hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 18:33:16 +01:00
Code Issues Packages Projects Releases Wiki Activity
29,908 Commits 1,671 Branches 157 Tags
z80coder/ATM-feature-optimisation
Commit Graph

27 Commits

Author SHA1 Message Date
Anders Schack-Mulligen
57cb300759 C++/C#/Java/JavaScript/Python: Remove singleton set literals. 2021-10-14 11:34:22 +02:00
Anders Schack-Mulligen
3f7d6e6f85 Merge pull request #6136 from smowton/smowton/admin/spring-xss-content-type-sensitivity 
Spring HTTP: improve content-type sensitivity
 2021-09-15 09:50:56 +02:00
Chris Smowton
fcc0f1d5a7 Expand test to exercise all sinks 2021-09-14 12:27:33 +01:00
luchua-bc
24addd5c10 Query to detect XSS with JavaServer Faces (JSF) 2021-09-14 11:47:32 +01:00
Chris Smowton
b47939c737 Note resolved spurious results 2021-09-10 16:10:54 +01:00
Chris Smowton
d940085384 Spring HTTP: inherit produced content-types from surrounding class 2021-09-10 16:10:52 +01:00
Chris Smowton
bdd135dbff Spring HTTP: mark explicitly content-typed body calls as sinks 
Previously only the return from the request-handler method constituted a sink, and was filtered by the Produces annotation if any, even though a BodyBuilder could explicitly override.

These sinks are also marked as out-barriers to avoid duplicate paths when the Produces annotation is in agreement.
 2021-09-10 16:10:50 +01:00
Chris Smowton
701d0bcdca Spring content types: recognise constant content-type strings 2021-09-10 16:10:48 +01:00
Chris Smowton
3b6cc97557 Sanitize Spring bodies directly associated with an XSS-safe Content-Type 2021-09-10 16:10:44 +01:00
Sauyon Lee
9c1d5a70e3 Java: Add test for XSS sanitizer 2021-08-12 11:20:49 -07:00
Chris Smowton
eaf3d3cc03 Merge pull request #6162 from smowton/smowton/feature/jax-rs-content-type-sensitivity-fixes 
Jax-RS: implement content-type tracking
 2021-08-03 14:53:31 +01:00
Chris Smowton
a0297d51e5 Note fixed test result 
the Optional type has now been modelled
 2021-07-19 18:28:06 +01:00
Chris Smowton
82ea2592ad Spring HTTP: Fix test mistakes 
Classes without RestController and methods without GetMapping or similar were never going to be detected.
 2021-07-19 18:21:13 +01:00
Chris Smowton
392e405f5d Add Spring-XSS test 
This covers the cases currently exercised in https://github.com/github/codeql-securitylab/blob/main/java/ql/src/pwntester/security/RestXSS.ql
 2021-07-19 18:21:11 +01:00
Chris Smowton
7f556de8a0 Resolve now-fixed spurious XSS results 2021-06-30 12:04:22 +01:00
Chris Smowton
856046ce50 Jax-RS: implement content-type tracking 
This follows content-type specifications across Variant-related functions and the ResponseBuilder class in order to sanitize or sink entities as appropriate.
 2021-06-30 12:04:21 +01:00
Chris Smowton
dd70f2c87e Add spurious results now found in JaxXSS.java 2021-06-28 19:24:19 +01:00
Chris Smowton
8eaffaff35 Fix test mistakes 2021-06-28 19:24:19 +01:00
Chris Smowton
6b3bc42ef2 Add JAX-RS XSS tests 2021-06-28 19:24:18 +01:00
Chris Smowton
b3c186c513 Convert XSS test to inline expectations 2021-06-28 19:24:18 +01:00
Alvaro Muñoz
735e4e4b7b update failing tests 2021-05-28 15:13:18 +02:00
Porcupiney Hairs
4f07733b06 remove U+200B 2020-08-30 04:54:02 +05:30
Porcupiney Hairs
3f6eef8437 Java: add websocket reads as remote flow source. 
Currently, JAX-WS reads are considered as untrusted. However, `java.net.http.WebSocket` reads are not marked as such.

This PR adds support for the same.
 2020-08-27 02:45:59 +05:30
Tom Hvitved
7f6e253425 Java: Update expected test output 2019-10-04 11:09:44 +02:00
Anders Schack-Mulligen
2d620698d8 Java: Adjust qltest expected output. 2019-09-12 11:00:49 +02:00
Anders Schack-Mulligen
deb61d6f29 Java: Update test output. 2018-11-16 13:48:50 +01:00
Pavel Avgustinov
846c9d5860 Migrate Java code to separate QL repo. 2018-08-30 10:48:05 +01:00