hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 11:16:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
81,788 Commits 1,672 Branches 157 Tags
codeql-cli-2.22.4
Commit Graph

5752 Commits

Author SHA1 Message Date
Artem Smotrakov
9b953cf0fc Apply suggestions from code review 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-08-01 09:47:07 +02:00
Fosstars
ad54c9d937 Two queries for timing attacks 2021-08-01 09:47:07 +02:00
Artem Smotrakov
e3b6ceade5 Renamed NonConstantTimeCryptoComparison.ql to NonConstantTimeCheckOnSignature.ql 2021-08-01 09:47:06 +02:00
Artem Smotrakov
8b557765b3 Narrow NonConstantTimeCryptoComparison.ql to timing attack on signatures and MACs only 2021-08-01 09:47:06 +02:00
Artem Smotrakov
c359852608 Consider only Cipher.ENCRYPT_MODE in NonConstantTimeCryptoComparison.ql 2021-08-01 09:47:06 +02:00
Artem Smotrakov
1f2a9cdda7 Added taint propagation steps for hashes in NonConstantTimeCryptoComparison.ql 2021-08-01 09:47:06 +02:00
Artem Smotrakov
c96d939cf5 Covered custom fast-fail checks in NonConstantTimeCryptoComparison.ql 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2021-08-01 09:47:06 +02:00
Artem Smotrakov
6500a1bbbb More references in NonConstantTimeCryptoComparison.qhelp 2021-08-01 09:47:05 +02:00
Artem Smotrakov
860e8f379e Better signatures in java/non-constant-time-crypto-comparison 2021-08-01 09:47:05 +02:00
Artem Smotrakov
1b4ee05b80 Better docs for java/non-constant-time-crypto-comparison 2021-08-01 09:47:05 +02:00
Artem Smotrakov
295fd686ce Make java/non-constant-time-crypto-comparison a warning 2021-08-01 09:47:04 +02:00
Artem Smotrakov
c977fd09cb Better constant check in java/non-constant-time-crypto-comparison 2021-08-01 09:47:04 +02:00
Artem Smotrakov
d01dc35011 Less duplicate code in java/non-constant-time-crypto-comparison 2021-08-01 09:47:04 +02:00
Artem Smotrakov
40e513ba52 Added more taint propagation steps for InputStream and ByteBuffer 2021-08-01 09:47:04 +02:00
Artem Smotrakov
a4f3a5a88e Take into account remote user input in java/non-constant-time-crypto-comparison 2021-08-01 09:47:03 +02:00
Artem Smotrakov
8e6d227dc0 More sinks for java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCryptoComparison.ql 2021-08-01 09:47:03 +02:00
Artem Smotrakov
dfa3b523d0 Renamed files 2021-08-01 09:47:03 +02:00
Artem Smotrakov
75f67959f3 Covered Arrays.deepEquals() in NonConstantTimeCryptoComparison.ql 2021-08-01 09:47:02 +02:00
Artem Smotrakov
5dbcf1d611 Covered Object.deepEquals() in NotConstantTimeCryptoComparison.ql 2021-08-01 09:47:02 +02:00
Artem Smotrakov
5c474f689d Better comments and descriptions 2021-08-01 09:47:02 +02:00
Artem Smotrakov
f245dc3ac8 Removed hashes from NotConstantTimeCryptoComparison.ql 2021-08-01 09:47:02 +02:00
Artem Smotrakov
8a69b7b3ac Added NotConstantTimeCryptoComparison.qhelp and examples 2021-08-01 09:47:01 +02:00
Artem Smotrakov
c2c85d32da Java: Added a query for timing attacks 2021-08-01 09:47:01 +02:00
Artem Smotrakov
7959e76da8 Better qldoc in UnsafeDeserializationQuery.qll 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-07-30 09:30:59 +02:00
Fosstars
a4b0041120 Better looksLikeResolveClassStep() predicate 2021-07-30 09:28:03 +02:00
Fosstars
1d3eb570bf hasJsonTypeInfoAnnotation() should check fields recursively 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-07-30 08:30:40 +02:00
Tony Torralba
29490e5872 Add suggestion from code review 2021-07-29 17:07:18 +02:00
Tony Torralba
3fcc9fae79 Refactor sinks to reuse code 2021-07-29 16:48:47 +02:00
Tony Torralba
6e3b6dcb98 Imporve qhelp 2021-07-29 16:36:38 +02:00
Tony Torralba
bdf0f582a4 QLDoc improvements from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-07-29 16:34:21 +02:00
Tony Torralba
90b5e02b6e Improve qhelp 2021-07-29 16:28:10 +02:00
Tony Torralba
4ea6729c53 Update java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2021-07-29 16:10:49 +02:00
mc
0a986ad0e8 Update JndiInjection.qhelp 
Improve negation
 2021-07-29 15:10:32 +01:00
Joe Farebrother
3bcb46f875 Model guava cache package 2021-07-29 14:52:26 +01:00
Tony Torralba
2628d3dc39 Improve csv sink models 2021-07-29 15:36:18 +02:00
Tony Torralba
3edc8bc679 Doc improvements 2021-07-29 15:35:39 +02:00
Tony Torralba
d9fb650dfb JacksonCreateParserMethod converted to CSV summay model 2021-07-29 15:19:30 +02:00
Tony Torralba
b20d53cfd4 Update java/ql/src/semmle/code/java/security/OgnlInjection.qll 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-07-29 15:08:27 +02:00
mc
8f1fc9e893 Update MvelInjection.qhelp 
Minor tweaks
 2021-07-29 11:30:19 +01:00
Joe Farebrother
3b430d4925 Use getComponentType 2021-07-29 10:11:22 +01:00
Joe Farebrother
f7099f459f Java: Test generator: use getComponentType 2021-07-29 10:08:45 +01:00
Artem Smotrakov
83a9b0ee28 Apply suggestions from code review 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-07-29 11:04:21 +02:00
mc
ebf004a4df Update MissingJWTSignatureCheck.qhelp 
Using same syntax as on other queries for 'BAD' and 'GOOD'.
 2021-07-29 09:13:00 +01:00
Benjamin Muskalla
b7b74b51a3 Track taint for String.valueOf(..) 2021-07-29 09:14:03 +02:00
Fosstars
50497eb747 Make imports as private as possible 2021-07-28 18:25:05 +02:00
Joe Farebrother
d900fcaf42 Merge pull request #6374 from joefarebrother/test-gen-improvements 
Java: Add support for synthetic fields to the test generator
 2021-07-28 16:02:47 +01:00
Joe Farebrother
9ddae3e9f6 Fix spelling 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2021-07-28 10:12:17 +01:00
haby0
eda3d864f5 Model written using smowton 2021-07-28 15:55:47 +08:00
Joe Farebrother
2d862ef119 Support synthetic fields 2021-07-27 17:28:53 +01:00
Chris Smowton
23de0859ea Add missing models and other minor improvements per Marcono1234's review 2021-07-27 16:03:39 +01:00