Porcupiney Hairs
42a84a18b0
JAVA : Add query to detect Apache Structs enabled DEvmode
...
This query detects cases where the development mode is enabled for a
struts configuration. I can't find a CVE per se but, at present, [Github's fuzzy search](https://github.com/search?q=%3Cconstant+name%3D%22struts.devMode%22+value%3D%22true%22+%2F%3E+language%3Axml&type=Code ) returns more
than 44000 results. Some of them look like they are classroom projects,
so they may be ineligible for a CVE. But we should be flagging them
anyways as setting the development on in a production system is a very
bad practice and can often lead to remote code execution.
So these should be fixed anyways.
2021-02-26 16:30:04 +05:30
Porcupiney Hairs
602f63ad45
[Java] Add QL for detecting Spring View Manipulation Vulnerabilities.
2021-02-26 16:29:18 +05:30
Marcono1234
53dc2ce9b6
Java: Use .inc.qhelp extension for included help files
2021-02-26 00:43:51 +01:00
Marcono1234
e21cbe82a9
Update Java documentation links to Java 11
...
Where possible update Java documentation links to Java 11.
Additionally update some other links to use HTTPS.
2021-02-26 00:43:51 +01:00
intrigus
141f057f7b
Java: Remove duplicate code.
2021-02-25 21:29:26 +01:00
Marcono1234
fa189ded9d
Java: Add Class and Interface.isPackageProtected()
2021-02-25 18:21:18 +01:00
Tamás Vajk
505d04b13e
Merge pull request #5102 from luchua-bc/java/main-method-in-servlet
...
Java: CWE-489 Query to detect main() method in servlets
2021-02-25 16:05:06 +01:00
Joe Farebrother
41b7db144d
Allow for array types in model signatures
2021-02-25 11:40:48 +00:00
Anders Schack-Mulligen
f0d3841369
Merge pull request #5105 from JLLeitschuh/feat/JLL/depricated_bintray_usage
...
CWE-1104: Maven POM dependence upon Bintray/JCenter
2021-02-25 09:08:31 +01:00
Artem Smotrakov
e02b51f42b
Improved SpringHttpInvokerUnsafeDeserialization.qhelp
2021-02-24 22:35:20 +01:00
Artem Smotrakov
aac0c27dcd
Added tests for SpringHttpInvokerUnsafeDeserialization.ql
2021-02-24 22:35:20 +01:00
Artem Smotrakov
95284ad71d
Added SpringHttpInvokerUnsafeDeserialization.qhelp and example
2021-02-24 22:35:20 +01:00
Artem Smotrakov
476309af6d
Added SpringHttpInvokerUnsafeDeserialization.ql
2021-02-24 22:35:20 +01:00
Artem Smotrakov
34b6ed0a05
Removed commented code from JexlUberspect
2021-02-24 22:31:03 +01:00
luchua-bc
e34a203731
Refactor the check of a main method in a test program to improve maintainability
2021-02-24 17:15:08 +00:00
Joe Farebrother
caa6f00292
Switch to CSV based modelling
2021-02-24 16:59:49 +00:00
Jonathan Leitschuh
237fefbcf1
Add release notes
2021-02-24 11:19:20 -05:00
Anders Schack-Mulligen
add960bc4d
Merge pull request #4880 from luchua-bc/java/sensitive-query-with-get
...
Java: Sensitive GET Query
2021-02-24 11:08:47 +01:00
yo-h
1d654febfd
Merge pull request #5195 from aschackmull/java/cwe-548-test
...
Java: Add empty file to test.
2021-02-23 21:12:40 -05:00
Joe Farebrother
e13c779f0f
Add additional unit tests
2021-02-23 16:17:13 +00:00
luchua-bc
56e3b301e9
Resolve ambiguous method access
2021-02-23 15:18:07 +00:00
luchua-bc
45f9125bfa
Update test program
2021-02-23 14:41:44 +00:00
luchua-bc
9eb8ec7da5
Create a separate file for EJB check
2021-02-23 14:38:15 +00:00
Joe Farebrother
ee651da23f
Remove TODO comment
2021-02-23 14:27:11 +00:00
Joe Farebrother
459c0afc55
Add change note
2021-02-23 14:26:12 +00:00
Joe Farebrother
a3b8d4ab2d
Switch to inline test expectations; fix failing test outputs
2021-02-23 14:26:12 +00:00
Joe Farebrother
7b5961769a
Add unit tests for version 5.x
2021-02-23 14:26:12 +00:00
Joe Farebrother
cf58a90d74
Add unit tests for utility methods
2021-02-23 14:26:12 +00:00
Joe Farebrother
e5d624d1e8
Add open redirect sinks
2021-02-23 14:26:12 +00:00
Joe Farebrother
e3fe635004
Add support for httpcomponents 5.x
2021-02-23 14:26:11 +00:00
Joe Farebrother
5bba7f6df7
Add unit tests
2021-02-23 14:26:11 +00:00
Joe Farebrother
da6e9492a0
Model XSS sinks and utility methods
2021-02-23 14:26:11 +00:00
Joe Farebrother
561679611e
Java: Model flow source for apache http requests,
...
Model flow steps for associated getters
Fix rebase conflict
2021-02-23 14:26:11 +00:00
Joe Farebrother
4184ebd091
Java: Add HttpRequestHandler as a remote flow source
2021-02-23 14:26:11 +00:00
Anders Schack-Mulligen
b1bed2731d
Merge pull request #5172 from smowton/smowton/feature/commons-strbuilder
...
Java: Add support for commons-lang's StrBuilder class
2021-02-23 14:39:11 +01:00
yo-h
6213c20bc3
Merge pull request #5136 from aschackmull/java/csv-models
...
Java: Add support for framework modelling through csv data.
2021-02-22 19:00:41 -05:00
Jonathan Leitschuh
ad99aa2d76
Fix typo in test output
2021-02-22 13:26:51 -05:00
luchua-bc
40df01d2cd
Update qldoc and method name
2021-02-22 14:15:41 +00:00
Francis Alexander
45bdb22db8
Switch from sanitizer to tainttracking, formatting and qldoc changes
2021-02-21 16:45:48 +05:30
Artem Smotrakov
43a07bb13a
Better sink in SandboxedJexlFlowConfig
2021-02-20 11:17:51 +01:00
luchua-bc
dc799019d0
Add query for Struts and Spring actions
2021-02-20 03:36:21 +00:00
luchua-bc
3d9ac0d094
Add query for enterprise beans
2021-02-20 02:00:42 +00:00
Anders Schack-Mulligen
dae65f687a
Merge pull request #5150 from Marcono1234/marcono1234/conditional-expr-branch
...
Java: Add ConditionalExpr.getBranchExpr(boolean)
2021-02-19 10:12:43 +01:00
Chris Smowton
321df82851
Apply review feedback: comment style, bracketing, and use proper MISSING test annotations
2021-02-18 14:56:52 +00:00
Anders Schack-Mulligen
954e0b9496
Java: Add empty file to test.
2021-02-18 13:10:29 +01:00
Anders Schack-Mulligen
74d35f4f37
Java: Add support for value-preserving steps.
2021-02-18 11:26:15 +01:00
Anders Schack-Mulligen
04eeeda2c9
Java: Add documentation for the final column.
2021-02-18 11:23:49 +01:00
Anders Schack-Mulligen
6f583baa90
Java: More documentation and support for field writes.
2021-02-18 11:18:31 +01:00
luchua-bc
e916ce8b9b
Exclude test directories of typical build tools
2021-02-18 00:50:38 +00:00
luchua-bc
5e36eedcb6
Add check for test packages
2021-02-17 18:04:55 +00:00
