hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 11:16:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,643 Commits 1,672 Branches 157 Tags
alexet/avoid-path-node-java
Commit Graph

5825 Commits

Author SHA1 Message Date
Chris Smowton
e6249eed79 Add doc comments 2021-06-17 11:41:03 +01:00
Chris Smowton
26e10f3ad5 SSRF: don't consider results of fetches we initiated to be untrustworthy 2021-06-17 11:41:03 +01:00
Chris Smowton
c63d5986cf Sanitize StringBuilder appends that follow directly from a constructor. 
Note that some of this logic ought to be incorporated into StringBuilderVar once that code can be reviewed.
 2021-06-17 11:41:03 +01:00
Chris Smowton
b5a450b881 SSRF query: add sanitizer looking for a variety of ways of prepending a sanitizing prefix, such as one that restricts the hostname a URI will refer to. 2021-06-17 11:41:03 +01:00
Chris Smowton
487c1db6ed Promote SSRF query to main query set 2021-06-17 11:41:01 +01:00
Anders Schack-Mulligen
6ca8d69b26 Merge pull request #5881 from haby0/java/UnsafeDeserialization 
Java: CWE-502 Add UnsafeDeserialization sinks
 2021-06-17 12:36:34 +02:00
Anders Schack-Mulligen
8fe2f4a554 Merge pull request #6034 from owen-mc/java/jax-rs 
Improve JAX-WS and JAX-RS models
 2021-06-17 12:35:34 +02:00
Owen Mansel-Chan
945db01f56 Address review comments 2021-06-17 10:29:33 +01:00
Tom Hvitved
ffb2350a54 Data flow: Fix getLocalCallContext join-order 2021-06-17 10:02:31 +02:00
Tom Hvitved
cc383e0f6a Data flow: Workaround for too clever compiler in consistency queries 2021-06-17 09:43:36 +02:00
Tony Torralba
2dd862661b Generic type parameters no longer needed in CSV sink models 2021-06-16 16:23:50 +02:00
Tony Torralba
2c8f8911fc Adatp CSV sink models to generics fix 2021-06-16 16:12:02 +02:00
Tony Torralba
47fffb04a6 Merge branch 'main' into atorralba/promote-ognl-injection 2021-06-16 15:46:33 +02:00
Tony Torralba
91ba30a781 Merge branch 'main' into atorralba/promote-missing-jwt-signature-check 2021-06-16 15:46:14 +02:00
Tony Torralba
dab33b21fb Merge branch 'main' into atorralba/promote-mvel-injection 2021-06-16 15:44:43 +02:00
Tony Torralba
bf2be6ec7c Merge branch 'main' into atorralba/promote-jndi-injection 2021-06-16 15:34:37 +02:00
Owen Mansel-Chan
5d00bb23e4 Move logic for URL redirection sinks 2021-06-16 12:48:11 +01:00
Tony Torralba
af6bd0b963 Consider subtypes of ReaderSource 2021-06-16 13:01:40 +02:00
Tony Torralba
f3ef93fa8a Make sinks more specific, improve tests 2021-06-16 13:01:39 +02:00
Tony Torralba
f9e6b3c3d2 Add new URL(tainted) as taint step 2021-06-16 13:01:39 +02:00
Tony Torralba
6f926e1e80 Refine sinks and add more taint steps 2021-06-16 13:01:39 +02:00
Tony Torralba
4b491dcc50 Add codehaus sink and taint steps 2021-06-16 13:01:39 +02:00
Tony Torralba
7031e0a91d Refactor to use CSV sink models 2021-06-16 13:01:38 +02:00
Tony Torralba
356601ce15 Moved from experimental 2021-06-16 13:01:38 +02:00
haby0
c1ada6d85b Merge branch 'main' into java/UnsafeDeserialization 2021-06-16 16:37:03 +08:00
haby0
9badd7aa27 change name 2021-06-16 11:29:37 +08:00
Calum Grant
771e686946 Update security-severity scores 2021-06-15 13:25:17 +01:00
Anders Schack-Mulligen
19305a217a Merge pull request #5374 from joefarebrother/guava-base 
Java: Model additional flow steps for the package `com.google.common.base` of the Guava framwork.
 2021-06-15 10:58:48 +02:00
Joe Farebrother
36cb207600 Increase precision of tests to test value flow 2021-06-14 11:20:07 +01:00
Owen Mansel-Chan
8cf47f12b4 Model constructors of classes implementing MultivaluedMap 2021-06-14 10:56:35 +01:00
Calum Grant
85467adc5e Merge pull request #5839 from github/security-severities5 
Add security-severity scores
 2021-06-11 15:56:20 +01:00
Joe Farebrother
678597f3f9 Update CSV rows for collection flow 2021-06-11 15:08:27 +01:00
Chris Smowton
76838809bb Merge pull request #5818 from artem-smotrakov/rmi-deserialization 
Java: Unsafe RMI deserialization
 2021-06-11 13:43:07 +01:00
Joe Farebrother
04ffe80366 Add unit tests 2021-06-11 11:41:27 +01:00
Joe Farebrother
153e0c4ac3 Add modelling for more com.google.common.base methods 2021-06-11 11:40:37 +01:00
Calum Grant
a594afb828 Add security-severity metadata 2021-06-10 20:11:08 +01:00
Owen Mansel-Chan
e0130a932e Update experimental query using NewCookie 2021-06-10 13:33:20 +01:00
Owen Mansel-Chan
c173b89529 Model NewCookie 2021-06-10 13:32:39 +01:00
Owen Mansel-Chan
ee6019a2d8 Fix tests for experimental httponly query 2021-06-10 13:31:28 +01:00
Owen Mansel-Chan
e6a6a8898b Move Jax XSS sinks to JaxWS.qll and add tests 2021-06-10 10:43:39 +01:00
Owen Mansel-Chan
d1fe62d4d5 (Minor) Update comments to match ExternalFlow docs 2021-06-10 10:43:38 +01:00
Owen Mansel-Chan
1ae9d68409 Move and convert URL redirect sinks 
Adds for them as well
 2021-06-10 10:43:37 +01:00
Owen Mansel-Chan
f63fd68bfb Fix models to work with collection flow 
And also removal of `Argument` with indices
 2021-06-10 10:43:36 +01:00
Owen Mansel-Chan
e929de98ec Delete duplicated taint summary rows 2021-06-10 10:43:35 +01:00
Owen Mansel-Chan
2b8bb5c231 Fix JAX-RS models 2021-06-10 10:43:35 +01:00
Owen Mansel-Chan
7b3acd8b45 (Minor) Add missing this. 2021-06-10 10:43:33 +01:00
Owen Mansel-Chan
07f7fd0342 Add missing QLDocs in JaxWS.qll 
And correct one QLDoc
 2021-06-10 10:43:15 +01:00
Owen Mansel-Chan
d9cf1aaf39 Add stubs for JAX-WS 2021-06-08 15:12:04 +01:00
Chris Smowton
55d584b044 Add doc comment for JaxWS file 2021-06-08 15:12:03 +01:00
Chris Smowton
f71897d166 Rename JAX-WS -> JAX-RS where necessary. Improve change note and fix missing QLDoc. 2021-06-08 15:12:03 +01:00