hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-01 11:45:14 +02:00
Code Issues Packages Projects Releases Wiki Activity
71,659 Commits 1,740 Branches 165 Tags
70cf1a57bcae0dd50d89ca5bec935de401e93af6
Commit Graph

1109 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
8c10155eb7 mass rename to ActiveThreatModelSource 2024-09-12 10:16:55 +02:00
Chris Smowton
15989ce213 Merge pull request #14089 from am0o0/amammad-java-JWT 
Java: JWT decoding without verification
 2024-08-21 14:14:08 +01:00
am0o0
f4764378c9 update tests to contain the new source, delete query with local sources 2024-08-16 16:15:46 +02:00
Anders Schack-Mulligen
3a9610795b Merge pull request #16808 from JLLeitschuh/patch-8 
Align Java CommandInjectionRuntimeExec.ql Severity
 2024-08-16 15:14:48 +02:00
am0o0
d560c1ea0f fix formatting 2024-07-31 11:08:06 +02:00
am0o0
9110df6e80 Merge branch 'amammad-java-JWT' of https://github.com/am0o0/codeql into amammad-java-JWT 2024-07-31 11:04:24 +02:00
am0o0
c6814fcf47 merge duplicate module into a module file 2024-07-31 11:04:03 +02:00
am0o0
701e3d7e53 add same query but with local source support to comply with the CVE-2021-37580 2024-07-31 10:58:22 +02:00
am0o0
40eef25133 use more specefic Classes instead of Call 2024-07-30 18:07:03 +02:00
Chris Smowton
8f52b2cd95 Fix link 2024-07-30 12:23:38 +01:00
Chris Smowton
a781522ca0 Copyedit documentation 2024-07-30 12:19:16 +01:00
am0o0
4dc1a10f71 update tests for zip4j, add aditional flow steps for zip4j, remove BombTypeInputStream class since we don't need it anymore, add a predicate which was for testing porpose and was junk 2024-07-29 18:10:04 +02:00
am0o0
c8749ff82e Merge branch 'amammad-java-bombs' of https://github.com/am0o0/codeql into amammad-java-bombs 2024-07-28 12:15:23 +02:00
am0o0
0593eaad52 we don't need ConstructorCall for ZipFile anymore since we have a more accurate sink for this 2024-07-28 12:12:07 +02:00
am0o0
cc752113af we don't need TypeInputStreamConstructorArgumentSink anymore 2024-07-28 12:09:52 +02:00
am0o0
7689db7d42 change apache commons sink 2024-07-28 12:09:33 +02:00
am0o0
b5e7716579 remove flow states, remove string as sources 2024-07-28 11:26:18 +02:00
am0o0
85b02b1399 use MethodCall instead of MethodAccess, change query id 2024-07-28 10:42:44 +02:00
am0o0
494f0b709e Merge branch 'main' into amammad-java-JWT 2024-07-28 10:37:26 +02:00
am0o0
14cf47b906 comply with PascalCase/camelCase, remove redundant import 2024-07-28 10:28:28 +02:00
Owen Mansel-Chan
9a66e66d66 Merge branch 'main' into amammad-java-bombs 2024-07-18 21:28:23 +01:00
am0o0
7bb7d83b26 remove duplicate sinks 
replace some RefType with DecompressionBomb::BombTypeInputStream
 2024-07-18 20:55:59 +02:00
am0o0
025aa77e79 add the snappy missed sink 2024-07-13 11:15:45 +02:00
am0o0
8c106964ec remove duplicate parts thanks to @owen-mc 2024-07-13 11:11:07 +02:00
am0o0
8ba48e801a fix examples 2024-07-13 10:28:19 +02:00
am0o0
dd3cc33298 move DecompressionBombsFlow::PathGraph to DecompressionBomb.ql 2024-07-13 10:24:07 +02:00
Am
a3b5d2a28d Update java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.qhelp 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2024-07-13 10:20:43 +02:00
Am
4fbf76008e Update java/ql/src/experimental/Security/CWE/CWE-522-DecompressionBombs/DecompressionBomb.qhelp 
Co-authored-by: Owen Mansel-Chan <62447351+owen-mc@users.noreply.github.com>
 2024-07-13 10:20:25 +02:00
am0o0
7a5838f1a2 MethodAccess => MethodCall 2024-07-09 19:43:22 +02:00
am0o0
e87d2fe922 remove redundent imports 2024-07-09 19:41:06 +02:00
am0o0
fe1103d997 add stubs, upgrade test to inline test, update test files 2024-07-04 15:25:36 +02:00
am0o0
a6833945c1 remove additional taint steps and flow states 2024-07-01 16:07:44 +02:00
am0o0
d31711bd89 merge all ne flow sources into one by extending current abstract class 2024-07-01 15:16:44 +02:00
am0o0
f1324a413a update qlhelp 2024-07-01 15:09:56 +02:00
Jonathan Leitschuh
472cca9221 Align Java CommandInjectionRuntimeExec.ql Severity 
Align severity with other command injection vulnerabilities:

- 4a448f445e/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql (L8)
- 4a448f445e/go/ql/src/Security/CWE-078/CommandInjection.ql (L7)
- 4a448f445e/swift/ql/src/queries/Security/CWE-078/CommandInjection.ql (L7)
- 4a448f445e/javascript/ql/src/Security/CWE-078/CommandInjection.ql (L7)
 2024-06-21 10:29:27 -04:00
Michael Nebel
b1329fd806 Merge pull request #16362 from michaelnebel/java/removelocalqueries 
Java: Remove local query variants.
 2024-05-16 14:34:04 +02:00
Anders Schack-Mulligen
76e740bc1d Java: Clean up some instances of getQualifiedName. 2024-05-13 13:06:44 +02:00
am0o0
02b0b402d6 remove useless predicate 
add missed FlowState
 2024-05-12 19:29:37 +02:00
am0o0
be03e582c6 remove isBarrier 2024-05-12 18:17:47 +02:00
am0o0
9fffd7846a remove empty predicates, fix FP for zipFile 2024-05-12 18:16:57 +02:00
am0o0
c9daf914cb remove unused predicate 2024-05-12 14:09:55 +02:00
am0o0
3eb5778543 upgrade FlowState to new DecompressionState 2024-05-12 14:08:52 +02:00
am0o0
e23cbeda24 update to MethodCall 2024-05-12 13:54:21 +02:00
am0o0
4b68dd2315 add new additional taint steps, fix some comments 2024-05-12 13:51:08 +02:00
Am
9946e07f36 Merge branch 'github:main' into amammad-java-bombs 2024-05-12 13:17:02 +02:00
Michael Nebel
85a4dd0325 Java: Deprecate the local content of CommandLineQuery and remove the exec tainted local query variant. 2024-05-01 13:07:20 +02:00
Jami Cogswell
658fffeac1 Java: remove experimental files 2024-03-17 22:03:59 -04:00
Tony Torralba
2a146405ac Adjust tests 2024-01-26 12:38:32 +01:00
Tony Torralba
19cb7adb6d Migrate path injection sinks to MaD 
Deprecate and stop using PathCreation

Path creation sinks are now summaries
 2024-01-26 12:19:54 +01:00
Ed Minnix
fb80c5ea84 Rename SimpleScalarSanitizer to SimpleTypeSanitizer 2024-01-22 23:55:29 -05:00