Tony Torralba
b7364f5428
Update UnsafeDeserialization.qhelp
...
Move the table under <recommendation>, minor fixes.
2023-01-10 11:18:56 -05:00
Jonathan Leitschuh
3fa11c21c3
[Java] Document fixes for deserialization vulnerabilities by framework
...
Related https://github.com/github/codeql/issues/11603
2023-01-10 11:18:56 -05:00
Ed Minnix
909b1d70d9
Rename files to say "Allow" instead of "Permit"
2023-01-09 10:11:03 -05:00
Ed Minnix
f626d4794a
Change wording from "permit" to "allow" in id and name
2023-01-09 10:03:12 -05:00
Ed Minnix
64668883a4
Add good example to documentation
2023-01-09 09:59:38 -05:00
Ed Minnix
2ec73c50f9
Mention WebView in alert message
2023-01-09 09:55:09 -05:00
Chris Smowton
ef27f9fe96
Replace one more mention of escaping
2023-01-09 10:56:13 +00:00
Chris Smowton
45c732a6f9
Java: improve naming and description of SqlUnescaped.ql
...
Since the main thing it's objecting to is concatenation not lack of escaping (in particular it doesn't look for escaping sanitizers), rename and re-describe it accordingly.
2023-01-09 10:56:13 +00:00
Ed Minnix
28ad9d00fb
Merge both setAllowContentAccess queries into one query
...
Previously, the query to detect whether or not access to `content://`
links was done using two queries.
Now they can be merged into one query
2023-01-03 15:17:07 -05:00
Ed Minnix
35de551f6b
Formatting
2022-12-31 17:19:49 -05:00
Ed Minnix
df1a4d2ed1
Documentation fix: Add state1 and state2 to documentation
2022-12-31 15:25:37 -05:00
Ed Minnix
02f70f3536
Add @security-severity tag
2022-12-31 15:00:28 -05:00
Edward Minnix III
1d345c6101
Refactoring and simplification
...
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
2022-12-31 15:00:28 -05:00
Ed Minnix
5265cb4b03
Merge two dataflow configurations into one taint tracking
2022-12-31 15:00:28 -05:00
Ed Minnix
973f649e76
Break dataflow into two steps in order to capture flow from WebView to settings call
2022-12-31 15:00:28 -05:00
Ed Minnix
0e15dd9fa9
Query metadata
2022-12-31 15:00:28 -05:00
Edward Minnix III
778749184b
Change id to use android/ instead of prepending android-
...
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
2022-12-31 15:00:28 -05:00
Ed Minnix
da25c586e6
Dataflow query for detecting paths that disable content access
...
Since the default value is `true`, we need to determine whether or not
the `setAllowContentAccess` method is ever called using dataflow.
2022-12-31 15:00:28 -05:00
Ed Minnix
8a763015e6
Reduce precision rating to medium
...
This query won't always be a security problem, so it should have a lower
precision rating than `high`.
2022-12-31 15:00:28 -05:00
Ed Minnix
e4e13d38b7
Java: query for Android WebView setAllowContentAccess
2022-12-31 15:00:28 -05:00
Tony Torralba
345c383acc
Fix new Android queries' IDs
2022-12-21 09:36:57 +01:00
Tony Torralba
149cae9603
Merge pull request #10971 from joefarebrother/android-certificate-pinning
...
Java: Add Android missing certificate pinning query (CWE-295)
2022-12-20 11:03:16 +01:00
Tony Torralba
a47ef17a0d
Update java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning1.java
...
Co-authored-by: Edward Minnix III <egregius313@github.com>
2022-12-19 18:11:54 +01:00
Edward Minnix III
39a7c7bb12
Merge pull request #11282 from egregius313/egregiu313/webview-addjavascriptinterface
...
Java: Query for detecting addJavascriptInterface method calls
2022-12-19 11:28:45 -05:00
Tony Torralba
624c9ff834
Update java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning1.java
2022-12-19 17:26:41 +01:00
Tony Torralba
0c6ace350f
Update java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql
...
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
2022-12-19 16:24:39 +01:00
Tony Torralba
484a16ce1b
Update java/ql/src/Security/CWE/CWE-295/AndroidMissingCertificatePinning.ql
2022-12-19 12:10:32 +01:00
Tony Torralba
a880fecc8b
Apply suggestions from code review
...
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
2022-12-19 11:56:36 +01:00
Ed Minnix
72484b9483
Change wording of addJavascriptInterface query description
2022-12-14 16:19:03 -05:00
Edward Minnix III
40c759e61a
Add @name property
...
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
2022-12-13 16:14:28 -05:00
Edward Minnix III
a2c886d367
Grammar and wording changes from docs review
...
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
2022-12-13 11:57:46 -05:00
Erik Krogh Kristensen
636d5e341c
Merge pull request #11652 from erik-krogh/static-useInstanceOf
...
Java/C#/GO: Use instanceof in more places
2022-12-12 17:52:04 +01:00
Edward Minnix III
0ebfee8b11
Merge pull request #11241 from egregius313/egregius313/webview-file-access
...
Java: Query to detect Android Webview file access
2022-12-12 11:12:26 -05:00
erik-krogh
8262fbbfb5
Java/C#/GO: Use instanceof in more places
2022-12-11 18:32:19 +01:00
Edward Minnix III
4278997a2c
Reword WebView file access query description
...
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
2022-12-09 11:36:09 -05:00
Edward Minnix III
8c8e71dd82
Grammar, concision, and style edits
...
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
2022-12-09 11:35:02 -05:00
Joe Farebrother
a14ebb7c03
Fixes
2022-12-09 13:41:18 +00:00
Joe Farebrother
603c1c1693
Add the domain used to the alert message
2022-12-09 13:41:18 +00:00
Joe Farebrother
ceb253e6d1
Add qhelp
2022-12-09 13:41:18 +00:00
Joe Farebrother
749ecab6b1
Add security severity
2022-12-09 13:41:18 +00:00
Joe Farebrother
c8aca06190
Implement pinning through a TrustManager
...
+ Fix that the query was accidentally placed in experimental
2022-12-09 13:41:18 +00:00
Edward Minnix III
170c9af9e8
Merge pull request #11238 from egregius313/egregius313/webview-setjavascriptenabled
...
Java: Query for detecting enabling Javascript in Android WebSettings
2022-12-07 09:31:58 -05:00
Ed Minnix
1c81f8d8d5
Apply suggestion from docs review
2022-12-06 15:32:54 -05:00
Mauro Baluda
7c4b76b08b
Update InsecureCookie.ql
2022-12-05 12:55:53 +01:00
Mauro Baluda
16d7dc0853
Restrict DF configuration
2022-12-05 11:02:19 +01:00
Ed Minnix
7c4bd509a7
Java: add AssetLoader example to WebView file access documentation
2022-12-02 14:43:52 -05:00
Mauro Baluda
f3f8f35069
Update InsecureCookie.ql
...
Support interprocedural setting of cookie security
2022-12-02 17:37:23 +01:00
Edward Minnix III
55090ecb65
Java: Typos and minor fixes
...
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
2022-12-02 09:17:41 -05:00
Chris Smowton
6e98c67869
Java: fix syntax error in path-injection example fix
2022-12-02 10:04:53 +00:00
Ed Minnix
04829fc38e
Java: SQLInjection example for addJavaScriptInterface query
2022-11-30 13:32:28 -05:00