Marcono1234
58d2d5d14e
Java: Replace incorrect usage of Literal.getLiteral()
2021-09-16 14:10:48 +01:00
Tony Torralba
f18c163408
Improve handling of the 'author' word as an exception
2021-09-16 11:57:28 +02:00
Tony Torralba
8022530f34
Merge pull request #5983 from atorralba/atorralba/promote-insecure-basic-auth
Java: Promote Insecure Basic Authentication query from experimental
2021-09-16 11:45:30 +02:00
Anders Schack-Mulligen
28e5dcef52
Java: Add container flow to the local taint flow relation.
2021-09-16 11:14:30 +02:00
Anders Schack-Mulligen
236ffc8972
Merge pull request #6700 from aschackmull/dataflow/subpaths-joinorder
Dataflow: Fix bad joinorder in subpaths
2021-09-16 08:22:59 +02:00
Tony Torralba
21079a1315
Fix conditionControlsMethod predicate
Exceptions for throw and return statements were missing the appropriate condition
2021-09-15 17:51:51 +02:00
Tony Torralba
d3cf697b07
QLDoc
2021-09-15 17:32:36 +02:00
Tony Torralba
5ed9949498
Adapt InsecureBasicAuth to the previous commit
2021-09-15 17:20:28 +02:00
Tony Torralba
2e08c5dd2b
Refactored HttpsUrls.ql
2021-09-15 17:20:28 +02:00
Anders Schack-Mulligen
c0fd44c909
Dataflow: Sync.
2021-09-15 16:10:54 +02:00
Anders Schack-Mulligen
3abe1b4fc6
Dataflow: Fix bad join-order.
2021-09-15 16:10:30 +02:00
Chris Smowton
03db15af9a
Merge pull request #6685 from smowton/smowton/admin/android-uri-model
Java: Add models for android.net.Uri[.Builder]
2021-09-15 10:48:33 +01:00
Anders Schack-Mulligen
8485b6f0b3
Merge pull request #6691 from bmuskalla/moreStringMethods
Java: Support String#getChars and #translateEscapes
2021-09-15 10:14:54 +02:00
Anders Schack-Mulligen
3f7d6e6f85
Merge pull request #6136 from smowton/smowton/admin/spring-xss-content-type-sensitivity
Spring HTTP: improve content-type sensitivity
2021-09-15 09:50:56 +02:00
Chris Smowton
5d737934c3
Don't inherit models from a final class
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
2021-09-14 16:37:07 +01:00
Chris Smowton
367a53dd71
Add models for android.net.Uri[.Builder]
2021-09-14 16:37:07 +01:00
Chris Smowton
406466de9a
Simplify specifiesContentType predicate
2021-09-14 15:24:46 +01:00
Chris Smowton
6cff0d0376
Merge pull request #6393 from luchua-bc/java/xss-jsf
Java: CWE-079 Query to detect XSS with JavaServer Faces (JSF)
2021-09-14 15:15:56 +01:00
Chris Smowton
a1ad1ddc10
Deprecate and replace uses of old name ServletWriterSource
2021-09-14 14:21:29 +01:00
Anders Schack-Mulligen
26eafcb55a
Merge pull request #6456 from smowton/smowton/admin/flexjson-unsafe-deserialization
Java: add unsafe-deserialization support for Flexjson
2021-09-14 14:33:22 +02:00
Chris Smowton
26dbf058c8
Add reverse import from ExternalFlow.qll
2021-09-14 12:35:33 +01:00
Chris Smowton
e439b7d7f8
Remove resource-related sources
These access application-owned resources AFAICT
2021-09-14 12:24:27 +01:00
Tony Torralba
097927226b
Improved heuristics to increase precision
2021-09-14 13:16:47 +02:00
Tony Torralba
1f7990d6bb
Refactor to use ConditionalBypassQuery.qll
2021-09-14 13:16:09 +02:00
Chris Smowton
104873e8ee
Autoformat
2021-09-14 12:07:59 +01:00
Chris Smowton
6811441459
Factor JSF source definitions
2021-09-14 12:07:48 +01:00
Chris Smowton
b7fc068cee
Move JSFRenderer.qll to lib
2021-09-14 11:49:01 +01:00
Chris Smowton
023c533745
Combine Servlet and JSF vulnerable writer flow-tracking
JSP and Servlet already shared this logic; might as well add JSF into the same mechanism.
2021-09-14 11:48:34 +01:00
luchua-bc
24addd5c10
Query to detect XSS with JavaServer Faces (JSF)
2021-09-14 11:47:32 +01:00
Chris Smowton
e92b9cbe99
Improve getAProducesExpr documentation
2021-09-14 11:16:45 +01:00
Benjamin Muskalla
199e015a06
Support missing String methods
2021-09-14 10:22:22 +02:00
Tom Hvitved
3bdc92ba8e
Merge pull request #6681 from hvitved/java/files-folders-drop-columns
Java: Drop redundant columns from `files` and `folders` relations
2021-09-13 17:43:31 +02:00
Anders Schack-Mulligen
7b764aec92
Merge pull request #6682 from aschackmull/java/callbacks
Java: Add support for callback-based library models.
2021-09-13 16:43:03 +02:00
Tom Hvitved
9fdcacd865
Java: Drop redundant columns from files and folders relations
2021-09-13 16:09:47 +02:00
Anders Schack-Mulligen
12aeaeed56
Java: Address review comment.
2021-09-13 16:03:50 +02:00
Anders Schack-Mulligen
89a6cdc711
Java: Add support for callback-based library models.
2021-09-13 14:49:28 +02:00
Ian Lynagh
3404bcf265
Merge pull request #6680 from github/igfoo/java_location
Java: Use the standard URL format for Location.toString()
2021-09-13 13:43:32 +01:00
Ian Lynagh
4fbb165dce
Java: Use the standard URL format for Location.toString()
2021-09-13 12:53:50 +01:00
Chris Smowton
95046b9bb1
Factor JaxRS models
2021-09-10 16:36:40 +01:00
Chris Smowton
451a46bf0e
Add models for getLanguage, getMediaType
2021-09-10 16:36:38 +01:00
Chris Smowton
5e7a3ca2e6
Model UriInfo.relativize and resolve.
2021-09-10 16:36:37 +01:00
Chris Smowton
f1c3a11103
Add sources for Jax-RS filters
2021-09-10 16:36:34 +01:00
Chris Smowton
d83ed33252
Make supertype consideration consistent
2021-09-10 16:27:28 +01:00
Chris Smowton
9b488207eb
Add support for the Flexjson framework to the unsafe-deserialization query
2021-09-10 16:27:23 +01:00
Chris Smowton
655236c70d
Remove no-longer-needed generic specifiers
2021-09-10 16:10:55 +01:00
Chris Smowton
d940085384
Spring HTTP: inherit produced content-types from surrounding class
2021-09-10 16:10:52 +01:00
Chris Smowton
bdd135dbff
Spring HTTP: mark explicitly content-typed body calls as sinks
Previously only the return from the request-handler method constituted a sink, and was filtered by the Produces annotation if any, even though a BodyBuilder could explicitly override.
These sinks are also marked as out-barriers to avoid duplicate paths when the Produces annotation is in agreement.
2021-09-10 16:10:50 +01:00
Chris Smowton
701d0bcdca
Spring content types: recognise constant content-type strings
2021-09-10 16:10:48 +01:00
Chris Smowton
4397371a50
Spring constant media types: recognise constant string versions
Previously we only recognised the constant MediaTypes
2021-09-10 16:10:47 +01:00
Chris Smowton
b9b34eb0ee
Move Spring XSS sink definition into SpringHttp.qll
2021-09-10 16:10:45 +01:00