JS: Model as Data open package #19256

Merged
merged 3 commits into from
Apr 9, 2025

@Napalys Napalys commented Apr 8, 2025

Added model as data for open package.

@Napalys Napalys marked this pull request as ready for review April 9, 2025 06:10
@Copilot Copilot AI review requested due to automatic review settings April 9, 2025 06:10
@Napalys Napalys requested a review from a team as a code owner April 9, 2025 06:10

@Copilot Copilot AI left a comment

Pull Request Overview

This PR adds model-as-data support for the "open" package to address potential path injection issues by extending CodeQL's JavaScript sink model. Key changes include:

  • Adding a new test file for the "open" package demonstrating its use.
  • Introducing a new model file (open.model.yml) to provide sink definitions.
  • Including a change note for documentation of the update.

Reviewed Changes

Copilot reviewed 3 out of 4 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/open.js | Adds test cases triggering alerts for the "open" and "openApp" functions. |
| javascript/ql/lib/ext/open.model.yml | Introduces sink model data for the "open" package to detect path injection. |
| javascript/ql/lib/change-notes/2025-04-07-open-package.md | Documents the minor analysis update for supporting the "open" package. |

Files not reviewed (1)
  • javascript/ql/test/query-tests/Security/CWE-022/TaintedPath/TaintedPath.expected: Language not supported

@Napalys Napalys merged commit 0751d73 into github:main Apr 9, 2025
14 checks passed

2 participants