hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
83,874 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.5
Commit Graph

13958 Commits

Author SHA1 Message Date
Anders Schack-Mulligen
0df7e9fa4e Merge pull request #4989 from lcartey/lcartey/spring-inheritence-improvements 
Java: Track taint through Spring Java bean getters on super types
 2021-02-03 15:06:03 +01:00
luchua-bc
2ace10fcdf Use PostUpdateNode for wrapper method calls 2021-02-03 12:21:31 +00:00
luchua-bc
3151aeff48 Enhance the query 2021-02-02 18:26:29 +00:00
luchua-bc
5e3b6fa341 Update qldoc 2021-02-02 16:20:39 +00:00
luchua-bc
50be54385a Update qldoc 2021-02-02 14:49:50 +00:00
Artem Smotrakov
59f48ecea3 Removed LocalUserInput in JexlInjectionLib.ql 2021-01-29 12:38:51 +01:00
Luke Cartey
76c9b6466e Reformat TaintTrackingUtil.qll with more recent CodeQL CLI 2021-01-29 11:27:30 +00:00
luchua-bc
ff1ed3a012 Revamp the query to use three configurations to detect password hash without salt 2021-01-29 03:39:02 +00:00
Anders Schack-Mulligen
bbdd7c9b57 Merge pull request #4963 from joefarebrother/guava-collections 
Java: Add flow steps for Guava collection utilities
 2021-01-28 11:01:03 +01:00
luchua-bc
ab7d257569 Add more cases and change EC to 256 bits 2021-01-28 04:06:27 +00:00
luchua-bc
2ac7b4bab4 Update qldoc 2021-01-28 04:06:27 +00:00
luchua-bc
058f3af4b2 Refactor the hasShortSymmetricKey method 2021-01-28 04:06:27 +00:00
luchua-bc
cbaee937d0 Optimize the query 2021-01-28 04:06:27 +00:00
luchua-bc
cfc950f803 Query for weak encryption: Insufficient key size 2021-01-28 03:25:15 +00:00
luchua-bc
6a93099b64 Simplify the query and update qldoc 2021-01-28 03:02:53 +00:00
haby0
81c56b9bed Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.ql 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-01-27 19:47:12 +08:00
haby0
31deca016f Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.ql 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-01-27 19:46:45 +08:00
haby0
ca2e6587fe Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-01-27 19:46:15 +08:00
intrigus
d3e6e594b2 Java: Improve QLDoc 2021-01-27 11:57:32 +01:00
intrigus
bdba7e14fe Java: Switch to data flow 2021-01-27 11:54:40 +01:00
haby0
b5ae417851 *)update CWE-652 qhelp references 2021-01-27 10:19:04 +08:00
haby0
b76854a384 *)add CWE-652 test case 2021-01-27 10:14:33 +08:00
Henning Makholm
54f00de3e0 Add "tests" fields to test qlpacks 
This will allow `codeql resolve tests --ignore-dubious-cases`
(and thus the VSCode extension) to recognize all `.ql` files in those
packs as test cases, even if they don't have accompanying `.expected`
files.

CLI versions prior to 2.1.0 will choke on this, but it's almost 10
months since that came out.
 2021-01-26 18:15:22 +01:00
Francis Alexander
19872e9aed More Feedback integration 2021-01-26 17:24:17 +05:30
luchua-bc
fee0b94cd4 Use isRequestGetParamMethod as the source 2021-01-26 04:41:44 +00:00
Francis Alexander
985d3d469a PR feedback integration 2021-01-25 23:26:36 +05:30
Joe Farebrother
d69ecde5c1 Java: Add additional flow steps for guava collection methods and more unit tests 2021-01-25 16:37:40 +00:00
Joe Farebrother
7e11d8ed07 Java: Add modelling for guava Sets 2021-01-25 16:37:40 +00:00
Joe Farebrother
d1427fcd93 Java: Add modelling for Guava's collection classes 2021-01-25 16:37:40 +00:00
Artem Smotrakov
8d701e604a Simplified JexlInjectionLib.qll 
- Merged multiple method definitions to DirectJexlEvaluationMethod
- Don't use TaintPropagatingJexlMethodCall field in JexlInjectionConfig
- Better variable names in JexlEvaluationSink
 2021-01-25 14:17:51 +01:00
Chris Smowton
d34233b44f Rewrite XQuery injection to use an additional taint step instead of multiple configurations. 
Also remove a needless barrier -- the method in question doesn't conduct taint by default, so excluding particular instances of that call is not necessary.
 2021-01-25 11:18:45 +00:00
haby0
16308fe557 Update java/ql/src/Security/CWE/CWE-652/XQueryInjectionLib.qll 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-01-25 19:16:18 +08:00
haby0
14a23eed4f Update java/ql/src/Security/CWE/CWE-652/XQueryInjectionLib.qll 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-01-25 19:15:59 +08:00
Francis Alexander
75b79039a1 Example fixes 2021-01-24 20:46:37 +05:30
Francis Alexander
81e372d078 Formatting changes 2021-01-24 20:44:21 +05:30
Francis Alexander
a64fc2b24e Java: Queries to detect remote source flow to CORS header 2021-01-24 18:58:39 +05:30
Artem Smotrakov
71e5cb45d3 Simplified method and class definitions for JEXL 2021-01-23 19:50:16 +01:00
Artem Smotrakov
03348b18b5 Simplified TaintPropagatingJexlMethodCall 2021-01-23 19:41:14 +01:00
Artem Smotrakov
a47147bc5e Simplify sinks in JexlInjectionLib.qll 2021-01-23 19:22:43 +01:00
Artem Smotrakov
28ebbee61d Added TaintPropagatingJexlMethodCall class 2021-01-23 17:42:04 +01:00
haby0
0b326aae20 *)update XQueryInjectionLib.qll 2021-01-23 18:27:38 +08:00
haby0
44d99f8cd4 *)update XQueryInjection.ql 2021-01-23 18:26:58 +08:00
haby0
ec4c155043 *)update XQueryInjection.qhelp 2021-01-23 18:26:15 +08:00
Artem Smotrakov
73c8338e52 Use <code> tag in JexlInjection.qhelp 2021-01-21 22:49:36 +01:00
Artem Smotrakov
ee6d28b562 Use LocalUserInput when looking for JEXL injections 2021-01-21 22:46:18 +01:00
Artem Smotrakov
8166e269ec Added examples of a sandbox for JEXL expressions 2021-01-21 20:53:15 +01:00
haby0
a56dd60baa *)add CWE-652 XQueryInjection detection 2021-01-21 19:18:10 +08:00
Artem Smotrakov
7df813354a Improved JexlInjectionLib.qll 2021-01-20 20:26:48 +01:00
Luke Cartey
5c6f5b7b33 Java: Track taint through Spring Java bean getters on super types 2021-01-20 16:53:03 +00:00
Anders Schack-Mulligen
9b2f69ca94 Merge pull request #4978 from github/yo-h/struts-xml-change-note 
Java: add change note for `struts.xml` extraction
 2021-01-20 08:59:45 +01:00