Owen Mansel-Chan
37589dd8a0
Improve how org.apache.http.client.HttpClient is created in test
2026-05-28 10:30:43 +01:00
copilot-swe-agent[bot]
043ec857ab
Replace fluent SSRF changes with Apache HttpClient execute model tests
Agent-Logs-Url: https://github.com/github/codeql/sessions/3db201db-a1b5-4353-a94a-14a8d156dd3b
Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-05-06 20:31:34 +00:00
copilot-swe-agent[bot]
f5b17b0b48
Add SSRF tests and stubs for Apache Http fluent Request models
Agent-Logs-Url: https://github.com/github/codeql/sessions/bd4fa112-dbc3-47e8-9cef-9b1b13c7e549
Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-05-06 16:08:02 +00:00
copilot-swe-agent[bot]
25d232b815
Model additional Hibernate query sinks
Agent-Logs-Url: https://github.com/github/codeql/sessions/fc2c7f71-3493-4bf7-9136-34571a1d4b47
Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-04-23 13:41:03 +00:00
copilot-swe-agent[bot]
081ad03b4b
Add Hibernate SQL injection sink tests
Agent-Logs-Url: https://github.com/github/codeql/sessions/2e7aecca-63ea-489f-8b87-4cc557655919
Co-authored-by: owen-mc <62447351+owen-mc@users.noreply.github.com>
2026-04-23 10:04:52 +00:00
Salah Baddou
f5131f9bc6
Java: Add XXE sink model for Woodstox WstxInputFactory
`com.ctc.wstx.stax.WstxInputFactory` overrides `createXMLStreamReader`,
`createXMLEventReader` and `setProperty` from `XMLInputFactory`, so the
existing `XmlInputFactory` model in `XmlParsers.qll` does not match calls
where the static receiver type is `WstxInputFactory` (or its supertype
`org.codehaus.stax2.XMLInputFactory2`). Woodstox is vulnerable to XXE in
its default configuration, so these missed sinks were false negatives in
`java/xxe`.
This adds a scoped framework model under
`semmle/code/java/frameworks/woodstox/WoodstoxXml.qll` (registered in the
`Frameworks` module of `XmlParsers.qll`) that recognises these calls as
XXE sinks and treats the factory as safe when both
`javax.xml.stream.supportDTD` and
`javax.xml.stream.isSupportingExternalEntities` are disabled — mirroring
the existing `XMLInputFactory` safe-configuration logic.
2026-04-17 18:46:51 +04:00
Owen Mansel-Chan
d0999e3abd
Add failing test for @Pattern validation
2026-02-12 16:57:04 +00:00
Mauro Baluda
29f23ee192
Fix extraction error
2026-01-13 22:33:01 +01:00
Mauro Baluda
d335f039ef
Improve model for CWE-089
2026-01-13 21:48:43 +01:00
Mauro Baluda
dda042f7df
rename change notes
2026-01-13 13:07:14 +01:00
Mauro Baluda
4c8058d97b
Merge branch 'github:main' into couchdb
2026-01-09 17:20:40 +01:00
Owen Mansel-Chan
8a80158959
Merge pull request #17590 from Kwstubbs/java-mad-test
Java: FileUpload Support MaD
2026-01-08 13:33:55 +00:00
Kevin Stubbings
f73f1a7aa9
Add additional test
2025-12-29 07:09:31 +00:00
Mauro Baluda
15ee88ee24
SQLi test case
2025-12-24 20:30:21 +01:00
Mauro Baluda
b22077c371
Hardcoded credentials in CouchBase
2025-12-22 20:22:20 +01:00
Joe Farebrother
1d61da51a6
Generate stubs
2025-12-09 14:13:02 +00:00
Kevin Stubbings
0d3b65a35b
Resolved merge conflicts and completed merge
2025-10-06 22:37:28 -07:00
Napalys Klicius
50c7160819
Java: port java/mocking-all-non-private-methods-means-unit-test-is-too-big query
2025-08-11 13:43:36 +02:00
Jami
02ded89d84
Merge branch 'main' into jcogs33/java/junit5-missing-nested-annotation
2025-04-21 09:46:49 -04:00
Chris Smowton
3c555fce11
Add basic test for SQL injection vs Jakarta Persistence
2025-04-01 17:13:23 +01:00
Jami
e458aca806
Merge branch 'main' into jcogs33/java/junit5-missing-nested-annotation
2025-03-27 21:31:09 -04:00
Jami Cogswell
35b647839c
Java: include RepeatedTest, ParameterizedTest, TestFactory, and TestTemplate when identifying JUnit 5 test methods
2025-03-23 19:49:55 -04:00
Jami Cogswell
ccbe77eb09
Java: move original files
2025-03-23 19:48:13 -04:00
Tamas Vajk
f7f8b47f12
Java: Add initial version of empty method query
2025-03-14 11:36:03 +01:00
Jami Cogswell
e17486a9d8
Java: rename springframework stubs directory from 5.3.8 to 5.8.x
2025-03-11 15:20:58 -04:00
Jami Cogswell
f65a5b9a66
Java: add test for qhelp good example
2025-02-24 18:27:45 -05:00
Jami Cogswell
b2469ff8ba
Java: add APIs and tests for more recent Spring versions: authorizeHttpRequests, AuthorizeHttpRequestsConfigurer, securityMatcher(s)
2025-02-24 18:26:02 -05:00
Jami Cogswell
0ab37684e1
Java: more database update tests and stubs
2025-01-30 10:14:14 -05:00
Jami Cogswell
3bf6dc24c1
Java: Stapler tests and stubs
2025-01-30 10:14:11 -05:00
Jami Cogswell
97aaf4c011
Java: handle MyBatis annotations for insert/update/delete
2025-01-30 10:13:48 -05:00
Kevin Stubbings
ddcf852d3f
Add taint steps
2024-11-20 01:07:03 +00:00
Kevin Stubbings
f0560458af
Finished up
2024-09-27 19:24:40 +00:00
Kevin Stubbings
6445074fea
Fixed but errors still
2024-09-25 21:46:52 +00:00
Kevin Stubbings
d99f552cb3
Test Issues
2024-09-25 08:08:02 +00:00
Chris Smowton
9c0bdbb20a
Java: add a test exercising Spring component liveness detection
The existing Spring stubs are expanded sufficiently to support the needed annotations and a few referenced classes and exceptions.
2024-08-16 16:36:08 +01:00
Chris Smowton
0b56bf98f3
Java: add test for Apache Camel dead-code analysis
This exercises code that detects Camel entry-points and marks them as live.
2024-08-15 17:26:38 +01:00
Chris Smowton
95e504a5ff
Merge branch 'main' into am0o0-java-PathInjection
2024-08-05 11:41:25 +01:00
am0o0
a645e01b4b
delete wrong stubs
2024-08-02 01:03:47 +02:00
am0o0
d52826879b
delete wrong stubs
2024-08-02 01:02:49 +02:00
am0o0
ee9f134828
update current springframework core stub and use this instead of creating new stubs
2024-08-02 01:00:34 +02:00
Ed Minnix
62944ee473
Add tests for lastaflute framework
2024-07-18 17:41:02 -04:00
Mauro Baluda
e2479a7ce2
Disable csrf for ServerHttpSecurity
2024-05-30 23:08:57 +02:00
Joe Farebrother
2eb93b7a3b
Add unit tests
2024-02-12 13:49:45 +00:00
Joe Farebrother
75a2b9415c
Merge pull request #15481 from joefarebrother/android-local-auth
Java: Add query for insecure local authentication
2024-02-12 13:48:53 +00:00
Joe Farebrother
71852868ac
Add case for androidx.biometric api
2024-02-02 17:19:20 +00:00
Joe Farebrother
88c2ccbecf
Generate stubs
2024-02-01 16:59:50 +00:00
Joe Farebrother
6081f18089
Add unit tests + make some fixes
2024-01-29 16:25:37 +00:00
Joe Farebrother
2ca164ce35
Generate androidx stubs and correct some models
2024-01-23 09:51:39 +00:00
Joe Farebrother
bafd65b1d2
Add tests to cover each modeled sink + some corrections to the models
2024-01-23 09:51:38 +00:00
Tony Torralba
7bc907840c
Fix tests
2023-12-13 11:15:27 +01:00