hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,738 Commits 1,672 Branches 157 Tags
tausbn/python-add-models-for-zstd-compression
Commit Graph

510 Commits

Author SHA1 Message Date
haby0
12f47bcf24 Add UnsafeDeserialization 2021-05-12 12:37:16 +08:00
Jonathan Leitschuh
5a68ac88ef Cleanup Jackson logic after code review 2021-05-11 10:48:22 -04:00
Jonathan Leitschuh
bacc3ef5b3 [Java] Jackson add support for 2 step deserialization taint flow 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
d0638db6e7 [Java] Add data flow through Iterator deserializers for Jackson 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
56b1f15dda [Java] Add taint tracking through Jackson deserialization 2021-05-11 10:36:47 -04:00
Tony Torralba
fc03b92e11 Moved from experimental to standard 2021-05-11 15:42:13 +02:00
Anders Schack-Mulligen
744c495ac2 Merge pull request #5824 from JLLeitschuh/feat/JLL/guava_first_non_null 
[Java] Add support for com.google.common.base.MoreObjects#firstNonNull
 2021-05-11 09:42:20 +02:00
Tony Torralba
d99b5bfc66 Reuse previous tests from experimental 2021-05-10 11:17:20 +02:00
Tony Torralba
6884edf52a Merge branch 'main' into atorralba/promote-unsafe-android-webview-fetch 2021-05-07 16:31:55 +02:00
luchua-bc
fc7d340a89 Query to detect hard-coded Azure credentials 2021-05-07 13:16:41 +00:00
Tony Torralba
e78e5b9ee4 Merge branch 'main' into promote-jexl-injection 2021-05-07 12:36:49 +02:00
Tony Torralba
b69261727d Add a new test for 2021-05-06 13:26:25 +02:00
Tony Torralba
76468559ba Add safe example for dom4j 2021-05-06 10:17:25 +02:00
Tony Torralba
8af7f4a484 New sinks and test cases 2021-05-06 09:18:49 +02:00
Tony Torralba
509fc8a640 Add missing docs to stubs 2021-05-06 09:18:49 +02:00
Tony Torralba
720b5d6da3 Refactored sto use CSV sink model. Also, added more sinks 2021-05-06 09:18:49 +02:00
Tony Torralba
2bb2baf6f7 Support more methods that evaluate XPath expressions 2021-05-06 09:18:49 +02:00
Tony Torralba
fb3e56eac8 Fix imports and stubs so that tests pass 2021-05-06 09:18:48 +02:00
Tony Torralba
ed5619498c WIP: XPath Injection promotion 2021-05-06 09:18:48 +02:00
Jonathan Leitschuh
67e9f06304 [Java] Fix Kryo FP & Kryo 5 Support 
Closes #4992
 2021-05-05 17:38:34 -04:00
Tony Torralba
458b89bf5f Added Android stubs 2021-05-05 11:57:01 +02:00
luchua-bc
703fbf139a Add more methods and update the library name 2021-05-04 02:54:49 +00:00
Jonathan Leitschuh
dfad1fc740 [Java] Add support for com.google.common.base.MoreObjects#firstNonNull 2021-05-03 12:58:00 -04:00
Tony Torralba
38e052482c More csv sinks and sources 2021-05-03 12:44:53 +02:00
luchua-bc
4709e8139d JPython code injection 2021-05-03 01:43:56 +00:00
haby0
5be9fbbc5a Remove LogOperationSink and PrintSink 2021-04-27 14:12:33 +08:00
Chris Smowton
6589460357 Add models for Commons ToStringBuilder 
These don't include support for reflectionToString yet, which is coming up in a subsequent PR.
 2021-04-21 15:47:19 +01:00
haby0
8296abcea8 Fix Modify the ql query (the qhelp part is not modified). 2021-04-19 20:59:47 +08:00
haby0
23b508c5e7 Merge remote-tracking branch 'upstream/main' into UseOfLessTrustedSource 2021-04-19 20:05:49 +08:00
Anders Schack-Mulligen
06514159be Java: Add XXE tests. 2021-04-19 10:58:21 +02:00
Anders Schack-Mulligen
605f28f741 Merge pull request #5686 from smowton/haby0/JsonHijacking 
Java: JSONP Injection w/cleanups
 2021-04-16 11:09:17 +02:00
Chris Smowton
254de76078 Remove unnecessary stubs 2021-04-15 16:20:27 +01:00
Chris Smowton
fa36ba901a Merge pull request #5471 from artem-smotrakov/el-injection 
Java: Query for detecting Jakarta Expression Language injections
 2021-04-15 12:39:34 +01:00
haby0
216f204438 delete FilterClass 2021-04-15 19:28:25 +08:00
haby0
583d0889e2 delete tomcat-embed-core stub, update the ServletGetMethod class 2021-04-15 17:40:51 +08:00
haby0
b3bdf89fc2 rm VerificationMethodFlowConfig, use springframework-5.2.3 stub 2021-04-15 10:25:40 +08:00
Chris Smowton
58d198261e Merge pull request #5663 from smowton/luchua/java/sensitive-cookie-not-httponly 
Java: CWE-1004 Query to check sensitive cookies without the HttpOnly flag set w/minor corrections
 2021-04-13 12:08:53 +01:00
Chris Smowton
f22b11881e Minimise stubs 
By removing all business logic from the stubs, we better test that our analysis treats them as opaque and does not rely on their internal structure
 2021-04-13 10:36:28 +01:00
luchua-bc
d7f26dfc18 Update stub classes and qldoc 2021-04-12 16:19:23 +00:00
Artem Smotrakov
b39a3ab12c Added setVariable() sink 2021-04-08 20:41:43 +03:00
haby0
86ef2588f1 Restore @Component annotation 2021-04-08 17:55:29 +08:00
haby0
3f0a3266aa [Java] CWE-348: Use of less trusted source 2021-04-08 17:14:03 +08:00
Chris Smowton
7fb5bd0cab Add tests for and slightly expand models of Commons Lang's ArrayUtils class 2021-03-25 15:11:51 +00:00
Anders Schack-Mulligen
a1ccbcdaf1 Merge pull request #5260 from artem-smotrakov/spring-http-invoker 
Java: Query for detecting unsafe deserialization with Spring exporters
 2021-03-24 13:57:17 +01:00
haby0
3df23eecb6 Merge remote-tracking branch 'upstream/main' into JsonHijacking 2021-03-24 15:52:01 +08:00
Anders Schack-Mulligen
27408fefe2 Merge pull request #5008 from torque59/cwe-346 
Java: Queries to detect remote source flow origins to CORS header.
 2021-03-23 13:54:00 +01:00
haby0
fe046ec71e Merge remote-tracking branch 'upstream/main' into main 2021-03-22 17:25:37 +08:00
Artem Smotrakov
adb1ed380a Added tests for Jakarta expression injection 2021-03-21 21:19:39 +03:00
haby0
c516d69b98 Merge remote-tracking branch 'upstream/main' into main 2021-03-17 16:42:48 +08:00
haby0
98204a15a6 Fix the problem 2021-03-17 15:28:04 +08:00