hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 02:44:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
31,029 Commits 1,672 Branches 157 Tags
z80coder/query-pack-release-candidate-2
Commit Graph

4135 Commits

Author SHA1 Message Date
Jonathan Leitschuh
5a68ac88ef Cleanup Jackson logic after code review 2021-05-11 10:48:22 -04:00
Jonathan Leitschuh
bacc3ef5b3 [Java] Jackson add support for 2 step deserialization taint flow 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
e97bad3b33 Support field access data flow for JacksonDeserializedTaintStep 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
83d527ed19 Apply suggestions from code review 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
b871f48c50 [Java] Add release note to Jackson change 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
d0b0b767a2 Apply suggestions from code review 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
d0638db6e7 [Java] Add data flow through Iterator deserializers for Jackson 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
56b1f15dda [Java] Add taint tracking through Jackson deserialization 2021-05-11 10:36:47 -04:00
Tony Torralba
8754c85a57 Use InlineExpectationsTest 2021-05-11 16:23:12 +02:00
Tony Torralba
fc03b92e11 Moved from experimental to standard 2021-05-11 15:42:13 +02:00
Tony Torralba
53da3b661a Refactor to CSV sink model 2021-05-11 15:33:49 +02:00
Tom Hvitved
d66506b0a3 Data flow: Rename {Argument,Parameter}NodeExt to {Arg,Param}Node 2021-05-11 14:40:10 +02:00
Jonathan Leitschuh
0d9a85ca6b Update java/change-notes/2021-05-05-kryo-improvements.md 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-05-11 08:29:50 -04:00
Anders Schack-Mulligen
744c495ac2 Merge pull request #5824 from JLLeitschuh/feat/JLL/guava_first_non_null 
[Java] Add support for com.google.common.base.MoreObjects#firstNonNull
 2021-05-11 09:42:20 +02:00
Anders Schack-Mulligen
7d6a497136 Merge pull request #5857 from dbartol/container/work 
Java: Fix QLDoc for `Container.toString()`
 2021-05-11 08:37:41 +02:00
Dave Bartolomeo
f85aff869c Java: Fix PR feedback 2021-05-10 16:37:23 -04:00
Marcono1234
2e098f050e Java: Ignore char array based closeables for CloseReader.ql and CloseWriter.ql 2021-05-10 18:33:07 +02:00
Jonathan Leitschuh
d27316eb3e Apply suggestions from code review 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2021-05-10 11:55:31 -04:00
Chris Smowton
0afe22d60c Merge pull request #5710 from p0wn4j/jsch-os-injection 
[Java] CWE-078: Add JSch lib OS Command Injection sink
 2021-05-10 16:12:00 +01:00
Tony Torralba
8553ca1019 Autoformatting 2021-05-10 15:42:20 +02:00
Tony Torralba
d99b5bfc66 Reuse previous tests from experimental 2021-05-10 11:17:20 +02:00
Tony Torralba
c70503142f Require JS enabled even when cross-origin access is enabled in the webviews 2021-05-10 09:45:59 +02:00
Dave Bartolomeo
d9f243d18a Java: Fix QLDoc for Container.toString() 
Fixes #5828

The QLDoc was just too specific about the default implementation. I've improved the wording.
 2021-05-08 11:14:02 -04:00
Hayk Andriasyan
fd88b72101 Delete JSchOSInjection.qhelp 2021-05-08 12:51:15 +04:00
Tony Torralba
6884edf52a Merge branch 'main' into atorralba/promote-unsafe-android-webview-fetch 2021-05-07 16:31:55 +02:00
Tony Torralba
1f1a1bdb41 Remove unnecessary CWE reference 2021-05-07 16:29:00 +02:00
luchua-bc
fc7d340a89 Query to detect hard-coded Azure credentials 2021-05-07 13:16:41 +00:00
Tony Torralba
dcee1daa31 Mark spurious test results 2021-05-07 13:17:04 +02:00
Tony Torralba
e6b7da1926 Add import for Android sinks in ExternalFlow 2021-05-07 12:41:39 +02:00
Tony Torralba
e78e5b9ee4 Merge branch 'main' into promote-jexl-injection 2021-05-07 12:36:49 +02:00
Tony Torralba
b37b15cea4 Re-structure imports, add some new comments to tests 2021-05-07 12:33:51 +02:00
Tony Torralba
e2e65aca3c Add new sink for Android XSS 2021-05-07 12:25:19 +02:00
Tony Torralba
2a501956b3 Mark a MISSING test result as suggested in code review 2021-05-07 11:17:51 +02:00
Tony Torralba
b69be30b88 Fix imports as suggested in code review 2021-05-07 11:07:06 +02:00
Tony Torralba
f16605b3c1 Apply suggestions from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2021-05-06 15:17:55 +02:00
Tony Torralba
b69261727d Add a new test for 2021-05-06 13:26:25 +02:00
Tony Torralba
1f1f85aeb5 Add change note and fix some QLDocs 2021-05-06 13:13:23 +02:00
Tony Torralba
f1fab854c4 Fix tests for XXE, introduced a dependency with jaxen 2021-05-06 12:11:55 +02:00
Tony Torralba
e14294a2f7 Remove XSS sink since it's better handled in this query 2021-05-06 11:20:37 +02:00
Tony Torralba
84504a88e4 Fix tests by adding AndroidManifest.xml 2021-05-06 10:55:56 +02:00
Tony Torralba
76468559ba Add safe example for dom4j 2021-05-06 10:17:25 +02:00
Tony Torralba
926fedb7fb Update java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2021-05-06 09:18:50 +02:00
Tony Torralba
00a7576679 Rename XPath Injection test file 2021-05-06 09:18:50 +02:00
Tony Torralba
8af7f4a484 New sinks and test cases 2021-05-06 09:18:49 +02:00
Tony Torralba
ccb3ea4453 Fix XPath Injection tests classpath 2021-05-06 09:18:49 +02:00
Tony Torralba
509fc8a640 Add missing docs to stubs 2021-05-06 09:18:49 +02:00
Tony Torralba
26c3ff2cee Move from experimental to standard 2021-05-06 09:18:49 +02:00
Tony Torralba
215118c7ea Fixes in QLDocs and imports 2021-05-06 09:18:49 +02:00
Tony Torralba
720b5d6da3 Refactored sto use CSV sink model. Also, added more sinks 2021-05-06 09:18:49 +02:00
Tony Torralba
ab62bb66f4 Consider second parameter of Node.selectNodes 2021-05-06 09:18:49 +02:00