hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-06-18 19:31:11 +02:00
Code Issues Packages Projects Releases Wiki Activity
36,508 Commits 1,780 Branches 169 Tags
c0a755e0619fc02ed64291ab771abbdc4203d17e
Commit Graph

561 Commits

Author SHA1 Message Date
Ian Lynagh
c0a755e061 Merge remote-tracking branch 'upstream/main' into igfoo/kotlin_merge 
Resolving conflicts:
	java/ql/lib/semmle/code/java/Expr.qll
 2022-05-11 14:13:09 +01:00
Tony Torralba
43b425d0e4 Merge pull request #9002 from atorralba/atorralba/https-urls-improvs 
Java: Add OkHttp and Retrofit models
 2022-05-11 10:48:08 +02:00
Chris Smowton
7dec3f4835 Use EqualityTest for either value or ref comparions, and ReferenceEqualityTest for strictly ref comparison. 2022-05-10 19:51:17 +01:00
Chris Smowton
f95effcf82 Always extract ValueEQ/NEExpr for Kotlin ==/!= 
I introduce AnyEqualsExpr for either reference or value equality and AnyEqualityTest for the same concept including not-equals operators, and use them wherever the written QL clearly doesn't care about the difference between reference and value comparison, typically because it is concerned with testing against null or against a primitive constant.
 2022-05-10 19:51:17 +01:00
Ian Lynagh
6566f7b69f Kotlin: Add types for the different kinds of casts that Kotlin has 
We might want to unify some of these in future, but doing that
correctly is easier than splitting them up correctly, so I've given each
one its own QL class for now.

I am not familiar with many of the libraries/queries that use CastExpr.
I've briefly looked at them and updated them in a way that looks
superficially reasonable, but some of the uses will probably want to be
refined later.
 2022-05-10 19:51:13 +01:00
Joe Farebrother
f7d0884db1 Java: Add cwe-377 tag to predictable-seed 2022-05-03 12:28:14 +01:00
Tony Torralba
1cf4b60769 Simplify non-https-url query 2022-05-02 15:43:07 +02:00
Jonathan Leitschuh
2565cdb964 Add additional File taint value flow models 
Adds
 - File::getAbsoluteFile
 - File::getCanonicalFile
 - File::getAbsolutePath
 - File::getCanonicalPath
 2022-04-26 10:42:53 -04:00
Chris Smowton
7d4767a4f5 Java insecure cookies query: look through named constants 2022-04-26 10:32:13 +01:00
Anders Schack-Mulligen
cbdd4927ce Merge pull request #8582 from Marcono1234/marcono1234/JumpStmt-superclass 
Java: Make `JumpStmt` a proper superclass
 2022-04-25 12:22:20 +02:00
Anders Schack-Mulligen
c0f48b6c14 Merge pull request #8681 from JLLeitschuh/fix/JLL/os_check_bugs 
Java: Fix Local Temp File/Dir Incorrect Guard Logic
 2022-04-07 14:00:13 +02:00
Erik Krogh Kristensen
ef9b6a11a6 Merge pull request #8679 from erik-krogh/getUrl 
Java: rename existing getUrl predicate to getRepositoryUrl
 2022-04-07 10:01:14 +02:00
Jonathan Leitschuh
2753521650 Java: Fix Local Temp File/Dir Incorrect Guard Logic 
Resolves https://github.com/github/codeql/pull/8032#discussion_r841723906
 2022-04-06 12:16:09 -04:00
Erik Krogh Kristensen
563d0d6532 rename existing getUrl predicate to getRepositoryUrl 2022-04-06 15:32:33 +02:00
Alvaro Muñoz Sanchez
abaa71e2c5 Update Sql Injection queries 
move java/ql/src/Security/CWE/CWE-089/SqlInjectionLib.qll -> java/ql/lib/semmle/code/java/security/SqlInjectionQuery.qll
 2022-04-06 10:57:14 +02:00
Anders Schack-Mulligen
f1ec2e3260 Merge pull request #8426 from atorralba/atorralba/missing-severities 
Java: Add missing security-severity scores
 2022-03-31 14:53:47 +02:00
Marcono1234
a93b4ed0f2 Java: Make JumpStmt a proper superclass 2022-03-30 00:30:27 +02:00
Chris Smowton
767453520e Merge pull request #8032 from JLLeitschuh/feat/JLL/check_os 
Java: Add Guard Classes for checking OS & unify System Property Access
 2022-03-18 11:20:36 +00:00
Joe Farebrother
e4a16cc700 Add security severity 2022-03-15 10:42:41 +00:00
Joe Farebrother
d4b5eed3e4 Merge pull request #8410 from joefarebrother/sensitive-logging 
Java: Promote Sensitive Logging query
 2022-03-14 14:50:26 +00:00
Tony Torralba
1f4f4207b5 Add missing security-severity scores 2022-03-14 09:50:14 +01:00
Joe Farebrother
b924de631f Add change note, minor docs improvement 2022-03-11 17:58:52 +00:00
Joe Farebrother
06f2c03828 Add tests 2022-03-11 17:44:52 +00:00
Jonathan Leitschuh
50ff2c2c68 Code cleanup from code review 2022-03-11 11:44:15 -05:00
Erik Krogh Kristensen
69353bb014 patch upper-case acronyms to be PascalCase 2022-03-11 11:10:33 +01:00
Joe Farebrother
4bf6c10896 Split configs into Query.qll library 2022-03-10 13:23:40 +00:00
Jonathan Leitschuh
b282c7f1b9 Apply suggestions from code review 
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-03-07 11:31:32 -05:00
Joe Farebrother
6c05f7a81a remove url from sensitive info regex 2022-03-04 10:37:05 +00:00
Jonathan Leitschuh
31527a67e5 Refactor OS Checks & SystemProperty logic from review feedback 2022-03-03 17:15:35 -05:00
Jonathan Leitschuh
103c770ce7 Apply suggestions from code review 
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-03-03 16:39:45 -05:00
Joe Farebrother
4ad402f33f Move from experimental to main 2022-03-03 12:13:14 +00:00
Jonathan Leitschuh
82d3cd8924 Improve system property lookup 2022-03-02 12:51:15 -05:00
Jonathan Leitschuh
dad9a02fbd Update TempDirInfoDisclosure with new OS Guards 2022-03-02 12:51:15 -05:00
Jonathan Leitschuh
fd63107edf Update OS Check from Review Feedback 2022-03-02 12:51:12 -05:00
Jonathan Leitschuh
39828fd596 Apply OS guard checks to TempDirLocalInformationDisclosure 2022-03-02 12:50:37 -05:00
Ian Lynagh
1e62b485a5 Merge pull request #8241 from igfoo/igfoo/stats4 
Java: Update stats and make some performance tweaks
 2022-02-28 12:58:06 +00:00
Ian Lynagh
7ce9b160d0 Java: Performance tweaks 2022-02-21 17:05:00 +00:00
Tony Torralba
bfa14fa066 Merge pull request #7823 from JLLeitschuh/improve/JLL/combined_http_headers 
Java: Add HTTP Request Splitting to Netty Query
 2022-02-15 10:24:36 +01:00
Jonathan Leitschuh
2048aed0a9 Review feedback and improve temp dir vulnerable/safe code sugestion 2022-02-14 11:29:16 -05:00
Jonathan Leitschuh
76964d58f2 Apply suggestions from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2022-02-14 11:04:31 -05:00
Jonathan Leitschuh
bb580ddbab Apply suggestions from code review 
Co-authored-by: Felicity Chapman <felicitymay@github.com>
 2022-02-14 11:02:05 -05:00
Jonathan Leitschuh
7dee22a130 Fix implicit 'this' usage 2022-02-14 11:00:41 -05:00
Jonathan Leitschuh
bafcce17d4 Apply suggestions from code review 
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-02-09 22:14:17 -05:00
Jonathan Leitschuh
ded8d64301 Remove CAPC and add CWE-93 2022-02-09 12:31:53 -05:00
Jonathan Leitschuh
03fdee3767 Cleanup Netty Response Splitting Query 2022-02-09 12:28:11 -05:00
Jonathan Leitschuh
8ffe878722 Apply suggestions from code review 
Co-authored-by: Matt Pollard <mattpollard@users.noreply.github.com>
 2022-02-09 12:28:11 -05:00
Jonathan Leitschuh
c732cb7759 Add HTTP Request Splitting to Netty Query 2022-02-09 12:28:10 -05:00
Jonathan Leitschuh
49a73673b6 Fix FP from mkdirs call on exact temp directory 2022-02-09 11:04:23 -05:00
Jonathan Leitschuh
787e3dac31 Update java/ql/src/Security/CWE/CWE-200/TempDirLocalInformationDisclosure.ql 
Co-authored-by: Chris Smowton <smowton@github.com>
 2022-02-09 10:07:56 -05:00
Jonathan Leitschuh
7f46640176 Consider calls to setReadable(false, false) then setReadable(true, true) to be safe 2022-02-08 17:57:10 -05:00