Am
0043d93fc1
Merge branch 'github:main' into am0o0-python-codeExec
2024-05-09 23:15:56 +02:00
Sarita Iyer
aab5da0435
Merge pull request #16320 from github/subatoi/deprecate-codeql-for-vs-code
...
[8th May 2024] Add deprecation notices to CodeQL for VS Code documentation
2024-05-08 17:00:42 -04:00
Joe Farebrother
ab23d0ad23
Merge branch 'main' into python-promote-header-injection
2024-05-08 13:49:00 +01:00
amammad
6b9cc1a278
update Twisted document link
2024-05-06 14:36:10 +02:00
amammad
c4a38d0a2f
add twisted SSH client as secondary server command injection sinks, add proper test cases
2024-05-06 14:36:10 +02:00
amammad
0a765cc94a
add jsonpickle and pexpect libs in case of unsafe decoding and secondary command execution, add proper test cases
2024-05-06 14:36:10 +02:00
amammad
7e93102097
finalize Secondary server command injection queries and tests.
2024-05-06 14:36:10 +02:00
amammad
ead247469d
add ssh client libraries, add SecondaryServerCmdInjectionCustomizations
2024-05-06 14:36:10 +02:00
amammad
4df73f9975
continue to convert paramiko query to a more general query,
...
the proxy command is not a secondary command execution
so we can add proxy command to SystemCommandExecution::Range, update QLDocs,
add a proper Paramiko test case
fix a typo
2024-05-06 14:36:10 +02:00
amammad
5fea71e5d6
convert paramiko query to SecondaryServerCmdInjection query, Add inline tests
2024-05-06 14:36:10 +02:00
Felicity Chapman
6eb07a7a7e
Apply suggestions from code review
...
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com >
2024-05-02 11:05:39 +01:00
github-actions[bot]
99928b82ed
Post-release preparation for codeql-cli-2.17.2
2024-04-30 12:15:35 +00:00
github-actions[bot]
5228d94d42
Release preparation for version 2.17.2
2024-04-30 10:25:51 +00:00
erik-krogh
baa31e1469
delete outdated deprecations
2024-04-25 22:19:28 +02:00
Ben Ahmady
8cba276b87
Deprecate the CodeQL for VS Code docs in favour of docs.github.com version
2024-04-25 07:59:33 +00:00
Joe Farebrother
1dce2eb325
Rename to response splitting
2024-04-24 14:05:40 +01:00
Joe Farebrother
f57ba3e642
Add change note
2024-04-24 14:05:40 +01:00
Joe Farebrother
9d56f3eb68
Fix qldoc formatting
2024-04-24 14:05:39 +01:00
Joe Farebrother
cf8db4e425
Update instances of experimental concept to the main one, and anotate missing experimental test results.
2024-04-24 14:05:39 +01:00
Joe Farebrother
daa31b5bb7
Add documentation
2024-04-24 14:05:38 +01:00
Joe Farebrother
8636a50190
Fix qldoc + remove deprecation from experimental concepts (as they are still used in another experimental query)
2024-04-24 14:05:38 +01:00
Joe Farebrother
a88ad62c00
Implemented sinks for bulk header updates, and added corresponding tests.
2024-04-24 14:05:38 +01:00
Joe Farebrother
68d90918cf
Add to header write concept a specification of whether the name or value arg allows newlines.
...
Ported sink defenitions from Flask and Werzeug from experimental to main.
Removed experimental sink definitions for Django, as neither name nor value are vulnerable.
2024-04-24 14:05:37 +01:00
Joe Farebrother
6021d9238c
Move headers injection query and concept from experimental to main
2024-04-24 14:05:37 +01:00
Taus
b484aee39e
Python: Autoformat everything
...
Of course, `StringLiteral` being much longer than `StrConst` meant a
bunch of files changed formatting.
2024-04-22 12:00:09 +00:00
Taus
1c68c987b0
Python: Change all remaining occurrences of StrConst
...
Done using
```
git grep StrConst | xargs sed -i 's/StrConst/StringLiteral/g'
```
2024-04-22 12:00:09 +00:00
github-actions[bot]
622e176a16
Post-release preparation for codeql-cli-2.17.1
2024-04-16 14:21:32 +00:00
github-actions[bot]
9bfe4ea90a
Release preparation for version 2.17.1
2024-04-15 17:34:47 +00:00
Anders Schack-Mulligen
a8fc100108
Python: Add alert provenance plumbing.
2024-04-12 09:20:08 +02:00
Sylwia Budzynska
112992585a
Add change note
2024-04-05 14:56:06 +02:00
github-actions[bot]
8e61c6625b
Post-release preparation for codeql-cli-2.17.0
2024-04-01 15:27:42 +00:00
github-actions[bot]
ec97d9a304
Release preparation for version 2.17.0
2024-04-01 13:46:57 +00:00
Henry Mercer
0646744928
Merge branch 'main' into henrymercer/merge-back-rc-3.13
2024-03-26 12:59:12 +00:00
github-actions[bot]
f67b5f9158
Post-release preparation for codeql-cli-2.16.6
2024-03-25 18:17:15 +00:00
github-actions[bot]
71ab804274
Release preparation for version 2.16.6
2024-03-25 16:58:08 +00:00
Arthur Baars
c219b1a3c7
Merge pull request #16013 from github/rc/3.13
...
Merge rc/3.13 into main
2024-03-21 16:04:58 +01:00
Henry Mercer
4e3a6e2140
Merge pull request #15874 from github/henrymercer/mark-loc-as-telemetry
...
Show lines of code data in debug mode only
2024-03-21 12:20:09 +00:00
Henry Mercer
a76832f4e0
Mark LOC queries as debug instead
2024-03-20 21:18:55 +00:00
Dave Bartolomeo
311ba8ea1b
Merge from main to resolve conflicts
2024-03-19 10:41:31 -04:00
yoff
f025430431
Merge pull request #15319 from Sim4n6/main
...
[Python] Add Unicode DoS (qhelp, tests and the query)
2024-03-19 10:00:30 +01:00
yoff
44ab36f238
Merge pull request #15729 from yoff/python/hardcoded-credentials-without-pointsto
...
python: Rewrite `HardcodedCredentials` away from `PointsTo`
2024-03-18 20:48:30 +01:00
github-actions[bot]
aebe9f6992
Post-release preparation for codeql-cli-2.16.5
2024-03-18 12:16:26 +00:00
github-actions[bot]
0a6243d07b
Release preparation for version 2.16.5
2024-03-18 10:14:07 +00:00
Sim4n6
26a16b7857
use of a single var "op" of type Cmpop
2024-03-15 14:17:23 +01:00
Sim4n6
a717bf1b9d
Fix p tag in UnicodeDoS.qhelp
2024-03-15 14:17:23 +01:00
Sim4n6
af19a0342e
Fix UnicodeDoS vulnerability in CWE-770 code
2024-03-15 14:17:23 +01:00
Sim4n6
085d803b14
Fix UnicodeDoS vulnerability in CWE-770
2024-03-15 14:17:23 +01:00
Sim4n6
31dc542111
Update request parameter name in good_1() function
2024-03-15 14:17:23 +01:00
Sim4n6
70ebc58b4c
Refactor Unicode normalization code
2024-03-15 14:17:23 +01:00
Sim4n6${{7*'7'}}
658b88e62f
Update python/ql/src/experimental/Security/CWE-770/UnicodeDoS.ql
...
update the Config API
Co-authored-by: yoff <lerchedahl@gmail.com >
2024-03-15 14:17:23 +01:00
