hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
79,003 Commits 1,671 Branches 157 Tags
ginsbach/NewOverlayLocalJavaRebase
Commit Graph

13226 Commits

Author SHA1 Message Date
Bt2018
a2560656d5 Update java/ql/src/experimental/CWE-532/SensitiveInfoLog.qhelp 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2020-05-04 06:57:42 -04:00
Mithrilwoodrat
a7960c3385 Update java/ql/src/experimental/Security/CWE/CWE-1004/InsecureTomcatConfig.qhelp 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2020-05-04 17:48:41 +08:00
mithrilwoodrat
1053aa4c44 add query to found Tomcat config disables 'HttpOnly' flag 2020-05-04 12:26:03 +08:00
Grzegorz Golawski
f893954ea3 Add Spring LDAP and JMXServiceURL related sinks 2020-05-03 20:51:50 +02:00
Anders Schack-Mulligen
29a5ea121a Merge pull request #2901 from ggolawski/java-spring-boot-actuators 
CodeQL query to detect open Spring Boot actuator endpoints
 2020-04-29 15:10:54 +02:00
Anders Schack-Mulligen
b6a7ab8bf4 Merge pull request #3372 from aibaars/spring-multipart 
Java: add `org.springframework.web.multipart.MultipartFile::getX` as RemoteFlowSource
 2020-04-29 11:35:04 +02:00
Arthur Baars
d7774788b3 Java: add Spring MultipartFile as RemoteFlowSource 2020-04-28 16:57:03 +02:00
Arthur Baars
ae2bab7e9c Add test case 2020-04-28 16:57:03 +02:00
Anders Schack-Mulligen
bc7163aa68 Merge pull request #3216 from aibaars/message-digest 
Java: teach Encryption.qll about MessageDigest.getInstance
 2020-04-28 11:41:53 +02:00
Arthur Baars
31e284a707 Add test case 2020-04-28 11:26:43 +02:00
Arthur Baars
9742d3892d Java: Add org.apache.commons.codec.(De|En)coder to TainTrackingUtil 
The commons codec library contains many encoder and decoder methods
and is fairly commonly used.
 2020-04-28 11:26:43 +02:00
Grzegorz Golawski
31a2972eca Remove qlpack.yml as these are not needed 2020-04-27 23:32:48 +02:00
Grzegorz Golawski
0c75330e42 Remove qlpack.yml as these are not needed 2020-04-27 23:31:10 +02:00
Grzegorz Golawski
639aa826ea Remove qlpack.yml as these are not needed 2020-04-27 23:26:59 +02:00
Grzegorz Golawski
d590f3fba8 CodeQL query to detect XSLT injections 2020-04-27 22:35:35 +02:00
yo-h
97f4cb64ef Merge pull request #3349 from aschackmull/java/qldoc1 
Java: Improve qldoc coverage.
 2020-04-27 12:49:23 -04:00
Tom Hvitved
d28c4fb0f5 Merge pull request #3202 from jbj/pathStep-join-unique 
Java/C++/C#: Use `unique` to improve join order fix
 2020-04-27 13:06:27 +02:00
Arthur Baars
59869ace63 Java: teach Encryption.qll about MessageDigest.getInstance 
We already modelled usage of the protected `MessageDigest(String algo)`
constructor as a crypto algorithm specification. For some reason we did
not model the more commonly used public `MessageDigest.getInstance` method.
 2020-04-25 00:41:10 +02:00
Anders Schack-Mulligen
beab320557 Java: Add more qldoc. 2020-04-24 14:17:47 +02:00
Grzegorz Golawski
40fcd4cbe5 Fix references 2020-04-19 20:49:07 +02:00
Grzegorz Golawski
457e2eaf59 CodeQL query to detect OGNL injections 2020-04-19 20:31:57 +02:00
Grzegorz Golawski
af48bc3e57 CodeQL query to detect JNDI injections 2020-04-17 21:45:42 +02:00
Tom Hvitved
05ec75558d Java: Update test 2020-04-17 13:49:08 +02:00
Tom Hvitved
1b6e978a62 Data flow: Sync files 2020-04-17 13:49:06 +02:00
Pavel Avgustinov
6737e99d65 Merge pull request #3209 from hmakholm/baselib-extractor 
Add extractor field in base language QL packs
 2020-04-09 15:24:49 +01:00
luchua-bc
b7f2d32fb0 Address improper URL authorization 2020-04-08 22:41:11 -04:00
luchua-bc
e1a680cd86 Address improper URL authorization 2020-04-08 22:41:11 -04:00
yo-h
9a79e3be2c Java 14: add PREVIEW FEATURE notes to QLDoc 2020-04-07 22:22:10 -04:00
yo-h
697b273e32 Java 14: update expected test output 2020-04-07 22:22:10 -04:00
yo-h
e12de3b021 Java 14: add dbscheme upgrade script for records 2020-04-07 22:22:09 -04:00
yo-h
70e09ddb88 Java 14: add dbscheme stats for records 2020-04-07 22:22:08 -04:00
yo-h
662cff8316 Java 14: add class Record to Type.qll 2020-04-07 22:22:08 -04:00
yo-h
e1787f58aa Java 14: add isRecord relation to dbscheme 2020-04-07 22:22:08 -04:00
yo-h
b763342277 Java 14: account for instanceof pattern matching 2020-04-07 22:22:07 -04:00
yo-h
9d2f76849b Java 14: switch expressions are no longer in preview 2020-04-07 22:22:07 -04:00
Henning Makholm
d1ff3211ef Add extractor fields to test qlpack.yml files. 2020-04-06 19:21:41 +02:00
Henning Makholm
bf579dedd4 Add extractor field in base language QL packs 2020-04-06 18:48:01 +02:00
Jonas Jensen
46fc91315b Java/C++/C#: Revert the join order fix from #2872 
This revert brings back the performance problems in
`DataFlowImplLocal.qll` so they can be fixed in a different way. The fix
in #2872 was asymptotically good but had undesired overhead because it
introduced another predicate in the SCC that existed purely for join
ordering.

I did the revert by inlining the helper predicate, eliminating the
`enclosing` variable, and re-ordering the resulting lines to what they
were before #2872.
 2020-04-06 10:04:50 +02:00
Robert
1096e5d947 Merge pull request #3163 from robertbrignull/code_scanning_suites 
Add code-scanning suites
 2020-04-06 08:45:40 +01:00
Grzegorz Golawski
1d8da905ac Make the test runnable via codeql test run 2020-04-03 21:44:13 +02:00
ggolawski
79d7ea36ff Update java/ql/src/experimental/Security/CWE/CWE-016/SpringBootActuators.qll 
Co-Authored-By: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2020-04-03 21:36:34 +02:00
Grzegorz Golawski
6ca963a8c8 Fix 2020-04-03 00:30:02 +02:00
Grzegorz Golawski
f05b2af69d Move to experimental 2020-04-03 00:27:51 +02:00
Grzegorz Golawski
cffe89f652 Merge branch 'master' into java-spring-boot-actuators 2020-04-02 22:06:25 +02:00
Anders Schack-Mulligen
01157e43e3 Merge pull request #2899 from p-/cwe-036 
Java: Calling openStream on URLs created from remote source can lead to file disclosure
 2020-04-02 13:55:06 +02:00
Peter Stöckli
ca80bfda4f Fix tags 2020-04-02 07:43:55 +02:00
Peter Stöckli
36c351dc68 Add input from documentation review 2020-04-01 17:59:45 +02:00
Tom Hvitved
42e180d6c4 Merge pull request #3060 from aschackmull/dataflow/no-param-to-same-param-flow 
Dataflow: Exclude param-param flow through with identical params.
 2020-04-01 09:42:12 +02:00
Peter Stöckli
60d5ed9c79 Input from Review 2020-03-31 18:30:00 +02:00
Peter Stöckli
40c3b5468f Fix QHelp/XML syntax 2020-03-30 18:55:14 +02:00