hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,275 Commits 1,671 Branches 157 Tags
tausbn/python-refine-location-of-flask-request-sources
Commit Graph

3153 Commits

Author SHA1 Message Date
Nora Dimitrijević
45b627df1d [DIFF-INFORMED] Java: SensitiveLogging 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-532/SensitiveInfoLog.ql#L20
 2025-07-17 19:02:02 +02:00
Nora Dimitrijević
bc0b383595 [DIFF-INFORMED] Java: MaybeBrokenCryptoAlgorithm 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-327/MaybeBrokenCryptoAlgorithm.ql#L25
 2025-07-17 19:02:00 +02:00
Nora Dimitrijević
b688df9dec [DIFF-INFORMED] Java: LogInjection 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-117/LogInjection.ql#L20
 2025-07-17 19:01:58 +02:00
Nora Dimitrijević
2d734056b1 [DIFF-INFORMED] Java: InsecureLdapAuth 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-522/InsecureLdapAuth.ql#L21
 2025-07-17 19:01:56 +02:00
Nora Dimitrijević
74b37e71a0 [DIFF-INFORMED] Java: InsecureCookie 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-614/InsecureCookie.ql#L21
 2025-07-17 19:01:52 +02:00
Nora Dimitrijević
19e5c3d805 [DIFF-INFORMED] Java: ImproperValidationOfArray… 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndexCodeSpecified.ql#L48
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstructionCodeSpecified.ql#L28
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayConstruction.ql#L26
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-129/ImproperValidationOfArrayIndex.ql#L24
 2025-07-17 19:01:50 +02:00
Nora Dimitrijević
1c6ecf1216 [DIFF-INFORMED] Java: UntrustedDataToExternalAPI 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-020/UntrustedDataToExternalAPI.ql#L20
 2025-07-17 18:59:15 +02:00
Nora Dimitrijević
0cf1195678 [DIFF-INFORMED] Java: ConditionalBypass 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-807/ConditionalBypass.ql#L26
 2025-07-17 18:59:14 +02:00
Nora Dimitrijević
0bcdb421ed [DIFF-INFORMED] Java: ArithmeticUncontrolled 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-190/ArithmeticUncontrolled.ql#L36
 2025-07-17 18:59:11 +02:00
Nora Dimitrijević
54546f6e99 [DIFF-INFORMED] Java: ArithmeticTainted 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-190/ArithmeticTainted.ql#L35
 2025-07-17 18:59:09 +02:00
Nora Dimitrijević
8353fdd041 [DIFF-INFORMED] Java: (Android)SensitiveCommunication 
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/java/ql/src/Security/CWE/CWE-927/SensitiveCommunication.ql#L20
 2025-07-17 18:59:06 +02:00
Anders Schack-Mulligen
996de78a66 Java: Prune PathGraph for CsrfUnprotectedRequestType.ql 2025-07-17 15:06:38 +02:00
Anders Schack-Mulligen
1485d7072d Merge pull request #19885 from aschackmull/java/annotated-exit-cfg 
Java: Add AnnotatedExitNodes to the CFG.
 2025-07-17 15:02:24 +02:00
Owen Mansel-Chan
af977e9ac7 Merge pull request #20067 from owen-mc/java/unsafe-deserialization-mad-sinks 
Java: allow the definition of `java/unsafe-deserialization` sinks using data extensions
 2025-07-17 13:42:31 +01:00
Owen Mansel-Chan
6629bd8279 No need to deprecate classes when module is deprecated 2025-07-17 11:52:31 +01:00
Owen Mansel-Chan
b361f76643 Delete unused private class 2025-07-17 11:36:06 +01:00
Anders Schack-Mulligen
54775e0958 Java: Adjust Paths.qll 2025-07-17 11:21:26 +02:00
Anders Schack-Mulligen
fbe79e8a52 Java: Add AnnotatedExitNodes to the CFG. 2025-07-17 11:21:26 +02:00
Owen Mansel-Chan
fdd1e3fefe Use MaD models for unsafe deserialization sinks when possible 
Many of the unsafe deserialization sinks have to stay defined in QL
because they have custom logic that cannot be expressed in MaD models.
 2025-07-16 14:42:07 +01:00
Kasper Svendsen
9c3e275e66 Merge pull request #20011 from kaspersv/kaspersv/discard-xml 
Overlay: Add XML and Java property discarding
 2025-07-15 16:13:38 +02:00
Kasper Svendsen
f84a3084f0 Address review comment about ignored QL variable 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2025-07-15 15:34:08 +02:00
Nick Rolfe
c199d0cbbe Java: use overlayChangedFiles in discard prediactes 2025-07-15 10:10:32 +01:00
Owen Mansel-Chan
03e8865933 Merge pull request #20025 from owen-mc/java/unsafe-deserialization 
Java: add extra sink for `java/unsafe-deserialization`
 2025-07-11 23:59:22 +01:00
Owen Mansel-Chan
8e4bd1a102 Add sink for ObjectInput.readObject to make test pass 2025-07-11 11:05:38 +01:00
Owen Mansel-Chan
006d77ffdd Refactor QL to make type check more concise 2025-07-11 06:13:01 +01:00
Kasper Svendsen
0739c03d03 Overlay: Add discarding of base XML locatables for Java 2025-07-10 12:31:16 +02:00
Kasper Svendsen
d7094a96b5 Overlay: Add discarding of all Java base properties 2025-07-10 12:31:15 +02:00
Jonas Jensen
5a1246a586 Merge remote-tracking branch 'upstream/main' into approximate-related-location 2025-07-09 10:10:20 +02:00
Kasper Svendsen
785e0273f2 Merge pull request #19968 from kaspersv/kaspersv/overlay-java-getastrictancestor-caller 
Overlay: Mark `RefType.getAStrictAncestor`` overlay[caller?]`
 2025-07-04 09:38:02 +02:00
Kasper Svendsen
dd8af3baf7 Overlay: Mark RefType.getAStrictAncestor overlay[caller?] 2025-07-03 12:23:20 +02:00
Kasper Svendsen
649091c0ed Fix java/local-temp-file-or-directory-information-disclosure overlay compilation regression 2025-07-03 10:47:33 +02:00
Asger F
4a2d795076 Shared: Make approximate location filtering the default behaviour 2025-07-02 14:41:02 +02:00
Asger F
82d190f4bf Java: use approximate related sink locations in polynomial redos 2025-07-02 14:40:56 +02:00
Kasper Svendsen
3d7343273e Merge pull request #19813 from github/kaspersv/overlay-java-discarding 
Overlay: Add manual Java overlay annotations & discard predicates
 2025-06-30 11:17:31 +02:00
Kasper Svendsen
c7194a4012 Overlay: Add missing QLDoc 2025-06-30 08:40:46 +02:00
Kasper Svendsen
e02affd327 Merge pull request #19901 from github/kaspersv/overlay-guards-inline 
Overlay: Add missing `overlay[caller?]` annotation
 2025-06-27 15:13:09 +02:00
Kasper Svendsen
5096ce405f Overlay: Add missing overlay[caller?] annotation 2025-06-27 10:50:28 +02:00
Jonas Jensen
b446fe74c2 Merge pull request #19846 from jbj/diff-informed-CleartextStorageCookie 
Java: Diff-informed CleartextStorageCookie.ql
 2025-06-27 08:45:11 +02:00
Kasper Svendsen
e6ef6a3326 Merge branch 'main' into kaspersv/overlay-java-discarding 2025-06-27 08:28:34 +02:00
Kasper Svendsen
9d2dd782d9 Merge remote-tracking branch 'github/main' into kaspersv/overlay-java-annotations 2025-06-26 13:18:25 +02:00
Anders Schack-Mulligen
321a4afd5c Merge pull request #19883 from aschackmull/java/fix-assert-cfg 
Java: Fix assert CFG by properly tagging the false successor.
 2025-06-26 11:43:27 +02:00
Kasper Svendsen
64f27e2adf Java: Add abstraction for discardable locatables 2025-06-26 11:35:37 +02:00
Anders Schack-Mulligen
c091fc585b Java: Account for AssertionError possibly not being extracted. 2025-06-26 11:03:59 +02:00
Anders Schack-Mulligen
f07d9dda39 Guards: Refactor EqualityTest interface. 2025-06-26 10:26:40 +02:00
Anders Schack-Mulligen
1d4c8197ec Java: Fix assert CFG by properly tagging the false successor. 2025-06-26 10:18:14 +02:00
Jonas Jensen
fc2b18ae8a Java: Diff-informed CleartextStorageCookie.ql 
This query shares implementation with several other queries about
cleartext storage, but it's the only one of them that's in the
code-scanning suite. The sharing mechanism remains the same as before,
but now each query has to override `getASelectedLocation` to become
diff-informed.

Two other data-flow configurations are used in this query, but they
can't easily be made diff-informed.
 2025-06-26 09:31:11 +02:00
Anders Schack-Mulligen
73810a6d85 Java: Fix perf issue. 2025-06-26 07:17:35 +02:00
Anders Schack-Mulligen
d4c897f8e2 Java: Fix perf issue. 2025-06-26 07:17:35 +02:00
Anders Schack-Mulligen
5c0dcd980d Java: Switch to the shared Guards library. 2025-06-26 07:17:34 +02:00
Anders Schack-Mulligen
cc13193cb6 Java: Replace some references to basicNullGuard. 2025-06-26 07:17:33 +02:00