Owen Mansel-Chan
fdd1e3fefe
Use MaD models for unsafe deserialization sinks when possible
Many of the unsafe deserialization sinks have to stay defined in QL
because they have custom logic that cannot be expressed in MaD models.
2025-07-16 14:42:07 +01:00
Owen Mansel-Chan
8e4bd1a102
Add sink for ObjectInput.readObject to make test pass
2025-07-11 11:05:38 +01:00
Owen Mansel-Chan
34fae324a0
Add test for ObjectInput.readObject
2025-07-11 11:03:47 +01:00
Nora Dimitrijević
4412335223
Java: convert UnsafeDeserialization test to .qlref
2025-06-24 16:42:14 +02:00
Jami Cogswell
e17486a9d8
Java: rename springframework stubs directory from 5.3.8 to 5.8.x
2025-03-11 15:20:58 -04:00
Michael Nebel
0a1d2d0bbb
Java: Update all test util paths to point to the new location.
2024-12-12 13:21:25 +01:00
Jeroen Ketema
89d20fd086
Java: Update expected test results
2024-12-03 19:18:59 +01:00
Tony Torralba
7af3d239ab
Java: Add JMS sink to java/unsafe-deserialization
2023-10-26 16:46:19 +02:00
Jorge
7d0b880bf7
Merge branch 'main' into jorgectf/deserialization-lookahead
2023-06-23 18:24:39 +02:00
jorgectf
b6e4ba6f9d
Add SerialKiller model
2023-06-23 18:19:43 +02:00
Jeroen Ketema
49993b023e
Java: Rewrite inline expectation tests to use parameterized module
2023-06-09 10:42:17 +02:00
Ed Minnix
e5f11d00a7
Refactor CWE-502/UnsafeDeserialization
2023-03-29 22:33:08 -04:00
Ian Lynagh
237b3670b4
Make *.xml non-executable
2022-08-24 16:53:48 +01:00
Chris Smowton
1dffbcd0bd
Fix tests disrupted by re-modelling and stubbing Android 9:
* Account for changed dataflow graph shape using external flow
* Account for BaseBundle only existing as of Android 5
* Properly implement Parcelable, which we previously got away with due to a partial stub
* Restore an Android 11 function that had been added to the Android 9 Context class (I won't get into enforcing the difference in this PR)
2021-10-12 12:35:05 +01:00
Chris Smowton
cd2c9e9ca3
Add Gson support to unsafe deserialization query
2021-10-12 12:35:04 +01:00
Chris Smowton
9b488207eb
Add support for the Flexjson framework to the unsafe-deserialization query
2021-09-10 16:27:23 +01:00
Chris Smowton
0b6c991ac4
Unsafe deserialization: add support for Jodd JSON library
2021-08-05 16:01:14 +01:00
Chris Smowton
1f08c3fe55
Move test files to appropriate package directories
2021-08-04 16:50:03 +01:00
Chris Smowton
69549e9ce3
Add unsafe-deserialization support for Jabsorb
This is partly extracted from https://github.com/github/codeql/pull/5954
2021-08-04 15:35:50 +01:00
Tony Torralba
f5cbec4938
Fix tests affected by Jackson stubs changes
2021-08-03 14:22:55 +02:00
Tony Torralba
f4b78ef3bd
Fix stubs
2021-08-02 14:12:05 +02:00
Fosstars
a4b0041120
Better looksLikeResolveClassStep() predicate
2021-07-30 09:28:03 +02:00
Artem Smotrakov
035f7ac669
Refactored libs for unsafe deserialization
2021-07-19 13:19:36 +02:00
Artem Smotrakov
e02530749b
Apply suggestions from code review
Co-authored-by: Chris Smowton <smowton@github.com>
2021-07-19 11:52:12 +02:00
Artem Smotrakov
3856527d14
Refactored tests for unsafe deserialization
2021-07-16 18:26:06 +02:00
Artem Smotrakov
c98f1a479e
Better taint propagation in UnsafeTypeConfig
2021-07-09 10:24:15 +02:00
Artem Smotrakov
aefd21075b
Added tests for UnsafeDeserialization.ql and Jackson
2021-07-09 10:24:10 +02:00
Sauyon Lee
60db9e1851
Rename springframework-5.2.3 to 5.3.8
2021-06-28 08:26:39 -07:00
haby0
363ad5b470
Fix error
2021-06-17 17:36:35 +08:00
haby0
3dd851fffb
expected
2021-06-17 15:20:03 +08:00
haby0
c1ada6d85b
Merge branch 'main' into java/UnsafeDeserialization
2021-06-16 16:37:03 +08:00
haby0
60fc607449
Modify ql
2021-05-14 18:17:05 +08:00
haby0
12f47bcf24
Add UnsafeDeserialization
2021-05-12 12:37:16 +08:00
Jonathan Leitschuh
67e9f06304
[Java] Fix Kryo FP & Kryo 5 Support
Closes #4992
2021-05-05 17:38:34 -04:00
Anders Schack-Mulligen
175c71221a
Java: Adjust some test output with more edges/nodes.
2021-04-19 14:06:27 +02:00
Anders Schack-Mulligen
6eafa9d396
Merge pull request #5133 from pwntester/fix_SnakeYaml
Remove sanitizing condition which does not prevent vulnerability.
2021-02-16 12:58:47 +01:00
Alvaro Muñoz
00a0b12dad
update expected results
2021-02-15 11:23:40 +01:00
Alvaro Muñoz
c7072aef16
update A.java test
2021-02-15 10:34:20 +01:00
yo-h
e194411cfa
Java: fix javac errors in test code
2021-02-09 09:16:57 -05:00
Anders Schack-Mulligen
4be731d2ab
Java: Adjust reference to static method and add test.
2020-11-16 11:47:58 +01:00
Tom Hvitved
7f6e253425
Java: Update expected test output
2019-10-04 11:09:44 +02:00
Anders Schack-Mulligen
2d620698d8
Java: Adjust qltest expected output.
2019-09-12 11:00:49 +02:00
Anders Schack-Mulligen
deb61d6f29
Java: Update test output.
2018-11-16 13:48:50 +01:00
Pavel Avgustinov
846c9d5860
Migrate Java code to separate QL repo.
2018-08-30 10:48:05 +01:00