Tony Torralba
2e08c5dd2b
Refactored HttpsUrls.ql
2021-09-15 17:20:28 +02:00
Tony Torralba
c3c73377b8
Fix scope issues in the Java example
2021-09-15 17:20:28 +02:00
Tony Torralba
023264660b
Suggestions from code review
2021-09-15 17:20:28 +02:00
mc
0e7cbbfeb8
Update InsecureBasicAuth.qhelp
2021-09-15 17:20:28 +02:00
mc
e58b90ef1c
Added full stops
2021-09-15 17:20:28 +02:00
Tony Torralba
30178d4f23
Decouple InsecureBasicAuth.qll to reuse the taint tracking configuration
2021-09-15 17:20:27 +02:00
Tony Torralba
90df3fa94c
Remove CWE reference from qlhelp since it's obtained from metadata
2021-09-15 17:20:27 +02:00
Tony Torralba
2cada386b4
Refactored into InsecureBasicAuth.qll
2021-09-15 17:20:27 +02:00
Tony Torralba
905be67aae
Moved from experimental
2021-09-15 17:20:27 +02:00
Erik Krogh Kristensen
3f736d3eb8
Merge pull request #6694 from erik-krogh/owasp-fixes
...
JS/Java: use the correct cwe tags
2021-09-15 13:46:35 +02:00
Chris Smowton
ca87768a93
Merge pull request #6692 from bmuskalla/testGeneratorFlowTest
...
Java: Test generator uses `InlineFlowTest`
2021-09-14 15:44:24 +01:00
Chris Smowton
6cff0d0376
Merge pull request #6393 from luchua-bc/java/xss-jsf
...
Java: CWE-079 Query to detect XSS with JavaServer Faces (JSF)
2021-09-14 15:15:56 +01:00
Benjamin Muskalla
abd770a027
Avoid empty template in test generator
2021-09-14 15:32:12 +02:00
Chris Smowton
a1ad1ddc10
Deprecate and replace uses of old name ServletWriterSource
2021-09-14 14:21:29 +01:00
Erik Krogh Kristensen
6d12c4aab1
use the correct cwe tags
2021-09-14 14:42:23 +02:00
Anders Schack-Mulligen
26eafcb55a
Merge pull request #6456 from smowton/smowton/admin/flexjson-unsafe-deserialization
...
Java: add unsafe-deserialization support for Flexjson
2021-09-14 14:33:22 +02:00
Tony Torralba
1f7990d6bb
Refactor to use ConditionalBypassQuery.qll
2021-09-14 13:16:09 +02:00
Tony Torralba
a484e9fb06
Use RemoteFlowSource instead of UserInput
2021-09-14 13:16:09 +02:00
Chris Smowton
b7fc068cee
Move JSFRenderer.qll to lib
2021-09-14 11:49:01 +01:00
Chris Smowton
cb8096f636
Remove JSF XSS Example
...
Per previous commit, no need for a top-level JSF example
2021-09-14 11:47:37 +01:00
Chris Smowton
cca9ad06b4
Remove JSF example
...
I don't think we need this: there are lots of possible XSS vectors; we don't need to enumerate every one in the qhelp file.
2021-09-14 11:47:36 +01:00
Chris Smowton
76e4077b56
Delete unused classes
2021-09-14 11:47:35 +01:00
luchua-bc
24addd5c10
Query to detect XSS with JavaServer Faces (JSF)
2021-09-14 11:47:32 +01:00
Benjamin Muskalla
f9918cc63c
Test generator uses InlineFlowTest
2021-09-14 11:58:56 +02:00
Chris Smowton
122ffca049
Merge pull request #6645 from Marcono1234/marcono1234/spurious-javadoc-param-generic-class
...
Java: Detect spurious param Javadoc tag of generic classes
2021-09-13 16:41:06 +01:00
Anders Schack-Mulligen
818e75bb8f
Java: Fix compilation error in telemetry lib.
2021-09-13 15:50:21 +02:00
Marcono1234
d117593d72
Java: Remove duplicate classes modeling Object.clone
2021-09-12 02:05:57 +02:00
Chris Smowton
9b488207eb
Add support for the Flexjson framework to the unsafe-deserialization query
2021-09-10 16:27:23 +01:00
Chris Smowton
2d03840fde
Add experimental variants of java/xxe, incorporating new sinks and a version that uses local sources.
...
Originally authored by @haby0, squashed to clean up a tangled commit history.
2021-09-10 13:49:31 +01:00
Benjamin Muskalla
a1b7437f8d
Merge branch 'main' into thirdpartyapitelemtry
2021-09-09 11:11:42 +02:00
Marcono1234
a173d9593b
Java: Detect spurious param Javadoc tag of generic classes
2021-09-09 00:11:02 +02:00
Benjamin Muskalla
67eaa1b735
Fix qldoc
2021-09-08 13:08:28 +02:00
Benjamin Muskalla
f7ad894495
Fix name of api filter predicate
2021-09-07 14:28:58 +02:00
Benjamin Muskalla
22df141761
Rename API name predicate
2021-09-07 14:17:13 +02:00
Andrew Eisenberg
6a47fcaf1f
Packaging: Normalize all qlpack.yml files for all languages
...
This commit ensures consistency among all of our qlpacks. Here are the
changes:
1. Ensure only modern references are used (codeql-{lang} is converted to
codeql/{lang}-all or codeql/{lang}-queries where appropriate).
2. Use consistent version numbers. All languages are at 0.0.2 except
javascript, which is 0.0.3.
3. Convert all `libraryPathDependencies` to `dependencies` with version
constraints
4. Dependencies from query packs to other packs are always `"*"` since
these dependencies are always from source and we should get the
latest.
5. Dependencies from codeql/{lang}-lib to codeql/{lang}-upgrades must
be strict since there is a tight connection between the library
and its relevant upgrades.
2021-09-03 11:53:28 -07:00
Benjamin Muskalla
51475d2fb0
Merge branch 'main' into thirdpartyapitelemtry
2021-09-03 14:23:31 +02:00
Benjamin Muskalla
ab5c1d6bdd
Rework filter to exclude simple constructors
2021-09-03 13:38:01 +02:00
Chris Smowton
0dd463dd2b
Merge pull request #6520 from smowton/smowton/feature/allow-local-interfaces
...
Java: Allow local interfaces
2021-09-03 12:01:36 +01:00
Benjamin Muskalla
9ed14b438e
Use readable format for APIs
2021-09-03 11:53:18 +02:00
Benjamin Muskalla
7d3131ca49
Move usage count into where clause
2021-09-03 11:32:14 +02:00
Benjamin Muskalla
89ce04dcb9
Pull usage count into where clause
2021-09-03 11:26:22 +02:00
Benjamin Muskalla
2edb32f344
Fix naming
2021-09-03 10:59:35 +02:00
Benjamin Muskalla
6ede08e3c9
Remove dead code
2021-09-03 10:53:24 +02:00
Chris Smowton
c259d0204a
Move unreachable cases of IndirectType into getAContainedType
2021-09-02 17:53:52 +01:00
Chris Smowton
b9afccc015
Remove impossible lines from Stubs.qll
2021-09-02 17:14:38 +01:00
Chris Smowton
608d24f75e
Rename QL elements that refer to local classes
2021-09-02 14:51:50 +01:00
Chris Smowton
e048a729db
Add Interface.isLocal and use it where appropriate
...
Some EJB logic regrettably needs to be renamed out of the way. Hopefully the churn caused by this is less than would be caused if Interface's isLocal needed to be named differently from Class.isLocal.
2021-09-02 14:51:46 +01:00
Sauyon Lee
7156dee270
Merge pull request #6521 from sauyon/java/test-gen-improvements
...
Java: generate more realistic tests
2021-08-31 10:06:08 -07:00
Chris Smowton
b38a23daee
Fix test cases featuring primitive arrays
...
Previously we couldn't print the name of types like `byte[]` for example.
2021-08-31 15:12:47 +01:00
Chris Smowton
f94d8c341d
Abbreviate multi-column min
2021-08-31 11:57:49 +01:00