hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-07 14:41:41 +02:00
Code Issues Packages Projects Releases Wiki Activity
74,208 Commits 1,747 Branches 166 Tags
e382ffc5d23e90d98448f0bd6bb4edbefdbeb015
Commit Graph

1023 Commits

Author SHA1 Message Date
Napalys
9d4e737bc2 JS: follow proper code standards for get predicates 
Co-authored-by: asgerf <asgerf@github.com>
 2024-11-29 11:32:10 +01:00
Napalys
3171f38cdd JS: fixed bad alert messages when it came to incomplete sanitization for new RegExp objects 2024-11-29 11:14:45 +01:00
Napalys
98fd97799c JS: imcomplete sanization now handles properly maybe global 2024-11-28 11:26:50 +01:00
Napalys
1ae174849f JS: incomplete sanitization now also works with RegExp objects 2024-11-28 11:26:48 +01:00
Napalys Klicius
d6372aebc7 Update javascript/ql/src/Security/CWE-178/CaseSensitiveMiddlewarePath.ql 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2024-11-25 12:12:12 +01:00
Napalys
e38b63ebcd JS: previously js/case-sensitive-middleware-path was not taking into consideration unknown flags 2024-11-25 11:56:06 +01:00
Napalys Klicius
c8c15a0899 Merge pull request #17910 from Napalys/napalys/matchAll-support 
JS: Support for matchAll
 2024-11-14 15:36:20 +01:00
Mikaël Barbero
881fe0ba57 fix: add "actions" tag to ActionsArtifactLeak 
Similar to javascript/ql/src/Security/CWE-094/ExpressionInjection.ql
 2024-11-05 15:58:46 +01:00
Napalys Klicius
5e8b1b061f Update javascript/ql/src/Security/CWE-020/MissingRegExpAnchor.ql 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2024-11-05 10:29:22 +01:00
Napalys
ccee34d6d3 Added support for matchAll in CWE-020 including new test cases 2024-11-05 08:51:24 +01:00
Alvaro Muñoz
5d1da861a2 fix: Use YamlScalar for booleans 2024-09-06 23:21:41 +02:00
Alvaro Muñoz
5df3af2272 Fix alert message 2024-09-06 23:06:57 +02:00
Alvaro Muñoz
d9e8792d33 [javascript] Query to detect GITHUB_TOKEN leaked in artifacts 2024-09-06 22:55:58 +02:00
Kristen Newbury
e84dda4fa6 Update JS helmet model structure 2024-08-15 16:08:48 -04:00
aegilops
79980a98a2 Added links to eventual location of CUSTOMIZING.md 2024-07-12 14:21:50 +01:00
Paul Hodgkinson
11249e7182 Apply suggestions from code review - docs tweaks of CUSTOMIZING.md 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2024-07-12 14:20:03 +01:00
Paul Hodgkinson
c9af53f050 Merge branch 'main' into aegilops/polyfill-io-compromised-script 2024-07-12 12:53:44 +01:00
aegilops
61df4d2f04 Merge branch 'aegilops/polyfill-io-compromised-script' of https://github.com/aegilops/codeql into aegilops/polyfill-io-compromised-script 2024-07-12 12:49:18 +01:00
aegilops
00d91dc6ba Created guide on customizing these queries, and referenced it in the query help 2024-07-12 12:49:09 +01:00
aegilops
040f948e65 Added a note that SRI can be considered for some dynamic services 2024-07-12 12:48:36 +01:00
Paul Hodgkinson
3f37fe6add Apply suggestions from code review - docs and wording 
Docs suggestions accepted, thank you 🙏

Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2024-07-12 11:48:39 +01:00
aegilops
d71be8aeaf Moved from experimental into default queries 2024-07-11 11:44:01 +01:00
aegilops
86afd54a9b Moved new query to 'experimental' 
Moved lists of domains to data extensions, including adding those to the overall qlpack.yml

Expanded scope of new query to further domains operated by the untrusted owners of polyfill.io
 2024-07-09 16:38:01 +01:00
aegilops
2aff2a7385 Fixed code markup 2024-07-08 11:31:06 +01:00
aegilops
c003f265b0 Fixed missing li closing tag 2024-07-08 10:58:06 +01:00
aegilops
b4d8c4889a Fixed wrong name for example HTML 2024-07-01 16:58:03 +01:00
aegilops
1744a98017 Added full stop to end of message 2024-07-01 16:53:22 +01:00
aegilops
ceda46e317 Fixed ending <p> tags 2024-07-01 16:52:28 +01:00
aegilops
a1b0703690 Added detection for specific Polyfill.io CDN compromise - edited existing library and added new query and tests 2024-07-01 16:21:34 +01:00
aegilops
fc6fba8d06 Fixed CWE tags 2024-07-01 14:25:47 +01:00
aegilops
d1d082982a More external references 2024-07-01 14:25:29 +01:00
aegilops
1ecd72727d Renamed README to CUSTOMIZING, removed details from qhelp and referenced md doc instead 2024-06-19 17:59:43 +01:00
aegilops
a07639f4f6 Set severity to 7.0, in line with other configuration queries 2024-06-19 17:43:41 +01:00
aegilops
26f1b36736 Fixed formatting 2024-06-19 17:41:58 +01:00
aegilops
252c9e9416 Added data extension to set defaults, updated help, added README to explain customization 2024-06-19 17:27:17 +01:00
aegilops
d142f830da Change note and changed name of query in .ql file 2024-06-19 12:04:32 +01:00
aegilops
8a3cec4977 Fix formatting for check 2024-06-19 11:38:20 +01:00
aegilops
de96d3951d Renamed to helmetProperty everywhere 2024-06-19 10:15:06 +01:00
aegilops
f4691b1919 Changed to more-modern Dataflow libraries 2024-06-19 10:11:06 +01:00
aegilops
81ef255a87 Change to helmetProperty from helmetSetting variable name 2024-06-19 10:09:50 +01:00
aegilops
da9e1e61a4 Moved examples into separate files 2024-06-18 19:50:06 +01:00
aegilops
975811ae59 Change layout of qhelp example code 2024-06-07 15:50:06 +01:00
aegilops
7136763c37 Formatting 2024-06-07 15:36:39 +01:00
aegilops
465d64a810 Removed br tags 2024-06-07 15:34:45 +01:00
aegilops
29322f5ff0 Merge branch 'aegilops/js/insecure-helmet-middleware' of https://github.com/aegilops/codeql into aegilops/js/insecure-helmet-middleware 2024-06-07 15:32:23 +01:00
aegilops
f5d465f08a Added data extension to allow setting extra required Helmet features 2024-06-07 15:32:11 +01:00
Paul Hodgkinson
65dfd4c860 Merge branch 'main' into aegilops/js/insecure-helmet-middleware 2024-05-21 14:46:49 +01:00
aegilops
68e21a594a Fixed query help formatting issues 2024-05-21 14:35:18 +01:00
aegilops
83037b1195 Adjust structure to avoid warnings about message 2024-05-21 13:51:13 +01:00
aegilops
3a885eaf9f Insecure Helmet middle configuration - frameguard or CSP to 'false' 2024-05-20 11:58:55 +01:00