hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,643 Commits 1,671 Branches 157 Tags
alexet/avoid-path-node-java
Commit Graph

5825 Commits

Author SHA1 Message Date
Michael Nebel
813ffa440c Java: Consider ai-generated flow summaries to as generated summaries in dataflow. 2023-02-20 12:11:48 +01:00
Jami
f72cb5f650 Merge pull request #12215 from jcogs33/jcogs33/move-awt-swing-from-isJdkInternal 
Java: move java.awt and javax.swing from `isJdkInternal` to `isInfrequentlyUsed`
 2023-02-17 15:48:39 -05:00
Joe Farebrother
a9f1436930 Test generator fixes 
- Revert previous change to constructor return values; as constructors are supposed to be modeled using Argument[-1] rather than ReturnValue
- Fix generation of ambiguous calls when one of the conflicting methods is overridden
 2023-02-17 15:30:06 +00:00
Nick Rolfe
3e5534f0ba Merge branch 'main' into post-release-prep/codeql-cli-2.12.3 2023-02-17 14:39:26 +00:00
github-actions[bot]
8eb8daa4d4 Post-release preparation for codeql-cli-2.12.3 2023-02-16 17:23:25 +00:00
Jami Cogswell
94fd412809 Java: move awt and swing to isInfrequentlyUsed predicate 2023-02-16 09:02:41 -05:00
github-actions[bot]
b0315119c6 Release preparation for version 2.12.3 2023-02-16 11:49:06 +00:00
Joe Farebrother
430b432add Merge pull request #12195 from joefarebrother/testgen-improvements 
Java: Test generator improvements
 2023-02-16 11:20:55 +00:00
Joe Farebrother
d9e5c6c48a Fix typo 2023-02-15 17:21:03 +00:00
Joe Farebrother
95a131d0d3 Update help text 2023-02-15 16:18:47 +00:00
Joe Farebrother
8ee36a5278 Test generator improvements 
- Accept yml files as input
- Output the correct type for constructors
 2023-02-15 16:11:22 +00:00
Chris Smowton
7f76d8ae55 Replace redundant use of Class or Interface 2023-02-14 17:21:24 +00:00
Chris Smowton
82a2f4349a Resolve a newly-introduced ambiguity 
Also fix a simple redundancy noticed while debugging
 2023-02-14 17:21:24 +00:00
Jami
029e1d47fe Merge pull request #12081 from jcogs33/jcogs33/update-some-Files-sinks 
Java: update `createTempDirectory` and `copy` "create-file" sinks
 2023-02-14 10:53:17 -05:00
Joe Farebrother
f68083872d Merge pull request #12174 from joefarebrother/stubgen-name-conflicts 
Java: Stub generator: Use fully qualified names to avoid conflicts
 2023-02-14 10:10:24 +00:00
Tony Torralba
935e22d10d Merge pull request #12139 from atorralba/atorralba/java/xxe-local-query 
Java: Add local version of the XXE query
 2023-02-14 09:54:36 +01:00
Joe Farebrother
0b722bfe30 Stub generator: Use fully qualified names to avoid conflicts 2023-02-13 17:09:32 +00:00
Michael Nebel
80628596dd Java: Exclude interface members from model generation. 2023-02-13 10:21:32 +01:00
Tony Torralba
4fad01a739 Further refactoring 
Avoid having two taint tracking configurations in the same file
 2023-02-13 09:18:05 +01:00
Tony Torralba
422eb0d1bb Add change note 2023-02-13 09:18:05 +01:00
Tony Torralba
5555b5cd19 Add local version of the XXE query 2023-02-13 09:18:05 +01:00
Jami Cogswell
ce1c814daa Java: update path-injection query to use new 'read-file' sink kind 2023-02-11 17:10:58 -05:00
Michael Nebel
02364d072e Java: Fix bad join in TestLibrary characteristic predicate. 2023-02-08 11:59:59 +01:00
Michael Nebel
f8dbbe006e C#/Java: Materialize sink/source/summary predicates to avoid join on input/output before filtering. 2023-02-08 10:04:43 +01:00
Anders Schack-Mulligen
3c580896dc Merge pull request #11712 from aschackmull/java/constant-guards 
Java: Apply deadcode guard to data flow nodes.
 2023-02-07 09:14:20 +01:00
Anders Schack-Mulligen
b4607d3fab Java: Add change notes. 2023-02-06 13:55:34 +01:00
Anders Schack-Mulligen
2d6d8aaa74 Java: Account for additional constants in ArrayIndexOutOfBounds query. 2023-02-03 16:16:39 +01:00
github-actions[bot]
faf21f3edb Post-release preparation for codeql-cli-2.12.2 2023-02-02 23:01:04 +00:00
github-actions[bot]
a4fa984792 Release preparation for version 2.12.2 2023-02-02 14:34:55 +00:00
Joe Farebrother
97b2e852c9 Merge pull request #11713 from joefarebrother/sensitive-result-receiver 
Java: Add query for leaking sensitive data through a ResultReceiver
 2023-02-01 16:34:17 +00:00
Tony Torralba
834fc51a3a Update java/ql/src/Security/CWE/CWE-927/SensitiveResultReceiver.ql 2023-02-01 15:26:26 +01:00
Joe Farebrother
74dba953ca Apply suggestions from docs review 
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
 2023-02-01 12:54:19 +00:00
Michael Nebel
69a42d8b1f Merge pull request #11931 from michaelnebel/csharp/refactor 
Remove the Csv postfix of some predicate names.
 2023-01-23 09:09:48 +01:00
github-actions[bot]
b62cb6ba84 Post-release preparation for codeql-cli-2.12.1 2023-01-20 19:49:56 +00:00
Jeroen Ketema
cddaa0c8fa Apply suggestions from code review 2023-01-20 14:10:27 +01:00
github-actions[bot]
005b3e4a47 Release preparation for version 2.12.1 2023-01-20 12:03:19 +00:00
Michael Nebel
dc223cb82e Sync files and make corresponding changes for other languages. 2023-01-19 15:14:06 +01:00
Edward Minnix III
4c018759c8 Merge pull request #11283 from egregius313/egregius313/webview-setAllowContentAccess 
Java: Android WebView Content Access Query
 2023-01-17 11:02:47 -05:00
Antoine Taillefer
660e6d7085 Fix partial path traversal Java example 
The Java recommendation example for the "Partial path traversal vulnerability from remote" query doesn't seem right to me. Indeed, the following statement doesn't compile, since `dir.getCanonicalPath()` returns a String:
```
dir.getCanonicalPath().toPath()
```
Maybe the author wanted to state `dir.getCanonicalFile().toPath()`, which would compile, but is useless compared to `dir.getCanonicalPath()`.

Moreover, `parent.getCanonicalFile().toPath()` or `parent.getCanonicalPath()` will **not** be slash-terminated, contrary to what the description says.
From what I can see (and test), the correct fix is to concatenate `File.separator` to the parent canonical path.
 2023-01-16 21:14:29 +01:00
Tony Torralba
cca6a13fbb Update java/ql/src/Security/CWE/CWE-927/SensitiveResultReceiver.qhelp 2023-01-16 14:21:03 +01:00
jelaiw
cf7189bb28 Fix small typo in good/bad code sample. 2023-01-13 19:16:11 -06:00
Michael Nebel
5c466f3319 Java: Sync files and update other relavant files related to the new naming of shift. 2023-01-12 19:06:29 +01:00
Chris Smowton
8aa2c23ba8 Merge pull request #11700 from JLLeitschuh/doc/JLL/improve-java-unsafe-deserialization-documentation 
[Java] Document fixes for deserialization vulnerabilities by framework
 2023-01-12 18:04:13 +00:00
Chris Smowton
09d8a50494 Spelling 2023-01-12 17:46:00 +00:00
Joe Farebrother
e12febfd96 Add change note 2023-01-12 11:44:39 +00:00
Joe Farebrother
b565f997a0 Improve qhelp 2023-01-12 11:44:39 +00:00
Joe Farebrother
639c42c9e9 Fix qhelp errors and ql-for-ql errors 2023-01-12 11:44:39 +00:00
Joe Farebrother
f52db7f9a3 Add qhelp 2023-01-12 11:44:39 +00:00
Joe Farebrother
b96edb9c64 Add Sensitive Result Receiver query 2023-01-12 11:44:39 +00:00
Michael Nebel
18a815ca8b Merge pull request #11721 from michaelnebel/csharpjava/refactorprovenance 
C#/Java: Re-factor provenance related predicates.
 2023-01-12 10:50:31 +01:00