Alvaro Muñoz
b80d3d56a3
exclude Simple references from GitHub context
2024-12-09 21:47:09 +01:00
Alvaro Muñoz
f6d20195b1
When trigger event is not known, do not check context trigger maps
2024-12-09 17:33:13 +01:00
Alvaro Muñoz
f3ada4a92b
Update CompositeActionSources expected file
2024-12-09 17:32:26 +01:00
Alvaro Muñoz
3591db9e9c
Remove artifact source as a source of PR refs
2024-12-09 17:32:09 +01:00
Alvaro Muñoz
ef713ff13b
Extract GitHub context access expression into its own class
2024-12-09 17:30:10 +01:00
Alvaro Muñoz
1fa00f1065
Capture the event name rather than the whole event
2024-12-09 14:31:10 +01:00
Alvaro Muñoz
9a137db12b
Bump qlpack versions
2024-11-20 15:36:20 +01:00
Alvaro Muñoz
082b4c3ca2
Add poisonable step for pip install .
2024-11-20 15:35:49 +01:00
Alvaro Muñoz
afb7967a0c
Delete .actual test files
2024-11-19 11:31:59 +01:00
Alvaro Muñoz
3ce3cf43be
refactor common code to identify untrusted checkouts
2024-11-19 11:31:35 +01:00
Alvaro Muñoz
064c983b47
Merge branch 'master' of https://github.com/github/codeql-actions
2024-11-09 10:40:14 +01:00
Alvaro Muñoz
44fd14caaf
Bump qlpack versions
2024-11-09 10:40:04 +01:00
Kylie Stradley
0110988b1c
Merge pull request #105 from github/immutable-actions
Add CodeQL rule for Immutable actions, do not detect immutable actions in unpinned tag rule
2024-11-08 12:15:54 -05:00
Kylie Stradley
d6e38d5e83
Do not detect immutable actions in UnpinnedActionsTag
* these should be handled by the UseOfUnversionedImmutableAction.qll query instead
* factor out immutableAction detection for reuse in both queries
* octokit should no longer ping in UnpinnedActionsTag
2024-11-08 11:51:25 -05:00
Kylie Stradley
e8ee798ffa
add temporary immutable actions doc page
2024-11-07 15:29:28 -05:00
Brandon Stewart
6a1e814cde
Merge pull request #106 from github/advanced-config
Add rule to detect cases where CodeQL default setup could be used instead of advanced setup
2024-11-06 15:21:31 -05:00
Brandon Stewart
686e30a52a
add qlhelp
2024-11-06 20:20:26 +00:00
Kylie Stradley
0e94777b13
Merge branch 'master' into immutable-actions
2024-11-04 11:57:06 -05:00
Kylie Stradley
5bf02e73ea
Update ql/src/Security/CWE-829/UnpinnedActionsTag.ql
Co-authored-by: Alvaro Muñoz <pwntester@github.com>
2024-11-04 11:30:29 -05:00
Alvaro Muñoz
ae6856ab5a
models: add new control check model
2024-11-04 14:44:13 +01:00
Alvaro Muñoz
4f62573d17
Bump qlpack versions
2024-11-04 10:11:52 +01:00
Alvaro Muñoz
55476af179
Merge pull request #107 from github/query_if
query: split if expression is always true query
2024-11-04 10:11:14 +01:00
Alvaro Muñoz
db6f174b79
query: split if expression is always true query
critical - if the if statement contains a known control check
high - otherwise
2024-11-04 10:10:47 +01:00
Alvaro Muñoz
80f2b24eeb
Bump qlpack versions
2024-11-03 22:29:50 +01:00
Alvaro Muñoz
ea20e9b337
fix: Add versioned python binaries to poisonable steps
2024-11-03 22:29:20 +01:00
Brandon Stewart
0b7de6e86a
add rule to detect if default setup would be more appropriate
2024-10-31 15:28:55 +00:00
Alvaro Muñoz
230b2ff4d8
Bump qlpack versions
2024-10-31 14:17:44 +01:00
Alvaro Muñoz
c6048a6fa1
tests: Update tests
2024-10-31 14:16:56 +01:00
Alvaro Muñoz
45b7547016
chore: clean up partial.ql debug query
2024-10-31 13:38:38 +01:00
Alvaro Muñoz
0211902116
models: add models for zentered/issue-forms-parser
2024-10-31 13:38:17 +01:00
Alvaro Muñoz
d85ca10772
fix: account for tojson(expr) expressions
2024-10-31 13:36:59 +01:00
Alvaro Muñoz
ebd45ace50
feat: add source model for peter-murra/issue-forms-body-parser
2024-10-31 10:59:05 +01:00
Alvaro Muñoz
0157bf3297
fix: improve JS require/import poisonable step to account for cwd
2024-10-30 22:12:17 +01:00
Alvaro Muñoz
a2f162e482
Bump qlpack versions
2024-10-30 12:43:44 +01:00
Alvaro Muñoz
263582c796
feat: Add sanitizers for bash test commands
2024-10-30 12:43:19 +01:00
Alvaro Muñoz
f76d4d67d9
tests: update tests
2024-10-29 22:31:15 +01:00
Alvaro Muñoz
685c9e97cc
Bump qlpack versions
2024-10-29 21:17:55 +01:00
Alvaro Muñoz
fcc7efbc5c
Bump qlpack versions
2024-10-29 19:19:06 +01:00
Alvaro Muñoz
58f060234a
fix: count(text.splitAt()) does not account for all lines, use max(text.splitAt(,i)) instead
2024-10-29 19:17:24 +01:00
Alvaro Muñoz
871193095a
feat: Add trigger event to cache poisoning queries
2024-10-29 19:04:02 +01:00
Alvaro Muñoz
ee7e50c1cf
Bump qlpack versions
2024-10-29 13:42:02 +01:00
Alvaro Muñoz
24a3df0386
tests: new tests for Code Injection
2024-10-29 13:41:23 +01:00
Alvaro Muñoz
31a9346d2d
feat: show trigger event on query results
2024-10-29 11:59:59 +01:00
Alvaro Muñoz
0ad7f08c9f
fix: do not require github.event.workflow_run.id as an argument for gh run download
2024-10-28 16:15:47 +01:00
Alvaro Muñoz
aecb478e1c
Bump qlpack versions
2024-10-28 11:58:45 +01:00
Alvaro Muñoz
18137f58c2
fix: take trigger events into consideration
Code Injection remote flow sources should be triggerable by the
privileged event
2024-10-28 11:58:14 +01:00
Alvaro Muñoz
792e8555af
fix: remove context 2 events mappings
client_payload (dispatch), commits (push), head_commit (push) and
merge_group are not under external attacker control so remove them
2024-10-28 11:56:59 +01:00
Alvaro Muñoz
62d9302e8b
chore: remove leftover commented out code
2024-10-28 11:55:44 +01:00
Alvaro Muñoz
e34835f71a
fix: AstNode.getATriggerEvent()
getATriggerEvent did not work for nodes outside a Job.
If there is no enclosing job, get the trigger from the enclosing
workflow
2024-10-28 11:55:23 +01:00
Alvaro Muñoz
6136a98764
Add getEvent to RemoteFlowSource for events able to trigger the source
2024-10-28 11:54:04 +01:00