hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-18 11:21:07 +02:00
Code Issues Packages Projects Releases Wiki Activity
36,894 Commits 1,778 Branches 169 Tags
ea9aa596271b2497786ee429b00931ac7e465b0e
Commit Graph

53 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
2550988006 change @id from js/actions/injection to js/actions/command-injection 2022-05-17 09:25:05 +02:00
Nick Rolfe
1115227f9d Merge remote-tracking branch 'origin/main' into nickrolfe/misspelling 2022-05-12 16:10:27 +01:00
Nick Rolfe
2ed42c327c JS: fix typos in comments 2022-05-12 16:02:19 +01:00
Erik Krogh Kristensen
fef4455ccc apply suggestion from doc review 
Co-authored-by: Steve Guntrip <12534592+stevecat@users.noreply.github.com>
 2022-05-12 13:28:45 +02:00
Erik Krogh Kristensen
0c0e280637 update the qhelp to mention that the GITHUB_TOKEN only sometimes has write-access 2022-05-05 12:12:29 +02:00
Erik Krogh Kristensen
c0152a46bc rename getAReferencedExpression to getASimpleReferenceExpression and add examples of what it can parse 2022-05-05 11:02:47 +02:00
Erik Krogh Kristensen
8e2b00d209 make the big disjunctions more readable by using a set literal 2022-05-04 16:15:17 +02:00
Erik Krogh Kristensen
31a4de902e add missing security severity 2022-05-04 16:15:17 +02:00
Erik Krogh Kristensen
df4bfef8c7 expand the qhelp for js/actions/injection 2022-05-04 16:14:59 +02:00
Erik Krogh Kristensen
48fb01f9f7 set js/actions/injection as a high precision warning query 2022-05-04 16:14:54 +02:00
Erik Krogh Kristensen
2a65d1d3ec move js/actions/injection out of experimental 2022-05-04 16:14:19 +02:00
Erik Krogh Kristensen
2442beaf9a add missing severities to JS queries 2022-03-16 10:40:34 +01:00
Ethan Palm
2f7f9d9032 Move explanation of example above sample code 2022-02-09 10:45:24 -08:00
Erik Krogh Kristensen
aa95dd4ec7 fix typo 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2022-02-08 00:19:40 +01:00
Erik Krogh Kristensen
6f28cb9201 lower the precision of js/unsafe-code-construction 2022-02-07 13:35:29 +01:00
Erik Krogh Kristensen
eb133f59f6 update qhelp to focus on properly documenting potentially unsafe library functions 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
d77c28f6a7 add qhelp for unsafe-code-construction 2022-02-07 13:34:18 +01:00
Erik Krogh Kristensen
198a464346 add js/unsafe-code-construction query 2022-02-07 13:34:18 +01:00
Asger Feldthaus
3a20ca96c4 JS: Update CWE tags and severity score of code injection query 
The derived security-severity score of the JS code injection query
was much lower than for other languages (6.1 versus 9.3), possibly due
some differences in CWE tags, such as the inclusion of CWE-079.

We also add the more specific CWE-095 ("eval injection") for consistency
with other languages. It is a child of CWE-094 ("code injection") which
was already tagged.
 2021-10-05 10:12:19 +02:00
Asger Feldthaus
f6da030572 JS: Migrate to *Query.qll convention 2021-08-12 09:30:18 +02:00
Calum Grant
771e686946 Update security-severity scores 2021-06-15 13:25:17 +01:00
Calum Grant
a594afb828 Add security-severity metadata 2021-06-10 20:11:08 +01:00
Asger Feldthaus
96c6e4d8d8 JS: Update with new AdditionalTaintStep subclasses 2021-03-17 13:29:16 +00:00
Asger Feldthaus
f0516dd9e0 JS: Address review comments 2020-12-04 09:07:44 +00:00
Asger Feldthaus
412939d071 JS: Autoformat 2020-12-02 13:08:32 +00:00
Asger Feldthaus
5561e8f1f6 JS: Delete old query and update qhelp 2020-12-01 17:05:48 +00:00
Asger Feldthaus
1459d9197d JS: Adjust alert message for template sinks 2020-12-01 17:05:48 +00:00
Erik Krogh Kristensen
a465fef7aa shorten sentence in qhelp 2020-06-17 17:24:18 +02:00
Erik Krogh Kristensen
abd9aab109 code-injection -> code injection 2020-06-17 17:20:46 +02:00
Erik Krogh Kristensen
45e2b94eb5 Apply suggestions from doc review 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2020-06-17 17:19:44 +02:00
Erik Krogh Kristensen
5ce17bea60 add qhelp for js/bad-code-sanitization 2020-06-16 16:23:41 +02:00
Erik Krogh Kristensen
a0951f76b6 add additional taint steps when type-tracking RemoteFlowSource 2020-06-16 14:55:07 +02:00
Erik Krogh Kristensen
adabd2daca add qldoc and customizations module 2020-06-12 11:26:49 +02:00
Erik Krogh Kristensen
aa3482cbae improve detection of duplicate results with js/code-injection 2020-06-10 22:58:02 +02:00
Erik Krogh Kristensen
5142670138 don't import AdditionalSinks, refactor sink out in new HeuristicSinks instead 2020-06-10 22:30:45 +02:00
Erik Krogh Kristensen
373a437d71 add query to detect improperly sanitized code 2020-06-10 19:50:12 +02:00
Max Schaefer
31bb39a810 JavaScript: Autoformat all QL files. 2019-01-07 10:15:45 +00:00
Asger F
27c9326e70 JS: address doc review 2018-11-21 14:19:14 +00:00
Asger F
4ae2493798 JS: rename query to Unsafe Dynamic Method Access 2018-11-21 12:34:18 +00:00
Asger F
cb832b1de9 Merge branch 'unsafe-global-object-access' of github.com:asger-semmle/ql into unsafe-global-object-access 2018-11-21 11:14:21 +00:00
Asger F
84d642612e JS: more comments 2018-11-21 11:14:13 +00:00
Max Schaefer
fa761c07bd Update javascript/ql/src/Security/CWE-094/MethodNameInjection.ql 
Co-Authored-By: asger-semmle <42069257+asger-semmle@users.noreply.github.com>
 2018-11-21 10:55:38 +00:00
Asger F
4138f814d8 JS: expand example 2018-11-20 18:42:49 +00:00
Asger F
1c06f45046 JS: address some comments 2018-11-20 18:11:46 +00:00
Asger F
2239f863f7 JS: add query MethodNameInjection 2018-11-20 15:57:18 +00:00
Max Schaefer
3fcd02ab0e JavaScript: Rename hasPathFlow to hasFlowPath for consistency with other languages. 2018-11-14 11:23:17 +00:00
Max Schaefer
52ae757279 JavaScript: Select Nodes (instead of PathNodes) everywhere. 2018-11-14 09:16:40 +00:00
Max Schaefer
e365b722ee JavaScript: Select source and sink in all path queries. 2018-11-14 09:16:40 +00:00
Max Schaefer
11d6259dbf JavaScript: Move from Node to PathNode. 2018-11-14 09:16:40 +00:00
Max Schaefer
8d87f556e1 JavaScript: Add import DataFlow::PathGraph. 2018-11-14 09:16:40 +00:00