hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
35,614 Commits 1,672 Branches 157 Tags
c20ee76826e10318f8f39c6fae901b743c2e8254
Commit Graph

440 Commits

Author SHA1 Message Date
Tony Torralba
b876431950 Merge pull request #8706 from luchua-bc/java/unsafe-get-resource 
Java: CWE-552 Add sources and sinks to to detect unsafe getResource calls in Java EE applications
 2022-05-04 10:12:28 +02:00
luchua-bc
920a7cd2e6 Put back the taint step removed during merge 2022-04-29 20:29:04 +00:00
luchua-bc
0aa1251ffe Add more test cases 2022-04-29 02:31:43 +00:00
Jorge
193ea1a86e Merge branch 'main' into mybatis-new-sinks 2022-04-28 22:26:38 +02:00
Tony Torralba
e99cee4913 Merge branch 'main' into java/unsafe-get-resource 2022-04-27 16:45:42 +02:00
luchua-bc
b76873fc8d Add more test cases 2022-04-19 22:22:15 +00:00
luchua-bc
7029802f3b Add sinks for getClass() and getClassLoader() 2022-04-11 21:03:48 +00:00
luchua-bc
eccd97c7b7 Query to detect unsafe getResource calls in Java EE applications 2022-04-09 01:14:15 +00:00
Tom Hvitved
b91858e7cf Java: Implement ContentSet 2022-04-04 13:51:44 +02:00
luchua-bc
657f615703 Fine tune the query and update qldoc 2022-03-28 20:05:12 +00:00
jorgectf
f6eb83fd22 Update MyBatisAnnotationSqlInjection.qlref 
By adding more imports in the test file, the expected result's lines changed.
 2022-03-16 10:12:38 +01:00
jorgectf
f10dac31f9 Format some tests 2022-03-14 22:12:22 +01:00
jorgectf
d47fcedd21 Add tests 2022-03-14 21:31:51 +01:00
luchua-bc
88d9694628 Query to detect insecure WebResourceResponse implementation 2022-02-26 02:03:35 +00:00
Chris Smowton
f981fee37d Adjust test expectation 2022-02-25 20:05:06 +00:00
Chris Smowton
8fbd8c52dd Fix test expectations 2022-02-25 17:35:52 +00:00
Chris Smowton
e02a3d0ddd Rename qlref file 2022-02-25 17:33:08 +00:00
Ahmed Farid
3a2d514b18 Create ComparingValueOfSensetiveHeader.qlref 2022-02-25 17:33:08 +00:00
Ahmed Farid
0d278f6d61 Create Test.java 2022-02-25 17:33:08 +00:00
Ahmed Farid
1bc5fe13eb Update and rename java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstHeader.expected to java/ql/test/experimental/query-tests/security/CWE-208/TimingAttackAgainstHeader/TimingAttackAgainstHeader.expected 2022-02-25 17:33:08 +00:00
Ahmed Farid
63133f7e8b Update TimingAttackAgainstHeader.expected 2022-02-25 17:33:08 +00:00
Ahmed Farid
f2457dafb5 Create TimingAttackAgainstHeader.expected 2022-02-25 17:33:08 +00:00
Chris Smowton
091227982c Delete unnecessary test files 2022-02-25 17:33:08 +00:00
Ahmed Farid
19d0e1f4a7 Create ComparingValueOfSensetiveHeader.qlref 2022-02-25 17:33:07 +00:00
ahmed532009
a0a1c587e5 Create ComparingValueOfSensetiveHeader.java 2022-02-25 17:33:07 +00:00
Chris Smowton
7b425a80bc Note path query expectations 2022-02-23 16:02:54 +00:00
Chris Smowton
476997a599 Replace more non-breaking spaces 2022-02-23 11:02:17 +00:00
Porcupiney Hairs
c81d85f321 Include suggestions from review 2022-02-22 23:07:34 +05:30
Porcuiney Hairs
e536628a66 Java : Add SSTI query 2022-02-22 15:57:53 +05:30
Tony Torralba
111aabb707 Merge pull request #7712 from luchua-bc/java/file-path-injection 
Java: CWE-073 File path injection with the JFinal framework
 2022-02-16 12:01:34 +01:00
luchua-bc
fd533f2ba8 Remove the same callable constraint 2022-02-15 12:44:23 +00:00
Chris Smowton
fd4dc95d84 Merge pull request #6443 from artem-smotrakov/ignored-hostname-verifier 
Java: An experimental query for ignored hostname verification
 2022-02-14 18:56:27 +00:00
luchua-bc
35a924292b Model value passing between a setter and a getter call as a value step 2022-02-14 14:08:55 +00:00
luchua-bc
78630f25dd Match attribute name to reduce FP 2022-02-11 23:53:31 +00:00
luchua-bc
ce03aeb4d9 Fixed an issue related to normalized path 2022-02-09 23:19:40 +00:00
luchua-bc
4609227e76 Use data model for request/session attribute operations 2022-02-09 03:24:46 +00:00
luchua-bc
ff4826d203 Correct the data model and update qldoc 2022-02-08 04:02:27 +00:00
Artem Smotrakov
f53b2fcc62 Updated IgnoredHostnameVerification.ql to cover more uses of HostnameVerifier.verify() 2022-02-06 11:23:20 +00:00
Tony Torralba
b59fd4070f Merge pull request #7136 from atorralba/atorralba/promote-insecure-trustmanager 
Java: Promote Insecure TrustManager from experimental
 2022-01-24 14:05:14 +01:00
luchua-bc
27043a09b3 File path injection with the JFinal framework 2022-01-23 18:07:48 +00:00
Tony Torralba
7cd05fb685 Move from experimental 2022-01-20 10:23:18 +01:00
Tony Torralba
e0f4c73aed Move from experimental 2022-01-19 16:42:00 +01:00
Chris Smowton
84097468cc Merge pull request #7286 from luchua-bc/java/unsafe-url-forward-dispatch 
Java: CWE-552 Query to detect unsafe request dispatcher usage
 2022-01-18 18:19:20 +00:00
Artem Smotrakov
825fe1797a Fixed another false-positive in CWE-297/IgnoredHostnameVerification.ql 2022-01-16 18:55:49 +00:00
Artem Smotrakov
6dad0e21d9 Ignore wrapped HostnameVerifier.vefify() calls 2022-01-16 18:29:30 +00:00
Fosstars
2b33265d0f Added a query for ignored hostname verification 
- Added IgnoredHostnameVerification.ql
- Added a qhelp file with examples
- Added tests
 2022-01-16 18:27:49 +00:00
Artem Smotrakov
f78002bc02 Fixed a false-positive in CWE-297/IgnoredHostnameVerification.ql 2022-01-16 18:25:18 +00:00
Fosstars
e11cb943a6 Added a query for ignored hostname verification 
- Added IgnoredHostnameVerification.ql
- Added a qhelp file with examples
- Added tests
 2022-01-16 18:25:18 +00:00
Tony Torralba
81feaaec02 Refactor PathMatchGuard 2022-01-13 15:24:41 +01:00
luchua-bc
263dbd33f6 Optimize the query 2022-01-12 02:33:17 +00:00