hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
35,614 Commits 1,671 Branches 157 Tags
c20ee76826e10318f8f39c6fae901b743c2e8254
Commit Graph

1764 Commits

Author SHA1 Message Date
Tony Torralba
56a429a5f9 Merge branch 'main' into promote-jexl-injection 2021-06-03 11:10:56 +02:00
Tony Torralba
34a8383c1a Unused import 2021-06-03 10:22:53 +02:00
Anders Schack-Mulligen
8e6dd51f50 Merge pull request #5868 from Marcono1234/marcono1234/ignore-not-closing-char-array-closeable 
Java: Ignore char array based closeables for CloseReader.ql and CloseWriter.ql
 2021-06-02 15:00:59 +02:00
Anders Schack-Mulligen
8a20395857 Merge pull request #5940 from pwntester/main 
Remove XSS sink for Java
 2021-06-02 12:30:20 +02:00
Tony Torralba
d476459727 Use InlineExpectationsTest 2021-06-02 12:15:26 +02:00
Tony Torralba
59e6e1ffac Moved from experimental 2021-06-02 09:58:30 +02:00
Anders Schack-Mulligen
dbe352f3ff Java: Remove deprecated tests. 2021-06-01 11:47:52 +02:00
Anders Schack-Mulligen
901996f9fd Java: Add collection flow test. 2021-06-01 11:47:52 +02:00
Anders Schack-Mulligen
43d1b0ab27 Java: Update qltests. 2021-06-01 11:47:52 +02:00
Anders Schack-Mulligen
a4661e1aca Merge pull request #5704 from edvraa/regexj 
Java: Regex injection
 2021-06-01 11:45:59 +02:00
Alvaro Muñoz
735e4e4b7b update failing tests 2021-05-28 15:13:18 +02:00
Timo Mueller
75f6ec1f0d Updated test cases to include test for java10+ CREDENTIALS_FILTER_PATTERN constant 2021-05-25 17:08:58 +02:00
Timo Mueller
59ebe08c78 Added stup for RMIConnectorServer for valid test case 2021-05-25 16:40:41 +02:00
Artem Smotrakov
c837605c85 Added test cases with sanitizers for UnsafeDeserializationRmi.ql 2021-05-23 13:01:22 +02:00
Artem Smotrakov
d2e29fc72c Renamed RmiUnsafeDeserialization.ql -> UnsafeDeserializationRmi.ql 2021-05-23 10:21:05 +02:00
Artem Smotrakov
e28f919f3d Look for remote callable method only in RmiUnsafeDeserialization.ql 2021-05-23 10:21:05 +02:00
Artem Smotrakov
5ffe04d6a5 Updated expected output for RmiUnsafeDeserialization.java test 2021-05-23 10:21:04 +02:00
Artem Smotrakov
3d20330a92 More tests for RmiUnsafeDeserialization 2021-05-23 10:21:04 +02:00
Artem Smotrakov
ec6186a1c5 Draft of tests for RmiUnsafeDeserialization.ql 2021-05-23 10:21:04 +02:00
Tony Torralba
7dbdba28cc Consider search methods with unsafe SearchControls 2021-05-21 15:21:04 +02:00
Sebastian Bauersfeld
28f597440f Add method invocations of Spring's SavedRequest as a remote sources. 2021-05-20 20:00:14 +07:00
Tony Torralba
c1e71b60b4 Use InlineExpectationsTest 2021-05-20 12:00:11 +02:00
Tony Torralba
1351516e9a Moved JNDI injection related files from experimental to standard 2021-05-19 11:32:51 +02:00
Tony Torralba
e58746508d Merge branch 'main' into atorralba/promote-ognl-injection 2021-05-19 10:41:08 +02:00
luchua-bc
e4699f7fa9 Optimize the query 2021-05-18 16:12:22 +00:00
luchua-bc
d664aa6d6a Include more scenarios and update qldoc 2021-05-18 16:12:22 +00:00
luchua-bc
852bcfb5c7 Refactor the ScriptEngine query and the Rhino code injection query into one 2021-05-18 16:12:22 +00:00
luchua-bc
b0b5338359 Rhino code injection 2021-05-18 16:12:22 +00:00
Chris Smowton
4230869ee2 Merge pull request #5819 from luchua-bc/java/jpython-injection 
Java: CWE-094 Jython code injection
 2021-05-18 16:38:40 +01:00
Chris Smowton
71f540a755 Merge pull request #5844 from haby0/SpringRedirects 
[Java] CWE-601 Spring url redirection detect
 2021-05-18 16:37:40 +01:00
Tony Torralba
34a55e77ef Add missing subtype test 2021-05-18 09:38:35 +02:00
Anders Schack-Mulligen
9b0e3b1950 Merge pull request #5814 from JLLeitschuh/feat/JLL/jackson_as_taint_step 
[Java] Add taint tracking through Jackson deserialization
 2021-05-18 09:31:16 +02:00
haby0
a0cd551bae Add filtering of String.format 2021-05-18 11:05:10 +08:00
Tony Torralba
bc2370ae1d Use InlineExpectationsTest for tests 2021-05-17 15:58:33 +02:00
Tony Torralba
3e4ccaf9a8 Move from experimental to standard 2021-05-17 10:41:54 +02:00
haby0
60fc607449 Modify ql 2021-05-14 18:17:05 +08:00
haby0
498c99e26c Add left value, Add return expression tracing flow 2021-05-14 16:31:59 +08:00
Tony Torralba
db732918af Add taint step for setExpression 2021-05-13 15:01:36 +02:00
haby0
effa2b162a Add spring url redirection detect 2021-05-13 09:55:37 +08:00
Tony Torralba
09b40601a7 Consider ExpressionAccessor 2021-05-12 12:32:38 +02:00
Anders Schack-Mulligen
a247ae4357 Merge pull request #5843 from JLLeitschuh/feat/JLL/improve_kryo_support 
[Java] Fix Kryo FP & Kryo 5 Support
 2021-05-12 09:52:24 +02:00
haby0
12f47bcf24 Add UnsafeDeserialization 2021-05-12 12:37:16 +08:00
Marcono1234
8969da7775 Java: Improve not closing resource query; add tests 2021-05-11 19:32:02 +02:00
luchua-bc
e7cd6c9972 Optimize the query 2021-05-11 16:56:12 +00:00
Jonathan Leitschuh
5a68ac88ef Cleanup Jackson logic after code review 2021-05-11 10:48:22 -04:00
Jonathan Leitschuh
bacc3ef5b3 [Java] Jackson add support for 2 step deserialization taint flow 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
d0638db6e7 [Java] Add data flow through Iterator deserializers for Jackson 2021-05-11 10:36:47 -04:00
Jonathan Leitschuh
56b1f15dda [Java] Add taint tracking through Jackson deserialization 2021-05-11 10:36:47 -04:00
Tony Torralba
8754c85a57 Use InlineExpectationsTest 2021-05-11 16:23:12 +02:00
Tony Torralba
fc03b92e11 Moved from experimental to standard 2021-05-11 15:42:13 +02:00