hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-09 19:51:07 +01:00
Code Issues Packages Projects Releases Wiki Activity
26,040 Commits 1,689 Branches 160 Tags
9e41f43ee2ccc67cfc811f1f28857e62f8cb7fea
Commit Graph

644 Commits

Author SHA1 Message Date
Daniel Santos
9e41f43ee2 Fix: android.util.Log is final. No inheritance handling is needed. 2021-09-17 10:15:48 -05:00
Daniel Santos
032a7e71fe Update Logging.qll 
Simplified using a set-literal as suggested by @intrigus-lgtm
 2021-09-16 13:03:26 -05:00
Daniel Santos
af8b2b6d9c Fix Android logging signature in java/ql/src/experimental/semmle/code/java/Logging.qll 2021-09-16 11:24:06 -05:00
Tony Torralba
905be67aae Moved from experimental 2021-09-15 17:20:27 +02:00
Erik Krogh Kristensen
6d12c4aab1 use the correct cwe tags 2021-09-14 14:42:23 +02:00
Chris Smowton
2d03840fde Add experimental variants of java/xxe, incorporating new sinks and a version that uses local sources. 
Originally authored by @haby0, squashed to clean up a tangled commit history.
 2021-09-10 13:49:31 +01:00
Chris Smowton
7a0555ecb3 Merge pull request #6357 from artem-smotrakov/static-iv 
Java: Static initialization vector
 2021-08-26 13:45:43 +01:00
Fosstars
1dd4bf00ac Simplify StaticInitializationVectorSource 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-08-26 09:42:23 +02:00
Artem Smotrakov
23e2322635 Simplify ArrayUpdate 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-08-25 19:43:43 +02:00
Artem Smotrakov
f41828e5db Better qldoc in StaticInitializationVectorQuery.qll 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-08-25 19:38:33 +02:00
Fosstars
f97c8bb049 Removed sanitizer in StaticInitializationVectorConfig 2021-08-25 12:40:48 +02:00
Fosstars
86b7b2b86d Updated qldoc for ArrayUpdate 2021-08-25 12:14:36 +02:00
Fosstars
c80a1da483 Don't consider copyOf() and clone() in ArrayUpdate 2021-08-25 12:11:34 +02:00
Fosstars
fbac5891b8 Fixed a typo in qldoc 2021-08-14 21:28:30 +02:00
Fosstars
e2dc9753ac Covered copyOfRange() and clone() in ArrayUpdate 2021-08-14 13:25:46 +02:00
Fosstars
d218813320 Updated qldoc for ArrayUpdate 2021-08-14 13:09:14 +02:00
Fosstars
11992404ec Be precise when checking for Cipher.ENCRYPT_MODE 2021-08-14 12:18:02 +02:00
Fosstars
4e69081c22 Support multi-dimensional arrays 2021-08-13 20:52:27 +02:00
Chris Smowton
5ba9347281 Merge pull request #6006 from artem-smotrakov/timing-attacks 
Java: Timing attacks while comparing results of cryptographic operations
 2021-08-09 15:30:47 +01:00
Fosstars
df0f9ee3a5 Fixed a few typos 2021-08-08 12:50:04 +02:00
Tony Torralba
0356ed7f9e Merge pull request #5911 from atorralba/atorralba/promote-missing-jwt-signature-check 
Java: Promote Missing JWT signature check query from experimental
 2021-08-05 09:43:03 +02:00
Fosstars
b913928294 Renamed queries and merged qhelp files 2021-08-04 17:54:16 +02:00
Anders Schack-Mulligen
6a09a5667d Merge pull request #5931 from atorralba/atorralba/promote-jndi-injection 
Java: Promote JNDI Injection query from experimental
 2021-08-04 15:48:44 +02:00
Anders Schack-Mulligen
7fb1e1578e Merge pull request #5894 from atorralba/atorralba/promote-ognl-injection 
Java: Promote OGNL Injection query from experimental
 2021-08-03 15:31:40 +02:00
Anders Schack-Mulligen
c0d76da1a6 Merge pull request #5846 from atorralba/atorralba/promote-unsafe-android-webview-fetch 
Java: Promote Unsafe resource loading in Android WebView from experimental
 2021-08-03 14:24:34 +02:00
Tony Torralba
084cda6daa Merge branch 'main' into atorralba/promote-groovy-injection 2021-08-03 09:53:46 +02:00
Chris Smowton
fad1622730 Merge pull request #5435 from haby0/DynamicallyLoadedClasses 
Java: CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
 2021-08-02 16:04:30 +01:00
Tony Torralba
08bdd1aa7a Merge branch 'main' into atorralba/promote-ognl-injection 2021-08-02 16:05:38 +02:00
Chris Smowton
8a78075d3d Remove redundant method taint flow specifications 2021-08-02 14:30:31 +01:00
Anders Schack-Mulligen
53e6ddfeb6 Merge pull request #6001 from atorralba/atorralba/promote-mvel-injection 
Java: Promote MVEL injection query from experimental
 2021-08-02 14:40:26 +02:00
Tony Torralba
9b384d84cc Merge branch 'main' into atorralba/promote-ognl-injection 2021-08-02 14:06:45 +02:00
Fosstars
bd7e7b1371 Better qldoc for timing attacks 2021-08-01 10:18:37 +02:00
Fosstars
0fc487fb04 Better qhelp for timing attacks 2021-08-01 09:57:14 +02:00
Artem Smotrakov
9b953cf0fc Apply suggestions from code review 
Co-authored-by: Chris Smowton <smowton@github.com>
 2021-08-01 09:47:07 +02:00
Fosstars
ad54c9d937 Two queries for timing attacks 2021-08-01 09:47:07 +02:00
Artem Smotrakov
e3b6ceade5 Renamed NonConstantTimeCryptoComparison.ql to NonConstantTimeCheckOnSignature.ql 2021-08-01 09:47:06 +02:00
Artem Smotrakov
8b557765b3 Narrow NonConstantTimeCryptoComparison.ql to timing attack on signatures and MACs only 2021-08-01 09:47:06 +02:00
Artem Smotrakov
c359852608 Consider only Cipher.ENCRYPT_MODE in NonConstantTimeCryptoComparison.ql 2021-08-01 09:47:06 +02:00
Artem Smotrakov
1f2a9cdda7 Added taint propagation steps for hashes in NonConstantTimeCryptoComparison.ql 2021-08-01 09:47:06 +02:00
Artem Smotrakov
c96d939cf5 Covered custom fast-fail checks in NonConstantTimeCryptoComparison.ql 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
 2021-08-01 09:47:06 +02:00
Artem Smotrakov
6500a1bbbb More references in NonConstantTimeCryptoComparison.qhelp 2021-08-01 09:47:05 +02:00
Artem Smotrakov
860e8f379e Better signatures in java/non-constant-time-crypto-comparison 2021-08-01 09:47:05 +02:00
Artem Smotrakov
1b4ee05b80 Better docs for java/non-constant-time-crypto-comparison 2021-08-01 09:47:05 +02:00
Artem Smotrakov
295fd686ce Make java/non-constant-time-crypto-comparison a warning 2021-08-01 09:47:04 +02:00
Artem Smotrakov
c977fd09cb Better constant check in java/non-constant-time-crypto-comparison 2021-08-01 09:47:04 +02:00
Artem Smotrakov
d01dc35011 Less duplicate code in java/non-constant-time-crypto-comparison 2021-08-01 09:47:04 +02:00
Artem Smotrakov
a4f3a5a88e Take into account remote user input in java/non-constant-time-crypto-comparison 2021-08-01 09:47:03 +02:00
Artem Smotrakov
8e6d227dc0 More sinks for java/ql/src/experimental/Security/CWE/CWE-208/NonConstantTimeCryptoComparison.ql 2021-08-01 09:47:03 +02:00
Artem Smotrakov
dfa3b523d0 Renamed files 2021-08-01 09:47:03 +02:00
Artem Smotrakov
75f67959f3 Covered Arrays.deepEquals() in NonConstantTimeCryptoComparison.ql 2021-08-01 09:47:02 +02:00