edvraa
7cbbd6cc89
Simplify query
2021-03-31 15:35:54 +03:00
edvraa
94234b8b02
Rename ObjectMethodSink to InstanceMethodSink
2021-03-31 15:22:30 +03:00
edvraa
ac29184521
deserialization sinks
2021-03-20 21:50:46 +02:00
Tom Hvitved
d53faa86dc
C#: Restrict FormatInvalid.ql and UncontrolledFormatString.ql to calls with insertions
2020-12-18 10:53:11 +01:00
Tamas Vajk
24670160c2
Address code review findings
2020-12-04 13:26:53 +01:00
Tamas Vajk
cd5c1f06ee
C#: Add queries to check untrusted data flow to external APIs
2020-12-04 13:26:53 +01:00
Anders Schack-Mulligen
8f2094f0bf
Autoformat.
2020-11-30 14:42:38 +01:00
Chris Smowton
578ea1ae43
Fix OWASP broken links
2020-10-01 13:09:52 +01:00
Tamás Vajk
5ab5e75b85
Merge pull request #4255 from fatenhealy/IncreaseInsufficientKeySizeValue
...
Increase insufficient key size value from 1024 to 2048
2020-09-22 23:06:12 +02:00
Faten Healy
c35a5d120a
C#: Increasing required size of RSA key to 2048
2020-09-22 11:09:49 +02:00
Tom Hvitved
aac2e0ebfb
C#: Avoid bad magic in RuntimeChecksBypass.ql
...
Before:
```
[2020-09-18 14:03:57] (2587s) Tuple counts for RuntimeChecksBypass::uncheckedWrite#bbf#antijoin_rhs#1:
1270 ~8% {2} r1 = SCAN RuntimeChecksBypass::uncheckedWrite#bbf#shared AS I OUTPUT I.<1>, I.<0>
188197390 ~0% {3} r2 = JOIN r1 WITH #Callable::Callable::calls_dispred#bfPlus AS R ON FIRST 1 OUTPUT R.<1>, r1.<1>, r1.<0>
2425784042 ~1% {3} r3 = JOIN r2 WITH Expr::Expr::getEnclosingCallable_dispred#ff_10#join_rhs AS R ON FIRST 1 OUTPUT r2.<1>, R.<1>, r2.<2>
58 ~9% {2} r4 = JOIN r3 WITH project#RuntimeChecksBypass::checkedWrite#bfff AS R ON FIRST 2 OUTPUT r3.<0>, r3.<2>
return r4
```
After:
```
[2020-09-18 14:08:48] (5s) Tuple counts for RuntimeChecksBypass::uncheckedWrite#fff#antijoin_rhs:
24704473 ~2% {2} r1 = SCAN DataFlowPublic::localExprFlow#ff AS I OUTPUT I.<1>, I.<0>
23784154 ~6% {4} r2 = JOIN r1 WITH Expr::Expr::getEnclosingCallable_dispred#ff AS R ON FIRST 1 OUTPUT r1.<1>, 28, R.<0>, R.<1>
201391 ~2% {2} r3 = JOIN r2 WITH expressions AS R ON FIRST 2 OUTPUT r2.<2>, r2.<3>
23784154 ~0% {3} r4 = JOIN r1 WITH Expr::Expr::getEnclosingCallable_dispred#ff AS R ON FIRST 1 OUTPUT r1.<1>, R.<0>, R.<1>
1065242 ~20% {2} r5 = JOIN r4 WITH expr_value AS R ON FIRST 1 OUTPUT r4.<1>, r4.<2>
1266633 ~16% {2} r6 = r3 \/ r5
return r6
```
2020-09-18 14:15:30 +02:00
Gavin Lang
7a023a65b0
Grammatical issues in Encryption using ECB.qhelp
2020-06-30 15:33:05 +10:00
Tom Hvitved
652de80fa5
C#: Enable syntax highlighting in QLDoc snippets
2020-06-23 16:56:56 +02:00
Tom Hvitved
1e8b7ed367
C#: Avoid multiple taint-tracking configurations
...
The taint-tracking configuration in `ExposureOfPrivateInformation.ql`
overlaps with the XSS taint-tracking configuration, as witnessed by this import chain:
```
semmle.code.csharp.security.dataflow.ExposureOfPrivateInformation.qll imports
semmle.code.csharp.security.dataflow.flowsinks.ExternalLocationSink imports
semmle.code.csharp.security.dataflow.flowsinks.Remote imports
semmle.code.csharp.security.dataflow.XSS
```
(The same for `CleartextStorage.qll` and `LogForging.ql`.)
The fix is to use `TaintTracking2` for the XSS configuration.
2020-06-02 14:42:35 +02:00
Tom Hvitved
a4d933d1d6
C#: More results for cs/web/missing-x-frame-options
...
Report an alert in _any_ `Web.config` file, as long as it does not have an
`X-Frame-Options` entry (as opposed to only reporting alerts when _all_
`Web.config` files lack the entry).
2020-05-04 09:17:08 +02:00
Tom Hvitved
54677189de
C#: Introduce RemoteFlowSink class
2020-03-25 20:05:39 +01:00
Tom Hvitved
142737dc61
C#: Move HtmlSinks from XSS.qll into separate file
2020-03-25 20:05:39 +01:00
Tom Hvitved
fddbce0b7b
C#: Move all predefined sources and sinks into security/dataflow/flow{sinks,sources}
2020-03-25 20:05:39 +01:00
Tom Hvitved
78380f5d59
Merge pull request #2658 from calumgrant/cs/serialization-check-bypass-type
...
C#: Fix cs/serialization-check-bypass
2020-02-12 10:26:01 +01:00
Calum Grant
803cb3f4d1
C#: Address review comment
...
- Flow from expressions with a value is excluded.
2020-02-10 16:02:29 +00:00
Jonas Jensen
c4d2163321
Merge pull request #2673 from aschackmull/ql/autoformat-comparisonterm
...
Java/C++/C#: Autoformat comparison terms
2020-01-30 08:47:50 +01:00
Calum Grant
7caae01ad1
C#: Exclude fields that are created
2020-01-29 15:47:12 +00:00
Tom Hvitved
474815bf57
Merge pull request #2660 from calumgrant/cs/release-notes
...
C#: Add release notes and precisions to queries
2020-01-29 16:05:45 +01:00
Anders Schack-Mulligen
726a873c3e
C#: Autoformat.
2020-01-29 13:15:00 +01:00
Calum Grant
c0379cc3f1
C#: Address review comment: an SQL
2020-01-29 11:46:28 +00:00
Calum Grant
3d460aeb44
C#: ZipSlip query reports alert at source
2020-01-21 15:17:06 +00:00
Calum Grant
be68b6f938
C#: Add precision to queries
2020-01-21 13:24:48 +00:00
Calum Grant
6790028d4c
C#: Use guards library
2020-01-15 15:46:19 +00:00
Calum Grant
41b4d70504
C#: Refactor, improve documentation and add tests for cs/serialization-check-bypass
2020-01-03 18:46:39 +00:00
Calum Grant
59ce8842bb
Merge branch 'master' of git.semmle.com:Semmle/ql into ASPNetPagesValidateRequest
...
# Conflicts:
# change-notes/1.24/analysis-csharp.md
2019-12-05 15:58:47 +00:00
Paulino Calderon
5fd0662264
Update csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.qhelp
...
Fixes typo
Co-Authored-By: James Fletcher <42464962+jf205@users.noreply.github.com >
2019-12-02 16:44:39 -05:00
Paulino Calderon
9576e2a698
Update csharp/ql/src/Security Features/CWE-016/ASPNetPagesValidateRequest.qhelp
...
Adds missing code tags
Co-Authored-By: James Fletcher <42464962+jf205@users.noreply.github.com >
2019-12-02 16:43:51 -05:00
Paulino Calderon
8026925a3a
Update csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.ql
...
Added missing quotes.
Co-Authored-By: James Fletcher <42464962+jf205@users.noreply.github.com >
2019-11-29 22:39:50 -05:00
Paulino Calderon
879d34d24d
Update csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.qhelp
...
Missing comma.
Co-Authored-By: James Fletcher <42464962+jf205@users.noreply.github.com >
2019-11-29 22:39:29 -05:00
Paulino Calderon
22964cba74
Update csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.qhelp
...
Rephrasing.
Co-Authored-By: James Fletcher <42464962+jf205@users.noreply.github.com >
2019-11-29 22:39:04 -05:00
Paulino Calderon
a2dfd551f6
Update csharp/ql/src/Security Features/CWE-016/ASPNetRequestValidationMode.qhelp
...
built in to built-in
Co-Authored-By: James Fletcher <42464962+jf205@users.noreply.github.com >
2019-11-29 22:38:42 -05:00
Calum Grant
30a2620a8c
C#: Tidy up docs, query metadata and add tests.
2019-11-29 10:31:58 +00:00
Paulino Calderon
eeffd7cf8d
Adds CodeQL query to check for Pages validateRequest directive
2019-11-28 14:22:08 +00:00
Calum Grant
d001c3c2d2
C#: Restructure files.
2019-11-27 17:29:53 +00:00
Calum Grant
c906a8238d
C#: Edit qhelp for cs/insecure-request-validation-mode
2019-11-27 16:37:37 +00:00
Calum Grant
4b19f3b6a4
C#: Whitespace edit and edit query metadata.
2019-11-27 16:37:37 +00:00
Paulino Calderon
6f346c6676
Adds CodeQL query to check for insecure RequestValidationMode in ASP.NET
2019-11-27 16:37:37 +00:00
Tom Hvitved
71fd5379c9
C#: Remove tabs from qhelp file
2019-11-25 13:40:44 +01:00
Paulino Calderon
63884c1a86
Mixed spaces and tabs
2019-11-19 13:06:55 -05:00
Paulino Calderon
96a02aba3f
Adds quotes on name and additional info tags
2019-11-19 12:39:10 -05:00
Paulino Calderon
56c12adab7
Adds check for insecure MaxLengthRequest values
2019-11-16 14:21:39 -05:00
Felicity Chapman
c4f958d396
Merge pull request #2263 from sauyon/master
...
Update links to OWASP cheat sheet
2019-11-11 08:51:52 +00:00
semmle-qlci
2b120def01
Merge pull request #2211 from hvitved/csharp/unsafe-deserialization
...
Approved by jf205
2019-11-07 14:16:13 +00:00
Sauyon Lee
0040c9fb4c
Update links to OWASP cheat sheet
2019-11-06 20:21:47 -08:00
Geoffrey White
8c16b36c7f
Merge pull request #2231 from semmledocs-ac/newqueries-docscheck
...
CPP & C#: Review of qhelp (SD-4028)
2019-11-05 11:11:34 +00:00