Commit Graph

952 Commits

Author SHA1 Message Date
Anders Schack-Mulligen
e8a7139020 Merge pull request #12476 from aschackmull/java/refactor-dataflow-queries-2
Java: Refactor more dataflow queries to the new API
2023-03-15 09:40:32 +01:00
Edward Minnix III
de1ecf943e Merge pull request #11915 from egregius313/egregius313/arbitrary-apk-installation
Java: Arbitrary APK installation
2023-03-14 06:23:51 -04:00
Anders Schack-Mulligen
7c0e89ffdd Java: Refactor ArithmeticTainted.ql, TempDirLocalInformationDisclosure.ql 2023-03-13 11:27:14 +01:00
Anders Schack-Mulligen
da273269cb Java: Refactor PolynomialReDoS.ql 2023-03-13 11:27:14 +01:00
Ed Minnix
b6eeac5bc8 Update names to new naming convention 2023-03-10 15:13:58 -05:00
Edward Minnix III
e2acc26419 Apply docs review suggestions
- Punctuation
- Rewording

Co-authored-by: Ben Ahmady <32935794+subatoi@users.noreply.github.com>
2023-03-10 09:47:47 -05:00
Anders Schack-Mulligen
64dd8b9488 Merge branch 'main' into java/refactor-dataflow-queries-1 2023-03-10 12:38:06 +01:00
Anders Schack-Mulligen
730eae9521 Java: Autoformat 2023-03-10 09:39:41 +01:00
Edward Minnix III
e8f1f364c5 Refactor to module api for PathNodes
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
2023-03-09 10:45:55 -05:00
Ed Minnix
da43a61506 Convert dataflow configuration to using new module-configuration 2023-03-08 19:19:00 -05:00
Ed Minnix
882e909862 Renamed ArbitraryAPKInstallation to ArbitraryApkInstallation 2023-03-08 12:16:46 -05:00
Ed Minnix
3ea167cadf Split ArbitraryApkInstallation file into 3 files 2023-03-08 12:12:11 -05:00
Edward Minnix III
2d1088e923 Change severity level to error
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
2023-03-08 12:12:11 -05:00
Ed Minnix
0eaad4136e Add RemoteFlowSource as a valid source 2023-03-08 12:12:11 -05:00
Ed Minnix
4d51e4fed0 Change description wording 2023-03-08 12:12:11 -05:00
Ed Minnix
10cd6328dc Add missing QLDocs 2023-03-08 12:12:11 -05:00
Edward Minnix III
8ec5b5b7fa Apply suggestions from code review
Co-authored-by: Jami <57204504+jcogs33@users.noreply.github.com>
2023-03-08 12:12:10 -05:00
Ed Minnix
fa416564c7 Documentation and examples 2023-03-08 12:12:10 -05:00
Ed Minnix
d3d712fbff Remove Url#parse as a source 2023-03-08 12:12:10 -05:00
Ed Minnix
5f4e8e3e6a Add test cases relating to intents with the ACTION_INSTALL_PACKAGE action 2023-03-08 12:12:10 -05:00
Ed Minnix
f03e90f894 Remove http(s) literal sources 2023-03-08 12:12:10 -05:00
Edward Minnix III
839b88a4bc Formatting, capitalization, and typos
Co-authored-by: Tony Torralba <atorralba@users.noreply.github.com>
2023-03-08 12:12:10 -05:00
Ed Minnix
b606271a61 Additional documentation 2023-03-08 12:12:10 -05:00
Ed Minnix
12f78dbed4 Add DataFlow::PathGraph import 2023-03-08 12:12:10 -05:00
Ed Minnix
2d6cdff14b Add period to alert message 2023-03-08 12:12:10 -05:00
Ed Minnix
0ec4df28f5 Add query metadata 2023-03-08 12:12:10 -05:00
Ed Minnix
3f589722c2 Refactor query to change returned source 2023-03-08 12:12:10 -05:00
Ed Minnix
618b608962 Arbitrary APK Installation MVP 2023-03-08 12:12:10 -05:00
Anders Schack-Mulligen
2288eab0fd Java: Refactor BrokenCryptoAlgorithm, MaybeBrokenCryptoAlgorithm 2023-03-07 13:53:36 +01:00
Anders Schack-Mulligen
50935899fa Java: Refactor XSS.ql 2023-03-07 13:33:00 +01:00
Anders Schack-Mulligen
d839b4038e Java: Refactor TaintedPath.ql 2023-03-07 11:53:03 +01:00
Anders Schack-Mulligen
cc75a1a97e Java: Refactor RequestForgery.ql 2023-03-07 11:39:03 +01:00
Anders Schack-Mulligen
35beadc3bb Java: Refactor SensitiveInfoLog.ql 2023-03-07 11:31:49 +01:00
Anders Schack-Mulligen
4408482699 Java: Refactor NumericCastTainted, NumericCastTaintedLocal 2023-03-07 10:42:00 +01:00
Anders Schack-Mulligen
d4e6e77200 Java: Refactor StackTraceExposure, XSS.qll 2023-03-07 10:38:00 +01:00
Anders Schack-Mulligen
c4cf2febfb Java: Refactor ResponseSplitting, ResponseSplittingLocal 2023-03-07 10:37:45 +01:00
Jami
029e1d47fe Merge pull request #12081 from jcogs33/jcogs33/update-some-Files-sinks
Java: update `createTempDirectory` and `copy` "create-file" sinks
2023-02-14 10:53:17 -05:00
Tony Torralba
4fad01a739 Further refactoring
Avoid having two taint tracking configurations in the same file
2023-02-13 09:18:05 +01:00
Tony Torralba
5555b5cd19 Add local version of the XXE query 2023-02-13 09:18:05 +01:00
Jami Cogswell
ce1c814daa Java: update path-injection query to use new 'read-file' sink kind 2023-02-11 17:10:58 -05:00
Joe Farebrother
97b2e852c9 Merge pull request #11713 from joefarebrother/sensitive-result-receiver
Java: Add query for leaking sensitive data through a ResultReceiver
2023-02-01 16:34:17 +00:00
Tony Torralba
834fc51a3a Update java/ql/src/Security/CWE/CWE-927/SensitiveResultReceiver.ql 2023-02-01 15:26:26 +01:00
Joe Farebrother
74dba953ca Apply suggestions from docs review
Co-authored-by: Sam Browning <106113886+sabrowning1@users.noreply.github.com>
2023-02-01 12:54:19 +00:00
Edward Minnix III
4c018759c8 Merge pull request #11283 from egregius313/egregius313/webview-setAllowContentAccess
Java: Android WebView Content Access Query
2023-01-17 11:02:47 -05:00
Antoine Taillefer
660e6d7085 Fix partial path traversal Java example
The Java recommendation example for the "Partial path traversal vulnerability from remote" query doesn't seem right to me. Indeed, the following statement doesn't compile, since `dir.getCanonicalPath()` returns a String:
```
dir.getCanonicalPath().toPath()
```
Maybe the author wanted to state `dir.getCanonicalFile().toPath()`, which would compile, but is useless compared to `dir.getCanonicalPath()`.

Moreover, `parent.getCanonicalFile().toPath()` or `parent.getCanonicalPath()` will **not** be slash-terminated, contrary to what the description says.
From what I can see (and test), the correct fix is to concatenate `File.separator` to the parent canonical path.
2023-01-16 21:14:29 +01:00
Tony Torralba
cca6a13fbb Update java/ql/src/Security/CWE/CWE-927/SensitiveResultReceiver.qhelp 2023-01-16 14:21:03 +01:00
jelaiw
cf7189bb28 Fix small typo in good/bad code sample. 2023-01-13 19:16:11 -06:00
Michael Nebel
5c466f3319 Java: Sync files and update other relevant files related to the new naming of shift. 2023-01-12 19:06:29 +01:00
Chris Smowton
09d8a50494 Spelling 2023-01-12 17:46:00 +00:00
Joe Farebrother
b565f997a0 Improve qhelp 2023-01-12 11:44:39 +00:00