hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,893 Commits 1,671 Branches 157 Tags
tausbn/python-add-support-for-template-string-literals
Commit Graph

4718 Commits

Author SHA1 Message Date
yoff
406e48b3bb java: fix aliasing FP 
reorganise code, adding `LockField`
 2025-10-27 14:30:25 +01:00
Tom Hvitved
32f21d6d49 Merge pull request #20688 from hvitved/java/request-forgery-matches-sanitizer 
Java: Treat `x.matches(regexp)` as a sanitizer for request forgery
 2025-10-24 14:34:32 +02:00
Tom Hvitved
7a9cb64e2e Java: Treat x.matches(regexp) as a sanitizer for request forgery 2025-10-24 09:06:57 +02:00
Anders Schack-Mulligen
72d83cc966 ControlFlowReachability: Align the SSA signature with the one from shared SSA. 2025-10-23 10:57:21 +02:00
Anders Schack-Mulligen
f257c7a570 Guards: Align the SSA signature with the one from shared SSA. 2025-10-23 10:23:22 +02:00
Anders Schack-Mulligen
20147cdd2b Shared/Java: Rename ControlFlowReachability library. 2025-10-23 09:07:34 +02:00
Anders Schack-Mulligen
8a3f62b9b6 Merge pull request #20558 from aschackmull/csharp/guards3 
C#: Instantiate shared Guards and shared ControlFlowReachability and replace nullness
 2025-10-23 08:43:14 +02:00
REDMOND\brodes
b374ba3d0c Crypto: Updating java 'location' information to be just a location's toString to be more verbose/precise. 2025-10-21 11:48:37 -04:00
yoff
f4878b3806 java: make as many predicates private as possible 2025-10-21 13:25:26 +02:00
yoff
de05bfbce3 java: address review comments 
- do not use `getQualifiedName`
- use camelCase
- rework alert predicates
 2025-10-21 13:25:26 +02:00
yoff
715acefacc Apply suggestions from code review 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2025-10-21 12:52:59 +02:00
REDMOND\brodes
cc436e897d Merge branch 'santander-java-crypto-check' of https://github.com/bdrodes/codeql into santander-java-crypto-check 2025-10-20 15:24:40 -04:00
REDMOND\brodes
354effe829 Crypto: Missing hash algorithms for HMAC operations in jca. 2025-10-20 15:24:18 -04:00
Ben Rodes
2b683c210f Merge branch 'main' into santander-java-crypto-check 2025-10-18 17:56:43 -04:00
REDMOND\brodes
c01c060476 Crypto: more ID renaming to include "examples", fix singleton issues with ql-for-ql, use formatted test for WeakAsymmetricKeyGenSize (add post processing in the qlref), misc expected files updated (test passed locally but on rerun vscode reports failures, known bug with vscode unit tests). 2025-10-17 14:13:53 -04:00
REDMOND\brodes
b4ecb91c83 Crypto: Add missing cipher algorithms to JCA. Update node tests to account for missing cipher algorithms. 2025-10-17 13:38:47 -04:00
REDMOND\brodes
f480d90a68 Crypto: Add missing block mode JCA Models, add block mode unit tests 2025-10-17 13:13:14 -04:00
yoff
3a0a8999d5 java: fix ql alerts 2025-10-17 01:52:23 +02:00
yoff
61a3e9630f java: rewrite conflict detection 
- favour unary predicates over binary ones
(the natural "conflicting access" is binary)
- switch to a dual solution to trade recursion through forall for simple existentials.

Co-authored-by: Anders Schack-Mulligen <aschackmull@github.com>
 2025-10-17 01:43:04 +02:00
REDMOND\brodes
b9b0037e07 Crypto: Comment todo for observed missing modeled case. Tests for weak and unknown KDF iteration count. 2025-10-16 14:07:45 -04:00
REDMOND\brodes
a64a24d25d Crypto: Comment in Language.qll 2025-10-16 11:03:49 -04:00
REDMOND\brodes
25599e9b4b crypto: Update JCA model macs to take into consideration update calls (use prior pattern for signatures). Misc. bug fixes. 2025-10-15 16:25:36 -04:00
REDMOND\brodes
9a6aac1300 Crypto: To get unreferenced parameters as general sources for Java, I've included the caveat that if a function is called, all the calls appear to be in test files. 2025-10-15 14:20:16 -04:00
REDMOND\brodes
ee08385e31 Crytpo: Update JCA keyagreement to type conversion, XDH is a type of ECDH. 2025-10-15 08:06:19 -04:00
github-actions[bot]
6dd07790ac Post-release preparation for codeql-cli-2.23.3 2025-10-14 11:16:33 +00:00
github-actions[bot]
33542f7d40 Release preparation for version 2.23.3 2025-10-14 09:30:24 +00:00
REDMOND\brodes
76128ed8dc Crypto: Update InsecureIVorNonce to be a path problem. 2025-10-13 15:29:57 -04:00
REDMOND\brodes
08abdb8c85 Crypto: Adding a "javaConstant" concept to handle config files. 2025-10-13 12:03:41 -04:00
REDMOND\brodes
36673659ad Crypto: Weak asymmetric key gen size fixes and test. 2025-10-10 14:49:35 -04:00
yoff
5109babd92 java: add qldoc 
These interfaces were previously in a .ql file.
Also, use the XXAccess variants.
 2025-10-09 14:20:28 +02:00
Nicolas Will
fdba3acc4b Crypto: Fix QL-for-QL alert and auto-format 2025-10-09 13:59:51 +02:00
yoff
1ad239459f java: move shared code into Concurrency.qll 2025-10-09 13:36:35 +02:00
yoff
f90e9dbb5e java: favour inline_late over inline 
This gives much greater control over the join-order
 2025-10-09 13:01:25 +02:00
yoff
830f02af1f java: fixes from the CI bots 2025-10-09 09:37:31 +02:00
yoff
93fc287ef1 java: add auto-generated overlay annotations 2025-10-09 09:25:57 +02:00
yoff
a1671ea8af java: small cleanups 
- add missing qldoc
- remove use of `getErasure`
- remove use of `getTypeDescriptor`
- define `ExposedField`
 2025-10-09 09:16:25 +02:00
yoff
821b1de5b3 java: inline char pred 2025-10-09 09:16:25 +02:00
yoff
01ddc11fa7 java: address some review comments 2025-10-09 09:16:25 +02:00
yoff
77734f83d5 java: better detection of thread safe fields. 
Identified by triage of DCA results.
Previously, we did not use the erased type, so would not recgnize `CompletableFuture<R>`.
We now also recognize safe initializers.
 2025-10-09 09:16:25 +02:00
yoff
096d5f2a56 java: implement SCC contraction of the call graph 
Our monitor analysis would be fooled by cycles in the call graph,
since it required all edges on a path to a conflicting access to be either
 - targetting a method where the access is monitored (recursively) or
 - monitored locally, that is the call is monitored in the calling method
For access to be monitored (first case) all outgoing edges (towards an access) need
to satisfy this property. For a loop, that is too strong, only edges out of the loop
actually need to be protected. This led to FPs.
 2025-10-09 09:14:16 +02:00
yoff
fe487e8bf0 java: add ThreadSafe query (P3) 
Co-authored-by: Raúl Pardo <raul.pardo@protonmail.com>
Co-authored-by: SimonJorgensenMancofi <simon.jorgensen@mancofi.dk>
Co-authored-by: Bjørnar Haugstad Jåtten <bjornjaat@hotmail.com>
 2025-10-09 09:14:16 +02:00
REDMOND\brodes
11e81395b5 Crypto: Updated default flows to use taint tracking (this is needed to fix false positives in the unknown IV/Nonce query). Add the unknown IV/Nonce query and associated test cases. Fix unknown IV/Nonce query to focus on cases where the oepration isn't known or the operation subtype is not encrypt or wrap. 2025-10-08 14:14:17 -04:00
REDMOND\brodes
83ff70bcd8 Crypto: Adding tests for insecure iv or nonce. Updating generic literal sources to include array literals. 2025-10-08 12:47:58 -04:00
REDMOND\brodes
bd34b6ce02 Crypto: Removing JCA model of random, need to reassess this as this impacts the insecure IV/Nonce query. Updated name of the Insecure nonce query to be InsecureIVorNonce 2025-10-08 11:41:21 -04:00
REDMOND\brodes
cf88e3f52d Crypto: Standardize naming where use of "family" and "type" have been used. Prefer 'type'. 2025-10-08 09:54:53 -04:00
Alex Eyers-Taylor
77d4af153d Java: Make some query libraries local. 2025-10-07 18:24:37 +01:00
Alex Eyers-Taylor
542bdf0792 Java: Use Overlay dataflow in java. 2025-10-07 17:52:12 +01:00
Alex Eyers-Taylor
c49e2ab2da DataFlow: Add code to do overlay informed dataflow. 2025-10-07 17:52:12 +01:00
Anders Schack-Mulligen
18e33b193e Merge pull request #20589 from aschackmull/java/array-entrypoint-read-taint 
Java: Allow taint-read-steps for array sources.
 2025-10-07 15:04:03 +02:00
Anders Schack-Mulligen
7dadbc43fb Java: Add change note. 2025-10-07 13:51:49 +02:00