codeql

mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00

Author	SHA1	Message	Date
Joe Farebrother	1a06c132be	Use ArrayElement of to handle arargs case in SpringJdbc.qll	2021-07-01 14:38:20 +01:00
Joe Farebrother	29f82fc81f	Use ArrayElementOf in Android sinks	2021-07-01 14:38:19 +01:00
Joe Farebrother	f4a59cc2e3	Convert tainted arrays to arrays of tainted elements in tests	2021-07-01 14:38:19 +01:00
Joe Farebrother	865477d020	Convert android tests to inline expectations	2021-07-01 14:38:19 +01:00
Joe Farebrother	95d8018a43	Include overrides for SQLiteQueryBuilder sinks	2021-07-01 14:38:19 +01:00
Joe Farebrother	0d4f8aedb8	Use Argument ranges in CSV rows	2021-07-01 14:38:19 +01:00
Joe Farebrother	7926d16844	Convert SQL sinks to CSV format	2021-07-01 14:38:19 +01:00
Rasmus Lerchedahl Petersen	eee56e0156	Python/JS: Make most of the new library private	2021-07-01 15:34:06 +02:00
Chris Smowton	44e8dd9ec5	Add change note	2021-07-01 13:36:00 +01:00
Anders Schack-Mulligen	cda5c22f6e	Merge pull request #5590 from github/sauyon/java-spring-errors Add models for Spring validation.Errors	2021-07-01 14:29:49 +02:00
Asger Feldthaus	993cc29275	JS: Autoformat	2021-07-01 14:22:44 +02:00
Anders Schack-Mulligen	37f8794d01	Merge pull request #6165 from edoardopirovano/fix-regression Performance: Improve join order in data flow library	2021-07-01 14:13:18 +02:00
Rasmus Wriedt Larsen	b0309dd321	Python: Limit SensitiveDataSources to prevent _some_ cross-talk	2021-07-01 12:08:12 +02:00
Rasmus Wriedt Larsen	f64e58a21c	Python: Fix a QLDoc for SensitiveDataSources	2021-07-01 12:05:59 +02:00
Rasmus Wriedt Larsen	d7e3ebb15c	Python: Add tests showing sensitive data cross-talk	2021-07-01 12:05:51 +02:00
Esben Sparre Andreasen	85b9003af4	JS: add Mootools XSS sinks	2021-07-01 09:17:27 +02:00
ihsinme	02bf800b6d	Update FindIncorrectlyUsedSwitch.ql	2021-07-01 08:50:46 +03:00
yo-h	d325d2ae81	Merge pull request #6180 from tamasvajk/fix/coverage-report-search-path Upgrade database in coverage report jobs	2021-06-30 21:00:09 -04:00
p0wn4j	0db7496617	Add URLClassLoader and Spring WebClient SSRF sinks	2021-07-01 03:34:14 +04:00
Rasmus Wriedt Larsen	d9e2f504f8	Python: Fix clear text logging sink No need to restrict it to arguments that are calls	2021-06-30 20:31:17 +02:00
Taus	e4af14638b	Merge pull request #6175 from yoff/python-port-ReDoS Python: port ReDoS queries from Javascript	2021-06-30 16:26:07 +02:00
Chris Smowton	753c878f48	Also cover jakarta version of javax.json, and some missed methods	2021-06-30 15:04:15 +01:00
yoff	6a77b890af	Merge pull request #6155 from RasmusWL/port-cleartext-queries Python: Port cleartext queries	2021-06-30 15:52:34 +02:00
Taus	fc71a648c0	Merge pull request #6092 from RasmusWL/markupsafe-modeling Python: Add `MarkupSafe` model	2021-06-30 15:52:10 +02:00
Anders Schack-Mulligen	d8b017e6c0	Merge pull request #6036 from atorralba/atorralba/spring-beans Java: Flow summaries for Spring's Bean Properties classes	2021-06-30 15:41:24 +02:00
Anders Schack-Mulligen	b8b6f05603	Merge pull request #6187 from aschackmull/java/perf-fix-variable-getinit Java: Fix bad join-order.	2021-06-30 15:39:00 +02:00
Rasmus Lerchedahl Petersen	a176e6ac30	Python: comment out temporarily unused predicate	2021-06-30 15:28:31 +02:00
Asger Feldthaus	376efaa46c	JS: Change note	2021-06-30 15:10:52 +02:00
Asger Feldthaus	780453008a	JS: Drive-by fixes in ComposedFunctions.qll	2021-06-30 15:07:59 +02:00
Asger Feldthaus	7e2871bfdf	JS: Propagate React components through recompose HOCs	2021-06-30 15:05:28 +02:00
Rasmus Lerchedahl Petersen	45e30b0c06	Python: comment out temporarily unused predicate	2021-06-30 15:04:37 +02:00
Rasmus Lerchedahl Petersen	c306cee04e	Python: mimic JS file hierarchy	2021-06-30 15:03:22 +02:00
Rasmus Lerchedahl Petersen	651f8abba0	Python: Avoid multiple results for `toString`	2021-06-30 14:39:49 +02:00
Rasmus Wriedt Larsen	c2708176b1	Python: Support %-style formatting for MarkupSafe	2021-06-30 14:15:41 +02:00
Rasmus Wriedt Larsen	0a4efd0e86	Python: Add %-style formatting tests for MarkupSafe	2021-06-30 14:13:59 +02:00
Rasmus Wriedt Larsen	c84658dff1	Python: Use `MethodCallNode` for `MarkupSafe` string-format	2021-06-30 13:58:09 +02:00
Rasmus Wriedt Larsen	d6e8fafdbd	Python: Proper sorting in `Frameworks.qll`	2021-06-30 13:55:26 +02:00
Rasmus Wriedt Larsen	075953860b	Merge branch 'main' into markupsafe-modeling	2021-06-30 13:55:08 +02:00
Anders Schack-Mulligen	f03d460e95	Java: Fix bad join-order.	2021-06-30 13:42:45 +02:00
Tamas Vajk	dc63f23d6b	Fix review findings	2021-06-30 13:40:36 +02:00
Tamas Vajk	6a35c8c5f4	Upgrade database in coverage report jobs	2021-06-30 13:40:36 +02:00
Chris Smowton	7f556de8a0	Resolve now-fixed spurious XSS results	2021-06-30 12:04:22 +01:00
Chris Smowton	c37ecb7102	Fix existing JaxRs tests * Expose getContentTypeString for use by tests * Use it to get constant arguments to @Produces annotations * Note that text/html is xss-vulnerable (I have no idea how it ever came to expect exactly text/plain)	2021-06-30 12:04:21 +01:00
Chris Smowton	52471b292a	Add change note	2021-06-30 12:04:21 +01:00
Chris Smowton	856046ce50	Jax-RS: implement content-type tracking This follows content-type specifications across Variant-related functions and the ResponseBuilder class in order to sanitize or sink entities as appropriate.	2021-06-30 12:04:21 +01:00
Chris Smowton	10714211c6	Add utility functions definining XSS-vulnerable content-types	2021-06-30 12:04:21 +01:00
Chris Smowton	450eebcd40	JaxWS: Pull out MediaType constant interpretation routine Also extend the routine slightly to expose multiple content types given with array notation	2021-06-30 12:04:20 +01:00
Chris Smowton	3e7ea34054	XSS: expose extension point for defining barrier sinks	2021-06-30 12:04:20 +01:00
Tamás Vajk	10a6089739	Merge pull request #6148 from tamasvajk/feature/try-csv-source-models C#: Start using CSV based flow models	2021-06-30 12:58:42 +02:00
Tony Torralba	a3e1b139c3	Fix spring stubs location	2021-06-30 12:56:45 +02:00

... 40 41 42 43 44 ...

26405 Commits