hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-21 06:57:09 +01:00
Code Issues Packages Projects Releases Wiki Activity
20,964 Commits 1,712 Branches 163 Tags
f27d2bdf6d3ebbb37bb006d249494b96cfafadf9
Commit Graph

1888 Commits

Author SHA1 Message Date
Jonathan Leitschuh
bfa9324266 CWE-1104: Maven POM dependence upon Bintray/JCenter 2021-02-05 13:05:51 -05:00
luchua-bc
a183b00166 Query to detect main method in servlets 2021-02-05 03:53:01 +00:00
Francis Alexander
683233333c test case return statements and feedback 2021-02-04 22:28:10 +05:30
Anders Schack-Mulligen
35e620a19c Merge pull request #4854 from luchua-bc/java/insecure-ldap-auth 
Java: Insecure LDAP authentication
 2021-02-04 14:56:38 +01:00
luchua-bc
724c3e00e0 Update help file 2021-02-03 16:45:15 +00:00
Anders Schack-Mulligen
40d02e7e32 Merge pull request #4926 from luchua-bc/java/insufficient-key-size 
Java: Query to detect weak encryption: insufficient key size
 2021-02-03 15:16:10 +01:00
Anders Schack-Mulligen
0df7e9fa4e Merge pull request #4989 from lcartey/lcartey/spring-inheritence-improvements 
Java: Track taint through Spring Java bean getters on super types
 2021-02-03 15:06:03 +01:00
luchua-bc
2ace10fcdf Use PostUpdateNode for wrapper method calls 2021-02-03 12:21:31 +00:00
luchua-bc
3151aeff48 Enhance the query 2021-02-02 18:26:29 +00:00
luchua-bc
5e3b6fa341 Update qldoc 2021-02-02 16:20:39 +00:00
luchua-bc
50be54385a Update qldoc 2021-02-02 14:49:50 +00:00
Artem Smotrakov
59f48ecea3 Removed LocalUserInput in JexlInjectionLib.ql 2021-01-29 12:38:51 +01:00
Luke Cartey
76c9b6466e Reformat TaintTrackingUtil.qll with more recent CodeQL CLI 2021-01-29 11:27:30 +00:00
Anders Schack-Mulligen
bbdd7c9b57 Merge pull request #4963 from joefarebrother/guava-collections 
Java: Add flow steps for Guava collection utilities
 2021-01-28 11:01:03 +01:00
luchua-bc
ab7d257569 Add more cases and change EC to 256 bits 2021-01-28 04:06:27 +00:00
luchua-bc
2ac7b4bab4 Update qldoc 2021-01-28 04:06:27 +00:00
luchua-bc
058f3af4b2 Refactor the hasShortSymmetricKey method 2021-01-28 04:06:27 +00:00
luchua-bc
cbaee937d0 Optimize the query 2021-01-28 04:06:27 +00:00
luchua-bc
cfc950f803 Query for weak encryption: Insufficient key size 2021-01-28 03:25:15 +00:00
luchua-bc
6a93099b64 Simplify the query and update qldoc 2021-01-28 03:02:53 +00:00
intrigus
d3e6e594b2 Java: Improve QLDoc 2021-01-27 11:57:32 +01:00
intrigus
bdba7e14fe Java: Switch to data flow 2021-01-27 11:54:40 +01:00
Henning Makholm
54f00de3e0 Add "tests" fields to test qlpacks 
This will allow `codeql resolve tests --ignore-dubious-cases`
(and thus the VSCode extension) to recognize all `.ql` files in those
packs as test cases, even if they don't have accompanying `.expected`
files.

CLI versions prior to 2.1.0 will choke on this, but it's almost 10
months since that came out.
 2021-01-26 18:15:22 +01:00
luchua-bc
fee0b94cd4 Use isRequestGetParamMethod as the source 2021-01-26 04:41:44 +00:00
Joe Farebrother
d69ecde5c1 Java: Add additional flow steps for guava collection methods and more unit tests 2021-01-25 16:37:40 +00:00
Joe Farebrother
7e11d8ed07 Java: Add modelling for guava Sets 2021-01-25 16:37:40 +00:00
Joe Farebrother
d1427fcd93 Java: Add modelling for Guava's collection classes 2021-01-25 16:37:40 +00:00
Artem Smotrakov
8d701e604a Simplified JexlInjectionLib.qll 
- Merged multiple method definitions to DirectJexlEvaluationMethod
- Don't use TaintPropagatingJexlMethodCall field in JexlInjectionConfig
- Better variable names in JexlEvaluationSink
 2021-01-25 14:17:51 +01:00
Artem Smotrakov
71e5cb45d3 Simplified method and class definitions for JEXL 2021-01-23 19:50:16 +01:00
Artem Smotrakov
03348b18b5 Simplified TaintPropagatingJexlMethodCall 2021-01-23 19:41:14 +01:00
Artem Smotrakov
a47147bc5e Simplify sinks in JexlInjectionLib.qll 2021-01-23 19:22:43 +01:00
Artem Smotrakov
28ebbee61d Added TaintPropagatingJexlMethodCall class 2021-01-23 17:42:04 +01:00
Artem Smotrakov
73c8338e52 Use <code> tag in JexlInjection.qhelp 2021-01-21 22:49:36 +01:00
Artem Smotrakov
ee6d28b562 Use LocalUserInput when looking for JEXL injections 2021-01-21 22:46:18 +01:00
Artem Smotrakov
8166e269ec Added examples of a sandbox for JEXL expressions 2021-01-21 20:53:15 +01:00
Artem Smotrakov
7df813354a Improved JexlInjectionLib.qll 2021-01-20 20:26:48 +01:00
Luke Cartey
5c6f5b7b33 Java: Track taint through Spring Java bean getters on super types 2021-01-20 16:53:03 +00:00
Anders Schack-Mulligen
9b2f69ca94 Merge pull request #4978 from github/yo-h/struts-xml-change-note 
Java: add change note for `struts.xml` extraction
 2021-01-20 08:59:45 +01:00
yo-h
91fa12b1be Java: add change note for struts.xml extraction 2021-01-19 10:19:18 -05:00
Anders Schack-Mulligen
dde8d320f3 Apply suggestions from code review 
Minor qldoc fixes.
 2021-01-19 08:24:24 +01:00
Marcono1234
703336a77f Add ArrayInit.getSize(), improve documentation 2021-01-18 16:44:53 +01:00
Artem Smotrakov
7d2d27394b Java: Added a source and a taint step for JexlInjectionConfig 
- Added TaintedSpringRequestBody source
- Added returningTaintedDataFromBean() taint step
- Added tests
 2021-01-17 22:28:42 +01:00
Artem Smotrakov
99401f6e84 Java: Query for detecting JEXL injections 2021-01-17 14:19:26 +01:00
intrigus
a4cbd7037b Java: Add tests for different versions. 
Adds a test for version 6.24, because that version is not vulnerable.
The other test is for versions < 6.24, because these versions are
vulnerable.
 2021-01-15 17:20:57 +01:00
luchua-bc
32c54628f8 Drop fieldName from the function for runtime evaluation 2021-01-15 12:33:00 +00:00
luchua-bc
e5a703e49c Revamp the query 2021-01-15 04:05:11 +00:00
yo-h
27fd16ae87 Java: update documentation on supported language versions 2021-01-14 20:29:16 -05:00
intrigus-lgtm
b8076481bf Java: Suggestions from Review 2021-01-13 20:32:23 +01:00
Anders Schack-Mulligen
f3b8fe2e2e Java: Add Member.hasQualifiedName. 2021-01-13 13:42:35 +01:00
Anders Schack-Mulligen
29935e1388 Merge pull request #4771 from intrigus-lgtm/split-cwe-295 
Java: Add unsafe hostname verification query and remove existing overlapping query
 2021-01-13 11:31:38 +01:00