hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-07 18:51:06 +01:00
Code Issues Packages Projects Releases Wiki Activity
50,260 Commits 1,691 Branches 160 Tags
655aa700bc25636bd8a334bcb8c19ccc9a09fcff
Commit Graph

182 Commits

Author SHA1 Message Date
Tony Torralba
2ca0df0369 C#: Remove omittable exists variables 2023-01-10 13:36:25 +01:00
Michael Nebel
27efb0d843 C#: Rename -> for . 2022-12-06 13:53:50 +01:00
Michael Nebel
29ccac8e93 C#: Address review comments. 2022-12-06 12:05:48 +01:00
Michael Nebel
6b35098fb7 C#: Replace more uses of getQualifiedName/0. 2022-12-06 11:59:13 +01:00
Michael Nebel
c24302bec2 C#: Replace all uses of the deprecated hasQualifiedName/1 predicate. 2022-12-06 11:59:12 +01:00
erik-krogh
887062d339 update cs/assembly-path-injection and cs/hardcoded-key to path-problems 2022-11-11 10:55:36 +01:00
Josh Soref
88408fbd59 spelling: ciphertext 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-11 00:23:36 -04:00
erik-krogh
e2fe63f94a autoformat 2022-09-30 23:11:43 +02:00
erik-krogh
7098e7b102 change more queries to start with "This " 2022-09-30 13:29:18 +02:00
erik-krogh
77eeabe8e5 changed to address review 2022-09-29 13:39:59 +02:00
erik-krogh
326666ac85 update the alert-messages of csharp queries 2022-09-26 14:01:39 +02:00
erik-krogh
cc7a9ef97a rename more acronyms 2022-08-25 20:52:27 +02:00
erik-krogh
1c0f2251e2 Merge branch 'main' into msgConsis 2022-08-24 14:38:57 +02:00
erik-krogh
e52fa9a469 update {cs/java}/regex-injection to match javascript 2022-08-22 21:41:45 +02:00
erik-krogh
e89e0eb7fb make some acronyms camelCase 2022-08-22 21:22:35 +02:00
erik-krogh
ce9f69a639 rename all occurrences of XML to Xml 2022-08-22 14:08:31 +02:00
Michael Nebel
c8ede58704 C#: Flow summaries has now been added for Exception stack trace, but not for ToString. The latter will be encoded as an extra taintstep in the analysis. To reduce noise for all uses of an exception itself an isSanitizerIn is introduced. 2022-05-25 08:28:15 +02:00
Michael Nebel
13f142f143 C#: Convert xml injection query to a path problem. 2022-05-05 10:43:23 +02:00
Erik Krogh Kristensen
ff73dbc35c delete redundant imports 2022-04-22 12:55:28 +02:00
Erik Krogh Kristensen
69353bb014 patch upper-case acronyms to be PascalCase 2022-03-11 11:10:33 +01:00
Tamas Vajk
e8bf94faf9 C#: Downgrade hardcoded credentials queries to medium precision 2022-02-15 09:34:20 +01:00
Erik Krogh Kristensen
3c59aa319e Merge pull request #7245 from erik-krogh/explicit-this-all-the-places 
All langs: apply the explicit-this patch to all remaining code
 2021-12-07 10:40:26 +01:00
Erik Krogh Kristensen
6ff8d4de5c add all remaining explicit this 2021-11-26 13:50:10 +01:00
Rasmus Wriedt Larsen
9710aeecbf Python/C#: Add CWE-1333 to redos queries 
As is already done in JS and Ruby.
 2021-11-09 16:10:38 +01:00
Tom Hvitved
51f4f57617 C#: Use cs/ prefix in all query IDs 2021-11-03 10:25:21 +01:00
Rasmus Wriedt Larsen
8f52089475 C#: Fix CWE tag for cs/insufficient-key-size 
Since this targets

CWE-326 Inadequate Encryption Strength

> The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
> \- https://cwe.mitre.org/data/definitions/326.html

and not

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

> The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
> \- https://cwe.mitre.org/data/definitions/327.html

This matches what we do for similar query in Python: https://github.com/github/codeql/blob/main/python/ql/src/Security/CWE-326/WeakCryptoKey.ql
 2021-09-07 12:59:10 +02:00
Tom Hvitved
7e1efbdd8e C#: Use data flow instead of taint tracking in InsecureSQLConnection.ql 2021-08-26 13:48:57 +02:00
Tamás Vajk
763de4fff9 Merge pull request #6425 from raulgarciamsft/insecureRandom_potential_fix 
C#: Adding Membership.GeneratePassword() as a bad source of random data
 2021-08-19 11:16:26 +02:00
Tamas Vajk
d97525e21e Fix minor quality issues in comment and change note 2021-08-19 09:30:23 +02:00
Tom Hvitved
44ff623d8c Merge pull request #5508 from edvraa/deserializers 
deserialization sinks
 2021-08-17 11:41:52 +02:00
Tamás Vajk
c1cf2a1c5f Merge pull request #5579 from edvraa/cookies 
C#: HttpOnly and Secure cookie queries
 2021-08-09 08:58:11 +02:00
Raul Garcia (MSFT)
7340a1293f Fixing query & test 2021-08-04 19:37:57 -07:00
Raul Garcia (MSFT)
8544356f90 Adding Membership.GeneratePassword() as a bad source of random data because of the bias. 2021-08-04 17:12:00 -07:00
edvraa
d1e41689bb Merge with main 2021-08-04 14:25:34 +03:00
edvraa
fd4d8e2595 Use HasFlow instead HasFlowPath 2021-07-14 16:06:34 +03:00
edvraa
a0942e0360 JsonConvert 2021-07-12 15:23:04 +03:00
edvraa
1682e993bc Merge with Main 2021-07-12 11:32:47 +03:00
edvraa
2c9d6827ad comments 2021-07-12 01:13:40 +03:00
edvraa
89c4102462 HttpOnly and Secure cookie queries 2021-07-12 01:13:39 +03:00
Tom Hvitved
4de4753c67 C#: Remove Query.qll top-level modules 2021-07-04 09:35:27 +02:00
Tom Hvitved
c812d4e4e8 C#: Add Query suffix to libraries that should only be imported by queries 2021-07-04 09:35:26 +02:00
Calum Grant
771e686946 Update security-severity scores 2021-06-15 13:25:17 +01:00
Calum Grant
a594afb828 Add security-severity metadata 2021-06-10 20:11:08 +01:00
Chris Smowton
455b840712 Fix all dead qhelp links 
For those documents with no obvious new home I've pointed the links to the Internet Archive.
 2021-04-23 15:20:21 +01:00
edvraa
c9c9758e01 Make similarly named files in tests and qhelp in sync 2021-04-22 12:23:46 +03:00
edvraa
57689df5aa Remove DataFlow::Node 2021-04-21 19:29:30 +03:00
edvraa
a93d6a3ef6 Remove SafeConstructorTrackingConfig 2021-04-21 17:16:54 +03:00
edvraa
808444986d Get rid of UnsafeDeserializerCallable 2021-04-21 17:06:20 +03:00
edvraa
b6952d541a get rid of getParent 2021-04-21 16:55:34 +03:00
edvraa
3ac5f7bb18 Move RemoteSource and LocalSource to UnsafeDeserialization.qll 2021-04-21 13:27:26 +03:00