hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,347 Commits 1,672 Branches 157 Tags
hmac-cli-injection-from-library-inputs
Commit Graph

4613 Commits

Author SHA1 Message Date
Anders Schack-Mulligen
69973dadb3 Merge pull request #7548 from zbazztian/spring-taint-summaries 
Java: Add Spring and Apache Common Langs taint flow steps
 2022-01-13 13:00:41 +01:00
Owen Mansel-Chan
7e42ccfbf1 Don't cache defaultTaintSanitizerGuard for java 2022-01-13 11:36:20 +00:00
Sebastian Bauersfeld
a6e4f29560 Java: Use the interface instead of the abstract class 2022-01-13 14:13:36 +07:00
Sebastian Bauersfeld
69f329ffec Java: Add test cases for AbstractMessageSource.getMessage() methods 2022-01-13 14:13:27 +07:00
Sebastian Bauersfeld
39b6678b7d Java: Add test case for StringEscapeUtils.escapeJson() taint step. 2022-01-13 11:18:37 +07:00
github-actions[bot]
625836a3be Add changed framework coverage reports 2022-01-13 00:11:30 +00:00
Andrew Eisenberg
e435a3e9c3 Changenotes: Add changenotes for upgrades refactoring 2022-01-12 11:36:31 -08:00
Owen Mansel-Chan
c112980b81 Sync TaintTrackingImpl.qll 
Done automatically using sync-files.py
 2022-01-12 14:44:55 +00:00
Owen Mansel-Chan
9ec3d7787c Add option for default taint sanitizer guard 
This allows languages to specify A sanitizer guard in all
global taint flow configurations but not in local taint.
 2022-01-12 14:44:55 +00:00
github-actions[bot]
8a2d92badc Post-release preparation for codeql-cli-2.7.5 2022-01-12 13:28:43 +00:00
Tamás Vajk
9065a7f320 Merge pull request #7573 from tamasvajk/fix/java-field-decl-tostr 
Java: Fix toString on field declarations with single field
 2022-01-12 13:03:16 +01:00
Tony Torralba
c2105e506b Added test cases 2022-01-12 11:06:58 +01:00
Alvaro Muñoz Sanchez
715d372572 Add models for AbstractStringBuilder.substring,subsequence,getChars 2022-01-12 10:54:27 +01:00
Tamas Vajk
b9e0310aa2 Java: Fix toString on field declarations with single field 2022-01-12 09:22:16 +01:00
luchua-bc
263dbd33f6 Optimize the query 2022-01-12 02:33:17 +00:00
github-actions[bot]
c79e8ab440 Add changed framework coverage reports 2022-01-12 00:10:48 +00:00
Andrew Eisenberg
07228672df Merge branch 'main' into aeisenberg/remove-upgrades 2022-01-11 11:25:27 -08:00
Tony Torralba
7b0d9ea525 Merge pull request #7054 from atorralba/atorralba/promote-log-injection 
Java: Promote Log Injection from experimental
 2022-01-11 17:26:18 +01:00
Tony Torralba
1030ff7063 Update java/ql/src/Security/CWE/CWE-117/LogInjection.ql 2022-01-11 16:25:32 +01:00
Tony Torralba
4aacba8594 Merge pull request #6468 from atorralba/atorralba/promote-cleartext-sharedprefs 
Java: Promote Cleartext storage of sensitive information using SharedPreferences from experimental
 2022-01-11 16:23:53 +01:00
Tony Torralba
394c4a9ee0 Remove unused code 2022-01-11 14:50:48 +01:00
Anders Schack-Mulligen
fdb4851521 Java: A few perf fixes for getASupertype*(). 2022-01-11 13:33:54 +01:00
Tony Torralba
50caf7d8dc Move change note to new location and remove import 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2022-01-11 12:24:44 +01:00
Tony Torralba
b9e32208ee Move change note to new location 2022-01-11 12:23:16 +01:00
Sebastian Bauersfeld
e2a9ced691 Java: Pass taint through Apache's StringEscapeUtils.escapeJson() method. 2022-01-11 15:49:44 +07:00
Sebastian Bauersfeld
f36ee95128 Java: Pass taint through Spring's AbstractMessageSource.getMessage() methods. 2022-01-11 15:48:29 +07:00
Chris Smowton
e352a4b994 Note that parameterizations of local classes are themselves local 
Previously `LocalClass` itself would match `.isLocal()` whereas `LocalClass<Param>` would not. Rather than require each individual user to check for `.getSourceDeclaration().isLocal()`, let's note that the specializations themselves are local.
 2022-01-10 18:19:31 +00:00
Tony Torralba
fbebf5e953 Move change note to new location 2022-01-10 17:27:02 +01:00
Tony Torralba
0e738622df Merge branch 'main' into atorralba/promote-log-injection 2022-01-10 17:24:25 +01:00
Tony Torralba
cc92ce2754 Fix QLDoc 2022-01-10 17:13:13 +01:00
Tony Torralba
e1e5e78464 Apply suggestions from code review 
- Update CleartextStorage library to latest refactor
- Move change note to new location
 2022-01-10 17:10:55 +01:00
Tony Torralba
d17e973b6b Apply suggestions from code review 
Co-authored-by: Ethan Palm <56270045+ethanpalm@users.noreply.github.com>
 2022-01-10 17:09:41 +01:00
Tony Torralba
ec8c234872 Fix predicate name 2022-01-10 17:09:41 +01:00
Tony Torralba
55dc783f28 Move from experimental and refactor 2022-01-10 17:09:37 +01:00
Anders Schack-Mulligen
f590d2566e DataFlow: Fix test. 2022-01-10 11:25:52 +01:00
Anders Schack-Mulligen
ef714f7328 Dataflow: Sync 2022-01-05 14:25:35 +01:00
Anders Schack-Mulligen
6b6a9df0eb Dataflow: Remove abstract class 2022-01-05 14:13:26 +01:00
Henry Mercer
19933262c4 Java: Fix copy/paste error in existing queries 
Co-authored-by: yo-h <55373593+yo-h@users.noreply.github.com>
 2022-01-05 10:50:22 +00:00
github-actions[bot]
0aa1152899 Add changed framework coverage reports 2022-01-05 00:10:19 +00:00
Dave Bartolomeo
83ceb822aa Move upgrades into standard library packs 
Move upgrade to new location

Remove incorrectly merged files

Fix upgrades section
 2022-01-04 11:30:25 -08:00
github-actions[bot]
1dfcf427aa Release preparation for version 2.7.5 2022-01-04 14:44:56 +00:00
Anders Schack-Mulligen
6457f42497 Merge pull request #7500 from zbazztian/stringbuilder-reverse-taint 
Propagate taint through AbstractStringBuilder.reverse()
 2022-01-04 13:28:14 +01:00
Anders Schack-Mulligen
f8380dabe0 Update java/ql/lib/semmle/code/java/frameworks/Strings.qll 2022-01-04 11:47:26 +01:00
Dave Bartolomeo
ded3c52a34 Merge pull request #7407 from github/post-release-prep/codeql-cli-2.7.4 
Post-release preparation for codeql-cli-2.7.4
 2022-01-03 17:09:58 -05:00
github-actions[bot]
1334d207fa Post-release version bumps 2022-01-03 20:11:15 +00:00
Sebastian Bauersfeld
421bd1b970 Propagate taint through AbstractStringBuilder.reverse() and its overrides. 2022-01-03 10:38:27 +07:00
Tom Hvitved
27f786b41e Merge pull request #7442 from hvitved/ruby/dataflow/keyword-params 
Ruby: Data flow for keyword arguments/parameters
 2021-12-22 15:23:22 +01:00
Tom Hvitved
06575efce9 Data flow: Fix bad join-order 2021-12-20 15:44:16 +01:00
Nick Rolfe
f18492e39b Merge pull request #7443 from github/nickrolfe/behavior 
QL4QL: catch behaviour/behavior in ql/non-us-spelling
 2021-12-20 13:23:53 +00:00
Tom Hvitved
ed006d7283 Merge pull request #7231 from hvitved/csharp/dataflow/consistency-queries 
C#: Enable data-flow consistency queries
 2021-12-20 08:46:19 +01:00