hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
21,517 Commits 1,671 Branches 157 Tags
sauyon/java-spring-stringutils
Commit Graph

1995 Commits

Author SHA1 Message Date
Grzegorz Golawski
a16295ebc0 Fix typos 2020-05-08 20:13:50 +02:00
yo-h
c54f8d8128 Merge pull request #3383 from aschackmull/java/printast 
Java: Library for pretty-printing AST in linear time.
 2020-05-08 13:01:39 -04:00
Grzegorz Golawski
afea9330b7 Fix the case where user-controlled input is passed as URL to env Hashtable 2020-05-08 00:44:22 +02:00
Grzegorz Golawski
df9921f870 Update according to the review comments 2020-05-07 23:19:13 +02:00
Jason Reed
01eeebc068 Java: Refactor definitions query, add queries for ide search 
This enables jump-to-definition and find-references in the VS Code
extension, for Java source archives.
 2020-05-07 12:44:36 -04:00
Anders Schack-Mulligen
2561ba82db Merge pull request #3215 from aibaars/validating-object-input 
Java: teach UnsafeDeserialization about ValidatingObjectInputStream
 2020-05-07 14:57:50 +02:00
Anders Schack-Mulligen
f7410739d9 Java: Fix bug in qldoc. 2020-05-06 14:06:49 +02:00
Anders Schack-Mulligen
8c5e89c160 Java: Add PrintAst. 2020-05-06 14:06:40 +02:00
Arthur Baars
39e652b26b Java: teach UnsafeDeserialization about ValidatingObjectInputStream 
The class org.apache.commons.io.serialization.ValidatingObjectInputStream
is an implementation of ObjectInputStream that validates the deserialized
classes against a white list. Therefore, this class should not be considered an
unsafe deserialization sink.
 2020-05-06 12:15:30 +02:00
Arthur Baars
797721cd31 Test 2020-05-06 12:15:27 +02:00
Anders Schack-Mulligen
3b3ca6d41e Merge pull request #3214 from aibaars/base64 
Java: Add org.apache.commons.codec.(De|En)coder to TaintTrackingUtil
 2020-05-06 09:21:18 +02:00
Jonas Jensen
63f04afa8d Merge pull request #3312 from hvitved/dataflow/impl-no-postupdate 
Data flow: Support stores into nodes that are not `PostUpdateNode`s
 2020-05-06 09:09:31 +02:00
Anders Schack-Mulligen
11ffcc4378 Merge pull request #2912 from Mithrilwoodrat/master 
Add check for disabled HTTPOnly setting in Tomcat
 2020-05-05 14:39:32 +02:00
Tom Hvitved
e95cc24b3f Data flow: Support stores into nodes that are not PostUpdateNodes 2020-05-05 14:01:04 +02:00
Anders Schack-Mulligen
b7458091a9 Merge pull request #3110 from hvitved/dataflow/no-more-summaries 
Data flow: No more flow summaries
 2020-05-05 13:27:07 +02:00
Geoffrey White
a70f534458 Sync identical files. 2020-05-05 09:18:05 +01:00
Bt2018
3b1dad84b3 The query help builder will interpret and automatically add the reference so this isn't needed here. And one typo is corrected. 2020-05-04 07:39:45 -04:00
Bt2018
5c803b70c5 The query help builder will interpret and automatically add this reference so this isn't needed here. 2020-05-04 07:05:15 -04:00
Bt2018
a6c9c5117f Update java/ql/src/experimental/CWE-532/SensitiveInfoLog.ql 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2020-05-04 06:58:34 -04:00
Bt2018
a2560656d5 Update java/ql/src/experimental/CWE-532/SensitiveInfoLog.qhelp 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2020-05-04 06:57:42 -04:00
Mithrilwoodrat
a7960c3385 Update java/ql/src/experimental/Security/CWE/CWE-1004/InsecureTomcatConfig.qhelp 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2020-05-04 17:48:41 +08:00
mithrilwoodrat
1053aa4c44 add query to found Tomcat config disables 'HttpOnly' flag 2020-05-04 12:26:03 +08:00
Grzegorz Golawski
f893954ea3 Add Spring LDAP and JMXServiceURL related sinks 2020-05-03 20:51:50 +02:00
Anders Schack-Mulligen
29a5ea121a Merge pull request #2901 from ggolawski/java-spring-boot-actuators 
CodeQL query to detect open Spring Boot actuator endpoints
 2020-04-29 15:10:54 +02:00
Anders Schack-Mulligen
b6a7ab8bf4 Merge pull request #3372 from aibaars/spring-multipart 
Java: add `org.springframework.web.multipart.MultipartFile::getX` as RemoteFlowSource
 2020-04-29 11:35:04 +02:00
Arthur Baars
d7774788b3 Java: add Spring MultipartFile as RemoteFlowSource 2020-04-28 16:57:03 +02:00
Arthur Baars
ae2bab7e9c Add test case 2020-04-28 16:57:03 +02:00
Anders Schack-Mulligen
bc7163aa68 Merge pull request #3216 from aibaars/message-digest 
Java: teach Encryption.qll about MessageDigest.getInstance
 2020-04-28 11:41:53 +02:00
Arthur Baars
31e284a707 Add test case 2020-04-28 11:26:43 +02:00
Arthur Baars
9742d3892d Java: Add org.apache.commons.codec.(De|En)coder to TainTrackingUtil 
The commons codec library contains many encoder and decoder methods
and is fairly commonly used.
 2020-04-28 11:26:43 +02:00
Grzegorz Golawski
31a2972eca Remove qlpack.yml as these are not needed 2020-04-27 23:32:48 +02:00
Grzegorz Golawski
0c75330e42 Remove qlpack.yml as these are not needed 2020-04-27 23:31:10 +02:00
Grzegorz Golawski
639aa826ea Remove qlpack.yml as these are not needed 2020-04-27 23:26:59 +02:00
Grzegorz Golawski
d590f3fba8 CodeQL query to detect XSLT injections 2020-04-27 22:35:35 +02:00
yo-h
97f4cb64ef Merge pull request #3349 from aschackmull/java/qldoc1 
Java: Improve qldoc coverage.
 2020-04-27 12:49:23 -04:00
Tom Hvitved
d28c4fb0f5 Merge pull request #3202 from jbj/pathStep-join-unique 
Java/C++/C#: Use `unique` to improve join order fix
 2020-04-27 13:06:27 +02:00
Arthur Baars
59869ace63 Java: teach Encryption.qll about MessageDigest.getInstance 
We already modelled usage of the protected `MessageDigest(String algo)`
constructor as a crypto algorithm specification. For some reason we did
not model the more commonly used public `MessageDigest.getInstance` method.
 2020-04-25 00:41:10 +02:00
Anders Schack-Mulligen
beab320557 Java: Add more qldoc. 2020-04-24 14:17:47 +02:00
Grzegorz Golawski
40fcd4cbe5 Fix references 2020-04-19 20:49:07 +02:00
Grzegorz Golawski
457e2eaf59 CodeQL query to detect OGNL injections 2020-04-19 20:31:57 +02:00
Grzegorz Golawski
af48bc3e57 CodeQL query to detect JNDI injections 2020-04-17 21:45:42 +02:00
Tom Hvitved
05ec75558d Java: Update test 2020-04-17 13:49:08 +02:00
Tom Hvitved
1b6e978a62 Data flow: Sync files 2020-04-17 13:49:06 +02:00
Pavel Avgustinov
6737e99d65 Merge pull request #3209 from hmakholm/baselib-extractor 
Add extractor field in base language QL packs
 2020-04-09 15:24:49 +01:00
luchua-bc
b7f2d32fb0 Address improper URL authorization 2020-04-08 22:41:11 -04:00
luchua-bc
e1a680cd86 Address improper URL authorization 2020-04-08 22:41:11 -04:00
yo-h
9a79e3be2c Java 14: add PREVIEW FEATURE notes to QLDoc 2020-04-07 22:22:10 -04:00
yo-h
697b273e32 Java 14: update expected test output 2020-04-07 22:22:10 -04:00
yo-h
e12de3b021 Java 14: add dbscheme upgrade script for records 2020-04-07 22:22:09 -04:00
yo-h
70e09ddb88 Java 14: add dbscheme stats for records 2020-04-07 22:22:08 -04:00