61 Commits

Author SHA1 Message Date
MarkLee131
9ff4ed286f Java: recognize Path.toRealPath() as path normalization sanitizer
PathNormalizeSanitizer recognized Path.normalize() and
File.getCanonicalPath()/getCanonicalFile(), but not Path.toRealPath().

toRealPath() is strictly stronger than normalize() (resolves symlinks
and verifies file existence in addition to normalizing ".." components),
and is functionally equivalent to File.getCanonicalPath() for the NIO.2
API. CERT FIO16-J and OWASP both recommend it for path traversal defense.

This adds toRealPath to PathNormalizeSanitizer alongside normalize,
reducing false positives for code using idiomatic NIO.2 path handling.
2026-04-04 20:59:45 +08:00
Nora Dimitrijević
588efe4b2b Java: Convert TaintedPath test to .qlref 2025-06-24 16:41:35 +02:00
Jami Cogswell
e17486a9d8 Java: rename springframework stubs directory from 5.3.8 to 5.8.x 2025-03-11 15:20:58 -04:00
Jami Cogswell
2bb6a3914b Java: update tests 2025-02-14 15:16:08 -05:00
Michael Nebel
0a1d2d0bbb Java: Update all test util paths to point to the new location. 2024-12-12 13:21:25 +01:00
Jami Cogswell
121780c55a Java: add File.getName as a path injection sanitizer 2024-12-04 18:57:51 -05:00
Tom Hvitved
ed9008a064 Update expected test output 2024-09-18 13:51:02 +02:00
Jami Cogswell
c70d39539e Java: use post-process provenance pretty-printing in query-tests 2024-07-28 18:12:17 -04:00
Owen Mansel-Chan
ff8bb2b1f8 Merge pull request #16760 from owen-mc/java/reverse-dns-separate-threat-model-kind
Java: make a separate threat model kind for reverse DNS sources
2024-07-23 10:08:52 +01:00
Jami Cogswell
6b497da15f Java: fix line number changes in tests 2024-07-11 15:33:09 -04:00
Jami Cogswell
be565288f2 Java: update more test cases due to shifted alert provenance line numbers 2024-06-27 22:08:38 -04:00
Owen Mansel-Chan
162245fb9a Fix unrelated test using reverse DNS as source 2024-06-24 21:23:50 +01:00
Tony Torralba
292395b80e Update test expectations 2024-06-04 10:35:16 +02:00
Tony Torralba
f16dd8c010 Apply code review suggestions. 2024-06-04 10:35:11 +02:00
Tony Torralba
f84c2a842d Java: Add more File-related sinks for path-injection 2024-06-04 10:35:07 +02:00
Anders Schack-Mulligen
a74cf6501a Java: update qltest expected files. 2024-05-22 11:13:06 +02:00
Anders Schack-Mulligen
c2f5731e8d Java: Update expected output (uninteresting). 2024-04-12 09:20:26 +02:00
Anders Schack-Mulligen
e9e445b2ba Java: Add empty provenance column to expected files. 2024-02-09 11:32:00 +01:00
Tony Torralba
2a146405ac Adjust tests 2024-01-26 12:38:32 +01:00
Tony Torralba
19cb7adb6d Migrate path injection sinks to MaD
Deprecate and stop using PathCreation

Path creation sinks are now summaries
2024-01-26 12:19:54 +01:00
Tony Torralba
282632c33b Add new snippets as tests 2024-01-25 15:11:11 +01:00
Max Schaefer
a5e7ef424e Revert "Add additional example."
This reverts commit 947b094387.
2023-11-16 11:54:16 +00:00
Max Schaefer
947b094387 Add additional example. 2023-11-16 10:06:19 +00:00
Max Schaefer
009d58034f Address suggestions from review. 2023-11-16 10:05:54 +00:00
Max Schaefer
a46a7fadb2 Java: Improve QHelp for java/path-injection to mention less disruptive fixes. 2023-11-15 11:25:13 +00:00
Tony Torralba
2448bc8ce2 Java: Add new Apache CXF models 2023-08-25 11:17:51 +02:00
Tony Torralba
fb0102b763 Java: New models for JAX-RS 2023-08-07 11:52:23 +02:00
Anders Schack-Mulligen
ae24d68b5d C/C++/C#/Java/Python/Ruby/Swift: Adjust expected output. 2023-07-19 11:41:15 +02:00
Tony Torralba
654bb00946 Java: Tweak java.nio.files.Files.copy models 2023-05-23 10:27:19 +02:00
Tony Torralba
e3d93c3581 Fix FileCopyUtils models 2023-04-24 15:07:19 +02:00
Tony Torralba
5bc606753e org.openjdk.jmh.runner.options tests 2023-03-15 14:47:27 +01:00
Tony Torralba
341590f9ad org.kohsuke.stapler.framework.io tests 2023-03-15 11:43:52 +01:00
Tony Torralba
7455c27086 org.apache.tools.ant.taskdefs tests 2023-03-14 17:28:35 +01:00
Tony Torralba
6aa9726223 org.apache.tools.ant tests 2023-03-14 17:20:31 +01:00
Tony Torralba
31667b4478 org.apache.commons.io tests 2023-03-14 12:50:09 +01:00
Tony Torralba
3db95f3ac9 javax.xml.transform.stream tests 2023-03-14 12:28:04 +01:00
Tony Torralba
d54abddab1 java.nio.file tests 2023-03-14 12:22:56 +01:00
Tony Torralba
cad5cd4037 java.io tests 2023-03-14 11:21:33 +01:00
Tony Torralba
f07f0888aa Fix tests 2023-03-10 12:35:13 +01:00
Tony Torralba
8065714ebe Add tests 2023-03-10 12:35:13 +01:00
Tony Torralba
0439eb640d Add tests 2023-03-01 09:49:28 +01:00
Tony Torralba
f19eb783be Generalize file/path taint steps
This is needed by PathSanitizer but also helps simplify ZipSlip.ql
2022-10-04 12:27:01 +02:00
erik-krogh
46b5bf32f9 update alert-messages of java queries 2022-09-26 12:15:25 +02:00
Tony Torralba
fdc8453a59 Introduce TaintedPathAdditionalTaintStep
Use separate configurations for tainted path and tainted path local again.
2022-09-16 10:42:15 +02:00
Sebastian Bauersfeld
20d78972f5 Address review comments. 2022-09-15 16:44:36 +07:00
Sebastian Bauersfeld
0468b3a361 Java: Track taint through constructor arguments of java.net.URI. 2022-09-13 11:35:04 +07:00
Chris Smowton
84a4b6a866 Make reporting locations consistent with PathCreation; add test 2022-08-03 10:42:09 +01:00
Anders Schack-Mulligen
f30dad7705 Dataflow: Update test expected outputs. 2021-09-07 13:02:20 +02:00
Anders Schack-Mulligen
175c71221a Java: Adjust some test output with more edges/nodes. 2021-04-19 14:06:27 +02:00
Anders Schack-Mulligen
29aec0d770 Java: Adjust expected output. 2021-04-19 13:16:46 +02:00