Commit Graph

163 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
69353bb014 patch upper-case acronyms to be PascalCase 2022-03-11 11:10:33 +01:00
Tamas Vajk
e8bf94faf9 C#: Downgrade hardcoded credentials queries to medium precision 2022-02-15 09:34:20 +01:00
Erik Krogh Kristensen
3c59aa319e Merge pull request #7245 from erik-krogh/explicit-this-all-the-places
All langs: apply the explicit-this patch to all remaining code
2021-12-07 10:40:26 +01:00
Erik Krogh Kristensen
6ff8d4de5c add all remaining explicit this 2021-11-26 13:50:10 +01:00
Rasmus Wriedt Larsen
9710aeecbf Python/C#: Add CWE-1333 to redos queries
As is already done in JS and Ruby.
2021-11-09 16:10:38 +01:00
Tom Hvitved
51f4f57617 C#: Use cs/ prefix in all query IDs 2021-11-03 10:25:21 +01:00
Rasmus Wriedt Larsen
8f52089475 C#: Fix CWE tag for cs/insufficient-key-size
Since this targets

CWE-326 Inadequate Encryption Strength

> The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
> \- https://cwe.mitre.org/data/definitions/326.html

and not

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

> The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
> \- https://cwe.mitre.org/data/definitions/327.html

This matches what we do for similar query in Python: https://github.com/github/codeql/blob/main/python/ql/src/Security/CWE-326/WeakCryptoKey.ql
2021-09-07 12:59:10 +02:00
Tom Hvitved
7e1efbdd8e C#: Use data flow instead of taint tracking in InsecureSQLConnection.ql 2021-08-26 13:48:57 +02:00
Tamás Vajk
763de4fff9 Merge pull request #6425 from raulgarciamsft/insecureRandom_potential_fix
C#: Adding Membership.GeneratePassword() as a bad source of random data
2021-08-19 11:16:26 +02:00
Tamas Vajk
d97525e21e Fix minor quality issues in comment and change note 2021-08-19 09:30:23 +02:00
Tom Hvitved
44ff623d8c Merge pull request #5508 from edvraa/deserializers
deserialization sinks
2021-08-17 11:41:52 +02:00
Tamás Vajk
c1cf2a1c5f Merge pull request #5579 from edvraa/cookies
C#: HttpOnly and Secure cookie queries
2021-08-09 08:58:11 +02:00
Raul Garcia (MSFT)
7340a1293f Fixing query & test 2021-08-04 19:37:57 -07:00
Raul Garcia (MSFT)
8544356f90 Adding Membership.GeneratePassword() as a bad source of random data because of the bias. 2021-08-04 17:12:00 -07:00
edvraa
d1e41689bb Merge with main 2021-08-04 14:25:34 +03:00
edvraa
fd4d8e2595 Use HasFlow instead HasFlowPath 2021-07-14 16:06:34 +03:00
edvraa
a0942e0360 JsonConvert 2021-07-12 15:23:04 +03:00
edvraa
1682e993bc Merge with Main 2021-07-12 11:32:47 +03:00
edvraa
2c9d6827ad comments 2021-07-12 01:13:40 +03:00
edvraa
89c4102462 HttpOnly and Secure cookie queries 2021-07-12 01:13:39 +03:00
Tom Hvitved
4de4753c67 C#: Remove Query.qll top-level modules 2021-07-04 09:35:27 +02:00
Tom Hvitved
c812d4e4e8 C#: Add Query suffix to libraries that should only be imported by queries 2021-07-04 09:35:26 +02:00
Calum Grant
771e686946 Update security-severity scores 2021-06-15 13:25:17 +01:00
Calum Grant
a594afb828 Add security-severity metadata 2021-06-10 20:11:08 +01:00
Chris Smowton
455b840712 Fix all dead qhelp links
For those documents with no obvious new home I've pointed the links to the Internet Archive.
2021-04-23 15:20:21 +01:00
edvraa
c9c9758e01 Make similarly named files in tests and qhelp in sync 2021-04-22 12:23:46 +03:00
edvraa
57689df5aa Remove DataFlow::Node 2021-04-21 19:29:30 +03:00
edvraa
a93d6a3ef6 Remove SafeConstructorTrackingConfig 2021-04-21 17:16:54 +03:00
edvraa
808444986d Get rid of UnsafeDeserializerCallable 2021-04-21 17:06:20 +03:00
edvraa
b6952d541a get rid of getParent 2021-04-21 16:55:34 +03:00
edvraa
3ac5f7bb18 Move RemoteSource and LocalSource to UnsafeDeserialization.qll 2021-04-21 13:27:26 +03:00
edvraa
c3deb48efa Charpred for InstanceMethodSink 2021-04-16 17:19:42 +03:00
edvraa
3aedd2c1f4 Use TaintTracking2 2021-04-15 22:12:01 +03:00
edvraa
773556e5e0 Use hasFlow where path is not needed 2021-04-15 16:27:09 +03:00
edvraa
b027fddc7e Remove redundant check 2021-04-15 00:14:09 +03:00
edvraa
a4fd70aa3d Use don't care expression 2021-04-14 23:35:38 +03:00
edvraa
13080703b9 Make query symmetric 2021-03-31 15:59:19 +03:00
edvraa
f8867e40a7 Rename deserializeCall to deserializeCallArg 2021-03-31 15:49:17 +03:00
edvraa
aa9d84854f Rename taint tracking variables 2021-03-31 15:42:52 +03:00
edvraa
7cbbd6cc89 Simplify query 2021-03-31 15:35:54 +03:00
edvraa
94234b8b02 Rename ObjectMethodSink to InstanceMethodSink 2021-03-31 15:22:30 +03:00
Tom Hvitved
b94c189946 C#: Remove VulnerablePackage.ql query 2021-03-25 09:50:24 +01:00
edvraa
ac29184521 deserialization sinks 2021-03-20 21:50:46 +02:00
Tom Hvitved
d53faa86dc C#: Restrict FormatInvalid.ql and UncontrolledFormatString.ql to calls with insertions 2020-12-18 10:53:11 +01:00
Tamas Vajk
24670160c2 Address code review findings 2020-12-04 13:26:53 +01:00
Tamas Vajk
cd5c1f06ee C#: Add queries to check untrusted data flow to external APIs 2020-12-04 13:26:53 +01:00
Anders Schack-Mulligen
8f2094f0bf Autoformat. 2020-11-30 14:42:38 +01:00
Chris Smowton
578ea1ae43 Fix OWASP broken links 2020-10-01 13:09:52 +01:00
Tamás Vajk
5ab5e75b85 Merge pull request #4255 from fatenhealy/IncreaseInsufficientKeySizeValue
Increase insufficient key size value from 1024 to 2048
2020-09-22 23:06:12 +02:00
Faten Healy
c35a5d120a C#: Increasing required size of RSA key to 2048 2020-09-22 11:09:49 +02:00