hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
14,595 Commits 1,671 Branches 157 Tags
rc/1.25
Commit Graph

1004 Commits

Author SHA1 Message Date
Anders Schack-Mulligen
68441bdf99 Merge pull request #3987 from Marcono1234/patch-1 
[Java] Improve InsecureJavaMail.qhelp references
 2020-08-04 12:12:38 +02:00
Anders Schack-Mulligen
cdea0f05b0 Merge pull request #3946 from aibaars/util-collections-2 
Java: Clean up ContainerFlow: address outstanding comments
 2020-08-04 10:27:22 +02:00
Arthur Baars
7e72ef350e Merge pull request #3975 from aibaars/lgtm-suites 
CodeQL: complete LGTM suites
 2020-07-30 18:39:01 +02:00
Arthur Baars
5bad003c0c Add qlpack.yml files for example queries 2020-07-29 16:57:04 +02:00
Marcono1234
5942bc6a43 Improve InsecureJavaMail.qhelp references 2020-07-29 01:45:27 +02:00
Arthur Baars
c4041e55ba CodeQL: complete LGTM suites 2020-07-28 20:40:44 +02:00
Arthur Baars
67b6018079 Merge pull request #3729 from luchua-bc/java-hardcoded-aws-credentials 
Java: Hardcoded AWS credentials
 2020-07-13 18:04:42 +02:00
luchua-bc
12803f1f53 Merge Hardcoded AWS Credentials check into the mail source folder 2020-07-13 12:22:34 +00:00
Arthur Baars
b1e604b490 Java: treat Stack.push as data flow instead of taint flow 2020-07-13 11:36:34 +02:00
Arthur Baars
a484aff76d Java: improve comments 2020-07-13 11:09:05 +02:00
Anders Schack-Mulligen
a1d272e870 Merge pull request #3918 from aibaars/organise-container-flow 
Java: Clean up ContainerFlow, consider more methods
 2020-07-10 14:19:44 +02:00
Arthur Baars
43b61038e9 Drop Map.merge as taint step 2020-07-10 13:00:14 +02:00
Arthur Baars
0d33a77ee3 Fix modelling of Stack.push 
Stack.push(E) returns its argument, it does not propagate taint from
the stack to the return value.
 2020-07-09 16:16:29 +02:00
Anders Schack-Mulligen
879551fc6a Merge pull request #3936 from aibaars/object-clone 
Java: model Object.clone
 2020-07-09 16:09:01 +02:00
Anders Schack-Mulligen
c8b9b779ae Merge pull request #3927 from rvermeulen/java-importable-cwe-601 
Java: Move `UrlRedirectSink` into importable library
 2020-07-09 16:03:29 +02:00
Anders Schack-Mulligen
99a4f8fd0b Merge pull request #3926 from rvermeulen/java-importable-cwe-089 
Java: Move `QueryInjectionSink` into importable library
 2020-07-09 16:00:56 +02:00
Remco Vermeulen
7428a8cd95 Add missing java import 2020-07-09 15:06:26 +02:00
Remco Vermeulen
d3db4fa5b2 Add missing java import 2020-07-09 15:04:16 +02:00
Remco Vermeulen
54d6c8b5f4 Mark ServletUrlRedirectSink private 2020-07-09 15:03:51 +02:00
Arthur Baars
e183171fea Java: model Object.clone 2020-07-09 14:50:29 +02:00
Remco Vermeulen
1212feab28 Add file-level qldoc 2020-07-09 14:11:59 +02:00
Remco Vermeulen
99228d8bc2 Optimize imports 2020-07-09 14:09:39 +02:00
Remco Vermeulen
ba9f3e2a1e Join ServletUrlRedirectSink with UrlRedirectSink 2020-07-09 14:08:43 +02:00
Remco Vermeulen
88f4b224c3 Extend UrlRedirectSink from DataFlow::Node 2020-07-09 14:05:54 +02:00
Remco Vermeulen
f8078f1125 Remove superfluous imports 2020-07-09 13:43:10 +02:00
Arthur Baars
d3d58795f1 Java: ContainerFlow add comments 
Some method variants are captured by a super class. Added some comments
to indicate where this happens to make review of missing methods easier
in the future.
 2020-07-09 12:46:57 +02:00
Remco Vermeulen
9a84abf259 Generalize QueryInjectionSink 
Extends from the more general DataFlow::Node instead of
DataFlow::ExprNode
 2020-07-09 12:32:17 +02:00
Arthur Baars
24c6e506aa Java: ContainerFlow: RValue -> Expr 
While most flow for a qualifierToArgumentStep goes through a variable use
this is not always the case. Therefore it is best to remove the restriction
to RValue to allow taint steps to use postupdate nodes.

See also: ba86dea657
 2020-07-09 12:20:48 +02:00
Arthur Baars
0bd103ac05 Java: add tests for Container taint steps 2020-07-09 12:15:38 +02:00
Remco Vermeulen
c01844a39e Add file-level qldoc 2020-07-09 10:30:31 +02:00
Remco Vermeulen
42e261ac02 Move SqlInjectionSink and PersistenceQueryInjectionSink 
Join SqlInjectionSink and PersistenceQueryInjectionSink with
QueryInjectionSink to make its definition more transparent.
 2020-07-09 10:21:24 +02:00
Remco Vermeulen
d07d21c9e2 Fix import 2020-07-09 10:20:53 +02:00
Anders Schack-Mulligen
777dc6305c Merge pull request #3893 from aibaars/set-map-list-copy-of 
Java: model some new Set,List,Map methods
 2020-07-09 10:18:12 +02:00
Arthur Baars
6367eb9ee8 Address review comments 2020-07-08 22:08:27 +02:00
Remco Vermeulen
170be9ffe8 Move UrlRedirectSink into importable library 
- The `UrlRedirect` class is renamed to `ServletUrlRedirect`.
- Abstract class `UrlRedirectSink` is defined that can be imported and
used to customise CWE-601 via Customizations.qll
 2020-07-08 16:47:51 +02:00
Remco Vermeulen
06517c6f82 Move QueryInjectionSink into importable library 
This enables defining of new sinks to customise the CWE-089 queries.
 2020-07-08 16:24:06 +02:00
Arthur Baars
e8f216c761 Merge remote-tracking branch 'upstream/master' into set-map-list-copy-of 2020-07-08 15:11:13 +02:00
Anders Schack-Mulligen
bf5c5297d3 Merge pull request #3897 from aibaars/util-objects 
Java: data flow for `java.util.Objects`
 2020-07-08 15:07:50 +02:00
Anders Schack-Mulligen
b88ebd69c1 Java: Fix OgnlInjection qltest 2020-07-08 14:12:27 +02:00
Anders Schack-Mulligen
a4fe4f41b9 Java: Fix JndiInjection qltest 2020-07-08 14:09:08 +02:00
Anders Schack-Mulligen
581d496167 Java: Fix LdapInjection qltest 2020-07-08 14:04:01 +02:00
Arthur Baars
72a24972e7 Apply suggestions from code review 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2020-07-08 13:30:24 +02:00
Anders Schack-Mulligen
48e4759632 Merge branch 'master' into java/spring-3653-2 2020-07-08 13:06:51 +02:00
semmle-qlci
6ef7288848 Merge pull request #3922 from aschackmull/java/stub-cleanup 
Approved by aibaars
 2020-07-08 12:04:39 +01:00
Anders Schack-Mulligen
b38839e84e Merge pull request #3920 from Marcono1234/patch-3 
Improve VariableAssign.getSource documentation
 2020-07-08 10:25:13 +02:00
Anders Schack-Mulligen
6eac8e82a3 Java: Consolidate spring-ldap-2.3.2 stubs. 2020-07-08 10:08:44 +02:00
Anders Schack-Mulligen
40b9d34ab9 Java: Consolidate springframework-5.2.3 stubs 2020-07-08 09:57:48 +02:00
Anders Schack-Mulligen
c166fee198 Merge pull request #3894 from aibaars/util-arrays 
Java: model taint for java.util.Arrays
 2020-07-08 09:06:40 +02:00
Marcono1234
00a61816c0 Improve VariableAssign.getSource documentation 2020-07-07 22:37:58 +02:00
Arthur Baars
441bf98ce7 Java: add Vector::copyInto, BlockingQueue::drainTo 2020-07-07 20:35:02 +02:00