hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-17 08:24:46 +01:00
Code Issues Packages Projects Releases Wiki Activity
67,409 Commits 1,679 Branches 158 Tags
dd8b65130e5d1d49b983d7fdfd6138f5f84ca615
Commit Graph

973 Commits

Author SHA1 Message Date
erik-krogh
56dff8540f add an example of how to get a floating point value between 0 and 1 2024-05-16 11:15:07 +02:00
erik-krogh
066f3b61a2 RandomSource is deprecated, it's crypto now 2024-05-16 11:14:50 +02:00
erik-krogh
39a8b49222 add qhelp recommendation that you can use an obvious placeholder value 2024-05-03 19:37:31 +02:00
erik-krogh
ff85db36e2 exclude credentials as kind key from hardcoded-credentials when the key looks like a dummy password 2024-05-03 13:58:11 +02:00
erik-krogh
baa31e1469 delete outdated deprecations 2024-04-25 22:19:28 +02:00
Felicity Chapman
4cb2f53223 Remove unwanted period from query name 
Our style guide states that names should not end in a period. I'm updating this now to allow us to automate a process for GitHub docs, see: https://github.com/github/codeql/blob/main/docs/query-metadata-style-guide.md#query-name-name
 2023-11-30 14:31:17 +00:00
Max Schaefer
dfffa1e237 Apply suggestions from code review 
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
 2023-11-21 10:07:11 +00:00
Max Schaefer
d147faba4e Update qhelp for js/path-injection. 2023-11-20 11:58:00 +00:00
Remco Vermeulen
52540b42fc Merge branch 'main' into rvermeulen/javascript-adjust-security-severity 2023-11-14 11:21:38 -08:00
Remco Vermeulen
6bd7047e41 Restore XssThroughDom.ql's severity 2023-11-14 11:20:51 -08:00
Max Schaefer
104700f6d3 Address review comment. 2023-10-27 10:19:28 +01:00
Max Schaefer
741735cc83 Port changes to JavaScript. 2023-10-26 14:47:24 +01:00
erik-krogh
ccd06c78b9 delete an .expected file outside the test directories 2023-10-10 21:35:19 +02:00
Remco Vermeulen
76e56cdac7 Adjust query severities 2023-10-09 12:52:09 -07:00
Erik Krogh Kristensen
7e7852eff6 Merge pull request #13641 from erik-krogh/multi-char 
JS/RB: write qhelp for `incomplete-multi-character-sanitization`
 2023-09-14 14:48:30 +02:00
Max Schaefer
e722e3288f Merge pull request #13771 from github/max-schaefer/server-side-url-redirect-help 
JavaScript: Improve query help for `js/server-side-unvalidated-url-redirection`.
 2023-09-13 13:20:48 +01:00
Max Schaefer
a9e81672f0 Make suggestion to replace example.com more explicit. 2023-09-12 16:54:05 +01:00
Max Schaefer
7ddb7da65e Apply suggestions from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2023-09-12 16:47:23 +01:00
Max Schaefer
46d7165885 Explain about redirects to example.com. 2023-09-07 09:12:07 +01:00
Max Schaefer
a02f373e79 Use better sanitiser. 2023-09-06 14:06:16 +01:00
Max Schaefer
87364137df Use more sensible validator in example. 2023-08-21 15:14:01 +01:00
erik-krogh
5ffce86768 change the defaults in the qhelp for missing-rate-limit to something more reasonable 2023-08-10 13:40:17 +02:00
Erik Krogh Kristensen
6631e838cf re-appearing -> reappearing 
Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>
 2023-08-07 09:57:52 +02:00
Max Schaefer
5124310f14 Update javascript/ql/src/Security/CWE-730/ServerCrash.qhelp 
Co-authored-by: Asger F <asgerf@github.com>
 2023-08-01 17:03:05 +01:00
Max Schaefer
7823ff968c JavaScript: Improve query help for js/server-side-unvalidated-url-redirection. 2023-07-19 13:23:25 +01:00
Max Schaefer
9432fec612 JavaScript: Improve qhelp for js/server-crash. 
The examples now use `fs.access` instead of the deprecated `fs.exists`. I have also rewritten the async/await example, since as of Node.js v15 the default behaviour for uncaught exceptions has changed to terminating the process instead of logging a warning, making the previous advice incorrect.
 2023-07-17 14:44:23 +01:00
erik-krogh
1fe66232c6 suggestions based on review: add a popular library example for HTML-sanitization, and use the old text about ../ replacements 2023-07-13 14:28:11 +02:00
Erik Krogh Kristensen
9db970f055 apply suggestion from review 
Co-authored-by: Max Schaefer <54907921+max-schaefer@users.noreply.github.com>
 2023-07-13 14:17:33 +02:00
Max Schaefer
ae237247f2 Apply suggestions from code review 
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
 2023-07-13 12:10:57 +01:00
Max Schaefer
63c45a0da3 Add another example of when and how to use shell-quote. 2023-07-10 14:02:17 +01:00
Max Schaefer
1d3e3440f2 Add example of manual sanitisation. 2023-07-06 12:54:30 +01:00
Max Schaefer
240e0799b0 Fix spurious character in code example. 2023-07-06 12:54:03 +01:00
Max Schaefer
83a854c3ff Update javascript/ql/src/Security/CWE-078/IndirectCommandInjection.qhelp 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-07-06 12:47:06 +01:00
Max Schaefer
6fb41adc61 Apply suggestions from code review 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-07-06 12:02:44 +01:00
Max Schaefer
f89992eb16 Address more review feedback. 2023-07-05 12:02:11 +01:00
Max Schaefer
921d8de8dc Apply suggestions from code review 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-07-05 11:19:30 +01:00
Max Schaefer
5fb6b5810f Clarify that splitting arguments on space is not safe. 2023-07-04 15:58:37 +01:00
Max Schaefer
74af0b1f05 Improve command-injection example and provide a fixed version. 2023-07-04 15:58:37 +01:00
Erik Krogh Kristensen
8676516cb9 recursively -> repeatedly 
Co-authored-by: Asger F <asgerf@github.com>
 2023-07-03 13:17:13 +02:00
erik-krogh
3e2b8124c9 apply suggestions from review 2023-07-03 10:03:45 +02:00
erik-krogh
bea4162736 delete multi-char note from the incomplete-sanitization qhelp 2023-07-03 09:10:54 +02:00
erik-krogh
a60478ba8a write qhelp for js/incomplete-multi-character-sanitization 2023-07-03 09:07:13 +02:00
Adrien Pessu
e332a4348d Update javascript/ql/src/Security/CWE-798/HardcodedCredentials.qhelp 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-06-21 12:55:33 +01:00
Adrien Pessu
4d1bbe36a9 Merge branch 'main' into main 2023-06-21 09:11:57 +01:00
Adrien Pessu
7dfb404fd7 clean examples 2023-06-21 08:11:39 +00:00
Adrien Pessu
e85987bfc5 remove useless phrase 2023-06-21 07:59:24 +00:00
Adrien Pessu
2a2f6de78c fixed text not in a tag 2023-06-20 17:27:37 +00:00
Adrien Pessu
36cb60c746 Add fixed proposition for NodeJS 2023-06-20 17:22:56 +00:00
Tiago Pascoal
150854603b Single quote was preventing the shell from expanding the BODY variable 
While this prevents the attack highlighted in the query help it also prevents it from working.

Double quotes will allow the expansion of the variable while still preventing the attack
 2023-06-20 11:38:27 +01:00
Adrien Pessu
eb28266bcb improv example the help file 2023-06-19 17:00:52 +00:00