2243 Commits

Author	SHA1	Message	Date
Dave Bartolomeo	d9f243d18a	Java: Fix QLDoc for Container.toString() ... Fixes #5828 The QLDoc was just too specific about the default implementation. I've improved the wording.	2021-05-08 11:14:02 -04:00
Tony Torralba	2a501956b3	Mark a MISSING test result as suggested in code review	2021-05-07 11:17:51 +02:00
Tony Torralba	b69be30b88	Fix imports as suggested in code review	2021-05-07 11:07:06 +02:00
Tony Torralba	f16605b3c1	Apply suggestions from code review ... Co-authored-by: Felicity Chapman <felicitymay@github.com>	2021-05-06 15:17:55 +02:00
Tony Torralba	f1fab854c4	Fix tests for XXE, introduced a dependency with jaxen	2021-05-06 12:11:55 +02:00
Tony Torralba	76468559ba	Add safe example for dom4j	2021-05-06 10:17:25 +02:00
Tony Torralba	926fedb7fb	Update java/ql/test/query-tests/security/CWE-643/XPathInjectionTest.java ... Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>	2021-05-06 09:18:50 +02:00
Tony Torralba	00a7576679	Rename XPath Injection test file	2021-05-06 09:18:50 +02:00
Tony Torralba	8af7f4a484	New sinks and test cases	2021-05-06 09:18:49 +02:00
Tony Torralba	ccb3ea4453	Fix XPath Injection tests classpath	2021-05-06 09:18:49 +02:00
Tony Torralba	509fc8a640	Add missing docs to stubs	2021-05-06 09:18:49 +02:00
Tony Torralba	26c3ff2cee	Move from experimental to standard	2021-05-06 09:18:49 +02:00
Tony Torralba	215118c7ea	Fixes in QLDocs and imports	2021-05-06 09:18:49 +02:00
Tony Torralba	720b5d6da3	Refactored sto use CSV sink model. Also, added more sinks	2021-05-06 09:18:49 +02:00
Tony Torralba	ab62bb66f4	Consider second parameter of Node.selectNodes	2021-05-06 09:18:49 +02:00
Tony Torralba	d72dd9b861	javax.xml.xpath.XPath is an interface	2021-05-06 09:18:49 +02:00
Tony Torralba	2bb2baf6f7	Support more methods that evaluate XPath expressions	2021-05-06 09:18:49 +02:00
Tony Torralba	3705970bfd	Refactored XPath.qll to remove redundant classes and restrict visibility	2021-05-06 09:18:49 +02:00
Tony Torralba	d739a8cac2	Moved configuration from XPath.qll back to XPath Injection query	2021-05-06 09:18:48 +02:00
Tony Torralba	ee269fbc69	Added missing doc comments	2021-05-06 09:18:48 +02:00
Tony Torralba	fb3e56eac8	Fix imports and stubs so that tests pass	2021-05-06 09:18:48 +02:00
Tony Torralba	a62997463f	Remove unused imports; use set literals in hasName	2021-05-06 09:18:48 +02:00
Tony Torralba	ed5619498c	WIP: XPath Injection promotion	2021-05-06 09:18:48 +02:00
Felicity Chapman	8b2009cfb1	Minor updates to qhelp file	2021-05-05 12:36:29 +01:00
Anders Schack-Mulligen	5bcf810a7c	Merge pull request #5821 from JarLob/patch-1 ... Update UncaughtServletException.qhelp	2021-05-04 10:39:02 +02:00
Anders Schack-Mulligen	9ee9186a1a	Merge pull request #5825 from github/yo-h/java-diagnostic-queries ... Java: split extractor diagnostics query into two	2021-05-04 10:12:32 +02:00
yo-h	edf1a90161	Java: split extractor diagnostics query into two	2021-05-03 20:27:07 -04:00
Jaroslav Lobačevski	38bce39baa	Update UncaughtServletException.qhelp ... There is no single word in https://cwe.mitre.org/data/definitions/600.html about possible DoS or unexpected state.	2021-05-03 15:06:57 +03:00
Chris Smowton	b2c0259197	Merge pull request #5631 from haby0/UseOfLessTrustedSource ... [Java] CWE-348: Using a client-supplied IP address in a security check	2021-04-30 15:20:53 +01:00
haby0	fdcc517b9f	UseOfLessTrustedSource -> ClientSuppliedIpUsedInSecurityCheck"	2021-04-30 17:43:34 +08:00
haby0	f41301f8f5	Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.java ... Co-authored-by: Chris Smowton <smowton@github.com>	2021-04-30 16:55:17 +08:00
haby0	0691cac5ab	Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSourceLib.qll ... Co-authored-by: Chris Smowton <smowton@github.com>	2021-04-30 16:54:41 +08:00
haby0	8142810455	Update java/ql/src/experimental/Security/CWE/CWE-348/UseOfLessTrustedSource.qhelp ... Co-authored-by: Chris Smowton <smowton@github.com>	2021-04-30 16:54:28 +08:00
haby0	711a74c9c9	Eliminate false positives\	2021-04-30 10:31:40 +08:00
intrigus	08731fc6cf	Fix typo.	2021-04-29 20:26:34 +02:00
Chris Smowton	ad9ea40954	Merge pull request #5597 from intrigus-lgtm/java/jwt-insecure-parse ... [Java] JWT without signature check.	2021-04-29 14:41:11 +01:00
haby0	e813257431	use hardCode	2021-04-29 21:23:52 +08:00
Anders Schack-Mulligen	404a6c1506	Merge pull request #5805 from smowton/smowton/admin/spring-setter-method-docs ... Document `SpringProperty::getSetterMethod`.	2021-04-29 15:10:58 +02:00
Anders Schack-Mulligen	c78285e557	Merge pull request #5784 from Marcono1234/marcono1234/switch-expr-stmt-parent ... Java: Add StmtParent as superclass of SwitchExpr	2021-04-29 15:02:05 +02:00
Chris Smowton	2787c2f874	Document SpringProperty::getSetterMethod.	2021-04-29 12:28:26 +01:00
intrigus	a8865e2fa2	Java: Cleanup jwt stubs.	2021-04-28 20:46:09 +02:00
haby0	b0f745365d	Node type restriction	2021-04-28 14:32:25 +08:00
Tom Hvitved	37377644c9	Merge pull request #5781 from hvitved/java/predictable-seed-df6 ... Java: Use separate data-flow copy for `PredictableSeedFlowConfiguration`	2021-04-27 19:01:55 +02:00
Tamás Vajk	4cc88662e2	Merge pull request #5557 from tamasvajk/feature/java-sinks-csv ... Java: convert sinks to CSV	2021-04-27 15:58:09 +02:00
Marcono1234	05ce49adaf	Java: Add StmtParent as superclass of SwitchExpr ... Database type `@stmtparent` already includes `@switchexpr`, this commit merely changes the class SwitchExpr to also accordingly extend StmtParent.	2021-04-27 15:17:55 +02:00
Tamas Vajk	5b79094f34	Fix naming in HTTPS URL check	2021-04-27 14:59:52 +02:00
Tamas Vajk	e08b629cb5	Add documentation for URL opening sinks	2021-04-27 10:32:41 +02:00
Tom Hvitved	017beb6786	Java: Use separate data-flow copy for PredictableSeedFlowConfiguration	2021-04-27 10:07:33 +02:00
haby0	5be9fbbc5a	Remove LogOperationSink and PrintSink	2021-04-27 14:12:33 +08:00
intrigus	b1a3633495	Java: Remove redundant condition + docs.	2021-04-23 22:06:04 +02:00