hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-18 19:31:11 +02:00
Code Issues Packages Projects Releases Wiki Activity
25,918 Commits 1,780 Branches 169 Tags
6cff0d0376a1c7c77537ef63e83bc802825527df
Commit Graph

25918 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Chris Smowton
6cff0d0376 Merge pull request #6393 from luchua-bc/java/xss-jsf 
Java: CWE-079 Query to detect XSS with JavaServer Faces (JSF)
 2021-09-14 15:15:56 +01:00
Chris Smowton
a1ad1ddc10 Deprecated and replace uses of old name ServletWriterSource 2021-09-14 14:21:29 +01:00
Anders Schack-Mulligen
26eafcb55a Merge pull request #6456 from smowton/smowton/admin/flexjson-unsafe-deserialization 
Java: add unsafe-deserialization support for Flexjson
 2021-09-14 14:33:22 +02:00
Rasmus Wriedt Larsen
8b7fad8595 Merge pull request #6283 from tausbn/python-fix-exceptstmt-gettype 
Python: Fix `ExceptStmt::getType`
 2021-09-14 13:40:33 +02:00
Rasmus Wriedt Larsen
49f5f1e2c2 Merge pull request #6336 from tausbn/python-make-annotated-assignment-a-definitionnode 
Python: Two fixes regarding annotated assignments
 2021-09-14 13:37:53 +02:00
Chris Smowton
6af5c5fc86 Add change note 2021-09-14 12:36:38 +01:00
Chris Smowton
26dbf058c8 Add reverse import from ExternalFlow.qll 2021-09-14 12:35:33 +01:00
Chris Smowton
fcc0f1d5a7 Expand test to exercise all sinks 2021-09-14 12:27:33 +01:00
Chris Smowton
e439b7d7f8 Remove resource-related sources 
These access application-owned resources AFAICT
 2021-09-14 12:24:27 +01:00
Tom Hvitved
98a12cef26 Merge pull request #6690 from hvitved/js/files-folders-drop-columns 
JavaScript: Drop redundant columns from `files` and `folders` relations
 2021-09-14 13:13:37 +02:00
Chris Smowton
104873e8ee Autoformat 2021-09-14 12:07:59 +01:00
Chris Smowton
6811441459 Factor JSF source definitions 2021-09-14 12:07:48 +01:00
Chris Smowton
b7fc068cee Move JSFRenderer.qll to lib 2021-09-14 11:49:01 +01:00
Chris Smowton
023c533745 Combine Servlet and JSF vulnerable writer flow-tracking 
JSP and Servlet already shared this logic; might as well add JSF into the same mechanism.
 2021-09-14 11:48:34 +01:00
Chris Smowton
cb8096f636 Remove JSF XSS Example 
Per previous commit, no need for a top-level JSF example
 2021-09-14 11:47:37 +01:00
Chris Smowton
cca9ad06b4 Remove JSF example 
I don't think we need this: there are lots of possible XSS vectors; we don't need to enumerate every one in the qhelp file.
 2021-09-14 11:47:36 +01:00
Chris Smowton
76e4077b56 Delete unused classes 2021-09-14 11:47:35 +01:00
luchua-bc
24addd5c10 Query to detect XSS with JavaServer Faces (JSF) 2021-09-14 11:47:32 +01:00
Anders Schack-Mulligen
e71173d953 Merge pull request #6591 from bmuskalla/inlineFlowTest 
Java: Simplify setup for flow tests using `InlineExpectationsTest`
 2021-09-14 10:31:29 +02:00
Tom Hvitved
57b5b2af2e JavaScript: DB upgrade script 2021-09-14 10:25:53 +02:00
Tom Hvitved
25e1da0150 JavaScript: Update expected test output 2021-09-14 10:25:42 +02:00
Tom Hvitved
63e28c57cd JavaScript: Drop redundant columns from files and folders relations 2021-09-14 10:25:37 +02:00
Tamás Vajk
d52616b687 Merge pull request #6683 from tamasvajk/feature/csv-coverage-fix 
Only leave CSV coverage updater job enabled on github/codeql
 2021-09-14 10:13:28 +02:00
Benjamin Muskalla
93f9097b02 Merge pull request #6689 from github/workflow/coverage/update 
Update CSV framework coverage reports
 2021-09-14 09:35:31 +02:00
github-actions[bot]
bf7c26e681 Add changed framework coverage reports 2021-09-14 00:07:57 +00:00
Taus
4d24be04a1 Merge pull request #6688 from RasmusWL/small-fix 
Python: Fix `globals() == locals()` FP
 2021-09-13 21:50:13 +02:00
Rasmus Wriedt Larsen
f402475dd3 Python: Fix globals() == locals() FP 2021-09-13 20:03:11 +02:00
Rasmus Wriedt Larsen
69fe2a36e5 Python: Add globals() == locals() test 2021-09-13 20:02:08 +02:00
Rasmus Wriedt Larsen
ba7cdec2ea Python: Add some lines in test file 
These are just empty now, such that it's obvious the tests didn't
change.
 2021-09-13 20:00:50 +02:00
Rasmus Wriedt Larsen
a9694bf0ef Python: Clean whitespace 2021-09-13 19:58:59 +02:00
Tom Hvitved
3bdc92ba8e Merge pull request #6681 from hvitved/java/files-folders-drop-columns 
Java: Drop redundant columns from `files` and `folders` relations
 2021-09-13 17:43:31 +02:00
Chris Smowton
122ffca049 Merge pull request #6645 from Marcono1234/marcono1234/spurious-javadoc-param-generic-class 
Java: Detect spurious param Javadoc tag of generic classes
 2021-09-13 16:41:06 +01:00
Benjamin Muskalla
24d740b2da Merge branch 'main' into inlineFlowTest 2021-09-13 17:15:37 +02:00
Benjamin Muskalla
bf5a46f6d8 Simplify inline tests 2021-09-13 17:08:02 +02:00
Taus
b51ce1d2b3 Merge pull request #6640 from yoff/python-add-parameter-default-value-flow-step 
Python: add parameter default value flow step
 2021-09-13 17:05:48 +02:00
Anders Schack-Mulligen
7b764aec92 Merge pull request #6682 from aschackmull/java/callbacks 
Java: Add support for callback-based library models.
 2021-09-13 16:43:03 +02:00
Chris Smowton
3c7b39f089 Add change note 2021-09-13 15:36:26 +01:00
Tamas Vajk
80f5ec29d4 Log stdout and stderr in CSV coverage jobs 2021-09-13 16:16:03 +02:00
Tamas Vajk
1d8fae44cc Only leave CSV coverage updater job enabled on github/codeql 2021-09-13 16:15:21 +02:00
Tom Hvitved
b60f1cd531 Java: Upgrade script 2021-09-13 16:09:47 +02:00
Tom Hvitved
9fdcacd865 Java: Drop redundant columns from files and folders relations 2021-09-13 16:09:47 +02:00
Anders Schack-Mulligen
ab862276fc Java: Fix tests. 2021-09-13 16:04:11 +02:00
Anders Schack-Mulligen
12aeaeed56 Java: Address review comment. 2021-09-13 16:03:50 +02:00
Chris Smowton
47b5165f2a Merge pull request #6653 from smowton/smowton/admin/javascript-unpaired-surrogate-test 
Java and JS: Add/adapt tests for literals with an unpaired surrogate character
 2021-09-13 14:53:23 +01:00
Anders Schack-Mulligen
818e75bb8f Java: Fix compilation error in telemetry lib. 2021-09-13 15:50:21 +02:00
Chris Smowton
abdd3a5dbe Adjust Java tests that check for unpaired surrogate extraction 2021-09-13 14:02:05 +01:00
Erik Krogh Kristensen
05cc6bcf8a adjust regexp libraries to how unpaired surrogate are parsed now 2021-09-13 14:02:05 +01:00
Chris Smowton
f24d7c4212 Acknowledge new FPs due to the extractor using U+FFFD for unpaired surrogates 
These were already misinterpreted, but the ReDoS code ignored them as they previously appeared to be `?` characters.
 2021-09-13 14:02:05 +01:00
Chris Smowton
487ebdf173 Add test for Javascript literal with an unpaired surrogate character 2021-09-13 14:02:05 +01:00
Anders Schack-Mulligen
89a6cdc711 Java: Add support for callback-based library models. 2021-09-13 14:49:28 +02:00