Erik Krogh Kristensen
|
69353bb014
|
patch upper-case acronyms to be PascalCase
|
2022-03-11 11:10:33 +01:00 |
|
Tamas Vajk
|
e8bf94faf9
|
C#: Downgrade hardcoded credentials queries to medium precision
|
2022-02-15 09:34:20 +01:00 |
|
Erik Krogh Kristensen
|
3c59aa319e
|
Merge pull request #7245 from erik-krogh/explicit-this-all-the-places
All langs: apply the explicit-this patch to all remaining code
|
2021-12-07 10:40:26 +01:00 |
|
Erik Krogh Kristensen
|
6ff8d4de5c
|
add all remaining explicit this
|
2021-11-26 13:50:10 +01:00 |
|
Rasmus Wriedt Larsen
|
9710aeecbf
|
Python/C#: Add CWE-1333 to redos queries
As is already done in JS and Ruby.
|
2021-11-09 16:10:38 +01:00 |
|
Tom Hvitved
|
51f4f57617
|
C#: Use cs/ prefix in all query IDs
|
2021-11-03 10:25:21 +01:00 |
|
Rasmus Wriedt Larsen
|
8f52089475
|
C#: Fix CWE tag for cs/insufficient-key-size
Since this targets
CWE-326 Inadequate Encryption Strength
> The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
> \- https://cwe.mitre.org/data/definitions/326.html
and not
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
> The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
> \- https://cwe.mitre.org/data/definitions/327.html
This matches what we do for similar query in Python: https://github.com/github/codeql/blob/main/python/ql/src/Security/CWE-326/WeakCryptoKey.ql
|
2021-09-07 12:59:10 +02:00 |
|
Tom Hvitved
|
7e1efbdd8e
|
C#: Use data flow instead of taint tracking in InsecureSQLConnection.ql
|
2021-08-26 13:48:57 +02:00 |
|
Tamás Vajk
|
763de4fff9
|
Merge pull request #6425 from raulgarciamsft/insecureRandom_potential_fix
C#: Adding Membership.GeneratePassword() as a bad source of random data
|
2021-08-19 11:16:26 +02:00 |
|
Tamas Vajk
|
d97525e21e
|
Fix minor quality issues in comment and change note
|
2021-08-19 09:30:23 +02:00 |
|
Tom Hvitved
|
44ff623d8c
|
Merge pull request #5508 from edvraa/deserializers
deserialization sinks
|
2021-08-17 11:41:52 +02:00 |
|
Tamás Vajk
|
c1cf2a1c5f
|
Merge pull request #5579 from edvraa/cookies
C#: HttpOnly and Secure cookie queries
|
2021-08-09 08:58:11 +02:00 |
|
Raul Garcia (MSFT)
|
7340a1293f
|
Fixing query & test
|
2021-08-04 19:37:57 -07:00 |
|
Raul Garcia (MSFT)
|
8544356f90
|
Adding Membership.GeneratePassword() as a bad source of random data because of the bias.
|
2021-08-04 17:12:00 -07:00 |
|
edvraa
|
d1e41689bb
|
Merge with main
|
2021-08-04 14:25:34 +03:00 |
|
edvraa
|
fd4d8e2595
|
Use HasFlow instead HasFlowPath
|
2021-07-14 16:06:34 +03:00 |
|
edvraa
|
a0942e0360
|
JsonConvert
|
2021-07-12 15:23:04 +03:00 |
|
edvraa
|
1682e993bc
|
Merge with Main
|
2021-07-12 11:32:47 +03:00 |
|
edvraa
|
2c9d6827ad
|
comments
|
2021-07-12 01:13:40 +03:00 |
|
edvraa
|
89c4102462
|
HttpOnly and Secure cookie queries
|
2021-07-12 01:13:39 +03:00 |
|
Tom Hvitved
|
4de4753c67
|
C#: Remove Query.qll top-level modules
|
2021-07-04 09:35:27 +02:00 |
|
Tom Hvitved
|
c812d4e4e8
|
C#: Add Query suffix to libraries that should only be imported by queries
|
2021-07-04 09:35:26 +02:00 |
|
Calum Grant
|
771e686946
|
Update security-severity scores
|
2021-06-15 13:25:17 +01:00 |
|
Calum Grant
|
a594afb828
|
Add security-severity metadata
|
2021-06-10 20:11:08 +01:00 |
|
Chris Smowton
|
455b840712
|
Fix all dead qhelp links
For those documents with no obvious new home I've pointed the links to the Internet Archive.
|
2021-04-23 15:20:21 +01:00 |
|
edvraa
|
c9c9758e01
|
Make similarly named files in tests and qhelp in sync
|
2021-04-22 12:23:46 +03:00 |
|
edvraa
|
57689df5aa
|
Remove DataFlow::Node
|
2021-04-21 19:29:30 +03:00 |
|
edvraa
|
a93d6a3ef6
|
Remove SafeConstructorTrackingConfig
|
2021-04-21 17:16:54 +03:00 |
|
edvraa
|
808444986d
|
Get rid of UnsafeDeserializerCallable
|
2021-04-21 17:06:20 +03:00 |
|
edvraa
|
b6952d541a
|
get rid of getParent
|
2021-04-21 16:55:34 +03:00 |
|
edvraa
|
3ac5f7bb18
|
Move RemoteSource and LocalSource to UnsafeDeserialization.qll
|
2021-04-21 13:27:26 +03:00 |
|
edvraa
|
c3deb48efa
|
Charpred for InstanceMethodSink
|
2021-04-16 17:19:42 +03:00 |
|
edvraa
|
3aedd2c1f4
|
Use TaintTracking2
|
2021-04-15 22:12:01 +03:00 |
|
edvraa
|
773556e5e0
|
Use hasFlow where path is not needed
|
2021-04-15 16:27:09 +03:00 |
|
edvraa
|
b027fddc7e
|
Remove redundant check
|
2021-04-15 00:14:09 +03:00 |
|
edvraa
|
a4fd70aa3d
|
Use don't care expression
|
2021-04-14 23:35:38 +03:00 |
|
edvraa
|
13080703b9
|
Make query symmetric
|
2021-03-31 15:59:19 +03:00 |
|
edvraa
|
f8867e40a7
|
Rename deserializeCall to deserializeCallArg
|
2021-03-31 15:49:17 +03:00 |
|
edvraa
|
aa9d84854f
|
Rename taint tracking variables
|
2021-03-31 15:42:52 +03:00 |
|
edvraa
|
7cbbd6cc89
|
Simplify query
|
2021-03-31 15:35:54 +03:00 |
|
edvraa
|
94234b8b02
|
Rename ObjectMethodSink to InstanceMethodSink
|
2021-03-31 15:22:30 +03:00 |
|
Tom Hvitved
|
b94c189946
|
C#: Remove VulnerablePackage.ql query
|
2021-03-25 09:50:24 +01:00 |
|
edvraa
|
ac29184521
|
deserialization sinks
|
2021-03-20 21:50:46 +02:00 |
|
Tom Hvitved
|
d53faa86dc
|
C#: Restrict FormatInvalid.ql and UncontrolledFormatString.ql to calls with insertions
|
2020-12-18 10:53:11 +01:00 |
|
Tamas Vajk
|
24670160c2
|
Address code review findings
|
2020-12-04 13:26:53 +01:00 |
|
Tamas Vajk
|
cd5c1f06ee
|
C#: Add queries to check untrusted data flow to external APIs
|
2020-12-04 13:26:53 +01:00 |
|
Anders Schack-Mulligen
|
8f2094f0bf
|
Autoformat.
|
2020-11-30 14:42:38 +01:00 |
|
Chris Smowton
|
578ea1ae43
|
Fix OWASP broken links
|
2020-10-01 13:09:52 +01:00 |
|
Tamás Vajk
|
5ab5e75b85
|
Merge pull request #4255 from fatenhealy/IncreaseInsufficientKeySizeValue
Increase insufficient key size value from 1024 to 2048
|
2020-09-22 23:06:12 +02:00 |
|
Faten Healy
|
c35a5d120a
|
C#: Increasing required size of RSA key to 2048
|
2020-09-22 11:09:49 +02:00 |
|