Jonas Jensen
5bebae9abf
Java: Diff-informed ImproperIntentVerification.ql
2024-12-20 13:01:07 +01:00
Jonas Jensen
e799bff744
Java: Diff-informed TaintedPermissionsCheck.ql
2024-12-20 13:01:06 +01:00
Jonas Jensen
011d667f06
Java: Diff-informed PredictableSeed.ql
2024-12-20 13:01:05 +01:00
Jonas Jensen
a928a0d2b5
Java: Diff-informed BrokenCryptoAlgorithm.ql
2024-12-20 13:01:04 +01:00
Jonas Jensen
fea260bd55
Java: Diff-informed UnsafeHostnameVerification.ql
...
This commit also adds a test case that would fail under `codeql test run
--check-diff-informed` if not for the override of
`getASelectedSourceLocation`. There was no existing such test since all
the existing tests used anonymous classes whose location was on the same
line as the source.
2024-12-20 12:58:59 +01:00
Jonas Jensen
8224ef6929
Java: Diff-informed InsecureTrustManager.ql
2024-12-20 11:22:58 +01:00
Jonas Jensen
eac1a4c002
Java: Diff-informed SqlTainted.ql
2024-12-20 11:22:57 +01:00
Jonas Jensen
2561cec80c
Java: Diff-informed CommandLineQuery
2024-12-20 11:22:56 +01:00
Michael Nebel
aaf0cd5dee
Merge pull request #17968 from michaelnebel/java/movetestutils
...
Move test utilities to the query pack.
2024-12-16 13:41:30 +01:00
Michael Nebel
0bfc1b6ea8
Also move the postprocessing queries to the library pack.
2024-12-12 15:03:03 +01:00
Michael Nebel
941b0abbf6
Move modules to the library packs.
2024-12-12 15:03:01 +01:00
Owen Mansel-Chan
8703e21f62
Merge pull request #17996 from owen-mc/java/lightweight-IR-layer-classes
...
Java: Make separate classes for different control flow node kinds
2024-12-12 13:36:54 +00:00
Owen Mansel-Chan
8e11789186
Restore asStmt, asExpr and asCall to Node
...
It doesn't really make sense to define them in terms of dispatch.
2024-12-12 12:30:01 +00:00
Owen Mansel-Chan
066db766ef
Merge pull request #18153 from owen-mc/java/resttemplate-getforobject
...
Java: add SSRF sink model for the third parameter of `RestTemplate.getForObject`
2024-12-11 16:37:35 +00:00
Jami
538dee81b6
Merge pull request #18214 from jcogs33/jcogs33/java/file-getname-path-sanitizer
...
Java: add File.getName as a path injection sanitizer
2024-12-11 10:18:02 -05:00
Owen Mansel-Chan
1420bce36a
Move import statement in SpringWebClient.qll
2024-12-11 14:19:24 +00:00
Owen Mansel-Chan
aaa4361120
Rearrange member predicates in ControlFlow::Node
...
Put all the ones which might need to be overrridden by subclasses
together for ease of reading.
2024-12-11 10:34:18 +00:00
Owen Mansel-Chan
79f4f78fc2
Make separate classes for control flow node kinds
...
This puts all the logic of a particular control flow node kind into one
place and makes it easier to add new kinds.
2024-12-11 10:34:16 +00:00
Owen Mansel-Chan
3f5886ef7a
Accept another review suggestion
2024-12-10 15:26:17 +00:00
Owen Mansel-Chan
2da9bfb1a6
Finish renaming getCFGNode to getCfgNode
2024-12-10 15:26:16 +00:00
Owen Mansel-Chan
274281f61e
Apply all suggestions from code review
...
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com >
2024-12-10 15:26:14 +00:00
Owen Mansel-Chan
d06dfe0ca3
Add change note
2024-12-10 15:26:13 +00:00
Owen Mansel-Chan
0f3dd6d8f1
Java: IPA the CFG
2024-12-10 15:26:11 +00:00
Jami Cogswell
214da9e9ad
Java: add change note
2024-12-06 19:59:40 -05:00
Owen Mansel-Chan
347fd575a2
Refactor to avoid duplicated logic
2024-12-05 11:15:43 +00:00
Owen Mansel-Chan
b20b7c7572
Remove escaped "{" and "}" before counting placeholders
2024-12-05 10:43:13 +00:00
Anders Schack-Mulligen
4bf63fedc9
Merge pull request #18179 from aschackmull/dataflow/accesspath-notypes
...
Dataflow: Remove tracked types from Access Paths, track tainted object type, and tweak type pruning.
2024-12-05 09:58:36 +01:00
Jami Cogswell
121780c55a
Java: add File.getName as a path injection sanitizer
2024-12-04 18:57:51 -05:00
github-actions[bot]
cf71a1525b
Post-release preparation for codeql-cli-2.20.0
2024-12-04 18:36:17 +00:00
github-actions[bot]
96564b7128
Release preparation for version 2.20.0
2024-12-04 16:01:14 +00:00
Henry Mercer
963f084d87
Merge branch 'main' into henrymercer/merge-back-rc-3.16
2024-12-04 13:39:10 +00:00
Anders Schack-Mulligen
03fdceb0fd
Merge pull request #18191 from aschackmull/dataflow/remove-deprecated-lib
...
Dataflow: Delete the old configuration-class based api.
2024-12-04 11:31:46 +01:00
Owen Mansel-Chan
5351f5b69d
Update wording of alert (accepting review suggestion)
...
Co-authored-by: Chris Smowton <smowton@github.com >
2024-12-04 10:31:14 +00:00
Anders Schack-Mulligen
5042753b29
C#/Java: Add change notes.
2024-12-04 10:20:43 +01:00
Owen Mansel-Chan
95116eec51
Update recommendations
2024-12-04 00:42:23 +00:00
Anders Schack-Mulligen
b12a1c078c
Java: Delete deprecated extension points referencing deleted api.
2024-12-03 20:08:44 +01:00
Anders Schack-Mulligen
cca27e4c77
Add change notes for all languages.
2024-12-03 19:42:33 +01:00
Anders Schack-Mulligen
2c0baff76a
Java: Delete deprecated data flow api.
2024-12-03 14:13:03 +01:00
Tom Hvitved
fbeb6f3940
Shared: Move shared logic into FlowSummaryImpl.qll
2024-12-03 09:11:11 +01:00
Owen Mansel-Chan
5c99c8cc37
Improve suggestion for ECB
2024-11-29 14:05:07 +00:00
Owen Mansel-Chan
09240e46f2
Refactor: use concat instead of hand-written version
...
This changes the order of the algorithms in the regex, but I don't think
that makes any difference.
2024-11-29 11:54:29 +00:00
Owen Mansel-Chan
e6409e159f
Give reason why crypto algorithm is insecure
2024-11-29 11:54:27 +00:00
Owen Mansel-Chan
2c061b0d56
Add QLDoc for HostnameSanitizingPrefix
2024-11-29 09:46:44 +00:00
Owen Mansel-Chan
7f8a1ae941
Add change note
2024-11-29 09:46:42 +00:00
Owen Mansel-Chan
7648d397f8
Improve model to remove some false positives
2024-11-29 09:46:41 +00:00
Owen Mansel-Chan
617f4f140e
Make HostnameSanitizingPrefix public
2024-11-29 09:46:39 +00:00
Owen Mansel-Chan
ba3f9d6134
Convert model to QL
2024-11-29 09:46:38 +00:00
Owen Mansel-Chan
b5fbf2e944
Add models for third arg of getForObject
...
No attempt to stop FPs.
2024-11-28 16:51:13 +00:00
Owen Mansel-Chan
65fb895ed5
(Unrelated) Fix typo in class name
2024-11-28 16:51:09 +00:00
Anders Schack-Mulligen
df2e2e503a
Merge pull request #17901 from aschackmull/java/allowlist-sanitizer
...
Java: Add a default taint sanitizer for contains-checks on lists of constants
2024-11-27 11:09:05 +01:00
