From c219011f5a0ca4f9724939bd6094b1783475cddb Mon Sep 17 00:00:00 2001 From: tintinthong Date: Mon, 6 Apr 2026 09:52:59 +0800 Subject: [PATCH 1/3] test malicious code --- security-test-samples.ts | 58 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 security-test-samples.ts
diff --git a/security-test-samples.ts b/security-test-samples.ts
new file mode 100644
index 0000000..df8fae7
--- /dev/null
+++ b/security-test-samples.ts
@@ -0,0 +1,58 @@
+/**
+ * Sample file with intentional security vulnerabilities for CodeQL testing.
+ * DO NOT use any of this code in production.
+ */
+
+// 1. DOM-based XSS via innerHTML
+// CodeQL rule: js/xss
+function renderUserContent(userInput: string) {
+ const div = document.createElement('div');
+ div.innerHTML = userInput; // VULNERABILITY: unsanitized user input → XSS
+ document.body.appendChild(div);
+}
+
+// 2. XSS via document.write
+// CodeQL rule: js/xss
+function writeToPage(query: string) {
+ const params = new URLSearchParams(window.location.search);
+ const value = params.get(query);
+ document.write('

' + value + '

'); // VULNERABILITY: URL param written directly to DOM
+}
+
+// 3. eval() with user-controlled input
+// CodeQL rule: js/code-injection
+function runUserExpression(expr: string) {
+ const result = eval(expr); // VULNERABILITY: arbitrary code execution
+ return result;
+}
+
+// 4. Open redirect via user-controlled URL
+// CodeQL rule: js/open-redirect
+function redirectTo(dest: string) {
+ const params = new URLSearchParams(window.location.search);
+ const target = params.get(dest);
+ window.location.href = target!; // VULNERABILITY: unvalidated redirect
+}
+
+// 5. postMessage without origin check
+// CodeQL rule: js/postmessage-star-origin (or missing origin validation)
+function listenForMessages() {
+ window.addEventListener('message', (event) => {
+ // VULNERABILITY: no check on event.origin
+ const payload = JSON.parse(event.data);
+ document.getElementById('output')!.innerHTML = payload.html;
+ });
+}
+
+// 6. Prototype pollution via merge
+// CodeQL rule: js/prototype-pollution
+function mergeObjects(target: Record, source: Record) {
+ for (const key in source) {
+ if (typeof source[key] === 'object') {
+ (target as any)[key] = mergeObjects((target as any)[key] ?? {}, source[key] as any);
+ } else {
+ (target as any)[key] = source[key]; // VULNERABILITY: __proto__ key can pollute prototype
+ }
+ }
+ return target;
+}
From 06b7f03738af111b05b45364008964c1c89cde86 Mon Sep 17 00:00:00 2001 From: tintinthong Date: Mon, 6 Apr 2026 11:02:23 +0800 Subject: [PATCH 2/3] add codeQL workflow --- .github/workflows/codeql.yaml | 39 +++++++++++++++++++++++++++++++++++ 1 file changed, 39 insertions(+) create mode 100644 .github/workflows/codeql.yaml
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
new file mode 100644
index 0000000..f857af3
--- /dev/null
+++ b/.github/workflows/codeql.yaml
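Review bot: In sample 6 the `// VULNERABILITY: __proto__ key can pollute prototype` comment is attached to the non-object assignment, but that branch is not the pollution path — assigning a primitive to `__proto__` is ignored by the setter — whereas the recursive branch above it is: for a parsed `{"__proto__": {"polluted": true}}` the `typeof ... === 'object'` test passes, `(target as any)['__proto__'] ?? {}` resolves to `Object.prototype`, and the recursive call writes `polluted` onto it. Move the comment to the recursive line, e.g. `// VULNERABILITY: target['__proto__'] is Object.prototype, so the recursion writes into it`, so the fixture documents the real sink that the query is expected to flag. Sample 5's rule id also looks off: `js/postmessage-star-origin` is not the id I know for a receiver that never checks `event.origin` — as far as I recall the shipped query is `js/missing-origin-check` — so verify the comment against the query pack before using it as an expected-finding list. Lastly, the file sits at the repository root and the diff shows no tsconfig or package-level exclusion, so confirm it is not compiled into or published with a real build artifact; moving it under a fixtures directory that is excluded from `tsconfig.json` `include` and `package.json` `files` removes that risk.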
@@ -0,0 +1,39 @@
+name: CodeQL
+
+on:
+ push:
+ branches: [main]
+ pull_request:
+ branches: [main]
+ schedule:
+ - cron: '19 4 * * 3' # Weekly on Wednesday at 4:19 AM UTC
+
+permissions:
+ contents: read
+ security-events: write
+
+jobs:
+ analyze:
+ name: Analyze (${{ matrix.language }})
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ language: [actions, javascript-typescript]
+ steps:
+ - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+
+ - name: Initialize CodeQL
+ uses: github/codeql-action/init@v3
+ with:
+ languages: ${{ matrix.language }}
+ queries: security-extended
+ threat-models: remote
+
+ - name: Autobuild
+ uses: github/codeql-action/autobuild@v3
+
+ - name: Perform CodeQL Analysis
+ uses: github/codeql-action/analyze@v3
+ with:
+ category: /language:${{ matrix.language }}
From dc66cf4b353b157a3a40e69809b11165d29889b8 Mon Sep 17 00:00:00 2001 From: tintinthong Date: Tue, 7 Apr 2026 16:13:25 +0800 Subject: [PATCH 3/3] remove cron --- .github/workflows/codeql.yaml | 2 -- 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/codeql.yaml b/.github/workflows/codeql.yaml
index f857af3..a20d70e 100644
--- a/.github/workflows/codeql.yaml
+++ b/.github/workflows/codeql.yaml
@@ -5,8 +5,6 @@ on:
 branches: [main]
 pull_request:
 branches: [main]
- schedule:
- - cron: '19 4 * * 3' # Weekly on Wednesday at 4:19 AM UTC
 permissions:
 contents: read
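Review bot: The three CodeQL steps — `uses: github/codeql-action/init@v3`, `uses: github/codeql-action/autobuild@v3` and `uses: github/codeql-action/analyze@v3` — are pinned to a floating major tag, while the checkout step a few lines above is pinned to a full commit SHA with the version in a trailing comment; a workflow that holds `security-events: write` should pin every action the same way, so replace each `@v3` with the full commit SHA of the release in use and keep the version as a comment, as `actions/checkout@11bd7190…  # 4.2.2` already does. The `Autobuild` step also looks redundant for this matrix as far as I can tell, since `actions` and `javascript-typescript` are extracted without a build; dropping it shortens the job and removes a step that would otherwise run with the workflow token. If Autobuild is kept deliberately for a future compiled language, a one-line comment saying so would stop the next reader from removing it.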