1297 Commits

Author	SHA1	Message	Date
Chris Smowton	69549e9ce3	Add unsafe-deserialization support for Jabsorb ... This is partly extracted from https://github.com/github/codeql/pull/5954	2021-08-04 15:35:50 +01:00
Anders Schack-Mulligen	6a09a5667d	Merge pull request #5931 from atorralba/atorralba/promote-jndi-injection ... Java: Promote JNDI Injection query from experimental	2021-08-04 15:48:44 +02:00
Tony Torralba	a046d75ea6	Apply suggestions from code review	2021-08-04 13:15:49 +02:00
Tony Torralba	452fd9a8e3	Refactor to path query	2021-08-04 13:05:18 +02:00
turbo	a8f84da7ac	Update Security-Severity for CWE-918	2021-08-04 12:17:21 +02:00
Tony Torralba	f4bc4df8c1	Renamed JWTQuery so that it's named after the actual query name	2021-08-04 12:08:08 +02:00
Chris Smowton	eaf3d3cc03	Merge pull request #6162 from smowton/smowton/feature/jax-rs-content-type-sensitivity-fixes ... Jax-RS: implement content-type tracking	2021-08-03 14:53:31 +01:00
Anders Schack-Mulligen	7fb1e1578e	Merge pull request #5894 from atorralba/atorralba/promote-ognl-injection ... Java: Promote OGNL Injection query from experimental	2021-08-03 15:31:40 +02:00
Anders Schack-Mulligen	c0d76da1a6	Merge pull request #5846 from atorralba/atorralba/promote-unsafe-android-webview-fetch ... Java: Promote Unsafe resource loading in Android WebView from experimental	2021-08-03 14:24:34 +02:00
Tony Torralba	084cda6daa	Merge branch 'main' into atorralba/promote-groovy-injection	2021-08-03 09:53:46 +02:00
Tony Torralba	08bdd1aa7a	Merge branch 'main' into atorralba/promote-ognl-injection	2021-08-02 16:05:38 +02:00
Anders Schack-Mulligen	53e6ddfeb6	Merge pull request #6001 from atorralba/atorralba/promote-mvel-injection ... Java: Promote MVEL injection query from experimental	2021-08-02 14:40:26 +02:00
Tony Torralba	9b384d84cc	Merge branch 'main' into atorralba/promote-ognl-injection	2021-08-02 14:06:45 +02:00
Tony Torralba	9fadb26325	Fix qhelp sample	2021-08-02 10:00:59 +02:00
Tony Torralba	4435853c8a	Apply suggestions from code review ... Co-authored-by: Felicity Chapman <felicitymay@github.com>	2021-08-02 09:56:40 +02:00
Tony Torralba	29490e5872	Add suggestion from code review	2021-07-29 17:07:18 +02:00
Tony Torralba	6e3b6dcb98	Imporve qhelp	2021-07-29 16:36:38 +02:00
Tony Torralba	bdf0f582a4	QLDoc improvements from code review ... Co-authored-by: Felicity Chapman <felicitymay@github.com> Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>	2021-07-29 16:34:21 +02:00
Tony Torralba	90b5e02b6e	Improve qhelp	2021-07-29 16:28:10 +02:00
Tony Torralba	4ea6729c53	Update java/ql/src/Security/CWE/CWE-347/MissingJWTSignatureCheck.ql ... Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>	2021-07-29 16:10:49 +02:00
mc	0a986ad0e8	Update JndiInjection.qhelp ... Improve negation	2021-07-29 15:10:32 +01:00
Tony Torralba	3edc8bc679	Doc improvements	2021-07-29 15:35:39 +02:00
mc	8f1fc9e893	Update MvelInjection.qhelp ... Minor tweaks	2021-07-29 11:30:19 +01:00
mc	ebf004a4df	Update MissingJWTSignatureCheck.qhelp ... Using same syntax as on other queries for 'BAD' and 'GOOD'.	2021-07-29 09:13:00 +01:00
mc	10a3dcb188	Update GroovyInjection.qhelp	2021-07-27 14:26:49 +01:00
Tony Torralba	26999c7ac4	Decouple UnsafeAndroidAccess.qll to reuse the taint tracking configuration	2021-07-20 17:46:35 +02:00
Tony Torralba	99e66cffa2	Merge branch 'main' into atorralba/promote-unsafe-android-webview-fetch	2021-07-20 17:30:56 +02:00
Tony Torralba	3259ead946	Decouple OgnlInjection.qll to reuse the taint tracking configuration	2021-07-20 17:21:10 +02:00
Tony Torralba	b6904a7992	Merge branch 'main' into atorralba/promote-ognl-injection	2021-07-20 17:17:17 +02:00
Tony Torralba	22c9baa462	Refactor JWT.qll	2021-07-20 17:14:34 +02:00
Tony Torralba	430d9f1834	Merge branch 'main' into atorralba/promote-missing-jwt-signature-check	2021-07-20 16:20:35 +02:00
Tony Torralba	42b6b26c10	Decouple JndiInjection.qll to reuse the taint tracking configuration	2021-07-20 15:38:34 +02:00
Tony Torralba	b8ea833a61	Merge branch 'main' into atorralba/promote-jndi-injection	2021-07-20 15:01:26 +02:00
Tony Torralba	46faf68d64	Decouple MvelInjection.qll to reuse the taint tracking configuration	2021-07-19 13:50:03 +02:00
Tony Torralba	5ca8b380e9	Merge branch 'main' into atorralba/promote-mvel-injection	2021-07-19 13:45:10 +02:00
Tony Torralba	441e8afe81	Decouple GrovyInjection.qll to reuse the taint tracking configuration	2021-07-19 12:53:37 +02:00
Tony Torralba	b08f417a1e	Merge branch 'main' into atorralba/promote-groovy-injection	2021-07-19 12:44:03 +02:00
Artem Smotrakov	6d7cb48054	Refactored the query for unsafe deserialization	2021-07-16 18:25:41 +02:00
Artem Smotrakov	09ae779b21	Removed fromSource() check in looksLikeResolveClassStep()	2021-07-12 19:56:51 +02:00
Artem Smotrakov	ea0991c980	Added Jackson to UnsafeDeserialization.qhelp	2021-07-09 10:17:29 +02:00
Artem Smotrakov	3eb2af1bc2	First draft of sinks for unsafe deserialization with Jackson	2021-07-09 10:16:01 +02:00
Chris Smowton	a51154a8ef	Deduplicate Jexl configuration	2021-07-02 10:02:28 +01:00
Chris Smowton	747a8e4157	Split up JexlInjection.qll ... This avoids a DataFlow2::Configuration being in scope for all queries via the import from ExternalFlow.qll	2021-07-02 10:01:51 +01:00
Chris Smowton	643f7dfb87	Split up Random.qll ... This prevents bringing a dataflow config into scope from utility libraries.	2021-07-02 10:00:49 +01:00
Chris Smowton	d5a9f3d87b	Deduplicate shared body of regular and experimental versions of java/command-line-injection query.	2021-07-01 14:53:56 +01:00
Chris Smowton	3e7ea34054	XSS: expose extension point for defining barrier sinks	2021-06-30 12:04:20 +01:00
intrigus	36575bb26f	Move back to experimental.........	2021-06-25 16:47:25 +02:00
intrigus	fe923facc8	Java: Move comments to separate lines. ... Move comments to separate lines to improve the rendering in the finished query help.	2021-06-25 16:47:25 +02:00
intrigus-lgtm	f527df73d5	Apply suggestions from code review. ... Co-authored-by: Felicity Chapman <felicitymay@github.com>	2021-06-25 16:47:25 +02:00
intrigus	6bfdf8d148	Java: Fix qhelp errors.	2021-06-25 16:47:24 +02:00