hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-13 06:24:46 +01:00
Code Issues Packages Projects Releases Wiki Activity
67,720 Commits 1,681 Branches 158 Tags
d142f830da8097c28722b79ef2920b8a2e2545dc
Commit Graph

1052 Commits

Author SHA1 Message Date
Michael Nebel
b1329fd806 Merge pull request #16362 from michaelnebel/java/removelocalqueries 
Java: Remove local query variants.
 2024-05-16 14:34:04 +02:00
Anders Schack-Mulligen
76e740bc1d Java: Clean up some instances of getQualifiedName. 2024-05-13 13:06:44 +02:00
Michael Nebel
85a4dd0325 Java: Deprecate the local content of CommandLineQuery and remove the exec tainted local query variant. 2024-05-01 13:07:20 +02:00
Jami Cogswell
658fffeac1 Java: remove experimental files 2024-03-17 22:03:59 -04:00
Tony Torralba
2a146405ac Adjust tests 2024-01-26 12:38:32 +01:00
Tony Torralba
19cb7adb6d Migrate path injection sinks to MaD 
Deprecate and stop using PathCreation

Path creation sinks are now summaries
 2024-01-26 12:19:54 +01:00
Ed Minnix
fb80c5ea84 Rename SimpleScalarSanitizer to SimpleTypeSanitizer 2024-01-22 23:55:29 -05:00
Ed Minnix
696788e5b2 Rename semmle.code.java.security.dataflow.CommonSanitizers to semmle.code.java.security.Sanitizers 2024-01-22 23:52:19 -05:00
Ed Minnix
3311b3be8e Convert experimental queries' isBarrier to use instanceof SimpleScalarSanitizer 2024-01-22 23:38:29 -05:00
masterofnow
0fd09759df Added sample java file for qhelp to render correctly. 2023-12-22 08:31:23 +08:00
masterofnow
cb5733d647 Apply suggestions from code review 
Update to documentation.

Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2023-12-22 08:25:05 +08:00
masterofnow
7162540faf Added options, .qhelp and .expected file for unit test. 2023-12-21 19:57:37 +08:00
Tony Torralba
39708524e7 Minor fixes 
- Query ID
- MethodAccess -> MethodCall
- Redundant import
- Formatting
 2023-12-20 15:31:09 +01:00
masterofnow
e85c4b5bf6 Update query from code review feedback to express it as a dataflow problem. 2023-12-20 18:28:16 +08:00
masterofnow
4a77f45aa6 Minor adjustment to resolve error for codeql version 2.15.4 2023-12-16 12:41:39 +08:00
masterofnow
99b273d308 Apply suggestions from code review 
Added suggestion from atorralba.

Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2023-12-16 12:00:45 +08:00
masterofnow
e1b8fabf7f Use global instead of local taint tracking. 2023-12-13 13:50:34 +08:00
masterofnow
8538c12267 Merge branch 'github:main' into LoadClassNoSignatureCheck 2023-12-13 13:47:40 +08:00
Ed Minnix
1b8f3f3450 Deprecate or remove imports of dataflow library copies 2023-12-08 10:42:10 -05:00
Shati Patel
6284781a9b Update inconsistent CWE tags 
Most tags use the "external/cwe/cwe-xxx" format, except for these few queries. Updating them for consistency.
 2023-12-04 11:52:31 +00:00
masterofnow
2952d8f65a Updated query to cover broader detection. 2023-11-18 18:52:47 +08:00
masterofnow
532f6a5b0c Removed @kind path-problem in comment. Added text message in select. 2023-11-13 08:27:07 +08:00
masterofnow
20592352d0 Updated text in LoadClassNoSignatureCheck.qhelp 2023-11-12 20:48:49 +08:00
masterofnow
fd66f47d82 Added LoadClassNoSignatureCheck.ql 2023-11-12 20:27:49 +08:00
Chris Smowton
06238dd5f6 Improve reflective class names 2023-10-24 13:29:32 +01:00
Chris Smowton
e8c9708282 Autoformat 2023-10-24 11:06:19 +01:00
Chris Smowton
59a49eef0b Add aliases for public, importable renamed classes and predicates. 
Also rename and aliases a couple of uses of Access noted along the way.
 2023-10-24 10:54:35 +01:00
Chris Smowton
f552a15aae Mass-rename MethodAccess -> MethodCall 2023-10-24 10:30:26 +01:00
Eric Bickle
7a4382fb69 Merge branch 'main' into fix/thread-resource-arithmetic 2023-10-10 09:38:16 -07:00
Eric Bickle
80c8259e34 Remove unnecessary AdditionalValueStep check 2023-10-10 09:35:45 -07:00
Michael Nebel
cf3a62d201 Java: Address review comments. 2023-10-09 13:06:59 +02:00
Eric Bickle
000c1f7ec8 Java: Flow taint through ArithExpr for ThreadResourceAbuse 
Ensure that tainted values flow through arithmetic operations when
checking for ThreadResourceAbuse vulnerabilities.

For example, multiplying 'number of seconds' by 1000 as an input
to Thread.Sleep, which accepts milliseconds, is a common scenario.
 2023-10-06 14:24:37 -07:00
Michael Nebel
40e63a63e2 Java: Re-factor most queries and tests to use threat models. 2023-10-04 14:01:58 +02:00
Tony Torralba
586c8803c5 Move the sources back the .ql files 
Otherwise they would both apply at the same time, making both versions of the query identical.
 2023-08-04 10:02:56 +02:00
Tony Torralba
e9bad321b6 Apply suggestions from code review 2023-08-04 09:21:45 +02:00
aegilops
fc7f8409be Fix up for code review 2023-08-03 13:50:40 +01:00
Tony Torralba
b5d08ade59 Formatting 2023-08-01 09:35:25 +02:00
Paul Hodgkinson
bfbb77a796 Merge branch 'main' into java/experimental/command-injection 2023-06-29 09:51:14 +01:00
aegilops
01798f63f8 Switched to new dataflow and added a test (but it doesn't produce results yet) 2023-06-28 17:14:39 +01:00
aegilops
23bf8470ce Removed .md and made class change 2023-06-19 17:29:17 +01:00
aegilops
8c9ccab9c9 Autoformat 2023-06-19 11:53:53 +01:00
aegilops
2112d73a6a Autoformat 2023-06-19 11:50:54 +01:00
aegilops
1a108fb1c9 Changed to for constant string 2023-06-19 11:46:08 +01:00
aegilops
7c235e3786 Fixed linting issues. Will not fix instanceof, that is necessary 2023-06-19 11:41:23 +01:00
aegilops
8c73fbeabe Formatted 2023-06-16 17:33:21 +01:00
aegilops
55eeb00309 Added experimental tag 2023-06-16 17:27:01 +01:00
aegilops
b6c35dd88c Added experimental version of Java Command Injection query, to be more sensitive to unusual code constructs 2023-06-16 17:12:53 +01:00
Tony Torralba
ffe67689ec Merge branch 'main' into atorralba/java/command-injection-mad-sinks 2023-06-13 09:27:33 +02:00
Anders Schack-Mulligen
a0a9d30286 Java: Fix qltests. 2023-06-09 08:37:35 +02:00
Tony Torralba
6d7234f8ed Merge pull request #13225 from atorralba/atorralba/java/path-injection-mad-sinks-2 
Java: Migrate path injection sinks to models-as-data (simplified)
 2023-06-07 14:27:36 +02:00