GitHub Security Lab

This is the main git repository of GitHub Security Lab. We use it for these main purposes:

• We use issues on this repo to track CodeQL bounty requests.
• We use it for publishing some of our proof-of-concept exploits (after the vulnerability has been fixed). These PoCs can be found in the SecurityExploits sub-directory.
• Examples of CodeQL queries, which can be found in the CodeQL_Queries sub-directory.

CodeQL Resources

Official resources

• CodeQL documentation
• CodeQL GitHub repo

Example queries

• Java
  • Apache Struts CVE-2018-11776
• C/C++
  • Apple XNU icmp_error CVE-2018-4407
  • Facebook Fizz integer overflow vulnerability (CVE-2019-3560)
  • Eating error codes in libssh2
• Javascript
  • Etherpad CVE-2018-6835
• C#
  • C# Zip Slip demo
• GitHub Actions:
  • pull_request_target with explicit pull request checkout
  • Command injection from user-controlled Actions context

Videos

• Conference talks/workshops:
  • Finding security vulnerabilities in JavaScript with CodeQL - GitHub Satellite 2020
  • Finding security vulnerabilities in Java with CodeQL - GitHub Satellite 2020
  • CodeQL as an auditing oracle - POC 2020
  • mbuf-oflow: Finding Vulnerabilities In iOS/MacOS Networking Code
• CodeQL demos from the Semmle days (short Youtube videos):
  • PII data leaks: Identifying personal information in logs with CodeQL
  • Vulnerability Hunting: Quest for an Exploit using QL
  • Finding Insecure Deserialization in Java
  • Finding integer overflows in Libssh2

Tools

• Editor plugins
  • Visual Studio Code (Official)
  • Neovim