codeql

mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00

Author	SHA1	Message	Date
luchua-bc	cfc950f803	Query for weak encryption: Insufficient key size	2021-01-28 03:25:15 +00:00
luchua-bc	6a93099b64	Simplify the query and update qldoc	2021-01-28 03:02:53 +00:00
haby0	81c56b9bed	Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.ql Co-authored-by: Chris Smowton <smowton@github.com>	2021-01-27 19:47:12 +08:00
haby0	31deca016f	Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.ql Co-authored-by: Chris Smowton <smowton@github.com>	2021-01-27 19:46:45 +08:00
haby0	ca2e6587fe	Update java/ql/src/Security/CWE/CWE-652/XQueryInjection.qhelp Co-authored-by: Chris Smowton <smowton@github.com>	2021-01-27 19:46:15 +08:00
intrigus	d3e6e594b2	Java: Improve QLDoc	2021-01-27 11:57:32 +01:00
intrigus	bdba7e14fe	Java: Switch to data flow	2021-01-27 11:54:40 +01:00
haby0	b5ae417851	*)update CWE-652 qhelp references	2021-01-27 10:19:04 +08:00
haby0	b76854a384	*)add CWE-652 test case	2021-01-27 10:14:33 +08:00
Henning Makholm	54f00de3e0	Add "tests" fields to test qlpacks This will allow `codeql resolve tests --ignore-dubious-cases` (and thus the VSCode extension) to recognize all `.ql` files in those packs as test cases, even if they don't have accompanying `.expected` files. CLI versions prior to 2.1.0 will choke on this, but it's almost 10 months since that came out.	2021-01-26 18:15:22 +01:00
Francis Alexander	19872e9aed	More Feedback integration	2021-01-26 17:24:17 +05:30
luchua-bc	fee0b94cd4	Use isRequestGetParamMethod as the source	2021-01-26 04:41:44 +00:00
Francis Alexander	985d3d469a	PR feedback integration	2021-01-25 23:26:36 +05:30
Joe Farebrother	d69ecde5c1	Java: Add additional flow steps for guava collection methods and more unit tests	2021-01-25 16:37:40 +00:00
Joe Farebrother	7e11d8ed07	Java: Add modelling for guava `Sets`	2021-01-25 16:37:40 +00:00
Joe Farebrother	d1427fcd93	Java: Add modelling for Guava's collection classes	2021-01-25 16:37:40 +00:00
Artem Smotrakov	8d701e604a	Simplified JexlInjectionLib.qll - Merged multiple method definitions to DirectJexlEvaluationMethod - Don't use TaintPropagatingJexlMethodCall field in JexlInjectionConfig - Better variable names in JexlEvaluationSink	2021-01-25 14:17:51 +01:00
Chris Smowton	d34233b44f	Rewrite XQuery injection to use an additional taint step instead of multiple configurations. Also remove a needless barrier -- the method in question doesn't conduct taint by default, so excluding particular instances of that call is not necessary.	2021-01-25 11:18:45 +00:00
haby0	16308fe557	Update java/ql/src/Security/CWE/CWE-652/XQueryInjectionLib.qll Co-authored-by: Chris Smowton <smowton@github.com>	2021-01-25 19:16:18 +08:00
haby0	14a23eed4f	Update java/ql/src/Security/CWE/CWE-652/XQueryInjectionLib.qll Co-authored-by: Chris Smowton <smowton@github.com>	2021-01-25 19:15:59 +08:00
Francis Alexander	75b79039a1	Example fixes	2021-01-24 20:46:37 +05:30
Francis Alexander	81e372d078	Formatting changes	2021-01-24 20:44:21 +05:30
Francis Alexander	a64fc2b24e	Java: Queries to detect remote source flow to CORS header	2021-01-24 18:58:39 +05:30
Artem Smotrakov	71e5cb45d3	Simplified method and class definitions for JEXL	2021-01-23 19:50:16 +01:00
Artem Smotrakov	03348b18b5	Simplified TaintPropagatingJexlMethodCall	2021-01-23 19:41:14 +01:00
Artem Smotrakov	a47147bc5e	Simplify sinks in JexlInjectionLib.qll	2021-01-23 19:22:43 +01:00
Artem Smotrakov	28ebbee61d	Added TaintPropagatingJexlMethodCall class	2021-01-23 17:42:04 +01:00
haby0	0b326aae20	*)update XQueryInjectionLib.qll	2021-01-23 18:27:38 +08:00
haby0	44d99f8cd4	*)update XQueryInjection.ql	2021-01-23 18:26:58 +08:00
haby0	ec4c155043	*)update XQueryInjection.qhelp	2021-01-23 18:26:15 +08:00
Artem Smotrakov	73c8338e52	Use <code> tag in JexlInjection.qhelp	2021-01-21 22:49:36 +01:00
Artem Smotrakov	ee6d28b562	Use LocalUserInput when looking for JEXL injections	2021-01-21 22:46:18 +01:00
Artem Smotrakov	8166e269ec	Added examples of a sandbox for JEXL expressions	2021-01-21 20:53:15 +01:00
haby0	a56dd60baa	*)add CWE-652 XQueryInjection detection	2021-01-21 19:18:10 +08:00
Artem Smotrakov	7df813354a	Improved JexlInjectionLib.qll	2021-01-20 20:26:48 +01:00
Luke Cartey	5c6f5b7b33	Java: Track taint through Spring Java bean getters on super types	2021-01-20 16:53:03 +00:00
Anders Schack-Mulligen	9b2f69ca94	Merge pull request #4978 from github/yo-h/struts-xml-change-note Java: add change note for `struts.xml` extraction	2021-01-20 08:59:45 +01:00
yo-h	91fa12b1be	Java: add change note for `struts.xml` extraction	2021-01-19 10:19:18 -05:00
Anders Schack-Mulligen	dde8d320f3	Apply suggestions from code review Minor qldoc fixes.	2021-01-19 08:24:24 +01:00
luchua-bc	b9809b071e	Update the query to work with wrapper classes	2021-01-18 19:22:34 +00:00
Marcono1234	703336a77f	Add ArrayInit.getSize(), improve documentation	2021-01-18 16:44:53 +01:00
luchua-bc	048167d39a	Revamp the query to reduce FPs introduced by wrapper calls	2021-01-18 04:23:30 +00:00
Artem Smotrakov	7d2d27394b	Java: Added a source and a taint step for JexlInjectionConfig - Added TaintedSpringRequestBody source - Added returningTaintedDataFromBean() taint step - Added tests	2021-01-17 22:28:42 +01:00
Artem Smotrakov	99401f6e84	Java: Query for detecting JEXL injections	2021-01-17 14:19:26 +01:00
intrigus	a4cbd7037b	Java: Add tests for different versions. Adds a test for version 6.24, because that version is not vulnerable. The other test is for versions < 6.24, because these versions are vulnerable.	2021-01-15 17:20:57 +01:00
luchua-bc	3af8773dd6	Add more cases	2021-01-15 16:20:31 +00:00
luchua-bc	32c54628f8	Drop fieldName from the function for runtime evaluation	2021-01-15 12:33:00 +00:00
luchua-bc	e5a703e49c	Revamp the query	2021-01-15 04:05:11 +00:00
yo-h	27fd16ae87	Java: update documentation on supported language versions	2021-01-14 20:29:16 -05:00
intrigus-lgtm	b8076481bf	Java: Suggestions from Review	2021-01-13 20:32:23 +01:00

... 6 7 8 9 10 ...

1995 Commits