hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
26,003 Commits 1,671 Branches 157 Tags
e58b90ef1c670308976b6e901b202a4c4ab665a3
Commit Graph

1167 Commits

Author SHA1 Message Date
Tony Torralba
30178d4f23 Decouple InsecureBasicAuth.qll to reuse the taint tracking configuration 2021-09-15 17:20:27 +02:00
Tony Torralba
148443fae1 Use InlineExpectationsTest 2021-09-15 17:20:27 +02:00
Tony Torralba
2cada386b4 Refactored into InsecureBasicAuth.qll 2021-09-15 17:20:27 +02:00
Tony Torralba
905be67aae Moved from experimental 2021-09-15 17:20:27 +02:00
Chris Smowton
03db15af9a Merge pull request #6685 from smowton/smowton/admin/android-uri-model 
Java: Add models for android.net.Uri[.Builder]
 2021-09-15 10:48:33 +01:00
Anders Schack-Mulligen
8485b6f0b3 Merge pull request #6691 from bmuskalla/moreStringMethods 
Java: Support String#getChars and #translateEscapes
 2021-09-15 10:14:54 +02:00
Anders Schack-Mulligen
3f7d6e6f85 Merge pull request #6136 from smowton/smowton/admin/spring-xss-content-type-sensitivity 
Spring HTTP: improve content-type sensitivity
 2021-09-15 09:50:56 +02:00
Chris Smowton
e5b84fb795 Use InlineFlowTest 2021-09-14 16:37:07 +01:00
Chris Smowton
367a53dd71 Add models for android.net.Uri[.Builder] 2021-09-14 16:37:07 +01:00
Chris Smowton
6cff0d0376 Merge pull request #6393 from luchua-bc/java/xss-jsf 
Java: CWE-079 Query to detect XSS with JavaServer Faces (JSF)
 2021-09-14 15:15:56 +01:00
Anders Schack-Mulligen
26eafcb55a Merge pull request #6456 from smowton/smowton/admin/flexjson-unsafe-deserialization 
Java: add unsafe-deserialization support for Flexjson
 2021-09-14 14:33:22 +02:00
Chris Smowton
fcc0f1d5a7 Expand test to exercise all sinks 2021-09-14 12:27:33 +01:00
luchua-bc
24addd5c10 Query to detect XSS with JavaServer Faces (JSF) 2021-09-14 11:47:32 +01:00
Anders Schack-Mulligen
e71173d953 Merge pull request #6591 from bmuskalla/inlineFlowTest 
Java: Simplify setup for flow tests using `InlineExpectationsTest`
 2021-09-14 10:31:29 +02:00
Benjamin Muskalla
199e015a06 Support missing String methods 2021-09-14 10:22:22 +02:00
Chris Smowton
122ffca049 Merge pull request #6645 from Marcono1234/marcono1234/spurious-javadoc-param-generic-class 
Java: Detect spurious param Javadoc tag of generic classes
 2021-09-13 16:41:06 +01:00
Benjamin Muskalla
24d740b2da Merge branch 'main' into inlineFlowTest 2021-09-13 17:15:37 +02:00
Benjamin Muskalla
bf5a46f6d8 Simplify inline tests 2021-09-13 17:08:02 +02:00
Anders Schack-Mulligen
7b764aec92 Merge pull request #6682 from aschackmull/java/callbacks 
Java: Add support for callback-based library models.
 2021-09-13 16:43:03 +02:00
Anders Schack-Mulligen
ab862276fc Java: Fix tests. 2021-09-13 16:04:11 +02:00
Chris Smowton
abdd3a5dbe Adjust Java tests that check for unpaired surrogate extraction 2021-09-13 14:02:05 +01:00
Anders Schack-Mulligen
89a6cdc711 Java: Add support for callback-based library models. 2021-09-13 14:49:28 +02:00
Chris Smowton
68ed3250e8 Merge pull request #6478 from smowton/smowton/feature/jax-rs-request-filters 
Java: Add sources for Jax-RS filters
 2021-09-13 10:59:17 +01:00
Marcono1234
5009ed618f Java: Extend functional interfaces test 2021-09-12 01:50:07 +02:00
Chris Smowton
451a46bf0e Add models for getLanguage, getMediaType 2021-09-10 16:36:38 +01:00
Chris Smowton
5e7a3ca2e6 Model UriInfo.relativize and resolve. 2021-09-10 16:36:37 +01:00
Chris Smowton
f1c3a11103 Add sources for Jax-RS filters 2021-09-10 16:36:34 +01:00
Chris Smowton
9b488207eb Add support for the Flexjson framework to the unsafe-deserialization query 2021-09-10 16:27:23 +01:00
Chris Smowton
b47939c737 Note resolved spurious results 2021-09-10 16:10:54 +01:00
Chris Smowton
d940085384 Spring HTTP: inherit produced content-types from surrounding class 2021-09-10 16:10:52 +01:00
Chris Smowton
bdd135dbff Spring HTTP: mark explicitly content-typed body calls as sinks 
Previously only the return from the request-handler method constituted a sink, and was filtered by the Produces annotation if any, even though a BodyBuilder could explicitly override.

These sinks are also marked as out-barriers to avoid duplicate paths when the Produces annotation is in agreement.
 2021-09-10 16:10:50 +01:00
Chris Smowton
701d0bcdca Spring content types: recognise constant content-type strings 2021-09-10 16:10:48 +01:00
Chris Smowton
3b6cc97557 Sanitize Spring bodies directly associated with an XSS-safe Content-Type 2021-09-10 16:10:44 +01:00
Chris Smowton
29028c5d46 Update test expectations to account for dataflow subpaths changes 2021-09-10 13:53:41 +01:00
Chris Smowton
2d03840fde Add experimental variants of java/xxe, incorporating new sinks and a version that uses local sources. 
Originally authored by @haby0, squashed to clean up a tangled commit history.
 2021-09-10 13:49:31 +01:00
Anders Schack-Mulligen
3e17fdcaa3 Merge pull request #6407 from bmuskalla/charSeqSubSeq 
Java: Track taint for CharSequence#subSequence
 2021-09-10 09:01:29 +02:00
Chris Smowton
5b8b27a2aa Merge pull request #6651 from smowton/smowton/admin/functional-interface-tests 
Add tests for functional interfaces
 2021-09-09 22:02:16 +01:00
Benjamin Muskalla
9d5e48430e Merge branch 'main' into charSeqSubSeq 2021-09-09 16:04:36 +02:00
Chris Smowton
a0bf170d02 Add test for functional interfaces 2021-09-09 15:00:42 +01:00
Benjamin Muskalla
eef044f4d0 Add test to capture expected parameter format 2021-09-09 13:05:15 +02:00
Benjamin Muskalla
a1b7437f8d Merge branch 'main' into thirdpartyapitelemtry 2021-09-09 11:11:42 +02:00
Marcono1234
a173d9593b Java: Detect spurious param Javadoc tag of generic classes 2021-09-09 00:11:02 +02:00
Benjamin Muskalla
9e66ee1da0 Add example to inline flow test docs 2021-09-07 16:47:02 +02:00
Benjamin Muskalla
3641b28c3e Convert javax-json to InlineFlowTest 2021-09-07 16:47:01 +02:00
Benjamin Muskalla
a6b47208e1 Convert optional to InlineFlowTest 2021-09-07 16:47:01 +02:00
Benjamin Muskalla
2d9b4b33d4 Convert spring to InlineFlowTest 2021-09-07 16:47:01 +02:00
Benjamin Muskalla
da3b7a2b69 Convert json-java to InlineFlowTest 2021-09-07 16:47:00 +02:00
Benjamin Muskalla
ff73e46c95 Convert jackson to InlineFlowTest 2021-09-07 16:47:00 +02:00
Benjamin Muskalla
1ead522705 Convert guava-cache to InlineFlowTest 2021-09-07 16:47:00 +02:00
Benjamin Muskalla
efd5dc94e6 Convert apache-commons-lang3 to InlineFlowTest 2021-09-07 16:47:00 +02:00