hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-18 19:31:11 +02:00
Code Issues Packages Projects Releases Wiki Activity
24,880 Commits 1,780 Branches 169 Tags
0356ed7f9e77e92ffdca0f824bda9811b33f07cc
Commit Graph

345 Commits

Author SHA1 Message Date
Tony Torralba
0356ed7f9e Merge pull request #5911 from atorralba/atorralba/promote-missing-jwt-signature-check 
Java: Promote Missing JWT signature check query from experimental
 2021-08-05 09:43:03 +02:00
Anders Schack-Mulligen
1932f604dc Merge pull request #6419 from smowton/smowton/admin/unsafe-deserialization-jabsorb 
Add unsafe-deserialization support for Jabsorb
 2021-08-05 09:04:23 +02:00
Chris Smowton
69549e9ce3 Add unsafe-deserialization support for Jabsorb 
This is partly extracted from https://github.com/github/codeql/pull/5954
 2021-08-04 15:35:50 +01:00
Anders Schack-Mulligen
6a09a5667d Merge pull request #5931 from atorralba/atorralba/promote-jndi-injection 
Java: Promote JNDI Injection query from experimental
 2021-08-04 15:48:44 +02:00
Tony Torralba
a046d75ea6 Apply suggestions from code review 2021-08-04 13:15:49 +02:00
Tony Torralba
452fd9a8e3 Refactor to path query 2021-08-04 13:05:18 +02:00
turbo
a8f84da7ac Update Security-Severity for CWE-918 2021-08-04 12:17:21 +02:00
Tony Torralba
f4bc4df8c1 Renamed JWTQuery so that it's named after the actual query name 2021-08-04 12:08:08 +02:00
Chris Smowton
eaf3d3cc03 Merge pull request #6162 from smowton/smowton/feature/jax-rs-content-type-sensitivity-fixes 
Jax-RS: implement content-type tracking
 2021-08-03 14:53:31 +01:00
Anders Schack-Mulligen
7fb1e1578e Merge pull request #5894 from atorralba/atorralba/promote-ognl-injection 
Java: Promote OGNL Injection query from experimental
 2021-08-03 15:31:40 +02:00
Anders Schack-Mulligen
c0d76da1a6 Merge pull request #5846 from atorralba/atorralba/promote-unsafe-android-webview-fetch 
Java: Promote Unsafe resource loading in Android WebView from experimental
 2021-08-03 14:24:34 +02:00
Tony Torralba
084cda6daa Merge branch 'main' into atorralba/promote-groovy-injection 2021-08-03 09:53:46 +02:00
Tony Torralba
08bdd1aa7a Merge branch 'main' into atorralba/promote-ognl-injection 2021-08-02 16:05:38 +02:00
Anders Schack-Mulligen
53e6ddfeb6 Merge pull request #6001 from atorralba/atorralba/promote-mvel-injection 
Java: Promote MVEL injection query from experimental
 2021-08-02 14:40:26 +02:00
Tony Torralba
9b384d84cc Merge branch 'main' into atorralba/promote-ognl-injection 2021-08-02 14:06:45 +02:00
Tony Torralba
9fadb26325 Fix qhelp sample 2021-08-02 10:00:59 +02:00
Tony Torralba
4435853c8a Apply suggestions from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2021-08-02 09:56:40 +02:00
Tony Torralba
29490e5872 Add suggestion from code review 2021-07-29 17:07:18 +02:00
Tony Torralba
6e3b6dcb98 Imporve qhelp 2021-07-29 16:36:38 +02:00
Tony Torralba
bdf0f582a4 QLDoc improvements from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-07-29 16:34:21 +02:00
Tony Torralba
90b5e02b6e Improve qhelp 2021-07-29 16:28:10 +02:00
Tony Torralba
4ea6729c53 Update java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2021-07-29 16:10:49 +02:00
mc
0a986ad0e8 Update JndiInjection.qhelp 
Improve negation
 2021-07-29 15:10:32 +01:00
Tony Torralba
3edc8bc679 Doc improvements 2021-07-29 15:35:39 +02:00
mc
8f1fc9e893 Update MvelInjection.qhelp 
Minor tweaks
 2021-07-29 11:30:19 +01:00
mc
ebf004a4df Update MissingJWTSignatureCheck.qhelp 
Using same syntax as on other queries for 'BAD' and 'GOOD'.
 2021-07-29 09:13:00 +01:00
mc
10a3dcb188 Update GroovyInjection.qhelp 2021-07-27 14:26:49 +01:00
Tony Torralba
26999c7ac4 Decouple UnsafeAndroidAccess.qll to reuse the taint tracking configuration 2021-07-20 17:46:35 +02:00
Tony Torralba
99e66cffa2 Merge branch 'main' into atorralba/promote-unsafe-android-webview-fetch 2021-07-20 17:30:56 +02:00
Tony Torralba
3259ead946 Decouple OgnlInjection.qll to reuse the taint tracking configuration 2021-07-20 17:21:10 +02:00
Tony Torralba
b6904a7992 Merge branch 'main' into atorralba/promote-ognl-injection 2021-07-20 17:17:17 +02:00
Tony Torralba
22c9baa462 Refactor JWT.qll 2021-07-20 17:14:34 +02:00
Tony Torralba
430d9f1834 Merge branch 'main' into atorralba/promote-missing-jwt-signature-check 2021-07-20 16:20:35 +02:00
Tony Torralba
42b6b26c10 Decouple JndiInjection.qll to reuse the taint tracking configuration 2021-07-20 15:38:34 +02:00
Tony Torralba
b8ea833a61 Merge branch 'main' into atorralba/promote-jndi-injection 2021-07-20 15:01:26 +02:00
Tony Torralba
46faf68d64 Decouple MvelInjection.qll to reuse the taint tracking configuration 2021-07-19 13:50:03 +02:00
Tony Torralba
5ca8b380e9 Merge branch 'main' into atorralba/promote-mvel-injection 2021-07-19 13:45:10 +02:00
Tony Torralba
441e8afe81 Decouple GrovyInjection.qll to reuse the taint tracking configuration 2021-07-19 12:53:37 +02:00
Tony Torralba
b08f417a1e Merge branch 'main' into atorralba/promote-groovy-injection 2021-07-19 12:44:03 +02:00
Artem Smotrakov
6d7cb48054 Refactored the query for unsafe deserialization 2021-07-16 18:25:41 +02:00
Artem Smotrakov
09ae779b21 Removed fromSource() check in looksLikeResolveClassStep() 2021-07-12 19:56:51 +02:00
Artem Smotrakov
ea0991c980 Added Jackson to UnsafeDeserialization.qhelp 2021-07-09 10:17:29 +02:00
Artem Smotrakov
3eb2af1bc2 First draft of sinks for unsafe deserialization with Jackson 2021-07-09 10:16:01 +02:00
Chris Smowton
a51154a8ef Deduplicate Jexl configuration 2021-07-02 10:02:28 +01:00
Chris Smowton
747a8e4157 Split up JexlInjection.qll 
This avoids a DataFlow2::Configuration being in scope for all queries via the import from ExternalFlow.qll
 2021-07-02 10:01:51 +01:00
Chris Smowton
643f7dfb87 Split up Random.qll 
This prevents bringing a dataflow config into scope from utility libraries.
 2021-07-02 10:00:49 +01:00
Chris Smowton
d5a9f3d87b Deduplicate shared body of regular and experimental versions of java/command-line-injection query. 2021-07-01 14:53:56 +01:00
Chris Smowton
3e7ea34054 XSS: expose extension point for defining barrier sinks 2021-06-30 12:04:20 +01:00
intrigus
36575bb26f Move back to experimental......... 2021-06-25 16:47:25 +02:00
intrigus
fe923facc8 Java: Move comments to separate lines. 
Move comments to separate lines to improve
the rendering in the finished query help.
 2021-06-25 16:47:25 +02:00