hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 11:16:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
76,207 Commits 1,672 Branches 157 Tags
codeql-cli-2.20.5
Commit Graph

1238 Commits

Author SHA1 Message Date
Joe Farebrother
eed2df0fb3 Fix qhelp & ql-for-ql errors 2022-09-21 13:57:30 +01:00
Joe Farebrother
f934554143 Add docs + add an additional case 2022-09-21 13:57:29 +01:00
Joe Farebrother
20b2956322 Add webview debugging query 2022-09-21 13:57:28 +01:00
Tony Torralba
cbb64cc8c1 Merge pull request #10352 from atorralba/atorralba/promote-template-injection 
Java: Promote Server-side template injection from experimental
 2022-09-20 16:11:58 +02:00
Tony Torralba
4af29e6abf Update java/ql/src/Security/CWE/CWE-094/TemplateInjection.qhelp 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2022-09-20 11:48:40 +02:00
Tony Torralba
4997f36f05 Apply suggestions from code review 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2022-09-20 11:48:18 +02:00
Ed Minnix
e37f62bb5e Android ContentProvider.openFile does not check mode initital commit 
Initial commit for work on a query finding instances where the `mode`
parameter of an override of the `openFile` method of the
`android.content.ContentProvider` class
 2022-09-19 10:32:02 -04:00
Ed Minnix
00891fa455 Android Manifest Incomplete provider permissions initial commit 
Initial work on checking provider elements in Android manifests for
complete permissions.
 2022-09-19 10:31:02 -04:00
Tony Torralba
e140f04881 Merge pull request #10393 from zbazztian/uri-constructor-flow 
Java: Model taint flow for java.net.URI constructors in tainted path queries
 2022-09-16 15:10:40 +02:00
Tony Torralba
fdc8453a59 Introduce TaintedPathAdditionalTaintStep 
Use separate configurations for tainted path and tainted path local again.
 2022-09-16 10:42:15 +02:00
Sebastian Bauersfeld
95478f1af6 Address review comments. 2022-09-16 14:35:30 +07:00
Sebastian Bauersfeld
20d78972f5 Address review comments. 2022-09-15 16:44:36 +07:00
Anders Schack-Mulligen
d713910714 Merge pull request #10334 from aschackmull/java/uniontypeflow 
Java: Implement union type flow and replace ad-hoc variable tracking in dispatch
 2022-09-14 13:34:28 +02:00
Tony Torralba
ac46a38b9d Update java/ql/src/Security/CWE/CWE-079/XSS.java 2022-09-13 16:49:20 +02:00
Tony Torralba
2b027709e4 Update XSS qhelp 2022-09-13 16:39:48 +02:00
gx1
1c4488e7c8 Updated vulnerable XSS.java version 2022-09-13 15:58:25 +02:00
Anders Schack-Mulligen
c8b93e0910 Java: Replace uses of deprecated variableTrack. 2022-09-13 13:30:40 +02:00
Edward Minnix III
eadb8a3988 Merge pull request #10106 from egregius313/egregius313/android-backup-allowed 
Java: Query to detect Android backup allowed
 2022-09-12 11:14:03 -04:00
Tony Torralba
dd6257c757 Add security-severity 2022-09-12 11:59:01 +02:00
Edward Minnix III
08a17b355e allowBackup documentation updates 
Make error messages and descriptions clearer about application backups not being disabled, rather than focusing on `android:allowBackup` specifically.

Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2022-09-09 09:30:49 -04:00
Edward Minnix III
83c8e22225 Apply suggestions from documentation review 
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
 2022-09-08 15:55:00 -04:00
Tony Torralba
fb13e7f307 Docs changes 2022-09-08 17:38:25 +02:00
Tony Torralba
b68e6669b8 Refactor TemplateInjection libraries 2022-09-08 17:38:25 +02:00
Ed Minnix
c69a2be976 Moved allowBackup query logic to allowsBackup pred 2022-09-07 12:08:25 -04:00
Edward Minnix III
f6c8144eed Update java/ql/src/Security/CWE/CWE-312/AllowBackupAttributeEnabled.ql 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2022-09-07 09:46:36 -04:00
Tony Torralba
cd61bd0606 Move files from experimental 2022-09-07 13:13:40 +02:00
Ed Minnix
dca4cd221a Documentation cleanup for allowBackup query 2022-09-06 14:35:11 -04:00
Ed Minnix
500a6f3b86 Add check for files which provide the app launcher 
Adds support for filtering which applications include the
`android.intent.action.MAIN` intent.
 2022-08-30 12:54:26 -04:00
Tony Torralba
1f83c5833b Merge pull request #10092 from zbazztian/zbazztian/string.replace-taint 
Java: Add additional taint steps for java.lang.String methods
 2022-08-30 12:24:37 +02:00
Erik Krogh Kristensen
06afe9c0f4 Merge pull request #9816 from erik-krogh/msgConsis 
Make alert messages consistent across languages
 2022-08-25 15:20:01 +02:00
Edward Minnix III
e6a1b1fab9 Rename allowBackup query id 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2022-08-24 15:54:13 -04:00
Ed Minnix
dad4a403db Add support for android:allowBackup default value 
The default value of `android:allowBackup` is `true`. Added support for
detecting if the default value is used.
 2022-08-24 15:54:13 -04:00
Ed Minnix
6509426fb3 android:allowBackup query documentation 2022-08-24 15:54:13 -04:00
Ed Minnix
44b0a2b8af Android allowBackup query 2022-08-24 15:54:13 -04:00
Ed Minnix
dac64eeca7 Query test files 2022-08-24 15:54:13 -04:00
Jami
b3e88f8234 Merge pull request #9983 from jcogs33/android-implicit-export 
Java: query to detect implicitly exported Android components
 2022-08-24 10:52:50 -04:00
erik-krogh
1c0f2251e2 Merge branch 'main' into msgConsis 2022-08-24 14:38:57 +02:00
Erik Krogh Kristensen
4df2e5d937 Merge pull request #10096 from erik-krogh/acronyms-part1 
make acronyms camelcase
 2022-08-24 09:33:53 +02:00
erik-krogh
27fcc90a97 Merge branch 'main' into msgConsis 2022-08-24 09:21:43 +02:00
Chris Smowton
0a7350f3bf Merge pull request #10041 from smowton/AddSensitiveApiCalls 
Java: support more libraries in hardcoded-credentials queries
 2022-08-23 10:51:04 +01:00
Tony Torralba
e3c1101b79 Merge pull request #10136 from atorralba/atorralba/redos-cwe-tag 
Java: Add CWE-1333 tag to Java ReDoS queries
 2022-08-23 11:07:51 +02:00
Joe Farebrother
ac79866799 Merge pull request #9982 from joefarebrother/rsa-without-oaep 
Java: Add query for RSA without OAEP
 2022-08-23 09:14:46 +01:00
Tony Torralba
cd10f559ca Add CWE-1333 tag to Java ReDoS queries 2022-08-23 09:56:59 +02:00
erik-krogh
034d197e01 update {java/rb}/xxe to match python/javascript 2022-08-22 21:41:46 +02:00
erik-krogh
55c8863e92 update java/sql-injection to match go/javascript/python/ruby 2022-08-22 21:41:45 +02:00
erik-krogh
e89e0eb7fb make some acronyms camelCase 2022-08-22 21:22:35 +02:00
Jami Cogswell
733078183e update query description 2022-08-22 12:41:22 -04:00
Jami Cogswell
f34e23bdba adjusted comments and precision level 2022-08-22 12:41:22 -04:00
Jami Cogswell
eacce03073 resolved merge conflict in AndroidManifest lib 2022-08-22 12:41:22 -04:00
Jami Cogswell
0934c1d184 resolved merge conflict in AndroidManifest lib 2022-08-22 12:41:22 -04:00