Commit Graph

243 Commits

Author SHA1 Message Date
Anders Schack-Mulligen
a4661e1aca Merge pull request #5704 from edvraa/regexj
Java: Regex injection
2021-06-01 11:45:59 +02:00
luchua-bc
e4699f7fa9 Optimize the query 2021-05-18 16:12:22 +00:00
luchua-bc
d664aa6d6a Include more scenarios and update qldoc 2021-05-18 16:12:22 +00:00
luchua-bc
852bcfb5c7 Refactor the ScriptEngine query and the Rhino code injection query into one 2021-05-18 16:12:22 +00:00
luchua-bc
b0b5338359 Rhino code injection 2021-05-18 16:12:22 +00:00
Chris Smowton
4230869ee2 Merge pull request #5819 from luchua-bc/java/jpython-injection
Java: CWE-094 Jython code injection
2021-05-18 16:38:40 +01:00
Chris Smowton
71f540a755 Merge pull request #5844 from haby0/SpringRedirects
[Java] CWE-601 Spring url redirection detect
2021-05-18 16:37:40 +01:00
haby0
a0cd551bae Add filtering of String.format 2021-05-18 11:05:10 +08:00
haby0
498c99e26c Add left value, Add return expression tracing flow 2021-05-14 16:31:59 +08:00
haby0
effa2b162a Add spring url redirection detect 2021-05-13 09:55:37 +08:00
luchua-bc
e7cd6c9972 Optimize the query 2021-05-11 16:56:12 +00:00
Chris Smowton
0afe22d60c Merge pull request #5710 from p0wn4j/jsch-os-injection
[Java] CWE-078: Add JSch lib OS Command Injection sink
2021-05-10 16:12:00 +01:00
luchua-bc
703fbf139a Add more methods and update the library name 2021-05-04 02:54:49 +00:00
luchua-bc
4709e8139d JPython code injection 2021-05-03 01:43:56 +00:00
Chris Smowton
b2c0259197 Merge pull request #5631 from haby0/UseOfLessTrustedSource
[Java] CWE-348: Using a client-supplied IP address in a security check
2021-04-30 15:20:53 +01:00
haby0
fdcc517b9f UseOfLessTrustedSource -> ClientSuppliedIpUsedInSecurityCheck 2021-04-30 17:43:34 +08:00
Chris Smowton
ad9ea40954 Merge pull request #5597 from intrigus-lgtm/java/jwt-insecure-parse
[Java] JWT without signature check.
2021-04-29 14:41:11 +01:00
haby0
e813257431 use hardCode 2021-04-29 21:23:52 +08:00
intrigus
a8865e2fa2 Java: Cleanup jwt stubs. 2021-04-28 20:46:09 +02:00
haby0
5be9fbbc5a Remove LogOperationSink and PrintSink 2021-04-27 14:12:33 +08:00
p0wn4j
3d891f0b39 [Java] CWE-078: Add JSch OS command injection sink 2021-04-26 18:20:32 +04:00
edvraa
ade238307f Add a test 2021-04-22 10:02:06 +03:00
haby0
454324781d delete IfStmt 2021-04-22 11:59:33 +08:00
edvraa
13655b5d80 Add RegExUtils 2021-04-21 13:08:35 +03:00
p0wn4j
f2de440886 [Java] CWE-094: Query to detect Groovy Code Injections 2021-04-20 19:18:24 +04:00
haby0
8296abcea8 Fix Modify the ql query (the qhelp part is not modified). 2021-04-19 20:59:47 +08:00
Anders Schack-Mulligen
175c71221a Java: Adjust some test output with more edges/nodes. 2021-04-19 14:06:27 +02:00
haby0
23b508c5e7 Merge remote-tracking branch 'upstream/main' into UseOfLessTrustedSource 2021-04-19 20:05:49 +08:00
edvraa
29e320627f Regex injection 2021-04-16 23:29:08 +03:00
Anders Schack-Mulligen
605f28f741 Merge pull request #5686 from smowton/haby0/JsonHijacking
Java: JSONP Injection w/cleanups
2021-04-16 11:09:17 +02:00
Chris Smowton
fa36ba901a Merge pull request #5471 from artem-smotrakov/el-injection
Java: Query for detecting Jakarta Expression Language injections
2021-04-15 12:39:34 +01:00
haby0
b3bdf89fc2 rm VerificationMethodFlowConfig, use springframework-5.2.3 stub 2021-04-15 10:25:40 +08:00
Artem Smotrakov
97186b3d30 Added comments for tests 2021-04-14 19:30:58 +03:00
haby0
e2ed0d02b0 Delete existsFilterVerificationMethod and existsServletVerificationMethod, add from get handler to filter 2021-04-14 12:34:52 +08:00
Chris Smowton
58d198261e Merge pull request #5663 from smowton/luchua/java/sensitive-cookie-not-httponly
Java: CWE-1004 Query to check sensitive cookies without the HttpOnly flag set w/minor corrections
2021-04-13 12:08:53 +01:00
Chris Smowton
45e1a61d7b Mark test as bad-but-missed
This test ought ideally to be caught, but isn't by the current version of the query.
2021-04-13 10:36:27 +01:00
luchua-bc
d7f26dfc18 Update stub classes and qldoc 2021-04-12 16:19:23 +00:00
Chris Smowton
423ff32d04 Merge pull request #5384 from luchua-bc/java/insecure-spring-actuator-config
Java: CWE-016 Query to detect insecure configuration of Spring Boot Actuator
2021-04-12 17:04:47 +01:00
luchua-bc
c281e54d22 Remove unused files and update qldoc 2021-04-12 13:05:01 +00:00
luchua-bc
4e3791dc0d Remove LoadCredentialsConfiguration and update qldoc 2021-04-09 19:36:35 +00:00
Artem Smotrakov
b39a3ab12c Added setVariable() sink 2021-04-08 20:41:43 +03:00
haby0
3f0a3266aa [Java] CWE-348: Use of less trusted source 2021-04-08 17:14:03 +08:00
Artem Smotrakov
a764a79090 Always bind arguments in TaintPropagatingCall 2021-04-07 21:12:21 +03:00
intrigus
885044e331 [Java] Add tests for jwt signature check query. 2021-04-06 01:01:57 +02:00
intrigus
b7e49c78fe [Java] Add stubs for jwtk-jjwt-0.11.2 2021-04-06 01:01:23 +02:00
luchua-bc
1349bf7b0b Create a .qll file to reuse the code and add check of Spring properties 2021-03-30 11:25:29 +00:00
haby0
0775d35591 update VerificationMethodFlowConfig, add if test 2021-03-29 12:02:37 +08:00
luchua-bc
5ce3f9d6ff Update qldoc and enhance the query 2021-03-28 16:10:35 +00:00
luchua-bc
a53cbc1631 Update qldoc and make the query more readable 2021-03-27 00:11:01 +00:00
luchua-bc
d33b04cd96 Query to detect plaintext credentials in Java properties files 2021-03-26 02:33:40 +00:00