hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
83,868 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.4
Commit Graph

13956 Commits

Author SHA1 Message Date
Anders Schack-Mulligen
2ce0921935 Java: Clean up SpringHttp.qll 2020-07-06 14:35:53 +02:00
Anders Schack-Mulligen
2ae15f9ace Java: Remove list, map, and StringReplaceMethod flow steps. 2020-07-06 14:19:13 +02:00
Anders Schack-Mulligen
a41c2d8abf Java: Make a few predicates private and autoformat SpringController. 2020-07-06 14:18:16 +02:00
Arthur Baars
d2734b2903 Merge pull request #3684 from aschackmull/java/javadoctag-qldoc 
Java: Improve qldoc for JavadocTag.
 2020-07-06 11:42:04 +02:00
Arthur Baars
98d24101b1 Merge pull request #3687 from aschackmull/java/getanenclosingstmt 
Java: Add Expr.getAnEnclosingStmt.
 2020-07-06 11:41:21 +02:00
Marcono1234
f8e474f89a Add missing java.nio.file.Files methods to FileReadWrite.qll 2020-07-05 18:39:26 +02:00
luchua-bc
d6e9b07a9e Add JBoss BasicLogger and SciJava Logger 2020-07-03 22:34:48 +00:00
lcartey@github.com
b242a61701 Java: Untrusted data used in external APIs 
This commit adds two queries for identifying external APIs which are
used with untrusted data.

These queries are intended to facilitate a security review of the
application, and will report any external API which is called with
untrusted data. The purpose of this is to:
 - review how untrusted data flows through this application
 - identify opportunities to improve taint modeling of sinks and taint
   steps.
As a result this is not suitable for integration into a developer
workflow, as it will likely have high false positive rate, but it may
help identify false negatives for other queries.
 2020-07-03 17:32:08 +01:00
Arthur Baars
19a481f809 Java: Arrays: add tests 2020-07-03 17:15:17 +02:00
Arthur Baars
0b89efbee4 Java: model Arrays::addList 2020-07-03 17:15:17 +02:00
Arthur Baars
a07af79fff Java: model java.util.Arrays 2020-07-03 17:15:17 +02:00
Arthur Baars
1485f7c876 Java: model some new Set,List,Map methods 
Models the taint propagation for the copyOf(..),
of(..), ofEntries(..) and entry(..) methods
 2020-07-03 17:14:53 +02:00
Arthur Baars
c629f6b13a Merge pull request #3869 from aibaars/util-collections 
Java: model java.util.Collections
 2020-07-03 17:09:14 +02:00
Arthur Baars
5fff41f35b Don't track taint on Map keys 2020-07-03 14:47:25 +02:00
Anders Schack-Mulligen
6de612a566 Java: Split SpringWebRequestGetMethod into its own class. 2020-07-03 14:06:54 +02:00
luchua-bc
6d329bce6e Add Apache Commons Logging and debugv method 2020-07-03 01:13:11 +00:00
Arthur Baars
5f2a5f1b55 Java: Collections: add tests 2020-07-02 19:18:02 +02:00
luchua-bc
a61f814b4b Change to ServletResponse type and fix formatting error 2020-07-02 12:49:25 +00:00
Arthur Baars
21a4b8d6c0 Java: remove useless casts 2020-07-02 13:03:15 +02:00
Arthur Baars
d80bf3395f Add Navigable variants and sort method names 2020-07-02 13:02:38 +02:00
Arthur Baars
e7b495e7d3 Java: model Collections::addAll 2020-07-02 12:38:22 +02:00
Arthur Baars
5cf5c77b09 Java: model java.util.Collections 2020-07-02 12:25:55 +02:00
luchua-bc
1d0232b464 Add more servlet methods and fix formatting errors 2020-07-02 03:07:19 +00:00
intrigus-lgtm
cabd275baa Fix typo, add Oxford comma 2020-07-01 14:49:09 +02:00
Anders Schack-Mulligen
7d057598d8 Merge pull request #3857 from jbj/flowthrough-bigstep-perf 
C++: Remove big-step relation in flow-through code
 2020-07-01 14:23:23 +02:00
Anders Schack-Mulligen
38b73ff684 Merge pull request #3854 from hvitved/dataflow/node-type-interface 
Data flow: Replace `getErasedRepr()` and `Node::getTypeBound()` with `getNodeType()`
 2020-07-01 11:37:19 +02:00
Jonas Jensen
cff0f48d34 C++: Work around join-order issue in flow-through 
In this non-linear recursion, a `#prev` relation was joined earlier than
the `#prev_delta` relation. As a result, each iteration of the predicate
processes every tuple from previous iterations.

This quadratic behavior caused severe slowdowns on oneapi-src/oneDNN.
 2020-06-30 21:12:57 +02:00
Jonas Jensen
17beb2d867 C++: Remove big-step relation in flow-through code 
This relation was originally introduced to improve performance but may
no longer be necessary. The `localFlowStepPlus` predicate had an
explosion of tuples on oneapi-src/oneDNN for C++.
 2020-06-30 21:06:45 +02:00
Jonathan Leitschuh
fa8b278332 Add jOOQ methods as SQL Injection Sinks 2020-06-30 11:57:17 -04:00
Mathias Vorreiter Pedersen
286c09183f Merge pull request #3837 from geoffw0/qldoc5 
C++/Java: Update QLDoc and terminology in Encryption.qll
 2020-06-30 17:44:59 +02:00
Tom Hvitved
f1179cc202 Java: Follow-up changes 2020-06-30 17:44:16 +02:00
Tom Hvitved
1fa58bd82d Data flow: Sync files 2020-06-30 17:37:16 +02:00
Geoffrey White
cf75397ef1 Java: Rename tests. 2020-06-30 14:33:05 +01:00
Geoffrey White
5c11c9ee43 Java: Rename additional private predicates. 2020-06-30 13:05:46 +01:00
Geoffrey White
f8425b8a58 Java: Update uses. 2020-06-30 13:02:48 +01:00
Geoffrey White
db0500b9ef Java: Direct port of changes to Java. 2020-06-30 13:02:48 +01:00
luchua-bc
d978f28822 Simplify the query for subtype check 2020-06-30 11:15:18 +00:00
Anders Schack-Mulligen
13cb853af5 Merge pull request #3294 from ggolawski/ognl-injection 
CodeQL query to detect OGNL injections
 2020-06-30 09:46:02 +02:00
Tom Hvitved
b57cfc965a Merge pull request #3804 from aschackmull/dataflow/dispatch-refactor 
Dataflow: Refactor dispatch with call context.
 2020-06-30 08:28:27 +02:00
luchua-bc
382e5a5a7a Revert "Add remote source of Android intent extra" 
This reverts commit 65e76ab18f.
 2020-06-30 00:55:05 +00:00
luchua-bc
3e8e9f9969 Revert "Add method access qualifier as source" 
This reverts commit 87668bf075.
 2020-06-30 00:54:27 +00:00
luchua-bc
065b90ab6b Revert "text changes" 
This reverts commit 0f8dd7c328.
 2020-06-30 00:53:03 +00:00
luchua-bc
ede9cec4a9 Uncaught Servlet Exception 2020-06-29 20:07:53 +00:00
Anders Schack-Mulligen
d297ce2279 Merge pull request #3436 from artem-smotrakov/revocation-checking 
Java: Added a query for disabled certificate revocation checking
 2020-06-29 16:42:36 +02:00
Anders Schack-Mulligen
b53b90501b Merge pull request #3550 from luchua-bc/java-unsafe-cert-trust 
Java: CWE-273 Unsafe certificate trust
 2020-06-29 16:39:39 +02:00
Anders Schack-Mulligen
0bd81eb4b8 Dataflow: Fix reference to viableCallable. 2020-06-29 16:22:58 +02:00
luchua-bc
0f8dd7c328 text changes 2020-06-27 22:56:00 +00:00
Bt2018
87668bf075 Add method access qualifier as source 2020-06-27 18:00:52 -04:00
Grzegorz Golawski
aff0e0eb25 Cleanup according to review comments. 2020-06-27 18:30:36 +02:00
Artem Smotrakov
f5f30ce25e Java: Simplified the query for disabled certificate revocation checking 
Removed a dataflow cofiguration for setting a revocation checker.
Instead, the query just checks if addCertPathChecker() or setCertPathCheckers()
methods are called.
 2020-06-27 11:37:20 +03:00