccf5aa70 use isLikelyIntentionalHtmlSink in the sink instead of in the where clause 2020-09-04 09:26:03 +02:00
Esben Sparre Andreasen
d27442e846 Apply suggestions from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2020-08-26 20:18:54 +02:00
Esben Sparre Andreasen
89305865d0 JS: make sanitization a "common" technique rather than "important" 2020-08-26 15:41:54 +02:00
Erik Krogh Kristensen
15a74493e0 more permissive path elements in js/incomplete-url-substring-sanitization 2020-08-13 11:46:13 +02:00
Erik Krogh Kristensen
1d111c3e1f expand what urls are detected by js/incomplete-url-substring-sanitization 2020-08-12 14:25:35 +02:00
Erik Krogh Kristensen
cc5ef4d5e1 rename JsonSerializeCall to JsonStringifyCall 2020-08-05 13:22:41 +02:00
Erik Krogh Kristensen
5a3f67a682 introduce model for JSON.stringify and similar libraries 2020-08-05 12:14:51 +02:00
semmle-qlci
13c3513d76 Merge pull request #3905 from erik-krogh/unsafeShellTypo 
Approved by esbena
 2020-07-06 11:41:56 +01:00
Erik Krogh Kristensen
8585312271 fix typo in js/shell-command-constructed-from-input 2020-07-06 10:33:49 +02:00
Esben Sparre Andreasen
80981ec8f5 Update UnsafeHtmlExpansion-transformed.html 2020-06-30 12:01:02 +02:00
Erik Krogh Kristensen
3f8881a334 don't report insecure randomness when the insecure random is just a fallback 2020-06-23 15:53:19 +02:00
semmle-qlci
0d61443915 Merge pull request #3753 from asger-semmle/js/xss-dom-exception-rephrasing 
Approved by erik-krogh
 2020-06-23 13:01:41 +01:00
Asger F
ca06f6dfb4 Merge branch 'js-team-sprint' into js/insecure-http-options 2020-06-23 00:16:02 +01:00
Asger F
7d54b02fb9 Merge branch 'js-team-sprint' into js/delay-slow-query-merge 2020-06-22 16:34:49 +01:00
Esben Sparre Andreasen
9a0bbb31f4 Revert "Merge pull request #3702 from esbena/js/memory-exhaustion" 
This reverts commit eca5e2df8a, reversing
changes made to 1548eca994.
 2020-06-22 14:46:51 +02:00