hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
76,207 Commits 1,672 Branches 157 Tags
codeql-cli-2.20.5
Commit Graph

1238 Commits

Author SHA1 Message Date
Jonathan Leitschuh
ab618dcf2f Java: QL Query Detector for JHipster Generated CVE-2019-16303 2020-09-21 18:46:13 -04:00
lcartey@github.com
39200566c3 Java: Update CWE claims for XXE. 
This matches the claims in the C# equivalent.
 2020-09-18 12:30:52 +01:00
lcartey@github.com
32f43a84be Java: Add CWE 564 (SQL Injection: Hibernate) 2020-09-18 10:20:21 +01:00
Joe
b6cf1cce20 Java: Make the equivalent changes to ExecTaintedLocal 2020-09-17 15:53:04 +01:00
Joe
6bfc0afaeb Java: Improve the ExecTainted query 2020-09-17 15:39:35 +01:00
Mathias Vorreiter Pedersen
9de1fb7c18 Merge pull request #4222 from jbj/BlockStmt 
C++/Java/JS: Rename Block -> BlockStmt
 2020-09-09 10:02:37 +02:00
Jonas Jensen
464d3630a2 Java: Rename Block -> BlockStmt 2020-09-08 08:40:20 +02:00
Anders Schack-Mulligen
89829e870d Java: Clean up SqlInjectionLib. 2020-09-02 11:17:56 +02:00
Anders Schack-Mulligen
cc61e6117e Merge pull request #3542 from porcupineyhairs/mongoJava 
Java : add MongoDB injection sinks
 2020-09-01 16:19:17 +02:00
Anders Schack-Mulligen
beca44ec2f Merge pull request #4172 from rvermeulen/java/xss-sink-extensible 
Java: Customizable XSS analysis
 2020-09-01 09:27:50 +02:00
CodeQL CI
9d6b2e7684 Merge pull request #4042 from aschackmull/java/xsssink-extensible 
Approved by aibaars
 2020-08-31 11:54:25 +01:00
Porcupiney Hairs
441825919c Java : add MongoDB injection sinks 2020-08-31 02:24:23 +05:30
Remco Vermeulen
8db5c4f2e2 Abstract additional taint step 2020-08-17 10:41:27 +02:00
Remco Vermeulen
518459c0f7 Abstract Xss sanitizer 
Turn the Xss sanitizer into an abstract class to support customizations
and provide a default implementation.
 2020-08-17 10:31:44 +02:00
Anders Schack-Mulligen
8891ae70b6 Merge pull request #3938 from lcartey/java/untrusted-data-to-external-api 
Java: Untrusted data used in external APIs
 2020-08-13 09:53:57 +02:00
lcartey@github.com
6f83c55ebd Java: Switch to low as a precision 
Code Scanning doesn't support "very-low"
 2020-08-12 13:48:59 +01:00
Luke Cartey
56ff8cf084 Apply suggestions from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2020-08-12 13:12:06 +01:00
lcartey@github.com
6b6172fa5b Java: ExternalAPIs: Further review comments 
- Extra qldoc
 - Remove unnecessary module
 2020-08-12 09:21:14 +01:00
lcartey@github.com
e1d4b98923 Java: Add further missing </p> to qhelp 2020-08-11 15:28:55 +01:00
lcartey@github.com
8a65dd2cd6 Java: Address review comments 2020-08-11 15:28:06 +01:00
Anders Schack-Mulligen
99c9524639 Java: Make XssSink extensible. 2020-08-11 13:09:27 +02:00
Anders Schack-Mulligen
77db87efb7 Merge pull request #3968 from rvermeulen/java-importable-cwe-090 
Java: Move LDAP injection sinks, sanitizers, and additional taint steps to importable location
 2020-08-07 11:57:51 +02:00
Anders Schack-Mulligen
f9de8eb3b4 Java: Update precision of java/weak-cryptographic-algorithm. 2020-08-07 09:40:21 +02:00
Remco Vermeulen
7f7ad88dea Limit LdapAdditionalTaintStep to Ldap configuration 2020-08-06 11:35:03 +02:00
Anders Schack-Mulligen
205dd1aead Merge pull request #3881 from intrigus-lgtm/more-pathcreations 
Java: Centralize and model additional path creations.
 2020-08-06 11:21:39 +02:00
Anders Schack-Mulligen
9e78341e43 Merge pull request #3928 from rvermeulen/java-importable-cwe-113 
Java: Move `HeaderSplittingSink` and `WhitelistedSource` into importable library
 2020-08-05 10:16:00 +02:00
Anders Schack-Mulligen
32d9d270fc Merge pull request #3948 from aibaars/java-3941 
Java: stack trace exposure: address false positives
 2020-08-05 09:31:01 +02:00
Luke Cartey
5a96ee1a7b Remove parameter names from signatures 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2020-08-04 09:41:40 +01:00
Luke Cartey
368572f1f0 Update java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.qhelp 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2020-08-04 09:40:59 +01:00
Luke Cartey
7928a02424 Add missing full stop. 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2020-08-04 09:40:51 +01:00
Luke Cartey
e0c081a2af Add missing </p> tag 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2020-08-04 09:40:28 +01:00
Remco Vermeulen
2c42d3cca5 Extract additional taint steps 
This is done for logical cohesion. We already have the capability of
extending additional taint steps by extending
`TaintTracking::AdditionalTaintStep`.
 2020-07-22 16:04:55 +02:00
Remco Vermeulen
57e7411c0a Extract Ldap injection sanitizers to importable lib 
This includes a new abstract class that represents all the Ldap injection
santizers and can be used to add additional santizers through
extension.
 2020-07-22 16:04:55 +02:00
Remco Vermeulen
0d5f9113a3 Extract ldap injection sink into importable library 2020-07-22 16:04:55 +02:00
intrigus
f94055fa2c Move tainted path ad-hoc guard back. 2020-07-19 00:19:29 +02:00
intrigus
4570444c7e Rename to getAnInput and clarify doc. 2020-07-19 00:10:13 +02:00
Arthur Baars
67b6018079 Merge pull request #3729 from luchua-bc/java-hardcoded-aws-credentials 
Java: Hardcoded AWS credentials
 2020-07-13 18:04:42 +02:00
Arthur Baars
c585b2e483 Java: stack trace exposure: address false positives 2020-07-13 15:26:55 +02:00
luchua-bc
12803f1f53 Merge Hardcoded AWS Credentials check into the mail source folder 2020-07-13 12:22:34 +00:00
Anders Schack-Mulligen
c8b9b779ae Merge pull request #3927 from rvermeulen/java-importable-cwe-601 
Java: Move `UrlRedirectSink` into importable library
 2020-07-09 16:03:29 +02:00
Remco Vermeulen
7435dac3d2 Move source and sink into importable library 2020-07-09 14:53:59 +02:00
intrigus
641c5df79f Centralize and model additional path creations. 2020-07-09 14:48:47 +02:00
Remco Vermeulen
b66f391c31 Extend source and sink from DataFlow::Node instead of DataFlow::exprNode 2020-07-09 14:39:08 +02:00
Remco Vermeulen
fed506a12f Rename TrustedSource to SafeHeaderSplittingSource 2020-07-09 14:36:23 +02:00
Remco Vermeulen
ba9f3e2a1e Join ServletUrlRedirectSink with UrlRedirectSink 2020-07-09 14:08:43 +02:00
Remco Vermeulen
9a84abf259 Generalize QueryInjectionSink 
Extends from the more general DataFlow::Node instead of
DataFlow::ExprNode
 2020-07-09 12:32:17 +02:00
Remco Vermeulen
c01844a39e Add file-level qldoc 2020-07-09 10:30:31 +02:00
Remco Vermeulen
42e261ac02 Move SqlInjectionSink and PersistenceQueryInjectionSink 
Join SqlInjectionSink and PersistenceQueryInjectionSink with
QueryInjectionSink to make its definition more transparent.
 2020-07-09 10:21:24 +02:00
Remco Vermeulen
d07d21c9e2 Fix import 2020-07-09 10:20:53 +02:00
Remco Vermeulen
5f560e0465 Extract HeaderSplittingSink and WhitelistedSource 
- Extract `HeaderSplittingSink` and `WhitelistedSource` into an
importable library.
- Rename the existing `HeaderSplittingSink` implementation to
`ServletHeaderSplittingSink`.
 2020-07-08 17:17:24 +02:00