codeql

mirror of https://github.com/github/codeql.git synced 2025-12-20 02:44:30 +01:00

Author	SHA1	Message	Date
Erik Krogh Kristensen	694016dcbe	add missing qldoc	2021-10-01 09:01:57 +02:00
Erik Krogh Kristensen	6a9277b5ce	recognize string sanitizers for ldap-injection	2021-10-01 09:01:29 +02:00
Erik Krogh Kristensen	51b56a9e28	add cwe 090 (ldap injection) and cwe 943 (Improper Neutralization of Special Elements in Data Query Logic) to SqlInjection.ql	2021-10-01 09:01:29 +02:00
Erik Krogh Kristensen	2062afc868	add calls to parseDN as sinks for ldap-injection	2021-10-01 09:01:28 +02:00
Erik Krogh Kristensen	d4de5e3248	refactoring and renamings in the ldap model	2021-10-01 09:01:14 +02:00
Erik Krogh Kristensen	bcf4626fd0	remove ldap examples from experimental folder	2021-10-01 09:00:10 +02:00
Erik Krogh Kristensen	c55b7bcd85	model ldap filters as taint steps	2021-10-01 09:00:10 +02:00
Erik Krogh Kristensen	9b5ff66b68	naively port tests from ldap examples	2021-10-01 09:00:10 +02:00
Erik Krogh Kristensen	2b286a856c	naively move ldap into the SQL injection query	2021-10-01 09:00:10 +02:00
Erik Krogh Kristensen	94e2676c0f	naive conversion of ldapjs model to API node	2021-10-01 09:00:10 +02:00
github-actions[bot]	3d61c81456	Add changed framework coverage reports	2021-10-01 00:09:22 +00:00
Rasmus Wriedt Larsen	2d5c6e2723	Python: FastAPI: Add taint test	2021-09-30 19:14:15 +02:00
Rasmus Wriedt Larsen	c839f35485	Python: FastAPI: Proper modeling of implicit returns	2021-09-30 19:14:15 +02:00
Rasmus Wriedt Larsen	50147708bf	Python: FastAPI: Model response classes Figuring out how to do the `media_type` tracking was quite difficult.	2021-09-30 19:14:15 +02:00
Rasmus Wriedt Larsen	eef946a0c8	Python: FastAPI: Add test for custom response annotation It really is rather contrived, but it also _does_ work.	2021-09-30 19:14:15 +02:00
Rasmus Wriedt Larsen	c9895b54fe	Python: FastAPI: Add tests for direct response construction	2021-09-30 19:14:14 +02:00
Rasmus Wriedt Larsen	c50c805f5f	Python: FastAPI: Model Cookie Writes	2021-09-30 19:14:14 +02:00
Rasmus Wriedt Larsen	d34c5fd72f	Python: FastAPI: Add tests with response parameter	2021-09-30 19:14:14 +02:00
Rasmus Wriedt Larsen	285de2b4c8	Python: FastAPI: Add support for `APIRouter`	2021-09-30 19:14:14 +02:00
Rasmus Wriedt Larsen	b1f8b5352b	Python: FastAPI: Add support for `api_route` Note that `route` did not actually work (that also comes from the underlying web framework library Starlette)	2021-09-30 19:14:14 +02:00
Rasmus Wriedt Larsen	3661ff3bd8	Python: Add basic FastAPI support	2021-09-30 19:14:14 +02:00
Chris Smowton	f48c418d6d	Merge pull request #5907 from x-f1v3/java/hardcoded-shiro-key Java: CWE-798: Query to detect hard-coded SHIRO key	2021-09-30 17:58:12 +01:00
Chris Smowton	ec4cb7c90f	Fix typo	2021-09-30 16:22:12 +01:00
Harry Maclean	f61161e66d	Merge pull request #321 from github/hmac-more-eval Identify more instances of code injection	2021-09-30 16:12:24 +01:00
Chris Smowton	cb4ce36d3c	Update change note; drop unnecessary import	2021-09-30 15:00:13 +01:00
Chris Smowton	b0983cb726	Specifically include Base64 encode/decode as a likely intermediate step for hardcoded credentials	2021-09-30 14:57:49 +01:00
Chris Smowton	b57a58c253	Amend change note	2021-09-30 14:27:05 +01:00
f1v3	24c9bb2fb7	autoformat	2021-09-30 14:26:19 +01:00
f1v3	168fc4170d	Apply suggestions from code review	2021-09-30 14:26:14 +01:00
f1v3	f3bde56de9	detects a hard-coded cipher key for shiro	2021-09-30 14:22:48 +01:00
Harry Maclean	8c0c08e887	Identify more instance of code injection `class_eval` and `module_eval` both take a string as argument and execute it as Ruby code.	2021-09-30 14:19:24 +01:00
Chris Smowton	60a023d064	Merge pull request #5852 from luchua-bc/java/hardcoded-azure-credential Java: CWE-798 Query to detect hard-coded Azure credentials	2021-09-30 14:11:29 +01:00
Rasmus Lerchedahl Petersen	35d9005eae	Python: typo again..	2021-09-30 14:39:44 +02:00
Rasmus Lerchedahl Petersen	f3fc56a167	Python: typos	2021-09-30 14:39:05 +02:00
Rasmus Lerchedahl Petersen	d19d37bf9b	Python: more suggestions from review	2021-09-30 14:36:26 +02:00
yoff	c1c63d0c28	Merge pull request #6738 from RasmusWL/qldoc-getArgByName Python: Add QLDoc to `Function.getArgByName`	2021-09-30 14:11:18 +02:00
yoff	46e62cd963	Apply suggestions from code review Co-authored-by: Rasmus Wriedt Larsen <rasmuswriedtlarsen@gmail.com>	2021-09-30 14:00:18 +02:00
Rasmus Lerchedahl Petersen	02e91b3902	Python: Model functions that will raise on non-existing files.	2021-09-30 13:36:24 +02:00
Harry Maclean	7f103b9450	Merge pull request #319 from github/hmac-activerecord-updates Add some more vulnerable ActiveRecord methods	2021-09-30 12:09:09 +01:00
Arthur Baars	0419d28ba0	XXE: overapproximate feature flag values for & and \| operators	2021-09-30 11:20:23 +02:00
Arthur Baars	089f9d87d4	Address comments	2021-09-30 11:20:23 +02:00
Arthur Baars	2b077595ae	Also track DTDLOAD and NONET	2021-09-30 11:20:23 +02:00
Arthur Baars	4268d9c565	XXE query	2021-09-30 11:20:17 +02:00
Harry Maclean	7191e1c007	Re-add delete_all and destroy_all methods These methods don't take any arguments in Rails versions > 3, but there's no harm in checking for them anyway, and some people might be using very old Rails versions.	2021-09-30 09:39:58 +01:00
Harry Maclean	75bbc51e73	Make room for new test cases This just bumps the other code down a bit so that the .expected diff is easier to read.	2021-09-30 09:33:39 +01:00
Rasmus Lerchedahl Petersen	fc9fb59082	Python: Add comments	2021-09-30 10:05:57 +02:00
Jonas Jensen	45cf6344cd	Merge pull request #6184 from github/rdmarsh2/improve-exec-tainted C++: Refactor ExecTainted.ql to only report results after string concatenation	2021-09-29 19:21:13 +02:00
CodeQL CI	e9b4e571e1	Merge pull request #6775 from RasmusWL/fix-hasLocationInfo-url Approved by aschackmull, erik-krogh, hvitved, jbj, tausbn	2021-09-29 16:51:08 +01:00
alexet	447eb23356	Java: Fix for tc magic issue with subtyping.	2021-09-29 16:01:08 +01:00
Rasmus Lerchedahl Petersen	115113888f	Python: Add change note	2021-09-29 16:58:14 +02:00

... 38 39 40 41 42 ...

29908 Commits