4170 Commits

Author	SHA1	Message	Date
Jami Cogswell	f255b6acb8	Java: fix typos	2023-05-26 18:55:13 -04:00
Jami Cogswell	7e6913af62	Java: update provenance to 'hq-manual'	2023-05-26 18:55:13 -04:00
Jami Cogswell	60b07083c3	Java: add 'sink' kind	2023-05-26 18:55:13 -04:00
Jami Cogswell	65dd7eb8e7	Java: add neutral models discovered with path-inj and ssrf heuristics	2023-05-26 18:55:13 -04:00
Michael Nebel	915042a881	Minor cleanup and sync files.	2023-05-26 12:25:00 +02:00
Michael Nebel	b7a8660375	Java: Re-factor getComponent.	2023-05-26 12:24:59 +02:00
Tony Torralba	903fdb0cb8	Java: Add models for the Play Framework	2023-05-26 10:23:43 +02:00
Tony Torralba	a276cc3094	Convert all command injection sinks to MaD format	2023-05-25 11:41:32 +02:00
github-actions[bot]	d2e192020b	Post-release preparation for codeql-cli-2.13.3	2023-05-24 11:26:12 +00:00
Tony Torralba	7d0b02e267	Merge pull request #13248 from atorralba/atorralba/java/nio-files-copy-models-fix ... Java: Tweak java.nio.file.Files.copy models	2023-05-24 10:55:15 +02:00
Edward Minnix III	52340802bb	Merge pull request #13097 from egregius313/egregius313/java/webgoat/ssrf-regex-fix ... Java: Add constraint to `HostnameSanitizingPrefix` to prevent false negatives in SSRF queries	2023-05-23 10:50:43 -04:00
Tony Torralba	6f012d51c0	Merge pull request #13091 from atorralba/atorralba/java/inputstreamwrapper-transitive ... Java: Make inputStreamWrapper consider supertypes transitively	2023-05-23 13:28:17 +02:00
Tony Torralba	5c5f910130	Add change note	2023-05-23 10:31:28 +02:00
Tony Torralba	654bb00946	Java: Tweak java.nio.files.Files.copy models	2023-05-23 10:27:19 +02:00
github-actions[bot]	7aa23cf11d	Release preparation for version 2.13.3	2023-05-22 20:47:00 +00:00
Ed Minnix	2d69f81d85	Add change note	2023-05-22 15:57:15 -04:00
Ed Minnix	43966ebaeb	Change regex used in HostnameSanitizingPrefix	2023-05-22 15:57:15 -04:00
Tony Torralba	183915410d	Add change note	2023-05-22 15:01:25 +02:00
Tony Torralba	b58eb3a92c	Java: Add TemplateEngine.createTemplate as a groovy injection sink	2023-05-19 17:45:47 +02:00
Tony Torralba	a8afa4785e	Merge pull request #13140 from atorralba/atorralba/java/spring-jdbc-namedparam-models ... Java: Add SQLi sinks for Spring JDBC	2023-05-18 14:49:28 +02:00
Alvaro Muñoz	bf3fb09dfd	Apply suggestions from code review ... Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>	2023-05-18 12:39:41 +02:00
Tony Torralba	2c54996499	Apply @jcogs33's suggestions from code review	2023-05-18 08:51:19 +02:00
Alvaro Muñoz	b235b1cbb9	improve yaml models	2023-05-17 16:40:28 +02:00
Alvaro Muñoz	7baf244ac6	remove test predicate	2023-05-17 16:18:46 +02:00
Alvaro Muñoz	8cd85a5676	add flow support for unmarshaled object fields	2023-05-17 16:16:30 +02:00
Alvaro Muñoz	d17199a9e1	add gson models	2023-05-16 15:00:26 +02:00
Tony Torralba	770099f210	Merge branch 'main' into atorralba/java/promote-xxe-experimental-sinks	2023-05-16 09:49:34 +02:00
Tony Torralba	7d79d87d48	Add XPath.evaluate as XXE sink	2023-05-15 17:39:35 +02:00
Tony Torralba	549fa7e288	Java: make inputStreamWrapper only act on constructors from outside of source	2023-05-12 17:47:56 +02:00
Kasper Svendsen	d40cd0f275	Java: Make implicit this receivers explicit	2023-05-12 12:47:21 +02:00
Tony Torralba	a48fa652ce	Java: Add SQLi sinks for Spring JDBC	2023-05-12 10:57:49 +02:00
Stephan Brandauer	61b0514b53	Merge pull request #13122 from github/java/update-mad-decls-after-triage-2023-05-11T08-52-07 ... Java: Update MaD Declarations after Triage	2023-05-11 16:04:36 +02:00
Tony Torralba	ca6ae26aad	Change provenance to ai-manual	2023-05-11 14:56:16 +02:00
Stephan Brandauer	9b35a9f74a	Update java/ql/lib/ext/org.apache.hadoop.fs.model.yml ... Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>	2023-05-11 14:01:25 +02:00
Stephan Brandauer	b0ec089a3a	Update MaD Declarations after Triage	2023-05-11 10:52:09 +02:00
Tony Torralba	aa14105e1c	Don't use the reflexive transitive closure, so that the predicate becomes a little more efficient	2023-05-10 16:45:07 +02:00
Tony Torralba	e1f868b976	Merge pull request #12965 from atorralba/atorralba/java/apache-commons-net-models ... Java: Add manual models for `org.apache.commons.net`	2023-05-10 16:28:19 +02:00
Tony Torralba	3f8a56722f	Remove auto-generated models	2023-05-10 10:35:34 +02:00
Tony Torralba	9839eb1fd2	Update java/ql/lib/change-notes/2023-05-02-apache-commons-net-models.md ... Co-authored-by: Jami <57204504+jcogs33@users.noreply.github.com>	2023-05-10 10:15:55 +02:00
Tony Torralba	2c41c5b0e2	Make inputStreamWrapper consider supertypes transitively	2023-05-09 17:27:16 +02:00
Kasper Svendsen	0de6e4138f	Merge pull request #13037 from kaspersv/kaspersv/java-enable-implicit-this-warnings ... Java: Enable implicit this receiver warnings	2023-05-09 10:24:31 +02:00
Anders Schack-Mulligen	e996eaefb1	Merge pull request #13036 from aschackmull/java/typeprefix-perf ... Java: Minor perf fix for typePrefixContainsAux1.	2023-05-09 08:57:56 +02:00
Michael Nebel	f2f9944a1c	Merge pull request #12931 from michaelnebel/neutralkinds ... Java/C#: Introduce kind for neutrals.	2023-05-09 08:42:38 +02:00
Kasper Svendsen	b0714904c0	Java: Enable implicit this receiver warnings	2023-05-09 08:25:40 +02:00
Edward Minnix III	05b1bd881e	Merge pull request #12852 from egregius313/egregius313/java/webgoat/model-jwsheader ... Java: Model `io.jsonwebtoken.SigningKeyResolverAdapter` and `io.jsonwebtoken.JwsHeader`	2023-05-08 10:57:34 -04:00
Michael Nebel	baee4cedfd	Apply suggestions from code review ... Co-authored-by: Jami <57204504+jcogs33@users.noreply.github.com>	2023-05-08 16:19:00 +02:00
Michael Nebel	efa2bd8614	Apply suggestions from code review ... Co-authored-by: Jami <57204504+jcogs33@users.noreply.github.com>	2023-05-08 16:19:00 +02:00
Michael Nebel	7858da66e3	C#/Java: Add change note.	2023-05-08 16:18:59 +02:00
Michael Nebel	bd23814e7c	Java: Update existing neutrals to include kind information.	2023-05-08 16:18:59 +02:00
Michael Nebel	bcbda9046f	Java: Extend neutrals with a kind column and introduce validation.	2023-05-08 16:18:59 +02:00