hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
21,517 Commits 1,671 Branches 157 Tags
sauyon/java-spring-stringutils
Commit Graph

596 Commits

Author SHA1 Message Date
luchua-bc
1d0232b464 Add more servlet methods and fix formatting errors 2020-07-02 03:07:19 +00:00
Mathias Vorreiter Pedersen
286c09183f Merge pull request #3837 from geoffw0/qldoc5 
C++/Java: Update QLDoc and terminology in Encryption.qll
 2020-06-30 17:44:59 +02:00
Geoffrey White
cf75397ef1 Java: Rename tests. 2020-06-30 14:33:05 +01:00
Geoffrey White
f8425b8a58 Java: Update uses. 2020-06-30 13:02:48 +01:00
Anders Schack-Mulligen
13cb853af5 Merge pull request #3294 from ggolawski/ognl-injection 
CodeQL query to detect OGNL injections
 2020-06-30 09:46:02 +02:00
luchua-bc
ede9cec4a9 Uncaught Servlet Exception 2020-06-29 20:07:53 +00:00
Anders Schack-Mulligen
d297ce2279 Merge pull request #3436 from artem-smotrakov/revocation-checking 
Java: Added a query for disabled certificate revocation checking
 2020-06-29 16:42:36 +02:00
Anders Schack-Mulligen
b53b90501b Merge pull request #3550 from luchua-bc/java-unsafe-cert-trust 
Java: CWE-273 Unsafe certificate trust
 2020-06-29 16:39:39 +02:00
Artem Smotrakov
a2fa03e4f5 Java: Improved the query for disabled certificate revocation checking 
- Added a taint propagation step for List.of() methods
- Added a testcase with one of the List.of() method
- Simplified conditions
- Fixed typos
 2020-06-27 11:37:20 +03:00
Artem Smotrakov
06e3f101ce Java: Added a query for disabled certificate revocation checking 
- Added experimental/Security/CWE/CWE-299/DisabledRevocationChecking.ql
  The query looks for PKIXParameters.setRevocationEnabled(false) calls.
- Added RevocationCheckingLib.qll
- Added a qhelp file with examples
- Added tests in java/ql/test/experimental/Security/CWE/CWE-299
 2020-06-27 11:37:20 +03:00
luchua-bc
0779aab28f Clean up the QL code 2020-06-24 15:02:16 +00:00
Anders Schack-Mulligen
791f31fa65 Merge pull request #3595 from luchua-bc/j2ee-server-directory-listing 
Java: Add check for J2EE server directory listing
 2020-06-24 16:45:34 +02:00
Anders Schack-Mulligen
941177ee25 Merge pull request #3762 from hvitved/dataflow/clear-contents 
Data flow: Model field clearing
 2020-06-24 10:19:50 +02:00
Anders Schack-Mulligen
3b62bd254c Merge pull request #3723 from JLLeitschuh/fix/JLL/gitignore_vs_code_generated_files 
Add .gitignore for VS Code Generated maven project files
 2020-06-24 09:35:01 +02:00
Tom Hvitved
c01f570d9e Java: Implement clearsContent() 2020-06-23 10:55:12 +02:00
Tom Hvitved
e578827626 Java: Add more field-flow tests 2020-06-23 10:55:11 +02:00
Anders Schack-Mulligen
8107fbadc2 Merge pull request #3456 from hvitved/dataflow/precise-field-types 
Data flow: Track precise types during field flow
 2020-06-19 11:50:10 +02:00
Anders Schack-Mulligen
74eab3cbc0 Dataflow: Fix qltest. 2020-06-17 17:23:35 +02:00
luchua-bc
f40e27a3c5 Hardcoded AWS credentials 2020-06-17 02:46:02 +00:00
Jonathan Leitschuh
c2052ed152 Add .gitignore for VS Code Generated maven project files 
When VS Code detects a Maven project, it automatically generates
a bunch of Eclipse files to describe the project.

These are now ignored in order to not pollute the repository
 2020-06-15 22:29:30 -04:00
Anders Schack-Mulligen
4b3ca13f25 Merge pull request #3491 from luchua-bc/java-insecure-smtp-ssl 
Java: CWE-297 insecure JavaMail SSL configuration
 2020-06-10 11:02:50 +02:00
luchua-bc
1fd9c7fdec Add all dependent class stubs 2020-06-09 20:12:05 +00:00
Anders Schack-Mulligen
f77f486c6b Merge pull request #3438 from artem-smotrakov/unsafe-tls 
Java: Added a query for unsafe TLS versions
 2020-06-09 14:07:17 +02:00
luchua-bc
5acfc52087 Add dependent stub classes for the test case 2020-06-08 16:17:40 +00:00
luchua-bc
1e4addb20d Add dependent stub classes for the test case 2020-06-08 16:17:01 +00:00
luchua-bc
cba81eeb97 Fix string/type match and add a test case 2020-06-06 03:56:12 +00:00
Artem Smotrakov
4a83fb8cc1 Java: Simplified MvelInjection test 2020-06-05 17:17:43 +03:00
Artem Smotrakov
df9d10f2ac Java: Added MVELRuntime.execute() sink for MVEL injections 2020-06-05 17:17:43 +03:00
Artem Smotrakov
fa717b2d86 Java: Added template sinks for MVEL injections 2020-06-05 17:17:43 +03:00
Artem Smotrakov
8fd72659ec Java: Added JSR 223 sinks for MVEL injections 
- Updated MvelInjectionLib.qll
- Added tests and stubs for JSR 223 API
 2020-06-05 17:17:43 +03:00
Artem Smotrakov
6a6c805048 Java: Added Accessor sink for MVEL injections 2020-06-05 17:13:24 +03:00
Artem Smotrakov
12e0234d40 Java: Added CompiledAccExpression sink for MVEL injections 2020-06-05 17:13:24 +03:00
Artem Smotrakov
32ff5ad496 Java: Added CompiledExpression sink for MVEL injections 2020-06-05 17:13:24 +03:00
Artem Smotrakov
c6c4c2c99b Java: Add a query for MVEL injections 
- Added experimental/Security/CWE/CWE-094/MvelInjection.ql
- Added experimental/Security/CWE/CWE-094/MvelInjectionLib.qll
- Added a qhelp file with an example of vulnerable code
- Added tests and stubs for mvel2-2.4.7
 2020-06-05 17:13:24 +03:00
Anders Schack-Mulligen
e4e51b5027 Merge pull request #3291 from artem-smotrakov/spel-injection 
Java: Add a query for SpEL injections
 2020-06-05 15:51:38 +02:00
Anders Schack-Mulligen
64225c31a6 Java: Add test case. 2020-06-04 10:31:08 +02:00
Artem Smotrakov
df3adeec36 Java: Add a query for SpEL injections 
- Added experimental/Security/CWE/CWE-094/SpelInjection.ql
  and a couple of libraries
- Added a qhelp file with a few examples
- Added tests and stubs for Spring
 2020-05-31 20:52:45 +03:00
luchua-bc
3d4a5a337d Add check for J2EE server directory listing 2020-05-30 10:58:16 +00:00
yo-h
c2de08ca51 Merge pull request #3499 from aschackmull/java/instanceof-pattern-cfg 
Java: Add CFG edges for Java 14 pattern-matching instanceof.
 2020-05-28 20:24:39 -04:00
luchua-bc
104f1c3197 Add validation query for SSL Engine/Socket and com.rabbitmq.client.ConnectionFactory 2020-05-28 03:34:29 +00:00
yo-h
f952293ba0 Merge pull request #3526 from aschackmull/java/qltest-fps-nullness-rangeanalyis 
Java: Add a few qltest cases for nullness and range analysis FPs.
 2020-05-26 14:09:27 -04:00
Anders Schack-Mulligen
0d75c6a5f1 Merge pull request #3506 from ggolawski/spring-actuators-fix 
Fixes FPs in SpringBootActuators query
 2020-05-25 13:09:56 +02:00
luchua-bc
6d1ba3f899 Java: CWE-273 Unsafe certificate trust 2020-05-24 16:43:15 +00:00
Anders Schack-Mulligen
8cbc01d49b Java: Add a few qltest cases for nullness and range analysis FPs. 2020-05-20 10:44:15 +02:00
Anders Schack-Mulligen
c36e6213f1 Merge pull request #3288 from ggolawski/jndi-injection 
CodeQL query to detect JNDI injections
 2020-05-19 11:03:29 +02:00
Grzegorz Golawski
ac329e81f8 Fixes FPs in SpringBootActuators query 
No evidence that Spring Actuators are being used, e.g. `http.authorizeRequests().anyRequest().permitAll()`
Only safe Actuators are enabled, e.g. `EndpointRequest.to("health", "info")`
 2020-05-18 22:55:33 +02:00
Anders Schack-Mulligen
37c8917813 Java: Add test. 2020-05-18 13:19:19 +02:00
Grzegorz Golawski
14ce049fc6 Add support for Saxon 2020-05-15 00:12:08 +02:00
Tom Hvitved
e608c53c3f Java: Follow-up changes 2020-05-14 15:58:50 +02:00
Anders Schack-Mulligen
0aad24e6db Java: Extend library support for switch expressions. 2020-05-14 15:40:26 +02:00