codeql

mirror of https://github.com/github/codeql.git synced 2026-03-17 04:56:58 +01:00

Author	SHA1	Message	Date
Tony Torralba	452fd9a8e3	Refactor to path query	2021-08-04 13:05:18 +02:00
turbo	a8f84da7ac	Update Security-Severity for CWE-918	2021-08-04 12:17:21 +02:00
Tony Torralba	b586f3ec9c	Make the additional flow step abstract	2021-08-04 12:11:17 +02:00
Tony Torralba	f4bc4df8c1	Renamed JWTQuery so that it's named after the actual query name	2021-08-04 12:08:08 +02:00
github-actions[bot]	8a2acda53c	Add changed framework coverage reports	2021-08-04 00:07:10 +00:00
Chris Smowton	eaf3d3cc03	Merge pull request #6162 from smowton/smowton/feature/jax-rs-content-type-sensitivity-fixes Jax-RS: implement content-type tracking	2021-08-03 14:53:31 +01:00
Anders Schack-Mulligen	7fb1e1578e	Merge pull request #5894 from atorralba/atorralba/promote-ognl-injection Java: Promote OGNL Injection query from experimental	2021-08-03 15:31:40 +02:00
Anders Schack-Mulligen	be6fd7c22e	Merge pull request #6382 from bmuskalla/stringValueOfTaint Track taint for String.valueOf(..)	2021-08-03 15:30:30 +02:00
Chris Smowton	3bf41491b3	Apply suggestions from code review	2021-08-03 14:15:39 +01:00
Benjamin Muskalla	8ce841493c	Avoid taint for valueOf(Object)	2021-08-03 14:46:55 +02:00
Anders Schack-Mulligen	c0d76da1a6	Merge pull request #5846 from atorralba/atorralba/promote-unsafe-android-webview-fetch Java: Promote Unsafe resource loading in Android WebView from experimental	2021-08-03 14:24:34 +02:00
Tony Torralba	f5cbec4938	Fix tests affected by Jackson stubs changes	2021-08-03 14:22:55 +02:00
Anders Schack-Mulligen	fb9feabe64	Merge pull request #6062 from atorralba/atorralba/promote-groovy-injection Java: Promote Groovy Code Injection from experimental	2021-08-03 14:19:15 +02:00
Tony Torralba	a33e0bce9d	Fix tests affected by Jackson stubs changes	2021-08-03 13:15:45 +02:00
Tony Torralba	c44de87503	Fix reference to PostUpdateNode	2021-08-03 12:45:12 +02:00
Chris Smowton	36379146c5	Resync dataflow clone	2021-08-03 11:03:30 +01:00
Joe Farebrother	a4659f4e96	Exclude package protected members	2021-08-03 10:51:39 +01:00
Chris Smowton	afa827829a	Make imports private where possible Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>	2021-08-03 10:36:46 +01:00
Chris Smowton	a52c4746bc	Improve docs	2021-08-03 10:36:46 +01:00
Chris Smowton	75310a6609	Create a dataflow instance specifically for the Serializability library Otherwise because this dataflow instance populates AdditionalTaintStep there is an ever-present danger that a user will stumble into creating a recursive configuration, or at least that by using DataFlow5::Configuration for any other purpose they will needlessly recalculate the Serializability dataflow results.	2021-08-03 10:36:46 +01:00
Chris Smowton	f83f950be6	Merge pull request #6325 from smowton/smowton/feature/org-json-models Java: add models of JSON-java, aka `org.json`	2021-08-03 10:33:49 +01:00
Tony Torralba	084cda6daa	Merge branch 'main' into atorralba/promote-groovy-injection	2021-08-03 09:53:46 +02:00
Tony Torralba	36565802dc	Delete unnecesary file RequestForgery.expected in experimental was an artifact from a merge that wasn't adequately removed	2021-08-03 09:48:04 +02:00
Tony Torralba	8852f69d36	Apply suggestions from code review Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>	2021-08-03 09:46:32 +02:00
github-actions[bot]	cd65baf481	Add changed framework coverage reports	2021-08-03 00:07:34 +00:00
Chris Smowton	fad1622730	Merge pull request #5435 from haby0/DynamicallyLoadedClasses Java: CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')	2021-08-02 16:04:30 +01:00
Tony Torralba	08bdd1aa7a	Merge branch 'main' into atorralba/promote-ognl-injection	2021-08-02 16:05:38 +02:00
Tony Torralba	8b50b3d00f	Add jackson-core to test dependencies	2021-08-02 16:04:49 +02:00
Chris Smowton	09a873138d	Add missing qldoc	2021-08-02 14:48:42 +01:00
Chris Smowton	170bb43393	Update java/ql/test/library-tests/frameworks/json-java/test.ql Remove unnecessary import Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>	2021-08-02 14:46:38 +01:00
Chris Smowton	8a78075d3d	Remove redundant method taint flow specifications	2021-08-02 14:30:31 +01:00
Anders Schack-Mulligen	53e6ddfeb6	Merge pull request #6001 from atorralba/atorralba/promote-mvel-injection Java: Promote MVEL injection query from experimental	2021-08-02 14:40:26 +02:00
Tony Torralba	f4b78ef3bd	Fix stubs	2021-08-02 14:12:05 +02:00
Tony Torralba	9b384d84cc	Merge branch 'main' into atorralba/promote-ognl-injection	2021-08-02 14:06:45 +02:00
Tony Torralba	351a24558d	Add tests for JacksonSerializability Upgraded jackson stubs to 2.12	2021-08-02 14:03:30 +02:00
Tony Torralba	632ae747c7	Fix JacksonModel duplicate row	2021-08-02 12:53:30 +02:00
Anders Schack-Mulligen	3b676d432f	Merge pull request #5900 from artem-smotrakov/unsafe-jackson-deserialization Java: Unsafe deserialization with Jackson	2021-08-02 12:45:30 +02:00
Anders Schack-Mulligen	6c973b59ac	Update java/ql/src/semmle/code/java/frameworks/Jackson.qll	2021-08-02 10:16:42 +02:00
Tony Torralba	9fadb26325	Fix qhelp sample	2021-08-02 10:00:59 +02:00
Tony Torralba	4435853c8a	Apply suggestions from code review Co-authored-by: Felicity Chapman <felicitymay@github.com>	2021-08-02 09:56:40 +02:00
Fosstars	bd7e7b1371	Better qldoc for timing attacks	2021-08-01 10:18:37 +02:00
Fosstars	44e52517ad	Removed unsafeMacCheckWithArraysDeepEquals() test	2021-08-01 10:12:38 +02:00
Fosstars	0fc487fb04	Better qhelp for timing attacks	2021-08-01 09:57:14 +02:00
Artem Smotrakov	9b953cf0fc	Apply suggestions from code review Co-authored-by: Chris Smowton <smowton@github.com>	2021-08-01 09:47:07 +02:00
Fosstars	ad54c9d937	Two queries for timing attacks	2021-08-01 09:47:07 +02:00
Artem Smotrakov	e3b6ceade5	Renamed NonConstantTimeCryptoComparison.ql to NonConstantTimeCheckOnSignature.ql	2021-08-01 09:47:06 +02:00
Artem Smotrakov	8b557765b3	Narrow NonConstantTimeCryptoComparison.ql to timing attack on signatures and MACs only	2021-08-01 09:47:06 +02:00
Artem Smotrakov	c359852608	Consider only Cipher.ENCRYPT_MODE in NonConstantTimeCryptoComparison.ql	2021-08-01 09:47:06 +02:00
Artem Smotrakov	1f2a9cdda7	Added taint propagation steps for hashes in NonConstantTimeCryptoComparison.ql	2021-08-01 09:47:06 +02:00
Artem Smotrakov	c96d939cf5	Covered custom fast-fail checks in NonConstantTimeCryptoComparison.ql Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>	2021-08-01 09:47:06 +02:00

1 2 3 4 5 ...

3242 Commits