luchua-bc
fa2a6a7da3
Remove unnecessary taint step and update qldoc
2022-03-29 17:52:49 +00:00
luchua-bc
833d842113
Drop the getPath check from the library
2022-03-28 20:14:40 +00:00
luchua-bc
88d9694628
Query to detect insecure WebResourceResponse implementation
2022-02-26 02:03:35 +00:00
Chris Smowton
50d9945625
Autoformat
2022-02-23 11:41:23 +00:00
Porcuiney Hairs
e536628a66
Java : Add SSTI query
2022-02-22 15:57:53 +05:30
luchua-bc
40bf093d34
Move shared code to the lib folder and update qldoc
2022-02-15 17:28:13 +00:00
Tony Torralba
0e738622df
Merge branch 'main' into atorralba/promote-log-injection
2022-01-10 17:24:25 +01:00
Erik Krogh Kristensen
6ff8d4de5c
add all remaining explicit this
2021-11-26 13:50:10 +01:00
Tony Torralba
3ea1af3819
Refactor into separate libraries
2021-10-29 17:36:02 +02:00
Chris Smowton
24e3ad4e18
Remove unnecessary type constraint
2021-09-22 10:54:24 +01:00
Daniel Santos
9e41f43ee2
Fix: android.util.Log is final. No inheritance handling is needed.
2021-09-17 10:15:48 -05:00
Daniel Santos
032a7e71fe
Update Logging.qll
...
Simplified using a set-literal as suggested by @intrigus-lgtm
2021-09-16 13:03:26 -05:00
Daniel Santos
af8b2b6d9c
Fix Android logging signature in java/ql/src/experimental/semmle/code/java/Logging.qll
2021-09-16 11:24:06 -05:00
Chris Smowton
7a0555ecb3
Merge pull request #6357 from artem-smotrakov/static-iv
...
Java: Static initialization vector
2021-08-26 13:45:43 +01:00
Fosstars
1dd4bf00ac
Simplify StaticInitializationVectorSource
...
Co-authored-by: Chris Smowton <smowton@github.com>
2021-08-26 09:42:23 +02:00
Artem Smotrakov
23e2322635
Simplify ArrayUpdate
...
Co-authored-by: Chris Smowton <smowton@github.com>
2021-08-25 19:43:43 +02:00
Artem Smotrakov
f41828e5db
Better qldoc in StaticInitializationVectorQuery.qll
...
Co-authored-by: Chris Smowton <smowton@github.com>
2021-08-25 19:38:33 +02:00
Fosstars
f97c8bb049
Removed sanitizer in StaticInitializationVectorConfig
2021-08-25 12:40:48 +02:00
Fosstars
86b7b2b86d
Updated qldoc for ArrayUpdate
2021-08-25 12:14:36 +02:00
Fosstars
c80a1da483
Don't consider copyOf() and clone() in ArrayUpdate
2021-08-25 12:11:34 +02:00
Fosstars
fbac5891b8
Fixed a typo in qldoc
2021-08-14 21:28:30 +02:00
Fosstars
e2dc9753ac
Covered copyOfRange() and clone() in ArrayUpdate
2021-08-14 13:25:46 +02:00
Fosstars
d218813320
Updated qldoc for ArrayUpdate
2021-08-14 13:09:14 +02:00
Fosstars
11992404ec
Be precise when checking for Cipher.ENCRYPT_MODE
2021-08-14 12:18:02 +02:00
Fosstars
4e69081c22
Support multi-dimensional arrays
2021-08-13 20:52:27 +02:00
Artem Smotrakov
cfe74b527a
Use inline-expectation tests for StaticInitializationVector.ql
2021-07-17 01:04:52 +02:00
Tony Torralba
0589dd7e54
Move Jndi.qll from experimental
2021-05-20 12:30:28 +02:00
Tony Torralba
3f0b803796
Refactored to use CSV sink models
2021-05-20 12:00:05 +02:00
luchua-bc
4e3791dc0d
Remove LoadCredentialsConfiguration and update qldoc
2021-04-09 19:36:35 +00:00
luchua-bc
1349bf7b0b
Create a .qll file to reuse the code and add check of Spring properties
2021-03-30 11:25:29 +00:00
Porcuiney Hairs
84c9137152
Include suggestions from review
2021-03-18 16:12:00 +05:30
porcupineyhairs
f27d2bdf6d
Update java/ql/src/experimental/semmle/code/java/Logging.qll
...
Co-authored-by: Marcono1234 <Marcono1234@users.noreply.github.com>
2021-03-18 16:12:00 +05:30
Porcuiney Hairs
d0c82d3756
Add flogger and android logging support
2021-03-18 16:12:00 +05:30
Porcuiney Hairs
17d7ba8049
Add Log Injection Vulnerability
2021-03-18 16:12:00 +05:30
Porcuiney Hairs
5151a528ac
Include suggestions from review
2021-03-01 22:59:30 +05:30
Porcupiney Hairs
42a84a18b0
JAVA : Add query to detect Apache Struts enabled devMode
...
This query detects cases where the development mode is enabled for a
Struts configuration. I can't find a CVE per se but, at present, [GitHub's fuzzy search](https://github.com/search?q=%3Cconstant+name%3D%22struts.devMode%22+value%3D%22true%22+%2F%3E+language%3Axml&type=Code) returns more
than 44000 results. Some of them look like they are classroom projects,
so they may be ineligible for a CVE. But we should be flagging them
anyways as setting the development on in a production system is a very
bad practice and can often lead to remote code execution.
So these should be fixed anyways.
2021-02-26 16:30:04 +05:30
Grzegorz Golawski
df9921f870
Update according to the review comments
2020-05-07 23:19:13 +02:00
Grzegorz Golawski
af48bc3e57
CodeQL query to detect JNDI injections
2020-04-17 21:45:42 +02:00