codeql

mirror of https://github.com/github/codeql.git synced 2026-03-06 07:36:47 +01:00

Author	SHA1	Message	Date
Dave Bartolomeo	99a49fb27f	Move packs to `codeql` org	2024-11-07 10:43:05 -05:00
Brandon Stewart	6a1e814cde	Merge pull request #106 from github/advanced-config Add rule to detect cases where CodeQL default setup could be used instead of advanced setup	2024-11-06 15:21:31 -05:00
Alvaro Muñoz	ae6856ab5a	models: add new control check model	2024-11-04 14:44:13 +01:00
Alvaro Muñoz	4f62573d17	Bump qlpack versions	2024-11-04 10:11:52 +01:00
Alvaro Muñoz	80f2b24eeb	Bump qlpack versions	2024-11-03 22:29:50 +01:00
Alvaro Muñoz	ea20e9b337	fix: Add versioned python binaries to poisonable steps	2024-11-03 22:29:20 +01:00
Brandon Stewart	0b7de6e86a	add rule to detect if default setup would be more appropriate	2024-10-31 15:28:55 +00:00
Alvaro Muñoz	230b2ff4d8	Bump qlpack versions	2024-10-31 14:17:44 +01:00
Alvaro Muñoz	0211902116	models: add models for zentered/issue-forms-parser	2024-10-31 13:38:17 +01:00
Alvaro Muñoz	d85ca10772	fix: account for tojson(expr) expressions	2024-10-31 13:36:59 +01:00
Alvaro Muñoz	ebd45ace50	feat: add source model for peter-murra/issue-forms-body-parser	2024-10-31 10:59:05 +01:00
Alvaro Muñoz	0157bf3297	fix: improve JS require/import poisonable step to account for cwd	2024-10-30 22:12:17 +01:00
Alvaro Muñoz	a2f162e482	Bump qlpack versions	2024-10-30 12:43:44 +01:00
Alvaro Muñoz	263582c796	feat: Add sanitizers for bash test commands	2024-10-30 12:43:19 +01:00
Alvaro Muñoz	685c9e97cc	Bump qlpack versions	2024-10-29 21:17:55 +01:00
Alvaro Muñoz	fcc7efbc5c	Bump qlpack versions	2024-10-29 19:19:06 +01:00
Alvaro Muñoz	58f060234a	fix: count(text.splitAt()) does not account for all lines, use max(text.splitAt(,i)) instead	2024-10-29 19:17:24 +01:00
Alvaro Muñoz	ee7e50c1cf	Bump qlpack versions	2024-10-29 13:42:02 +01:00
Alvaro Muñoz	0ad7f08c9f	fix: do not require github.event.workflow_run.id as an argument for gh run download	2024-10-28 16:15:47 +01:00
Alvaro Muñoz	aecb478e1c	Bump qlpack versions	2024-10-28 11:58:45 +01:00
Alvaro Muñoz	792e8555af	fix: remove context 2 events mappings client_paylaod (dispatch), commits (push), head_commit (push) and merge_group are not under external attacker control so remove them	2024-10-28 11:56:59 +01:00
Alvaro Muñoz	62d9302e8b	chore: remove leftover commented out code	2024-10-28 11:55:44 +01:00
Alvaro Muñoz	e34835f71a	fix: AstNode.getATriggerEvent() getATriggerEvent did not work for nodes outside a Job. If there is no enclosing job, get the trigger from the enclosing workflow	2024-10-28 11:55:23 +01:00
Alvaro Muñoz	6136a98764	Add getEvent to RemoteFlowSource for events able to trigger the source	2024-10-28 11:54:04 +01:00
Alvaro Muñoz	fe9c908880	Bump qlpack versions	2024-10-25 14:18:20 +02:00
Alvaro Muñoz	922ae57aba	Fix LabelIf ControlCheck so that it recognizes checks not at the beginning of the expression	2024-10-25 10:26:47 +02:00
Alvaro Muñoz	d8f79818d6	Improve extraction of Output/Env assignments	2024-10-25 10:25:47 +02:00
Alvaro Muñoz	6802cd2398	Improve checkout trigger events checks	2024-10-25 10:25:18 +02:00
Alvaro Muñoz	dbcf113546	Bump qlpack versions	2024-10-23 22:04:01 +02:00
Alvaro Muñoz	b6a26e76d4	New azure models	2024-10-23 22:03:11 +02:00
Alvaro Muñoz	ae6309daf6	Account for tar -C option to specify path	2024-10-23 22:02:58 +02:00
Alvaro Muñoz	674afc5edd	Improve labelgate accuracy	2024-10-23 15:48:42 +02:00
Alvaro Muñoz	9a0795cc75	Bump qlpack versions	2024-10-23 12:16:32 +02:00
Alvaro Muñoz	315ffdff8d	Improve env var injection sanitizers	2024-10-23 12:15:54 +02:00
Alvaro Muñoz	fef37b6025	Remove pull_request from context event map so that accesss to github.event.pull_request are not considered a source for pull_request triggers	2024-10-23 12:15:26 +02:00
Alvaro Muñoz	c9bb42a46c	Enforce a checkout kind of trigger to consider gh pr/gh api ... pulls as a source of untrusted data	2024-10-23 12:14:20 +02:00
Alvaro Muñoz	6298f2520e	Bump qlpack versions	2024-10-23 10:37:33 +02:00
Alvaro Muñoz	d1d92ae68a	Create getATriggerEvent for Steps and refactor the code to use it	2024-10-23 10:13:20 +02:00
Alvaro Muñoz	b2a3aaacfd	Bump qlpack versions	2024-10-23 09:40:25 +02:00
Alvaro Muñoz	a057b9dd44	Add poisonable step for azure/powershell	2024-10-23 09:39:34 +02:00
Alvaro Muñoz	0738a66380	Add trigger event checks for all checkout models	2024-10-23 09:37:01 +02:00
Alvaro Muñoz	0cacb6feaf	Bump qlpack versions	2024-10-22 22:42:51 +02:00
Alvaro Muñoz	42d4bb577c	Better identification of checkout of untrusted code depending on the triggering events	2024-10-22 22:42:11 +02:00
Alvaro Muñoz	02c5f74f20	New gh CLI sources	2024-10-22 14:57:59 +02:00
Alvaro Muñoz	54338f4f35	Bump qlpack versions	2024-10-22 11:19:48 +02:00
Alvaro Muñoz	da10ee74d3	Add workflow_dispatch and scheduled to the list of privileged and external (user interaction) events	2024-10-22 11:18:42 +02:00
Alvaro Muñoz	6dbbfa9672	Bump qlpack versions	2024-10-21 12:12:37 +02:00
Alvaro Muñoz	229d42b515	Add sonar-scanner-action as a poisonable step	2024-10-21 11:05:06 +02:00
Alvaro Muñoz	fc5a6703b3	Add github.event.sender.login as an Actor source	2024-10-19 17:01:47 +02:00
Alvaro Muñoz	e03ba55812	Account for checkout path on Untrusted Checkout Critical	2024-10-19 17:01:29 +02:00

1 2 3 4 5 ...

464 Commits