hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,643 Commits 1,671 Branches 157 Tags
alexet/avoid-path-node-java
Commit Graph

1270 Commits

Author SHA1 Message Date
Anders Schack-Mulligen
3f7d6e6f85 Merge pull request #6136 from smowton/smowton/admin/spring-xss-content-type-sensitivity 
Spring HTTP: improve content-type sensitivity
 2021-09-15 09:50:56 +02:00
Chris Smowton
6cff0d0376 Merge pull request #6393 from luchua-bc/java/xss-jsf 
Java: CWE-079 Query to detect XSS with JavaServer Faces (JSF)
 2021-09-14 15:15:56 +01:00
Tony Torralba
4e93330cb9 Improved tests 
Note that a FN test case was added
 2021-09-14 15:51:08 +02:00
Anders Schack-Mulligen
26eafcb55a Merge pull request #6456 from smowton/smowton/admin/flexjson-unsafe-deserialization 
Java: add unsafe-deserialization support for Flexjson
 2021-09-14 14:33:22 +02:00
Tony Torralba
0640b41f00 Adjust tests 2021-09-14 13:44:53 +02:00
Chris Smowton
fcc0f1d5a7 Expand test to exercise all sinks 2021-09-14 12:27:33 +01:00
Tony Torralba
f8d1e2ac11 Refactor tests to use InlineExpectationsTest 2021-09-14 13:16:45 +02:00
luchua-bc
24addd5c10 Query to detect XSS with JavaServer Faces (JSF) 2021-09-14 11:47:32 +01:00
Chris Smowton
122ffca049 Merge pull request #6645 from Marcono1234/marcono1234/spurious-javadoc-param-generic-class 
Java: Detect spurious param Javadoc tag of generic classes
 2021-09-13 16:41:06 +01:00
Chris Smowton
9b488207eb Add support for the Flexjson framework to the unsafe-deserialization query 2021-09-10 16:27:23 +01:00
Chris Smowton
b47939c737 Note resolved spurious results 2021-09-10 16:10:54 +01:00
Chris Smowton
d940085384 Spring HTTP: inherit produced content-types from surrounding class 2021-09-10 16:10:52 +01:00
Chris Smowton
bdd135dbff Spring HTTP: mark explicitly content-typed body calls as sinks 
Previously only the return from the request-handler method constituted a sink, and was filtered by the Produces annotation if any, even though a BodyBuilder could explicitly override.

These sinks are also marked as out-barriers to avoid duplicate paths when the Produces annotation is in agreement.
 2021-09-10 16:10:50 +01:00
Chris Smowton
701d0bcdca Spring content types: recognise constant content-type strings 2021-09-10 16:10:48 +01:00
Chris Smowton
3b6cc97557 Sanitize Spring bodies directly associated with an XSS-safe Content-Type 2021-09-10 16:10:44 +01:00
Benjamin Muskalla
9d5e48430e Merge branch 'main' into charSeqSubSeq 2021-09-09 16:04:36 +02:00
Benjamin Muskalla
eef044f4d0 Add test to capture expected parameter format 2021-09-09 13:05:15 +02:00
Benjamin Muskalla
a1b7437f8d Merge branch 'main' into thirdpartyapitelemtry 2021-09-09 11:11:42 +02:00
Marcono1234
a173d9593b Java: Detect spurious param Javadoc tag of generic classes 2021-09-09 00:11:02 +02:00
Anders Schack-Mulligen
f30dad7705 Dataflow: Update test expected outputs. 2021-09-07 13:02:20 +02:00
Benjamin Muskalla
51475d2fb0 Merge branch 'main' into thirdpartyapitelemtry 2021-09-03 14:23:31 +02:00
Benjamin Muskalla
ab5c1d6bdd Rework filter to exclude simple constructors 2021-09-03 13:38:01 +02:00
Benjamin Muskalla
9ed14b438e Use readble format for APIs 2021-09-03 11:53:18 +02:00
Benjamin Muskalla
4b02e266fd Fix test as we support explicit collection types 2021-09-03 11:37:39 +02:00
Benjamin Muskalla
ee8958ba03 Fix nodes for local taint test 2021-09-01 15:55:59 +02:00
Benjamin Muskalla
d178fe4e5d Fix failing tests 2021-09-01 15:41:16 +02:00
Benjamin Muskalla
93bc8aa7b2 Fix tests to take trim into account 2021-09-01 15:41:15 +02:00
Chris Smowton
48818ebd6d Merge pull request #6434 from smowton/smowton/admin/jodd-unsafe-deserialization 
Java: Unsafe deserialization: add support for Jodd JSON library
 2021-08-18 17:26:02 +01:00
Benjamin Muskalla
1d3bcdf522 Align tests with new query structure 2021-08-16 21:55:00 +02:00
Sauyon Lee
9c1d5a70e3 Java: Add test for XSS sanitizer 2021-08-12 11:20:49 -07:00
Benjamin Muskalla
26ffe6c03d Add tests for telemetry queries 2021-08-11 15:32:09 +02:00
Chris Smowton
0b6c991ac4 Unsafe deserialization: add support for Jodd JSON library 2021-08-05 16:01:14 +01:00
Tony Torralba
0356ed7f9e Merge pull request #5911 from atorralba/atorralba/promote-missing-jwt-signature-check 
Java: Promote Missing JWT signature check query from experimental
 2021-08-05 09:43:03 +02:00
Anders Schack-Mulligen
1932f604dc Merge pull request #6419 from smowton/smowton/admin/unsafe-deserialization-jabsorb 
Add unsafe-deserialization support for Jabsorb
 2021-08-05 09:04:23 +02:00
Chris Smowton
1f08c3fe55 Move test files to appropriate package directories 2021-08-04 16:50:03 +01:00
Chris Smowton
69549e9ce3 Add unsafe-deserialization support for Jabsorb 
This is partly extracted from https://github.com/github/codeql/pull/5954
 2021-08-04 15:35:50 +01:00
Anders Schack-Mulligen
6a09a5667d Merge pull request #5931 from atorralba/atorralba/promote-jndi-injection 
Java: Promote JNDI Injection query from experimental
 2021-08-04 15:48:44 +02:00
Tony Torralba
989afb446e Apply suggestions from code review 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-08-04 14:07:10 +02:00
Tony Torralba
452fd9a8e3 Refactor to path query 2021-08-04 13:05:18 +02:00
Tony Torralba
f4bc4df8c1 Renamed JWTQuery so that it's named after the actual query name 2021-08-04 12:08:08 +02:00
Chris Smowton
eaf3d3cc03 Merge pull request #6162 from smowton/smowton/feature/jax-rs-content-type-sensitivity-fixes 
Jax-RS: implement content-type tracking
 2021-08-03 14:53:31 +01:00
Anders Schack-Mulligen
7fb1e1578e Merge pull request #5894 from atorralba/atorralba/promote-ognl-injection 
Java: Promote OGNL Injection query from experimental
 2021-08-03 15:31:40 +02:00
Anders Schack-Mulligen
c0d76da1a6 Merge pull request #5846 from atorralba/atorralba/promote-unsafe-android-webview-fetch 
Java: Promote Unsafe resource loading in Android WebView from experimental
 2021-08-03 14:24:34 +02:00
Tony Torralba
f5cbec4938 Fix tests affected by Jackson stubs changes 2021-08-03 14:22:55 +02:00
Tony Torralba
084cda6daa Merge branch 'main' into atorralba/promote-groovy-injection 2021-08-03 09:53:46 +02:00
Tony Torralba
08bdd1aa7a Merge branch 'main' into atorralba/promote-ognl-injection 2021-08-02 16:05:38 +02:00
Anders Schack-Mulligen
53e6ddfeb6 Merge pull request #6001 from atorralba/atorralba/promote-mvel-injection 
Java: Promote MVEL injection query from experimental
 2021-08-02 14:40:26 +02:00
Tony Torralba
f4b78ef3bd Fix stubs 2021-08-02 14:12:05 +02:00
Tony Torralba
9b384d84cc Merge branch 'main' into atorralba/promote-ognl-injection 2021-08-02 14:06:45 +02:00
Anders Schack-Mulligen
3b676d432f Merge pull request #5900 from artem-smotrakov/unsafe-jackson-deserialization 
Java: Unsafe deserialization with Jackson
 2021-08-02 12:45:30 +02:00