hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-01 00:27:24 +01:00
Code Issues Packages Projects Releases Wiki Activity
58,143 Commits 1,673 Branches 157 Tags
bc6a0fc776fca2ab76db877adab967b9a4e05d81
Commit Graph

944 Commits

Author SHA1 Message Date
erik-krogh
5ffce86768 change the defaults in the qhelp for missing-rate-limit to something more reasonable 2023-08-10 13:40:17 +02:00
Max Schaefer
5124310f14 Update javascript/ql/src/Security/CWE-730/ServerCrash.qhelp 
Co-authored-by: Asger F <asgerf@github.com>
 2023-08-01 17:03:05 +01:00
Max Schaefer
9432fec612 JavaScript: Improve qhelp for js/server-crash. 
The examples now use `fs.access` instead of the deprecated `fs.exists`. I have also rewritten the async/await example, since as of Node.js v15 the default behaviour for uncaught exceptions has changed to terminating the process instead of logging a warning, making the previous advice incorrect.
 2023-07-17 14:44:23 +01:00
Max Schaefer
ae237247f2 Apply suggestions from code review 
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
 2023-07-13 12:10:57 +01:00
Max Schaefer
63c45a0da3 Add another example of when and how to use shell-quote. 2023-07-10 14:02:17 +01:00
Max Schaefer
1d3e3440f2 Add example of manual sanitisation. 2023-07-06 12:54:30 +01:00
Max Schaefer
240e0799b0 Fix spurious character in code example. 2023-07-06 12:54:03 +01:00
Max Schaefer
83a854c3ff Update javascript/ql/src/Security/CWE-078/IndirectCommandInjection.qhelp 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-07-06 12:47:06 +01:00
Max Schaefer
6fb41adc61 Apply suggestions from code review 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-07-06 12:02:44 +01:00
Max Schaefer
f89992eb16 Address more review feedback. 2023-07-05 12:02:11 +01:00
Max Schaefer
921d8de8dc Apply suggestions from code review 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-07-05 11:19:30 +01:00
Max Schaefer
5fb6b5810f Clarify that splitting arguments on space is not safe. 2023-07-04 15:58:37 +01:00
Max Schaefer
74af0b1f05 Improve command-injection example and provide a fixed version. 2023-07-04 15:58:37 +01:00
Adrien Pessu
e332a4348d Update javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-06-21 12:55:33 +01:00
Adrien Pessu
4d1bbe36a9 Merge branch 'main' into main 2023-06-21 09:11:57 +01:00
Adrien Pessu
7dfb404fd7 clean examples 2023-06-21 08:11:39 +00:00
Adrien Pessu
e85987bfc5 remove useless phrase 2023-06-21 07:59:24 +00:00
Adrien Pessu
2a2f6de78c fixed text not in a tag 2023-06-20 17:27:37 +00:00
Adrien Pessu
36cb60c746 Add fixed proposition for NodeJS 2023-06-20 17:22:56 +00:00
Tiago Pascoal
150854603b Single quote was preventing the shell from expanding the BODY variable 
While this prevents the attack highlighted in the query help it also prevents it from working.

Double quotes will allow the expansion of the variable while still preventing the attack
 2023-06-20 11:38:27 +01:00
Adrien Pessu
eb28266bcb improv example the help file 2023-06-19 17:00:52 +00:00
Tony Torralba
8f6d2ed2f9 Adjust ZipSlip query description according to review suggestions. 2023-06-19 10:27:41 +02:00
Tony Torralba
3c4d938cf1 Apply code review suggestions. 
Co-authored-by: Asger F <asgerf@github.com>
 2023-06-19 10:20:19 +02:00
Tony Torralba
3e96fe60c5 Go/Java/JS/Python/Ruby: Update the description and qhelp of the ZipSlip query 
All filesystem operations, not just writes, with paths built from untrusted archive entry names are dangerous
 2023-06-16 08:52:44 +02:00
erik-krogh
3cb2ec4e87 fix nits from doc review 2023-06-05 19:06:07 +02:00
erik-krogh
9aeba4f31e changes based on review 2023-06-01 17:24:44 +02:00
erik-krogh
1e08105863 less duplicated headers in the sql-injection samples 2023-05-31 18:04:34 +02:00
erik-krogh
98820780af show how to use mysql.escape in the sql-injection qhelp 2023-05-31 18:04:34 +02:00
erik-krogh
7d801e05ee add an example of using dollar eq 2023-05-31 18:04:23 +02:00
erik-krogh
e24b45b423 elaborate on both SQL and NoSQL injection in the js/sql-injection qhelp 2023-05-31 09:57:38 +02:00
erik-krogh
b343dcaadd put string/object in the alert-message for sql-injection 2023-05-31 08:06:04 +02:00
erik-krogh
2ebce99eae add another example of how to fix the prototype pollution issue 2023-05-15 17:24:02 +02:00
erik-krogh
7a338c408e fix typo, the variable in the example is called items 2023-05-15 17:23:40 +02:00
Asger F
20e8ee8423 Merge pull request #12748 from JarLob/yi 
JS: Add more sources, more unit tests, fixes to the GitHub Actions injection query
 2023-05-15 11:03:00 +02:00
Max Schaefer
5dfe52afd0 Merge pull request #13152 from github/max-schaefer/unsafe-shell-command-construction-examples-sync 
JavaScript: Use synchronous APIs in examples for js/shell-command-constructed-from-input.
 2023-05-12 16:50:25 +01:00
Max Schaefer
2e7eb50319 JavaScript: Use synchronous APIs in examples for js/shell-command-constructed-from-input. 2023-05-12 14:42:11 +01:00
Max Schaefer
a4f6ccf2fc JavaScript: Use gender-neutral language in qhelp for js/user-controlled-bypass 2023-05-12 14:21:40 +01:00
Jaroslav Lobačevski
5aa71352dc Update javascript/ql/src/Security/CWE-094/ExpressionInjection.qhelp 
Co-authored-by: Asger F <asgerf@github.com>
 2023-05-09 12:23:52 +02:00
Kasper Svendsen
67950c8e6b JS: Make implicit this receivers explicit 2023-05-03 15:31:00 +02:00
jarlob
6e9f54ef55 Use double curly braces 2023-04-21 19:03:38 +02:00
smiddy007
e4ec1ae261 Update InsufficientPasswordHash.qhelp 
change file name to original
 2023-04-17 13:18:47 -04:00
smiddy007
88d2f65c5f Rename InsufficientPasswordHash_NodeJS_fixed.js to InsufficientPasswordHash_fixed.js 2023-04-17 13:17:13 -04:00
smiddy007
cbe45f7e55 Rename InsufficientPasswordHash_NodeJS.js to InsufficientPasswordHash.js 2023-04-17 13:16:57 -04:00
smiddy007
36d7370998 Delete InsufficientPasswordHash_CryptoJS_fixed 
file not used in qhelp
 2023-04-17 13:16:25 -04:00
smiddy007
e65daaae49 Delete InsufficientPasswordHash_CryptoJS.js 
not used in qhelp file
 2023-04-17 13:15:10 -04:00
jarlob
e9dee3a185 Move actions/github-script out of Actions.qll 2023-04-14 14:26:23 +02:00
jarlob
3724ea1a7b Extract where parts into predicates 2023-04-14 10:49:56 +02:00
jarlob
ac1c20673d Encapsulate github-script 2023-04-14 10:23:49 +02:00
jarlob
d80c541da6 Encapsulate composite actions 2023-04-14 10:06:35 +02:00
jarlob
94065764d5 Make predicate name clearer 2023-04-14 01:05:21 +02:00