BazookaMusic
9c136264de
remove guardrails sanitizer for now
2026-05-13 13:37:44 +02:00
BazookaMusic
34da804aee
Move structurally typed prompt injection sinks to Models as Data
Move OpenAI, Anthropic, Google GenAI, and LangChain sinks that are
structurally typed (identified by API name alone) into MaD YAML files.
Role-filtered sinks that require inspecting a sibling 'role' property
remain in QL code since MaD cannot express conditional logic.
Use two distinct sink kinds:
- user-prompt-injection: picked up by UserPromptInjection.ql
- system-prompt-injection: picked up by SystemPromptInjection.ql
New files:
- javascript/ql/lib/ext/openai.model.yml
- javascript/ql/lib/ext/anthropic.model.yml
- javascript/ql/lib/ext/google-genai.model.yml
- javascript/ql/lib/ext/langchain.model.yml
2026-05-13 11:08:25 +02:00
Napalys Klicius
6cfc950159
JS: Model GraphQLObjectType resolve params as sources
2025-09-19 14:39:36 +02:00
Napalys Klicius
4f8166a661
Merge pull request #20450 from Napalys/js/graph-ql-ench
JS: Improve graphql flow
2025-09-17 16:32:01 +02:00
Napalys Klicius
7affcf40c2
JS: Add variableValues to the previous summaryModel to enhance the flow.
2025-09-17 12:24:14 +02:00
Napalys Klicius
4282005e32
JS: Add summary model for graphql's rootValue
2025-09-17 11:48:44 +02:00
Napalys Klicius
4df8db0d7e
Renamed AWS-V3-Common to @aws-sdk/client.Client
2025-09-17 10:21:29 +02:00
Napalys Klicius
10f3a83fcb
Fixed model type names
Co-authored-by: asgerf <asgerf@users.noreply.github.com>
2025-09-17 10:21:23 +02:00
Napalys Klicius
9ca4773227
Added modeling for CreatePreparedStatementCommand
2025-09-17 10:21:10 +02:00
Napalys Klicius
801a34f6a1
Moved typeModel at the start of the file
2025-09-17 10:20:24 +02:00
Napalys Klicius
9beac51586
Unified aws-db modeling into singular file
2025-09-17 10:20:10 +02:00
Napalys Klicius
5b31350e83
Added tests and modeling of database-access-result
2025-09-17 10:20:01 +02:00
Napalys Klicius
e5f02852e1
Added modeling of rds v2 and v3 for sql injections
2025-09-17 10:19:22 +02:00
Napalys Klicius
0e6bac73a7
Added modeling of athena v2 and v3 for sql injections
2025-09-17 10:18:58 +02:00
Napalys Klicius
ee1af432fe
Added modeling of client-s3 v2 and v3
2025-09-17 10:16:25 +02:00
Napalys Klicius
06ab918985
Added modeling for V2 of dynamoDB
2025-09-17 10:15:19 +02:00
Napalys Klicius
ae2e8b1292
Added modeling of dynamodb v3 for sql injections
2025-09-17 10:13:24 +02:00
Napalys Klicius
3a75500f54
JS: Add modeling for call-me-maybe
2025-09-15 17:15:31 +02:00
Napalys Klicius
d8c4d6deb4
Rename cors-misconfiguration to cors-origin.
2025-09-05 11:30:07 +02:00
Napalys Klicius
4dac80a998
Replace complex wrapper classes with MaD
2025-09-04 12:19:22 +00:00
Napalys Klicius
fd4233e30e
Moved apollo modeling to MaD
2025-07-31 10:58:38 +02:00
Asger F
980d0f46fa
JS: Add model for react 'use'
2025-06-23 15:27:21 +02:00
Napalys Klicius
40d176a770
Added model for shelljs.env
2025-05-01 11:09:47 +02:00
Napalys Klicius
73309fb9dd
Updated modeling of aws-sdk with MaD
2025-04-28 14:00:12 +02:00
Napalys
ce2fc25cdb
Added make-dir model as data
2025-04-09 14:42:29 +02:00
Napalys Klicius
f02783a9c6
Merge pull request #19210 from Napalys/js/mkdirp
JS: Modeling of `mkdirp` functions
2025-04-09 13:43:37 +02:00
Napalys
b8802a29f4
Added open package model as data.
2025-04-08 08:12:30 +02:00
Napalys
04a39eb735
Removed old mkdirp modeling and replaced it with MaD.
2025-04-03 10:45:16 +02:00
Napalys
3fa24d6026
Add sink model for mkdirp and update tests for path injection alerts.
2025-04-03 10:45:14 +02:00
Napalys
b16b407f89
Add rimraf model and update tests for path injection vulnerabilities
2025-04-02 12:49:48 +02:00
Napalys
d0e2aa8192
Added sources from hana db as MaD.
2025-03-28 14:55:17 +01:00
Napalys
f3af23e855
Refactored hana's DB client to use GuardedRouteHandler, improving precision.
2025-03-28 13:58:37 +01:00
Napalys Klicius
f7264d82d4
Merge branch 'main' into js/hana_db_client
2025-03-28 13:21:15 +01:00
Napalys
4cdc40d115
Added SQL injection detection for exec method embedded Express client from hdbext.
2025-03-25 18:39:54 +01:00
Napalys
7cc0634f57
Added createProcStatement as potential sql sink.
2025-03-25 14:50:38 +01:00
Napalys
0285cb6c7a
Added @sap/hdbext.loadProccedure as sql sink.
2025-03-25 14:48:40 +01:00
Napalys
e595def8b0
Modeled execute as potential hana's sink.
2025-03-25 14:44:37 +01:00
Napalys
d28af9508a
Added sink models for hana's client prepare function.
2025-03-25 14:42:27 +01:00
Napalys
9229962096
Add sink model for SQL injection detection in exec clients.
2025-03-25 14:36:13 +01:00
Napalys Klicius
0689cf7f5e
Update javascript/ql/lib/ext/axios.model.yml
Co-authored-by: Asger F <asgerf@github.com>
2025-03-25 10:56:01 +01:00
Napalys
1ee3fde214
Added support for axios.interceptors.response.
2025-03-25 10:55:34 +01:00
Napalys
10498bbaa4
Added support for axios.interceptors.request.
2025-03-25 10:54:56 +01:00
Napalys Klicius
7bd1c4d2ae
Merge pull request #19060 from Napalys/js/apollo-server
JS: model `ApolloServer`
2025-03-21 10:00:31 +01:00
Napalys
3a243d221d
Added aliases for @apollo/server.
2025-03-20 13:09:42 +01:00
Napalys
ca53e97de4
Addressed comments.
2025-03-20 12:37:06 +01:00
Napalys Klicius
221cc1977d
Merge branch 'main' into js/underscore-string
2025-03-20 12:26:00 +01:00
Napalys
f4ca2dc1f3
Restricted taint to array elements.
2025-03-20 12:24:49 +01:00
Napalys
752f02f04d
Fixed map modeling and added test cases.
2025-03-20 12:18:28 +01:00
Napalys
cb18408502
Added data as model for ApolloServer.
2025-03-19 13:36:06 +01:00
Asger F
53ba588993
JS: Use ArrayElement instead of AnyMember
The use of AnyMember was a workaround until the bugfix in this PR landed.
2025-03-18 09:26:02 +01:00