hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-28 02:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity
24,362 Commits 1,741 Branches 165 Tags
08f480a5563ee552cdf951fee57aa88a99c2bfca
Commit Graph

921 Commits

Author SHA1 Message Date
luchua-bc
e4699f7fa9 Optimize the query 2021-05-18 16:12:22 +00:00
luchua-bc
d664aa6d6a Include more scenarios and update qldoc 2021-05-18 16:12:22 +00:00
luchua-bc
852bcfb5c7 Refactor the ScriptEngine query and the Rhino code injection query into one 2021-05-18 16:12:22 +00:00
luchua-bc
b0b5338359 Rhino code injection 2021-05-18 16:12:22 +00:00
Chris Smowton
4230869ee2 Merge pull request #5819 from luchua-bc/java/jpython-injection 
Java: CWE-094 Jython code injection
 2021-05-18 16:38:40 +01:00
Chris Smowton
71f540a755 Merge pull request #5844 from haby0/SpringRedirects 
[Java] CWE-601 Spring url redirection detect
 2021-05-18 16:37:40 +01:00
Anders Schack-Mulligen
9b0e3b1950 Merge pull request #5814 from JLLeitschuh/feat/JLL/jackson_as_taint_step 
[Java] Add taint tracking through Jackson deserialization
 2021-05-18 09:31:16 +02:00
haby0
a0cd551bae Add filtering of String.format 2021-05-18 11:05:10 +08:00
haby0
60fc607449 Modify ql 2021-05-14 18:17:05 +08:00
haby0
498c99e26c Add left value, Add return expression tracing flow 2021-05-14 16:31:59 +08:00
haby0
effa2b162a Add spring url redirection detect 2021-05-13 09:55:37 +08:00
Anders Schack-Mulligen
a247ae4357 Merge pull request #5843 from JLLeitschuh/feat/JLL/improve_kryo_support 
[Java] Fix Kryo FP & Kryo 5 Support
 2021-05-12 09:52:24 +02:00
haby0
12f47bcf24 Add UnsafeDeserialization 2021-05-12 12:37:16 +08:00
Marcono1234
8969da7775 Java: Improve not closing resource query; add tests 2021-05-11 19:32:02 +02:00
luchua-bc
e7cd6c9972 Optimize the query 2021-05-11 16:56:12 +00:00
Jonathan Leitschuh
5a68ac88ef Cleanup Jackson logic after code review 2021-05-11 10:48:22 -04:00
Jonathan Leitschuh
bacc3ef5b3 [Java] Jackson add support for 2 step deserialization taint flow 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
d0638db6e7 [Java] Add data flow through Iterator deserializers for Jackson 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
56b1f15dda [Java] Add taint tracking through Jackson deserialization 2021-05-11 10:36:47 -04:00
Anders Schack-Mulligen
744c495ac2 Merge pull request #5824 from JLLeitschuh/feat/JLL/guava_first_non_null 
[Java] Add support for com.google.common.base.MoreObjects#firstNonNull
 2021-05-11 09:42:20 +02:00
Chris Smowton
0afe22d60c Merge pull request #5710 from p0wn4j/jsch-os-injection 
[Java] CWE-078: Add JSch lib OS Command Injection sink
 2021-05-10 16:12:00 +01:00
Tony Torralba
e78e5b9ee4 Merge branch 'main' into promote-jexl-injection 2021-05-07 12:36:49 +02:00
Tony Torralba
b37b15cea4 Re-structure imports, add some new comments to tests 2021-05-07 12:33:51 +02:00
Tony Torralba
2a501956b3 Mark a MISSING test result as suggested in code review 2021-05-07 11:17:51 +02:00
Tony Torralba
f1fab854c4 Fix tests for XXE, introduced a dependency with jaxen 2021-05-06 12:11:55 +02:00
Tony Torralba
76468559ba Add safe example for dom4j 2021-05-06 10:17:25 +02:00
Tony Torralba
926fedb7fb Update java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2021-05-06 09:18:50 +02:00
Tony Torralba
00a7576679 Rename XPath Injection test file 2021-05-06 09:18:50 +02:00
Tony Torralba
8af7f4a484 New sinks and test cases 2021-05-06 09:18:49 +02:00
Tony Torralba
ccb3ea4453 Fix XPath Injection tests classpath 2021-05-06 09:18:49 +02:00
Tony Torralba
509fc8a640 Add missing docs to stubs 2021-05-06 09:18:49 +02:00
Tony Torralba
26c3ff2cee Move from experimental to standard 2021-05-06 09:18:49 +02:00
Tony Torralba
720b5d6da3 Refactored sto use CSV sink model. Also, added more sinks 2021-05-06 09:18:49 +02:00
Tony Torralba
ab62bb66f4 Consider second parameter of Node.selectNodes 2021-05-06 09:18:49 +02:00
Tony Torralba
2bb2baf6f7 Support more methods that evaluate XPath expressions 2021-05-06 09:18:49 +02:00
Tony Torralba
d739a8cac2 Moved configuration from XPath.qll back to XPath Injection query 2021-05-06 09:18:48 +02:00
Tony Torralba
fb3e56eac8 Fix imports and stubs so that tests pass 2021-05-06 09:18:48 +02:00
Tony Torralba
a62997463f Remove unused imports; use set literals in hasName 2021-05-06 09:18:48 +02:00
Tony Torralba
ed5619498c WIP: XPath Injection promotion 2021-05-06 09:18:48 +02:00
Jonathan Leitschuh
67e9f06304 [Java] Fix Kryo FP & Kryo 5 Support 
Closes #4992
 2021-05-05 17:38:34 -04:00
Timo Mueller
787a4ede85 Fixed file reference in test cases 2021-05-04 15:33:53 +02:00
Timo Mueller
374ed851a0 Fixed file reference in test cases 2021-05-04 15:12:50 +02:00
luchua-bc
703fbf139a Add more methods and update the library name 2021-05-04 02:54:49 +00:00
Jonathan Leitschuh
dfad1fc740 [Java] Add support for com.google.common.base.MoreObjects#firstNonNull 2021-05-03 12:58:00 -04:00
Tony Torralba
e68c6e66a5 Remove qlref file 2021-05-03 17:53:37 +02:00
Tony Torralba
4d5ec87de9 Use InlineTest 2021-05-03 13:27:24 +02:00
Tony Torralba
4bfd34b1fe Moved from experimental 2021-05-03 13:15:24 +02:00
Tony Torralba
38e052482c More csv sinks and sources 2021-05-03 12:44:53 +02:00
luchua-bc
4709e8139d JPython code injection 2021-05-03 01:43:56 +00:00
Timo Mueller
15a3068f8a Added query for insecure environment configuration RMI JMX (CVE-2016-8735) 2021-04-30 16:23:17 +02:00