hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
35,614 Commits 1,671 Branches 157 Tags
c20ee76826e10318f8f39c6fae901b743c2e8254
Commit Graph

5184 Commits

Author SHA1 Message Date
Tom Hvitved
b3af3ad12f Data flow: Fix bad join order in getReturnPosition() 
Joining on the enclosing callable before the kind is crucial, as witnessed by this pipeline:

```
[2020-02-06 17:58:21] (1086s) Starting to evaluate predicate DataFlowImplCommon::getReturnPosition#ff/2@83c546
[2020-02-06 18:53:16] (4382s) Tuple counts for DataFlowImplCommon::getReturnPosition#ff:
                      385478      ~1%     {3} r1 = SCAN DataFlowImplCommon::Cached::TReturnPosition0#fff@staged_ext AS I OUTPUT I.<2>, I.<0>, I.<1>
                      385478      ~2%     {3} r2 = JOIN r1 WITH DataFlowImplCommon::Cached::TReturnPosition0#fff_2#join_rhs AS R ON FIRST 1 OUTPUT r1.<2>, r1.<1>, r1.<0>
                      58638116860 ~0%     {3} r3 = JOIN r2 WITH DataFlowImplCommon::ReturnNodeExt::getKind_dispred#ff_10#join_rhs AS R ON FIRST 1 OUTPUT R.<1>, r2.<1>, r2.<2>
                      914049      ~0%     {2} r4 = JOIN r3 WITH DataFlowImplCommon::returnNodeGetEnclosingCallable#ff AS R ON FIRST 2 OUTPUT r3.<0>, r3.<2>
                                          return r4
```
 2020-02-06 19:06:40 +01:00
Anders Schack-Mulligen
aa8ebf4fe1 Merge pull request #2764 from JLLeitschuh/patch-1 
Add DefaultFullHttpResponse to Netty Check
 2020-02-06 12:19:04 +01:00
Anders Schack-Mulligen
75f7671e75 Java: Fix .expected 2020-02-06 10:27:44 +01:00
Jonas Jensen
81b1bd4177 Merge pull request #2769 from aschackmull/java/perf-regression 
Java: Improve performance.
 2020-02-05 20:15:18 +01:00
Jonathan Leitschuh
60f2fa9eb9 Update java/ql/src/Security/CWE/CWE-113/NettyResponseSplitting.ql 2020-02-05 12:45:47 -05:00
Anders Schack-Mulligen
ba86dea657 Java: Improve taint step modeling to use postupdate nodes. 2020-02-05 15:33:29 +01:00
Anders Schack-Mulligen
07482abed7 Java/C++/C#: Sync. 2020-02-05 15:17:20 +01:00
Anders Schack-Mulligen
274919ca08 Java: Fix recent perf regressions. 2020-02-05 15:15:15 +01:00
Anders Schack-Mulligen
7d19eb7c05 Java: Add LICENSE.txt 2020-02-05 09:38:16 +01:00
Jonathan Leitschuh
832a4f2e07 Add DefaultFullHttpResponse to Netty Check 2020-02-04 15:40:59 -05:00
Tom Hvitved
15ee1e37b9 Java: Follow-up changes 2020-02-04 14:09:12 +01:00
Tom Hvitved
c591719df2 Data flow: Sync files 2020-02-04 14:09:12 +01:00
Anders Schack-Mulligen
2b1723dd88 Java: Move some taint tests. 2020-02-04 13:21:31 +01:00
Anders Schack-Mulligen
3b81c3b95c Merge pull request #2651 from ggolawski/java-ldap-injection 
Java LDAP Injection (CWE-90)
 2020-01-31 16:43:52 +01:00
Anders Schack-Mulligen
18a8c2b220 Java: Add qlpack.yml in upgrades. 2020-01-31 11:39:46 +01:00
yo-h
7ca7bdfc46 Merge pull request #2725 from aschackmull/java/sqlinjection-number-barrier 
Java: Add java.lang.Number as a sanitizer for SQL injection.
 2020-01-30 18:25:24 -05:00
yo-h
b542b08c95 Merge pull request #2726 from aschackmull/java/outputstream-write-taint 
Java: Improve taint for OutputStream.write and InputStream.read.
 2020-01-30 18:24:00 -05:00
yo-h
563be9f817 Merge pull request #2719 from aschackmull/java/deprecate-parexpr 
Java: Deprecate ParExpr
 2020-01-30 18:23:13 -05:00
Grzegorz Golawski
3fd8d9eb5c Rename CWE-90 into CWE-090 2020-01-30 22:33:20 +01:00
Grzegorz Golawski
db55ec250a Rename CWE-90 to CWE-090 2020-01-30 22:32:36 +01:00
ggolawski
d065ebddde Merge pull request #3 from aschackmull/java/pr-2651-unittest 
Java: Add unit test for ldap injection.
 2020-01-30 22:23:20 +01:00
Anders Schack-Mulligen
2a0a568cbb Java: Remove duplicate class. 2020-01-30 17:04:35 +01:00
yo-h
dd517a433a Merge pull request #2671 from aschackmull/java/null-flow 
Java: Allow null literals as sources in data flow.
 2020-01-30 09:47:46 -05:00
Anders Schack-Mulligen
9bea581a23 Java: Improve taint for OutputStream.write and InputStream.read. 2020-01-30 14:29:56 +01:00
Anders Schack-Mulligen
a167577551 Java: Add java.lang.Number as a sanitizer for SQL injection. 2020-01-30 12:01:36 +01:00
Anders Schack-Mulligen
ea3d7b1b2f Java: Adjust stubs and unit test. 2020-01-30 11:27:33 +01:00
Anders Schack-Mulligen
d8b842298c Java: Autoformat. 2020-01-30 10:54:54 +01:00
Anders Schack-Mulligen
75c549baa1 Java: Deprecate ParExpr. 2020-01-30 10:52:16 +01:00
ggolawski
ebd2b932e8 Update java/ql/src/Security/CWE/CWE-90/LdapInjection.qhelp 
Co-Authored-By: Felicity Chapman <felicitymay@github.com>
 2020-01-29 20:05:20 +01:00
Anders Schack-Mulligen
9b7a728609 Java: Autoformat. 2020-01-29 12:16:25 +01:00
Anders Schack-Mulligen
9391058363 Java: Add unit test for ldap injection. 2020-01-29 11:37:33 +01:00
Grzegorz Golawski
bbcfbd7a28 Apply suggestion from code review 2020-01-28 22:34:01 +01:00
yo-h
97069a7988 Merge pull request #2683 from aschackmull/java/lshift32 
Java: Add new query for large left shifts and bugfix ConstantExpAppearsNonConstant.
 2020-01-28 13:30:26 -05:00
Anders Schack-Mulligen
0b3c90b526 Java: Fix whitespace query. 2020-01-28 10:15:48 +01:00
Anders Schack-Mulligen
34e6679afd Java: Add upgrade script. 2020-01-28 10:15:48 +01:00
Anders Schack-Mulligen
f8805ebb24 Java: Update 2 queries. 2020-01-28 10:15:48 +01:00
Anders Schack-Mulligen
4bd332ddca Java: Add Expr.isParenthesized, adjust VarAccess.toString, and fix tests. 2020-01-28 10:15:48 +01:00
Anders Schack-Mulligen
597d8e7d94 Java: Update dbscheme for ParExpr removal. 2020-01-28 10:15:48 +01:00
Anders Schack-Mulligen
dc7e8ad2ff Java: Reword help according to review comment. 2020-01-28 10:13:35 +01:00
Anders Schack-Mulligen
a99a6f79cd Apply suggestions from code review 
Co-Authored-By: Felicity Chapman <felicitymay@github.com>
 2020-01-28 10:13:35 +01:00
Anders Schack-Mulligen
4cb28d9b1d Java: Add new query for large left shifts and bugfix ConstantExpAppearsNonConstant. 2020-01-28 10:13:34 +01:00
Grzegorz Golawski
7b2192d2e3 Apply suggestion from code review 2020-01-27 22:34:15 +01:00
ggolawski
408c49a61c Apply suggestions from code review 
Co-Authored-By: Felicity Chapman <felicitymay@github.com>
 2020-01-27 22:31:51 +01:00
Chris Gavin
484333b192 Java: Update help and description of java/suspicious-date-format. 2020-01-27 11:57:59 +00:00
Chris Gavin
0e8d435ca1 Java: Add a test for java/suspicious-date-format. 2020-01-27 11:57:59 +00:00
Chris Gavin
88146295f9 Java: Add a query for suspicious date format patterns. 2020-01-27 11:57:18 +00:00
Anders Schack-Mulligen
816a8d1f9e Merge pull request #2586 from ggolawski/spring_disable_csrf 
Add check for disabled CSRF protection in Spring
 2020-01-27 11:32:39 +01:00
Esben Sparre Andreasen
8deefd60a7 java: fixup whitespace/tabs in test 2020-01-24 11:01:38 +01:00
Esben Sparre Andreasen
57b3a55b48 java: sharpen java/maven/non-https-url to allow localhost URLs 2020-01-24 08:51:54 +01:00
Esben Sparre Andreasen
a5558809f4 java: add more tests for java/maven/non-https-url 2020-01-24 08:49:59 +01:00