Commit Graph

246 Commits

Author SHA1 Message Date
Alvaro Muñoz
d558ff80c3 New Command sources for git and GITHUB_EVENT_PATH 2024-10-11 12:20:03 +02:00
Alvaro Muñoz
d4a24dfdd1 Refactor FlowSteps 2024-10-11 12:19:22 +02:00
Alvaro Muñoz
6a99845ecf Remove old code to handle redirections to GITHUB_ENV
Redirections to GITHUB_ENV are better handled now by the Bash module
----
2024-10-10 22:22:56 +02:00
Alvaro Muñoz
860eda9c04 Improve control checks to better account for toctou issues 2024-10-04 18:04:13 +02:00
Alvaro Muñoz
350b354fb3 remove leftover comments 2024-10-03 14:17:45 +02:00
Alvaro Muñoz
7d2cbc1f50 Improve Bash script parser 2024-10-03 14:13:27 +02:00
Alvaro Muñoz
a5075e5216 Change queries to use the new bash parser 2024-10-02 12:33:42 +02:00
Alvaro Muñoz
2727bf5e2f Add improved Bash script parser 2024-10-02 12:33:05 +02:00
Alvaro Muñoz
4b74adec4b Account for branches filter as a way to prevent workflow_run from triggering on PRs from forks 2024-10-02 12:31:59 +02:00
Alvaro Muñoz
e0a2eb93d6 fix: Repository checks do not protect workflow_run triggered jobs 2024-09-30 15:27:15 +02:00
Alvaro Muñoz
f2c5a14883 Fix: ControlChecks protects/dominates only work with Steps. A sink can be in a sub-step node (eg: ScalarValue) 2024-09-28 23:57:32 +02:00
Alvaro Muñoz
4fffde2fc5 Add remote flow sources as a mutable ref source for untrusted checkouts 2024-09-27 21:38:38 +02:00
Alvaro Muñoz
9d26a8da26 Improve path checks for Artifact and Cache poisoning queries 2024-09-27 18:22:35 +02:00
Alvaro Muñoz
86c1d9c30f Improve artifact poisoning query
Better check of download path
Add downloading to /tmp as a sanitizer
2024-09-27 12:35:10 +02:00
Alvaro Muñoz
b1ddbc9d13 Improve Control Checks 2024-09-25 15:25:56 +02:00
Alvaro Muñoz
356c200158 Composite Action steps' getEnclosingJob should return the calling job 2024-09-24 23:03:55 +02:00
Alvaro Muñoz
4fc9e3f0f1 Add Composite action's outputs as a return node 2024-09-24 21:43:10 +02:00
Alvaro Muñoz
7c2386bbee Simplify callable/call matches 2024-09-24 21:42:52 +02:00
Alvaro Muñoz
ef549ef795 Add Outputs nodes as CFG/DFG nodes 2024-09-24 21:41:03 +02:00
Alvaro Muñoz
ffbddb1073 Simplify Callable/call match 2024-09-24 21:40:15 +02:00
Alvaro Muñoz
090d22fa7a Add GetRepoRoot helper function 2024-09-24 21:38:42 +02:00
Alvaro Muñoz
abd49d5b11 Improve privilege workflow detection 2024-09-24 12:12:29 +02:00
Alvaro Muñoz
fe06c9e5fa d /Users/pwntester/src/github.com/github/codeql-actions/ql 2024-09-24 12:12:09 +02:00
Alvaro Muñoz
2bfb156508 d /Users/pwntester/src/github.com/github/codeql-actions/ql 2024-09-23 23:08:58 +02:00
Alvaro Muñoz
53f82d3d6c Control Checks in Run/Uses steps also protect Jobs that depend on them 2024-09-23 12:29:35 +02:00
Alvaro Muñoz
df59e6f5d2 Consider a Reusable Workflow privileged if a caller is 2024-09-23 10:18:29 +02:00
Alvaro Muñoz
d44e7aee0a Cross remote Reusable Workflow analysis 2024-09-22 22:05:39 +02:00
Alvaro Muñoz
116d83da5f Improve reusable workflow calls 2024-09-20 15:40:41 +02:00
Alvaro Muñoz
c20e407c16 Modify UnpinnedActionsTag report node 2024-09-20 11:52:44 +02:00
Alvaro Muñoz
db328f0b16 Improve Association check 2024-09-19 18:24:08 +02:00
Alvaro Muñoz
4f075f3f36 feat: Improve sanitizer checks 2024-09-19 13:38:08 +02:00
Alvaro Muñoz
69818c5bb5 Remove bindingset from DataFlow's compatibleTypes 2024-09-12 09:58:21 +02:00
Alvaro Muñoz
ef41db3ce5 Extract simple reference expression from ORed disjuncts 2024-09-10 13:58:24 +02:00
Alvaro Muñoz
147da50cb9 Use Taint Tracking to track PR refs to checkout's ref argument 2024-09-10 09:52:09 +02:00
Alvaro Muñoz
bd0c762781 Refactor: Do not use PRHeadCheckoutStep on any dependency of TaintTracking
Problem is that there are StoreSteps that depend on PRHeadCheckout so
there is a non-monotonic recursion error since PRHeadCheckout depends on
TaintTracking module, but this module depends on PRHeadCheckout
2024-09-10 09:51:32 +02:00
Alvaro Muñoz
42b487b348 Match callers and callees when root is not the repo root
When running codeql test run, the root of the database is not the root
of the original repo (the directory containing .github and .git)
therefore calls to reusable workflows are not correctly matched.
2024-09-10 09:49:43 +02:00
Alvaro Muñoz
4f57aade35 Improve accuracy of actions/download-artifact as a source
If upload is on the same workflow, it needs to be triggered by a priv
workflow
2024-09-06 10:49:27 +02:00
Alvaro Muñoz
1750ebac18 fix(controlcheck): Improve checks for actors 2024-08-07 17:09:50 +02:00
Alvaro Muñoz
473251371b feat(queries): Improve Output Clobbering query
Add support for clobbering of `set-output` workflow command
2024-08-07 13:17:36 +02:00
Alvaro Muñoz
6842babd16 feat(query): New queries for incorrect secrets handling
ExcessiveSecretsExposure: Reports when all secrets are passed to the
workflow runner since that violates the principle of least privilege.
UnmaskedSecretExposure: Reports when secrets are derived from a JSON
secret since they won't get masked by the workflow runner
2024-08-06 23:08:52 +02:00
Alvaro Muñoz
fbc2e1e7e8 Remove caching actions that cache files outside of the CWD 2024-08-06 10:47:12 +02:00
Alvaro Muñoz
397eb2a762 Add getPath() to PRHeadCheckout and CacheWriting classes
Add getPath() methods to get the path where a checkout step writes the
code and where a Cache write reads the files from.
2024-08-05 23:44:20 +02:00
Alvaro Muñoz
8cf1a6afa7 feat(bash): Add support for cat hazelcast/.github/java-config.env >> $GITHUB_ENV 2024-08-02 15:48:57 +02:00
Alvaro Muñoz
41fade5feb feat(bash): Improve bash command parsing 2024-08-02 12:44:43 +02:00
Alvaro Muñoz
f457537b34 feat(bash): Add support for tee as a way to write to GITHUB special files 2024-08-01 17:47:23 +02:00
Alvaro Muñoz
6cfec0d245 feat(queries): Improve Use Of Vulnerable Actions query
Move all info to a MaD config file so it's easier to maintain
Add other vulnerable actions
2024-08-01 11:37:00 +02:00
Alvaro Muñoz
d548aef3e0 feat(queries): Add actions/download-artifact as a source of Artifact Poisoning 2024-07-31 16:31:15 +02:00
Alvaro Muñoz
65ad387543 fix: Add printf as an equivalent to echo 2024-07-30 18:18:22 +02:00
Alvaro Muñoz
da36924bb1 feat(queries): Add Output Clobbering query 2024-07-30 10:26:41 +02:00
Alvaro Muñoz
12e78ac4fe fix(regex): update pattern to match both gh and hub commands 2024-07-23 23:37:04 +02:00