hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
81,514 Commits 1,671 Branches 157 Tags
codeql-cli-2.22.3
Commit Graph

13529 Commits

Author SHA1 Message Date
Bt2018
3b1dad84b3 The query help builder will interpret and automatically add the reference so this isn't needed here. And one typo is corrected. 2020-05-04 07:39:45 -04:00
Bt2018
5c803b70c5 The query help builder will interpret and automatically add this reference so this isn't needed here. 2020-05-04 07:05:15 -04:00
Bt2018
a6c9c5117f Update java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2020-05-04 06:58:34 -04:00
Bt2018
a2560656d5 Update java/ql/src/experimental/CWE-532/SensitiveInfoLog.qhelp 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2020-05-04 06:57:42 -04:00
Mithrilwoodrat
a7960c3385 Update java/ql/src/experimental/Security/CWE/CWE-1004/InsecureTomcatConfig.qhelp 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2020-05-04 17:48:41 +08:00
mithrilwoodrat
1053aa4c44 add query to found Tomcat config disables 'HttpOnly' flag 2020-05-04 12:26:03 +08:00
Grzegorz Golawski
f893954ea3 Add Spring LDAP and JMXServiceURL related sinks 2020-05-03 20:51:50 +02:00
Anders Schack-Mulligen
29a5ea121a Merge pull request #2901 from ggolawski/java-spring-boot-actuators 
CodeQL query to detect open Spring Boot actuator endpoints
 2020-04-29 15:10:54 +02:00
Anders Schack-Mulligen
b6a7ab8bf4 Merge pull request #3372 from aibaars/spring-multipart 
Java: add `org.springframework.web.multipart.MultipartFile::getX` as RemoteFlowSource
 2020-04-29 11:35:04 +02:00
Arthur Baars
d7774788b3 Java: add Spring MultipartFile as RemoteFlowSource 2020-04-28 16:57:03 +02:00
Arthur Baars
ae2bab7e9c Add test case 2020-04-28 16:57:03 +02:00
Anders Schack-Mulligen
bc7163aa68 Merge pull request #3216 from aibaars/message-digest 
Java: teach Encryption.qll about MessageDigest.getInstance
 2020-04-28 11:41:53 +02:00
Arthur Baars
31e284a707 Add test case 2020-04-28 11:26:43 +02:00
Arthur Baars
9742d3892d Java: Add org.apache.commons.codec.(De|En)coder to TainTrackingUtil 
The commons codec library contains many encoder and decoder methods
and is fairly commonly used.
 2020-04-28 11:26:43 +02:00
Grzegorz Golawski
31a2972eca Remove qlpack.yml as these are not needed 2020-04-27 23:32:48 +02:00
Grzegorz Golawski
0c75330e42 Remove qlpack.yml as these are not needed 2020-04-27 23:31:10 +02:00
Grzegorz Golawski
639aa826ea Remove qlpack.yml as these are not needed 2020-04-27 23:26:59 +02:00
Grzegorz Golawski
d590f3fba8 CodeQL query to detect XSLT injections 2020-04-27 22:35:35 +02:00
yo-h
97f4cb64ef Merge pull request #3349 from aschackmull/java/qldoc1 
Java: Improve qldoc coverage.
 2020-04-27 12:49:23 -04:00
Tom Hvitved
d28c4fb0f5 Merge pull request #3202 from jbj/pathStep-join-unique 
Java/C++/C#: Use `unique` to improve join order fix
 2020-04-27 13:06:27 +02:00
Arthur Baars
59869ace63 Java: teach Encryption.qll about MessageDigest.getInstance 
We already modelled usage of the protected `MessageDigest(String algo)`
constructor as a crypto algorithm specification. For some reason we did
not model the more commonly used public `MessageDigest.getInstance` method.
 2020-04-25 00:41:10 +02:00
Anders Schack-Mulligen
beab320557 Java: Add more qldoc. 2020-04-24 14:17:47 +02:00
Grzegorz Golawski
40fcd4cbe5 Fix references 2020-04-19 20:49:07 +02:00
Grzegorz Golawski
457e2eaf59 CodeQL query to detect OGNL injections 2020-04-19 20:31:57 +02:00
Grzegorz Golawski
af48bc3e57 CodeQL query to detect JNDI injections 2020-04-17 21:45:42 +02:00
Tom Hvitved
05ec75558d Java: Update test 2020-04-17 13:49:08 +02:00
Tom Hvitved
1b6e978a62 Data flow: Sync files 2020-04-17 13:49:06 +02:00
Pavel Avgustinov
6737e99d65 Merge pull request #3209 from hmakholm/baselib-extractor 
Add extractor field in base language QL packs
 2020-04-09 15:24:49 +01:00
luchua-bc
b7f2d32fb0 Address improper URL authorization 2020-04-08 22:41:11 -04:00
luchua-bc
e1a680cd86 Address improper URL authorization 2020-04-08 22:41:11 -04:00
yo-h
9a79e3be2c Java 14: add PREVIEW FEATURE notes to QLDoc 2020-04-07 22:22:10 -04:00
yo-h
697b273e32 Java 14: update expected test output 2020-04-07 22:22:10 -04:00
yo-h
e12de3b021 Java 14: add dbscheme upgrade script for records 2020-04-07 22:22:09 -04:00
yo-h
70e09ddb88 Java 14: add dbscheme stats for records 2020-04-07 22:22:08 -04:00
yo-h
662cff8316 Java 14: add class Record to Type.qll 2020-04-07 22:22:08 -04:00
yo-h
e1787f58aa Java 14: add isRecord relation to dbscheme 2020-04-07 22:22:08 -04:00
yo-h
b763342277 Java 14: account for instanceof pattern matching 2020-04-07 22:22:07 -04:00
yo-h
9d2f76849b Java 14: switch expressions are no longer in preview 2020-04-07 22:22:07 -04:00
Henning Makholm
d1ff3211ef Add extractor fields to test qlpack.yml files. 2020-04-06 19:21:41 +02:00
Henning Makholm
bf579dedd4 Add extractor field in base language QL packs 2020-04-06 18:48:01 +02:00
Jonas Jensen
46fc91315b Java/C++/C#: Revert the join order fix from #2872 
This revert brings back the performance problems in
`DataFlowImplLocal.qll` so they can be fixed in a different way. The fix
in #2872 was asymptotically good but had undesired overhead because it
introduced another predicate in the SCC that existed purely for join
ordering.

I did the revert by inlining the helper predicate, eliminating the
`enclosing` variable, and re-ordering the resulting lines to what they
were before #2872.
 2020-04-06 10:04:50 +02:00
Robert
1096e5d947 Merge pull request #3163 from robertbrignull/code_scanning_suites 
Add code-scanning suites
 2020-04-06 08:45:40 +01:00
Grzegorz Golawski
1d8da905ac Make the test runnable via codeql test run 2020-04-03 21:44:13 +02:00
ggolawski
79d7ea36ff Update java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll 
Co-Authored-By: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2020-04-03 21:36:34 +02:00
Grzegorz Golawski
6ca963a8c8 Fix 2020-04-03 00:30:02 +02:00
Grzegorz Golawski
f05b2af69d Move to experimental 2020-04-03 00:27:51 +02:00
Grzegorz Golawski
cffe89f652 Merge branch 'master' into java-spring-boot-actuators 2020-04-02 22:06:25 +02:00
Anders Schack-Mulligen
01157e43e3 Merge pull request #2899 from p-/cwe-036 
Java: Calling openStream on URLs created from remote source can lead to file disclosure
 2020-04-02 13:55:06 +02:00
Peter Stöckli
ca80bfda4f Fix tags 2020-04-02 07:43:55 +02:00
Peter Stöckli
36c351dc68 Add input from documentation review 2020-04-01 17:59:45 +02:00