hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
26,405 Commits 1,671 Branches 157 Tags
remove-javascript
Commit Graph

359 Commits

Author SHA1 Message Date
Grzegorz Golawski
5e462a897d Merge branch 'main' into xslt-injection 2020-08-30 22:45:31 +02:00
Grzegorz Golawski
37f4410764 Fix test 2020-08-30 22:32:57 +02:00
Anders Schack-Mulligen
4947e1d817 Java: Temporarily move a qltest. 2020-08-14 09:25:32 +02:00
luchua-bc
b821f918e5 Address issues with matching empty host and host in a concatenated string 2020-08-06 01:53:29 +00:00
luchua-bc
9a8eed8440 Enhance address match 2020-08-05 19:57:31 +00:00
luchua-bc
ff0dacf1d7 Optimize the TaintTracking 2020-08-03 00:52:47 +00:00
luchua-bc
ff58abb7d3 Revamp the sink code 2020-08-01 03:25:02 +00:00
luchua-bc
81de1b14d9 Revamp the source of path query 2020-07-30 19:16:48 +00:00
luchua-bc
5520504658 Update expected results 2020-07-28 15:41:23 +00:00
luchua-bc
7f911f00ee Rename to insecure basic auth 2020-07-28 11:40:21 +00:00
luchua-bc
3a23451395 Enhance the query 2020-07-27 18:50:47 +00:00
luchua-bc
01fb51829c Unsecure basic authentication 2020-07-24 20:35:09 +00:00
Anders Schack-Mulligen
b88ebd69c1 Java: Fix OgnlInjection qltest 2020-07-08 14:12:27 +02:00
Anders Schack-Mulligen
a4fe4f41b9 Java: Fix JndiInjection qltest 2020-07-08 14:09:08 +02:00
Anders Schack-Mulligen
6eac8e82a3 Java: Consolidate spring-ldap-2.3.2 stubs. 2020-07-08 10:08:44 +02:00
Anders Schack-Mulligen
40b9d34ab9 Java: Consolidate springframework-5.2.3 stubs 2020-07-08 09:57:48 +02:00
luchua-bc
1d0232b464 Add more servlet methods and fix formatting errors 2020-07-02 03:07:19 +00:00
Anders Schack-Mulligen
13cb853af5 Merge pull request #3294 from ggolawski/ognl-injection 
CodeQL query to detect OGNL injections
 2020-06-30 09:46:02 +02:00
luchua-bc
ede9cec4a9 Uncaught Servlet Exception 2020-06-29 20:07:53 +00:00
Anders Schack-Mulligen
d297ce2279 Merge pull request #3436 from artem-smotrakov/revocation-checking 
Java: Added a query for disabled certificate revocation checking
 2020-06-29 16:42:36 +02:00
Anders Schack-Mulligen
b53b90501b Merge pull request #3550 from luchua-bc/java-unsafe-cert-trust 
Java: CWE-273 Unsafe certificate trust
 2020-06-29 16:39:39 +02:00
Artem Smotrakov
a2fa03e4f5 Java: Improved the query for disabled certificate revocation checking 
- Added a taint propagation step for List.of() methods
- Added a testcase with one of the List.of() method
- Simplified conditions
- Fixed typos
 2020-06-27 11:37:20 +03:00
Artem Smotrakov
06e3f101ce Java: Added a query for disabled certificate revocation checking 
- Added experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql
  The query looks for PKIXParameters.setRevocationEnabled(false) calls.
- Added RevocationCheckingLib.qll
- Added a qhelp file with examples
- Added tests in java/ql/test/experimental/Security/CWE/CWE-299
 2020-06-27 11:37:20 +03:00
luchua-bc
0779aab28f Clean up the QL code 2020-06-24 15:02:16 +00:00
Anders Schack-Mulligen
791f31fa65 Merge pull request #3595 from luchua-bc/j2ee-server-directory-listing 
Java: Add check for J2EE server directory listing
 2020-06-24 16:45:34 +02:00
Anders Schack-Mulligen
4b3ca13f25 Merge pull request #3491 from luchua-bc/java-insecure-smtp-ssl 
Java: CWE-297 insecure JavaMail SSL configuration
 2020-06-10 11:02:50 +02:00
luchua-bc
1fd9c7fdec Add all dependent class stubs 2020-06-09 20:12:05 +00:00
Anders Schack-Mulligen
f77f486c6b Merge pull request #3438 from artem-smotrakov/unsafe-tls 
Java: Added a query for unsafe TLS versions
 2020-06-09 14:07:17 +02:00
luchua-bc
5acfc52087 Add dependent stub classes for the test case 2020-06-08 16:17:40 +00:00
luchua-bc
cba81eeb97 Fix string/type match and add a test case 2020-06-06 03:56:12 +00:00
Artem Smotrakov
4a83fb8cc1 Java: Simplified MvelInjection test 2020-06-05 17:17:43 +03:00
Artem Smotrakov
df9d10f2ac Java: Added MVELRuntime.execute() sink for MVEL injections 2020-06-05 17:17:43 +03:00
Artem Smotrakov
fa717b2d86 Java: Added template sinks for MVEL injections 2020-06-05 17:17:43 +03:00
Artem Smotrakov
8fd72659ec Java: Added JSR 223 sinks for MVEL injections 
- Updated MvelInjectionLib.qll
- Added tests and stubs for JSR 223 API
 2020-06-05 17:17:43 +03:00
Artem Smotrakov
6a6c805048 Java: Added Accessor sink for MVEL injections 2020-06-05 17:13:24 +03:00
Artem Smotrakov
12e0234d40 Java: Added CompiledAccExpression sink for MVEL injections 2020-06-05 17:13:24 +03:00
Artem Smotrakov
32ff5ad496 Java: Added CompiledExpression sink for MVEL injections 2020-06-05 17:13:24 +03:00
Artem Smotrakov
c6c4c2c99b Java: Add a query for MVEL injections 
- Added experimental/Security/CWE/CWE-094/MvelInjection.ql
- Added experimental/Security/CWE/CWE-094/MvelInjectionLib.qll
- Added a qhelp file with an example of vulnerable code
- Added tests and stubs for mvel2-2.4.7
 2020-06-05 17:13:24 +03:00
Artem Smotrakov
df3adeec36 Java: Add a query for SpEL injections 
- Added experimental/Security/CWE/CWE-094/SpelInjection.ql
  and a couple of libraries
- Added a qhelp file with a few examples
- Added tests and stubs for Spring
 2020-05-31 20:52:45 +03:00
luchua-bc
3d4a5a337d Add check for J2EE server directory listing 2020-05-30 10:58:16 +00:00
luchua-bc
104f1c3197 Add validation query for SSL Engine/Socket and com.rabbitmq.client.ConnectionFactory 2020-05-28 03:34:29 +00:00
Anders Schack-Mulligen
0d75c6a5f1 Merge pull request #3506 from ggolawski/spring-actuators-fix 
Fixes FPs in SpringBootActuators query
 2020-05-25 13:09:56 +02:00
luchua-bc
6d1ba3f899 Java: CWE-273 Unsafe certificate trust 2020-05-24 16:43:15 +00:00
Anders Schack-Mulligen
c36e6213f1 Merge pull request #3288 from ggolawski/jndi-injection 
CodeQL query to detect JNDI injections
 2020-05-19 11:03:29 +02:00
Grzegorz Golawski
ac329e81f8 Fixes FPs in SpringBootActuators query 
No evidence that Spring Actuators are being used, e.g. `http.authorizeRequests().anyRequest().permitAll()`
Only safe Actuators are enabled, e.g. `EndpointRequest.to("health", "info")`
 2020-05-18 22:55:33 +02:00
Grzegorz Golawski
14ce049fc6 Add support for Saxon 2020-05-15 00:12:08 +02:00
Artem Smotrakov
bab6f3788e Java: Added a query for unsafe TLS versions 
- Added experimental/Security/CWE/CWE-327/UnsafeTlsVersion.ql
- Added SslLib.qll
- Added a qhelp file with examples
- Added tests in java/ql/test/experimental/Security/CWE/CWE-327
 2020-05-10 19:14:52 +02:00
Grzegorz Golawski
afea9330b7 Fix the case where user-controlled input is passed as URL to env Hashtable 2020-05-08 00:44:22 +02:00
Grzegorz Golawski
df9921f870 Update according to the review comments 2020-05-07 23:19:13 +02:00
Grzegorz Golawski
f893954ea3 Add Spring LDAP and JMXServiceURL related sinks 2020-05-03 20:51:50 +02:00