hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-05 21:55:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into atorralba/java/command-injection-mad-sinks

Browse Source
This commit is contained in:
Tony Torralba
2023-06-02 08:57:24 +02:00
committed by GitHub
parent a276cc3094 84a7b3ca52
commit c3b1ef2cdf
652 changed files with 20081 additions and 5057 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
java/ql/lib/change-notes/2023-04-20-create-model-for-io-jsonwebtoken.md
View File

@@ -1,5 +0,0 @@
---
category: minorAnalysis
---
* Added models for the `io.jsonwebtoken` library.

4
java/ql/lib/change-notes/2023-04-26-neutral-model-kinds.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Updated the `neutralModel` extensible predicate to include a `kind` column.

4
java/ql/lib/change-notes/2023-05-02-apache-commons-net-models.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added models for the Apache Commons Net library.

4
java/ql/lib/change-notes/2023-05-03-url-open-stream-as-experimental.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Moved the `url-open-stream` sink models to experimental and removed `url-open-stream` as a sink option from the [Customizing Library Models for Java](https://github.com/github/codeql/blob/733a00039efdb39c3dd76ddffad5e6d6c85e6774/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst#customizing-library-models-for-java) documentation.

22
java/ql/lib/change-notes/2023-05-05-java-sink-kind-revamp.md Normal file
View File

@@ -0,0 +1,22 @@
---
category: minorAnalysis
---
* Updated the following Java sink kind names. Any custom data extensions will need to be updated accordingly in order to continue working.
* `sql` to `sql-injection`
* `url-redirect` to `url-redirection`
* `xpath` to `xpath-injection`
* `ssti` to `template-injection`
* `logging` to `log-injection`
* `groovy` to `groovy-injection`
* `jexl` to `jexl-injection`
* `mvel` to `mvel-injection`
* `xslt` to `xslt-injection`
* `ldap` to `ldap-injection`
* `pending-intent-sent` to `pending-intents`
* `intent-start` to `intent-redirection`
* `set-hostname-verifier` to `hostname-verification`
* `header-splitting` to `response-splitting`
* `xss` to `html-injection` and `js-injection`
* `write-file` to `file-system-store`
* `create-file` and `read-file` to `path-injection`
* `open-url` and `jdbc-url` to `request-forgery`

4
java/ql/lib/change-notes/2023-05-12-androidwidget-source-kind-to-remote.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Changed the `android-widget` Java source kind to `remote`. Any custom data extensions that use the `android-widget` source kind will need to be updated accordingly in order to continue working.

4
java/ql/lib/change-notes/2023-05-12-spring-jdbc-sql-sinks.md
View File

@@ -1,4 +0,0 @@
---
category: minorAnalysis
---
* Added SQL injection sinks for Spring JDBC's `NamedParameterJdbcOperations`.

4
java/ql/lib/change-notes/2023-05-24-kotlin-1.9.0.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: feature
---
* Kotlin versions up to 1.9.0 are now supported.

4
java/ql/lib/change-notes/2023-05-26-play-framework-models.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added more dataflow models for the Play Framework.

4
java/ql/lib/change-notes/2023-05-30-gson-models.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Added dataflow models for the Gson deserialization library.

2
java/ql/lib/change-notes/2023-05-11-new-models.md → java/ql/lib/change-notes/2023-05-30-new-models.md
View File

@@ -3,4 +3,4 @@ category: minorAnalysis
---
* Added models for the following packages:
* org.apache.hadoop.fs
* okhttp3

17
java/ql/lib/change-notes/2023-05-04-add-libraries-for-query-configurations.md → java/ql/lib/change-notes/released/0.6.2.md
View File

@@ -1,6 +1,11 @@
---
category: minorAnalysis
---
## 0.6.2
### Minor Analysis Improvements
* Added SQL injection sinks for Spring JDBC's `NamedParameterJdbcOperations`.
* Added models for the following packages:
* org.apache.hadoop.fs
* Added the `ArithmeticCommon.qll` library to provide predicates for reasoning about arithmetic operations.
* Added the `ArithmeticTaintedLocalQuery.qll` library to provide the `ArithmeticTaintedLocalOverflowFlow` and `ArithmeticTaintedLocalUnderflowFlow` taint-tracking modules to reason about arithmetic with unvalidated user input.
* Added the `ArithmeticTaintedQuery.qll` library to provide the `RemoteUserInputOverflow` and `RemoteUserInputUnderflow` taint-tracking modules to reason about arithmetic with unvalidated user input.
@@ -28,4 +33,8 @@ category: minorAnalysis
* Added the `UrlRedirectLocalQuery.qll` library to provide the `UrlRedirectLocalFlow` taint-tracking module to reason about URL redirection vulnerabilities caused by local data flow.
* Added the `UrlRedirectQuery.qll` library to provide the `UrlRedirectFlow` taint-tracking module to reason about URL redirection vulnerabilities.
* Added the `XPathInjectionQuery.qll` library to provide the `XPathInjectionFlow` taint-tracking module to reason about XPath injection vulnerabilities.
* Added the `XssLocalQuery.qll` library to provide the `XssLocalFlow` taint-tracking module to reason about XSS vulnerabilities caused by local data flow.
* Added the `XssLocalQuery.qll` library to provide the `XssLocalFlow` taint-tracking module to reason about XSS vulnerabilities caused by local data flow.
* Moved the `url-open-stream` sink models to experimental and removed `url-open-stream` as a sink option from the [Customizing Library Models for Java](https://github.com/github/codeql/blob/733a00039efdb39c3dd76ddffad5e6d6c85e6774/docs/codeql/codeql-language-guides/customizing-library-models-for-java.rst#customizing-library-models-for-java) documentation.
* Added models for the Apache Commons Net library.
* Updated the `neutralModel` extensible predicate to include a `kind` column.
* Added models for the `io.jsonwebtoken` library.