Chris Smowton
ff4b97bf2d
Reword
2025-09-30 13:08:03 +01:00
Chris Smowton
f1239352ce
Note issue in related query
2025-09-29 18:43:59 +01:00
Chris Smowton
18c5cb10d9
Ruby: Update CSRF protection notes in documentation
...
Autofix is confused about how the `protect_from_forgery` method works in Rails >= 5: GPT-5 says:
> In modern Rails versions (>=5, including 6 and 7 which this gem permits), ActionController::Base already enables CSRF protection by default with the `:exception` strategy; an explicit call to `protect_from_forgery` without options does not weaken security.
This is false: manual testing confirms that it actually does downgrade from `:exception` to `:null_session` behaviour when a manual call is made.
I can't find any authoritative source showing this gotcha, so I can see how the AI is confused and how humans might also struggle to verify the truth.
2025-09-29 18:42:11 +01:00
Kasper Svendsen
b52fff2f81
Merge pull request #20505 from kaspersv/kaspersv/future-proof-java-discarding2
...
Overlay: Discard Java config and XML base entities in overlay extracted files
2025-09-29 13:01:08 +02:00
Jeroen Ketema
9dfd87c284
Merge pull request #20514 from jketema/permissive
...
C++: Update tests after extractor changes
2025-09-28 16:56:31 +02:00
Owen Mansel-Chan
18a1075e70
Merge pull request #20523 from smowton/smowton/fix/mistyped-exp-fp
...
Go: mistyped-exponentiation: notice constants with likely-bitmask values
2025-09-26 16:02:30 +01:00
Owen Mansel-Chan
f5f61193a0
Delete change note
2025-09-26 15:33:26 +01:00
Geoffrey White
a0b533bd40
Merge pull request #20529 from geoffw0/convert
...
Rust: Correct from model to taint
2025-09-26 14:48:58 +01:00
Florin Coada
ba07daa50a
Merge pull request #20532 from github/coadaflorin/changelog-fixes
...
Update changelog for CodeQL CLI 2.23.1
2025-09-26 14:21:21 +01:00
Geoffrey White
1635ef9ad9
Merge branch 'main' into convert
2025-09-26 14:11:04 +01:00
Florin Coada
5a0bae27ac
Update changelog for CodeQL CLI 2.23.1
2025-09-26 13:57:57 +01:00
Anders Schack-Mulligen
f4388c80d0
Merge pull request #20519 from aschackmull/controlflowreach/perf2
...
ControlFlow: Split only on relevant values.
2025-09-26 14:51:49 +02:00
Florin Coada
a4f5e9aaf5
Update changelog for CodeQL CLI 2.23.1
...
Added acknowledgment for the original contributor of the 'Permissive CORS configuration' query and clarified the detection of path injection in Go.
2025-09-26 13:46:12 +01:00
Florin Coada
f6fe469e02
Merge pull request #20531 from github/coadaflorin-formatingfix2
...
Fix formatting in codeql-cli-2.23.1.rst
2025-09-26 13:31:22 +01:00
Florin Coada
3e9332edfa
Fix formatting in codeql-cli-2.23.1.rst
2025-09-26 13:16:45 +01:00
Florin Coada
f8388c521e
Merge pull request #20530 from github/coadaflorin/attributer-query
...
Attribute `js/cors-permissive-configuration` to original author
2025-09-26 13:11:08 +01:00
Anders Schack-Mulligen
2c29f21004
Shared: Address review comments.
2025-09-26 13:59:53 +02:00
Tom Hvitved
615b0a0310
Merge pull request #20502 from hvitved/rust/path-resolution-check-arity
...
Rust: Check call arities in path resolution
2025-09-26 13:45:26 +02:00
Tom Hvitved
4c7b66c66a
Address review comments
2025-09-26 13:14:44 +02:00
Florin Coada
ba520c60d2
Update 2.1.0.md
2025-09-26 10:11:03 +01:00
Florin Coada
09833e2541
Update CHANGELOG for query promotion and acknowledgment
...
Promote 'Permissive CORS configuration' query to default suite and acknowledge contributor.
2025-09-26 10:09:30 +01:00
Florin Coada
2f96e32ec9
Update 2.1.0.md
2025-09-26 10:08:31 +01:00
Geoffrey White
3a03bb5a0b
Rust: Repair rust/hard-coded-cryptographic-value, which had an unintentional dependence on the taint flow.
2025-09-26 10:03:38 +01:00
Geoffrey White
74a350a432
Rust: Effect on tests.
2025-09-26 09:55:16 +01:00
Tom Hvitved
c52709a5f0
Merge pull request #20516 from hvitved/rust/type-inference-union-pointer-never
...
Rust: Model union, never, and pointer types
2025-09-26 10:26:05 +02:00
Tom Hvitved
7a74efcc82
Update rust/ql/lib/codeql/rust/elements/internal/UnionImpl.qll
...
Co-authored-by: Simon Friis Vindum <paldepind@github.com>
2025-09-26 09:57:13 +02:00
Geoffrey White
ff554055a6
Rust: Correct 'from' model to taint.
2025-09-26 08:43:35 +01:00
Simon Friis Vindum
6678e79239
Merge pull request #20526 from geoffw0/lock
...
Rust: Add missing Cargo.lock files
2025-09-26 08:57:21 +02:00
Geoffrey White
39ceadaa26
Merge pull request #20520 from geoffw0/gitignore
...
Add .orig files to the .gitignore.
2025-09-25 18:10:24 +01:00
Geoffrey White
656a7bc378
Rust: Add missing Cargo.lock files to query tests.
2025-09-25 17:40:59 +01:00
Chris Smowton
9e7a5214f3
Change note
2025-09-25 15:40:26 +01:00
Chris Smowton
e9cccb46c0
Go: mistyped-exponentiation: notice constants with likely-bitmask values
2025-09-25 15:19:40 +01:00
Tom Hvitved
1a4cfba93a
Merge pull request #20427 from felickz/ruby-framework-grape
...
Ruby: Add support for Grape Framework
2025-09-25 16:12:34 +02:00
Taus
e592fd60ff
Merge pull request #20495 from github/tausbn/python-fix-unmatchable-dollar-in-lookahead
...
Python: Fix false positive for unmatchable dollar/caret
2025-09-25 15:27:32 +02:00
Geoffrey White
b22227d0f4
Add .orig files to .gitignore.
2025-09-25 14:03:39 +01:00
Anders Schack-Mulligen
109b6a1d79
ControlFlow: Split only on relevant values.
2025-09-25 15:03:35 +02:00
Tom Hvitved
2a814dd37c
Rust: Model union, never, and pointer types
2025-09-25 12:33:51 +02:00
Jeroen Ketema
e41b5f2bc0
C++: Update tests after extractor changes
2025-09-25 09:52:22 +02:00
Florin Coada
2db5f0def5
Merge pull request #20510 from github/coadaflorin-patch-1
...
Fix escape character in changelog for Go query
2025-09-24 16:18:05 +01:00
Michael B. Gale
fd6f9cd2d5
Merge pull request #20368 from github/mbg/go/support-git-source
...
Go: Support `git_source`
2025-09-24 16:14:56 +01:00
Florin Coada
86fe68bb61
Fix formatting in changelog for Go path injection query
...
2 people + 2 models managed to tackle this insurmountable task.
2025-09-24 16:12:17 +01:00
Florin Coada
6c488e6e71
Fix formatting in codeql-cli-2.23.1.rst
2025-09-24 16:01:38 +01:00
Florin Coada
f3ef6ef3c9
Fix formatting issue in changelog for Go query
2025-09-24 16:00:40 +01:00
Florin Coada
8ad6952dda
Fix escape character in changelog for Go query
2025-09-24 15:58:09 +01:00
Michael B. Gale
8c8499229d
Configure git to use the certificate, if needed
2025-09-24 15:52:04 +01:00
Michael B. Gale
bc38b79c9a
Convert URLs to expected format
2025-09-24 15:52:04 +01:00
Michael B. Gale
4ef8ff9a0f
Append * to git_source URL if not present
...
Since `GOPRIVATE` / `GONOPROXY` expect a glob pattern
2025-09-24 15:52:03 +01:00
Michael B. Gale
a8fa1a76c4
Use git_source configurations for GOPRIVATE
2025-09-24 15:52:02 +01:00
Michael B. Gale
895399ff05
Rename proxy_configs to goproxy_servers and only store URLs
2025-09-24 15:52:01 +01:00
Michael B. Gale
23a04613c0
Set lower-case variants of HTTP_PROXY and HTTPS_PROXY
2025-09-24 15:52:00 +01:00