Chris Smowton
|
f9f143d62c
|
Merge pull request #5347 from Marcono1234/marcono1234/simplify-tests
Java: Simplify tests using InlineExpectationsTest
|
2021-03-08 14:47:28 +00:00 |
|
Anders Schack-Mulligen
|
e63f81171c
|
Merge pull request #5349 from p0wn4j/fix-nashorn-engine-1
Java: Fix NashornScriptEngine detection in ScriptEngine query
|
2021-03-08 13:23:36 +01:00 |
|
Chris Smowton
|
6cf15f49bb
|
Replace hasTaintFlow=y with hasTaintFlow everywhere
|
2021-03-08 11:57:35 +00:00 |
|
Marcono1234
|
b7353f0bb0
|
Java: Simplify tests using InlineExpectationsTest
|
2021-03-08 11:49:52 +00:00 |
|
Rasmus Lerchedahl Petersen
|
cc9a938054
|
InlineExpectationTest: clarify the need for an
empty `.expected` file
|
2021-03-08 09:18:47 +01:00 |
|
p0wn4j
|
6841f5f7c4
|
Java: Add NashornScriptEngine detection in ScriptEngine query
|
2021-03-06 16:19:07 +04:00 |
|
Anders Schack-Mulligen
|
cf4f55d9ab
|
Merge pull request #5223 from smowton/smowton/feature/backward-dataflow-for-modelled-fluent-methods
Java: Add backward dataflow edges through modelled function invocations
|
2021-03-05 15:11:43 +01:00 |
|
Chris Smowton
|
012058a866
|
Apply review suggestions: use ArgumentNode.argumentOf, and change more uses of ValuePreservingCallable -> ValuePreservingMethod
|
2021-03-05 13:34:13 +00:00 |
|
Chris Smowton
|
eed357dc93
|
ValuePreservingCallable -> ValuePreservingMethod
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
|
2021-03-05 13:28:35 +00:00 |
|
Chris Smowton
|
a37b98ca27
|
Value-preserving methods: handle generics in DataFlowUtil.qll
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
|
2021-03-05 13:15:06 +00:00 |
|
Chris Smowton
|
ca86925a45
|
Update java/ql/src/semmle/code/java/dataflow/FlowSteps.qll
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
|
2021-03-05 13:02:19 +00:00 |
|
Chris Smowton
|
45f3365d06
|
Apply suggestions from code review
Note value-preserving functions can't be constructors
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
|
2021-03-05 12:52:38 +00:00 |
|
Chris Smowton
|
990bdc20b0
|
Move value-preserving callable class into FlowSteps
|
2021-03-05 11:55:53 +00:00 |
|
Anders Schack-Mulligen
|
0d7f6ced8f
|
Merge pull request #5334 from Marcono1234/marcono1234/improve-constant-loop-condition
Java: Improve constant-loop-condition
|
2021-03-05 11:36:25 +01:00 |
|
Anders Schack-Mulligen
|
00983c8967
|
Merge pull request #4965 from artem-smotrakov/jexl-injection
Java: Query for detecting JEXL injections
|
2021-03-05 10:52:36 +01:00 |
|
Anders Schack-Mulligen
|
20ccb52912
|
Merge pull request #4299 from torque59/play-framework
Initial support for Java - Play Framework > 2.6.x
|
2021-03-05 10:51:53 +01:00 |
|
Anders Schack-Mulligen
|
8d292070a4
|
Merge pull request #5272 from Marcono1234/marcono1234/simplify-own-member-access-checks
Java: Simplify own member access checks
|
2021-03-05 10:22:17 +01:00 |
|
Anders Schack-Mulligen
|
3565ba51b3
|
Merge pull request #5209 from smowton/smowton/feature/commons-misc-text
Java: add models for miscellaneous text-processing utilities from Commons Lang
|
2021-03-05 10:21:58 +01:00 |
|
Francis Alexander
|
a35f6d030c
|
Test fixes and change notes
|
2021-03-05 06:50:57 +05:30 |
|
Marcono1234
|
e9e9634306
|
Java: Improve constant-loop-condition
|
2021-03-04 23:33:29 +01:00 |
|
Marcono1234
|
c8315577fe
|
Java: Simplify own member access checks
|
2021-03-04 22:45:52 +01:00 |
|
Artem Smotrakov
|
7d52b53c24
|
Merge branch 'jexl-injection' of github.com:artem-smotrakov/ql into jexl-injection
|
2021-03-04 20:29:10 +01:00 |
|
Artem Smotrakov
|
0695b2a1fb
|
Removed TaintedSpringRequestBody
|
2021-03-04 20:27:39 +01:00 |
|
Owen Mansel-Chan
|
96eaf2119f
|
Correct signature and package in comment
cf https://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServletResponse.html#addCookie(javax.servlet.http.Cookie)
|
2021-03-04 15:10:02 +00:00 |
|
CodeQL CI
|
ad4b9372bd
|
Merge pull request #5302 from RasmusWL/expectation-tests-allow-str-prefix
Approved by MathiasVP, tausbn
|
2021-03-04 06:48:57 -08:00 |
|
Chris Smowton
|
da0a7f343a
|
Move existing value-preserving methods to use ValuePreservingCallable
|
2021-03-04 11:45:45 +00:00 |
|
Chris Smowton
|
40b0f68d2a
|
Add backward dataflow edges through modelled function invocations.
Also add convenience abstract classes for easily modelling new functions as fluent or value-preserving.
|
2021-03-04 11:45:19 +00:00 |
|
Chris Smowton
|
71cd329ded
|
Directly import Lang from ExternalFlow's Frameworks module
|
2021-03-04 11:12:21 +00:00 |
|
Chris Smowton
|
563404120f
|
Move calls to getSourceDeclaration
|
2021-03-04 11:11:56 +00:00 |
|
Chris Smowton
|
43b9436bb8
|
Convert Apache misc text models to CSV taint-flow specifications
|
2021-03-04 11:11:56 +00:00 |
|
Chris Smowton
|
0029d3b743
|
Java CSV flow summaries: allow specifying an unqualified typename to imply either the type itself or any generic specialisation.
It is still possible to specify a precise generic signature if need be.
|
2021-03-04 11:11:56 +00:00 |
|
Chris Smowton
|
b0ba0585a7
|
Add models for Apache Commons Lang and Text's Str[ing]Substitutor
|
2021-03-04 11:11:55 +00:00 |
|
Chris Smowton
|
f749c31136
|
Add models for commons lang/text's Str[ing]Lookup class
|
2021-03-04 11:11:55 +00:00 |
|
Chris Smowton
|
1580d23b2b
|
Add models for WordUtils and StrTokenizer
Both of these have commons-text and commons-lang variants.
|
2021-03-04 11:11:55 +00:00 |
|
Anders Schack-Mulligen
|
45f52289ea
|
Merge branch 'main' into java/merge-5226
|
2021-03-04 11:36:16 +01:00 |
|
Anders Schack-Mulligen
|
fe07630e40
|
Merge pull request #5219 from smowton/smowton/feature/backward-dataflow-for-fluent-methods
Java: Add backward dataflow edges through fluent function invocations.
|
2021-03-04 11:13:32 +01:00 |
|
Anders Schack-Mulligen
|
f91c71c8f7
|
Merge pull request #5270 from Marcono1234/marcono1234/class-isPackageProtected
Java: Add Class and Interface.isPackageProtected()
|
2021-03-03 16:33:57 +01:00 |
|
Anders Schack-Mulligen
|
7ca57fd7a5
|
Merge pull request #5294 from Marcono1234/patch-1
Java: Fix wrong algorithm name matching
|
2021-03-03 16:33:13 +01:00 |
|
Marcono1234
|
d5d0439471
|
Java: Fix wrong algorithm name matching
The regex character class `[5|7]` matches `5`, `7` and `|`.
|
2021-03-03 15:44:23 +01:00 |
|
Anders Schack-Mulligen
|
3400c121d6
|
Merge pull request #5202 from joefarebrother/apache-http
Java: Add modelling for Apache HTTP Components
|
2021-03-03 13:41:41 +01:00 |
|
Artem Smotrakov
|
7cc7ec962e
|
Updated recommendations for avoiding JEXL injections
|
2021-03-03 11:40:59 +01:00 |
|
Artem Smotrakov
|
c243f2f042
|
Improved JexlInjection.qhelp
|
2021-03-02 21:25:26 +01:00 |
|
Artem Smotrakov
|
6b66323ac3
|
Simplified JexlInjectionLib.qll and removed LocalUserInput
|
2021-03-02 21:22:46 +01:00 |
|
Joe Farebrother
|
81ff76814f
|
Remove incorrect expectation
|
2021-03-02 16:35:34 +00:00 |
|
Francis Alexander
|
173c4b7f2f
|
More Play stubs improvements
|
2021-03-02 20:39:25 +05:30 |
|
Anders Schack-Mulligen
|
0eb2c06e20
|
Merge pull request #3945 from porcupineyhairs/structsDevMode
Java: Add query to detect Apache Struts enabled Devmode
|
2021-03-02 15:22:20 +01:00 |
|
Porcuiney Hairs
|
beb15e27eb
|
remove tests
|
2021-03-02 18:13:33 +05:30 |
|
Francis Alexander
|
4384f78595
|
Play stubs improvements, cleanup and return values
|
2021-03-02 16:50:16 +05:30 |
|
Anders Schack-Mulligen
|
b0fa8dfeae
|
Merge pull request #4214 from porcupineyhairs/springViewManipulation
[Java] Add QL for detecting Spring View Manipulation Vulnerabilities.
|
2021-03-02 11:31:42 +01:00 |
|
Anders Schack-Mulligen
|
394c82d564
|
Apply suggestions from code review
Adjust qldoc.
|
2021-03-02 10:17:07 +01:00 |
|