codeql

mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00

Author	SHA1	Message	Date
Tony Torralba	084cda6daa	Merge branch 'main' into atorralba/promote-groovy-injection	2021-08-03 09:53:46 +02:00
Tony Torralba	08bdd1aa7a	Merge branch 'main' into atorralba/promote-ognl-injection	2021-08-02 16:05:38 +02:00
Anders Schack-Mulligen	53e6ddfeb6	Merge pull request #6001 from atorralba/atorralba/promote-mvel-injection Java: Promote MVEL injection query from experimental	2021-08-02 14:40:26 +02:00
Tony Torralba	9b384d84cc	Merge branch 'main' into atorralba/promote-ognl-injection	2021-08-02 14:06:45 +02:00
Tony Torralba	9fadb26325	Fix qhelp sample	2021-08-02 10:00:59 +02:00
Tony Torralba	4435853c8a	Apply suggestions from code review Co-authored-by: Felicity Chapman <felicitymay@github.com>	2021-08-02 09:56:40 +02:00
Tony Torralba	29490e5872	Add suggestion from code review	2021-07-29 17:07:18 +02:00
Tony Torralba	6e3b6dcb98	Imporve qhelp	2021-07-29 16:36:38 +02:00
Tony Torralba	bdf0f582a4	QLDoc improvements from code review Co-authored-by: Felicity Chapman <felicitymay@github.com> Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>	2021-07-29 16:34:21 +02:00
Tony Torralba	90b5e02b6e	Improve qhelp	2021-07-29 16:28:10 +02:00
Tony Torralba	4ea6729c53	Update java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>	2021-07-29 16:10:49 +02:00
mc	0a986ad0e8	Update JndiInjection.qhelp Improve negation	2021-07-29 15:10:32 +01:00
Tony Torralba	3edc8bc679	Doc improvements	2021-07-29 15:35:39 +02:00
mc	8f1fc9e893	Update MvelInjection.qhelp Minor tweaks	2021-07-29 11:30:19 +01:00
mc	ebf004a4df	Update MissingJWTSignatureCheck.qhelp Using same syntax as on other queries for 'BAD' and 'GOOD'.	2021-07-29 09:13:00 +01:00
mc	10a3dcb188	Update GroovyInjection.qhelp	2021-07-27 14:26:49 +01:00
Tony Torralba	26999c7ac4	Decouple UnsafeAndroidAccess.qll to reuse the taint tracking configuration	2021-07-20 17:46:35 +02:00
Tony Torralba	99e66cffa2	Merge branch 'main' into atorralba/promote-unsafe-android-webview-fetch	2021-07-20 17:30:56 +02:00
Tony Torralba	3259ead946	Decouple OgnlInjection.qll to reuse the taint tracking configuration	2021-07-20 17:21:10 +02:00
Tony Torralba	b6904a7992	Merge branch 'main' into atorralba/promote-ognl-injection	2021-07-20 17:17:17 +02:00
Tony Torralba	22c9baa462	Refactor JWT.qll	2021-07-20 17:14:34 +02:00
Tony Torralba	430d9f1834	Merge branch 'main' into atorralba/promote-missing-jwt-signature-check	2021-07-20 16:20:35 +02:00
Tony Torralba	42b6b26c10	Decouple JndiInjection.qll to reuse the taint tracking configuration	2021-07-20 15:38:34 +02:00
Tony Torralba	b8ea833a61	Merge branch 'main' into atorralba/promote-jndi-injection	2021-07-20 15:01:26 +02:00
Tony Torralba	46faf68d64	Decouple MvelInjection.qll to reuse the taint tracking configuration	2021-07-19 13:50:03 +02:00
Tony Torralba	5ca8b380e9	Merge branch 'main' into atorralba/promote-mvel-injection	2021-07-19 13:45:10 +02:00
Tony Torralba	441e8afe81	Decouple GrovyInjection.qll to reuse the taint tracking configuration	2021-07-19 12:53:37 +02:00
Tony Torralba	b08f417a1e	Merge branch 'main' into atorralba/promote-groovy-injection	2021-07-19 12:44:03 +02:00
Artem Smotrakov	6d7cb48054	Refactored the query for unsafe deserialization	2021-07-16 18:25:41 +02:00
Artem Smotrakov	09ae779b21	Removed fromSource() check in looksLikeResolveClassStep()	2021-07-12 19:56:51 +02:00
Artem Smotrakov	ea0991c980	Added Jackson to UnsafeDeserialization.qhelp	2021-07-09 10:17:29 +02:00
Artem Smotrakov	3eb2af1bc2	First draft of sinks for unsafe deserialization with Jackson	2021-07-09 10:16:01 +02:00
Chris Smowton	a51154a8ef	Deduplicate Jexl configuration	2021-07-02 10:02:28 +01:00
Chris Smowton	747a8e4157	Split up JexlInjection.qll This avoids a DataFlow2::Configuration being in scope for all queries via the import from ExternalFlow.qll	2021-07-02 10:01:51 +01:00
Chris Smowton	643f7dfb87	Split up Random.qll This prevents bringing a dataflow config into scope from utility libraries.	2021-07-02 10:00:49 +01:00
Chris Smowton	d5a9f3d87b	Deduplicate shared body of regular and experimental versions of `java/command-line-injection` query.	2021-07-01 14:53:56 +01:00
Chris Smowton	3e7ea34054	XSS: expose extension point for defining barrier sinks	2021-06-30 12:04:20 +01:00
intrigus	36575bb26f	Move back to experimental.........	2021-06-25 16:47:25 +02:00
intrigus	fe923facc8	Java: Move comments to separate lines. Move comments to separate lines to improve the rendering in the finished query help.	2021-06-25 16:47:25 +02:00
intrigus-lgtm	f527df73d5	Apply suggestions from code review. Co-authored-by: Felicity Chapman <felicitymay@github.com>	2021-06-25 16:47:25 +02:00
intrigus	6bfdf8d148	Java: Fix qhelp errors.	2021-06-25 16:47:24 +02:00
intrigus	dc0b06a735	Java: Factor out `SecurityFlag` library.	2021-06-25 16:47:24 +02:00
intrigus-lgtm	51fdcf86c8	Apply suggestions from code review Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>	2021-06-25 16:47:24 +02:00
intrigus	6f217d37da	Java: Apply suggestions from review.	2021-06-25 16:47:24 +02:00
intrigus	4a00670b68	Java: Reduce long comment.	2021-06-25 16:47:24 +02:00
intrigus	45cec3df1c	Java: Use `this` consistently in QL classes.	2021-06-25 16:47:24 +02:00
intrigus	0c1ce74135	Java: Switch from tabs to spaces.	2021-06-25 16:47:24 +02:00
intrigus	6d09db6fd6	Java: Explicitly list custom flow steps.	2021-06-25 16:47:23 +02:00
intrigus	e4775e0fae	Java: Remove "intention-guessing" sanitizer & simplify. This removes the sanitizer part that classified some results as FP if the results were in methods with certain names, like `disableVerification()`. I now think that it's a bad idea to filter based on the method name. The custom flow steps in `flagFlowStep` are now listed explicitly. Simplified check whether a method throws an exception.	2021-06-25 16:47:23 +02:00
intrigus	8a7f6b72e9	Java: Apply suggestions for QHelp	2021-06-25 16:47:23 +02:00

... 17 18 19 20 21 ...

1238 Commits