hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
79,000 Commits 1,671 Branches 157 Tags
codeql-cli-2.21.3
Commit Graph

1162 Commits

Author SHA1 Message Date
Owen Mansel-Chan
74a249597a Merge pull request #18607 from owen-mc/java/xss-content-type-sanitizer 
Java: Add XSS Sanitizer for `HttpServletResponse.setContentType` with safe values
 2025-02-24 23:39:18 +00:00
Jami Cogswell
26e396732a Java: edit qhelp 2025-02-24 18:33:43 -05:00
Jami Cogswell
53cb30dcd0 Java: update metadata, move from CWE-016 to CWE-200 2025-02-24 18:33:41 -05:00
Jami Cogswell
f65a5b9a66 Java: add test for qhelp good example 2025-02-24 18:27:45 -05:00
Jami Cogswell
9e51b014d2 Java: handle example in Spring docs 2025-02-24 18:27:43 -05:00
Jami Cogswell
b2469ff8ba Java: add APIs and tests for more recent Spring versions: authorizeHttpRequests, AuthorizeHttpRequestsConfigurer, securityMatcher(s) 2025-02-24 18:26:02 -05:00
Jami Cogswell
8dfb920e05 Java: refactor QL, move code to libraries 2025-02-24 18:24:48 -05:00
Jami Cogswell
8064e8f1f9 Java: convert tests to inline expectations 2025-02-24 18:24:26 -05:00
Jami Cogswell
089a491d5a Java: fix tests; update for non-experimental directory 2025-02-24 18:24:17 -05:00
Jami Cogswell
2ce5920c5e Java: copy out of experimental 2025-02-24 18:24:12 -05:00
Jonas Jensen
11a0a9f8af Java: StaticInitializationVector with postprocess 
Use the new `postprocess` feature for the test of
`StaticInitializationVector.ql`. This makes it easier to modify and test
this query for diff-informed operation.
 2025-02-24 13:33:02 +01:00
Jami
d94dc5aa40 Merge pull request #18504 from jcogs33/jcogs33/java/file-constructor-path-sanitizer 
Java: `File` constructor path sanitizer
 2025-02-18 08:00:32 -05:00
Jami Cogswell
2bb6a3914b Java: update tests 2025-02-14 15:16:08 -05:00
Jami Cogswell
530103e2d9 Java: narrow query 
remove PUT and DELETE from StaplerCsrfUnprotectedMethod

remove OPTIONS and TRACE from SpringCsrfUnprotectedMethod
 2025-01-30 10:14:31 -05:00
Jami Cogswell
d4114f66c2 Java: more name-based heuristic tests to test regex 2025-01-30 10:14:16 -05:00
Jami Cogswell
0ab37684e1 Java: more database update tests and stubs 2025-01-30 10:14:14 -05:00
Jami Cogswell
3bf6dc24c1 Java: Stapler tests and stubs 2025-01-30 10:14:11 -05:00
Jami Cogswell
fa27689719 Java: update InlineExpectationsTest import for new location 2025-01-30 10:14:05 -05:00
Jami Cogswell
ede9e78645 Java: remove exists variable in test 2025-01-30 10:14:01 -05:00
Jami Cogswell
c9ad15cc83 Java: update .expected file contents 2025-01-30 10:13:57 -05:00
Jami Cogswell
39ccde0c9d Java: add name-based heuristic 2025-01-30 10:13:54 -05:00
Jami Cogswell
0f39011122 Java: add taint-tracking config for execute to exclude FPs from non-update queries like select 2025-01-30 10:13:50 -05:00
Jami Cogswell
97aaf4c011 Java: handle MyBatis annotations for insert/update/delete 2025-01-30 10:13:48 -05:00
Jami Cogswell
df77d4914f Java: initial tests 2025-01-30 10:13:45 -05:00
Owen Mansel-Chan
0ccf4cecb8 Fix XSS FPs when content type is safe 2025-01-28 15:32:30 +00:00
Owen Mansel-Chan
9f3572d15a Reformat inline expectations (space after $) 2025-01-27 14:36:26 +00:00
Owen Mansel-Chan
05fb22e8ff Make test easier to understand 2025-01-27 14:10:19 +00:00
Jonas Jensen
773a98a9eb Merge pull request #18340 from jbj/diff-informed-getASelectedLocation 
Java: make more queries diff-informed with getASelectedLocation
 2025-01-22 14:25:33 +01:00
Owen Mansel-Chan
883301938b Merge pull request #18161 from owen-mc/java/weak-crypto-algo-more-informative 
Java: Make `java/weak-cryptographic-algorithm` give  a reason why the algo is insecure
 2025-01-13 23:43:04 +00:00
Chris Smowton
03c6529961 Spelling 2025-01-06 22:46:22 +01:00
Chris Smowton
5c2df36786 Exclude classes with a writeReplace method from serializability checks 2025-01-06 14:42:44 +00:00
Jonas Jensen
fea260bd55 Java: Diff-informed UnsafeHostnameVerification.ql 
This commit also adds a test case that would fail under `codeql test run
--check-diff-informed` if not for the override of
`getASelectedSourceLocation`. There was no existing such test since all
the existing tests used anonymous classes whose location was on the same
line as the source.
 2024-12-20 12:58:59 +01:00
Michael Nebel
0a1d2d0bbb Java: Update all test util paths to point to the new location. 2024-12-12 13:21:25 +01:00
Owen Mansel-Chan
066db766ef Merge pull request #18153 from owen-mc/java/resttemplate-getforobject 
Java: add SSRF sink model for the third parameter of `RestTemplate.getForObject`
 2024-12-11 16:37:35 +00:00
Jami Cogswell
121780c55a Java: add File.getName as a path injection sanitizer 2024-12-04 18:57:51 -05:00
Jeroen Ketema
89d20fd086 Java: Update expected test results 2024-12-03 19:18:59 +01:00
Owen Mansel-Chan
e6409e159f Give reason why crypto algorithm is insecure 2024-11-29 11:54:27 +00:00
Owen Mansel-Chan
7648d397f8 Improve model to remove some false positives 2024-11-29 09:46:41 +00:00
Owen Mansel-Chan
b5fbf2e944 Add models for third arg of getForObject 
No attempt to stop FPs.
 2024-11-28 16:51:13 +00:00
Anders Schack-Mulligen
df2e2e503a Merge pull request #17901 from aschackmull/java/allowlist-sanitizer 
Java: Add a default taint sanitizer for contains-checks on lists of constants
 2024-11-27 11:09:05 +01:00
Anders Schack-Mulligen
85778f7fea Java: Fix semantic merge conflict in expected file. 2024-11-27 08:53:41 +01:00
Anders Schack-Mulligen
a6fc41ec4b Java: Accept consistency failure. 2024-11-26 13:25:44 +01:00
Anders Schack-Mulligen
38eb3e4952 Java: Adjust expected output. 2024-11-26 13:25:44 +01:00
Anders Schack-Mulligen
2ff2d25784 Java: Cherry-pick test from https://github.com/github/codeql/pull/17051 2024-11-26 13:25:43 +01:00
Jami Cogswell
05b6700607 Java: add SHA384 to list of secure algorithms 2024-11-25 09:27:53 -05:00
Arthur Baars
c2b342f1a0 Merge pull request #18084 from github/aibaars/java-sha3 
Java: add SHA3 family to list of secure crypto algorithms
 2024-11-25 15:07:43 +01:00
Jami
f0045692a7 Merge pull request #17869 from jcogs33/jcogs33/improve-weak-crypto 
Java: Improve weak crypto query
 2024-11-24 12:04:00 -05:00
Arthur Baars
c6eaed343d Java: add SHA3 family to list of secure crypto algorithms 2024-11-22 19:03:00 +01:00
Arthur Baars
7f84cf6d72 Add test case 2024-11-22 19:02:11 +01:00
Tom Hvitved
95e9d013cc Update expected test output 2024-11-04 12:07:06 +01:00