Commit Graph

4687 Commits

Author SHA1 Message Date
Chris Smowton
03db15af9a Merge pull request #6685 from smowton/smowton/admin/android-uri-model
Java: Add models for android.net.Uri[.Builder]
2021-09-15 10:48:33 +01:00
Anders Schack-Mulligen
8485b6f0b3 Merge pull request #6691 from bmuskalla/moreStringMethods
Java: Support String#getChars and #translateEscapes
2021-09-15 10:14:54 +02:00
Anders Schack-Mulligen
3f7d6e6f85 Merge pull request #6136 from smowton/smowton/admin/spring-xss-content-type-sensitivity
Spring HTTP: improve content-type sensitivity
2021-09-15 09:50:56 +02:00
Chris Smowton
5d737934c3 Don't inherit models from a final class
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
2021-09-14 16:37:07 +01:00
Chris Smowton
367a53dd71 Add models for android.net.Uri[.Builder] 2021-09-14 16:37:07 +01:00
Chris Smowton
406466de9a Simplify specifiesContentType predicate 2021-09-14 15:24:46 +01:00
Chris Smowton
6cff0d0376 Merge pull request #6393 from luchua-bc/java/xss-jsf
Java: CWE-079 Query to detect XSS with JavaServer Faces (JSF)
2021-09-14 15:15:56 +01:00
Chris Smowton
a1ad1ddc10 Deprecate and replace uses of old name ServletWriterSource 2021-09-14 14:21:29 +01:00
Anders Schack-Mulligen
26eafcb55a Merge pull request #6456 from smowton/smowton/admin/flexjson-unsafe-deserialization
Java: add unsafe-deserialization support for Flexjson
2021-09-14 14:33:22 +02:00
Chris Smowton
26dbf058c8 Add reverse import from ExternalFlow.qll 2021-09-14 12:35:33 +01:00
Chris Smowton
e439b7d7f8 Remove resource-related sources
These access application-owned resources AFAICT
2021-09-14 12:24:27 +01:00
Tony Torralba
097927226b Improved heuristics to increase precision 2021-09-14 13:16:47 +02:00
Tony Torralba
1f7990d6bb Refactor to use ConditionalBypassQuery.qll 2021-09-14 13:16:09 +02:00
Chris Smowton
104873e8ee Autoformat 2021-09-14 12:07:59 +01:00
Chris Smowton
6811441459 Factor JSF source definitions 2021-09-14 12:07:48 +01:00
Chris Smowton
b7fc068cee Move JSFRenderer.qll to lib 2021-09-14 11:49:01 +01:00
Chris Smowton
023c533745 Combine Servlet and JSF vulnerable writer flow-tracking
JSP and Servlet already shared this logic; might as well add JSF into the same mechanism.
2021-09-14 11:48:34 +01:00
luchua-bc
24addd5c10 Query to detect XSS with JavaServer Faces (JSF) 2021-09-14 11:47:32 +01:00
Chris Smowton
e92b9cbe99 Improve getAProducesExpr documentation 2021-09-14 11:16:45 +01:00
Benjamin Muskalla
199e015a06 Support missing String methods 2021-09-14 10:22:22 +02:00
Tom Hvitved
3bdc92ba8e Merge pull request #6681 from hvitved/java/files-folders-drop-columns
Java: Drop redundant columns from `files` and `folders` relations
2021-09-13 17:43:31 +02:00
Anders Schack-Mulligen
7b764aec92 Merge pull request #6682 from aschackmull/java/callbacks
Java: Add support for callback-based library models.
2021-09-13 16:43:03 +02:00
Tom Hvitved
9fdcacd865 Java: Drop redundant columns from files and folders relations 2021-09-13 16:09:47 +02:00
Anders Schack-Mulligen
12aeaeed56 Java: Address review comment. 2021-09-13 16:03:50 +02:00
Anders Schack-Mulligen
89a6cdc711 Java: Add support for callback-based library models. 2021-09-13 14:49:28 +02:00
Ian Lynagh
3404bcf265 Merge pull request #6680 from github/igfoo/java_location
Java: Use the standard URL format for Location.toString()
2021-09-13 13:43:32 +01:00
Ian Lynagh
4fbb165dce Java: Use the standard URL format for Location.toString() 2021-09-13 12:53:50 +01:00
Chris Smowton
95046b9bb1 Factor JaxRS models 2021-09-10 16:36:40 +01:00
Chris Smowton
451a46bf0e Add models for getLanguage, getMediaType 2021-09-10 16:36:38 +01:00
Chris Smowton
5e7a3ca2e6 Model UriInfo.relativize and resolve. 2021-09-10 16:36:37 +01:00
Chris Smowton
f1c3a11103 Add sources for Jax-RS filters 2021-09-10 16:36:34 +01:00
Chris Smowton
d83ed33252 Make supertype consideration consistent 2021-09-10 16:27:28 +01:00
Chris Smowton
9b488207eb Add support for the Flexjson framework to the unsafe-deserialization query 2021-09-10 16:27:23 +01:00
Chris Smowton
655236c70d Remove no-longer-needed generic specifiers 2021-09-10 16:10:55 +01:00
Chris Smowton
d940085384 Spring HTTP: inherit produced content-types from surrounding class 2021-09-10 16:10:52 +01:00
Chris Smowton
bdd135dbff Spring HTTP: mark explicitly content-typed body calls as sinks
Previously only the return from the request-handler method constituted a sink, and was filtered by the Produces annotation if any, even though a BodyBuilder could explicitly override.

These sinks are also marked as out-barriers to avoid duplicate paths when the Produces annotation is in agreement.
2021-09-10 16:10:50 +01:00
Chris Smowton
701d0bcdca Spring content types: recognise constant content-type strings 2021-09-10 16:10:48 +01:00
Chris Smowton
4397371a50 Spring constant media types: recognise constant string versions
Previously we only recognised the constant MediaTypes
2021-09-10 16:10:47 +01:00
Chris Smowton
b9b34eb0ee Move Spring XSS sink definition into SpringHttp.qll 2021-09-10 16:10:45 +01:00
Chris Smowton
3b6cc97557 Sanitize Spring bodies directly associated with an XSS-safe Content-Type 2021-09-10 16:10:44 +01:00
Chris Smowton
2d03840fde Add experimental variants of java/xxe, incorporating new sinks and a version that uses local sources.
Originally authored by @haby0, squashed to clean up a tangled commit history.
2021-09-10 13:49:31 +01:00
Tom Hvitved
649c2ce188 Merge pull request #6586 from hvitved/dataflow/stage2-precise-call-ctx-take2
Data flow: Add precise call contexts to stage 2
2021-09-10 11:34:35 +02:00
Tom Hvitved
296d10fe2a Data flow: Adjust callMayFlowThroughFwd pragmas 2021-09-10 09:21:24 +02:00
Anders Schack-Mulligen
3e17fdcaa3 Merge pull request #6407 from bmuskalla/charSeqSubSeq
Java: Track taint for CharSequence#subSequence
2021-09-10 09:01:29 +02:00
Anders Schack-Mulligen
13c4b93d3d Merge pull request #6648 from aschackmull/java/func-interface
Java: Fix FunctionalInterface.
2021-09-09 16:14:14 +02:00
Benjamin Muskalla
9d5e48430e Merge branch 'main' into charSeqSubSeq 2021-09-09 16:04:36 +02:00
Anders Schack-Mulligen
ec3990c619 Java: Fix FunctionalInterface. 2021-09-09 15:04:22 +02:00
Benjamin Muskalla
c0e65e71b4 Revert "Java: Fix external flow performance with future optimiser."
This reverts commit be1d4c04f2.
2021-09-09 13:06:23 +02:00
Benjamin Muskalla
a1b7437f8d Merge branch 'main' into thirdpartyapitelemtry 2021-09-09 11:11:42 +02:00
Benjamin Muskalla
96a34b6165 Fix value flow for fluent api 2021-09-08 16:12:52 +02:00