Artem Smotrakov
|
6b66323ac3
|
Simplified JexlInjectionLib.qll and removed LocalUserInput
|
2021-03-02 21:22:46 +01:00 |
|
Robert Marsh
|
dbd8432884
|
C++: autoformat
|
2021-03-02 12:11:12 -08:00 |
|
Andrew Eisenberg
|
9982112b61
|
Documentation: Update C/C++ Element::fromSource() docs
The previous documentation was not correct. This
documentation is adapted from File::fromSource().
|
2021-03-02 08:57:17 -08:00 |
|
Aditya Sharad
|
648910e974
|
Merge pull request #5285 from adityasharad/actions/docs-review
Actions: Add workflow to request docs review
|
2021-03-02 08:52:32 -08:00 |
|
Joe Farebrother
|
81ff76814f
|
Remove incorrect expectaton
|
2021-03-02 16:35:34 +00:00 |
|
Francis Alexander
|
173c4b7f2f
|
More Play stubs improvements
|
2021-03-02 20:39:25 +05:30 |
|
Mathias Vorreiter Pedersen
|
eb4f1e1ba0
|
C++: Restore some of the lost test results by doing operand -> instruction taint steps in IR TaintTracking.
|
2021-03-02 15:45:40 +01:00 |
|
Erik Krogh Kristensen
|
95a1edcabc
|
refactor FunctionStyleClass to get a better join-order
|
2021-03-02 15:22:38 +01:00 |
|
Anders Schack-Mulligen
|
0eb2c06e20
|
Merge pull request #3945 from porcupineyhairs/structsDevMode
Java: Add query to detect Apache Struts enabled Devmode
|
2021-03-02 15:22:20 +01:00 |
|
Erik Krogh Kristensen
|
4d33407f6c
|
optimize getACalleeValue
|
2021-03-02 15:21:36 +01:00 |
|
Tamas Vajk
|
714e1dc686
|
Add change note
|
2021-03-02 15:08:07 +01:00 |
|
Asger F
|
919ee38049
|
Update javascript/ql/src/semmle/javascript/security/dataflow/DeepObjectResourceExhaustionCustomizations.qll
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
|
2021-03-02 14:02:35 +00:00 |
|
Asger F
|
6c884f86d2
|
Apply suggestions from code review
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
|
2021-03-02 14:01:59 +00:00 |
|
Asger Feldthaus
|
6e0322dc60
|
JS: Add DeepResourceExhaustion test
|
2021-03-02 13:56:43 +00:00 |
|
Asger Feldthaus
|
88e5348da9
|
JS: Move RemotePropertyInjection test into subfolder
|
2021-03-02 13:56:39 +00:00 |
|
Asger Feldthaus
|
5d27cd934d
|
JS: Move Source def into customizations lib
|
2021-03-02 13:52:33 +00:00 |
|
Asger Feldthaus
|
d916118ea4
|
JS: Move ExceptionXss source into Xss.qll
|
2021-03-02 13:16:10 +00:00 |
|
Erik Krogh Kristensen
|
47f4faa4e2
|
use local dataflow instead of type-inference for mayHaveBooleanValue
|
2021-03-02 14:06:38 +01:00 |
|
Erik Krogh Kristensen
|
ae56285331
|
use callgraph instead of type-inference for array taint-steps
|
2021-03-02 14:06:09 +01:00 |
|
Erik Krogh Kristensen
|
b20ce8bfca
|
use callgraph instead of TypeInference in Testing.qll
|
2021-03-02 14:04:23 +01:00 |
|
Porcuiney Hairs
|
beb15e27eb
|
remove tests
|
2021-03-02 18:13:33 +05:30 |
|
Mathias Vorreiter Pedersen
|
23d3109071
|
C++: Use taintedWithPath in more tests. This is the predicate that's currently hooked up to the new IR taint tracking library.
|
2021-03-02 13:40:39 +01:00 |
|
Asger Feldthaus
|
fd9604c5ef
|
JS: Update expected output for poly ReDoS
|
2021-03-02 12:39:05 +00:00 |
|
Asger Feldthaus
|
31721b5fe3
|
JS: Fix missing qldoc
|
2021-03-02 12:39:05 +00:00 |
|
Asger Feldthaus
|
05594f2936
|
JS: Change note
|
2021-03-02 12:39:05 +00:00 |
|
Asger Feldthaus
|
0bd60c1989
|
JS: Autoformat
|
2021-03-02 12:39:05 +00:00 |
|
Asger Feldthaus
|
12079cd1e4
|
JS: Recognize RegExps in JSON schemas
|
2021-03-02 12:39:04 +00:00 |
|
Asger Feldthaus
|
7afa755597
|
JS: Add ajv error as source of ExceptionXss
|
2021-03-02 12:39:04 +00:00 |
|
Asger Feldthaus
|
24199a5499
|
JS: Add query for resource exhaustion from deep object handling
|
2021-03-02 12:39:04 +00:00 |
|
Asger Feldthaus
|
b978359803
|
JS: Add schema validation as TaintedObject sanitizer
|
2021-03-02 12:39:04 +00:00 |
|
Tamas Vajk
|
fa2f345611
|
Revert "Simplify MissingCallTarget for calli"
This reverts commit 3b82abd7c7.
|
2021-03-02 12:58:42 +01:00 |
|
Erik Krogh Kristensen
|
55985c969b
|
add change note
|
2021-03-02 12:25:50 +01:00 |
|
Erik Krogh Kristensen
|
ecccb8a409
|
only flag React elements in ClientSideUrlRedirect if it's a HTML element, or known link class
|
2021-03-02 12:25:50 +01:00 |
|
Erik Krogh Kristensen
|
36049f05f8
|
update Next.js xss example such that the attack is viable
|
2021-03-02 12:25:50 +01:00 |
|
Erik Krogh Kristensen
|
1f02594ccc
|
rename and move getAPropertyNameInterpretedAsJavaScriptUrl
|
2021-03-02 12:25:50 +01:00 |
|
Erik Krogh Kristensen
|
5b5baced9a
|
add support for replace in Next.js router
|
2021-03-02 12:25:49 +01:00 |
|
Erik Krogh Kristensen
|
97032f8627
|
add ClientSideUrlRedirect sink for Next.js routers
|
2021-03-02 12:25:49 +01:00 |
|
Erik Krogh Kristensen
|
a79c30a818
|
support NextJS API endpoints
|
2021-03-02 12:25:49 +01:00 |
|
Erik Krogh Kristensen
|
0e7e3e6178
|
support Next.js pages that export React components
|
2021-03-02 12:25:49 +01:00 |
|
Erik Krogh Kristensen
|
1fdbbb682d
|
support Next.js page request/response objects
|
2021-03-02 12:25:49 +01:00 |
|
Erik Krogh Kristensen
|
a5cf024c9f
|
add support for getServerSideProps in Next.js
|
2021-03-02 12:25:49 +01:00 |
|
Erik Krogh Kristensen
|
af262a035d
|
add support for getInitialProps in Next.js
|
2021-03-02 12:25:49 +01:00 |
|
Erik Krogh Kristensen
|
d63fcaf7f1
|
add step from getStaticProps to the component render function
|
2021-03-02 12:25:49 +01:00 |
|
Erik Krogh Kristensen
|
9d7bb57d8a
|
add parameter values from Next as a RemoteFlowSource
|
2021-03-02 12:25:49 +01:00 |
|
Erik Krogh Kristensen
|
41a0c0b55e
|
support React links in js/client-side-unvalidated-url-redirection
|
2021-03-02 12:25:49 +01:00 |
|
Francis Alexander
|
4384f78595
|
Play stubs improvements, cleanup and return values
|
2021-03-02 16:50:16 +05:30 |
|
CodeQL CI
|
79839d2304
|
Merge pull request #5267 from erik-krogh/httpProxy
Approved by asgerf
|
2021-03-02 02:46:50 -08:00 |
|
Owen Mansel-Chan
|
6460ce3f83
|
Add @codeql-go as code owners for the shared data-flow library files
|
2021-03-02 10:39:47 +00:00 |
|
Anders Schack-Mulligen
|
b0fa8dfeae
|
Merge pull request #4214 from porcupineyhairs/springViewManipulation
[Java] Add QL for detecting Spring View Manipulation Vulnerabilities.
|
2021-03-02 11:31:42 +01:00 |
|
Mathias Vorreiter Pedersen
|
6ba35f4aac
|
C++: Fix function renaming and accept test change.
|
2021-03-02 11:31:24 +01:00 |
|