hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
76,207 Commits 1,671 Branches 157 Tags
codeql-cli-2.20.5
Commit Graph

4170 Commits

Author SHA1 Message Date
Anders Schack-Mulligen
c34c667e6b Java: Adjust to use the qlpack data-flow api. 2023-08-01 13:47:09 +02:00
Anders Schack-Mulligen
d7ea60e137 Java: Move data flow lib. 2023-08-01 13:47:08 +02:00
Michael Nebel
a9bc23fa3e Java: Add threat model configuration related extensible predicates and some initial tuples. 2023-08-01 12:56:13 +02:00
Michael Nebel
a8ccc8d980 Java: Update MaD internal documentation. 2023-08-01 12:03:44 +02:00
Michael Nebel
99ac98bffc Java: Re-factor a model to use WithElement (this model is already tested in collections/B.java). 2023-08-01 12:03:44 +02:00
Michael Nebel
0604a85bb1 Java: Add WithoutElement model for List.clear and add appropriate test. 2023-08-01 12:03:44 +02:00
Michael Nebel
21ec83a197 Java: Add MaD support for With[out]Element. 2023-08-01 12:03:44 +02:00
Anders Schack-Mulligen
e87b8ba3d7 Java: Make the barrier in java/potentially-weak-cryptographic-algorithm less restrictive. 2023-07-31 14:28:53 +02:00
Tony Torralba
5488abc512 Merge pull request #13850 from atorralba/atorralba/java/unimportant-generated-models 
Java: Remove superfluous generated models
 2023-07-31 11:25:03 +02:00
Tony Torralba
2cbb7ed296 Java: Add XXE sinks for MDHT 2023-07-31 11:13:17 +02:00
Tony Torralba
41f1315da9 Merge pull request #13772 from atorralba/atorralba/java/inputstream-wrapper-read-step 
Java: Add taint steps for InputStream wrappers
 2023-07-31 11:12:43 +02:00
Tony Torralba
3bd4d34a47 Java: Remove superfluous generated models 2023-07-31 09:48:03 +02:00
Tony Torralba
08cba7dc5f Merge pull request #13713 from pwntester/java/struts2_source_taint_inheriting 
[Java] Implement field taint inheritance for Struts2 unmarshalled objects
 2023-07-28 16:46:27 +02:00
Owen Mansel-Chan
a020189895 Merge pull request #13822 from owen-mc/dataflow/mergepathgraph3-signature-fix 
Dataflow: MergePathGraph3 signature fix
 2023-07-28 15:15:43 +01:00
Tony Torralba
2dff0ce5b4 Merge pull request #13712 from pwntester/java/new_struts2_models 
[Java] New models for Struts2 framework
 2023-07-28 14:31:25 +02:00
Alvaro Muñoz
c3a2ae2943 Account for public fields/setters 2023-07-28 12:12:07 +02:00
Tony Torralba
c239a4399c Changed Struts2ActionSupportClassFieldReadSource to be a FieldValueNode instead of a field read 2023-07-27 10:39:06 +02:00
Alvaro Muñoz
97a4230d5d add change note 2023-07-27 10:39:06 +02:00
Alvaro Muñoz
f3fc56294e implement field taint inheritance for Struts2 unmarshalled objects 2023-07-27 10:39:06 +02:00
Tony Torralba
9d6bc76dc0 Merge pull request #13817 from atorralba/atorralba/java/non-static-fieldvaluenode-step 
Java: Allow flow out of FieldValueNodes for non-static fields
 2023-07-27 09:14:04 +02:00
Owen Mansel-Chan
9b2b58a823 Sync files 2023-07-26 21:48:10 +01:00
Chris Smowton
c69a9ea032 Merge pull request #13793 from github/post-release-prep/codeql-cli-2.14.1 
Post-release preparation for codeql-cli-2.14.1
 2023-07-26 17:22:05 +01:00
Ian Lynagh
532552a7ac Merge pull request #13751 from igfoo/igfoo/getCompilationInfo 
Java: Improve the diagnostics consistency query
 2023-07-25 16:54:17 +01:00
Tony Torralba
b8b38e4bbe Java: Allow flow out of FieldValueNodes for non-static fields 2023-07-25 15:37:41 +02:00
Tony Torralba
c9fc5a54c7 Remove generated sinks and sources 2023-07-25 14:42:32 +02:00
Tony Torralba
6c0d47f122 Update java/ql/lib/semmle/code/java/frameworks/InputStream.qll 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2023-07-24 08:49:37 +02:00
Tony Torralba
4e7438ac5c Make sure that InputStreamWrapperCapturedLocalStep is indeed local 2023-07-24 08:49:37 +02:00
Tony Torralba
d3b3af8ae6 Re-adds jump step 
Note that this causes FP flow in the call context test cases
 2023-07-24 08:49:37 +02:00
Tony Torralba
36ff54b48b Convert jump step into local step 
Note that this has FNs in the test cases where the source is used locally in the nested classes' methods
 2023-07-24 08:49:37 +02:00
Tony Torralba
f054f73836 Apply suggestions from code review 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2023-07-24 08:49:36 +02:00
Tony Torralba
1de68457ae Move steps to InputStream.qll 2023-07-24 08:49:36 +02:00
Tony Torralba
0156fcc381 Apply suggestions from code review 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2023-07-24 08:49:36 +02:00
Tony Torralba
3a6665b0ed Add change note 2023-07-24 08:49:36 +02:00
Tony Torralba
5330ce12cc Use new TypeInputStream 2023-07-24 08:49:34 +02:00
Tony Torralba
00e0e5a61a Java: Add taint step for InputStream wrappers 2023-07-24 08:48:04 +02:00
github-actions[bot]
f91b7a9342 Post-release preparation for codeql-cli-2.14.1 2023-07-21 16:16:25 +00:00
Tony Torralba
3d515b18df Merge pull request #13769 from atorralba/atorralba/java/avoid-inputstream-low-confidence-dispatch 
Java: Avoid low-confidence dispatch to InputStream methods
 2023-07-21 10:42:34 +02:00
github-actions[bot]
c936a920b0 Release preparation for version 2.14.1 2023-07-20 16:32:27 +00:00
Geoffrey White
45a9d5bc7d Java: QLDoc. 2023-07-20 11:53:52 +01:00
Geoffrey White
80cb386ffd Java: Change note. 2023-07-20 11:52:04 +01:00
Geoffrey White
369f88beda Java: Fix for multiple parse mode flags. 2023-07-20 11:49:54 +01:00
Tony Torralba
238cb26624 Add change note 2023-07-19 15:37:33 +02:00
Tony Torralba
29543f5726 Change InputStream.read from neutral to summary 2023-07-19 14:44:18 +02:00
Anders Schack-Mulligen
e72a0b2f8c Dataflow: Add change notes. 2023-07-19 11:41:15 +02:00
Anders Schack-Mulligen
95d17045c9 Dataflow: Sync. 2023-07-19 11:41:15 +02:00
Anders Schack-Mulligen
fd83b6afdb Dataflow: Add support for not skipping configuration-specific nodes in big-step. 2023-07-19 11:41:15 +02:00
Tony Torralba
2dbbcc2413 Java: Avoid low-confidence dispatch to InputStream methods 
Also adds a neutral model for `InputStream.read`, which offers a high-confidence alternative for this method.
 2023-07-19 11:30:53 +02:00
Ian Lynagh
8a0286ec34 Java: Improve the diagnostics consistency query 
Diagnostics can be easier to read if you see them in the order in which
they were generated. By selecting the compilation and indexes, they get
sorted by the testsuite driver.

d.getCompilationInfo(c, f, i) would be a bit more natural as
d = c.getDiagnostic(f, i), but currently we don't import Diagnostic into
the default ('import java') namespace, and I don't think it's worth
changing that for this.
 2023-07-17 15:37:05 +01:00
Anders Schack-Mulligen
6770d2a49b Java: Exclude source-to-source flow in 5 queries. 2023-07-17 09:06:49 +02:00
Anders Schack-Mulligen
80a799df01 Merge pull request #13735 from aschackmull/dataflow/forcehighprecision-fix 
Dataflow: Fix forceHighPrecision for length-2 prefixes.
 2023-07-14 11:42:35 +02:00