hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
61,927 Commits 1,672 Branches 157 Tags
d955dce72a8271ae1693485d0879ebe8f0672a7f
Commit Graph

11029 Commits

Author SHA1 Message Date
Tony Torralba
d955dce72a Improve source of randomness detection 
Also sanitize flow out of sinks to avoid overlapping paths
 2023-12-13 11:15:27 +01:00
Tony Torralba
fc45621ab1 Add pac4j JWT cryptographic key sinks 2023-12-13 11:15:27 +01:00
Tony Torralba
7bc907840c Fix tests 2023-12-13 11:15:27 +01:00
Tony Torralba
3a5d711711 Add cookie sinks 2023-12-13 11:15:27 +01:00
Tony Torralba
435d1f97a3 Add sink for OpenSAML's RequestType.setID 2023-12-13 11:15:27 +01:00
github-actions[bot]
9b20665d75 Add changed framework coverage reports 2023-12-13 00:16:25 +00:00
Tony Torralba
27be5ba14b Merge pull request #15073 from atorralba/atorralba/java/remove-invalid-ognl-sinks 
Java: Remove invalid OGNL sinks
 2023-12-12 16:52:31 +01:00
Tony Torralba
fad53a25c0 Update java/ql/lib/ext/struts2.model.yml 
Co-authored-by: Anders Schack-Mulligen <aschackmull@users.noreply.github.com>
 2023-12-12 14:58:47 +01:00
Tony Torralba
103110f9c2 Java: Remove invalid OGNL sinks 
Fixes #15053
 2023-12-12 13:39:51 +01:00
Edward Minnix III
06eef93f89 Docs review suggestions 2023-12-11 11:18:40 -05:00
Edward Minnix III
ce20c4ae03 Docs review suggestions 
Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
 2023-12-11 11:18:40 -05:00
Ed Minnix
7362158229 Fix test case 2023-12-11 11:18:40 -05:00
Ed Minnix
1271cd3348 Remove unnecessary crypto sinks 2023-12-11 11:18:40 -05:00
Ed Minnix
3ca039bc8f Rename to InsecureRandomness 2023-12-11 11:18:40 -05:00
Ed Minnix
6e70e6c85a Use pre-exisiting type for SecureRandom 2023-12-11 11:18:39 -05:00
Edward Minnix III
4678302edb Update query metadata 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2023-12-11 11:18:39 -05:00
Ed Minnix
bbf99375c7 Alter cookie sinks to instead focus on creation of a cookie 2023-12-11 11:18:39 -05:00
Ed Minnix
4bdf2b5e18 Bump change note date 2023-12-11 11:18:39 -05:00
Ed Minnix
b9d2a26e6e Move ESAPI models into the Weak Randomness query 
These models don't need to apply to all queries. So instead they are
better suited to be within the weak randomness query itself.
 2023-12-11 11:18:39 -05:00
Ed Minnix
7f3995f524 Remove extra encryption-iv models 2023-12-11 11:18:39 -05:00
Ed Minnix
7241e0920c Replace convertBytesToString with models 2023-12-11 11:18:39 -05:00
Ed Minnix
e9ca4a25d4 Update to new MethodCall name 2023-12-11 11:18:39 -05:00
Ed Minnix
a1e9564cc5 Add more sources 2023-12-11 11:18:39 -05:00
Ed Minnix
b8b2de2f3c Remove use of crypto-parameter sink kind 2023-12-11 11:18:39 -05:00
Ed Minnix
646254c9b2 Add credentials sinks from SensitiveApi 2023-12-11 11:18:39 -05:00
Ed Minnix
057a74d914 Remove unnused class 2023-12-11 11:18:39 -05:00
Ed Minnix
fb875f5095 More variety of test cases 2023-12-11 11:18:39 -05:00
Ed Minnix
ba3c38c226 Restrict addCookie to specific interface 2023-12-11 11:18:38 -05:00
Ed Minnix
dc3e4cd928 Refactored method accesses to the RandomDataSource library 2023-12-11 11:18:38 -05:00
Ed Minnix
ce7690b53f Make imports private 2023-12-11 11:18:38 -05:00
Edward Minnix III
bc0655573f Simplifications 
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
 2023-12-11 11:18:38 -05:00
Ed Minnix
14fdfa4428 Add new sink kind and change note 2023-12-11 11:18:38 -05:00
Ed Minnix
0313f39229 Cryptographic sinks 2023-12-11 11:18:38 -05:00
Ed Minnix
b713efb711 Add ThreadLocalRandom.current as another source 2023-12-11 11:18:38 -05:00
Ed Minnix
bf0123d6ae Add org.apache.commons.lang.RandomStringUtils as a source 2023-12-11 11:18:38 -05:00
Ed Minnix
1daa83bf46 Add test cases 2023-12-11 11:18:38 -05:00
Ed Minnix
e69ff7b601 Move to library and add docs 2023-12-11 11:18:38 -05:00
Ed Minnix
9f986ca527 Add Weak Randomness Query 2023-12-11 11:18:38 -05:00
Ed Minnix
1526da5929 Deprecation change note 2023-12-08 10:50:04 -05:00
Ed Minnix
aebbc7d4ab Add private imports to prevent compile warnings 2023-12-08 10:42:11 -05:00
Ed Minnix
1b8f3f3450 Deprecate or remove imports of dataflow library copies 2023-12-08 10:42:10 -05:00
Anders Schack-Mulligen
0618568cdc Merge pull request #15045 from aschackmull/java/fix-cp 
Java: Fix accidental cartesian product.
 2023-12-08 15:43:01 +01:00
Anders Schack-Mulligen
64eb4ff753 Merge pull request #14983 from aschackmull/dataflow/deprecate-old-api 
Data Flow: Deprecate old data flow api.
 2023-12-08 14:27:25 +01:00
Anders Schack-Mulligen
7ee3068fe7 Java: Fix accidental cartesian product. 2023-12-08 13:27:05 +01:00
Ian Lynagh
fc11a87882 Kotlin: Fix dataflow with Array.set wrappers 2023-12-06 12:19:46 +00:00
Ian Lynagh
7fc7b96ed7 Kotlin: Add a test for dataflow with an Array.set wrapper 2023-12-06 12:19:25 +00:00
Ian Lynagh
2c625e34b5 Merge pull request #15008 from igfoo/igfoo/kot-arr-taint 
Kotlin: Track taint through Array.get/set
 2023-12-05 18:30:21 +00:00
Ian Lynagh
8ea155ef24 Kotlin: Add changenote 2023-12-05 14:48:02 +00:00
Ian Lynagh
babf1d6648 Kotlin: Track Kotlin's Array.set when tracking taint 2023-12-05 14:42:45 +00:00
Ian Lynagh
124487c57c Kotlin: Add more taint tests 2023-12-05 14:42:45 +00:00