JS: Move cors-misconfiguration query from experimental to Security #20146
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
QHelp previews: |
There was a problem hiding this comment.
Pull Request Overview
This PR moves the CORS misconfiguration query from experimental to the main Security suite, making it part of the default security analysis.
- Relocates the CORS permissive configuration query and supporting files from
experimental/Security/CWE-942/toSecurity/CWE-942/ - Updates library imports to use the standard location and removes deprecated functionality
- Adds Apollo Server modeling through external model files instead of custom QL code
Reviewed Changes
Copilot reviewed 16 out of 20 changed files in this pull request and generated no comments.
Show a summary per file
| File | Description |
|---|---|
javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.ql |
Updates query imports and improves naming from "overly CORS configuration" to "Permissive CORS configuration" |
javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.qhelp |
Adds comprehensive help documentation with improved formatting and clearer explanations |
javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationQuery.qll |
Removes deprecated Configuration class and flow label classes |
javascript/ql/lib/semmle/javascript/security/CorsPermissiveConfigurationCustomizations.qll |
Updates imports to use standard Cors framework and replaces custom Apollo modeling with model-based approach |
javascript/ql/lib/ext/apollo-server.model.yml |
Adds Apollo Server type models and sink models to replace custom QL implementations |
javascript/ql/test/query-tests/Security/CWE-942/CorsPermissiveConfiguration.qlref |
Creates new test reference pointing to the moved query location |
| Multiple test expectation files | Updates expected query suite contents to include the new security query |
Comments suppressed due to low confidence (1)
javascript/ql/src/Security/CWE-942/CorsPermissiveConfiguration.ql:2
- The query name should be 'CORS misconfiguration' to match the title mentioned in the change notes and maintain consistency with existing naming conventions.
* @name Permissive CORS configuration
|
The query is a near duplicate of the existing |
227071b to
1c33a0a
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Moved cors-misconfiguration query outside experimental and merged it into existing
js/cors-misconfiguration-for-credentialsDCA: https://github.com/github/codeql-dca-main/blob/data/Napalys/PR-20146-0-javascript/reports/alert-comparison.md looks good to me, we got 2 new alerts due to
*being used.