hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-23 07:45:17 +02:00
Code Issues Packages Projects Releases Wiki Activity
29,961 Commits 1,739 Branches 165 Tags
1cc5e54357cc637b366f5f0a34b1029de2a1d110
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Rasmus Wriedt Larsen 1cc5e54357 Python: Add SSRF queries 
I've added 2 queries:

- one that detects full SSRF, where an attacker can control the full URL,
  which is always bad
- and one for partial SSRF, where an attacker can control parts of an
  URL (such as the path, query parameters, or fragment), which is not a
  big problem in many cases (but might still be exploitable)

full SSRF should run by default, and partial SSRF should not (but makes
it easy to see the other results).

Some elements of the full SSRF queries needs a bit more polishing, like
being able to detect `"https://" + user_input` is in fact controlling
the full URL.
2021-12-16 01:48:34 +01:00
.devcontainer
Update CodeSpaces configuration
2021-10-15 15:38:16 +02:00
.github
Ruby: add ruby/ruby to the dataset-measure CI job
2021-11-25 14:10:15 +01:00
.vscode
Apply suggestions from code review
2021-03-11 15:57:44 +01:00
change-notes
Python: Update change notes for 1.26
2020-12-02 14:01:46 +01:00
config
get ReDoSUtil in sync for ruby
2021-11-18 16:49:34 +01:00
cpp
Merge pull request #7285 from github/post-release-prep-2.7.3-ddd4ccbb
2021-12-10 09:59:45 -08:00
csharp
Merge pull request #7304 from michaelnebel/csharp-mad-as-csv2
2021-12-13 08:56:06 +01:00
docs
Python: Add modeling of requests
2021-12-13 14:56:16 +01:00
java
Merge pull request #7285 from github/post-release-prep-2.7.3-ddd4ccbb
2021-12-10 09:59:45 -08:00
javascript
Merge pull request #7285 from github/post-release-prep-2.7.3-ddd4ccbb
2021-12-10 09:59:45 -08:00
misc
Manually bump versions
2021-11-29 14:21:08 -05:00
python
Python: Add SSRF queries
2021-12-16 01:48:34 +01:00
ruby
Ruby: Don't count private methods as Rails actions
2021-12-13 15:36:55 +13:00
.codeqlmanifest.json
Add a version policy
2021-11-30 14:47:48 -08:00
.editorconfig
Normalize all text files to LF
2018-09-23 16:24:31 -07:00
.gitattributes
Hide changes for experimenal stubs
2021-09-03 14:16:04 +02:00
.gitignore
Exclude .class files from git
2021-11-16 16:41:23 +01:00
.lgtm.yml
JS: Exclude test cases from extraction
2019-05-07 14:36:35 +01:00
CODE_OF_CONDUCT.md
Update code of conduct in line with GH
2020-04-23 10:19:13 +01:00
CODEOWNERS
Add ruby to CODEOWNERS
2021-10-15 15:38:16 +02:00
CONTRIBUTING.md
Ruby: clean up docs
2021-10-28 12:04:48 +01:00
LICENSE
Relicense under MIT
2020-04-07 12:03:26 +01:00
README.md
Fix dead links in README.md
2021-09-28 15:12:36 +02:00

README.md

CodeQL

This open source repository contains the standard CodeQL libraries and queries that power LGTM and the other CodeQL products that GitHub makes available to its customers worldwide. For the queries, libraries, and extractor that power Go analysis, visit the CodeQL for Go repository.

How do I learn CodeQL and run queries?

There is extensive documentation on getting started with writing CodeQL. You can use the interactive query console on LGTM.com or the CodeQL for Visual Studio Code extension to try out your queries on any open source project that's currently being analyzed.

Contributing

We welcome contributions to our standard library and standard checks. Do you have an idea for a new check, or how to improve an existing query? Then please go ahead and open a pull request! Before you do, though, please take the time to read our contributing guidelines. You can also consult our style guides to learn how to format your code for consistency and clarity, how to write query metadata, and how to write query help documentation for your query.

License

The code in this repository is licensed under the MIT License by GitHub.

Visual Studio Code integration

If you use Visual Studio Code to work in this repository, there are a few integration features to make development easier.

CodeQL for Visual Studio Code

You can install the CodeQL for Visual Studio Code extension to get syntax highlighting, IntelliSense, and code navigation for the QL language, as well as unit test support for testing CodeQL libraries and queries.

Tasks

The .vscode/tasks.json file defines custom tasks specific to working in this repository. To invoke one of these tasks, select the Terminal | Run Task... menu option, and then select the desired task from the dropdown. You can also invoke the Tasks: Run Task command from the command palette.

Description
CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security
codeqlgithub-advanced-securitygithub-security-labsemmle-qlworks-with-codespaces
Readme MIT 19 GiB
Languages
CodeQL 32.3%
Kotlin 27.4%
C# 17.1%
Java 7.7%
Python 4.6%
Other 10.7%