hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-05 02:30:19 +01:00
Code Issues Packages Projects Releases Wiki Activity
14,541 Commits 1,673 Branches 157 Tags
32d9d270fc55bf2706c8ab8ea642875784a118a5
Commit Graph

97 Commits

Author SHA1 Message Date
Anders Schack-Mulligen
32d9d270fc Merge pull request #3948 from aibaars/java-3941 
Java: stack trace exposure: address false positives
 2020-08-05 09:31:01 +02:00
Arthur Baars
67b6018079 Merge pull request #3729 from luchua-bc/java-hardcoded-aws-credentials 
Java: Hardcoded AWS credentials
 2020-07-13 18:04:42 +02:00
Arthur Baars
c585b2e483 Java: stack trace exposure: address false positives 2020-07-13 15:26:55 +02:00
luchua-bc
12803f1f53 Merge Hardcoded AWS Credentials check into the mail source folder 2020-07-13 12:22:34 +00:00
Anders Schack-Mulligen
c8b9b779ae Merge pull request #3927 from rvermeulen/java-importable-cwe-601 
Java: Move `UrlRedirectSink` into importable library
 2020-07-09 16:03:29 +02:00
Remco Vermeulen
ba9f3e2a1e Join ServletUrlRedirectSink with UrlRedirectSink 2020-07-09 14:08:43 +02:00
Remco Vermeulen
9a84abf259 Generalize QueryInjectionSink 
Extends from the more general DataFlow::Node instead of
DataFlow::ExprNode
 2020-07-09 12:32:17 +02:00
Remco Vermeulen
c01844a39e Add file-level qldoc 2020-07-09 10:30:31 +02:00
Remco Vermeulen
42e261ac02 Move SqlInjectionSink and PersistenceQueryInjectionSink 
Join SqlInjectionSink and PersistenceQueryInjectionSink with
QueryInjectionSink to make its definition more transparent.
 2020-07-09 10:21:24 +02:00
Remco Vermeulen
d07d21c9e2 Fix import 2020-07-09 10:20:53 +02:00
Remco Vermeulen
170be9ffe8 Move UrlRedirectSink into importable library 
- The `UrlRedirect` class is renamed to `ServletUrlRedirect`.
- Abstract class `UrlRedirectSink` is defined that can be imported and
used to customise CWE-601 via Customizations.qll
 2020-07-08 16:47:51 +02:00
Remco Vermeulen
06517c6f82 Move QueryInjectionSink into importable library 
This enables defining of new sinks to customise the CWE-089 queries.
 2020-07-08 16:24:06 +02:00
Geoffrey White
f8425b8a58 Java: Update uses. 2020-06-30 13:02:48 +01:00
luchua-bc
f40e27a3c5 Hardcoded AWS credentials 2020-06-17 02:46:02 +00:00
Anders Schack-Mulligen
67b32796dd Merge pull request #853 from joshhale/tweak-cwe-078-example 
doc: remove - from command arguments
 2020-02-24 16:15:58 +01:00
Jonathan Leitschuh
60f2fa9eb9 Update java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql 2020-02-05 12:45:47 -05:00
Jonathan Leitschuh
832a4f2e07 Add DefaultFullHttpResponse to Netty Check 2020-02-04 15:40:59 -05:00
Anders Schack-Mulligen
3b81c3b95c Merge pull request #2651 from ggolawski/java-ldap-injection 
Java LDAP Injection (CWE-90)
 2020-01-31 16:43:52 +01:00
yo-h
7ca7bdfc46 Merge pull request #2725 from aschackmull/java/sqlinjection-number-barrier 
Java: Add java.lang.Number as a sanitizer for SQL injection.
 2020-01-30 18:25:24 -05:00
Grzegorz Golawski
db55ec250a Rename CWE-90 to CWE-090 2020-01-30 22:32:36 +01:00
Anders Schack-Mulligen
a167577551 Java: Add java.lang.Number as a sanitizer for SQL injection. 2020-01-30 12:01:36 +01:00
Anders Schack-Mulligen
75c549baa1 Java: Deprecate ParExpr. 2020-01-30 10:52:16 +01:00
ggolawski
ebd2b932e8 Update java/ql/src/Security/CWE/CWE-90/LdapInjection.qhelp 
Co-Authored-By: Felicity Chapman <felicitymay@github.com>
 2020-01-29 20:05:20 +01:00
Anders Schack-Mulligen
9b7a728609 Java: Autoformat. 2020-01-29 12:16:25 +01:00
Grzegorz Golawski
bbcfbd7a28 Apply suggestion from code review 2020-01-28 22:34:01 +01:00
Grzegorz Golawski
7b2192d2e3 Apply suggestion from code review 2020-01-27 22:34:15 +01:00
ggolawski
408c49a61c Apply suggestions from code review 
Co-Authored-By: Felicity Chapman <felicitymay@github.com>
 2020-01-27 22:31:51 +01:00
Anders Schack-Mulligen
816a8d1f9e Merge pull request #2586 from ggolawski/spring_disable_csrf 
Add check for disabled CSRF protection in Spring
 2020-01-27 11:32:39 +01:00
Esben Sparre Andreasen
57b3a55b48 java: sharpen java/maven/non-https-url to allow localhost URLs 2020-01-24 08:51:54 +01:00
Grzegorz Golawski
968c18d208 Query to detect LDAP injections in Java 
Refactoring according to review comments.
 2020-01-23 22:51:10 +01:00
Grzegorz Golawski
bed6a9886f Query to detect LDAP injections in Java 
Autoformat
 2020-01-22 21:42:47 +01:00
Grzegorz Golawski
5596944926 Add check for disabled CSRF protection in Spring 
Fix help and correct formatting.
 2020-01-22 21:27:34 +01:00
Grzegorz Golawski
c5a974788b Add check for disabled CSRF protection in Spring 
Fix the help according to review comments.
 2020-01-21 21:54:36 +01:00
Grzegorz Golawski
00ee3d2549 Query to detect LDAP injections in Java 
Cleanup
 2020-01-18 20:21:38 +01:00
Grzegorz Golawski
95723b08e1 Query to detect LDAP injections in Java 
Add help
 2020-01-18 19:01:35 +01:00
Grzegorz Golawski
8cec46342f Query to detect LDAP injections in Java 
Refactoring
 2020-01-18 17:14:22 +01:00
Grzegorz Golawski
b7325232d7 Query to detect LDAP injections in Java 
Consider DNs as injection points as well
Add more taint steps
 2020-01-14 23:07:21 +01:00
Grzegorz Golawski
3e86dd1182 Query to detect LDAP injections in Java 
Apache LDAP API sink
 2020-01-12 20:19:25 +01:00
Grzegorz Golawski
c01aa3d2ee Query to detect LDAP injections in Java 
Spring LDAP sink
 2020-01-12 13:28:29 +01:00
Grzegorz Golawski
7570fa9137 Query to detect LDAP injections in Java 
JNDI and UnboundID sinks
JNDI, UnboundID and Spring LDAP sanitizers
 2020-01-11 21:55:54 +01:00
Anders Schack-Mulligen
d918cb1f6f Merge pull request #2550 from JLLeitschuh/task/JLL/improve_netty_response_splitting_detection 
Add io.netty.handler.codec.http.DefaultHttpResponse to Netty Response Splitting Detection
 2020-01-07 14:28:01 +01:00
Grzegorz Golawski
4ce25c045d Simplify the query 2020-01-05 22:05:00 +01:00
Grzegorz Golawski
ab49397bb8 Add check for disabled CSRF protection in Spring 2020-01-03 21:52:50 +01:00
Jonathan Leitschuh
0e2c5db7b1 Netty Response Splitting use CompileTimeConstantExpr 
Co-Authored-By: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2020-01-03 07:51:55 -05:00
Anders Schack-Mulligen
7e987c570f Merge pull request #2413 from JLLeitschuh/feature/JLL/maven_insecure_artifact_resolution 
Java: Use of HTTP/FTP to download/upload Maven artifacts
 2020-01-02 14:47:30 +01:00
Jonathan Leitschuh
75939afe9c Update java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.qhelp 
Co-Authored-By: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2019-12-18 09:53:36 -05:00
Jonathan Leitschuh
b218374772 Add io.netty.handler.codec.http.DefaultHttpResponse to Netty Response Splitting Detection 
Related: #2185
Related: https://github.com/github/security-lab/issues/22
 2019-12-17 12:12:04 -05:00
Jonathan Leitschuh
0c2da8af40 Update java/ql/src/Security/CWE/CWE-829/InsecureDependencyResolution.ql 2019-12-12 14:10:11 -05:00
Jonathan Leitschuh
229622459c Update InsecureDependencyResolution with code review comments 2019-12-09 20:37:53 -05:00
Jonathan Leitschuh
f341234edb Apply suggestions from code review 
Co-Authored-By: Felicity Chapman <felicitymay@github.com>
Co-Authored-By: yo-h <55373593+yo-h@users.noreply.github.com>
 2019-12-09 19:17:23 -05:00