codeql

mirror of https://github.com/github/codeql.git synced 2026-01-13 14:34:45 +01:00

Author	SHA1	Message	Date
Chris Smowton	d34233b44f	Rewrite XQuery injection to use an additional taint step instead of multiple configurations. Also remove a needless barrier -- the method in question doesn't conduct taint by default, so excluding particular instances of that call is not necessary.	2021-01-25 11:18:45 +00:00
haby0	16308fe557	Update java/ql/src/Security/CWE/CWE-652/XQueryInjectionLib.qll Co-authored-by: Chris Smowton <smowton@github.com>	2021-01-25 19:16:18 +08:00
haby0	14a23eed4f	Update java/ql/src/Security/CWE/CWE-652/XQueryInjectionLib.qll Co-authored-by: Chris Smowton <smowton@github.com>	2021-01-25 19:15:59 +08:00
haby0	0b326aae20	*)update XQueryInjectionLib.qll	2021-01-23 18:27:38 +08:00
haby0	44d99f8cd4	*)update XQueryInjection.ql	2021-01-23 18:26:58 +08:00
haby0	ec4c155043	*)update XQueryInjection.qhelp	2021-01-23 18:26:15 +08:00
haby0	a56dd60baa	*)add CWE-652 XQueryInjection detection	2021-01-21 19:18:10 +08:00
Anders Schack-Mulligen	9b2f69ca94	Merge pull request #4978 from github/yo-h/struts-xml-change-note Java: add change note for `struts.xml` extraction	2021-01-20 08:59:45 +01:00
yo-h	91fa12b1be	Java: add change note for `struts.xml` extraction	2021-01-19 10:19:18 -05:00
Anders Schack-Mulligen	dde8d320f3	Apply suggestions from code review Minor qldoc fixes.	2021-01-19 08:24:24 +01:00
Marcono1234	703336a77f	Add ArrayInit.getSize(), improve documentation	2021-01-18 16:44:53 +01:00
yo-h	27fd16ae87	Java: update documentation on supported language versions	2021-01-14 20:29:16 -05:00
Anders Schack-Mulligen	29935e1388	Merge pull request #4771 from intrigus-lgtm/split-cwe-295 Java: Add unsafe hostname verification query and remove existing overlapping query	2021-01-13 11:31:38 +01:00
intrigus	2931e1f3fb	Java: Add change note for #4771	2021-01-12 15:37:45 +01:00
intrigus	1901f6bf55	Java: Make @id @name of query more similar.	2021-01-12 15:36:55 +01:00
intrigus	4fa8f5eab2	Java: Accept test changes	2021-01-12 15:29:03 +01:00
intrigus	85286f362c	Java: Replace global flow by local flow	2021-01-11 19:02:07 +01:00
intrigus-lgtm	722bd4dafa	Java: Revise qhelp	2021-01-11 18:57:24 +01:00
intrigus-lgtm	4cfdb10ddc	Java: Improve QLDoc & simplify code Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>	2021-01-11 18:50:43 +01:00
intrigus	5c1e746c96	Java: Rename to `EnvReadMethod`	2021-01-11 13:42:08 +01:00
intrigus	1eb2b75389	Java: Further reduce FPs, simply Flag2Guard flow	2021-01-11 13:42:08 +01:00
intrigus	b4692734b2	Java: Add QLDoc improve query message	2021-01-11 13:42:08 +01:00
intrigus-lgtm	f4b912cd8a	Apply suggestions from doc review Co-authored-by: Felicity Chapman <felicitymay@github.com>	2021-01-11 13:42:08 +01:00
intrigus	e11304a1ca	Java: Autoformat	2021-01-11 13:42:08 +01:00
intrigus-lgtm	b8f3e64a0f	Apply suggestions from code review Co-authored-by: Felicity Chapman <felicitymay@github.com>	2021-01-11 13:42:08 +01:00
intrigus	502e4c39f5	Java: Fix Qhelp	2021-01-11 13:42:08 +01:00
intrigus-lgtm	355cb6eeec	Fix Qhelp format Co-authored-by: Felicity Chapman <felicitymay@github.com>	2021-01-11 13:42:07 +01:00
intrigus-lgtm	10fc2cf9f8	Apply suggestions from code review Co-authored-by: Chris Smowton <smowton@github.com>	2021-01-11 13:42:07 +01:00
intrigus	c88f07dde4	Java: Accept test output	2021-01-11 13:42:07 +01:00
intrigus	33b0ff28d8	Java: Update test	2021-01-11 13:42:07 +01:00
intrigus	9e2ef9bd74	Java: Filter results by feature flags. This ignores results that are guarded by a feature flag that suggests an intentionally insecure feature. Inspired by Go's `InsecureFeatureFlag.qll` and `DisabledCertificateCheck.ql`.	2021-01-11 13:42:07 +01:00
intrigus	a62a2e58dd	Java: Improve QL-Doc	2021-01-11 13:42:07 +01:00
intrigus	d98b171998	Java: Make `EnvTaintedMethod` public + QL-Doc	2021-01-11 13:42:07 +01:00
intrigus	e021158b5f	Java: Tighter model of `HostnameVerifier#verify` This more tightly models `HostnameVerifier#verify` previously it was possible to accidentally match other methods called `verify`.	2021-01-11 13:42:07 +01:00
intrigus	0a9df07df7	Apply suggestions from review.	2021-01-11 13:42:07 +01:00
intrigus	70b0703952	Java: Remove overlapping code	2021-01-11 13:42:07 +01:00
intrigus	3da1cb0879	Java: Add unsafe hostname verification query	2021-01-11 13:42:07 +01:00
intrigus	8df5d77398	Java: Model `HostnameVerifier` method Model `HostnameVerifier#setDefaultHostnameVerifier`	2021-01-11 13:42:06 +01:00
Anders Schack-Mulligen	3a2dd8f1ed	Merge pull request #4867 from RasmusWL/java-externalapis-taint-step Java: Fix taint-step handling for untrusted-data-external-api	2021-01-11 13:36:59 +01:00
Rasmus Wriedt Larsen	00c253a710	Java: Don't ignore local taint steps (fixup)	2021-01-08 15:29:01 +01:00
Anders Schack-Mulligen	e5b4975450	Merge pull request #4675 from luchua-bc/cleartext-storage-shared-prefs Java: Query to detect cleartext storage of sensitive information using Android SharedPreferences	2021-01-08 12:41:34 +01:00
luchua-bc	606d0946fc	Update qldoc	2021-01-07 14:05:12 +00:00
luchua-bc	b54e5b1c49	Revamp the library module	2021-01-07 12:44:59 +00:00
luchua-bc	f13b8814f5	Update class/method names in the module	2021-01-06 16:49:35 +00:00
luchua-bc	5690bf49f4	Optimize the query	2021-01-06 16:21:26 +00:00
Chris Smowton	e87fd86e63	Merge pull request #4814 from luchua-bc/java/password-in-configuration Java: Password in Java EE configuration files	2021-01-05 11:42:27 +00:00
Jonathan Leitschuh	ba4a562c9a	Update PrintAst.actual with new test output	2021-01-04 23:37:58 -05:00
Jonathan Leitschuh	028e4756bb	Apply suggestions from code review Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>	2021-01-04 10:13:52 -05:00
Jonathan Leitschuh	54950c2f42	Add MethodAccessSystemGetProperty predicate	2021-01-01 20:07:45 -05:00
Rasmus Wriedt Larsen	874af7637f	Java: Fix taint-step handling for untrusted-data-external-api The previous implementation would not handle any `AdditionalTaintStep` subclasses.	2020-12-22 11:02:50 +01:00

1 2 3 4 5 ...

1578 Commits