hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
21,517 Commits 1,671 Branches 157 Tags
sauyon/java-spring-stringutils
Commit Graph

1740 Commits

Author SHA1 Message Date
intrigus
502e4c39f5 Java: Fix Qhelp 2021-01-11 13:42:08 +01:00
intrigus-lgtm
355cb6eeec Fix Qhelp format 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2021-01-11 13:42:07 +01:00
intrigus-lgtm
10fc2cf9f8 Apply suggestions from code review 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-01-11 13:42:07 +01:00
intrigus
9e2ef9bd74 Java: Filter results by feature flags. 
This ignores results that are guarded by a feature flag
that suggests an intentionally insecure feature.
Inspired by Go's `InsecureFeatureFlag.qll` and
`DisabledCertificateCheck.ql`.
 2021-01-11 13:42:07 +01:00
intrigus
a62a2e58dd Java: Improve QL-Doc 2021-01-11 13:42:07 +01:00
intrigus
d98b171998 Java: Make EnvTaintedMethod public + QL-Doc 2021-01-11 13:42:07 +01:00
intrigus
e021158b5f Java: Tighter model of HostnameVerifier#verify 
This more tightly models `HostnameVerifier#verify` previously it
was possible to accidentally match other methods called `verify`.
 2021-01-11 13:42:07 +01:00
intrigus
0a9df07df7 Apply suggestions from review. 2021-01-11 13:42:07 +01:00
intrigus
70b0703952 Java: Remove overlapping code 2021-01-11 13:42:07 +01:00
intrigus
3da1cb0879 Java: Add unsafe hostname verification query 2021-01-11 13:42:07 +01:00
intrigus
8df5d77398 Java: Model HostnameVerifier method 
Model `HostnameVerifier#setDefaultHostnameVerifier`
 2021-01-11 13:42:06 +01:00
Anders Schack-Mulligen
3a2dd8f1ed Merge pull request #4867 from RasmusWL/java-externalapis-taint-step 
Java: Fix taint-step handling for untrusted-data-external-api
 2021-01-11 13:36:59 +01:00
Rasmus Wriedt Larsen
00c253a710 Java: Don't ignore local taint steps (fixup) 2021-01-08 15:29:01 +01:00
luchua-bc
39103af718 Remove additional taint step 2021-01-08 13:02:57 +00:00
Anders Schack-Mulligen
e5b4975450 Merge pull request #4675 from luchua-bc/cleartext-storage-shared-prefs 
Java: Query to detect cleartext storage of sensitive information using Android SharedPreferences
 2021-01-08 12:41:34 +01:00
luchua-bc
b56fe2b25f Remove specific method name in additional taint step 2021-01-07 16:31:21 +00:00
luchua-bc
606d0946fc Update qldoc 2021-01-07 14:05:12 +00:00
luchua-bc
19ff00bad4 Enhance the additional step flow and update qldoc 2021-01-07 13:15:30 +00:00
luchua-bc
b54e5b1c49 Revamp the library module 2021-01-07 12:44:59 +00:00
luchua-bc
ce2db21f15 Query to detect hash without salt 2021-01-06 17:30:04 +00:00
Francis Alexander
1f5a466e46 Playframework test cases & review fixes 2021-01-06 22:57:14 +05:30
luchua-bc
f13b8814f5 Update class/method names in the module 2021-01-06 16:49:35 +00:00
luchua-bc
5690bf49f4 Optimize the query 2021-01-06 16:21:26 +00:00
luchua-bc
3d26e5b8a4 Update qldoc 2021-01-06 12:41:00 +00:00
luchua-bc
f1763ae354 Use the sensitive info sink 2021-01-06 01:48:19 +00:00
luchua-bc
367ff99909 Change the source to be the request variable 2021-01-05 17:30:19 +00:00
Chris Smowton
e87fd86e63 Merge pull request #4814 from luchua-bc/java/password-in-configuration 
Java: Password in Java EE configuration files
 2021-01-05 11:42:27 +00:00
Jonathan Leitschuh
ba4a562c9a Update PrintAst.actual with new test output 2021-01-04 23:37:58 -05:00
luchua-bc
195755d687 Revamp the query to be more selective 2021-01-05 00:04:08 +00:00
luchua-bc
496db4b42f Factor isGetServletMethod into the servlet library 2021-01-04 16:14:13 +00:00
Jonathan Leitschuh
028e4756bb Apply suggestions from code review 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-01-04 10:13:52 -05:00
luchua-bc
c069a5b4c6 Factor private host regex into the networking library and enhance the query 2021-01-04 14:51:32 +00:00
Jonathan Leitschuh
54950c2f42 Add MethodAccessSystemGetProperty predicate 2021-01-01 20:07:45 -05:00
luchua-bc
ffe9d4a310 Sensitive GET Query 2020-12-26 16:51:30 +00:00
Rasmus Wriedt Larsen
874af7637f Java: Fix taint-step handling for untrusted-data-external-api 
The previous implementation would not handle any `AdditionalTaintStep`
subclasses.
 2020-12-22 11:02:50 +01:00
luchua-bc
4ec78d04f8 Insecure LDAP authentication 2020-12-21 00:15:15 +00:00
luchua-bc
bfb138d415 Update qldoc 2020-12-17 14:42:14 +00:00
luchua-bc
7b44ee50ea Revamp the functions to have a string parameter 2020-12-17 14:26:13 +00:00
luchua-bc
b44f01a87b Enhance the check for embedded passwords 2020-12-17 03:47:38 +00:00
luchua-bc
bed8a68d28 Exclude broken algorithms from the list of secure algorithms 2020-12-17 00:41:23 +00:00
luchua-bc
6b77922a25 Fix typo and update qldoc 2020-12-16 14:04:45 +00:00
luchua-bc
d7facb42d6 Add missing broken crypto algorithms 2020-12-16 04:32:11 +00:00
luchua-bc
523f0fb247 Enhance the query and update qldoc 2020-12-14 17:01:30 +00:00
luchua-bc
d469e9b24e Format the code and minor text change 2020-12-13 21:15:18 +00:00
luchua-bc
e27ccd0a81 Format the code and update qldoc 2020-12-13 02:33:03 +00:00
luchua-bc
7ba237120b Password in Java EE configuration files 2020-12-12 05:15:04 +00:00
Joe Farebrother
24dc631a8f Java: Fix false positive in XXE query 2020-12-08 16:38:42 +00:00
yo-h
54d7cac46d Merge pull request #4718 from aschackmull/java/cleanup-deprecated 
Java: Remove some deprecated classes.
 2020-12-04 11:17:14 -05:00
yo-h
a5393b4661 Merge pull request #4746 from aschackmull/java/ssa-perf 
Java: Improve performance of SSA.
 2020-12-04 11:16:39 -05:00
Anders Schack-Mulligen
0cc324b715 Merge pull request #3839 from luchua-bc/uncaught-servlet-exception 
Java: Uncaught servlet exception
 2020-12-02 15:12:59 +01:00