hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 11:19:27 +02:00
Code Issues Packages Projects Releases Wiki Activity
87,294 Commits 1,759 Branches 167 Tags
dd35bc0722d74ca4d75ca40841c702ffba4a72e8
Commit Graph

530 Commits

Author SHA1 Message Date
copilot-swe-agent[bot]
043ec857ab Replace fluent SSRF changes with Apache HttpClient execute model tests 
Agent-Logs-Url: https://github.com/github/codeql/sessions/3db201db-a1b5-4353-a94a-14a8d156dd3b

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
 2026-05-06 20:31:34 +00:00
copilot-swe-agent[bot]
f5b17b0b48 Add SSRF tests and stubs for Apache Http fluent Request models 
Agent-Logs-Url: https://github.com/github/codeql/sessions/bd4fa112-dbc3-47e8-9cef-9b1b13c7e549

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
 2026-05-06 16:08:02 +00:00
copilot-swe-agent[bot]
25d232b815 Model additional Hibernate query sinks 
Agent-Logs-Url: https://github.com/github/codeql/sessions/fc2c7f71-3493-4bf7-9136-34571a1d4b47

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
 2026-04-23 13:41:03 +00:00
copilot-swe-agent[bot]
081ad03b4b Add Hibernate SQL injection sink tests 
Agent-Logs-Url: https://github.com/github/codeql/sessions/2e7aecca-63ea-489f-8b87-4cc557655919

Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
 2026-04-23 10:04:52 +00:00
Salah Baddou
f5131f9bc6 Java: Add XXE sink model for Woodstox WstxInputFactory 
`com.ctc.wstx.stax.WstxInputFactory` overrides `createXMLStreamReader`,
`createXMLEventReader` and `setProperty` from `XMLInputFactory`, so the
existing `XmlInputFactory` model in `XmlParsers.qll` does not match calls
where the static receiver type is `WstxInputFactory` (or its supertype
`org.codehaus.stax2.XMLInputFactory2`). Woodstox is vulnerable to XXE in
its default configuration, so these missed sinks were false negatives in
`java/xxe`.

This adds a scoped framework model under
`semmle/code/java/frameworks/woodstox/WoodstoxXml.qll` (registered in the
`Frameworks` module of `XmlParsers.qll`) that recognises these calls as
XXE sinks and treats the factory as safe when both
`javax.xml.stream.supportDTD` and
`javax.xml.stream.isSupportingExternalEntities` are disabled — mirroring
the existing `XMLInputFactory` safe-configuration logic.
 2026-04-17 18:46:51 +04:00
Owen Mansel-Chan
d0999e3abd Add failing test for @Pattern validation 2026-02-12 16:57:04 +00:00
Mauro Baluda
29f23ee192 Fix extraction error 2026-01-13 22:33:01 +01:00
Mauro Baluda
d335f039ef Improve model for CWE-089 2026-01-13 21:48:43 +01:00
Mauro Baluda
dda042f7df rename change notes 2026-01-13 13:07:14 +01:00
Mauro Baluda
4c8058d97b Merge branch 'github:main' into couchdb 2026-01-09 17:20:40 +01:00
Owen Mansel-Chan
8a80158959 Merge pull request #17590 from Kwstubbs/java-mad-test 
Java: FileUpload Support MaD
 2026-01-08 13:33:55 +00:00
Kevin Stubbings
f73f1a7aa9 Add additional test 2025-12-29 07:09:31 +00:00
Mauro Baluda
15ee88ee24 SQLi test case 2025-12-24 20:30:21 +01:00
Mauro Baluda
b22077c371 Hardcoded credentials in CouchBase 2025-12-22 20:22:20 +01:00
Joe Farebrother
1d61da51a6 Generate stubs 2025-12-09 14:13:02 +00:00
Kevin Stubbings
0d3b65a35b Resolved merge conflicts and completed merge 2025-10-06 22:37:28 -07:00
Napalys Klicius
50c7160819 Java: port java/mocking-all-non-private-methods-means-unit-test-is-too-big query 2025-08-11 13:43:36 +02:00
Jami
02ded89d84 Merge branch 'main' into jcogs33/java/junit5-missing-nested-annotation 2025-04-21 09:46:49 -04:00
Chris Smowton
3c555fce11 Add basic test for SQL injection vs Jakarta Persistence 2025-04-01 17:13:23 +01:00
Jami
e458aca806 Merge branch 'main' into jcogs33/java/junit5-missing-nested-annotation 2025-03-27 21:31:09 -04:00
Jami Cogswell
35b647839c Java: include RepeatedTest, ParameterizedTest, TestFactory, and TestTemplate when identifying JUnit 5 test methods 2025-03-23 19:49:55 -04:00
Jami Cogswell
ccbe77eb09 Java: move original files 2025-03-23 19:48:13 -04:00
Tamas Vajk
f7f8b47f12 Java: Add initial version of empty method query 2025-03-14 11:36:03 +01:00
Jami Cogswell
e17486a9d8 Java: rename springframework stubs directory from 5.3.8 to 5.8.x 2025-03-11 15:20:58 -04:00
Jami Cogswell
f65a5b9a66 Java: add test for qhelp good example 2025-02-24 18:27:45 -05:00
Jami Cogswell
b2469ff8ba Java: add APIs and tests for more recent Spring versions: authorizeHttpRequests, AuthorizeHttpRequestsConfigurer, securityMatcher(s) 2025-02-24 18:26:02 -05:00
Jami Cogswell
0ab37684e1 Java: more database update tests and stubs 2025-01-30 10:14:14 -05:00
Jami Cogswell
3bf6dc24c1 Java: Stapler tests and stubs 2025-01-30 10:14:11 -05:00
Jami Cogswell
97aaf4c011 Java: handle MyBatis annotations for insert/update/delete 2025-01-30 10:13:48 -05:00
Kevin Stubbings
ddcf852d3f Add taint steps 2024-11-20 01:07:03 +00:00
Kevin Stubbings
f0560458af Finished up 2024-09-27 19:24:40 +00:00
Kevin Stubbings
6445074fea Fixed but errors still 2024-09-25 21:46:52 +00:00
Kevin Stubbings
d99f552cb3 Test Issues 2024-09-25 08:08:02 +00:00
Chris Smowton
9c0bdbb20a Java: add a test exercising Spring component liveness detection 
The existing Spring stubs are expanded sufficiently to support the needed annotations and a few referenced classes and exceptions.
 2024-08-16 16:36:08 +01:00
Chris Smowton
0b56bf98f3 Java: add test for Apache Camel dead-code analysis 
This exercises code that detects Camel entry-points and marks them as live.
 2024-08-15 17:26:38 +01:00
Chris Smowton
95e504a5ff Merge branch 'main' into am0o0-java-PathInjection 2024-08-05 11:41:25 +01:00
am0o0
a645e01b4b delete wrong stubs 2024-08-02 01:03:47 +02:00
am0o0
d52826879b delete wrong stubs 2024-08-02 01:02:49 +02:00
am0o0
ee9f134828 update current springframework core stub and use this instead of creating a new stubs 2024-08-02 01:00:34 +02:00
Ed Minnix
62944ee473 Add tests for lastaflute framework 2024-07-18 17:41:02 -04:00
Mauro Baluda
e2479a7ce2 Disable csrf for ServerHttpSecurity 2024-05-30 23:08:57 +02:00
Joe Farebrother
2eb93b7a3b Add unit tests 2024-02-12 13:49:45 +00:00
Joe Farebrother
75a2b9415c Merge pull request #15481 from joefarebrother/android-local-auth 
Java: Add query for insecure local authentication
 2024-02-12 13:48:53 +00:00
Joe Farebrother
71852868ac Add case for androidx.biometric api 2024-02-02 17:19:20 +00:00
Joe Farebrother
88c2ccbecf Generate stubs 2024-02-01 16:59:50 +00:00
Joe Farebrother
6081f18089 Add unit tests + make some fixes 2024-01-29 16:25:37 +00:00
Joe Farebrother
2ca164ce35 Generate androidx stubs and correct some models 2024-01-23 09:51:39 +00:00
Joe Farebrother
bafd65b1d2 Add tests to cover each modeled sink + some corrections to the models 2024-01-23 09:51:38 +00:00
Tony Torralba
7bc907840c Fix tests 2023-12-13 11:15:27 +01:00
Ed Minnix
b9d2a26e6e Move ESAPI models into the Weak Randomness query 
These models don't need to apply to all queries. So instead they are
better suited to be within the weak randomness query itself.
 2023-12-11 11:18:39 -05:00