hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
22,620 Commits 1,671 Branches 157 Tags
ginsbach/withInstanceof
Commit Graph

2261 Commits

Author SHA1 Message Date
Sebastian Bauersfeld
b05512a958 Add change notes. 2021-05-12 16:58:24 +07:00
Sebastian Bauersfeld
bf4d88175c Consider boxed booleans to avoid false positives for XXE.ql 2021-05-12 16:40:00 +07:00
Anders Schack-Mulligen
a247ae4357 Merge pull request #5843 from JLLeitschuh/feat/JLL/improve_kryo_support 
[Java] Fix Kryo FP & Kryo 5 Support
 2021-05-12 09:52:24 +02:00
Anders Schack-Mulligen
74ae2e0857 Merge pull request #5773 from hvitved/dataflow/aggressive-caching 
Data flow: Cache most language-dependent predicates
 2021-05-12 09:41:55 +02:00
Tom Hvitved
d66506b0a3 Data flow: Rename {Argument,Parameter}NodeExt to {Arg,Param}Node 2021-05-11 14:40:10 +02:00
Jonathan Leitschuh
0d9a85ca6b Update java/change-notes/2021-05-05-kryo-improvements.md 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-05-11 08:29:50 -04:00
Anders Schack-Mulligen
744c495ac2 Merge pull request #5824 from JLLeitschuh/feat/JLL/guava_first_non_null 
[Java] Add support for com.google.common.base.MoreObjects#firstNonNull
 2021-05-11 09:42:20 +02:00
Anders Schack-Mulligen
7d6a497136 Merge pull request #5857 from dbartol/container/work 
Java: Fix QLDoc for `Container.toString()`
 2021-05-11 08:37:41 +02:00
Dave Bartolomeo
f85aff869c Java: Fix PR feedback 2021-05-10 16:37:23 -04:00
Jonathan Leitschuh
d27316eb3e Apply suggestions from code review 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2021-05-10 11:55:31 -04:00
Chris Smowton
0afe22d60c Merge pull request #5710 from p0wn4j/jsch-os-injection 
[Java] CWE-078: Add JSch lib OS Command Injection sink
 2021-05-10 16:12:00 +01:00
Dave Bartolomeo
d9f243d18a Java: Fix QLDoc for Container.toString() 
Fixes #5828

The QLDoc was just too specific about the default implementation. I've improved the wording.
 2021-05-08 11:14:02 -04:00
Hayk Andriasyan
fd88b72101 Delete JSchOSInjection.qhelp 2021-05-08 12:51:15 +04:00
Tony Torralba
2a501956b3 Mark a MISSING test result as suggested in code review 2021-05-07 11:17:51 +02:00
Tony Torralba
b69be30b88 Fix imports as suggested in code review 2021-05-07 11:07:06 +02:00
Tony Torralba
f16605b3c1 Apply suggestions from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2021-05-06 15:17:55 +02:00
Tony Torralba
f1fab854c4 Fix tests for XXE, introduced a dependency with jaxen 2021-05-06 12:11:55 +02:00
Tony Torralba
76468559ba Add safe example for dom4j 2021-05-06 10:17:25 +02:00
Tony Torralba
926fedb7fb Update java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2021-05-06 09:18:50 +02:00
Tony Torralba
00a7576679 Rename XPath Injection test file 2021-05-06 09:18:50 +02:00
Tony Torralba
8af7f4a484 New sinks and test cases 2021-05-06 09:18:49 +02:00
Tony Torralba
ccb3ea4453 Fix XPath Injection tests classpath 2021-05-06 09:18:49 +02:00
Tony Torralba
509fc8a640 Add missing docs to stubs 2021-05-06 09:18:49 +02:00
Tony Torralba
26c3ff2cee Move from experimental to standard 2021-05-06 09:18:49 +02:00
Tony Torralba
215118c7ea Fixes in QLDocs and imports 2021-05-06 09:18:49 +02:00
Tony Torralba
720b5d6da3 Refactored sto use CSV sink model. Also, added more sinks 2021-05-06 09:18:49 +02:00
Tony Torralba
ab62bb66f4 Consider second parameter of Node.selectNodes 2021-05-06 09:18:49 +02:00
Tony Torralba
d72dd9b861 javax.xml.xpath.XPath is an interface 2021-05-06 09:18:49 +02:00
Tony Torralba
2bb2baf6f7 Support more methods that evaluate XPath expressions 2021-05-06 09:18:49 +02:00
Tony Torralba
3705970bfd Refactored XPath.qll to remove redundant classes and restrict visibility 2021-05-06 09:18:49 +02:00
Tony Torralba
d739a8cac2 Moved configuration from XPath.qll back to XPath Injection query 2021-05-06 09:18:48 +02:00
Tony Torralba
ee269fbc69 Added missing doc comments 2021-05-06 09:18:48 +02:00
Tony Torralba
fb3e56eac8 Fix imports and stubs so that tests pass 2021-05-06 09:18:48 +02:00
Tony Torralba
a62997463f Remove unused imports; use set literals in hasName 2021-05-06 09:18:48 +02:00
Tony Torralba
ed5619498c WIP: XPath Injection promotion 2021-05-06 09:18:48 +02:00
Jonathan Leitschuh
67e9f06304 [Java] Fix Kryo FP & Kryo 5 Support 
Closes #4992
 2021-05-05 17:38:34 -04:00
Felicity Chapman
8b2009cfb1 Minor updates to qhelp file 2021-05-05 12:36:29 +01:00
Anders Schack-Mulligen
5bcf810a7c Merge pull request #5821 from JarLob/patch-1 
Update UncaughtServletException.qhelp
 2021-05-04 10:39:02 +02:00
Anders Schack-Mulligen
9ee9186a1a Merge pull request #5825 from github/yo-h/java-diagnostic-queries 
Java: split extractor diagnostics query into two
 2021-05-04 10:12:32 +02:00
yo-h
edf1a90161 Java: split extractor diagnostics query into two 2021-05-03 20:27:07 -04:00
Jonathan Leitschuh
dfad1fc740 [Java] Add support for com.google.common.base.MoreObjects#firstNonNull 2021-05-03 12:58:00 -04:00
Jaroslav Lobačevski
38bce39baa Update UncaughtServletException.qhelp 
There is no single word in https://cwe.mitre.org/data/definitions/600.html about possible DoS or unexpected state.
 2021-05-03 15:06:57 +03:00
Chris Smowton
b2c0259197 Merge pull request #5631 from haby0/UseOfLessTrustedSource 
[Java] CWE-348: Using a client-supplied IP address in a security check
 2021-04-30 15:20:53 +01:00
haby0
fdcc517b9f UseOfLessTrustedSource -> ClientSuppliedIpUsedInSecurityCheck" 2021-04-30 17:43:34 +08:00
haby0
f41301f8f5 Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-30 16:55:17 +08:00
haby0
0691cac5ab Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-30 16:54:41 +08:00
haby0
8142810455 Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-04-30 16:54:28 +08:00
haby0
711a74c9c9 Eliminate false positives\ 2021-04-30 10:31:40 +08:00
intrigus
08731fc6cf Fix typo. 2021-04-29 20:26:34 +02:00
Chris Smowton
ad9ea40954 Merge pull request #5597 from intrigus-lgtm/java/jwt-insecure-parse 
[Java] JWT without signature check.
 2021-04-29 14:41:11 +01:00