hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-27 22:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
564 Commits 1,673 Branches 157 Tags
473251371ba2bbffbfeed2add4e750397f6fde9e
Commit Graph

564 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Alvaro Muñoz
473251371b feat(queries): Improve Output Clobbering query 
Add support for clobbering of `set-output` workflow command
 2024-08-07 13:17:36 +02:00
Alvaro Muñoz
c442f1b96b Bump qlpack versions 2024-08-06 23:30:47 +02:00
Alvaro Muñoz
ff41cda8fc Merge pull request #71 from github/query/secret_handling 
feat(query): New queries for incorrect secrets handling
 2024-08-06 23:29:41 +02:00
Alvaro Muñoz
6842babd16 feat(query): New queries for incorrect secrets handling 
ExcessiveSecretsExposure: Reports when all secrets are passed to the
workflow runner since that violates the principle of least privelege.
UnmaskedSecretExposure: Reports when secrets are derived from a JSON
secret since they wont get masked by the workflow runner
 2024-08-06 23:08:52 +02:00
Alvaro Muñoz
9f79e51e89 Bump qlpack versions 2024-08-06 12:46:28 +02:00
Alvaro Muñoz
76210f53c8 Merge pull request #69 from github/improve_cache_poisoning 
Improve Cache Poisoning Query
 2024-08-06 12:45:51 +02:00
Alvaro Muñoz
d18179850d Split Cache Poisoning queries in 3 
Split them into 3 queries depending of how the cache can be poisoned:
- control of cached files
- execution of controlled code
- code injection

Remove `setup-XXX` actions from CacheWriting class since the cached
files are not in the CWD
 2024-08-06 12:04:34 +02:00
Alvaro Muñoz
fbc2e1e7e8 Remove caching actions that cache files outside of the CWD 2024-08-06 10:47:12 +02:00
Alvaro Muñoz
14f1672e74 Fix query message 2024-08-05 23:54:26 +02:00
Alvaro Muñoz
2273aadb4b Improve Cache Poisoning query 
The untrusted files path is compared with the path written to the cache
to check if the cache can really be poisoned
 2024-08-05 23:47:00 +02:00
Alvaro Muñoz
34b48d559b Add expected tests results 2024-08-05 23:45:51 +02:00
Alvaro Muñoz
c5314aeb6c Add new tests 2024-08-05 23:44:27 +02:00
Alvaro Muñoz
397eb2a762 Add getPath() to PRHeadCheckout and CacheWriting classes 
Add getPath() methods to get the path where a checkout step writes the
code and where a Cache write reads the files from.
 2024-08-05 23:44:20 +02:00
Alvaro Muñoz
0990774302 feat(poisonable_steps): Add python -m pip install 2024-08-05 18:53:53 +02:00
Alvaro Muñoz
ffe700c204 Merge pull request #68 from github/cat_env 
feat(bash): Add support for `cat hazelcast/.github/java-config.env >> $GITHUB_ENV`
 2024-08-02 15:49:19 +02:00
Alvaro Muñoz
8cf1a6afa7 feat(bash): Add support for cat hazelcast/.github/java-config.env >> $GITHUB_ENV 2024-08-02 15:48:57 +02:00
Alvaro Muñoz
90efdc7deb Bump qlpack versions 2024-08-02 12:47:16 +02:00
Alvaro Muñoz
4d7c985027 Merge pull request #67 from github/bash_script_parsing 
feat(bash): Improve bash command parsing
 2024-08-02 12:46:04 +02:00
Alvaro Muñoz
41fade5feb feat(bash): Improve bash command parsing 2024-08-02 12:44:43 +02:00
Alvaro Muñoz
c4d70e66e1 Bump qlpack versions 2024-08-01 17:49:13 +02:00
Alvaro Muñoz
822a326a4b Merge pull request #66 from github/tee_support 
feat(bash): Add support for tee as a way to write to GITHUB special files
 2024-08-01 17:47:55 +02:00
Alvaro Muñoz
f457537b34 feat(bash): Add support for tee as a way to write to GITHUB special files 2024-08-01 17:47:23 +02:00
Alvaro Muñoz
def170425a Bump qlpack versions 2024-08-01 11:43:48 +02:00
Alvaro Muñoz
e043cf3a54 Merge branch 'master' of https://github.com/github/codeql-actions 2024-08-01 11:38:55 +02:00
Alvaro Muñoz
c9b7340718 Bump qlpack versions 2024-08-01 11:38:46 +02:00
Alvaro Muñoz
5006b81565 Merge pull request #65 from github/query/vulnerable_versions 
feat(queries): Improve Use Of Vulnerable Actions query
 2024-08-01 11:37:24 +02:00
Alvaro Muñoz
6cfec0d245 feat(queries): Improve Use Of Vulnerable Actions query 
Move all info to a MaD config file so its easier to mantain
Add other vulnerable actions
 2024-08-01 11:37:00 +02:00
Alvaro Muñoz
a05dd49b74 Merge pull request #64 from github/query/path_traversal 
query/path traversal
 2024-07-31 23:14:48 +02:00
Alvaro Muñoz
5f1884aa32 feat(queries): Add new queries to report path traversal via artifact poisoning 2024-07-31 23:03:34 +02:00
Alvaro Muñoz
483f6229ff refactor: Create abstract class for known vulnerable actions 2024-07-31 23:02:52 +02:00
Alvaro Muñoz
4334524ac4 Merge pull request #63 from github/cwe_1395 
feat(queries): Add query to report vulnerable 3rd party actions
 2024-07-31 18:30:27 +02:00
Alvaro Muñoz
2b55d79c93 feat(queries): Add query to report vulnerable 3rd party actions 2024-07-31 18:29:17 +02:00
Alvaro Muñoz
a69fa5cb83 Merge pull request #62 from github/actions_download_artifact 
feat(queries): Add actions/download-artifact as a source of Artifact Poisoning
 2024-07-31 16:31:54 +02:00
Alvaro Muñoz
d548aef3e0 feat(queries): Add actions/download-artifact as a source of Artifact Poisoning 2024-07-31 16:31:15 +02:00
Alvaro Muñoz
80d2bbdc9b Merge pull request #61 from github/missing_permissions 
fix(queries): Fix Missing Permissions query
 2024-07-31 11:45:54 +02:00
Alvaro Muñoz
ab8dd599b7 fix(queries): Fix Missing Permissions query 
If a job is only triggered by `workflow_call`, we dont report any issues
since they should be reported on the calling workflows
 2024-07-31 11:45:30 +02:00
Alvaro Muñoz
8ffac2935e Bump qlpack versions 2024-07-30 18:22:20 +02:00
Alvaro Muñoz
65ad387543 fix: Add printf as an equivalent to echo 2024-07-30 18:18:22 +02:00
Alvaro Muñoz
bf10603b5f Bump qlpack versions 2024-07-30 10:28:15 +02:00
Alvaro Muñoz
f5261237a4 feat(suites): Add a bughalla-specific query suite 2024-07-30 10:27:28 +02:00
Alvaro Muñoz
da36924bb1 feat(queries): Add Output Clobbering query 2024-07-30 10:26:41 +02:00
Alvaro Muñoz
06ec94e731 Bump qlpack versions 2024-07-29 22:38:42 +02:00
Alvaro Muñoz
e3df12d77b Update Query suite 2024-07-29 22:37:47 +02:00
Alvaro Muñoz
eaf034e8cb feat(config): Add pipx as poisonable step 2024-07-25 11:09:02 +02:00
Alvaro Muñoz
28cc06e136 Bump qlpack versions 2024-07-24 18:28:09 +02:00
Alvaro Muñoz
ba6ab04dfc feat(suite): Remove severity:warning queries from CodeScanning suite 2024-07-24 18:27:39 +02:00
Alvaro Muñoz
bb78bb6f57 refactor(queries): update severity level for workflow permissions 2024-07-24 18:27:00 +02:00
Alvaro Muñoz
da28f7dc0a feat(config): add asv to poisonable steps list 2024-07-24 15:56:47 +02:00
Alvaro Muñoz
12e78ac4fe fix(regex): update pattern to match both gh and hub commands 2024-07-23 23:37:04 +02:00
Alvaro Muñoz
2dffb865d0 Bump qlpack versions 2024-07-22 12:45:34 +02:00