Napalys Klicius
b19d1e0f57
Merge pull request #20151 from Napalys/js/command-line-libs
...
JS: Enhance command injection detection for CLI argument parsing libraries
2025-08-18 09:32:29 +02:00
Napalys Klicius
b2346183d6
Merge pull request #20148 from Napalys/js/reg-exp-env-variable-threat-model
...
JS: Exclude environment variables from `js/regex-injection` query by default
2025-08-18 09:32:15 +02:00
Tom Hvitved
874f951727
Merge pull request #20172 from hvitved/shared/concepts-final-aliases
...
Shared: Use `final` aliases in `ConceptsShared.qll`
2025-08-11 10:14:55 +02:00
Tom Hvitved
eb3c054b0f
JS: Generate legacy flow steps for all flow summaries
2025-08-06 09:38:49 +02:00
Tom Hvitved
11dcd90435
Shared: Use final aliases in ConceptsShared.qll
2025-08-05 14:53:52 +02:00
github-actions[bot]
fb4b0aac53
Post-release preparation for codeql-cli-2.22.3
2025-08-04 17:18:08 +00:00
github-actions[bot]
fd82aeb1f8
Release preparation for version 2.22.3
2025-08-04 15:47:57 +00:00
Napalys Klicius
881ea7631e
Added change note
2025-08-01 14:34:25 +02:00
Napalys Klicius
ae4077db72
add taint flow for arg/command-line-args with custom argv option
2025-08-01 13:34:08 +02:00
Napalys Klicius
d6508f34b6
Add taint flow for Commander.js direct property access and action callbacks
2025-08-01 13:24:19 +02:00
Napalys Klicius
39170f327c
Added a couple more test cases for commander js
2025-08-01 13:14:39 +02:00
Napalys Klicius
6b4e34dd39
Added a step from parse to opts for commander js
2025-08-01 13:12:43 +02:00
Napalys Klicius
e980798ede
Added step through yargs/yargs constructor and chained methods.
2025-08-01 12:01:30 +02:00
Napalys Klicius
e8eb9be3f6
Add command injection tests for CLI argument parsing libraries
2025-08-01 11:02:59 +02:00
Napalys Klicius
3f9061abdb
Added change note
2025-07-31 13:20:38 +02:00
Napalys Klicius
d28a6e6352
Added new test cases for regexp injection with environmental variable threat model enabled
2025-07-31 13:20:37 +02:00
Napalys Klicius
8583257574
Created new folder for test with threat models disabled
2025-07-31 13:20:30 +02:00
Napalys Klicius
5f538209c9
Exclude environmental variables from default detection in regexp injection
2025-07-31 12:09:30 +02:00
Anders Schack-Mulligen
3b8234ecec
SSA: Update data flow integration and BarrierGuard interface to use GuardValue.
2025-07-28 11:29:12 +02:00
Geoffrey White
4f6b698ca3
Merge branch 'main' into moresensitive2
2025-07-23 08:50:25 +01:00
github-actions[bot]
37cc78255a
Post-release preparation for codeql-cli-2.22.2
2025-07-22 14:22:20 +00:00
github-actions[bot]
997547b8ef
Release preparation for version 2.22.2
2025-07-22 14:04:14 +00:00
Nick Rolfe
825c813095
Revert "Release preparation for version 2.22.2"
2025-07-22 14:33:45 +01:00
github-actions[bot]
c8632b70b7
Release preparation for version 2.22.2
2025-07-21 16:45:45 +00:00
Nick Rolfe
ad9b637bec
Revert "Merge pull request #19994 from github/post-release-prep/codeql-cli-2.22.2"
...
This reverts commit e5b4a15e35, reversing
changes made to 33e63109bb.
2025-07-21 15:18:59 +01:00
Michael Nebel
2f29459cda
Merge pull request #19931 from michaelnebel/ql4ql/qualitytagcheck
...
Ql4ql: Quality query tagging.
2025-07-17 14:53:14 +02:00
Jeroen Ketema
acc66c7b58
Merge pull request #19984 from jketema/jketema/sec-shared
...
Make a proper shared library out of the concept related libraries
2025-07-17 13:25:33 +02:00
Jeroen Ketema
1990438376
JS: Fix import
...
The import should not have been private, because we want users to still be
able to import this file and have access to the crypto algorithms.
2025-07-16 14:41:50 +02:00
Jeroen Ketema
cbde11ddc9
Properly share ConceptsShared.qll
2025-07-14 16:30:45 +02:00
Geoffrey White
30c6082b5d
Sync identical files.
2025-07-14 11:45:34 +01:00
Jeroen Ketema
f07d8ee493
Remove duplicate copies of CryptoAlgorithms and CryptoAlgorithmNames
2025-07-14 11:39:06 +02:00
Jeroen Ketema
f4ba2e1fd0
Properly share CryptoAlgorithms and CryptoAlgorithmNames
2025-07-14 11:39:00 +02:00
Jeroen Ketema
c582a9ccd6
Remove duplicate copies of SensitiveDataHeuristics
2025-07-14 11:38:52 +02:00
Jeroen Ketema
8b828cecf1
Use shared SensitiveDataHeuristics
2025-07-14 11:38:47 +02:00
Taus
30f705822d
JavaScript: Add test where outDir resolves to an unwanted path
2025-07-11 14:58:03 +00:00
Taus
2f822cb0cd
JavaScript: Add change note
2025-07-11 13:32:35 +00:00
Taus
43accc50cd
JavaScript: Ignore outDirs that would exclude everything
...
In #19680 we added support for automatically ignoring files in the
`outDir` directory as specified in the TSconfig compiler options (as
these files were likely duplicates of `.ts` files we were already
scanning).
However, in some cases people put `outDir: "."` or even `outDir: ".."`
in their configuration, which had the side effect of excluding _all_
files, leading to a failed extraction.
With the changes in this PR, we now ignore any `outDir`s that are not
properly contained within the source root of the code being scanned.
This should prevent the files from being extracted, while still allowing
us to not double-scan files in, say, a `.github` directory, as seen in
some Actions workflows.
2025-07-11 13:28:59 +00:00
Geoffrey White
8f6f9f4359
Add change notes.
2025-07-11 11:54:59 +01:00
Geoffrey White
123458fd21
Sync identical files.
2025-07-10 18:10:24 +01:00
github-actions[bot]
24a0ac1223
Post-release preparation for codeql-cli-2.22.2
2025-07-07 18:15:04 +00:00
github-actions[bot]
f12daefabe
Release preparation for version 2.22.2
2025-07-07 14:00:26 +00:00
Michael Nebel
aefd941135
Java/Javascript: Fix violations.
2025-07-03 11:56:33 +02:00
Asger F
98319ce2ad
Apply suggestions from code review
...
Co-authored-by: Taus <tausbn@github.com>
2025-07-03 08:44:33 +02:00
Asger F
d85838477e
JS: Update Nest model
...
An external contribution added more uses of the now-deprecated getType()
predicate while this PR was open.
2025-07-02 14:11:31 +02:00
Asger F
47a90c8b32
Merge branch 'main' into js/no-type-extraction
2025-07-02 13:18:05 +02:00
Asger F
4b2025d2c4
JS: Remove obsolete unit tests
2025-07-02 09:54:18 +02:00
Asger F
2aad14771c
JS: Remove TypeScriptMode
2025-07-02 08:39:17 +02:00
Michael Nebel
233b54c7fa
Merge pull request #19891 from michaelnebel/michaelnebel/freezemoresuites
...
Go/Ruby/Python: Freeze quality queries in `security-and-quality`.
2025-07-01 09:04:19 +02:00
Asger F
7c38c48fd7
Merge pull request #19769 from trailofbits/VF/Nest-improvements
...
Improve NestJS sources and dependency injection
2025-06-30 10:42:18 +02:00
Asger F
3247babfa5
Merge pull request #19762 from trailofbits/VF/type-orm-model-improvements
...
Improve TypeORM model
2025-06-30 10:40:38 +02:00