hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-01 16:56:33 +01:00
Code Issues Packages Projects Releases Wiki Activity
777 Commits 1,673 Branches 157 Tags
ebd45ace50d3daef7b0457dfdfe868b2d5d64d60
Commit Graph

777 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Alvaro Muñoz
ebd45ace50 feat: add source model for peter-murra/issue-forms-body-parser 2024-10-31 10:59:05 +01:00
Alvaro Muñoz
0157bf3297 fix: improve JS require/import poisonable step to account for cwd 2024-10-30 22:12:17 +01:00
Alvaro Muñoz
a2f162e482 Bump qlpack versions 2024-10-30 12:43:44 +01:00
Alvaro Muñoz
263582c796 feat: Add sanitizers for bash test commands 2024-10-30 12:43:19 +01:00
Alvaro Muñoz
f76d4d67d9 tests: update tests 2024-10-29 22:31:15 +01:00
Alvaro Muñoz
685c9e97cc Bump qlpack versions 2024-10-29 21:17:55 +01:00
Alvaro Muñoz
fcc7efbc5c Bump qlpack versions 2024-10-29 19:19:06 +01:00
Alvaro Muñoz
58f060234a fix: count(text.splitAt()) does not account for all lines, use max(text.splitAt(,i)) instead 2024-10-29 19:17:24 +01:00
Alvaro Muñoz
871193095a feat: Add trigger event to cache poisoning queries 2024-10-29 19:04:02 +01:00
Alvaro Muñoz
ee7e50c1cf Bump qlpack versions 2024-10-29 13:42:02 +01:00
Alvaro Muñoz
24a3df0386 tests: new tests for Code Injection 2024-10-29 13:41:23 +01:00
Alvaro Muñoz
31a9346d2d feat: show trigger event on query results 2024-10-29 11:59:59 +01:00
Alvaro Muñoz
0ad7f08c9f fix: do not require github.event.workflow_run.id as an argument for gh run download 2024-10-28 16:15:47 +01:00
Alvaro Muñoz
aecb478e1c Bump qlpack versions 2024-10-28 11:58:45 +01:00
Alvaro Muñoz
18137f58c2 fix: take trigger events into consideration 
Code Injection remote flow sources should be triggerable by the
privileged event
 2024-10-28 11:58:14 +01:00
Alvaro Muñoz
792e8555af fix: remove context 2 events mappings 
client_paylaod (dispatch), commits (push), head_commit (push) and
merge_group are not under external attacker control so remove them
 2024-10-28 11:56:59 +01:00
Alvaro Muñoz
62d9302e8b chore: remove leftover commented out code 2024-10-28 11:55:44 +01:00
Alvaro Muñoz
e34835f71a fix: AstNode.getATriggerEvent() 
getATriggerEvent did not work for nodes outside a Job.
If there is no enclosing job, get the trigger from the enclosing
workflow
 2024-10-28 11:55:23 +01:00
Alvaro Muñoz
6136a98764 Add getEvent to RemoteFlowSource for events able to trigger the source 2024-10-28 11:54:04 +01:00
Alvaro Muñoz
fe9c908880 Bump qlpack versions 2024-10-25 14:18:20 +02:00
Alvaro Muñoz
e6e1704021 Update tests 2024-10-25 10:26:51 +02:00
Alvaro Muñoz
922ae57aba Fix LabelIf ControlCheck so that it recognizes checks not at the beginning of the expression 2024-10-25 10:26:47 +02:00
Alvaro Muñoz
d8f79818d6 Improve extraction of Output/Env assignments 2024-10-25 10:25:47 +02:00
Alvaro Muñoz
6802cd2398 Improve checkout trigger events checks 2024-10-25 10:25:18 +02:00
Alvaro Muñoz
dbcf113546 Bump qlpack versions 2024-10-23 22:04:01 +02:00
Alvaro Muñoz
b6a26e76d4 New azure models 2024-10-23 22:03:11 +02:00
Alvaro Muñoz
ae6309daf6 Account for tar -C option to specify path 2024-10-23 22:02:58 +02:00
Alvaro Muñoz
674afc5edd Improve labelgate accuracy 2024-10-23 15:48:42 +02:00
Alvaro Muñoz
9a0795cc75 Bump qlpack versions 2024-10-23 12:16:32 +02:00
Alvaro Muñoz
43211d3286 Update tests 2024-10-23 12:16:02 +02:00
Alvaro Muñoz
315ffdff8d Improve env var injection sanitizers 2024-10-23 12:15:54 +02:00
Alvaro Muñoz
fef37b6025 Remove pull_request from context event map so that accesss to github.event.pull_request are not considered a source for pull_request triggers 2024-10-23 12:15:26 +02:00
Alvaro Muñoz
c9bb42a46c Enforce a checkout kind of trigger to consider gh pr/gh api ... pulls as a source of untrusted data 2024-10-23 12:14:20 +02:00
Alvaro Muñoz
6298f2520e Bump qlpack versions 2024-10-23 10:37:33 +02:00
Alvaro Muñoz
d1d92ae68a Create getATriggerEvent for Steps and refactor the code to use it 2024-10-23 10:13:20 +02:00
Alvaro Muñoz
b2a3aaacfd Bump qlpack versions 2024-10-23 09:40:25 +02:00
Alvaro Muñoz
a057b9dd44 Add poisonable step for azure/powershell 2024-10-23 09:39:34 +02:00
Alvaro Muñoz
0738a66380 Add trigger event checks for all checkout models 2024-10-23 09:37:01 +02:00
Alvaro Muñoz
0cacb6feaf Bump qlpack versions 2024-10-22 22:42:51 +02:00
Alvaro Muñoz
42d4bb577c Better identification of checkout of untrusted code depending on the triggering events 2024-10-22 22:42:11 +02:00
Alvaro Muñoz
8f350d9068 Merge pull request #104 from github/new_gh_sources 
New gh CLI sources
 2024-10-22 21:36:19 +02:00
Alvaro Muñoz
02c5f74f20 New gh CLI sources 2024-10-22 14:57:59 +02:00
Alvaro Muñoz
54338f4f35 Bump qlpack versions 2024-10-22 11:19:48 +02:00
Alvaro Muñoz
9a7e33bf3f Merge pull request #103 from github/new_events 
Add workflow_dispatch and scheduled to the list of privileged and external (user interaction) events
 2024-10-22 11:19:13 +02:00
Alvaro Muñoz
da10ee74d3 Add workflow_dispatch and scheduled to the list of privileged and external (user interaction) events 2024-10-22 11:18:42 +02:00
Alvaro Muñoz
6dbbfa9672 Bump qlpack versions 2024-10-21 12:12:37 +02:00
Alvaro Muñoz
229d42b515 Add sonar-scanner-action as a poisonable step 2024-10-21 11:05:06 +02:00
Alvaro Muñoz
fc5a6703b3 Add github.event.sender.login as an Actor source 2024-10-19 17:01:47 +02:00
Alvaro Muñoz
e03ba55812 Account for checkout path on Untrusted Checkout Critical 2024-10-19 17:01:29 +02:00
Alvaro Muñoz
7cba2e07bc Bump qlpack versions 2024-10-17 21:40:40 +02:00