hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
alexet/avoid-path-node-java
codeql/java/ql/lib/change-notes/released/0.6.3.md
Jeroen Ketema bff11c3d23 Apply suggestions from code review
2023-06-08 22:33:50 +02:00

2.7 KiB
Raw Permalink Blame History

0.6.3

New Features

  • Kotlin versions up to 1.9.0 are now supported.

Minor Analysis Improvements

  • Added flow through the block arguments of kotlin.io.use and kotlin.with.

  • Added models for the following packages:

    • com.alibaba.druid.sql
    • com.fasterxml.jackson.databind
    • com.jcraft.jsch
    • io.netty.handler.ssl
    • okhttp3
    • org.antlr.runtime
    • org.fusesource.leveldbjni
    • org.influxdb
    • org.springframework.core.io
    • org.yaml.snakeyaml

  • Deleted the deprecated getRHS predicate from the LValue class, use getRhs instead.

  • Deleted the deprecated getCFGNode predicate from the SsaVariable class, use getCfgNode instead.

  • Deleted many deprecated predicates and classes with uppercase XML, JSON, URL, API, etc. in their names. Use the PascalCased versions instead.

  • Added models for the following packages:

    • java.lang
    • java.nio.file

  • Added dataflow models for the Gson deserialization library.

  • Added models for the following packages:

    • okhttp3

  • Added more dataflow models for the Play Framework.

  • Modified the models related to java.nio.file.Files.copy so that generic [Input|Output]Stream arguments are not considered file-related sinks.

  • Dataflow analysis has a new flow step through constructors of transitive subtypes of java.io.InputStream that wrap an underlying data source. Previously, the step only existed for direct subtypes of java.io.InputStream.

  • Path creation sinks modeled in PathCreation.qll have been added to the models-as-data sink kind path-injection.

  • Updated the regular expression in the HostnameSanitizer sanitizer in the semmle.code.java.security.RequestForgery library to better detect strings prefixed with a hostname.

  • Changed the android-widget Java source kind to remote. Any custom data extensions that use the android-widget source kind will need to be updated accordingly in order to continue working.

  • Updated the following Java sink kind names. Any custom data extensions will need to be updated accordingly in order to continue working.

    • sql to sql-injection
    • url-redirect to url-redirection
    • xpath to xpath-injection
    • ssti to template-injection
    • logging to log-injection
    • groovy to groovy-injection
    • jexl to jexl-injection
    • mvel to mvel-injection
    • xslt to xslt-injection
    • ldap to ldap-injection
    • pending-intent-sent to pending-intents
    • intent-start to intent-redirection
    • set-hostname-verifier to hostname-verification
    • header-splitting to response-splitting
    • xss to html-injection and js-injection
    • write-file to file-system-store
    • create-file and read-file to path-injection
    • open-url and jdbc-url to request-forgery