hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
29,624 Commits 1,671 Branches 157 Tags
codeql-cli-2.7.3
Commit Graph

1409 Commits

Author SHA1 Message Date
Chris Smowton
0b6c991ac4 Unsafe deserialization: add support for Jodd JSON library 2021-08-05 16:01:14 +01:00
Tony Torralba
0356ed7f9e Merge pull request #5911 from atorralba/atorralba/promote-missing-jwt-signature-check 
Java: Promote Missing JWT signature check query from experimental
 2021-08-05 09:43:03 +02:00
Anders Schack-Mulligen
1932f604dc Merge pull request #6419 from smowton/smowton/admin/unsafe-deserialization-jabsorb 
Add unsafe-deserialization support for Jabsorb
 2021-08-05 09:04:23 +02:00
Chris Smowton
1f08c3fe55 Move test files to appropriate package directories 2021-08-04 16:50:03 +01:00
Chris Smowton
69549e9ce3 Add unsafe-deserialization support for Jabsorb 
This is partly extracted from https://github.com/github/codeql/pull/5954
 2021-08-04 15:35:50 +01:00
Anders Schack-Mulligen
6a09a5667d Merge pull request #5931 from atorralba/atorralba/promote-jndi-injection 
Java: Promote JNDI Injection query from experimental
 2021-08-04 15:48:44 +02:00
Owen Mansel-Chan
2e04319d9f Manually improve tests 2021-08-04 14:27:01 +01:00
Owen Mansel-Chan
a538699a0a Add automatically generated tests 2021-08-04 14:27:00 +01:00
Tony Torralba
989afb446e Apply suggestions from code review 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-08-04 14:07:10 +02:00
Tony Torralba
452fd9a8e3 Refactor to path query 2021-08-04 13:05:18 +02:00
Tony Torralba
f4bc4df8c1 Renamed JWTQuery so that it's named after the actual query name 2021-08-04 12:08:08 +02:00
Chris Smowton
eaf3d3cc03 Merge pull request #6162 from smowton/smowton/feature/jax-rs-content-type-sensitivity-fixes 
Jax-RS: implement content-type tracking
 2021-08-03 14:53:31 +01:00
Anders Schack-Mulligen
7fb1e1578e Merge pull request #5894 from atorralba/atorralba/promote-ognl-injection 
Java: Promote OGNL Injection query from experimental
 2021-08-03 15:31:40 +02:00
Anders Schack-Mulligen
be6fd7c22e Merge pull request #6382 from bmuskalla/stringValueOfTaint 
Track taint for String.valueOf(..)
 2021-08-03 15:30:30 +02:00
Benjamin Muskalla
8ce841493c Avoid taint for valueOf(Object) 2021-08-03 14:46:55 +02:00
Anders Schack-Mulligen
c0d76da1a6 Merge pull request #5846 from atorralba/atorralba/promote-unsafe-android-webview-fetch 
Java: Promote Unsafe resource loading in Android WebView from experimental
 2021-08-03 14:24:34 +02:00
Tony Torralba
f5cbec4938 Fix tests affected by Jackson stubs changes 2021-08-03 14:22:55 +02:00
Anders Schack-Mulligen
fb9feabe64 Merge pull request #6062 from atorralba/atorralba/promote-groovy-injection 
Java: Promote Groovy Code Injection from experimental
 2021-08-03 14:19:15 +02:00
Tony Torralba
a33e0bce9d Fix tests affected by Jackson stubs changes 2021-08-03 13:15:45 +02:00
Chris Smowton
f83f950be6 Merge pull request #6325 from smowton/smowton/feature/org-json-models 
Java: add models of JSON-java, aka `org.json`
 2021-08-03 10:33:49 +01:00
Tony Torralba
084cda6daa Merge branch 'main' into atorralba/promote-groovy-injection 2021-08-03 09:53:46 +02:00
Tony Torralba
36565802dc Delete unnecesary file 
RequestForgery.expected in experimental was an artifact from a merge that wasn't adequately removed
 2021-08-03 09:48:04 +02:00
Chris Smowton
fad1622730 Merge pull request #5435 from haby0/DynamicallyLoadedClasses 
Java: CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
 2021-08-02 16:04:30 +01:00
Tony Torralba
08bdd1aa7a Merge branch 'main' into atorralba/promote-ognl-injection 2021-08-02 16:05:38 +02:00
Tony Torralba
8b50b3d00f Add jackson-core to test dependencies 2021-08-02 16:04:49 +02:00
Chris Smowton
170bb43393 Update java/ql/test/library-tests/frameworks/json-java/test.ql 
Remove unnecessary import

Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-08-02 14:46:38 +01:00
Anders Schack-Mulligen
53e6ddfeb6 Merge pull request #6001 from atorralba/atorralba/promote-mvel-injection 
Java: Promote MVEL injection query from experimental
 2021-08-02 14:40:26 +02:00
Tony Torralba
f4b78ef3bd Fix stubs 2021-08-02 14:12:05 +02:00
Tony Torralba
9b384d84cc Merge branch 'main' into atorralba/promote-ognl-injection 2021-08-02 14:06:45 +02:00
Tony Torralba
351a24558d Add tests for JacksonSerializability 
Upgraded jackson stubs to 2.12
 2021-08-02 14:03:30 +02:00
Anders Schack-Mulligen
3b676d432f Merge pull request #5900 from artem-smotrakov/unsafe-jackson-deserialization 
Java: Unsafe deserialization with Jackson
 2021-08-02 12:45:30 +02:00
Fosstars
44e52517ad Removed unsafeMacCheckWithArraysDeepEquals() test 2021-08-01 10:12:38 +02:00
Fosstars
ad54c9d937 Two queries for timing attacks 2021-08-01 09:47:07 +02:00
Artem Smotrakov
e3b6ceade5 Renamed NonConstantTimeCryptoComparison.ql to NonConstantTimeCheckOnSignature.ql 2021-08-01 09:47:06 +02:00
Artem Smotrakov
8b557765b3 Narrow NonConstantTimeCryptoComparison.ql to timing attack on signatures and MACs only 2021-08-01 09:47:06 +02:00
Artem Smotrakov
1f2a9cdda7 Added taint propagation steps for hashes in NonConstantTimeCryptoComparison.ql 2021-08-01 09:47:06 +02:00
Artem Smotrakov
c96d939cf5 Covered custom fast-fail checks in NonConstantTimeCryptoComparison.ql 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2021-08-01 09:47:06 +02:00
Artem Smotrakov
8c4da16459 More test cases for java/non-constant-time-crypto-comparison 2021-08-01 09:47:04 +02:00
Artem Smotrakov
a4f3a5a88e Take into account remote user input in java/non-constant-time-crypto-comparison 2021-08-01 09:47:03 +02:00
Artem Smotrakov
8e6d227dc0 More sinks for java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCryptoComparison.ql 2021-08-01 09:47:03 +02:00
Artem Smotrakov
dfa3b523d0 Renamed files 2021-08-01 09:47:03 +02:00
Artem Smotrakov
75f67959f3 Covered Arrays.deepEquals() in NonConstantTimeCryptoComparison.ql 2021-08-01 09:47:02 +02:00
Artem Smotrakov
5dbcf1d611 Covered Object.deepEquals() in NotConstantTimeCryptoComparison.ql 2021-08-01 09:47:02 +02:00
Artem Smotrakov
f245dc3ac8 Removed hashes from NotConstantTimeCryptoComparison.ql 2021-08-01 09:47:02 +02:00
Artem Smotrakov
67579dd1d8 Added tests for NotConstantTimeCryptoComparison.ql 2021-08-01 09:47:01 +02:00
Fosstars
a4b0041120 Better looksLikeResolveClassStep() predicate 2021-07-30 09:28:03 +02:00
Joe Farebrother
e23f666f67 Replace get and newWith methods with real implementations 2021-07-29 16:39:50 +01:00
Joe Farebrother
f1ca29a846 Add more stubs 2021-07-29 15:58:42 +01:00
Joe Farebrother
096509b9aa Generate tests and stubs 2021-07-29 15:01:50 +01:00
Benjamin Muskalla
b7b74b51a3 Track taint for String.valueOf(..) 2021-07-29 09:14:03 +02:00