hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,246 Commits 1,672 Branches 157 Tags
codeql-cli-2.23.0
Commit Graph

5817 Commits

Author SHA1 Message Date
Raul Garcia
0dbb03f732 Adding CVE information. 2022-07-12 21:49:19 -07:00
Raul Garcia
a4adf06713 Addressing feedback for the qhelp file. 2022-07-12 13:51:12 -07:00
Raul Garcia
64343e00f4 Update java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql 
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-07-12 08:14:25 -07:00
Raul Garcia
8a48708014 Update java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql 
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-07-12 08:14:13 -07:00
Raul Garcia
2bac181094 Update java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql 
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-07-12 08:13:53 -07:00
Raul Garcia
a4e35a97ea Update java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql 
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-07-12 08:13:38 -07:00
Raul Garcia
a51d713925 Update java/ql/src/experimental/Security/CWE/CWE-327/Azure/UnsafeUsageOfClientSideEncryptionVersion.ql 
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-07-12 08:13:12 -07:00
Erik Krogh Kristensen
220ff3cb2e convert tabs to spaces in qhelp 2022-07-12 16:02:50 +02:00
Erik Krogh Kristensen
ff25451699 rename query to overly-large-range, and rewrite the @description 2022-07-12 16:02:46 +02:00
Shyam Mehta
65b9947428 Incorporate jksco's feedback 2022-07-12 02:02:31 -04:00
smehta23
781a2a73d3 Merge branch 'main' into feat/SM/java_partial_path_traversal_vulnerability 2022-07-12 01:48:12 -04:00
Raul Garcia
d5791e2d56 Addressing feedback from the PR 2022-07-11 15:45:15 -07:00
Raul Garcia
ac05577966 Making various changes based on the feedback. Pending: 2 non-trivial fixes for Java & Python. 2022-07-11 13:25:35 -07:00
Chris Smowton
74641ccfee Simplify test for no-arg constructor 2022-07-11 11:01:19 +01:00
Raul Garcia
01da877d0e Moving the new query to experimental. It was added to the wrong folder initially. 2022-07-06 14:07:14 -07:00
Raul Garcia
f5c6b45014 Update UnsafeUsageOfClientSideEncryptionVersion.qhelp 2022-07-05 13:58:11 -07:00
Raul Garcia
e43e5810cf New queries to detect unsafe client side encryption in Azure Storage 2022-07-01 17:08:35 -07:00
Shyam Mehta
39f885413f Change log 2022-07-01 11:34:56 -04:00
smehta23
391dd5b38d Update java/ql/src/Security/CWE/CWE-023/PartialPathTraversalGood.java 
Co-authored-by: Jonathan Leitschuh <jonathan.leitschuh@gmail.com>
 2022-07-01 10:55:58 -04:00
smehta23
ebe48ec30a Update java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.qhelp 
Co-authored-by: Jonathan Leitschuh <jonathan.leitschuh@gmail.com>
 2022-07-01 10:53:43 -04:00
smehta23
48e16e52b5 Update java/ql/src/Security/CWE/CWE-023/PartialPathTraversal.qhelp 
Co-authored-by: Jonathan Leitschuh <jonathan.leitschuh@gmail.com>
 2022-07-01 10:52:41 -04:00
Shyam Mehta
1a41d4c379 Add CVE number 2022-07-01 10:51:33 -04:00
Shyam Mehta
300a14c35c Add ESAPI reference 2022-07-01 10:43:59 -04:00
smehta23
209a21655a Update java/ql/src/Security/CWE/CWE-023/PartialPathTraversalGood.java 
Co-authored-by: Jonathan Leitschuh <jonathan.leitschuh@gmail.com>
 2022-07-01 10:40:38 -04:00
smehta23
c6f2f61bfb Update java/ql/src/Security/CWE/CWE-023/PartialPathTraversalBad.java 
Co-authored-by: Jonathan Leitschuh <jonathan.leitschuh@gmail.com>
 2022-07-01 10:39:46 -04:00
Shyam Mehta
16814071df Fix typo in .qhelp 2022-06-29 18:03:57 -04:00
Shyam Mehta
7ab8f0262c Fix duplicate class header and better fix using toPath() 2022-06-29 18:01:12 -04:00
Shyam Mehta
955e614563 Add documentation of the Partial Path Traversal vuln 2022-06-29 17:31:04 -04:00
Andrew Eisenberg
fbeecd6c08 Merge pull request #9744 from github/aeisenberg/move-contextual-queries 2022-06-29 11:44:33 -07:00
Andrew Eisenberg
ddf06f8617 Add change notes and qldoc for moved files 2022-06-29 10:03:12 -07:00
Andrew Eisenberg
a3f4d1bf66 Move contextual queries from src to lib 
With this change, users are now able to run View AST command in
vscode within vscode workspaces that do not include the core libraries.
The relevant core library only needs to be installed in the package
cache.
 2022-06-29 07:51:26 -07:00
Erik Krogh Kristensen
9ecc3a2671 filter out potential misparses from java/suspicious-regexp-range 2022-06-29 13:16:40 +02:00
Tony Torralba
12fa6967dc Merge pull request #8669 from joefarebrother/intent-verification 
Java: Add query for Improper Verification of Intent by Broadcast Receiver (CWE-925)
 2022-06-29 09:43:07 +02:00
Shyam Mehta
b5ca2c3d9d Add additional tests from real world query run 2022-06-28 17:32:20 -04:00
Shyam Mehta
7122f29296 Finish Partial Path Traversal Query 2022-06-28 15:02:06 -04:00
Shyam Mehta
4c7d476280 [JAVA] Partial Path Traversal Vuln Query 2022-06-28 13:52:41 -04:00
Erik Krogh Kristensen
a343ceaf8b add suspicious-regexp-range query 2022-06-28 09:49:27 +02:00
Asger F
cc57cb8af5 Merge branch 'main' into post-release-prep/codeql-cli-2.10.0 2022-06-27 20:37:25 +02:00
github-actions[bot]
d506f448ef Post-release preparation for codeql-cli-2.10.0 2022-06-24 07:36:33 +00:00
Erik Krogh Kristensen
13482fc97b rename ReDoSUtil to NfaUtils, and rename the "performance" folder to "regexp" 2022-06-23 14:36:25 +02:00
github-actions[bot]
a74051c658 Release preparation for version 2.10.0 2022-06-23 11:17:46 +00:00
Tamas Vajk
cf18a9a04b Fix bad join order in Shadowing::shadows 
Fixes the bad join order in `Shadowing::shadows`:
Tuple counts for Shadowing::shadows#f4fb89a3#ffff@c4b8a90j:
           182915  ~0%    {2} r1 = Variable::LocalVariableDecl::getCallable#dispred#f0820431#ff AND NOT Shadowing::shadows#f4fb89a3#ffff#antijoin_rhs(Lhs.0, Lhs.1)
           182915  ~0%    {3} r2 = JOIN r1 WITH localvars ON FIRST 1 OUTPUT Lhs.1, Lhs.0, Rhs.2
           182915  ~3%    {4} r3 = JOIN r2 WITH Member::Member::getDeclaringType#dispred#f0820431#bf ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.0, Lhs.2
           182833  ~0%    {4} r4 = JOIN r3 WITH classes ON FIRST 1 OUTPUT Lhs.1, Lhs.2, Lhs.3, Lhs.0
           182833  ~3%    {5} r5 = JOIN r4 WITH Element::Element::getName#dispred#f0820431#ff ON FIRST 1 OUTPUT Lhs.2, Lhs.0, Lhs.1, Lhs.3, Rhs.1
        183352620  ~5%    {5} r6 = JOIN r5 WITH Member::Field::getType#dispred#f0820431#bf_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.3, Lhs.1, Lhs.2, Lhs.4
            40529  ~0%    {5} r7 = JOIN r6 WITH Member::Field::getDeclaringType#dispred#f0820431#fb ON FIRST 2 OUTPUT Lhs.0, Lhs.4, Lhs.2, Lhs.3, Lhs.1
              678  ~4%    {4} r8 = JOIN r7 WITH Element::Element::getName#dispred#f0820431#ff ON FIRST 2 OUTPUT Lhs.2, Lhs.3, Lhs.4, Lhs.0
              670  ~4%    {4} r9 = r8 AND NOT Member::Field::isStatic#dispred#f0820431#b(Lhs.3)
              670  ~3%    {4} r10 = SCAN r9 OUTPUT In.0, In.2, In.3, In.1
                          return r10

After the fix:
Tuple counts for Shadowing::shadows#f4fb89a3#ffff@95ca976v:
        182915  ~0%    {2} r1 = Variable::LocalVariableDecl::getCallable#dispred#f0820431#ff AND NOT Shadowing::shadows#f4fb89a3#ffff#antijoin_rhs(Lhs.0, Lhs.1)
        182915  ~0%    {3} r2 = JOIN r1 WITH localvars ON FIRST 1 OUTPUT Lhs.1, Lhs.0, Rhs.2
        182915  ~0%    {4} r3 = JOIN r2 WITH Member::Member::getDeclaringType#dispred#f0820431#bf ON FIRST 1 OUTPUT Lhs.1, Lhs.0, Lhs.2, Rhs.1
        182915  ~7%    {5} r4 = JOIN r3 WITH Element::Element::getName#dispred#f0820431#ff ON FIRST 1 OUTPUT Lhs.3, Rhs.1, Lhs.2, Lhs.0, Lhs.1
           678  ~4%    {4} r5 = JOIN r4 WITH Shadowing::getField#f4fb89a3#ffff ON FIRST 3 OUTPUT Lhs.3, Lhs.4, Lhs.0, Rhs.3
           670  ~4%    {4} r6 = r5 AND NOT Member::Field::isStatic#dispred#f0820431#b(Lhs.3)
           670  ~3%    {4} r7 = SCAN r6 OUTPUT In.0, In.2, In.3, In.1
                       return r7
 2022-06-23 10:30:39 +02:00
Chris Smowton
1f9f6d7c33 Java: Report log-injection at the source rather than the sink 
This should remove the problem of excessive grouping of different alerts that share a sink location, often due to wrapper functions that form the ultimate sink of all logging calls in a given codebase.
 2022-06-22 13:05:20 +01:00
Anders Schack-Mulligen
df6d68b215 Merge pull request #9618 from aschackmull/dataflow/deprecate-barrierguard-class 
Dataflow: Deprecate BarrierGuard class
 2022-06-22 10:44:08 +02:00
Michael Nebel
24ba5cc06e Merge pull request #9025 from michaelnebel/csharp/generatedrefactor 
C#: Provenance column in Models as Data CSV format.
 2022-06-22 10:34:31 +02:00
Michael Nebel
2b892bc000 Merge pull request #9553 from michaelnebel/csharp/narrowtelemetry 
C#/Java: Only display 1k most relevant results for ExternalApi telemetry queries.
 2022-06-22 07:35:56 +02:00
Edoardo Pirovano
70dbd92e25 Bump minor version of all regularly released packs 2022-06-21 11:22:58 +01:00
Edoardo Pirovano
ad02b85efa Merge branch main into rc/3.6 2022-06-21 11:15:25 +01:00
Michael Nebel
b6ccaf14f6 Java: Update Log4J models with provenance information. 2022-06-20 16:20:02 +02:00
Michael Nebel
733fc16902 Java: Update ThreadResourceAbuse specific models with provenance information. 2022-06-20 16:20:02 +02:00