hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-13 13:41:08 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,886 Commits 1,690 Branches 160 Tags
7cd820ea868545d2dd8df5dfb2d4c07f39698cfc
Commit Graph

1119 Commits

Author SHA1 Message Date
Napalys Klicius
fa47174013 CWE-020: Lower security-severity for OverlyLargeRange queries to 4.0 2025-10-22 11:32:33 +00:00
Napalys Klicius
7b6720ce2c JS: Align DOM XSS query severity with other XSS queries 2025-10-22 11:30:34 +00:00
Owen Mansel-Chan
0bcdb91639 Improve qhelp for broken crypto algo queries 
Previously it focussed too much on the risk of data being decrypted,
and didn't explain why using weak algorithms is a problem in other
contexts.
 2025-10-08 14:10:54 +01:00
Ian Lynagh
d0091e1b3c javascript: Fix spelling error in documentation 
Corrects the spelling of "occurrences" in the Incomplete Multi-Character
Sanitization documentation to improve clarity.
 2025-09-15 14:53:22 +01:00
Napalys Klicius
d3d608fa33 Updated query description and added a sanitizer 2025-09-04 13:16:37 +00:00
Napalys Klicius
791a7e242e Updated qhelp for cors permissive configuration 2025-07-31 11:31:10 +02:00
Napalys Klicius
358617f533 Move CORS misconfiguration query from experimental to Security 2025-07-30 10:22:59 +00:00
Asger F
76b7228160 JS: Remove js/actions/command-injection 
Superseded by actions/command-injection/{medium,critical}
 2025-06-23 14:41:26 +02:00
Asger F
9dcb61e771 JS: Remove js/actions/actions-artifact-leak 
Superseded by actions/secrets-in-artifacts
 2025-06-23 14:39:28 +02:00
Michael Nebel
03ecd24469 Lower the precision of a range of harcoded password queries to remove them from query suites. 2025-05-19 09:26:45 +02:00
Napalys Klicius
d1e769ba54 Merge pull request #19422 from Napalys/js/shelljs 
JS: Modeling of `ShellJS` functions
 2025-05-02 14:18:44 +02:00
Napalys Klicius
d4b5ef6a66 Refactor process.env handling in CleartextLogging and IndirectCommandInjection modules to use ThreatModelSource 2025-05-01 11:14:15 +02:00
Owen Mansel-Chan
cf614a596d Fix cwe tags to include leading zero 2025-04-30 16:43:03 +01:00
Napalys
e16a20e69f Updated SocketClass to use API Graphs. 2025-04-04 08:47:27 +02:00
Asger F
78b25388ca JS: Protect against bad join in BadRandomness 
This code resulted in bad join orders in response to certain library
changes. The actual library changes have to be split into smaller pieces
but I'd like to ensure I don't run into the bad join again.
 2025-04-02 10:14:07 +02:00
Anders Schack-Mulligen
db1ed67e52 JS: Simplify config in PrototypePollutingFunction.ql. 2025-02-04 10:47:01 +01:00
Asger F
f8694a34e5 Merge pull request #18397 from aegilops/angular-sources-sinks 
JavaScript CodeQL library updates: new Angular sink(s)
 2025-01-29 09:09:23 +01:00
erik-krogh
37a1727043 fix example in clear-text-logging qhelp to actually be bad 2025-01-27 11:31:28 +01:00
aegilops
d248551e88 Updated expected test result files using HEAD version of codeql 2025-01-24 15:46:09 +00:00
aegilops
522f3d1337 Merge 2025-01-23 17:00:56 +00:00
erik-krogh
2f1bd75ee9 remove redundant cast 2025-01-21 09:51:14 +01:00
erik-krogh
17afab7d0f support that two indexOf() calls use the same string-concatenation in getAnEquivalentIndexOfCall() 2025-01-21 09:43:57 +01:00
erik-krogh
d5529e3a7e ensure an indexOf call is equivalent with itself. (getAUse() is used later to find matching indexOf calls) 2025-01-21 09:42:30 +01:00
Asger F
8fe622f572 JS: Update PrototypePollutingFunction.ql 2025-01-20 11:20:29 +01:00
Asger F
fd763a0883 JS: Auto-patch diff informed queries 2025-01-20 11:20:27 +01:00
Asger F
0cdda87161 JS: Restrict AP length in prototype-polluting function 2025-01-06 14:33:41 +01:00
Asger F
3acd4814de Merge branch 'main' into js/shared-dataflow-merge-main 2024-12-19 10:14:38 +01:00
Asger F
73af3f3536 JS: Migrate PrototypePollutingFunction 2024-12-16 15:35:40 +01:00
Asger F
4e25036cdc JS: Follow naming convention in InsecureModuleFlow module 2024-12-13 11:09:59 +01:00
Asger F
04a3a6707f JS: Update a reference to AdditionalSanitizerGuardNode 
Unlike most other references to this class, we're not subclassing it here, we're
just trying to reuse some standard barrier guards but with a different flow state.
 2024-12-03 14:30:22 +01:00
Napalys
9d4e737bc2 JS: follow proper code standards for get predicates 
Co-authored-by: asgerf <asgerf@github.com>
 2024-11-29 11:32:10 +01:00
Napalys
3171f38cdd JS: fixed bad alert messages when it came to incomplete sanitization for new RegExp objects 2024-11-29 11:14:45 +01:00
Napalys
98fd97799c JS: imcomplete sanization now handles properly maybe global 2024-11-28 11:26:50 +01:00
Napalys
1ae174849f JS: incomplete sanitization now also works with RegExp objects 2024-11-28 11:26:48 +01:00
Napalys Klicius
d6372aebc7 Update javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2024-11-25 12:12:12 +01:00
Napalys
e38b63ebcd JS: previously js/case-sensitive-middleware-path was not taking into consideration unknown flags 2024-11-25 11:56:06 +01:00
Asger F
d52bc971b8 Merge branch 'main' into js/shared-dataflow-merge-main 2024-11-20 14:05:03 +01:00
Napalys Klicius
c8c15a0899 Merge pull request #17910 from Napalys/napalys/matchAll-support 
JS: Support for matchAll
 2024-11-14 15:36:20 +01:00
Mikaël Barbero
881fe0ba57 fix: add "actions" tag to ActionsArtifactLeak 
Similar to javascript/ql/src/Security/CWE-094/ExpressionInjection.ql
 2024-11-05 15:58:46 +01:00
Napalys Klicius
5e8b1b061f Update javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2024-11-05 10:29:22 +01:00
Napalys
ccee34d6d3 Added support for matchAll in CWE-020 including new test cases 2024-11-05 08:51:24 +01:00
Asger F
1cd00a118c Merge branch 'main' into js/shared-dataflow-merge-main 2024-09-18 14:57:50 +02:00
Alvaro Muñoz
5d1da861a2 fix: Use YamlScalar for booleans 2024-09-06 23:21:41 +02:00
Alvaro Muñoz
5df3af2272 Fix alert message 2024-09-06 23:06:57 +02:00
Alvaro Muñoz
d9e8792d33 [javascript] Query to detect GITHUB_TOKEN leaked in artifacts 2024-09-06 22:55:58 +02:00
Asger F
c54f5858b1 Merge branch 'main' into js/shared-dataflow-merge-main 2024-08-22 13:22:05 +02:00
Kristen Newbury
e84dda4fa6 Update JS helmet model structure 2024-08-15 16:08:48 -04:00
Asger F
df64388d79 Merge branch 'main' into js/shared-dataflow-merge-main 2024-08-02 13:18:38 +02:00
aegilops
79980a98a2 Added links to eventual location of CUSTOMIZING.md 2024-07-12 14:21:50 +01:00
Paul Hodgkinson
11249e7182 Apply suggestions from code review - docs tweaks of CUSTOMIZING.md 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2024-07-12 14:20:03 +01:00