Commit Graph

1138 Commits

Author SHA1 Message Date
Anders Schack-Mulligen
cfa0d46b73 Merge pull request #6097 from atorralba/atorralba/promote-xslt-injection
Java: Promote XSLT Injection from experimental
2021-09-27 13:14:57 +02:00
Tony Torralba
6967b06dee Decouple XsltInjection.qll to reuse the taint tracking configuration 2021-09-27 11:59:51 +02:00
Tony Torralba
108118afa3 Use InlineExpectationsTest 2021-09-27 11:58:18 +02:00
Tony Torralba
c792567904 Move from experimental 2021-09-27 11:57:53 +02:00
Tony Torralba
6d9a88d1c8 Move to lib 2021-09-27 11:43:46 +02:00
Tony Torralba
94f32d2985 Decouple SpelInjection.qll to reuse the taint tracking configuration 2021-09-27 11:39:30 +02:00
Tony Torralba
569426b04e Consider subtypes of Expression and ExpressionParser
Add parseRaw as additional taint step
2021-09-27 11:38:12 +02:00
Tony Torralba
b985ddb868 Use InlineExpectationsTest 2021-09-27 11:37:41 +02:00
Tony Torralba
fc6af0476f Moved from experimental 2021-09-27 11:36:48 +02:00
Anders Schack-Mulligen
2cbad4aed6 Merge pull request #6600 from atorralba/atorralba/fix-conditionalbypass
Java: Fix performance of the query User-controlled bypass of sensitive method
2021-09-17 16:07:39 +02:00
Marcono1234
020aa4d94c Java: Address feedback and fix test failures 2021-09-16 14:10:48 +01:00
Tony Torralba
f18c163408 Improve handling of the 'author' word as an exception 2021-09-16 11:57:28 +02:00
Tony Torralba
21079a1315 Fix conditionControlsMethod predicate
Exceptions for throw and return statements were missing the appropriate condition
2021-09-15 17:51:51 +02:00
Tony Torralba
5ed9949498 Adapt InsecureBasicAuth to the previous commit 2021-09-15 17:20:28 +02:00
Tony Torralba
30178d4f23 Decouple InsecureBasicAuth.qll to reuse the taint tracking configuration 2021-09-15 17:20:27 +02:00
Tony Torralba
148443fae1 Use InlineExpectationsTest 2021-09-15 17:20:27 +02:00
Tony Torralba
2cada386b4 Refactored into InsecureBasicAuth.qll 2021-09-15 17:20:27 +02:00
Tony Torralba
905be67aae Moved from experimental 2021-09-15 17:20:27 +02:00
Anders Schack-Mulligen
3f7d6e6f85 Merge pull request #6136 from smowton/smowton/admin/spring-xss-content-type-sensitivity
Spring HTTP: improve content-type sensitivity
2021-09-15 09:50:56 +02:00
Chris Smowton
6cff0d0376 Merge pull request #6393 from luchua-bc/java/xss-jsf
Java: CWE-079 Query to detect XSS with JavaServer Faces (JSF)
2021-09-14 15:15:56 +01:00
Tony Torralba
4e93330cb9 Improved tests
Note that a FN test case was added
2021-09-14 15:51:08 +02:00
Anders Schack-Mulligen
26eafcb55a Merge pull request #6456 from smowton/smowton/admin/flexjson-unsafe-deserialization
Java: add unsafe-deserialization support for Flexjson
2021-09-14 14:33:22 +02:00
Tony Torralba
0640b41f00 Adjust tests 2021-09-14 13:44:53 +02:00
Chris Smowton
fcc0f1d5a7 Expand test to exercise all sinks 2021-09-14 12:27:33 +01:00
Tony Torralba
f8d1e2ac11 Refactor tests to use InlineExpectationsTest 2021-09-14 13:16:45 +02:00
luchua-bc
24addd5c10 Query to detect XSS with JavaServer Faces (JSF) 2021-09-14 11:47:32 +01:00
Chris Smowton
122ffca049 Merge pull request #6645 from Marcono1234/marcono1234/spurious-javadoc-param-generic-class
Java: Detect spurious param Javadoc tag of generic classes
2021-09-13 16:41:06 +01:00
Chris Smowton
9b488207eb Add support for the Flexjson framework to the unsafe-deserialization query 2021-09-10 16:27:23 +01:00
Chris Smowton
b47939c737 Note resolved spurious results 2021-09-10 16:10:54 +01:00
Chris Smowton
d940085384 Spring HTTP: inherit produced content-types from surrounding class 2021-09-10 16:10:52 +01:00
Chris Smowton
bdd135dbff Spring HTTP: mark explicitly content-typed body calls as sinks
Previously only the return from the request-handler method constituted a sink, and was filtered by the Produces annotation if any, even though a BodyBuilder could explicitly override.

These sinks are also marked as out-barriers to avoid duplicate paths when the Produces annotation is in agreement.
2021-09-10 16:10:50 +01:00
Chris Smowton
701d0bcdca Spring content types: recognise constant content-type strings 2021-09-10 16:10:48 +01:00
Chris Smowton
3b6cc97557 Sanitize Spring bodies directly associated with an XSS-safe Content-Type 2021-09-10 16:10:44 +01:00
Benjamin Muskalla
9d5e48430e Merge branch 'main' into charSeqSubSeq 2021-09-09 16:04:36 +02:00
Benjamin Muskalla
eef044f4d0 Add test to capture expected parameter format 2021-09-09 13:05:15 +02:00
Benjamin Muskalla
a1b7437f8d Merge branch 'main' into thirdpartyapitelemtry 2021-09-09 11:11:42 +02:00
Marcono1234
a173d9593b Java: Detect spurious param Javadoc tag of generic classes 2021-09-09 00:11:02 +02:00
Anders Schack-Mulligen
f30dad7705 Dataflow: Update test expected outputs. 2021-09-07 13:02:20 +02:00
Benjamin Muskalla
51475d2fb0 Merge branch 'main' into thirdpartyapitelemtry 2021-09-03 14:23:31 +02:00
Benjamin Muskalla
ab5c1d6bdd Rework filter to exclude simple constructors 2021-09-03 13:38:01 +02:00
Benjamin Muskalla
9ed14b438e Use readable format for APIs 2021-09-03 11:53:18 +02:00
Benjamin Muskalla
4b02e266fd Fix test as we support explicit collection types 2021-09-03 11:37:39 +02:00
Benjamin Muskalla
ee8958ba03 Fix nodes for local taint test 2021-09-01 15:55:59 +02:00
Benjamin Muskalla
d178fe4e5d Fix failing tests 2021-09-01 15:41:16 +02:00
Benjamin Muskalla
93bc8aa7b2 Fix tests to take trim into account 2021-09-01 15:41:15 +02:00
Chris Smowton
48818ebd6d Merge pull request #6434 from smowton/smowton/admin/jodd-unsafe-deserialization
Java: Unsafe deserialization: add support for Jodd JSON library
2021-08-18 17:26:02 +01:00
Benjamin Muskalla
1d3bcdf522 Align tests with new query structure 2021-08-16 21:55:00 +02:00
Sauyon Lee
9c1d5a70e3 Java: Add test for XSS sanitizer 2021-08-12 11:20:49 -07:00
Benjamin Muskalla
26ffe6c03d Add tests for telemetry queries 2021-08-11 15:32:09 +02:00
Chris Smowton
0b6c991ac4 Unsafe deserialization: add support for Jodd JSON library 2021-08-05 16:01:14 +01:00