hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,275 Commits 1,672 Branches 157 Tags
tausbn/python-refine-location-of-flask-request-sources
Commit Graph

13656 Commits

Author SHA1 Message Date
luchua-bc
a93aabab40 Add the toString() method 2021-03-05 03:05:49 +00:00
luchua-bc
919c6b4b0a Optimize flow steps 2021-03-05 02:50:54 +00:00
Francis Alexander
abdebc29f9 Move to experimental and review feedback 2021-03-05 07:26:29 +05:30
Francis Alexander
a35f6d030c Test fixes and change notes 2021-03-05 06:50:57 +05:30
Marcono1234
e9e9634306 Java: Improve constant-loop-condition 2021-03-04 23:33:29 +01:00
Marcono1234
c8315577fe Java: Simplify own member access checks 2021-03-04 22:45:52 +01:00
Artem Smotrakov
7d52b53c24 Merge branch 'jexl-injection' of github.com:artem-smotrakov/ql into jexl-injection 2021-03-04 20:29:10 +01:00
Artem Smotrakov
0695b2a1fb Removed TaintedSpringRequestBody 2021-03-04 20:27:39 +01:00
Owen Mansel-Chan
96eaf2119f Correct signature and package in comment 
cf https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletResponse.html#addCookie(javax.servlet.http.Cookie)
 2021-03-04 15:10:02 +00:00
CodeQL CI
ad4b9372bd Merge pull request #5302 from RasmusWL/expectation-tests-allow-str-prefix 
Approved by MathiasVP, tausbn
 2021-03-04 06:48:57 -08:00
haby0
c5577cb09a Fix the problem 2021-03-04 19:54:49 +08:00
Chris Smowton
da0a7f343a Move existing value-preserving methods to use ValuePreservingCallable 2021-03-04 11:45:45 +00:00
Chris Smowton
40b0f68d2a Add backward dataflow edges through modelled function invocations. 
Also add convenience abstract classes for easily modelling new functions as fluent or value-preserving.
 2021-03-04 11:45:19 +00:00
Chris Smowton
71cd329ded Directly import Lang from ExternalFlow's Frameworks module 2021-03-04 11:12:21 +00:00
Chris Smowton
563404120f Move calls to getSourceDeclaration 2021-03-04 11:11:56 +00:00
Chris Smowton
43b9436bb8 Convert Apache misc text models to CSV taint-flow specifications 2021-03-04 11:11:56 +00:00
Chris Smowton
0029d3b743 Java CSV flow summaries: allow specifying an unqualified typename to imply either the type itself or any generic specialisation. 
It is still possible to specify a precise generic signature if need be.
 2021-03-04 11:11:56 +00:00
Chris Smowton
224e537459 Add change note 2021-03-04 11:11:56 +00:00
Chris Smowton
b0ba0585a7 Add models for Apache Commons Lang and Text's Str[ing]Substitutor 2021-03-04 11:11:55 +00:00
Chris Smowton
f749c31136 Add models for commons lang/text's Str[ing]Lookup class 2021-03-04 11:11:55 +00:00
Chris Smowton
1580d23b2b Add models for WordUtils and StrTokenizer 
Both of these have commons-text and commons-lang variants.
 2021-03-04 11:11:55 +00:00
Anders Schack-Mulligen
45f52289ea Merge branch 'main' into java/merge-5226 2021-03-04 11:36:16 +01:00
Anders Schack-Mulligen
fe07630e40 Merge pull request #5219 from smowton/smowton/feature/backward-dataflow-for-fluent-methods 
Java: Add backward dataflow edges through fluent function invocations.
 2021-03-04 11:13:32 +01:00
luchua-bc
1784c202a7 Clean up the query 2021-03-03 17:03:37 +00:00
Anders Schack-Mulligen
f91c71c8f7 Merge pull request #5270 from Marcono1234/marcono1234/class-isPackageProtected 
Java: Add Class and Interface.isPackageProtected()
 2021-03-03 16:33:57 +01:00
Anders Schack-Mulligen
7ca57fd7a5 Merge pull request #5294 from Marcono1234/patch-1 
Java: Fix wrong algorithm name matching
 2021-03-03 16:33:13 +01:00
Marcono1234
d5d0439471 Java: Fix wrong algorithm name matching 
The regex character class `[5|7]` matches `5`, `7` and `|`.
 2021-03-03 15:44:23 +01:00
luchua-bc
502cf38fcc Use concise API 2021-03-03 14:07:43 +00:00
luchua-bc
1b1c3f953b Remove localflow from the source 2021-03-03 13:54:26 +00:00
luchua-bc
b366ffa69e Revamp source of the query 2021-03-03 13:38:18 +00:00
Anders Schack-Mulligen
3400c121d6 Merge pull request #5202 from joefarebrother/apache-http 
Java: Add modelling for Apache HTTP Components
 2021-03-03 13:41:41 +01:00
Anders Schack-Mulligen
663c72ab1d Update java/change-notes/2021-03-23-guava-collections-and-preconditions.md 2021-03-03 12:53:16 +01:00
Joe Farebrother
a77cf12596 Add change note for Guava 2021-03-03 10:56:12 +00:00
Artem Smotrakov
7cc7ec962e Updated recommendations for avoiding JEXL injections 2021-03-03 11:40:59 +01:00
Artem Smotrakov
617ba65ef5 Improved docs for SpringHttpInvokerUnsafeDeserialization.ql 2021-03-02 21:36:14 +01:00
Artem Smotrakov
c243f2f042 Improved JexlInjection.qhelp 2021-03-02 21:25:26 +01:00
Artem Smotrakov
6b66323ac3 Simplified JexlInjectionLib.qll and removed LocalUserInput 2021-03-02 21:22:46 +01:00
Joe Farebrother
81ff76814f Remove incorrect expectaton 2021-03-02 16:35:34 +00:00
Francis Alexander
173c4b7f2f More Play stubs improvements 2021-03-02 20:39:25 +05:30
Anders Schack-Mulligen
0eb2c06e20 Merge pull request #3945 from porcupineyhairs/structsDevMode 
Java: Add query to detect Apache Struts enabled Devmode
 2021-03-02 15:22:20 +01:00
Porcuiney Hairs
beb15e27eb remove tests 2021-03-02 18:13:33 +05:30
Francis Alexander
4384f78595 Play stubs improvements, cleanup and return values 2021-03-02 16:50:16 +05:30
Anders Schack-Mulligen
b0fa8dfeae Merge pull request #4214 from porcupineyhairs/springViewManipulation 
[Java] Add QL for detecting Spring View Manipulation Vulnerabilities.
 2021-03-02 11:31:42 +01:00
Anders Schack-Mulligen
394c82d564 Apply suggestions from code review 
Adjust qldoc.
 2021-03-02 10:17:07 +01:00
luchua-bc
95d1994196 Query to check sensitive cookies without the HttpOnly flag set 2021-03-01 22:06:52 +00:00
Porcuiney Hairs
5151a528ac Include suggestions from review 2021-03-01 22:59:30 +05:30
Chris Smowton
5d2f3421d8 Add change notes 2021-03-01 16:59:20 +00:00
Chris Smowton
cdccc1a064 Remove needless typecasts 2021-03-01 16:47:34 +00:00
Porcuiney Hairs
14ec148272 refactor to meet experimental guidelines. 2021-03-01 18:46:33 +05:30
Rasmus Wriedt Larsen
0874712c97 C++/Java/Python: Allow Python string prefix in InlineExpectationsTest 
I've been writing tests for crypto libraries in Python, and have wanted to write
code along the lines of

```py
md5.hash(b"some message") # $ HashInput=b"some message"
```

which didn't work before this commit, forcing me to store my text in a variable
like below. This turned out to be really annoying when dealing with more complex
examples, so therefore I'm adding this new functionality to allow this behavior.

```py
msg = b"some message"
md5.hash(msg) # $ HashInput=msg
```
 2021-03-01 13:44:28 +01:00