
CodeQL: the libraries and queries that power security researchers around the world, as well as code scanning in GitHub Advanced Security

Results: 853 codeql issues

This makes the `/*- Database metadata -*/` and `/*- Overlay support -*/` sections consistent between the languages.

JS
C++
Python

This is an extension of https://github.com/github/codeql/pull/18153 to include all the other methods on the class `RestTemplate` which have a parameter named `uriVariables`. They should all be request forgery sinks, but...

documentation
Java

Models remote flow sources for the `websockets` library. Currently omitted are handlers set up via route maps, e.g. with `websockets.asyncio.router.route`; these would require a little more complex handling of dataflow...

documentation
Python

For debugging, it is handy to also have jump-to-def for operations and indexing.

no-change-note-required
Rust

**Summary** Add an experimental CodeQL helper and query to treat custom zap encoders (types implementing go.uber.org/zap/zapcore.Encoder) as sanitizers for the purposes of log-injection detection. This reduces false positives where...

Go

Currently Go and JavaScript have this behaviour without any problems, but we have to check that it doesn't lead to FPs (or at least that they're balanced out by enough...

Java

**Description of the issue** Similarly to https://github.com/github/codeql/issues/19966 I'm also hitting quite a few macro expansion failed warnings: `WARN /home/sg/dev/cosmwasm/contracts/ibc-reflect/src/msg.rs:14:21: macro expansion failed: the macro 'vec' expands to ERROR but...`

question

When using `new Response()` to construct HTTP responses, the `content-type` header defaults to `text/plain;charset=utf-8` unless explicitly set to something else. This means its argument is not an html-injection sink when...

JS
documentation
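As an added example (not code from the CodeQL project or from the PR above), the following JavaScript demonstrates the point the description makes: the body handed to `new Response()` only becomes an HTML-injection sink when the response is served with an HTML media type, and a string body with no explicit header gets `text/plain` from the Fetch spec. It goes a little beyond the description by also covering the other ways the effective Content-Type is decided (a `Blob` body's own type, raw bytes with no type at all, an empty body) and by showing the hardened form. The helpers `mediaTypeOf`, `isHtmlSink`, `escapeHtml`, `renderSafe`, `htmlResponse` and `classify`, and the `USER_INPUT` payload, are constructed for illustration; the block assumes the WHATWG `Response` and `Blob` globals (Node 18+ or a browser).

```javascript
// Added example, not CodeQL project code. Shows when the body passed to
// `new Response()` is an HTML-injection sink: only when the response will be
// parsed as HTML. A string body with no explicit header gets
// "text/plain;charset=UTF-8" per the Fetch spec, which browsers never render
// as markup. Assumes the WHATWG Response/Blob globals (Node 18+ or a browser).

// Constructed attacker-controlled input (hypothetical payload).
const USER_INPUT = '<img src=x onerror="alert(1)">';

// Media types a browser parses as markup (and runs scripts from).
const HTML_TYPES = new Set(['text/html', 'application/xhtml+xml']);

// Media type of a Response with parameters stripped and lowercased,
// or null when no Content-Type header is present.
function mediaTypeOf(response) {
  const ct = response.headers.get('content-type');
  return ct === null ? null : ct.split(';')[0].trim().toLowerCase();
}

// True when untrusted data in the body would reach an HTML parser.
// A body with no Content-Type is treated as a sink: a browser may sniff it
// as HTML unless X-Content-Type-Options: nosniff is also sent.
function isHtmlSink(response) {
  if (response.body === null) return false; // nothing to inject into
  const type = mediaTypeOf(response);
  if (type === null) return true;
  return HTML_TYPES.has(type);
}

// Minimal HTML escaping used by the hardened variant below.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Markup that embeds untrusted text safely (pure, so it can be checked directly).
function renderSafe(untrusted) {
  return `<p>${escapeHtml(untrusted)}</p>`;
}

// Hardened: the response IS served as HTML (so its body is still a sink in
// CodeQL terms), but the untrusted value has been escaped first and content
// sniffing is disabled.
function htmlResponse(untrusted) {
  return new Response(renderSafe(untrusted), {
    headers: {
      'content-type': 'text/html; charset=utf-8',
      'x-content-type-options': 'nosniff',
    },
  });
}

// The cases the PR description distinguishes, plus the body-type variants
// that also decide the effective Content-Type.
function classify() {
  return {
    // 1. default: string body -> text/plain, not a sink
    defaultString: isHtmlSink(new Response(USER_INPUT)),
    // 2. explicit text/html header -> sink
    explicitHtml: isHtmlSink(new Response(USER_INPUT, {
      headers: { 'content-type': 'text/html; charset=utf-8' },
    })),
    // 3. the type can come from a Blob body, not only from the headers
    blobHtml: isHtmlSink(new Response(new Blob([USER_INPUT], { type: 'text/html' }))),
    // 4. raw bytes carry no Content-Type -> sniffable, treat as a sink
    rawBytes: isHtmlSink(new Response(new TextEncoder().encode(USER_INPUT))),
    // 5. no body at all -> nothing to inject
    noBody: isHtmlSink(new Response(null)),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(mediaTypeOf(new Response(USER_INPUT))); // text/plain
  console.log(classify());
}
```

The practical caveat for a query author is case 4: a `BufferSource` body sets no Content-Type, so whether it is "not an HTML sink" depends on the client, not on the constructor default; the conservative model is to treat only an explicit non-HTML media type (such as the string-body default) as safe.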