hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-06 15:49:08 +01:00
Code Issues Packages Projects Releases Wiki Activity
815 Commits 1,703 Branches 162 Tags
be8a49228f3de26952beece271a747bcbb62778c
Commit Graph

100 Commits

Author SHA1 Message Date
Dave Bartolomeo
be8a49228f Delete dbscheme 
Update after merge
 2024-11-13 13:42:57 -05:00
Dave Bartolomeo
14119c7d84 Merge remote-tracking branch 'origin/master' into dbartol/move-to-codeql 2024-11-13 13:28:00 -05:00
Dave Bartolomeo
1f3bab2b65 Move data extensions to use codeql org 2024-11-07 11:15:52 -05:00
Kylie Stradley
0e94777b13 Merge branch 'master' into immutable-actions 2024-11-04 11:57:06 -05:00
Alvaro Muñoz
ea20e9b337 fix: Add versioned python binaries to poisonable steps 2024-11-03 22:29:20 +01:00
Alvaro Muñoz
0211902116 models: add models for zentered/issue-forms-parser 2024-10-31 13:38:17 +01:00
Alvaro Muñoz
ebd45ace50 feat: add source model for peter-murra/issue-forms-body-parser 2024-10-31 10:59:05 +01:00
Alvaro Muñoz
792e8555af fix: remove context 2 events mappings 
client_paylaod (dispatch), commits (push), head_commit (push) and
merge_group are not under external attacker control so remove them
 2024-10-28 11:56:59 +01:00
Kylie Stradley
f8be8e768f Merge branch 'master' into immutable-actions 2024-10-24 15:25:31 -04:00
Alvaro Muñoz
b6a26e76d4 New azure models 2024-10-23 22:03:11 +02:00
Alvaro Muñoz
fef37b6025 Remove pull_request from context event map so that accesss to github.event.pull_request are not considered a source for pull_request triggers 2024-10-23 12:15:26 +02:00
Alvaro Muñoz
a057b9dd44 Add poisonable step for azure/powershell 2024-10-23 09:39:34 +02:00
Alvaro Muñoz
02c5f74f20 New gh CLI sources 2024-10-22 14:57:59 +02:00
Alvaro Muñoz
da10ee74d3 Add workflow_dispatch and scheduled to the list of privileged and external (user interaction) events 2024-10-22 11:18:42 +02:00
Alvaro Muñoz
229d42b515 Add sonar-scanner-action as a poisonable step 2024-10-21 11:05:06 +02:00
Kylie Stradley
cf9b853a8f unversioned immutable actions wip 2024-10-17 16:14:03 -04:00
Alvaro Muñoz
b49cd3b916 Better handling of EnvVar Injection and Argument Injection 2024-10-16 08:48:32 +02:00
Alvaro Muñoz
1e749ae6d5 Add new poisonable step 2024-10-11 12:20:39 +02:00
Alvaro Muñoz
d558ff80c3 New Command sources for git and GITHUB_EVENT_PATH 2024-10-11 12:20:03 +02:00
Alvaro Muñoz
8052696836 Add new Poisonable step for bun 2024-10-02 12:34:10 +02:00
Alvaro Muñoz
c58246363e Add new Argument Injection sinks 2024-10-02 12:34:01 +02:00
Alvaro Muñoz
4b74adec4b Account for branches filter as a way to prevent workflow_run to trigger on PRs from forks 2024-10-02 12:31:59 +02:00
Alvaro Muñoz
010ad359d7 Add new sources and summary steps 2024-09-27 10:28:44 +02:00
Alvaro Muñoz
16f1a53584 Add new sources for github.event.changes 2024-09-25 18:21:54 +02:00
Alvaro Muñoz
4f075f3f36 feat: Improve sanitizer checks 2024-09-19 13:38:08 +02:00
Alvaro Muñoz
b199fdc3e2 Add new models for file listing actions 2024-09-11 10:25:10 +02:00
Alvaro Muñoz
0990774302 feat(poisonable_steps): Add python -m pip install 2024-08-05 18:53:53 +02:00
Alvaro Muñoz
6cfec0d245 feat(queries): Improve Use Of Vulnerable Actions query 
Move all info to a MaD config file so its easier to mantain
Add other vulnerable actions
 2024-08-01 11:37:00 +02:00
Alvaro Muñoz
eaf034e8cb feat(config): Add pipx as poisonable step 2024-07-25 11:09:02 +02:00
Alvaro Muñoz
da28f7dc0a feat(config): add asv to poisonable steps list 2024-07-24 15:56:47 +02:00
Alvaro Muñoz
f623f73f16 feat(models): Add dotenv models 
Envvar-injection sinks
 2024-07-12 12:43:25 +02:00
Alvaro Muñoz
8289bf97b9 feat(models): Add support for artifact to step output 2024-07-12 11:10:01 +02:00
Alvaro Muñoz
29d2b287c9 tests: Organize tests 2024-07-12 10:14:39 +02:00
Alvaro Muñoz
89024ad604 fix(models): Reuse command delimiter regexps 2024-07-11 22:58:20 +02:00
Alvaro Muñoz
eb66114d8b feat(models): New ArgInj sink 2024-07-11 11:35:44 +02:00
Alvaro Muñoz
adbb236465 fix(query): Better identification of argument injection commands 2024-07-11 10:45:49 +02:00
Alvaro Muñoz
732f0dc29f feat(queries): Argument Injection 
Make argument injection sinks congigurable with MaD
 2024-07-11 10:04:43 +02:00
Alvaro Muñoz
73c77bc93b Initial implementation 
Pending work: complete the regular expression
 2024-07-11 10:04:43 +02:00
Alvaro Muñoz
f4dd771d1c feat(models): Add models for ssh-action 2024-07-10 11:49:18 +02:00
Alvaro Muñoz
8231261ccf New poisonable steps 2024-07-09 17:28:04 +02:00
Alvaro Muñoz
ee265c4879 fix(models): Slash-command-action 
Do not consider slash-command-action command-arguments as a remote flow source if it requires write or admin permissions
 2024-07-08 22:38:53 +02:00
Alvaro Muñoz
a2af3c654b Account for all npm and pnpm subcommands 
Exclude args such as `npm -v`
 2024-07-08 20:46:29 +02:00
Alvaro Muñoz
1657af60df Model get-workflow-origin action 2024-07-08 12:59:36 +02:00
Alvaro Muñoz
e5064f8090 Improve poisonable steps 2024-07-05 18:16:50 +02:00
Alvaro Muñoz
45d51a4d00 Add more poisonable steps 2024-07-02 23:29:53 +02:00
Alvaro Muñoz
a485528ebe Refactor bash script parsing to improve coverage of env var injection 2024-06-28 12:31:43 +02:00
Alvaro Muñoz
c57e4929cb New code injection sink 2024-06-27 17:32:21 +02:00
Alvaro Muñoz
31fe5952dc New poisonable steps 2024-06-27 17:32:03 +02:00
Alvaro Muñoz
04c4cedb41 New code injection sink 2024-06-27 17:26:04 +02:00
Alvaro Muñoz
682236e432 New poisonable steps 2024-06-27 17:25:55 +02:00