hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-06 19:20:25 +01:00
Code Issues Packages Projects Releases Wiki Activity
724 Commits 1,675 Branches 157 Tags
6bf3eb79a9aa809bc38ead6ccf3687aaab4bdae3
Commit Graph

208 Commits

Author SHA1 Message Date
Alvaro Muñoz
b072cfa1f7 Add pwsh as the default shell for windows runners 2024-10-17 10:40:33 +02:00
Alvaro Muñoz
c5c3cd1726 Clean imports 2024-10-16 11:47:35 +02:00
Alvaro Muñoz
b49cd3b916 Better handling of EnvVar Injection and Argument Injection 2024-10-16 08:48:32 +02:00
Alvaro Muñoz
e2e1dddb36 Move arg injection sinks to ShellScript class 2024-10-15 09:48:01 +02:00
Alvaro Muñoz
2e5379f289 Update expected tests 2024-10-14 15:10:31 +02:00
Alvaro Muñoz
ff17d1dcb1 Add CmdI test 2024-10-14 12:50:11 +02:00
Alvaro Muñoz
be87eccbe7 Refactor Script support 2024-10-14 12:04:20 +02:00
Alvaro Muñoz
99e92af034 Update tests 2024-10-11 12:20:57 +02:00
Alvaro Muñoz
860eda9c04 Improve control checks to better account for toctou issues 2024-10-04 18:04:13 +02:00
Alvaro Muñoz
7d2cbc1f50 Improve Bash script parser 2024-10-03 14:13:27 +02:00
Alvaro Muñoz
531f3d40c0 Add tests for new bash parser 2024-10-02 12:35:09 +02:00
Alvaro Muñoz
6b98a5b5b1 Update tests 2024-10-02 12:34:27 +02:00
Alvaro Muñoz
853fdf0d35 Merge pull request #97 from github/rasmuswl/avoid-duplicate-code-injection-alerts 
Suppress `actions/cache-poisoning/code-injection` alerts covered by `actions/code-injection/critical`
 2024-10-01 11:47:41 +02:00
Rasmus Wriedt Larsen
726392c8b7 Suppress actions/cache-poisoning/code-injection alerts covered by actions/code-injection/critical 2024-10-01 09:48:16 +02:00
Alvaro Muñoz
e0a2eb93d6 fix: Repository checks do not protect workflow_run triggered jobs 2024-09-30 15:27:15 +02:00
Alvaro Muñoz
f2c5a14883 Fix: ControlChecks protects/dominates only work with Steps. A sink can be in a sub-step node (eg: ScalarValue) 2024-09-28 23:57:32 +02:00
Alvaro Muñoz
4fffde2fc5 Add remote flow sources as a mutable ref source for untrusted checkouts 2024-09-27 21:38:38 +02:00
Alvaro Muñoz
9d26a8da26 Improve path checks for Artifact and Cache poisoning queries 2024-09-27 18:22:35 +02:00
Alvaro Muñoz
86c1d9c30f Improve artifact poisoning query 
Better check of download path
Add downloading to /tmp as a sanitizer
 2024-09-27 12:35:10 +02:00
Alvaro Muñoz
16f1a53584 Add new sources for github.event.changes 2024-09-25 18:21:54 +02:00
Alvaro Muñoz
b1ddbc9d13 Improve Control Checks 2024-09-25 15:25:56 +02:00
Alvaro Muñoz
153fb492f7 Update tests 2024-09-24 23:14:37 +02:00
Alvaro Muñoz
f095622a9b Update expected test results 2024-09-24 21:50:59 +02:00
Alvaro Muñoz
e8a667fdc6 Add new tests 2024-09-24 21:43:31 +02:00
Alvaro Muñoz
fe06c9e5fa d /Users/pwntester/src/github.com/github/codeql-actions/ql 2024-09-24 12:12:09 +02:00
Alvaro Muñoz
53f82d3d6c Control Checks in Run/Uses steps also protect Jobs that depend on them 2024-09-23 12:29:35 +02:00
Alvaro Muñoz
df59e6f5d2 Consider a Reusable Workflow privileged if a caller is 2024-09-23 10:18:29 +02:00
Alvaro Muñoz
d44e7aee0a Cross remote Reusable Workflow analysis 2024-09-22 22:05:39 +02:00
Alvaro Muñoz
c20e407c16 Modify UnpinnedActionsTag report node 2024-09-20 11:52:44 +02:00
Alvaro Muñoz
4f075f3f36 feat: Improve sanitizer checks 2024-09-19 13:38:08 +02:00
Alvaro Muñoz
5fe81ddb08 Update tests 2024-09-11 18:07:25 +02:00
Alvaro Muñoz
15bb4d851d Add new test for flow through matrix 2024-09-11 10:25:31 +02:00
Alvaro Muñoz
25a210734b Update tests 2024-09-10 13:58:36 +02:00
Alvaro Muñoz
a9a297ab78 Update tests 2024-09-10 09:52:21 +02:00
Alvaro Muñoz
2720aaf097 Add new test for secrets in artifact query 2024-09-06 23:36:29 +02:00
Alvaro Muñoz
72e0851e91 Update metadata for Secrets in Artifact query 2024-09-06 22:53:16 +02:00
Alvaro Muñoz
0e3097d604 Merge pull request #79 from github/secrets-in-artifacts 
feat: New query to report GITHUB_TOKEN exposed in artifacts
 2024-09-06 17:32:49 +02:00
Alvaro Muñoz
6eef51e415 fix: add path checks 2024-09-06 17:22:44 +02:00
Alvaro Muñoz
fefeae4469 feat: New query to report GITHUB_TOKEN exposed in artifacts 2024-09-06 17:00:15 +02:00
Rasmus Wriedt Larsen
2f68e6f26e Add missing test file 2024-09-06 14:53:46 +02:00
Rasmus Wriedt Larsen
4820626f29 Add SyntaxError query 
This can be used by autofix, but might also be nice to help find YAML syntax errors 🤷
 2024-09-06 14:04:46 +02:00
Alvaro Muñoz
4f57aade35 Improve accuracy of actions/download-artifact as a source 
If upload is on the same workflow, it needs to be triggered by a priv
workflow
 2024-09-06 10:49:27 +02:00
Alvaro Muñoz
569e80b678 Fix ImproperAccess query 2024-08-09 17:17:18 +02:00
Alvaro Muñoz
f4f18f38cc Move Argument injection queries to its own CWE 2024-08-09 17:04:32 +02:00
Alvaro Muñoz
1750ebac18 fix(controlcheck): Improve checks for actors 2024-08-07 17:09:50 +02:00
Alvaro Muñoz
e4559e19d8 Move Output Clobbering to CWE-074 2024-08-07 13:46:27 +02:00
Alvaro Muñoz
473251371b feat(queries): Improve Output Clobbering query 
Add support for clobbering of `set-output` workflow command
 2024-08-07 13:17:36 +02:00
Alvaro Muñoz
6842babd16 feat(query): New queries for incorrect secrets handling 
ExcessiveSecretsExposure: Reports when all secrets are passed to the
workflow runner since that violates the principle of least privelege.
UnmaskedSecretExposure: Reports when secrets are derived from a JSON
secret since they wont get masked by the workflow runner
 2024-08-06 23:08:52 +02:00
Alvaro Muñoz
d18179850d Split Cache Poisoning queries in 3 
Split them into 3 queries depending of how the cache can be poisoned:
- control of cached files
- execution of controlled code
- code injection

Remove `setup-XXX` actions from CacheWriting class since the cached
files are not in the CWD
 2024-08-06 12:04:34 +02:00
Alvaro Muñoz
14f1672e74 Fix query message 2024-08-05 23:54:26 +02:00