hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-18 19:31:11 +02:00
Code Issues Packages Projects Releases Wiki Activity
24,633 Commits 1,780 Branches 169 Tags
53e6ddfeb6208e1b33e8d34564a4f7ccceed87ef
Commit Graph

293 Commits

Author SHA1 Message Date
Anders Schack-Mulligen
53e6ddfeb6 Merge pull request #6001 from atorralba/atorralba/promote-mvel-injection 
Java: Promote MVEL injection query from experimental
 2021-08-02 14:40:26 +02:00
Tony Torralba
9fadb26325 Fix qhelp sample 2021-08-02 10:00:59 +02:00
Tony Torralba
90b5e02b6e Improve qhelp 2021-07-29 16:28:10 +02:00
mc
8f1fc9e893 Update MvelInjection.qhelp 
Minor tweaks
 2021-07-29 11:30:19 +01:00
Tony Torralba
46faf68d64 Decouple MvelInjection.qll to reuse the taint tracking configuration 2021-07-19 13:50:03 +02:00
Tony Torralba
5ca8b380e9 Merge branch 'main' into atorralba/promote-mvel-injection 2021-07-19 13:45:10 +02:00
Artem Smotrakov
6d7cb48054 Refactored the query for unsafe deserialization 2021-07-16 18:25:41 +02:00
Artem Smotrakov
09ae779b21 Removed fromSource() check in looksLikeResolveClassStep() 2021-07-12 19:56:51 +02:00
Artem Smotrakov
ea0991c980 Added Jackson to UnsafeDeserialization.qhelp 2021-07-09 10:17:29 +02:00
Artem Smotrakov
3eb2af1bc2 First draft of sinks for unsafe deserialization with Jackson 2021-07-09 10:16:01 +02:00
Chris Smowton
a51154a8ef Deduplicate Jexl configuration 2021-07-02 10:02:28 +01:00
Chris Smowton
747a8e4157 Split up JexlInjection.qll 
This avoids a DataFlow2::Configuration being in scope for all queries via the import from ExternalFlow.qll
 2021-07-02 10:01:51 +01:00
Chris Smowton
643f7dfb87 Split up Random.qll 
This prevents bringing a dataflow config into scope from utility libraries.
 2021-07-02 10:00:49 +01:00
Chris Smowton
d5a9f3d87b Deduplicate shared body of regular and experimental versions of java/command-line-injection query. 2021-07-01 14:53:56 +01:00
intrigus
36575bb26f Move back to experimental......... 2021-06-25 16:47:25 +02:00
intrigus
fe923facc8 Java: Move comments to separate lines. 
Move comments to separate lines to improve
the rendering in the finished query help.
 2021-06-25 16:47:25 +02:00
intrigus-lgtm
f527df73d5 Apply suggestions from code review. 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2021-06-25 16:47:25 +02:00
intrigus
6bfdf8d148 Java: Fix qhelp errors. 2021-06-25 16:47:24 +02:00
intrigus
dc0b06a735 Java: Factor out SecurityFlag library. 2021-06-25 16:47:24 +02:00
intrigus-lgtm
51fdcf86c8 Apply suggestions from code review 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2021-06-25 16:47:24 +02:00
intrigus
6f217d37da Java: Apply suggestions from review. 2021-06-25 16:47:24 +02:00
intrigus
4a00670b68 Java: Reduce long comment. 2021-06-25 16:47:24 +02:00
intrigus
45cec3df1c Java: Use this consistently in QL classes. 2021-06-25 16:47:24 +02:00
intrigus
0c1ce74135 Java: Switch from tabs to spaces. 2021-06-25 16:47:24 +02:00
intrigus
6d09db6fd6 Java: Explicitly list custom flow steps. 2021-06-25 16:47:23 +02:00
intrigus
e4775e0fae Java: Remove "intention-guessing" sanitizer & simplify. 
This removes the sanitizer part that classified some results as FP
if the results were in methods with certain names, like
`disableVerification()`. I now think that it's a bad idea to filter
based on the method name.
The custom flow steps in `flagFlowStep` are now listed explicitly.
Simplified check whether a method throws an exception.
 2021-06-25 16:47:23 +02:00
intrigus
8a7f6b72e9 Java: Apply suggestions for QHelp 2021-06-25 16:47:23 +02:00
intrigus
d37d922e8f Java: Fix Typos 2021-06-25 16:47:22 +02:00
intrigus-lgtm
030c286902 Java: Use machine-in-the-middle consistently 2021-06-25 16:47:22 +02:00
intrigus-lgtm
f52e438f3e Java: Apply suggestions from code review 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-06-25 16:47:22 +02:00
intrigus
87554a78d4 Java: Add insecure trust manager query. 2021-06-25 16:47:22 +02:00
Calum Grant
32f6a465b0 Merge pull request #6080 from github/calumgrant/security-severities 
Update security-severity scores
 2021-06-18 09:40:40 +01:00
Chris Smowton
b66dcbe5b6 Factor request-forgery config so it can be used in an inline-expectations test 2021-06-17 11:43:32 +01:00
Chris Smowton
a665d5d111 Improve RequestForgery.qhelp recommendation 2021-06-17 11:41:05 +01:00
Chris Smowton
fb2989c16b Copyedit comments and function names 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2021-06-17 11:41:04 +01:00
Chris Smowton
575198a0e4 Java SSRF query: Server Side -> Server-Side everywhere. 2021-06-17 11:41:04 +01:00
Chris Smowton
7899e17f3a Java SSRF query: move RequestForgery qll file into semmle/code hierarchy 
This makes it importable by people wishing to extend the query.
 2021-06-17 11:41:04 +01:00
Chris Smowton
532a10bfdf Java SSRF query: Provide hook for custom taint-propagating steps; make all default sinks/sanitizers/steps private. 2021-06-17 11:41:04 +01:00
Chris Smowton
e8613367e8 Java SSRF query: copyedit qhelp 2021-06-17 11:41:04 +01:00
Chris Smowton
3333e7d186 Java SSRF query: sanitize primitives 
Even 'char' isn't a realistic vector for an exploit, unless somebody is copying out a string char by char.
 2021-06-17 11:41:04 +01:00
Chris Smowton
6933d06a46 Add exactly the string '/' as a sanitizing prefix. 
Usually this is ignored for suspicion that it could be taken for a protocol specifier, but on balance the context `(something) + "/" + tainted()` is more likely to be taken for a user-controlled location within a host the user does not control.
 2021-06-17 11:41:03 +01:00
Chris Smowton
bc43b6d760 Fix typo 2021-06-17 11:41:03 +01:00
Chris Smowton
e6249eed79 Add doc comments 2021-06-17 11:41:03 +01:00
Chris Smowton
26e10f3ad5 SSRF: don't consider results of fetches we initiated to be untrustworthy 2021-06-17 11:41:03 +01:00
Chris Smowton
c63d5986cf Sanitize StringBuilder appends that follow directly from a constructor. 
Note that some of this logic ought to be incorporated into StringBuilderVar once that code can be reviewed.
 2021-06-17 11:41:03 +01:00
Chris Smowton
b5a450b881 SSRF query: add sanitizer looking for a variety of ways of prepending a sanitizing prefix, such as one that restricts the hostname a URI will refer to. 2021-06-17 11:41:03 +01:00
Chris Smowton
487c1db6ed Promote SSRF query to main query set 2021-06-17 11:41:01 +01:00
Tony Torralba
dab33b21fb Merge branch 'main' into atorralba/promote-mvel-injection 2021-06-16 15:44:43 +02:00
haby0
c1ada6d85b Merge branch 'main' into java/UnsafeDeserialization 2021-06-16 16:37:03 +08:00
Calum Grant
771e686946 Update security-severity scores 2021-06-15 13:25:17 +01:00