hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-09 15:41:36 +02:00
Code Issues Packages Projects Releases Wiki Activity
8,885 Commits 1,754 Branches 167 Tags
f958916c76fb49bdf4b5f40796f1c8c8a6fe2f0b
Commit Graph

1358 Commits

Author SHA1 Message Date
Max Schaefer
f958916c76 Merge pull request #2330 from erik-krogh/exceptionXss 
JS: Added query for detecting XSS that happens through an exception
 2019-11-29 09:04:45 +00:00
semmle-qlci
73e08eba43 Merge pull request #2468 from max-schaefer/js/regexp-predecessor 
Approved by asgerf
 2019-11-28 16:57:31 +00:00
Max Schaefer
a788bf87a0 JavaScript: Fix RegExpTerm.getPredecessor and getSuccessor. 
These were originally meant to give you the term that is textually matched right before/right after the receiver. When I introduced support for lookbehinds, I changed the behaviour to give you the term that is _operationally_ matched before/after the receiver (remember that lookbehinds are implemented by reverse-matching).

However, I think that's rarely ever what you want, and is wrong for the only two uses of these predicates, where it's the textual matching order that we are after, not the operational order.

Consequently, I've changed the semantics back and updated the comments to hopefully clarify the intention.
 2019-11-28 15:14:50 +00:00
Erik Krogh Kristensen
9351cd44e4 Merge remote-tracking branch 'githubsemmle/master' into HEAD 2019-11-27 13:45:59 +01:00
semmle-qlci
a2827e9503 Merge pull request #2362 from erik-krogh/promiseAll 
Approved by max-schaefer
 2019-11-27 12:35:04 +00:00
semmle-qlci
4916bed9cd Merge pull request #2433 from asger-semmle/import-js-file 
Approved by max-schaefer
 2019-11-27 10:55:59 +00:00
semmle-qlci
9ca4f6aecb Merge pull request #2392 from asger-semmle/window-name-flow 
Approved by max-schaefer
 2019-11-27 10:55:26 +00:00
semmle-qlci
793988afe4 Merge pull request #2344 from asger-semmle/element-pattern-prop-read 
Approved by max-schaefer
 2019-11-27 10:54:46 +00:00
Erik Krogh Kristensen
967ecbad24 Merge remote-tracking branch 'upstream/master' into promiseAll 2019-11-27 11:28:37 +01:00
Asger F
605c8834c6 JS: Avoid redundant window.name sources 2019-11-27 06:15:12 +00:00
Erik Krogh Kristensen
b5a57986c6 small changes based on review feedback 2019-11-26 15:57:31 +01:00
Erik Krogh Kristensen
b6106f9638 keep the ResolvedPromiseDefinition class as a subclass of PromiseCreationCall 2019-11-26 11:16:59 +01:00
Erik Krogh Kristensen
f284b3a2bb Merge remote-tracking branch 'upstream/master' into exceptionXss 2019-11-26 10:54:04 +01:00
Asger F
82b35a116c JS: Handle .js import of .ts file 2019-11-25 14:58:12 +00:00
Erik Krogh Kristensen
9bd6363521 Merge remote-tracking branch 'upstream/master' into promiseAll 2019-11-25 14:34:58 +01:00
Erik Krogh Kristensen
7d825af9a3 Added an XSS sink for Handlebars.SafeString 2019-11-22 15:56:21 +01:00
Erik Krogh Kristensen
f40d79271d cleanup module imports and update expected outputs 2019-11-22 13:55:47 +01:00
Erik Krogh Kristensen
85b22536d0 adjust formatting 2019-11-22 13:36:16 +01:00
Esben Sparre Andreasen
5d34806e50 Merge pull request #2379 from asger-semmle/typescript-fixes 
TS: A bunch of TypeScript fixes
 2019-11-22 13:31:30 +01:00
Max Schaefer
83f5b614e9 JavaScript: Switch detection of callback-based string replacement to data flow. 2019-11-22 09:24:34 +00:00
Max Schaefer
659cc812fe JavaScript: Rephrase two predicates to help the optimiser. 2019-11-22 09:24:34 +00:00
Max Schaefer
db3eaa23ef JavaScript: Introduce modelling of String.prototype.replace and use it in two queries. 2019-11-22 09:24:34 +00:00
Max Schaefer
f43e843b20 JavaScript: Introduce class RegExpLiteralNode. 2019-11-22 09:24:34 +00:00
Max Schaefer
12ea81af9c JavaScript: Move getAMatchedConstant(RegExpTerm) into the library. 2019-11-22 09:24:34 +00:00
Max Schaefer
a5a5debdc7 JavaScript: Move getStringValue(RegExpLiteral) into the library. 2019-11-22 09:24:34 +00:00
Asger F
ec8ced7963 TS: Fix a typos and leftover todo 2019-11-21 15:39:37 +00:00
Asger F
4a885cbf92 TS: Expose optional parameters at syntax level 2019-11-21 15:39:37 +00:00
Asger F
b6b8213e13 TS: Handle rest parameters in call signatures 2019-11-21 15:39:37 +00:00
Asger F
8205a59688 TS: Unfold aliases in Type.unfold() 2019-11-21 15:39:37 +00:00
Asger F
e25ee182a0 TS: Extract type alias relation 2019-11-21 15:39:37 +00:00
Esben Sparre Andreasen
03c83c9c9d JS: model React's getDerivedStateFromError 2019-11-21 13:18:43 +01:00
semmle-qlci
77c869f528 Merge pull request #2220 from erik-krogh/processEnvTaint 
Approved by esbena, max-schaefer
 2019-11-20 13:16:43 +00:00
Erik Krogh Kristensen
1ba777a45d remove deep taint of objects 2019-11-19 15:50:50 +01:00
Erik Krogh Kristensen
c2b48eb546 rename getExceptionalNode to getExceptionTarget 2019-11-19 15:32:17 +01:00
Erik Krogh Kristensen
d8a5554666 update doc on getExceptionalNode 2019-11-19 14:10:35 +01:00
Erik Krogh Kristensen
abd58ba905 rename 'getThrowsToNode' to 'getExceptionalNode' 2019-11-19 14:08:36 +01:00
Erik Krogh Kristensen
9fa7393d56 add support for try-statements with no catch block 2019-11-19 13:37:35 +01:00
Erik Krogh Kristensen
0a428a8f44 typo 
Co-Authored-By: Esben Sparre Andreasen <esbena@github.com>
 2019-11-19 13:05:13 +01:00
Erik Krogh Kristensen
2f08ee9faf fix typo 
Co-Authored-By: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
 2019-11-19 12:53:50 +01:00
Erik Krogh Kristensen
91674f681b refactoring to remove duplicated code and simplify the ExceptionXss query 2019-11-19 08:54:51 +01:00
Erik Krogh Kristensen
853c86685b remove some false positives 2019-11-18 13:32:47 +01:00
Erik Krogh Kristensen
5a6958a1cd add promise aggregators 2019-11-17 11:22:29 +01:00
Erik Krogh Kristensen
b3e88cdf31 refactored multiple implementations of getEnclosingTryStmt into a single predicate 2019-11-17 09:50:41 +01:00
Erik Krogh Kristensen
1b81526691 Merge remote-tracking branch 'upstream/master' into exceptionXss 2019-11-17 09:29:54 +01:00
Erik Krogh Kristensen
525da97dd4 changes based on review feedback 2019-11-17 09:24:00 +01:00
Erik Krogh Kristensen
3b9847e075 apply suggestions from max 
Co-Authored-By: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
 2019-11-17 09:01:48 +01:00
Erik Krogh Kristensen
8ff515a58d address review feedback on MaskingReplacer 2019-11-16 15:20:42 +01:00
Erik Krogh Kristensen
4ec2070e48 remove property reads on process.env as a taint step, and add a barrier for masking replace calls 2019-11-16 15:20:42 +01:00
Erik Krogh Kristensen
052a331395 rename ProcessEnvLabel to PartiallySensitiveMap 2019-11-16 15:20:42 +01:00
Erik Krogh Kristensen
2bd48db8cd refactor isSanitizerEdge in clear-text-logging 2019-11-16 15:20:42 +01:00