codeql

mirror of https://github.com/github/codeql.git synced 2026-05-24 16:17:07 +02:00

Author	SHA1	Message	Date
Aditya Sharad	eec7b926b0	JS: Add `this` reference for clarity No behaviour change.	2022-01-18 16:23:03 +00:00
Aditya Sharad	0a003edaa7	JS: Improve performance of Xss::isOptionallySanitizedEdge When join-ordering and evaluating this conjunction, it is preferable to start with the relatively small set of `sanitizer` calls, then compute the set of SSA variables accessed as the arguments of those sanitizer calls, then reason about how those variables are used in phi nodes. Use directional binding pragmas to encourage this join order by picking `sanitizer` first, and discourage picking the opposite join order starting with `phi`. This impacts performance of the ATM XSS queries on large databases like Node, where computing all variable accesses from phi nodes leads to 435M+ tuples.	2022-01-18 16:23:03 +00:00
Aditya Sharad	b7852cec7a	JS: Improve performance of ClassifyFiles::isTestFile One of the heuristics for test files looks for source files of the form `base.ext`, then looks for sibling test files of the form `base.test.ext` or `base.spec.ext`. On large databases, the result join order computed all source files, the containers of those files, then all other files within those containers, before computing the test file names and filtering using those names. The product of all files with all other files in the same containers is of the same order of magnitude as the product of the `files` table with itself, which on large DBs like Node can be 12M+ tuples. As a performance optimisation, factor out a helper predicate that computes the likely test file names for each source file, so these can be determined with a single join against the files table. This results in much better join orders, such as computing the set of files and their containers, then the test file names, then the sibling files with those names. This loses some flexibility because the set of 'test' extension names is hardcoded in the library rather than provided by the caller predicate. The original predicate remains to avoid breaking other callers, but could eventually be deprecated.	2022-01-18 16:23:03 +00:00
Andrew Eisenberg	07228672df	Merge branch 'main' into aeisenberg/remove-upgrades	2022-01-11 11:25:27 -08:00
Asger F	c9fcdb8261	Apply suggestions from code review Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2022-01-06 11:51:27 +01:00
Asger Feldthaus	a7698b8727	JS: Fix double space	2022-01-05 14:35:02 +01:00
Asger Feldthaus	486beda2fa	JS: Factor out common regexp in AccessPathToken	2022-01-05 14:35:02 +01:00
Asger Feldthaus	21928bee6c	JS: Rename padded -> inversePad	2022-01-05 14:35:01 +01:00
Asger Feldthaus	1989d51942	JS: Update documentation in Impl.qll	2022-01-05 14:35:01 +01:00
Asger Feldthaus	3ced5c9269	JS: Resolve first N tokens instead of constructing each prefix	2022-01-05 14:35:01 +01:00
Asger Feldthaus	772681d249	JS: Initial support for models as data	2022-01-05 14:34:52 +01:00
Dave Bartolomeo	83ceb822aa	Move upgrades into standard library packs Move upgrade to new location Remove incorrectly merged files Fix upgrades section	2022-01-04 11:30:25 -08:00
Erik Krogh Kristensen	b9964799f3	Merge pull request #7458 from erik-krogh/modelling QL: add "modelling/modeling" to `ql/non-us-spelling`	2022-01-04 13:33:54 +01:00
Dave Bartolomeo	ded3c52a34	Merge pull request #7407 from github/post-release-prep/codeql-cli-2.7.4 Post-release preparation for codeql-cli-2.7.4	2022-01-03 17:09:58 -05:00
github-actions[bot]	1334d207fa	Post-release version bumps	2022-01-03 20:11:15 +00:00
Alex Ford	3da98ecb73	Bump a date	2021-12-22 16:38:16 +00:00
Alex Ford	a2104de8a0	Move CryptoAlgorithms::AlgorithmsName into a separate internal/CryptoAlgorithmNames.qll	2021-12-22 16:38:15 +00:00
Alex Ford	f16d77615d	Remove unused isStrongBlockMode predicate from CryptoAlgorithms.qll	2021-12-22 16:38:15 +00:00
Alex Ford	d3af687767	Add more encryption algorithms and modes to CryptoAlgorithms::AlgorithmNames Strong encryption algorithms: ARIA, IDEA, SEED, SM4 Strong block modes: CBC, CFB, CTR, OFB	2021-12-22 16:38:15 +00:00
Alex Ford	bdb2d8ba16	Ruby: split OpenSSL parts from CryptoALgorithms.qll and sync with JS/Python version	2021-12-22 16:38:15 +00:00
Erik Krogh Kristensen	8019b52838	run the non-us patch with "modelled/modeled"	2021-12-20 17:47:15 +01:00
Erik Krogh Kristensen	d17879e1f9	run the non-us patch	2021-12-20 16:24:41 +01:00
Nick Rolfe	28912c508f	Fix non-US spelling of 'behavior'	2021-12-17 15:29:31 +00:00
CodeQL CI	de4b655ddb	Merge pull request #7327 from asgerf/js/handlebars-more-raw-interpolation Approved by erik-krogh	2021-12-17 14:07:57 +00:00
CodeQL CI	39ec7132af	Merge pull request #7049 from asgerf/js/routing-trees Approved by erik-krogh	2021-12-17 12:26:38 +00:00
Asger Feldthaus	89775428b4	JS: Autoformat	2021-12-17 10:32:02 +01:00
Asger Feldthaus	e2c6dd7d56	JS: Recognize {{& ... }} as an XSS sink	2021-12-17 10:31:50 +01:00
Asger Feldthaus	0e9c2377e3	JS: Use a field in RouterHandlerParameter	2021-12-16 10:26:35 +01:00
CodeQL CI	f274f06d9b	Merge pull request #7409 from asgerf/js/track-functions-with-methods Approved by erik-krogh	2021-12-16 09:01:42 +00:00
CodeQL CI	acbf7913b2	Merge pull request #7408 from asgerf/js/trusted-types-sinks Approved by esbena	2021-12-16 08:59:51 +00:00
Asger F	784991cce5	Update javascript/ql/lib/semmle/javascript/Routing.qll Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2021-12-15 16:38:38 +01:00
Asger Feldthaus	79e6dcaf68	JS: Rename getValueAtAccessPath->getValueImplicitlyStoredInAccessPath	2021-12-15 16:37:28 +01:00
Asger Feldthaus	8aa4d8227e	JS: Rename RouteHandlerInput->RouteHandlerParameter	2021-12-15 16:32:18 +01:00
Asger Feldthaus	218b746f6f	JS: Rename getAUseSite -> getRouteInstallation	2021-12-15 16:21:41 +01:00
Asger Feldthaus	615b2ec539	JS: Fix handling of fastify-plugin	2021-12-15 16:04:46 +01:00
Asger Feldthaus	b226f767ad	JS: Fix tracking of fastify server instance	2021-12-15 16:04:45 +01:00
Asger Feldthaus	0ca9feb854	JS: Always treat routers as resuming dispatch	2021-12-15 16:01:59 +01:00
Asger F	1b20506947	Update javascript/ql/lib/semmle/javascript/frameworks/Fastify.qll Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2021-12-15 16:00:19 +01:00
Asger F	c1bb40f439	Update javascript/ql/lib/semmle/javascript/frameworks/Express.qll Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2021-12-15 16:00:19 +01:00
Asger Feldthaus	b2016bddac	JS: Merge concepts of client/database in MongoDB model	2021-12-15 16:00:19 +01:00
Asger Feldthaus	e64a6dc12a	JS: Add qldoc	2021-12-15 12:47:23 +01:00
Asger Feldthaus	43ec721a87	JS: Add link to MDN docs for trusted types	2021-12-15 11:52:58 +01:00
github-actions[bot]	59da2cdf69	Release preparation for version 2.7.4	2021-12-14 21:35:09 +00:00
Dave Bartolomeo	a62f181d42	Move new change notes to appropriate packs	2021-12-14 12:05:15 -05:00
Asger Feldthaus	7e947b2a65	JS: Use return value of trusted type policy callback as a sink	2021-12-14 13:28:46 +01:00
Ian Wright	1c79d1f985	Merge pull request #7352 from github/esbena/atm-endpoint-polish ATM Endpoint filtering improvements	2021-12-14 08:19:23 +00:00
Erik Krogh Kristensen	de4458346f	Merge pull request #7344 from SZFsir/main JS: Improve inter-procedural type inference for FunctionExpr	2021-12-13 21:58:53 +01:00
Andrew Eisenberg	0669ef505e	Fix semver for upgrades references Ensure the version range is flexible enough to handle future version changes.	2021-12-13 09:03:33 -08:00
JrXnm	efc9e67ec2	Update javascript/ql/lib/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll Fix multiple declare may mismatch issue Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2021-12-13 18:36:06 +08:00
JrXnm	fad95d8935	Update javascript/ql/lib/semmle/javascript/dataflow/internal/InterProceduralTypeInference.qll Commit coding style suggestion Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>	2021-12-13 18:32:11 +08:00

1 2 3 4 5 ...

291 Commits