hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-17 23:43:42 +01:00
Code Issues Packages Projects Releases Wiki Activity
66,764 Commits 1,693 Branches 160 Tags
025aa77e79f69f17e3361952946f97f329cf78b5
Commit Graph

1081 Commits

Author SHA1 Message Date
am0o0
025aa77e79 add the snappy missed sink 2024-07-13 11:15:45 +02:00
am0o0
8c106964ec remove duplicate parts thanks to @owen-mc 2024-07-13 11:11:07 +02:00
am0o0
8ba48e801a fix examples 2024-07-13 10:28:19 +02:00
am0o0
dd3cc33298 move DecompressionBombsFlow::PathGraph to DecompressionBomb.ql 2024-07-13 10:24:07 +02:00
Am
a3b5d2a28d Update java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.qhelp 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2024-07-13 10:20:43 +02:00
Am
4fbf76008e Update java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.qhelp 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2024-07-13 10:20:25 +02:00
am0o0
7a5838f1a2 MethodAccess => MethodCall 2024-07-09 19:43:22 +02:00
am0o0
e87d2fe922 remove redundent imports 2024-07-09 19:41:06 +02:00
am0o0
fe1103d997 add stubs, upgrade test to inline test, update test files 2024-07-04 15:25:36 +02:00
am0o0
a6833945c1 remove additional taint steps and flow states 2024-07-01 16:07:44 +02:00
am0o0
d31711bd89 merge all ne flow sources into one by extending current abstract class 2024-07-01 15:16:44 +02:00
am0o0
f1324a413a update qlhelp 2024-07-01 15:09:56 +02:00
am0o0
02b0b402d6 remove useless predicate 
add missed FlowState
 2024-05-12 19:29:37 +02:00
am0o0
be03e582c6 remove isBarrier 2024-05-12 18:17:47 +02:00
am0o0
9fffd7846a remove empty predicates, fix FP for zipFile 2024-05-12 18:16:57 +02:00
am0o0
c9daf914cb remove unused predicate 2024-05-12 14:09:55 +02:00
am0o0
3eb5778543 upgrade FlowState to new DecompressionState 2024-05-12 14:08:52 +02:00
am0o0
e23cbeda24 update to MethodCall 2024-05-12 13:54:21 +02:00
am0o0
4b68dd2315 add new additional taint steps, fix some comments 2024-05-12 13:51:08 +02:00
Am
9946e07f36 Merge branch 'github:main' into amammad-java-bombs 2024-05-12 13:17:02 +02:00
Jami Cogswell
658fffeac1 Java: remove experimental files 2024-03-17 22:03:59 -04:00
Tony Torralba
2a146405ac Adjust tests 2024-01-26 12:38:32 +01:00
Tony Torralba
19cb7adb6d Migrate path injection sinks to MaD 
Deprecate and stop using PathCreation

Path creation sinks are now summaries
 2024-01-26 12:19:54 +01:00
Ed Minnix
fb80c5ea84 Rename SimpleScalarSanitizer to SimpleTypeSanitizer 2024-01-22 23:55:29 -05:00
Ed Minnix
696788e5b2 Rename semmle.code.java.security.dataflow.CommonSanitizers to semmle.code.java.security.Sanitizers 2024-01-22 23:52:19 -05:00
Ed Minnix
3311b3be8e Convert experimental queries' isBarrier to use instanceof SimpleScalarSanitizer 2024-01-22 23:38:29 -05:00
masterofnow
0fd09759df Added sample java file for qhelp to render correctly. 2023-12-22 08:31:23 +08:00
masterofnow
cb5733d647 Apply suggestions from code review 
Update to documentation.

Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2023-12-22 08:25:05 +08:00
masterofnow
7162540faf Added options, .qhelp and .expected file for unit test. 2023-12-21 19:57:37 +08:00
Tony Torralba
39708524e7 Minor fixes 
- Query ID
- MethodAccess -> MethodCall
- Redundant import
- Formatting
 2023-12-20 15:31:09 +01:00
masterofnow
e85c4b5bf6 Update query from code review feedback to express it as a dataflow problem. 2023-12-20 18:28:16 +08:00
masterofnow
4a77f45aa6 Minor adjustment to resolve error for codeql version 2.15.4 2023-12-16 12:41:39 +08:00
masterofnow
99b273d308 Apply suggestions from code review 
Added suggestion from atorralba.

Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2023-12-16 12:00:45 +08:00
masterofnow
e1b8fabf7f Use global instead of local taint tracking. 2023-12-13 13:50:34 +08:00
masterofnow
8538c12267 Merge branch 'github:main' into LoadClassNoSignatureCheck 2023-12-13 13:47:40 +08:00
Ed Minnix
1b8f3f3450 Deprecate or remove imports of dataflow library copies 2023-12-08 10:42:10 -05:00
Shati Patel
6284781a9b Update inconsistent CWE tags 
Most tags use the "external/cwe/cwe-xxx" format, except for these few queries. Updating them for consistency.
 2023-12-04 11:52:31 +00:00
masterofnow
2952d8f65a Updated query to cover broader detection. 2023-11-18 18:52:47 +08:00
masterofnow
532f6a5b0c Removed @kind path-problem in comment. Added text message in select. 2023-11-13 08:27:07 +08:00
masterofnow
20592352d0 Updated text in LoadClassNoSignatureCheck.qhelp 2023-11-12 20:48:49 +08:00
masterofnow
fd66f47d82 Added LoadClassNoSignatureCheck.ql 2023-11-12 20:27:49 +08:00
Chris Smowton
06238dd5f6 Improve reflective class names 2023-10-24 13:29:32 +01:00
Chris Smowton
e8c9708282 Autoformat 2023-10-24 11:06:19 +01:00
Chris Smowton
59a49eef0b Add aliases for public, importable renamed classes and predicates. 
Also rename and aliases a couple of uses of Access noted along the way.
 2023-10-24 10:54:35 +01:00
Chris Smowton
f552a15aae Mass-rename MethodAccess -> MethodCall 2023-10-24 10:30:26 +01:00
amammad
7fcf39277d modularize 2023-10-14 12:04:25 +02:00
Eric Bickle
7a4382fb69 Merge branch 'main' into fix/thread-resource-arithmetic 2023-10-10 09:38:16 -07:00
Eric Bickle
80c8259e34 Remove unnecessary AdditionalValueStep check 2023-10-10 09:35:45 -07:00
Michael Nebel
cf3a62d201 Java: Address review comments. 2023-10-09 13:06:59 +02:00
Eric Bickle
000c1f7ec8 Java: Flow taint through ArithExpr for ThreadResourceAbuse 
Ensure that tainted values flow through arithmetic operations when
checking for ThreadResourceAbuse vulnerabilities.

For example, multiplying 'number of seconds' by 1000 as an input
to Thread.Sleep, which accepts milliseconds, is a common scenario.
 2023-10-06 14:24:37 -07:00