hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,738 Commits 1,671 Branches 157 Tags
tausbn/python-add-models-for-zstd-compression
Commit Graph

14042 Commits

Author SHA1 Message Date
Remco Vermeulen
42e261ac02 Move SqlInjectionSink and PersistenceQueryInjectionSink 
Join SqlInjectionSink and PersistenceQueryInjectionSink with
QueryInjectionSink to make its definition more transparent.
 2020-07-09 10:21:24 +02:00
Remco Vermeulen
d07d21c9e2 Fix import 2020-07-09 10:20:53 +02:00
Anders Schack-Mulligen
777dc6305c Merge pull request #3893 from aibaars/set-map-list-copy-of 
Java: model some new Set,List,Map methods
 2020-07-09 10:18:12 +02:00
Arthur Baars
6367eb9ee8 Address review comments 2020-07-08 22:08:27 +02:00
Remco Vermeulen
5f560e0465 Extract HeaderSplittingSink and WhitelistedSource 
- Extract `HeaderSplittingSink` and `WhitelistedSource` into an
importable library.
- Rename the existing `HeaderSplittingSink` implementation to
`ServletHeaderSplittingSink`.
 2020-07-08 17:17:24 +02:00
Remco Vermeulen
170be9ffe8 Move UrlRedirectSink into importable library 
- The `UrlRedirect` class is renamed to `ServletUrlRedirect`.
- Abstract class `UrlRedirectSink` is defined that can be imported and
used to customise CWE-601 via Customizations.qll
 2020-07-08 16:47:51 +02:00
Remco Vermeulen
06517c6f82 Move QueryInjectionSink into importable library 
This enables defining of new sinks to customise the CWE-089 queries.
 2020-07-08 16:24:06 +02:00
Arthur Baars
e8f216c761 Merge remote-tracking branch 'upstream/master' into set-map-list-copy-of 2020-07-08 15:11:13 +02:00
Anders Schack-Mulligen
bf5c5297d3 Merge pull request #3897 from aibaars/util-objects 
Java: data flow for `java.util.Objects`
 2020-07-08 15:07:50 +02:00
Anders Schack-Mulligen
b88ebd69c1 Java: Fix OgnlInjection qltest 2020-07-08 14:12:27 +02:00
Anders Schack-Mulligen
a4fe4f41b9 Java: Fix JndiInjection qltest 2020-07-08 14:09:08 +02:00
Anders Schack-Mulligen
581d496167 Java: Fix LdapInjection qltest 2020-07-08 14:04:01 +02:00
Arthur Baars
72a24972e7 Apply suggestions from code review 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2020-07-08 13:30:24 +02:00
Anders Schack-Mulligen
48e4759632 Merge branch 'master' into java/spring-3653-2 2020-07-08 13:06:51 +02:00
semmle-qlci
6ef7288848 Merge pull request #3922 from aschackmull/java/stub-cleanup 
Approved by aibaars
 2020-07-08 12:04:39 +01:00
Anders Schack-Mulligen
b38839e84e Merge pull request #3920 from Marcono1234/patch-3 
Improve VariableAssign.getSource documentation
 2020-07-08 10:25:13 +02:00
Anders Schack-Mulligen
6eac8e82a3 Java: Consolidate spring-ldap-2.3.2 stubs. 2020-07-08 10:08:44 +02:00
Anders Schack-Mulligen
40b9d34ab9 Java: Consolidate springframework-5.2.3 stubs 2020-07-08 09:57:48 +02:00
Anders Schack-Mulligen
c166fee198 Merge pull request #3894 from aibaars/util-arrays 
Java: model taint for java.util.Arrays
 2020-07-08 09:06:40 +02:00
Marcono1234
00a61816c0 Improve VariableAssign.getSource documentation 2020-07-07 22:37:58 +02:00
Arthur Baars
441bf98ce7 Java: add Vector::copyInto, BlockingQueue::drainTo 2020-07-07 20:35:02 +02:00
Arthur Baars
c9ae2c8b2c Java: ContainerFlow: organize taintPreservingArgumentToQualifier 2020-07-07 20:32:10 +02:00
Arthur Baars
5d73b99fd1 Java: ContainerFlow: organize taintPreservingQualifierToMethod 2020-07-07 19:53:11 +02:00
Arthur Baars
940fec5669 Drop taint tracking for Arrays.{deepToString,toString} 2020-07-07 17:26:49 +02:00
Arthur Baars
583f7f914e Drop taint tracking for Arrays.{setAll, parallelSetAll, parallelPrefix} 2020-07-07 17:22:30 +02:00
Arthur Baars
9cf6601d02 Java: Data flow for java.util.Objects 2020-07-07 16:58:22 +02:00
Anders Schack-Mulligen
993506d781 Merge pull request #3820 from Marcono1234/patch-2 
Add missing java.nio.file.Files methods to FileReadWrite.qll
 2020-07-07 10:29:17 +02:00
Marcono1234
0a9686709b Fix wrong method name 2020-07-06 18:52:07 +02:00
Anders Schack-Mulligen
f98460cfd0 Java: Use SpringHttpEntity class. 2020-07-06 16:54:20 +02:00
Anders Schack-Mulligen
ae21de90b6 Java: Misc grammar and formatting. 2020-07-06 16:19:42 +02:00
Anders Schack-Mulligen
b06d1c715a Java: More qldoc and some formatting. 2020-07-06 16:04:14 +02:00
Marcono1234
6ff8508d01 Java: Clarify documentation for Location predicate results 2020-07-06 15:46:11 +02:00
Anders Schack-Mulligen
5e9e7feddc Java: Add some qldoc and minor formatting. 2020-07-06 15:39:20 +02:00
Anders Schack-Mulligen
e6658c5110 Java: Cleanup TaintTrackingUtil.qll 2020-07-06 15:35:16 +02:00
Anders Schack-Mulligen
5d8f9a79f1 Java: Misc grammar fixes. 2020-07-06 14:50:33 +02:00
Anders Schack-Mulligen
a80e663ab5 Java: Minor typo fix and autoformat 2020-07-06 14:43:01 +02:00
Anders Schack-Mulligen
2ce0921935 Java: Clean up SpringHttp.qll 2020-07-06 14:35:53 +02:00
Anders Schack-Mulligen
2ae15f9ace Java: Remove list, map, and StringReplaceMethod flow steps. 2020-07-06 14:19:13 +02:00
Anders Schack-Mulligen
a41c2d8abf Java: Make a few predicates private and autoformat SpringController. 2020-07-06 14:18:16 +02:00
Arthur Baars
d2734b2903 Merge pull request #3684 from aschackmull/java/javadoctag-qldoc 
Java: Improve qldoc for JavadocTag.
 2020-07-06 11:42:04 +02:00
Arthur Baars
98d24101b1 Merge pull request #3687 from aschackmull/java/getanenclosingstmt 
Java: Add Expr.getAnEnclosingStmt.
 2020-07-06 11:41:21 +02:00
Marcono1234
f8e474f89a Add missing java.nio.file.Files methods to FileReadWrite.qll 2020-07-05 18:39:26 +02:00
luchua-bc
d6e9b07a9e Add JBoss BasicLogger and SciJava Logger 2020-07-03 22:34:48 +00:00
lcartey@github.com
b242a61701 Java: Untrusted data used in external APIs 
This commit adds two queries for identifying external APIs which are
used with untrusted data.

These queries are intended to facilitate a security review of the
application, and will report any external API which is called with
untrusted data. The purpose of this is to:
 - review how untrusted data flows through this application
 - identify opportunities to improve taint modeling of sinks and taint
   steps.
As a result this is not suitable for integration into a developer
workflow, as it will likely have high false positive rate, but it may
help identify false negatives for other queries.
 2020-07-03 17:32:08 +01:00
Arthur Baars
19a481f809 Java: Arrays: add tests 2020-07-03 17:15:17 +02:00
Arthur Baars
0b89efbee4 Java: model Arrays::addList 2020-07-03 17:15:17 +02:00
Arthur Baars
a07af79fff Java: model java.util.Arrays 2020-07-03 17:15:17 +02:00
Arthur Baars
1485f7c876 Java: model some new Set,List,Map methods 
Models the taint propagation for the copyOf(..),
of(..), ofEntries(..) and entry(..) methods
 2020-07-03 17:14:53 +02:00
Arthur Baars
c629f6b13a Merge pull request #3869 from aibaars/util-collections 
Java: model java.util.Collections
 2020-07-03 17:09:14 +02:00
Arthur Baars
5fff41f35b Don't track taint on Map keys 2020-07-03 14:47:25 +02:00