1409 Commits

Author	SHA1	Message	Date
p0wn4j	f2de440886	[Java] CWE-094: Query to detect Groovy Code Injections	2021-04-20 19:18:24 +04:00
yo-h	cb524b6c19	Merge pull request #5611 from github/yo-h/java16 ... Java: adjust test `options` for JDK 16 upgrade	2021-04-19 15:12:23 -04:00
haby0	8296abcea8	Fix Modify the ql query (the qhelp part is not modified).	2021-04-19 20:59:47 +08:00
Anders Schack-Mulligen	579c955892	Java: Adjust some tests.	2021-04-19 14:06:27 +02:00
Anders Schack-Mulligen	175c71221a	Java: Adjust some test output with more edges/nodes.	2021-04-19 14:06:27 +02:00
haby0	23b508c5e7	Merge remote-tracking branch 'upstream/main' into UseOfLessTrustedSource	2021-04-19 20:05:49 +08:00
Anders Schack-Mulligen	29aec0d770	Java: Adjust expected output.	2021-04-19 13:16:46 +02:00
Anders Schack-Mulligen	c5193cf03f	Apply suggestions from code review	2021-04-19 13:14:56 +02:00
Anders Schack-Mulligen	06514159be	Java: Add XXE tests.	2021-04-19 10:58:21 +02:00
Anders Schack-Mulligen	daad62c4e0	Java: Add TaintedPath test.	2021-04-19 10:07:03 +02:00
edvraa	29e320627f	Regex injection	2021-04-16 23:29:08 +03:00
Anders Schack-Mulligen	605f28f741	Merge pull request #5686 from smowton/haby0/JsonHijacking ... Java: JSONP Injection w/cleanups	2021-04-16 11:09:17 +02:00
Chris Smowton	254de76078	Remove unnecessary stubs	2021-04-15 16:20:27 +01:00
Chris Smowton	fa36ba901a	Merge pull request #5471 from artem-smotrakov/el-injection ... Java: Query for detecting Jakarta Expression Language injections	2021-04-15 12:39:34 +01:00
haby0	216f204438	delete FilterClass	2021-04-15 19:28:25 +08:00
haby0	583d0889e2	delete tomcat-embed-core stub, update the ServletGetMethod class	2021-04-15 17:40:51 +08:00
haby0	b3bdf89fc2	rm VerificationMethodFlowConfig, use springframework-5.2.3 stub	2021-04-15 10:25:40 +08:00
Artem Smotrakov	97186b3d30	Added comments for tests	2021-04-14 19:30:58 +03:00
haby0	e2ed0d02b0	Delete existsFilterVerificationMethod and existsServletVerificationMethod, add from get handler to filter	2021-04-14 12:34:52 +08:00
Chris Smowton	58d198261e	Merge pull request #5663 from smowton/luchua/java/sensitive-cookie-not-httponly ... Java: CWE-1004 Query to check sensitive cookies without the HttpOnly flag set w/minor corrections	2021-04-13 12:08:53 +01:00
Chris Smowton	f22b11881e	Minimise stubs ... By removing all business logic from the stubs, we better test that our analysis treats them as opaque and does not rely on their internal structure	2021-04-13 10:36:28 +01:00
Chris Smowton	45e1a61d7b	Mark test as bad-but-missed ... This test ought ideally to be caught, but isn't by the current version of the query.	2021-04-13 10:36:27 +01:00
luchua-bc	d7f26dfc18	Update stub classes and qldoc	2021-04-12 16:19:23 +00:00
Chris Smowton	423ff32d04	Merge pull request #5384 from luchua-bc/java/insecure-spring-actuator-config ... Java: CWE-016 Query to detect insecure configuration of Spring Boot Actuator	2021-04-12 17:04:47 +01:00
Chris Smowton	2656a52880	Merge pull request #5538 from luchua-bc/java/credentials-in-properties ... Java: CWE-555 Query to detect plaintext credentials in Java properties files	2021-04-12 15:22:21 +01:00
luchua-bc	c281e54d22	Remove unused files and update qldoc	2021-04-12 13:05:01 +00:00
yo-h	4f2060f96b	Merge commit '2d618d6b928d8b76ac8033b3b63d9bde71caa325' into yo-h/java16	2021-04-11 23:55:33 -04:00
luchua-bc	4e3791dc0d	Remove LoadCredentialsConfiguration and update qldoc	2021-04-09 19:36:35 +00:00
Tom Hvitved	fd8f745468	Java: Adopt shared flow summary library and refactor data-flow nodes.	2021-04-09 16:57:03 +02:00
Artem Smotrakov	b39a3ab12c	Added setVariable() sink	2021-04-08 20:41:43 +03:00
Anders Schack-Mulligen	6109ef5e88	Merge pull request #5475 from Marcono1234/marcono1234/minus-literal ... Java: Improve documentation regarding minus in front of numeric literals	2021-04-08 16:11:14 +02:00
haby0	86ef2588f1	Restore @Component annotation	2021-04-08 17:55:29 +08:00
haby0	3f0a3266aa	[Java] CWE-348: Use of less trusted source	2021-04-08 17:14:03 +08:00
Artem Smotrakov	a764a79090	Always bind arguments in TaintPropagatingCall	2021-04-07 21:12:21 +03:00
yo-h	cc63563a88	Merge remote-tracking branch 'upstream-public/main' into yo-h/java16	2021-04-06 13:16:02 -04:00
intrigus	885044e331	[Java] Add tests for jwt signature check query.	2021-04-06 01:01:57 +02:00
intrigus	b7e49c78fe	[Java] Add stubs for jwtk-jjwt-0.11.2	2021-04-06 01:01:23 +02:00
luchua-bc	1349bf7b0b	Create a .qll file to reuse the code and add check of Spring properties	2021-03-30 11:25:29 +00:00
haby0	0775d35591	update VerificationMethodFlowConfig, add if test	2021-03-29 12:02:37 +08:00
luchua-bc	5ce3f9d6ff	Update qldoc and enhance the query	2021-03-28 16:10:35 +00:00
luchua-bc	a53cbc1631	Update qldoc and make the query more readable	2021-03-27 00:11:01 +00:00
Chris Smowton	3a274424ab	Convert fluent method models to csv and generalise to the three different variants of StrBuilder.	2021-03-26 14:31:36 +00:00
Chris Smowton	851317e34f	Add models for StrBuilder's fluent methods	2021-03-26 14:31:36 +00:00
Anders Schack-Mulligen	506c95d098	Merge pull request #5372 from smowton/smowton/feature/commons-lang-models-to-csv ... Java: Convert existing Commons Lang models to CSV	2021-03-26 10:18:23 +01:00
luchua-bc	d33b04cd96	Query to detect plaintext credentials in Java properties files	2021-03-26 02:33:40 +00:00
Anders Schack-Mulligen	28fb0edfbe	Merge pull request #4920 from luchua-bc/java/hash-without-salt ... Java: Query to detect hash without salt	2021-03-25 16:13:26 +01:00
Chris Smowton	7fb5bd0cab	Add tests for and slightly expand models of Commons Lang's ArrayUtils class	2021-03-25 15:11:51 +00:00
luchua-bc	fe0e7f5eac	Change method check to taint flow	2021-03-25 01:45:13 +00:00
luchua-bc	08c3bf26d5	Update the query to accommodate more cases	2021-03-24 23:32:27 +00:00
Anders Schack-Mulligen	a1ccbcdaf1	Merge pull request #5260 from artem-smotrakov/spring-http-invoker ... Java: Query for detecting unsafe deserialization with Spring exporters	2021-03-24 13:57:17 +01:00