Asger Feldthaus
ff49aaa684
JS: Do not capture own variables
2021-07-02 13:17:32 +02:00
Asger Feldthaus
8befb03cb9
JS: Add test case with spurious call/return flow
2021-07-02 13:17:32 +02:00
CodeQL CI
38f763dd6a
Merge pull request #6192 from asgerf/js/string-literals-as-source-nodes
...
Approved by esbena
2021-07-02 03:47:20 -07:00
Chris Smowton
6823855e9c
Merge pull request #6203 from smowton/smowton/admin/avoid-config-imports-from-qlls
...
Java: Reduce DataFlow Configuration pollution from Random.qll and JexlInjection.qll
2021-07-02 11:27:27 +01:00
Chris Smowton
ca1bf7791e
Merge pull request #6210 from tamasvajk/fix/large-coverage-comment
...
Fix markdown link in framework coverage PR comment
2021-07-02 11:27:17 +01:00
Tamás Vajk
4a5fe75d8c
Merge pull request #6207 from github/workflow/coverage/update
...
Update CSV framework coverage reports
2021-07-02 12:00:31 +02:00
Asger Feldthaus
c3b7d85341
JS: Update test output after rebasing
2021-07-02 11:57:45 +02:00
Tamas Vajk
f3f069fed5
Fix markdown link in framework coverage PR comment
2021-07-02 11:56:00 +02:00
Asger Feldthaus
7249d2892a
JS: Add comment to VueTemplateSink class
2021-07-02 11:55:56 +02:00
Asger Feldthaus
0105b829c4
JS: Update test output
2021-07-02 11:55:56 +02:00
Asger Feldthaus
6d9b96f6e8
JS: Dont use getALocalSource() when marking Vue template sinks
2021-07-02 11:55:56 +02:00
Asger Feldthaus
472b41f5e1
JS: Update React to handle string literals being SourceNodes
2021-07-02 11:55:56 +02:00
Asger Feldthaus
39c204ac39
JS: Treat string literals as source nodes
2021-07-02 11:55:56 +02:00
Chris Smowton
a51154a8ef
Deduplicate Jexl configuration
2021-07-02 10:02:28 +01:00
Chris Smowton
d022c57903
Add change note
2021-07-02 10:02:28 +01:00
Chris Smowton
bbd3ecb768
Add docs to RandomQuery.qll
2021-07-02 10:02:28 +01:00
Chris Smowton
e661fc08d3
Split Android XSS sink defintions out of XSS.qll
...
This removes one of the routes by which XSS.qll is always in scope, and so its dataflow configuration is too -- however it is still always in scope because JaxWS.qll imports it.
2021-07-02 10:02:25 +01:00
Chris Smowton
747a8e4157
Split up JexlInjection.qll
...
This avoids a DataFlow2::Configuration being in scope for all queries via the import from ExternalFlow.qll
2021-07-02 10:01:51 +01:00
Chris Smowton
643f7dfb87
Split up Random.qll
...
This prevents bringing a dataflow config into scope from utility libraries.
2021-07-02 10:00:49 +01:00
Anders Schack-Mulligen
80124df78e
Merge pull request #5487 from joefarebrother/sql-sinks
...
Java: Convert SQL sinks to CSV format
2021-07-02 10:51:09 +02:00
CodeQL CI
61ee193dc0
Merge pull request #6197 from asgerf/js/recompose
...
Approved by esbena
2021-07-02 00:58:06 -07:00
Esben Sparre Andreasen
0cf9c95981
Merge pull request #6193 from esbena/esbena/mootools-xss
...
JS: add Mootools XSS sinks
2021-07-02 09:24:56 +02:00
Anders Schack-Mulligen
4e1155cfd2
Merge pull request #6202 from smowton/smowton/admin/cleanup-duplicated-experimental-query
...
Deduplicate shared body of regular and experimental versions of `java/command-line-injection` query.
2021-07-02 09:23:50 +02:00
Anders Schack-Mulligen
f9da044e54
Merge pull request #6185 from aschackmull/java/perf-fix-request-forgery
...
Java: Fix bad magic.
2021-07-02 09:07:07 +02:00
github-actions[bot]
55aff21587
Add changed framework coverage reports
2021-07-02 00:09:02 +00:00
Taus
f151338def
Merge pull request #6198 from RasmusWL/fix-cleartext-logging
...
Python: Some minor fixes to `py/clear-text-logging-sensitive-data`
2021-07-01 18:28:25 +02:00
Chris Smowton
8b7db8a8cc
Merge pull request #5408 from p0wn4j/urlclassloader-webclient-ssrf-sinks
...
Java: Add URLClassLoader, WebClient SSRF sinks
2021-07-01 16:14:22 +01:00
Tamás Vajk
05842dcdb3
Merge pull request #6181 from tamasvajk/feature/test-options-files
...
C#: Start using 'options' files in tests
2021-07-01 17:03:27 +02:00
Joe Farebrother
1e82c607ef
Mark failing tests as missing
2021-07-01 15:29:47 +01:00
Tamas Vajk
5e2770339f
Add adjusted expected files
2021-07-01 16:09:11 +02:00
Tamas Vajk
03d1a3e0ad
Trim test files + remove duplicate newlines
2021-07-01 16:09:11 +02:00
Tamas Vajk
4900ecfabe
Manual fixes
2021-07-01 16:09:11 +02:00
Tamas Vajk
c29d11087b
C#: Start using 'options' files in tests
2021-07-01 16:08:47 +02:00
Chris Smowton
e0a7f6e14f
Fix URLClassLoader test
2021-07-01 15:03:38 +01:00
Chris Smowton
d5a9f3d87b
Deduplicate shared body of regular and experimental versions of java/command-line-injection query.
2021-07-01 14:53:56 +01:00
Joe Farebrother
160f3b4312
Remove ArrayElement from sink specifications
2021-07-01 14:41:39 +01:00
Joe Farebrother
4bea33402c
Rename test labels for more clarity
2021-07-01 14:38:20 +01:00
Joe Farebrother
1a06c132be
Use ArrayElement of to handle arargs case in SpringJdbc.qll
2021-07-01 14:38:20 +01:00
Joe Farebrother
29f82fc81f
Use ArrayElementOf in Android sinks
2021-07-01 14:38:19 +01:00
Joe Farebrother
f4a59cc2e3
Convert tainted arrays to arrays of tainted elements in tests
2021-07-01 14:38:19 +01:00
Joe Farebrother
865477d020
Convert android tests to inline expectations
2021-07-01 14:38:19 +01:00
Joe Farebrother
95d8018a43
Include overrides for SQLiteQueryBuilder sinks
2021-07-01 14:38:19 +01:00
Joe Farebrother
0d4f8aedb8
Use Argument ranges in CSV rows
2021-07-01 14:38:19 +01:00
Joe Farebrother
7926d16844
Convert SQL sinks to CSV format
2021-07-01 14:38:19 +01:00
Chris Smowton
44e8dd9ec5
Add change note
2021-07-01 13:36:00 +01:00
Anders Schack-Mulligen
cda5c22f6e
Merge pull request #5590 from github/sauyon/java-spring-errors
...
Add models for Spring validation.Errors
2021-07-01 14:29:49 +02:00
Asger Feldthaus
993cc29275
JS: Autoformat
2021-07-01 14:22:44 +02:00
Anders Schack-Mulligen
37f8794d01
Merge pull request #6165 from edoardopirovano/fix-regression
...
Performance: Improve join order in data flow library
2021-07-01 14:13:18 +02:00
Rasmus Wriedt Larsen
b0309dd321
Python: Limit SensitiveDataSources to prevent _some_ cross-talk
2021-07-01 12:08:12 +02:00
Rasmus Wriedt Larsen
f64e58a21c
Python: Fix a QLDoc for SensitiveDataSources
2021-07-01 12:05:59 +02:00
