hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-20 18:04:46 +01:00
Code Issues Packages Projects Releases Wiki Activity
62,070 Commits 1,683 Branches 158 Tags
cb0ea350b5cec833b6e7731ec610ec10104f8a61
Commit Graph

1126 Commits

Author SHA1 Message Date
Ed Minnix
cb0ea350b5 Improve docs 2023-12-15 11:09:07 -05:00
Ed Minnix
0efca8200d Weak Hashing query wording 2023-12-15 11:09:07 -05:00
Ed Minnix
93cf5b8eb9 Weak Hashing Property initial query 2023-12-15 11:09:07 -05:00
Edward Minnix III
06eef93f89 Docs review suggestions 2023-12-11 11:18:40 -05:00
Edward Minnix III
ce20c4ae03 Docs review suggestions 
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
 2023-12-11 11:18:40 -05:00
Ed Minnix
3ca039bc8f Rename to InsecureRandomness 2023-12-11 11:18:40 -05:00
Edward Minnix III
4678302edb Update query metadata 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2023-12-11 11:18:39 -05:00
Ed Minnix
e69ff7b601 Move to library and add docs 2023-12-11 11:18:38 -05:00
Ed Minnix
9f986ca527 Add Weak Randomness Query 2023-12-11 11:18:38 -05:00
Max Schaefer
ca334021ad Merge pull request #14793 from github/max-schaefer/tainted-path-qhelp 
Java: Improve QHelp for `java/path-injection` to mention less disruptive fixes.
 2023-11-16 14:09:55 +00:00
Max Schaefer
a5e7ef424e Revert "Add additional example." 
This reverts commit 947b094387.
 2023-11-16 11:54:16 +00:00
Max Schaefer
143e1680bd Apply suggestions from code review 
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
 2023-11-16 11:42:35 +00:00
Max Schaefer
947b094387 Add additional example. 2023-11-16 10:06:19 +00:00
Max Schaefer
009d58034f Address suggestions from review. 2023-11-16 10:05:54 +00:00
Max Schaefer
a46a7fadb2 Java: Improve QHelp for java/path-injection to mention less disruptive fixes. 2023-11-15 11:25:13 +00:00
Tony Torralba
5442cdb49c Merge pull request #14610 from atorralba/atorralba/java/jms-deserialization 
Java: Add JMS sink to java/unsafe-deserialization
 2023-11-08 09:10:20 +01:00
Geoffrey White
e8a466a02c Update dead link. 2023-11-07 09:26:07 +00:00
Tony Torralba
7af3d239ab Java: Add JMS sink to java/unsafe-deserialization 2023-10-26 16:46:19 +02:00
Chris Smowton
e8c9708282 Autoformat 2023-10-24 11:06:19 +01:00
Chris Smowton
ac38d4c9c6 Mass rename L/RValue -> VarWrite/Read 2023-10-24 10:58:29 +01:00
Chris Smowton
59a49eef0b Add aliases for public, importable renamed classes and predicates. 
Also rename and aliases a couple of uses of Access noted along the way.
 2023-10-24 10:54:35 +01:00
Chris Smowton
f552a15aae Mass-rename MethodAccess -> MethodCall 2023-10-24 10:30:26 +01:00
Tony Torralba
d08ee76b16 Java: Improve java/spring-disabled-csrf-protection 2023-10-16 16:01:14 +02:00
intrigus-lgtm
874f91c7ae Java: Further alert message improvement 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2023-09-18 12:25:31 +02:00
intrigus-lgtm
b6417ca212 Java: Fix alert message 
The signing key that is being set, is _not_ what is being parsed.
A _JWT_ is being parsed, that will then be verified using the set key.
(Or in our case not, because we're looking for security problems :P)
 2023-09-12 02:23:37 +02:00
Edward Minnix III
8d88af1af0 Apply docs review suggestions 
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
 2023-08-17 13:05:38 -04:00
Ed Minnix
b305962c9a Use more appropriate description 2023-08-17 13:05:37 -04:00
Edward Minnix III
929090a847 Typos and style fixes 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2023-08-17 13:05:37 -04:00
Ed Minnix
172b8a6967 Documentation fixes 2023-08-17 13:05:37 -04:00
Ed Minnix
b567ec875a Documentation 2023-08-17 13:05:37 -04:00
Ed Minnix
f58590c6a9 Trust Boundary Work 2023-08-17 13:05:37 -04:00
Ed Minnix
3e7444cd66 Style fixes 2023-08-17 13:05:36 -04:00
Ed Minnix
15370506b8 Add missing security severity 2023-08-17 13:05:36 -04:00
Ed Minnix
a8b7e70d01 Convert trust boundary models to MaD 2023-08-17 13:05:36 -04:00
Ed Minnix
76438f13b6 Trust Boundary Query 2023-08-17 13:05:36 -04:00
Anders Schack-Mulligen
91de43f918 C#/Java/Ruby: Remove superfluous module members. 2023-07-13 11:38:35 +02:00
Tony Torralba
a7c2a25cac Merge pull request #12879 from atorralba/atorralba/java/command-injection-mad-sinks 
Java: Convert all command injection sinks to MaD format
 2023-06-27 14:06:45 +02:00
Tony Torralba
8f6d2ed2f9 Adjust ZipSlip query description according to review suggestions. 2023-06-19 10:27:41 +02:00
Tony Torralba
3c4d938cf1 Apply code review suggestions. 
Co-authored-by: Asger F <asgerf@github.com>
 2023-06-19 10:20:19 +02:00
Tony Torralba
3e96fe60c5 Go/Java/JS/Python/Ruby: Update the description and qhelp of the ZipSlip query 
All filesystem operations, not just writes, with paths built from untrusted archive entry names are dangerous
 2023-06-16 08:52:44 +02:00
Tony Torralba
ffe67689ec Merge branch 'main' into atorralba/java/command-injection-mad-sinks 2023-06-13 09:27:33 +02:00
Tony Torralba
527fe523a8 Add PathCreation.qll sinks to models-as-data 
The old PathCreation sinks can't be removed because doing so would cause alert wobble in the path injection queries. See their getReportingNode predicates.
 2023-06-02 09:14:35 +02:00
Tony Torralba
c3b1ef2cdf Merge branch 'main' into atorralba/java/command-injection-mad-sinks 2023-06-02 08:57:24 +02:00
erik-krogh
9f5bf8fb22 also fix the first code-block 2023-05-25 13:56:29 +02:00
erik-krogh
765076bcba fix whitespace in the samples in ReDoS.qhelp 2023-05-25 13:28:39 +02:00
Tony Torralba
a276cc3094 Convert all command injection sinks to MaD format 2023-05-25 11:41:32 +02:00
erik-krogh
710b309142 apply suggestions from doc review 2023-05-21 22:18:48 +02:00
erik-krogh
480e71fd69 avoid contractions 2023-05-17 08:42:45 +02:00
erik-krogh
83ca1495e0 trim the whitespace in the poly-redos examples 2023-05-15 16:47:24 +02:00
erik-krogh
d989359656 add another example to the qhelp in poly-redos, showing how to just limit the length of the input 2023-05-15 16:47:02 +02:00