hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,275 Commits 1,672 Branches 157 Tags
tausbn/python-refine-location-of-flask-request-sources
Commit Graph

1012 Commits

Author SHA1 Message Date
github-actions[bot]
99928b82ed Post-release preparation for codeql-cli-2.17.2 2024-04-30 12:15:35 +00:00
github-actions[bot]
5228d94d42 Release preparation for version 2.17.2 2024-04-30 10:25:51 +00:00
Erik Krogh Kristensen
7e839792da Merge pull request #16330 from erik-krogh/del-deps-apr-2024 
All: delete outdated deprecations
 2024-04-30 10:43:39 +02:00
Harry Maclean
8b23f6db10 Ruby: Add URI.open example to rb/kernel-open qhelp 2024-04-27 09:53:54 +01:00
erik-krogh
baa31e1469 delete outdated deprecations 2024-04-25 22:19:28 +02:00
github-actions[bot]
622e176a16 Post-release preparation for codeql-cli-2.17.1 2024-04-16 14:21:32 +00:00
github-actions[bot]
9bfe4ea90a Release preparation for version 2.17.1 2024-04-15 17:34:47 +00:00
Joe Farebrother
5cebcadc56 Merge pull request #15987 from joefarebrother/ruby-mass-reassignment 
Ruby: Add query for insecure mass assignment
 2024-04-12 10:18:41 +01:00
Anders Schack-Mulligen
6991f5452f Ruby: Add alert provenance plumbing. 2024-04-12 09:20:04 +02:00
Erik Krogh Kristensen
c00e2075a4 Merge pull request #16111 from erik-krogh/rb-url 
RB: Improve QHelp for `rb/url-redirect`, and fix an FP.
 2024-04-11 13:03:35 +02:00
erik-krogh
4ae25c2d34 don't mention arrays in the qhelp for rb/shell-command-constructed-from-input, because there are no array 2024-04-10 14:26:00 +02:00
erik-krogh
59c72b683c update the url-redirect QHelp 2024-04-08 12:00:27 +02:00
Erik Krogh Kristensen
0cfac605bd Merge pull request #16100 from erik-krogh/fix-js-rb-typo 
RB: fix language specifier typo in qhelp for rb/multi-char-san
 2024-04-04 15:42:45 +02:00
erik-krogh
ec32bdce63 fix unsanitized -> sanitized typo, and don't add a new variable just to remove newlines 2024-04-03 09:19:18 +02:00
erik-krogh
572d3ba542 fix language specifier typo in qhelp for rb/multi-char-san 2024-04-02 19:40:46 +02:00
Harry Maclean
409f46ef7b Merge pull request #14308 from hmac/hmac-rb-csrf-not-enabled 
Ruby: Add a query for CSRF protection not enabled
 2024-04-02 11:30:36 +01:00
github-actions[bot]
8e61c6625b Post-release preparation for codeql-cli-2.17.0 2024-04-01 15:27:42 +00:00
github-actions[bot]
ec97d9a304 Release preparation for version 2.17.0 2024-04-01 13:46:57 +00:00
Henry Mercer
0646744928 Merge branch 'main' into henrymercer/merge-back-rc-3.13 2024-03-26 12:59:12 +00:00
github-actions[bot]
f67b5f9158 Post-release preparation for codeql-cli-2.16.6 2024-03-25 18:17:15 +00:00
github-actions[bot]
71ab804274 Release preparation for version 2.16.6 2024-03-25 16:58:08 +00:00
Joe Farebrother
fb19288981 Address review comments - Fix docs typo and add a reference 2024-03-25 15:46:45 +00:00
Joe Farebrother
a6ee19ca2d Fix query id 2024-03-22 14:36:47 +00:00
Joe Farebrother
01f712476b Add change note and update severity 2024-03-22 14:07:11 +00:00
Joe Farebrother
a8aac318d0 Add qhelp 2024-03-22 14:04:52 +00:00
Joe Farebrother
0f45a53adc Add mass assignment query 2024-03-22 14:04:52 +00:00
Arthur Baars
c219b1a3c7 Merge pull request #16013 from github/rc/3.13 
Merge rc/3.13 into main
 2024-03-21 16:04:58 +01:00
Henry Mercer
4e3a6e2140 Merge pull request #15874 from github/henrymercer/mark-loc-as-telemetry 
Show lines of code data in debug mode only
 2024-03-21 12:20:09 +00:00
Henry Mercer
a76832f4e0 Mark LOC queries as debug instead 2024-03-20 21:18:55 +00:00
github-actions[bot]
aebe9f6992 Post-release preparation for codeql-cli-2.16.5 2024-03-18 12:16:26 +00:00
github-actions[bot]
0a6243d07b Release preparation for version 2.16.5 2024-03-18 10:14:07 +00:00
Harry Maclean
806f42ef72 Ruby: Update change note 2024-03-13 09:54:17 +00:00
Henry Mercer
c325ff8a23 Mark lines of code queries as telemetry queries 
The new file coverage metrics are available in all supported GHES
versions. This PR tags lines of code queries as telemetry queries. Lines
of code information will still be available in the SARIF file, but it
will no longer be displayed in the logging output of the CLI.

The one exception is the metric queries for Java/Kotlin that provides
separate lines of code information for Java and Kotlin. I've kept these
since separate file coverage information for languages like Java and
Kotlin is only available for GHES 3.12 and later.
 2024-03-11 16:40:31 +00:00
github-actions[bot]
dc9092c9ec Post-release preparation for codeql-cli-2.16.4 2024-03-06 22:19:33 +00:00
github-actions[bot]
2f058ffb4d Release preparation for version 2.16.4 2024-03-06 20:56:51 +00:00
Angela P Wen
ce31f8641a Revert "Release preparation for version 2.16.4" 2024-03-06 12:07:33 -08:00
github-actions[bot]
661e68dab5 Release preparation for version 2.16.4 2024-03-05 18:13:58 +00:00
Angela P Wen
967963a653 Revert "Release preparation for version 2.16.4" 2024-03-05 08:53:33 -08:00
github-actions[bot]
a67218a027 Release preparation for version 2.16.4 2024-03-04 17:42:08 +00:00
Peter Stöckli
3418ec8a81 Ruby: Update method code injection sinks change note 
Co-authored-by: Harry Maclean <hmac@github.com>
 2024-03-01 15:54:58 +01:00
Peter Stöckli
e43c368222 Ruby: change note for methode code injection sinks 2024-03-01 15:20:32 +01:00
Harry Maclean
b86643fab2 Ruby: doc fixes 2024-02-26 12:57:21 +00:00
Harry Maclean
8a670fe9a2 Ruby: formatting 2024-02-26 12:26:04 +00:00
amammad
32f5667bb6 revert YAML.qll and yaml sinks to previous PR, make a separate experimental query only for yaml 2024-02-26 12:12:03 +00:00
Harry Maclean
081c1201ed Ruby: Make csrf query more specific 
CSRF protection only needs to be explicitly enabled on Rails
applications < 5.2 _or_ those that don't include a `load_defaults` call
with a version >= 5.2.
 2024-02-23 11:13:17 +00:00
Harry Maclean
32b775fdc3 Ruby: reduce duplicate alerts for csrf query 
Only generate an alert on the top-most vulnerable Rails controller in
the controller tree.
 2024-02-23 11:13:17 +00:00
Harry Maclean
0597b2ed1b Ruby: recognise csrf_meta_tag 
csrf_meta_tag is an alias for csrf_meta_tags, retained for backwards
compatibility.
 2024-02-23 11:13:16 +00:00
Harry Maclean
3c69ab10f2 Ruby: Restrict rb/csrf-protection-not-enabled 
This query only applies to codebases using Ruby on Rails < 5.2, or where
there is no call to `csrf_meta_tags` in the base ERb template.
 2024-02-23 11:13:15 +00:00
Harry Maclean
581072721c Ruby: Add change note 2024-02-23 11:13:15 +00:00
Harry Maclean
6d6f8ba512 Ruby: Make CSRF query more sensitive 
Generate an alert for every controller class that doesn't have or
inherity a `protect_from_forgery` setting.
 2024-02-23 11:13:15 +00:00