Ed Minnix
|
35de551f6b
|
Formatting
|
2022-12-31 17:19:49 -05:00 |
|
Ed Minnix
|
df1a4d2ed1
|
Documentation fix: Add state1 and state2 to documentation
|
2022-12-31 15:25:37 -05:00 |
|
Ed Minnix
|
02f70f3536
|
Add @security-severity tag
|
2022-12-31 15:00:28 -05:00 |
|
Edward Minnix III
|
1d345c6101
|
Refactoring and simplification
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
|
2022-12-31 15:00:28 -05:00 |
|
Ed Minnix
|
5265cb4b03
|
Merge two dataflow configurations into one taint tracking
|
2022-12-31 15:00:28 -05:00 |
|
Ed Minnix
|
973f649e76
|
Break dataflow into two steps in order to capture flow from WebView to settings call
|
2022-12-31 15:00:28 -05:00 |
|
Ed Minnix
|
0e15dd9fa9
|
Query metadata
|
2022-12-31 15:00:28 -05:00 |
|
Edward Minnix III
|
778749184b
|
Change id to use android/ instead of prepending android-
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
|
2022-12-31 15:00:28 -05:00 |
|
Ed Minnix
|
da25c586e6
|
Dataflow query for detecting paths that disable content access
Since the default value is `true`, we need to determine whether or not
the `setAllowContentAccess` method is ever called using dataflow.
|
2022-12-31 15:00:28 -05:00 |
|
Ed Minnix
|
8a763015e6
|
Reduce precision rating to medium
This query won't always be a security problem, so it should have a lower
precision rating than `high`.
|
2022-12-31 15:00:28 -05:00 |
|
Ed Minnix
|
e4e13d38b7
|
Java: query for Android WebView setAllowContentAccess
|
2022-12-31 15:00:28 -05:00 |
|
Tony Torralba
|
345c383acc
|
Fix new Android queries' IDs
|
2022-12-21 09:36:57 +01:00 |
|
Tony Torralba
|
149cae9603
|
Merge pull request #10971 from joefarebrother/android-certificate-pinning
Java: Add Android missing certificate pinning query (CWE-295)
|
2022-12-20 11:03:16 +01:00 |
|
Tony Torralba
|
a47ef17a0d
|
Update java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning1.java
Co-authored-by: Edward Minnix III <egregius313@github.com>
|
2022-12-19 18:11:54 +01:00 |
|
Edward Minnix III
|
39a7c7bb12
|
Merge pull request #11282 from egregius313/egregiu313/webview-addjavascriptinterface
Java: Query for detecting addJavascriptInterface method calls
|
2022-12-19 11:28:45 -05:00 |
|
Tony Torralba
|
624c9ff834
|
Update java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning1.java
|
2022-12-19 17:26:41 +01:00 |
|
Tony Torralba
|
0c6ace350f
|
Update java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
|
2022-12-19 16:24:39 +01:00 |
|
Tony Torralba
|
484a16ce1b
|
Update java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql
|
2022-12-19 12:10:32 +01:00 |
|
Tony Torralba
|
a880fecc8b
|
Apply suggestions from code review
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
|
2022-12-19 11:56:36 +01:00 |
|
Ed Minnix
|
72484b9483
|
Change wording of addJavascriptInterface query description
|
2022-12-14 16:19:03 -05:00 |
|
Edward Minnix III
|
40c759e61a
|
Add @name property
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
|
2022-12-13 16:14:28 -05:00 |
|
Edward Minnix III
|
a2c886d367
|
Grammar and wording changes from docs review
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
|
2022-12-13 11:57:46 -05:00 |
|
Erik Krogh Kristensen
|
636d5e341c
|
Merge pull request #11652 from erik-krogh/static-useInstanceOf
Java/C#/GO: Use instanceof in more places
|
2022-12-12 17:52:04 +01:00 |
|
Edward Minnix III
|
0ebfee8b11
|
Merge pull request #11241 from egregius313/egregius313/webview-file-access
Java: Query to detect Android Webview file access
|
2022-12-12 11:12:26 -05:00 |
|
erik-krogh
|
8262fbbfb5
|
Java/C#/GO: Use instanceof in more places
|
2022-12-11 18:32:19 +01:00 |
|
Edward Minnix III
|
4278997a2c
|
Reword WebView file access query description
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
|
2022-12-09 11:36:09 -05:00 |
|
Edward Minnix III
|
8c8e71dd82
|
Grammar, concision, and style edits
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
|
2022-12-09 11:35:02 -05:00 |
|
Joe Farebrother
|
a14ebb7c03
|
Fixes
|
2022-12-09 13:41:18 +00:00 |
|
Joe Farebrother
|
603c1c1693
|
Add the domain used to the alert message
|
2022-12-09 13:41:18 +00:00 |
|
Joe Farebrother
|
ceb253e6d1
|
Add qhelp
|
2022-12-09 13:41:18 +00:00 |
|
Joe Farebrother
|
749ecab6b1
|
Add security severity
|
2022-12-09 13:41:18 +00:00 |
|
Joe Farebrother
|
c8aca06190
|
Implement pinning through a TrustManager
+ Fix that the query was accidentally placed in experimental
|
2022-12-09 13:41:18 +00:00 |
|
Edward Minnix III
|
170c9af9e8
|
Merge pull request #11238 from egregius313/egregius313/webview-setjavascriptenabled
Java: Query for detecting enabling Javascript in Android WebSettings
|
2022-12-07 09:31:58 -05:00 |
|
Ed Minnix
|
1c81f8d8d5
|
Apply suggestion from docs review
|
2022-12-06 15:32:54 -05:00 |
|
Mauro Baluda
|
7c4b76b08b
|
Update InsecureCookie.ql
|
2022-12-05 12:55:53 +01:00 |
|
Mauro Baluda
|
16d7dc0853
|
Restrict DF configuration
|
2022-12-05 11:02:19 +01:00 |
|
Ed Minnix
|
7c4bd509a7
|
Java: add AssetLoader example to WebView file access documentation
|
2022-12-02 14:43:52 -05:00 |
|
Mauro Baluda
|
f3f8f35069
|
Update InsecureCookie.ql
Support interprocedural setting of cookie security
|
2022-12-02 17:37:23 +01:00 |
|
Edward Minnix III
|
55090ecb65
|
Java: Typos and minor fixes
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
|
2022-12-02 09:17:41 -05:00 |
|
Chris Smowton
|
6e98c67869
|
Java: fix syntax error in path-injection example fix
|
2022-12-02 10:04:53 +00:00 |
|
Ed Minnix
|
04829fc38e
|
Java: SQLInjection example for addJavaScriptInterface query
|
2022-11-30 13:32:28 -05:00 |
|
Ed Minnix
|
d35321f40e
|
Java: change WebView addJavascriptInterface query precision to medium
|
2022-11-30 11:35:14 -05:00 |
|
Ed Minnix
|
e31521bd14
|
Java: mention the default negative value for setJavaScriptEnabled
|
2022-11-30 10:56:17 -05:00 |
|
Edward Minnix III
|
b189e5b365
|
Java: fix precision in setJavascriptEnabled query
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
|
2022-11-30 10:45:31 -05:00 |
|
Ed Minnix
|
5ac1e012ae
|
Java: Mention AssetLoader in WebView file access query documentation
|
2022-11-30 10:43:53 -05:00 |
|
Ed Minnix
|
c836c4feb7
|
Java: Specify default value in WebView file access query
|
2022-11-30 10:43:05 -05:00 |
|
Edward Minnix III
|
710e012e09
|
Java: fix precision of Android WebView File access query
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
|
2022-11-30 10:41:45 -05:00 |
|
Jami
|
8a73675483
|
Merge pull request #11070 from jcogs33/java-regex-injection
Java: Promote regex injection query from experimental
|
2022-11-21 15:04:26 -05:00 |
|
Jami Cogswell
|
9e2ec9d12f
|
apply docs review suggestion
|
2022-11-21 13:39:46 -05:00 |
|
Tony Torralba
|
2809c3a77c
|
Handle disabled Maven repositories
|
2022-11-21 10:11:57 +01:00 |
|