Paolo Tranquilli
4973523404
C#: Fix CSRF query to check antiforgery attributes on base classes
Fixes https://github.com/github/codeql/discussions/21255
2026-02-04 09:42:20 +01:00
Chris Smowton
5bb31afc83
C# CSRF query: add support for ASP.NET Core
2025-12-08 11:51:01 +00:00
Anders Schack-Mulligen
78e1879c9e
Use more flowTo.
2025-12-03 14:12:08 +01:00
Anders Schack-Mulligen
dc6d3fe7ba
Use flowFrom.
2025-12-03 14:04:18 +01:00
Felicity Chapman
caf6b950ac
Remove trailing periods from @name metadata in query files
Fixed 73 .ql query files where the @name metadata contained an ending period.
This ensures consistency with the CodeQL query metadata style guidelines.
2025-11-26 14:29:51 +00:00
Joe Farebrother
c9a559a6d8
Restrict Append calls to string arguments
2025-11-10 14:14:06 +00:00
Joe Farebrother
0a085dccbe
Fix qhelp
2025-11-10 14:13:46 +00:00
Joe Farebrother
c734e74c76
Update qhelp
2025-11-10 14:13:31 +00:00
Joe Farebrother
6ba7ece2f0
Add httponly tests for aspnet core + fixes
2025-11-10 14:13:19 +00:00
Joe Farebrother
bb010fee6b
Add tests for secure cookie using aspnetcore
2025-11-10 14:13:04 +00:00
Joe Farebrother
3cdfa8e0ac
Update comments and names
2025-11-10 14:12:57 +00:00
Joe Farebrother
a87a03cfa8
Move to main query pack
2025-11-10 14:12:48 +00:00
Nora Dimitrijević
ba22f0d7d2
C#/DontInstallRootCert
2025-10-28 09:39:21 +01:00
Paolo Tranquilli
316225bb88
Csharp: rename predicate
2025-10-21 11:47:54 +02:00
Paolo Tranquilli
6f8b1f6f4c
Csharp: address review
2025-10-21 11:43:58 +02:00
Paolo Tranquilli
c3fd06c8a4
Csharp: fix cs/web/missing-x-frame-options to also consider location elements
As explained in
https://learn.microsoft.com/en-us/previous-versions/aspnet/ms178692(v=vs.100),
it is possible to add `system.webServer` elements nested inside
`location` elements in `Web.config`.
2025-10-17 11:27:31 +02:00
Anders Schack-Mulligen
8b50ac291f
C#: Use shared SuccessorType.
2025-09-01 12:53:24 +02:00
Napalys Klicius
3369e16b1b
Merge pull request #20254 from Napalys/cs/ldap-injection-qhelp
CS: Update `cs/ldap-injection` qhelp
2025-08-21 08:57:03 +02:00
Napalys Klicius
71a8e10f3d
CS: added extra guidance in recommendation section for LDAPInjection
2025-08-20 13:37:02 +02:00
Napalys Klicius
c475bedf73
CS: removed dead links from LDAPInjection qhelp
2025-08-20 12:58:54 +02:00
Nora Dimitrijević
218fcbbec5
[DIFF-INFORMED] C#: HardcodedConnectionString
2025-07-21 11:28:55 +02:00
Nora Dimitrijević
634bfa914f
C#: mass-add none() location overrides
2025-06-17 17:00:48 +02:00
Nora Dimitrijević
79e982af38
Merge pull request #19661 from d10c/d10c/csharp/diff-informed
C#: mass enable diff-informed data flow
2025-06-17 14:52:24 +02:00
Nora Dimitrijević
f2085c2293
C#: mass enable diff-informed data flow
An auto-generated patch that enables diff-informed data flow in the obvious cases.
Builds on https://github.com/github/codeql/pull/18344 and https://github.com/github/codeql-patch/pull/88
2025-06-11 18:56:25 +02:00
Chad Bentz
77e49f1f90
Merge branch 'main' into cwe-134
2025-06-06 11:16:10 -04:00
Chad Bentz
8a81aa1762
Set CWE-134 from 9.3 to 7.3 CVSS score for memory safe languages
- Sync up to score given to javascript/ruby
2025-05-19 14:43:08 -04:00
Michael Nebel
03ecd24469
Lower the precision of a range of hardcoded password queries to remove them from query suites.
2025-05-19 09:26:45 +02:00
Michael Nebel
133e8d4897
C#: Include CompositeFormat.Parse as Format like method.
2025-05-12 15:44:59 +02:00
Owen Mansel-Chan
cf614a596d
Fix cwe tags to include leading zero
2025-04-30 16:43:03 +01:00
Michael Nebel
062a2ad97d
C#: Include exception property accesses in the exception information exposure query.
2024-10-23 13:08:08 +02:00
Rasmus Wriedt Larsen
8c10155eb7
mass rename to ActiveThreatModelSource
2024-09-12 10:16:55 +02:00
Chanel Young
716e2737d1
formatting
2024-06-05 09:01:10 -07:00
Chanel Young
5ee7004a62
fp case if encrypt set in initializer
2024-05-16 17:59:17 -07:00
Tom Hvitved
d8d7688f88
C#: Fix another bad join
2024-04-23 15:39:59 +02:00
Tom Hvitved
6aa4c5c187
C#: Fix a bad join
2024-04-23 11:47:55 +02:00
Joe Farebrother
3567c30020
Set precision to high
2024-04-16 09:41:46 +01:00
Joe Farebrother
6e130d24cd
C#: Add missing query precision
2024-04-15 08:42:26 +01:00
Peter Stöckli
d62d68a40b
C#: add hint regarding ECB to weak encryption QHelp
2024-03-22 12:08:30 +01:00
Erik Krogh Kristensen
a3da6c886b
Merge pull request #15895 from erik-krogh/url-java-qhelp
Java: update the url-redirection in the same style as the C# qhelp
2024-03-18 21:10:07 +01:00
erik-krogh
ef8368cfc4
fix typo
2024-03-13 22:37:13 +01:00
Michael Nebel
560b355e0c
C#: Remove hard-coded local sources from the uncontrolled-format-string query.
2024-03-13 14:26:30 +01:00
Edward Minnix III
58f2777532
Merge pull request #15629 from egregius313/egregius313/csharp/dataflow/threat-modeling/remove-stored-query-variants
C#: Remove `Stored` variants of queries
2024-03-10 22:17:03 -04:00
Ed Minnix
ec6e17360d
Replace Main-method parameters with ThreatModelFlowSource
2024-03-07 12:30:08 -05:00
Ed Minnix
4dc605354c
Second-order SQL injection
2024-03-01 12:51:59 -05:00
Ed Minnix
c95abd47ce
Remove stored variants of queries
2024-03-01 12:51:51 -05:00
Ed Minnix
f488f23a48
Add LocalFlowSource back to UncontrolledFormatString
2024-02-29 12:06:59 -05:00
Ed Minnix
434fa20646
Refactor to using ThreatModelFlowSource
2024-02-29 12:03:05 -05:00
Ed Minnix
b76795fd28
Refactor to using ThreatModelFlowSource
2024-02-29 12:03:03 -05:00
Ed Minnix
fd3738b10e
Refactor to using SourceNode::getSourceType
2024-02-29 12:03:01 -05:00
Ed Minnix
f388a0f10c
Deprecate direct uses of RemoteFlowSource and replace with ThreatModelFlowSource
2024-02-29 12:02:57 -05:00