hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-06 03:00:24 +01:00
Code Issues Packages Projects Releases Wiki Activity
777 Commits 1,676 Branches 157 Tags
ebd45ace50d3daef7b0457dfdfe868b2d5d64d60
Commit Graph

202 Commits

Author SHA1 Message Date
Alvaro Muñoz
ebd45ace50 feat: add source model for peter-murra/issue-forms-body-parser 2024-10-31 10:59:05 +01:00
Alvaro Muñoz
0157bf3297 fix: improve JS require/import poisonable step to account for cwd 2024-10-30 22:12:17 +01:00
Alvaro Muñoz
263582c796 feat: Add sanitizers for bash test commands 2024-10-30 12:43:19 +01:00
Alvaro Muñoz
f76d4d67d9 tests: update tests 2024-10-29 22:31:15 +01:00
Alvaro Muñoz
871193095a feat: Add trigger event to cache poisoning queries 2024-10-29 19:04:02 +01:00
Alvaro Muñoz
24a3df0386 tests: new tests for Code Injection 2024-10-29 13:41:23 +01:00
Alvaro Muñoz
31a9346d2d feat: show trigger event on query results 2024-10-29 11:59:59 +01:00
Alvaro Muñoz
18137f58c2 fix: take trigger events into consideration 
Code Injection remote flow sources should be triggerable by the
privileged event
 2024-10-28 11:58:14 +01:00
Alvaro Muñoz
e6e1704021 Update tests 2024-10-25 10:26:51 +02:00
Alvaro Muñoz
ae6309daf6 Account for tar -C option to specify path 2024-10-23 22:02:58 +02:00
Alvaro Muñoz
674afc5edd Improve labelgate accuracy 2024-10-23 15:48:42 +02:00
Alvaro Muñoz
43211d3286 Update tests 2024-10-23 12:16:02 +02:00
Alvaro Muñoz
d1d92ae68a Create getATriggerEvent for Steps and refactor the code to use it 2024-10-23 10:13:20 +02:00
Alvaro Muñoz
0738a66380 Add trigger event checks for all checkout models 2024-10-23 09:37:01 +02:00
Alvaro Muñoz
42d4bb577c Better identification of checkout of untrusted code depending on the triggering events 2024-10-22 22:42:11 +02:00
Alvaro Muñoz
02c5f74f20 New gh CLI sources 2024-10-22 14:57:59 +02:00
Alvaro Muñoz
da10ee74d3 Add workflow_dispatch and scheduled to the list of privileged and external (user interaction) events 2024-10-22 11:18:42 +02:00
Alvaro Muñoz
229d42b515 Add sonar-scanner-action as a poisonable step 2024-10-21 11:05:06 +02:00
Alvaro Muñoz
e03ba55812 Account for checkout path on Untrusted Checkout Critical 2024-10-19 17:01:29 +02:00
Alvaro Muñoz
8323819504 New sources for octokit/request-action 2024-10-17 15:51:00 +02:00
Alvaro Muñoz
c5c3cd1726 Clean imports 2024-10-16 11:47:35 +02:00
Alvaro Muñoz
b49cd3b916 Better handling of EnvVar Injection and Argument Injection 2024-10-16 08:48:32 +02:00
Alvaro Muñoz
e2e1dddb36 Move arg injection sinks to ShellScript class 2024-10-15 09:48:01 +02:00
Alvaro Muñoz
2e5379f289 Update expected tests 2024-10-14 15:10:31 +02:00
Alvaro Muñoz
ff17d1dcb1 Add CmdI test 2024-10-14 12:50:11 +02:00
Alvaro Muñoz
be87eccbe7 Refactor Script support 2024-10-14 12:04:20 +02:00
Alvaro Muñoz
99e92af034 Update tests 2024-10-11 12:20:57 +02:00
Alvaro Muñoz
860eda9c04 Improve control checks to better account for toctou issues 2024-10-04 18:04:13 +02:00
Alvaro Muñoz
6b98a5b5b1 Update tests 2024-10-02 12:34:27 +02:00
Alvaro Muñoz
853fdf0d35 Merge pull request #97 from github/rasmuswl/avoid-duplicate-code-injection-alerts 
Suppress `actions/cache-poisoning/code-injection` alerts covered by `actions/code-injection/critical`
 2024-10-01 11:47:41 +02:00
Rasmus Wriedt Larsen
726392c8b7 Suppress actions/cache-poisoning/code-injection alerts covered by actions/code-injection/critical 2024-10-01 09:48:16 +02:00
Alvaro Muñoz
e0a2eb93d6 fix: Repository checks do not protect workflow_run triggered jobs 2024-09-30 15:27:15 +02:00
Alvaro Muñoz
f2c5a14883 Fix: ControlChecks protects/dominates only work with Steps. A sink can be in a sub-step node (eg: ScalarValue) 2024-09-28 23:57:32 +02:00
Alvaro Muñoz
4fffde2fc5 Add remote flow sources as a mutable ref source for untrusted checkouts 2024-09-27 21:38:38 +02:00
Alvaro Muñoz
9d26a8da26 Improve path checks for Artifact and Cache poisoning queries 2024-09-27 18:22:35 +02:00
Alvaro Muñoz
86c1d9c30f Improve artifact poisoning query 
Better check of download path
Add downloading to /tmp as a sanitizer
 2024-09-27 12:35:10 +02:00
Alvaro Muñoz
16f1a53584 Add new sources for github.event.changes 2024-09-25 18:21:54 +02:00
Alvaro Muñoz
b1ddbc9d13 Improve Control Checks 2024-09-25 15:25:56 +02:00
Alvaro Muñoz
153fb492f7 Update tests 2024-09-24 23:14:37 +02:00
Alvaro Muñoz
f095622a9b Update expected test results 2024-09-24 21:50:59 +02:00
Alvaro Muñoz
e8a667fdc6 Add new tests 2024-09-24 21:43:31 +02:00
Alvaro Muñoz
fe06c9e5fa d /Users/pwntester/src/github.com/github/codeql-actions/ql 2024-09-24 12:12:09 +02:00
Alvaro Muñoz
53f82d3d6c Control Checks in Run/Uses steps also protect Jobs that depend on them 2024-09-23 12:29:35 +02:00
Alvaro Muñoz
df59e6f5d2 Consider a Reusable Workflow privileged if a caller is 2024-09-23 10:18:29 +02:00
Alvaro Muñoz
d44e7aee0a Cross remote Reusable Workflow analysis 2024-09-22 22:05:39 +02:00
Alvaro Muñoz
c20e407c16 Modify UnpinnedActionsTag report node 2024-09-20 11:52:44 +02:00
Alvaro Muñoz
4f075f3f36 feat: Improve sanitizer checks 2024-09-19 13:38:08 +02:00
Alvaro Muñoz
15bb4d851d Add new test for flow through matrix 2024-09-11 10:25:31 +02:00
Alvaro Muñoz
25a210734b Update tests 2024-09-10 13:58:36 +02:00
Alvaro Muñoz
a9a297ab78 Update tests 2024-09-10 09:52:21 +02:00