hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-10 07:21:12 +02:00
Code Issues Packages Projects Releases Wiki Activity
87,809 Commits 1,775 Branches 169 Tags
ee6b8394ab8dbf4c30c86fa714b27d5b2e43e4ea
Commit Graph

59 Commits

Author SHA1 Message Date
Owen Mansel-Chan
ea29986c4f Fix non-US english by using "parentheses" instead of "brackets" 
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
 2026-05-12 22:40:03 +01:00
copilot-swe-agent[bot]
562f415f64 Tidy Bash alphaNumericRegex comment spacing 2026-05-12 22:40:03 +01:00
copilot-swe-agent[bot]
0620d348b2 Update Bash alphaNumericRegex to match grouped quantified forms 2026-05-12 22:40:03 +01:00
copilot-swe-agent[bot]
ef1bde7565 Widen pinned SHA regex to support SHA-256 (64-char hex) and add tests 2026-05-12 22:40:03 +01:00
Chris Smowton
dc26a57548 Use posessive quantifier to avoid stack overflow on large ${{}} expressions 2026-01-23 15:35:24 +00:00
Owen Mansel-Chan
4a16de2bc8 Pull out logic into separate predicate 2025-12-04 16:50:39 +00:00
Owen Mansel-Chan
fb841ea591 Make predicates containing query logic more self-contained 2025-12-04 16:50:37 +00:00
Owen Mansel-Chan
f6bdb3a126 Fix filtering of code injection alerts between medium and critical 2025-12-04 16:50:34 +00:00
Nora Dimitrijević
974d174757 Actions/CodeInjectionQuery 
actions/ql/src/Security/CWE-094/CodeInjectionMedium.ql

actions/ql/src/Security/CWE-094/CodeInjectionCritical.ql
 2025-10-28 09:41:24 +01:00
Nora Dimitrijević
62fde8f6e7 Actions/ArgumentInjectionQuery 
actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql

actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql
 2025-10-28 09:41:21 +01:00
Nora Dimitrijević
c40223319c Actions/EnvVarInjectionQuery 
actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql

actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql
 2025-10-28 09:41:18 +01:00
Nora Dimitrijević
edc72d29d7 Actions/EnvPathInjectionQuery 
actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql

actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql
 2025-10-28 09:41:16 +01:00
Nora Dimitrijević
1f53ffbdd7 Actions/ArtifactPoisoningQuery 
actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql

actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql
 2025-10-28 09:41:13 +01:00
Nora Dimitrijević
bb10307303 Actions/SecretExfiltrationQuery 
actions/ql/src/experimental/Security/CWE-200/SecretExfiltration.ql uses source as endpoint
 2025-10-28 09:38:38 +01:00
Nora Dimitrijević
890ca8e7d1 Actions/RequestForgeryQuery 
actions/ql/src/experimental/Security/CWE-918/RequestForgery.ql uses source as endpoint
 2025-10-28 09:38:21 +01:00
Nora Dimitrijević
3fa8259042 Actions/OutputClobberingQuery 
actions/ql/src/experimental/Security/CWE-074/OutputClobberingHigh.ql uses source as endpoint
 2025-10-28 09:38:01 +01:00
Michael Nebel
a9baf34629 Merge pull request #20324 from michaelnebel/actions/ql4ql 
Actions: Fix some Ql4Ql violations.
 2025-09-03 12:29:06 +02:00
Michael Nebel
64f9758c29 Actions: Fix some Ql4Ql violations. 2025-09-01 14:45:00 +02:00
Anders Schack-Mulligen
144e34c669 Shared: Use shared SuccessorType in shared Cfg and BasicBlock libs. 2025-09-01 13:43:32 +02:00
Anders Schack-Mulligen
92fcda3cc7 Actions: Use shared SuccessorType. 2025-09-01 12:56:08 +02:00
Nora Dimitrijević
126d24a522 [DIFF-INFORMED] Actions: EnvVarInjection 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-077/EnvVarInjectionMedium.ql#L35
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-077/EnvVarInjectionCritical.ql#L46
 2025-08-15 11:11:12 +02:00
Nora Dimitrijević
f1445eb52f [DIFF-INFORMED] Actions: EnvPathInjection 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-077/EnvPathInjectionMedium.ql#L30
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-077/EnvPathInjectionCritical.ql#L37
 2025-08-15 11:11:07 +02:00
Nora Dimitrijević
f1b995a736 [DIFF-INFORMED] Actions: CommandInjection 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/experimental/Security/CWE-078/CommandInjectionMedium.ql#L24
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/experimental/Security/CWE-078/CommandInjectionCritical.ql#L28
 2025-08-15 11:11:03 +02:00
Nora Dimitrijević
418e4b4a3a [DIFF-INFORMED] Actions: CodeInjection 
Query: https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-349/CachePoisoningViaCodeInjection.ql#L46
 2025-08-15 11:10:58 +02:00
Nora Dimitrijević
bbda2902be [DIFF-INFORMED] Actions: ArtifactPoisoning 
Queries:
- https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-829/ArtifactPoisoningMedium.ql#L23
- https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/Security/CWE-829/ArtifactPoisoningCritical.ql#L26
 2025-08-15 11:10:42 +02:00
Nora Dimitrijević
896819fdf3 [DIFF-INFORMED] Actions: ArgumentInjection 
Query:
- https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionMedium.ql#L23
- https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/actions/ql/src/experimental/Security/CWE-088/ArgumentInjectionCritical.ql#L27
 2025-08-15 11:10:14 +02:00
Adnan Khan
7be938c6c3 Handle multiple whitespaces in runner temp regex. 
Co-authored-by: Napalys Klicius <napalys@github.com>
 2025-07-10 12:22:14 -04:00
Adnan Khan
db954d6d9f Merge branch 'main' into patch-1 2025-07-08 23:31:35 -07:00
Jaroslav Lobačevski
9393181c4e Add tests and path normalization fix to handle $ expansion 2025-07-08 16:18:12 +00:00
Adnan Khan
f4f919635a Correctly specify regex. 
Co-authored-by: Jaroslav Lobačevski <jarlob@github.com>
 2025-07-08 10:17:29 -04:00
Nora Dimitrijević
fc61910df1 Actions: mass-add none() location overrides 2025-06-17 17:00:19 +02:00
Nora Dimitrijević
f2bd454e99 Actions: mass enable diff-informed data flow 
An auto-generated patch that enables diff-informed data flow in the obvious cases.

Builds on https://github.com/github/codeql/pull/18346 and https://github.com/github/codeql-patch/pull/88
 2025-06-11 19:10:11 +02:00
Aditya Sharad
848064e95a Actions: Order quoted strings by their ID, not text 
In the Bash parser, we compute a mostly-unique ID for each
quoted string within a shell script block.
Quoted strings are then ranked and referred to individually.

Avoid a performance bottleneck by ranking quoted strings by their
ID, not by their source text.
I think this was the original intent of the code.

Ranking by their original text ends up evaluating multiple
possible orderings, which is slow on workflows that contain
multiple complex quoted strings, such as JSON payloads.
 2025-06-09 09:15:45 -07:00
Aditya Sharad
fbe11cfca6 Actions: Refactor logic for identifying quoted strings 
Add some doc comments and meaningful variable names.
 2025-06-09 09:15:45 -07:00
Aditya Sharad
321513c89b Actions: Order command substitutions by their ID, not text 
In the Bash parser, we compute a mostly-unique ID for each
command substitution within a shell script block.
Commands are then ranked and referred to individually.

Avoid a performance bottleneck by ranking commands by their
ID, not by their source text.
I think this was the original intent of the code.
Ranking by their original text ends up evaluating multiple
possible orderings, which is slow on workflows that contain
multiple complex command substitutions.
 2025-06-09 08:39:58 -07:00
Aditya Sharad
39e710e805 Actions: Refactor logic for identifying command substitution 
Extract helper predicates for `$(...)` command interpolation
and backtick-quoted commands.
Add some doc comments and meaningful variable names.
 2025-06-09 08:37:40 -07:00
Chris Smowton
338d3834c4 Actions: Make Env non-abstract 
`class Env` was previously abstract with no concrete descendants, so user queries like `any(Env e | ...)` would never produce results.

In the JS library the corresponding class derived from `YamlNode` and has concrete descendants representing workflow-, job- and step-level `env` nodes. However these are dubiously useful since you can always just use `any(Step s).getEnv()` to achieve the same result. Since `EnvImpl` already fully characterises an `env` node, I simply make the class concrete.
 2025-06-05 10:21:24 +01:00
Adnan Khan
a9c4d6f383 Fix escaping. 2025-04-25 15:00:14 -04:00
Adnan Khan
38f00775bd Exclude artifacts downloaded to runner temp. 2025-04-25 14:49:01 -04:00
yoff
7bf4a47549 Apply suggestions from code review 
Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
 2025-04-02 08:43:29 +02:00
yoff
d83f35ff64 actions: remove unneded API 2025-04-01 17:07:43 +02:00
yoff
ee1eb199b5 actions: add description of actionsPermissionsDataModel 2025-04-01 17:07:02 +02:00
yoff
e7bb47f335 ruby: add MaD model for permissions needed by actions 
Use this to suggest minimal set of nedded permissions
 2025-03-31 16:48:37 +02:00
Dave Bartolomeo
0e4725bfe2 Merge pull request #18435 from felickz/felickz/actions-trusted-owner-data-extensions 
Convert trusted actions list to data extension
 2025-02-07 10:25:41 -05:00
Asger F
1904b026b2 Actions: Avoid blowup in quotation parser 
The parser has an inherent N^2 blowup and will need a rewrite eventually. For now I'm just trying to make it not blow up as often.
 2025-02-05 13:35:52 +01:00
Asger F
16634e6dc9 Merge pull request #18540 from JarLob/bash 
Actions: Improve bash support
 2025-01-28 09:49:58 +01:00
Jaroslav Lobačevski
9521467a06 Update actions/ql/lib/codeql/actions/Bash.qll 
Co-authored-by: Asger F <asgerf@github.com>
 2025-01-24 12:59:41 +01:00
Jaroslav Lobačevski
88529d42d0 Remove comparison 2025-01-20 16:28:35 +00:00
Jaroslav Lobačevski
da9d612a47 Improve bash support 2025-01-20 14:59:30 +00:00
Simon Friis Vindum
53b63bed00 Actions: Implement added predicates in CFG instantiation 2025-01-17 13:31:00 +01:00