hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,738 Commits 1,671 Branches 157 Tags
tausbn/python-add-models-for-zstd-compression
Commit Graph

601 Commits

Author SHA1 Message Date
Anders Schack-Mulligen
175c71221a Java: Adjust some test output with more edges/nodes. 2021-04-19 14:06:27 +02:00
haby0
23b508c5e7 Merge remote-tracking branch 'upstream/main' into UseOfLessTrustedSource 2021-04-19 20:05:49 +08:00
edvraa
29e320627f Regex injection 2021-04-16 23:29:08 +03:00
Anders Schack-Mulligen
605f28f741 Merge pull request #5686 from smowton/haby0/JsonHijacking 
Java: JSONP Injection w/cleanups
 2021-04-16 11:09:17 +02:00
Chris Smowton
fa36ba901a Merge pull request #5471 from artem-smotrakov/el-injection 
Java: Query for detecting Jakarta Expression Language injections
 2021-04-15 12:39:34 +01:00
haby0
b3bdf89fc2 rm VerificationMethodFlowConfig, use springframework-5.2.3 stub 2021-04-15 10:25:40 +08:00
Artem Smotrakov
97186b3d30 Added comments for tests 2021-04-14 19:30:58 +03:00
haby0
e2ed0d02b0 Delete existsFilterVerificationMethod and existsServletVerificationMethod, add from get handler to filter 2021-04-14 12:34:52 +08:00
Chris Smowton
58d198261e Merge pull request #5663 from smowton/luchua/java/sensitive-cookie-not-httponly 
Java: CWE-1004 Query to check sensitive cookies without the HttpOnly flag set w/minor corrections
 2021-04-13 12:08:53 +01:00
Chris Smowton
45e1a61d7b Mark test as bad-but-missed 
This test ought ideally to be caught, but isn't by the current version of the query.
 2021-04-13 10:36:27 +01:00
luchua-bc
d7f26dfc18 Update stub classes and qldoc 2021-04-12 16:19:23 +00:00
Chris Smowton
423ff32d04 Merge pull request #5384 from luchua-bc/java/insecure-spring-actuator-config 
Java: CWE-016 Query to detect insecure configuration of Spring Boot Actuator
 2021-04-12 17:04:47 +01:00
luchua-bc
c281e54d22 Remove unused files and update qldoc 2021-04-12 13:05:01 +00:00
luchua-bc
4e3791dc0d Remove LoadCredentialsConfiguration and update qldoc 2021-04-09 19:36:35 +00:00
Artem Smotrakov
b39a3ab12c Added setVariable() sink 2021-04-08 20:41:43 +03:00
haby0
3f0a3266aa [Java] CWE-348: Use of less trusted source 2021-04-08 17:14:03 +08:00
Artem Smotrakov
a764a79090 Always bind arguments in TaintPropagatingCall 2021-04-07 21:12:21 +03:00
intrigus
885044e331 [Java] Add tests for jwt signature check query. 2021-04-06 01:01:57 +02:00
luchua-bc
1349bf7b0b Create a .qll file to reuse the code and add check of Spring properties 2021-03-30 11:25:29 +00:00
haby0
0775d35591 update VerificationMethodFlowConfig, add if test 2021-03-29 12:02:37 +08:00
luchua-bc
5ce3f9d6ff Update qldoc and enhance the query 2021-03-28 16:10:35 +00:00
luchua-bc
a53cbc1631 Update qldoc and make the query more readable 2021-03-27 00:11:01 +00:00
luchua-bc
d33b04cd96 Query to detect plaintext credentials in Java properties files 2021-03-26 02:33:40 +00:00
Anders Schack-Mulligen
28fb0edfbe Merge pull request #4920 from luchua-bc/java/hash-without-salt 
Java: Query to detect hash without salt
 2021-03-25 16:13:26 +01:00
luchua-bc
fe0e7f5eac Change method check to taint flow 2021-03-25 01:45:13 +00:00
luchua-bc
08c3bf26d5 Update the query to accommodate more cases 2021-03-24 23:32:27 +00:00
Anders Schack-Mulligen
a1ccbcdaf1 Merge pull request #5260 from artem-smotrakov/spring-http-invoker 
Java: Query for detecting unsafe deserialization with Spring exporters
 2021-03-24 13:57:17 +01:00
haby0
3df23eecb6 Merge remote-tracking branch 'upstream/main' into JsonHijacking 2021-03-24 15:52:01 +08:00
Anders Schack-Mulligen
27408fefe2 Merge pull request #5008 from torque59/cwe-346 
Java: Queries to detect remote source flow origins to CORS header.
 2021-03-23 13:54:00 +01:00
Anders Schack-Mulligen
9a56601dd3 Merge pull request #5164 from luchua-bc/java/insecure-ldap-endpoint 
Java: CWE-297 Query to detect insecure LDAP endpoint configuration
 2021-03-23 13:53:51 +01:00
Artem Smotrakov
adb1ed380a Added tests for Jakarta expression injection 2021-03-21 21:19:39 +03:00
haby0
c516d69b98 Merge remote-tracking branch 'upstream/main' into main 2021-03-17 16:42:48 +08:00
haby0
98204a15a6 Fix the problem 2021-03-17 15:28:04 +08:00
luchua-bc
c8b1bc3a89 Enhance the query 2021-03-11 21:41:34 +00:00
luchua-bc
0a35feef76 Exclude CSRF cookies to reduce FPs 2021-03-11 17:28:07 +00:00
luchua-bc
eeac7e322a Query to detect insecure configuration of Spring Boot Actuator 2021-03-11 13:46:32 +00:00
Artem Smotrakov
0a5d58ed8a Cover more configurations in UnsafeSpringExporterInConfigurationClass.ql 2021-03-10 21:15:19 +03:00
Artem Smotrakov
a78f2115f2 Split SpringExporterUnsafeDeserialization.ql 2021-03-09 00:06:38 +03:00
luchua-bc
0ef3eee4ed Revamp the source and the sink of the query 2021-03-06 22:41:54 +00:00
Artem Smotrakov
82cb4a8d68 Renamed SpringHttpInvokerUnsafeDeserialization.ql 2021-03-06 21:48:35 +01:00
Artem Smotrakov
dcabce679a Cover beans from XML configs in SpringHttpInvokerUnsafeDeserialization.ql 2021-03-06 21:40:35 +01:00
p0wn4j
6841f5f7c4 Java: Add NashornScriptEngine detection in ScriptEngine query 
Java: Add NashornScriptEngine detection in ScriptEngine query

Java: Add NashornScriptEngine detection in ScriptEngine query

Java: Add NashornScriptEngine detection in ScriptEngine query
 2021-03-06 16:19:07 +04:00
luchua-bc
31eaa80f5b Revamp the source 2021-03-06 00:56:15 +00:00
Anders Schack-Mulligen
00983c8967 Merge pull request #4965 from artem-smotrakov/jexl-injection 
Java: Query for detecting JEXL injections
 2021-03-05 10:52:36 +01:00
haby0
ecdadd1826 move the query to experimental folder 2021-03-05 14:38:04 +08:00
luchua-bc
919c6b4b0a Optimize flow steps 2021-03-05 02:50:54 +00:00
Francis Alexander
abdebc29f9 Move to experimental and review feedback 2021-03-05 07:26:29 +05:30
Artem Smotrakov
0695b2a1fb Removed TaintedSpringRequestBody 2021-03-04 20:27:39 +01:00
haby0
c5577cb09a Fix the problem 2021-03-04 19:54:49 +08:00
luchua-bc
1784c202a7 Clean up the query 2021-03-03 17:03:37 +00:00