This is the main git repository of GitHub Security Lab. We use it for these main purposes:

• We share with our community some best practices about security research and vulnerability disclosures in our docs
• We use issues on this repo to track CodeQL bounty requests.
• We use it for publishing some of our proof-of-concept exploits (after the vulnerability has been fixed). These PoCs can be found in the SecurityExploits sub-directory.
• Examples of CodeQL queries, which can be found in the CodeQL_Queries sub-directory.

This section is yours! Do you want to share a cool CodeQL query with the community? Or an awesome tutorial or video, or some helpful tooling? Your contributions are welcome. Please open a pull request. See Contributing below.

• CodeQL documentation
• CodeQL GitHub repo

• Java
  • Apache Struts CVE-2018-11776
  • Insecure JMS deserialization in Spring applications
• C/C++
  • Apple XNU icmp_error CVE-2018-4407
  • Facebook Fizz integer overflow vulnerability (CVE-2019-3560)
  • Eating error codes in libssh2
  • Itergator - Library and queries for iterator invalidation (blog post)
• Javascript
  • Etherpad CVE-2018-6835
• C#
  • C# Zip Slip demo
• GitHub Actions:
  • pull_request_target with explicit pull request checkout
  • Command injection from user-controlled Actions context

• Practical Introduction to CodeQL

• Conference talks/workshops:
  • Finding security vulnerabilities in JavaScript with CodeQL - GitHub Satellite 2020
  • Finding security vulnerabilities in Java with CodeQL - GitHub Satellite 2020
  • CodeQL as an auditing oracle - POC 2020
  • mbuf-oflow: Finding Vulnerabilities In iOS/MacOS Networking Code
• CodeQL demos from the Semmle days (short Youtube videos):
  • PII data leaks: Identifying personal information in logs with CodeQL
  • Vulnerability Hunting: Quest for an Exploit using QL
  • Finding Insecure Deserialization in Java
  • Finding integer overflows in Libssh2

• Editor plugins
  • Visual Studio Code (Official)
  • Neovim
  • Emacs
• Code generation
  • cqlgen — A codeql generation library written in Go.
  • codemill — A codeql model generator for Go with a web UI.

The recommendations from the GitHub Security Lab are provided graciously and it's ultimately the responsibility of the recipients to apply them or not. This concerns recommendations given through our written or audio content, our conferences, our answers in our community spaces, or our informal office hours.

We welcome contributions to the CodeQL_Queries sub-directory and to the CodeQL Resources section of this README.

If you have written a cool CodeQL query that you would like to share with the community, then please open a pull request to add it to the CodeQL_Queries sub-directory. Put your query in its own new sub-directory. For example: CodeQL_Queries/cpp/mynewsubdir/mycoolquery.ql. Of course, if you think your query might be eligible for a bounty, then you should open a pull request to the codeql repo instead, as we do not offer bounties for queries submitted to this repo. The queries in this repo are usually highly specialized queries that only make sense for a specific codebase, such as queries that specifically target Chrome or Apache Struts, or utility queries that help you explore your code without necessarily finding a vulnerability. Such queries are inappropriate for the codeql repo, which is for general purpose queries only.

If you would like to add a link to the CodeQL Resources section of this README, to share a nice video or an awesome tool, then just add another bullet point in the appropriate section.

• Each bullet point should consist of a hyperlinked title and a short description. The short description is optional if the title is already self-explanatory.
• Please add new bullet points at the bottom of the list. In the future, we may choose some other ordering such as alphabetical but for now it is just a sequential list.

Please see CONTRIBUTING.md, CODE_OF_CONDUCT.md, and LICENSE.md for further information on our contributing guidelines and license.