codeql

mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00

Author	SHA1	Message	Date
Sebastian Bauersfeld	28f597440f	Add method invocations of Spring's SavedRequest as a remote sources.	2021-05-20 20:00:14 +07:00
luchua-bc	d664aa6d6a	Include more scenarios and update qldoc	2021-05-18 16:12:22 +00:00
Chris Smowton	4230869ee2	Merge pull request #5819 from luchua-bc/java/jpython-injection Java: CWE-094 Jython code injection	2021-05-18 16:38:40 +01:00
Chris Smowton	71f540a755	Merge pull request #5844 from haby0/SpringRedirects [Java] CWE-601 Spring url redirection detect	2021-05-18 16:37:40 +01:00
Anders Schack-Mulligen	9b0e3b1950	Merge pull request #5814 from JLLeitschuh/feat/JLL/jackson_as_taint_step [Java] Add taint tracking through Jackson deserialization	2021-05-18 09:31:16 +02:00
haby0	effa2b162a	Add spring url redirection detect	2021-05-13 09:55:37 +08:00
Anders Schack-Mulligen	a247ae4357	Merge pull request #5843 from JLLeitschuh/feat/JLL/improve_kryo_support [Java] Fix Kryo FP & Kryo 5 Support	2021-05-12 09:52:24 +02:00
Jonathan Leitschuh	5a68ac88ef	Cleanup Jackson logic after code review	2021-05-11 10:48:22 -04:00
Jonathan Leitschuh	bacc3ef5b3	[Java] Jackson add support for 2 step deserialization taint flow	2021-05-11 10:36:47 -04:00
Jonathan Leitschuh	d0638db6e7	[Java] Add data flow through Iterator deserializers for Jackson	2021-05-11 10:36:47 -04:00
Jonathan Leitschuh	56b1f15dda	[Java] Add taint tracking through Jackson deserialization	2021-05-11 10:36:47 -04:00
Anders Schack-Mulligen	744c495ac2	Merge pull request #5824 from JLLeitschuh/feat/JLL/guava_first_non_null [Java] Add support for com.google.common.base.MoreObjects#firstNonNull	2021-05-11 09:42:20 +02:00
Tony Torralba	76468559ba	Add safe example for dom4j	2021-05-06 10:17:25 +02:00
Tony Torralba	8af7f4a484	New sinks and test cases	2021-05-06 09:18:49 +02:00
Tony Torralba	509fc8a640	Add missing docs to stubs	2021-05-06 09:18:49 +02:00
Tony Torralba	720b5d6da3	Refactored sto use CSV sink model. Also, added more sinks	2021-05-06 09:18:49 +02:00
Tony Torralba	2bb2baf6f7	Support more methods that evaluate XPath expressions	2021-05-06 09:18:49 +02:00
Tony Torralba	fb3e56eac8	Fix imports and stubs so that tests pass	2021-05-06 09:18:48 +02:00
Tony Torralba	ed5619498c	WIP: XPath Injection promotion	2021-05-06 09:18:48 +02:00
Jonathan Leitschuh	67e9f06304	[Java] Fix Kryo FP & Kryo 5 Support Closes #4992	2021-05-05 17:38:34 -04:00
luchua-bc	703fbf139a	Add more methods and update the library name	2021-05-04 02:54:49 +00:00
Jonathan Leitschuh	dfad1fc740	[Java] Add support for com.google.common.base.MoreObjects#firstNonNull	2021-05-03 12:58:00 -04:00
luchua-bc	4709e8139d	JPython code injection	2021-05-03 01:43:56 +00:00
haby0	5be9fbbc5a	Remove LogOperationSink and PrintSink	2021-04-27 14:12:33 +08:00
haby0	8296abcea8	Fix Modify the ql query (the qhelp part is not modified).	2021-04-19 20:59:47 +08:00
haby0	23b508c5e7	Merge remote-tracking branch 'upstream/main' into UseOfLessTrustedSource	2021-04-19 20:05:49 +08:00
Anders Schack-Mulligen	06514159be	Java: Add XXE tests.	2021-04-19 10:58:21 +02:00
Anders Schack-Mulligen	605f28f741	Merge pull request #5686 from smowton/haby0/JsonHijacking Java: JSONP Injection w/cleanups	2021-04-16 11:09:17 +02:00
Chris Smowton	254de76078	Remove unnecessary stubs	2021-04-15 16:20:27 +01:00
Chris Smowton	fa36ba901a	Merge pull request #5471 from artem-smotrakov/el-injection Java: Query for detecting Jakarta Expression Language injections	2021-04-15 12:39:34 +01:00
haby0	216f204438	delete FilterClass	2021-04-15 19:28:25 +08:00
haby0	583d0889e2	delete tomcat-embed-core stub, update the ServletGetMethod class	2021-04-15 17:40:51 +08:00
haby0	b3bdf89fc2	rm VerificationMethodFlowConfig, use springframework-5.2.3 stub	2021-04-15 10:25:40 +08:00
Chris Smowton	58d198261e	Merge pull request #5663 from smowton/luchua/java/sensitive-cookie-not-httponly Java: CWE-1004 Query to check sensitive cookies without the HttpOnly flag set w/minor corrections	2021-04-13 12:08:53 +01:00
Chris Smowton	f22b11881e	Minimise stubs By removing all business logic from the stubs, we better test that our analysis treats them as opaque and does not rely on their internal structure	2021-04-13 10:36:28 +01:00
luchua-bc	d7f26dfc18	Update stub classes and qldoc	2021-04-12 16:19:23 +00:00
Artem Smotrakov	b39a3ab12c	Added setVariable() sink	2021-04-08 20:41:43 +03:00
haby0	86ef2588f1	Restore @Component annotation	2021-04-08 17:55:29 +08:00
haby0	3f0a3266aa	[Java] CWE-348: Use of less trusted source	2021-04-08 17:14:03 +08:00
Chris Smowton	7fb5bd0cab	Add tests for and slightly expand models of Commons Lang's ArrayUtils class	2021-03-25 15:11:51 +00:00
Anders Schack-Mulligen	a1ccbcdaf1	Merge pull request #5260 from artem-smotrakov/spring-http-invoker Java: Query for detecting unsafe deserialization with Spring exporters	2021-03-24 13:57:17 +01:00
haby0	3df23eecb6	Merge remote-tracking branch 'upstream/main' into JsonHijacking	2021-03-24 15:52:01 +08:00
Anders Schack-Mulligen	27408fefe2	Merge pull request #5008 from torque59/cwe-346 Java: Queries to detect remote source flow origins to CORS header.	2021-03-23 13:54:00 +01:00
haby0	fe046ec71e	Merge remote-tracking branch 'upstream/main' into main	2021-03-22 17:25:37 +08:00
Artem Smotrakov	adb1ed380a	Added tests for Jakarta expression injection	2021-03-21 21:19:39 +03:00
haby0	c516d69b98	Merge remote-tracking branch 'upstream/main' into main	2021-03-17 16:42:48 +08:00
haby0	98204a15a6	Fix the problem	2021-03-17 15:28:04 +08:00
Joe Farebrother	1e3c4d0eb1	Add stubs to fix broken test case	2021-03-16 14:24:49 +00:00
Anders Schack-Mulligen	45c9428668	Merge pull request #5337 from smowton/smowton/feature/commons-lang-random-sources Java: Add support for Commons-Lang's RandomUtils	2021-03-15 16:21:01 +01:00
luchua-bc	0a35feef76	Exclude CSRF cookies to reduce FPs	2021-03-11 17:28:07 +00:00

1 2 3 4

157 Commits