hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity
63,284 Commits 1,673 Branches 157 Tags
792f302bd4dee4c7558e2ce5bbea7edb51f9896f
Commit Graph

501 Commits

Author SHA1 Message Date
masterofnow
7162540faf Added options, .qhelp and .expected file for unit test. 2023-12-21 19:57:37 +08:00
masterofnow
25c818f425 Added unit test files. 2023-12-21 12:13:00 +08:00
Eric Bickle
000c1f7ec8 Java: Flow taint through ArithExpr for ThreadResourceAbuse 
Ensure that tainted values flow through arithmetic operations when
checking for ThreadResourceAbuse vulnerabilities.

For example, multiplying 'number of seconds' by 1000 as an input
to Thread.Sleep, which accepts milliseconds, is a common scenario.
 2023-10-06 14:24:37 -07:00
aegilops
3658710578 Fixed formatting, committed expected test results 2023-08-03 13:50:40 +01:00
Paul Hodgkinson
3bc7cf6ac7 Merge branch 'main' into java/experimental/command-injection 2023-07-31 19:14:55 +01:00
Anders Schack-Mulligen
ae24d68b5d C/C++/C#/Java/Python/Ruby/Swift: Adjust expected output. 2023-07-19 11:41:15 +02:00
aegilops
8dbb0a51c0 Rewrote tests to work 2023-06-29 09:47:03 +01:00
aegilops
01798f63f8 Switched to new dataflow and added a test (but it doesn't produce results yet) 2023-06-28 17:14:39 +01:00
Anders Schack-Mulligen
a0a9d30286 Java: Fix qltests. 2023-06-09 08:37:35 +02:00
Tony Torralba
6d7234f8ed Merge pull request #13225 from atorralba/atorralba/java/path-injection-mad-sinks-2 
Java: Migrate path injection sinks to models-as-data (simplified)
 2023-06-07 14:27:36 +02:00
Tony Torralba
416d3d587d Accept test changes 
An uncovered test case is now correctly covered
 2023-06-07 10:33:17 +02:00
Tony Torralba
527fe523a8 Add PathCreation.qll sinks to models-as-data 
The old PathCreation sinks can't be removed because doing so would cause alert wobble in the path injection queries. See their getReportingNode predicates.
 2023-06-02 09:14:35 +02:00
Tony Torralba
770099f210 Merge branch 'main' into atorralba/java/promote-xxe-experimental-sinks 2023-05-16 09:49:34 +02:00
Anders Schack-Mulligen
8e6038577d Java: Update expected output. 2023-04-26 14:45:40 +02:00
Tony Torralba
fba61d51ed Remove experimental files 2023-04-26 12:24:30 +02:00
Tony Torralba
7d0680a280 Update JsonpInjection test expectations 2023-04-13 12:06:54 +02:00
Ed Minnix
57886e1713 Moved files from experimental to src/ 2023-03-27 12:16:43 -04:00
Ed Minnix
6de946ef00 Remove experimental files 2023-02-27 12:16:14 +01:00
Ed Minnix
fa6ac063d1 Add com.auth0.jwt.algorithm.Algorithm sinks 
The HMAC* constructors of the com.auth0.jwt.algorithm.Algorithm class
take a secret as a parameter. Therefore, the arguments should be added
to be checked for hardcoded credentials.
 2023-02-27 12:16:14 +01:00
Jami Cogswell
fd593fd4f0 Java: undo changes to tests that were affected by numeric-flow summary models 2023-01-11 22:34:19 -05:00
Jami Cogswell
f933fc75cd Java: update another test affected by Integer.parseInt, and one affected by String.length 2022-12-18 21:46:43 -05:00
Jami Cogswell
f3fc68352e Java: update tests affected by Integer.parseInt model 2022-12-18 19:43:32 -05:00
retanoj
8ee418405b consider blankspace / comma /dot field 2022-12-07 10:06:39 +08:00
retanoj
de652e1e27 expected 2022-12-06 18:09:48 +08:00
retanoj
fb8559f03a tiny fix function name 2022-12-06 18:03:00 +08:00
retanoj
d2140eb4b1 MyBatisAnnotationSqlInjection no @Param case 2022-12-06 17:07:49 +08:00
Tony Torralba
4bbc1dc734 Update test expectations 2022-11-24 12:34:48 +01:00
Tony Torralba
443d0f50c1 Apply suggestions from code review 2022-11-24 11:10:07 +01:00
ka1n4t
d113fb23c8 Add test case for PR-11368 2022-11-23 11:05:58 +08:00
Jami
8a73675483 Merge pull request #11070 from jcogs33/java-regex-injection 
Java: Promote regex injection query from experimental
 2022-11-21 15:04:26 -05:00
Jami Cogswell
32b140045e move files out of experimental 2022-11-08 15:29:32 -05:00
Jami Cogswell
9b7df354e6 move files 2022-10-11 16:56:10 -04:00
Tony Torralba
4e29c39c78 Merge ZipSlip sanitization logic into PathSanitizer.qll 
Apply code review suggestions regarding weak sanitizers
 2022-10-04 12:27:01 +02:00
erik-krogh
129cda00db get a few more queries in sync with other languages 2022-10-01 11:17:48 +02:00
erik-krogh
7d643e41f3 Merge branch 'main' into java-followMsg 2022-10-01 10:48:06 +02:00
Jami
56e3334c6d Merge pull request #10479 from jcogs33/android-service-sources 
Java: add Android service sources
 2022-09-27 12:40:18 -04:00
erik-krogh
46b5bf32f9 update alert-messsages of java queries 2022-09-26 12:15:25 +02:00
Jami Cogswell
9b4201f880 update FileService 2022-09-23 22:46:55 -04:00
Jami Cogswell
1e01657577 add onBind to FileService to see if it fixes Java Language Tests failure 2022-09-23 18:59:27 -04:00
luchua-bc
e33d786745 Add test cases and reduce FPs 2022-09-23 12:31:16 +00:00
luchua-bc
b3572747f0 Simplify test case and minor update to the query 2022-09-23 12:31:15 +00:00
luchua-bc
311c9e4719 Query to detect unsafe resource loading in Java Spring applications 2022-09-23 12:31:15 +00:00
Tony Torralba
cd61bd0606 Move files from experimental 2022-09-07 13:13:40 +02:00
Tony Torralba
2ec53bf78c Merge pull request #9873 from luchua-bc/java/permissive-dot-regex 
Java: CWE-625 Query to detect regex dot bypass
 2022-08-31 10:24:18 +02:00
luchua-bc
e2e87980cc Move pattern check to MatchRegexConfiguration::isSink 2022-08-30 22:48:12 +00:00
Erik Krogh Kristensen
06afe9c0f4 Merge pull request #9816 from erik-krogh/msgConsis 
Make alert messages consistent across languages
 2022-08-25 15:20:01 +02:00
Ian Lynagh
237b3670b4 Make *.xml non-executable 2022-08-24 16:53:48 +01:00
Ian Lynagh
bb73767042 Make *.java non-executable 2022-08-24 16:38:03 +01:00
erik-krogh
27fcc90a97 Merge branch 'main' into msgConsis 2022-08-24 09:21:43 +02:00
Chris Smowton
0a7350f3bf Merge pull request #10041 from smowton/AddSensitiveApiCalls 
Java: support more libraries in hardcoded-credentials queries
 2022-08-23 10:51:04 +01:00