hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,738 Commits 1,671 Branches 157 Tags
tausbn/python-add-models-for-zstd-compression
Commit Graph

4345 Commits

Author SHA1 Message Date
Grzegorz Golawski
afea9330b7 Fix the case where user-controlled input is passed as URL to env Hashtable 2020-05-08 00:44:22 +02:00
Grzegorz Golawski
df9921f870 Update according to the review comments 2020-05-07 23:19:13 +02:00
Anders Schack-Mulligen
2561ba82db Merge pull request #3215 from aibaars/validating-object-input 
Java: teach UnsafeDeserialization about ValidatingObjectInputStream
 2020-05-07 14:57:50 +02:00
Arthur Baars
797721cd31 Test 2020-05-06 12:15:27 +02:00
Anders Schack-Mulligen
3b3ca6d41e Merge pull request #3214 from aibaars/base64 
Java: Add org.apache.commons.codec.(De|En)coder to TaintTrackingUtil
 2020-05-06 09:21:18 +02:00
Anders Schack-Mulligen
b7458091a9 Merge pull request #3110 from hvitved/dataflow/no-more-summaries 
Data flow: No more flow summaries
 2020-05-05 13:27:07 +02:00
Grzegorz Golawski
f893954ea3 Add Spring LDAP and JMXServiceURL related sinks 2020-05-03 20:51:50 +02:00
Anders Schack-Mulligen
29a5ea121a Merge pull request #2901 from ggolawski/java-spring-boot-actuators 
CodeQL query to detect open Spring Boot actuator endpoints
 2020-04-29 15:10:54 +02:00
Anders Schack-Mulligen
b6a7ab8bf4 Merge pull request #3372 from aibaars/spring-multipart 
Java: add `org.springframework.web.multipart.MultipartFile::getX` as RemoteFlowSource
 2020-04-29 11:35:04 +02:00
Arthur Baars
ae2bab7e9c Add test case 2020-04-28 16:57:03 +02:00
Arthur Baars
31e284a707 Add test case 2020-04-28 11:26:43 +02:00
Grzegorz Golawski
31a2972eca Remove qlpack.yml as these are not needed 2020-04-27 23:32:48 +02:00
Grzegorz Golawski
0c75330e42 Remove qlpack.yml as these are not needed 2020-04-27 23:31:10 +02:00
Grzegorz Golawski
639aa826ea Remove qlpack.yml as these are not needed 2020-04-27 23:26:59 +02:00
Grzegorz Golawski
d590f3fba8 CodeQL query to detect XSLT injections 2020-04-27 22:35:35 +02:00
Arthur Baars
59869ace63 Java: teach Encryption.qll about MessageDigest.getInstance 
We already modelled usage of the protected `MessageDigest(String algo)`
constructor as a crypto algorithm specification. For some reason we did
not model the more commonly used public `MessageDigest.getInstance` method.
 2020-04-25 00:41:10 +02:00
Grzegorz Golawski
457e2eaf59 CodeQL query to detect OGNL injections 2020-04-19 20:31:57 +02:00
Grzegorz Golawski
af48bc3e57 CodeQL query to detect JNDI injections 2020-04-17 21:45:42 +02:00
Tom Hvitved
05ec75558d Java: Update test 2020-04-17 13:49:08 +02:00
Pavel Avgustinov
6737e99d65 Merge pull request #3209 from hmakholm/baselib-extractor 
Add extractor field in base language QL packs
 2020-04-09 15:24:49 +01:00
yo-h
697b273e32 Java 14: update expected test output 2020-04-07 22:22:10 -04:00
yo-h
9d2f76849b Java 14: switch expressions are no longer in preview 2020-04-07 22:22:07 -04:00
Henning Makholm
d1ff3211ef Add extractor fields to test qlpack.yml files. 2020-04-06 19:21:41 +02:00
Grzegorz Golawski
1d8da905ac Make the test runnable via codeql test run 2020-04-03 21:44:13 +02:00
Grzegorz Golawski
f05b2af69d Move to experimental 2020-04-03 00:27:51 +02:00
Grzegorz Golawski
cffe89f652 Merge branch 'master' into java-spring-boot-actuators 2020-04-02 22:06:25 +02:00
Anders Schack-Mulligen
b2769b42ed Merge pull request #3117 from adityasharad/java/jackson-taint-steps 
Java: Add taint steps through Jackson serialization methods.
 2020-03-30 10:34:56 +02:00
Aditya Sharad
a6e039b284 Java: Add tests for Jackson taint steps. 
Add stubs for jackson-databind-2.10.
Based on http://fasterxml.github.io/jackson-databind/javadoc/2.10.
Test taint through Jackson serialization APIs.
 2020-03-24 12:59:24 -07:00
Anders Schack-Mulligen
d8edae96df Java: Add test. 2020-03-24 15:24:17 +01:00
Anders Schack-Mulligen
e1a0c2d846 Java: Add minor test case to typeflow qltest. 2020-03-11 13:13:19 +01:00
Anders Schack-Mulligen
4298a3a931 Java: Add test. 2020-03-09 11:16:59 +01:00
Anders Schack-Mulligen
4601639bad Java: Document a FP in a test. 2020-03-03 13:39:26 +01:00
semmle-qlci
ec90627a64 Merge pull request #2909 from yo-h/experimental 
Approved by aschackmull, jbj, max-schaefer, tausbn
 2020-02-28 03:15:58 +00:00
yo-h
f8bf055fe1 Merge pull request #2927 from aschackmull/java/taintgettersetter-tests 
Java: Add some more taint-getter-setter tests.
 2020-02-27 22:12:25 -05:00
Anders Schack-Mulligen
33f6392be5 Java: Add some more taint-getter-setter tests. 2020-02-27 10:47:25 +01:00
Anders Schack-Mulligen
0c30d7cced Java: Update test output. 2020-02-27 10:28:12 +01:00
yo-h
43bcd5b26c Add guidelines for experimental CodeQL queries and libraries 2020-02-24 15:08:31 -05:00
Grzegorz Golawski
fda4ab155a CodeQL query to detect open Spring Boot actuator endpoints 2020-02-23 20:03:41 +01:00
semmle-qlci
ecad925101 Merge pull request #2631 from hvitved/dataflow/generalize-flow-summaries 
Approved by aschackmull
 2020-02-17 18:22:46 +00:00
Anders Schack-Mulligen
75f7671e75 Java: Fix .expected 2020-02-06 10:27:44 +01:00
Anders Schack-Mulligen
ba86dea657 Java: Improve taint step modeling to use postupdate nodes. 2020-02-05 15:33:29 +01:00
Anders Schack-Mulligen
7d19eb7c05 Java: Add LICENSE.txt 2020-02-05 09:38:16 +01:00
Tom Hvitved
15ee1e37b9 Java: Follow-up changes 2020-02-04 14:09:12 +01:00
Anders Schack-Mulligen
2b1723dd88 Java: Move some taint tests. 2020-02-04 13:21:31 +01:00
Anders Schack-Mulligen
3b81c3b95c Merge pull request #2651 from ggolawski/java-ldap-injection 
Java LDAP Injection (CWE-90)
 2020-01-31 16:43:52 +01:00
yo-h
b542b08c95 Merge pull request #2726 from aschackmull/java/outputstream-write-taint 
Java: Improve taint for OutputStream.write and InputStream.read.
 2020-01-30 18:24:00 -05:00
yo-h
563be9f817 Merge pull request #2719 from aschackmull/java/deprecate-parexpr 
Java: Deprecate ParExpr
 2020-01-30 18:23:13 -05:00
Grzegorz Golawski
3fd8d9eb5c Rename CWE-90 into CWE-090 2020-01-30 22:33:20 +01:00
yo-h
dd517a433a Merge pull request #2671 from aschackmull/java/null-flow 
Java: Allow null literals as sources in data flow.
 2020-01-30 09:47:46 -05:00
Anders Schack-Mulligen
9bea581a23 Java: Improve taint for OutputStream.write and InputStream.read. 2020-01-30 14:29:56 +01:00