codeql

mirror of https://github.com/github/codeql.git synced 2026-02-12 05:01:06 +01:00

Author	SHA1	Message	Date
Joe Farebrother	ed228cbcef	Add sinks for URL Open Stream query	2021-03-08 14:07:53 +00:00
Anders Schack-Mulligen	00983c8967	Merge pull request #4965 from artem-smotrakov/jexl-injection Java: Query for detecting JEXL injections	2021-03-05 10:52:36 +01:00
Artem Smotrakov	7d52b53c24	Merge branch 'jexl-injection' of github.com:artem-smotrakov/ql into jexl-injection	2021-03-04 20:29:10 +01:00
Artem Smotrakov	0695b2a1fb	Removed TaintedSpringRequestBody	2021-03-04 20:27:39 +01:00
Anders Schack-Mulligen	45f52289ea	Merge branch 'main' into java/merge-5226	2021-03-04 11:36:16 +01:00
Artem Smotrakov	7cc7ec962e	Updated recommendations for avoiding JEXL injections	2021-03-03 11:40:59 +01:00
Artem Smotrakov	c243f2f042	Improved JexlInjection.qhelp	2021-03-02 21:25:26 +01:00
Artem Smotrakov	6b66323ac3	Simplified JexlInjectionLib.qll and removed LocalUserInput	2021-03-02 21:22:46 +01:00
Anders Schack-Mulligen	0eb2c06e20	Merge pull request #3945 from porcupineyhairs/structsDevMode Java: Add query to detect Apache Struts enabled Devmode	2021-03-02 15:22:20 +01:00
Anders Schack-Mulligen	b0fa8dfeae	Merge pull request #4214 from porcupineyhairs/springViewManipulation [Java] Add QL for detecting Spring View Manipulation Vulnerabilities.	2021-03-02 11:31:42 +01:00
Porcuiney Hairs	5151a528ac	Include suggestions from review	2021-03-01 22:59:30 +05:30
Porcuiney Hairs	14ec148272	refactor to meet experimental guidelines.	2021-03-01 18:46:33 +05:30
Porcupiney Hairs	42a84a18b0	JAVA : Add query to detect Apache Structs enabled DEvmode This query detects cases where the development mode is enabled for a struts configuration. I can't find a CVE per se but, at present, [Github's fuzzy search](https://github.com/search?q=%3Cconstant+name%3D%22struts.devMode%22+value%3D%22true%22+%2F%3E+language%3Axml&type=Code) returns more than 44000 results. Some of them look like they are classroom projects, so they may be ineligible for a CVE. But we should be flagging them anyways as setting the development on in a production system is a very bad practice and can often lead to remote code execution. So these should be fixed anyways.	2021-02-26 16:30:04 +05:30
Porcupiney Hairs	602f63ad45	[Java] Add QL for detecting Spring View Manipulation Vulnerabilities.	2021-02-26 16:29:18 +05:30
Marcono1234	e21cbe82a9	Update Java documentation links to Java 11 Where possible update Java documentation links to Java 11. Additionally update some other links to use HTTPS.	2021-02-26 00:43:51 +01:00
intrigus	141f057f7b	Java: Remove duplicate code.	2021-02-25 21:29:26 +01:00
Tamás Vajk	505d04b13e	Merge pull request #5102 from luchua-bc/java/main-method-in-servlet Java: CWE-489 Query to detect main() method in servlets	2021-02-25 16:05:06 +01:00
luchua-bc	e34a203731	Refactor the check of a main method in a test program to improve maintainability	2021-02-24 17:15:08 +00:00
Anders Schack-Mulligen	add960bc4d	Merge pull request #4880 from luchua-bc/java/sensitive-query-with-get Java: Sensitive GET Query	2021-02-24 11:08:47 +01:00
luchua-bc	56e3b301e9	Resolve ambiguous method access	2021-02-23 15:18:07 +00:00
luchua-bc	45f9125bfa	Update test program	2021-02-23 14:41:44 +00:00
luchua-bc	9eb8ec7da5	Create a separate file for EJB check	2021-02-23 14:38:15 +00:00
luchua-bc	40df01d2cd	Update qldoc and method name	2021-02-22 14:15:41 +00:00
Artem Smotrakov	43a07bb13a	Better sink in SandboxedJexlFlowConfig	2021-02-20 11:17:51 +01:00
luchua-bc	dc799019d0	Add query for Struts and Spring actions	2021-02-20 03:36:21 +00:00
luchua-bc	3d9ac0d094	Add query for enterprise beans	2021-02-20 02:00:42 +00:00
luchua-bc	e916ce8b9b	Exclude test directories of typical build tools	2021-02-18 00:50:38 +00:00
luchua-bc	5e36eedcb6	Add check for test packages	2021-02-17 18:04:55 +00:00
luchua-bc	2f17943abc	Update qldoc	2021-02-15 16:58:09 +00:00
Chris Smowton	97df60f9d6	Move misplaced experimental query into the conventional directory	2021-02-12 12:12:16 +00:00
Artem Smotrakov	042c0b005e	Covered sandboxes for JEXL 2 - Updated SandboxedJexlFlowConfig to cover JEXL 2 - Added SandboxedJexl2 test	2021-02-11 22:57:26 +01:00
Artem Smotrakov	7543df60da	Callable.call() should not be a sink in JexlInjection.ql	2021-02-11 20:37:23 +01:00
Artem Smotrakov	af0f361ac8	Updated JexlInjection.ql to check for sandboxes - Added a dataflow config to track setting a sandbox on JexlBuilder - Added SandboxedJexl3.java test	2021-02-10 22:19:45 +01:00
Anders Schack-Mulligen	b74911204a	Merge pull request #4945 from intrigus-lgtm/java/insecure-jxbrowser Java: Insecure JXBrowser	2021-02-10 15:48:17 +01:00
intrigus	5c82ff83de	Java: Fix qhelp, fix CWE reference	2021-02-10 13:57:51 +01:00
luchua-bc	cb01613aa6	Exclude FP token patterns	2021-02-09 13:53:23 +00:00
intrigus	2e30f2d9ce	Java: Fix QHelp & accept test output Accept test output for changed alert message.	2021-02-08 00:05:02 +01:00
luchua-bc	a183b00166	Query to detect main method in servlets	2021-02-05 03:53:01 +00:00
Anders Schack-Mulligen	35e620a19c	Merge pull request #4854 from luchua-bc/java/insecure-ldap-auth Java: Insecure LDAP authentication	2021-02-04 14:56:38 +01:00
luchua-bc	724c3e00e0	Update help file	2021-02-03 16:45:15 +00:00
luchua-bc	2ace10fcdf	Use PostUpdateNode for wrapper method calls	2021-02-03 12:21:31 +00:00
luchua-bc	3151aeff48	Enhance the query	2021-02-02 18:26:29 +00:00
luchua-bc	5e3b6fa341	Update qldoc	2021-02-02 16:20:39 +00:00
luchua-bc	50be54385a	Update qldoc	2021-02-02 14:49:50 +00:00
Artem Smotrakov	59f48ecea3	Removed LocalUserInput in JexlInjectionLib.ql	2021-01-29 12:38:51 +01:00
luchua-bc	ab7d257569	Add more cases and change EC to 256 bits	2021-01-28 04:06:27 +00:00
luchua-bc	2ac7b4bab4	Update qldoc	2021-01-28 04:06:27 +00:00
luchua-bc	058f3af4b2	Refactor the hasShortSymmetricKey method	2021-01-28 04:06:27 +00:00
luchua-bc	cbaee937d0	Optimize the query	2021-01-28 04:06:27 +00:00
luchua-bc	cfc950f803	Query for weak encryption: Insufficient key size	2021-01-28 03:25:15 +00:00

1 2 3 4 5 ...

266 Commits