codeql

mirror of https://github.com/github/codeql.git synced 2026-01-21 02:14:45 +01:00

Author	SHA1	Message	Date
masterofnow	0fd09759df	Added sample java file for qhelp to render correctly.	2023-12-22 08:31:23 +08:00
masterofnow	cb5733d647	Apply suggestions from code review Update to documentation. Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>	2023-12-22 08:25:05 +08:00
masterofnow	7162540faf	Added options, .qhelp and .expected file for unit test.	2023-12-21 19:57:37 +08:00
Tony Torralba	39708524e7	Minor fixes - Query ID - MethodAccess -> MethodCall - Redundant import - Formatting	2023-12-20 15:31:09 +01:00
masterofnow	e85c4b5bf6	Update query from code review feedback to express it as a dataflow problem.	2023-12-20 18:28:16 +08:00
masterofnow	4a77f45aa6	Minor adjustment to resolve error for codeql version 2.15.4	2023-12-16 12:41:39 +08:00
masterofnow	99b273d308	Apply suggestions from code review Added suggestion from atorralba. Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>	2023-12-16 12:00:45 +08:00
masterofnow	e1b8fabf7f	Use global instead of local taint tracking.	2023-12-13 13:50:34 +08:00
masterofnow	8538c12267	Merge branch 'github:main' into LoadClassNoSignatureCheck	2023-12-13 13:47:40 +08:00
Ed Minnix	1b8f3f3450	Deprecate or remove imports of dataflow library copies	2023-12-08 10:42:10 -05:00
Shati Patel	6284781a9b	Update inconsistent CWE tags Most tags use the "external/cwe/cwe-xxx" format, except for these few queries. Updating them for consistency.	2023-12-04 11:52:31 +00:00
masterofnow	2952d8f65a	Updated query to cover broader detection.	2023-11-18 18:52:47 +08:00
masterofnow	532f6a5b0c	Removed @kind path-problem in comment. Added text message in select.	2023-11-13 08:27:07 +08:00
masterofnow	20592352d0	Updated text in LoadClassNoSignatureCheck.qhelp	2023-11-12 20:48:49 +08:00
masterofnow	fd66f47d82	Added LoadClassNoSignatureCheck.ql	2023-11-12 20:27:49 +08:00
Chris Smowton	06238dd5f6	Improve reflective class names	2023-10-24 13:29:32 +01:00
Chris Smowton	e8c9708282	Autoformat	2023-10-24 11:06:19 +01:00
Chris Smowton	59a49eef0b	Add aliases for public, importable renamed classes and predicates. Also rename and aliases a couple of uses of Access noted along the way.	2023-10-24 10:54:35 +01:00
Chris Smowton	f552a15aae	Mass-rename MethodAccess -> MethodCall	2023-10-24 10:30:26 +01:00
Eric Bickle	7a4382fb69	Merge branch 'main' into fix/thread-resource-arithmetic	2023-10-10 09:38:16 -07:00
Eric Bickle	80c8259e34	Remove unnecessary AdditionalValueStep check	2023-10-10 09:35:45 -07:00
Michael Nebel	cf3a62d201	Java: Address review comments.	2023-10-09 13:06:59 +02:00
Eric Bickle	000c1f7ec8	Java: Flow taint through ArithExpr for ThreadResourceAbuse Ensure that tainted values flow through arithmetic operations when checking for ThreadResourceAbuse vulnerabilities. For example, multiplying 'number of seconds' by 1000 as an input to Thread.Sleep, which accepts milliseconds, is a common scenario.	2023-10-06 14:24:37 -07:00
Michael Nebel	40e63a63e2	Java: Re-factor most queries and tests to use threat models.	2023-10-04 14:01:58 +02:00
Tony Torralba	586c8803c5	Move the sources back the .ql files Otherwise they would both apply at the same time, making both versions of the query identical.	2023-08-04 10:02:56 +02:00
Tony Torralba	e9bad321b6	Apply suggestions from code review	2023-08-04 09:21:45 +02:00
aegilops	fc7f8409be	Fix up for code review	2023-08-03 13:50:40 +01:00
Tony Torralba	b5d08ade59	Formatting	2023-08-01 09:35:25 +02:00
Paul Hodgkinson	bfbb77a796	Merge branch 'main' into java/experimental/command-injection	2023-06-29 09:51:14 +01:00
aegilops	01798f63f8	Switched to new dataflow and added a test (but it doesn't produce results yet)	2023-06-28 17:14:39 +01:00
aegilops	23bf8470ce	Removed .md and made class change	2023-06-19 17:29:17 +01:00
aegilops	8c9ccab9c9	Autoformat	2023-06-19 11:53:53 +01:00
aegilops	2112d73a6a	Autoformat	2023-06-19 11:50:54 +01:00
aegilops	1a108fb1c9	Changed to for constant string	2023-06-19 11:46:08 +01:00
aegilops	7c235e3786	Fixed linting issues. Will not fix instanceof, that is necessary	2023-06-19 11:41:23 +01:00
aegilops	8c73fbeabe	Formatted	2023-06-16 17:33:21 +01:00
aegilops	55eeb00309	Added experimental tag	2023-06-16 17:27:01 +01:00
aegilops	b6c35dd88c	Added experimental version of Java Command Injection query, to be more sensitive to unusual code constructs	2023-06-16 17:12:53 +01:00
Tony Torralba	ffe67689ec	Merge branch 'main' into atorralba/java/command-injection-mad-sinks	2023-06-13 09:27:33 +02:00
Anders Schack-Mulligen	a0a9d30286	Java: Fix qltests.	2023-06-09 08:37:35 +02:00
Tony Torralba	6d7234f8ed	Merge pull request #13225 from atorralba/atorralba/java/path-injection-mad-sinks-2 Java: Migrate path injection sinks to models-as-data (simplified)	2023-06-07 14:27:36 +02:00
erik-krogh	44b6366586	delete old deprecations	2023-06-02 11:58:08 +02:00
Tony Torralba	527fe523a8	Add PathCreation.qll sinks to models-as-data The old PathCreation sinks can't be removed because doing so would cause alert wobble in the path injection queries. See their getReportingNode predicates.	2023-06-02 09:14:35 +02:00
Tony Torralba	c3b1ef2cdf	Merge branch 'main' into atorralba/java/command-injection-mad-sinks	2023-06-02 08:57:24 +02:00
Jami Cogswell	5dbb698481	Java: update open/jdbc-url sink kinds to request-forgery	2023-05-31 15:50:31 -04:00
Jami Cogswell	cb10f4976b	Java: update create/read-file sink kinds to path-injection	2023-05-31 15:49:07 -04:00
Tony Torralba	a276cc3094	Convert all command injection sinks to MaD format	2023-05-25 11:41:32 +02:00
Tony Torralba	770099f210	Merge branch 'main' into atorralba/java/promote-xxe-experimental-sinks	2023-05-16 09:49:34 +02:00
Jami	3c74c8bbe0	Merge pull request #13019 from jcogs33/jcogs33/url-open-stream-updates Java: switch `url-open-stream` sink models to `experimentalSinkModel`	2023-05-04 15:07:44 -04:00
Jami Cogswell	917268e7e6	Java: activate the models in openstream query	2023-05-03 09:57:45 -04:00

1 2 3 4 5 ...

1043 Commits