hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 01:05:15 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #315 from github/hmac-outgoing-http

Browse Source 
Model more HTTP clients
This commit is contained in:
Harry Maclean
2021-09-29 14:26:56 +01:00
committed by GitHub
parent 1d58f8cd50 a9c00a05fe
commit 0ea228e86f
34 changed files with 324 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

0
ql/test/library-tests/frameworks/Files.expected → ql/test/library-tests/frameworks/files/Files.expected
View File

0
ql/test/library-tests/frameworks/Files.ql → ql/test/library-tests/frameworks/files/Files.ql
View File

0
ql/test/library-tests/frameworks/Files.rb → ql/test/library-tests/frameworks/files/Files.rb
View File

2
ql/test/library-tests/frameworks/http_clients/Excon.ql
View File

@@ -1,4 +1,4 @@
import codeql.ruby.frameworks.http_clients.Excon
import codeql.ruby.DataFlow
query DataFlow::Node exconHTTPRequests(ExconHTTPRequest e) { result = e.getResponseBody() }
query DataFlow::Node exconHttpRequests(ExconHttpRequest e) { result = e.getResponseBody() }

2
ql/test/library-tests/frameworks/http_clients/Faraday.ql
View File

@@ -1,4 +1,4 @@
import codeql.ruby.frameworks.http_clients.Faraday
import codeql.ruby.DataFlow
query DataFlow::Node faradayHTTPRequests(FaradayHTTPRequest e) { result = e.getResponseBody() }
query DataFlow::Node faradayHttpRequests(FaradayHttpRequest e) { result = e.getResponseBody() }

9
ql/test/library-tests/frameworks/http_clients/HttpClient.expected Normal file
View File

@@ -0,0 +1,9 @@
| HttpClient.rb:3:9:3:45 | call to get | HttpClient.rb:4:1:4:10 | call to body |
| HttpClient.rb:6:9:6:65 | call to post | HttpClient.rb:7:1:7:13 | call to content |
| HttpClient.rb:9:9:9:64 | call to put | HttpClient.rb:10:1:10:15 | call to http_body |
| HttpClient.rb:12:9:12:48 | call to delete | HttpClient.rb:13:1:13:10 | call to dump |
| HttpClient.rb:15:9:15:46 | call to head | HttpClient.rb:16:1:16:10 | call to body |
| HttpClient.rb:18:9:18:49 | call to options | HttpClient.rb:19:1:19:13 | call to content |
| HttpClient.rb:21:9:21:47 | call to trace | HttpClient.rb:22:1:22:15 | call to http_body |
| HttpClient.rb:24:9:24:53 | call to get_content | HttpClient.rb:24:9:24:53 | call to get_content |
| HttpClient.rb:26:10:26:74 | call to post_content | HttpClient.rb:26:10:26:74 | call to post_content |

4
ql/test/library-tests/frameworks/http_clients/HttpClient.ql Normal file
View File

@@ -0,0 +1,4 @@
import codeql.ruby.frameworks.http_clients.HttpClient
import codeql.ruby.DataFlow
query DataFlow::Node httpClientRequests(HttpClientRequest e) { result = e.getResponseBody() }

26
ql/test/library-tests/frameworks/http_clients/HttpClient.rb Normal file
View File

@@ -0,0 +1,26 @@
require "httpclient"
resp1 = HTTPClient.get("http://example.com/")
resp1.body
resp2 = HTTPClient.post("http://example.com/", body: "some_data")
resp2.content
resp3 = HTTPClient.put("http://example.com/", body: "some_data")
resp3.http_body
resp5 = HTTPClient.delete("http://example.com/")
resp5.dump
resp6 = HTTPClient.head("http://example.com/")
resp6.body
resp7 = HTTPClient.options("http://example.com/")
resp7.content
resp8 = HTTPClient.trace("http://example.com/")
resp8.http_body
resp9 = HTTPClient.get_content("http://example.com/")
resp10 = HTTPClient.post_content("http://example.com/", body: "some_data")

7
ql/test/library-tests/frameworks/http_clients/Httparty.expected Normal file
View File

@@ -0,0 +1,7 @@
| Httparty.rb:5:1:5:35 | call to get | Httparty.rb:5:1:5:35 | call to get |
| Httparty.rb:7:1:7:55 | call to post | Httparty.rb:7:1:7:55 | call to post |
| Httparty.rb:9:1:9:54 | call to put | Httparty.rb:9:1:9:54 | call to put |
| Httparty.rb:11:1:11:56 | call to patch | Httparty.rb:11:1:11:56 | call to patch |
| Httparty.rb:15:9:15:46 | call to delete | Httparty.rb:16:1:16:10 | call to body |
| Httparty.rb:18:9:18:44 | call to head | Httparty.rb:19:1:19:10 | call to body |
| Httparty.rb:21:9:21:47 | call to options | Httparty.rb:22:1:22:10 | call to body |

4
ql/test/library-tests/frameworks/http_clients/Httparty.ql Normal file
View File

@@ -0,0 +1,4 @@
import codeql.ruby.frameworks.http_clients.Httparty
import codeql.ruby.DataFlow
query DataFlow::Node httpartyRequests(HttpartyRequest e) { result = e.getResponseBody() }

31
ql/test/library-tests/frameworks/http_clients/Httparty.rb Normal file
View File

@@ -0,0 +1,31 @@
require "httparty"
# If the response body is not nil or an empty string, it will be parsed and returned directly.
HTTParty.get("http://example.com/")
HTTParty.post("http://example.com/", body: "some_data")
HTTParty.put("http://example.com/", body: "some_data")
HTTParty.patch("http://example.com/", body: "some_data")
# Otherwise, `HTTParty::Response` will be returned, which has a `#body` method.
resp5 = HTTParty.delete("http://example.com/")
resp5.body
resp6 = HTTParty.head("http://example.com/")
resp6.body
resp7 = HTTParty.options("http://example.com/")
resp7.body
# HTTParty methods can also be included in other classes.
# This is not yet modelled.
class MyClient
inlcude HTTParty
end
MyClient.get("http://example.com")

8
ql/test/library-tests/frameworks/http_clients/NetHTTP.expected
View File

@@ -1,8 +0,0 @@
| NetHTTP.rb:4:1:4:18 | call to get | NetHTTP.rb:4:1:4:18 | call to get |
| NetHTTP.rb:6:8:6:50 | call to post | NetHTTP.rb:7:1:7:9 | call to body |
| NetHTTP.rb:6:8:6:50 | call to post | NetHTTP.rb:8:1:8:14 | call to read_body |
| NetHTTP.rb:6:8:6:50 | call to post | NetHTTP.rb:9:1:9:11 | call to entity |
| NetHTTP.rb:13:6:13:17 | call to get | NetHTTP.rb:18:1:18:7 | call to body |
| NetHTTP.rb:14:6:14:18 | call to post | NetHTTP.rb:19:1:19:12 | call to read_body |
| NetHTTP.rb:15:6:15:17 | call to put | NetHTTP.rb:20:1:20:9 | call to entity |
| NetHTTP.rb:24:3:24:33 | call to get | NetHTTP.rb:27:1:27:28 | call to body |

4
ql/test/library-tests/frameworks/http_clients/NetHTTP.ql
View File

@@ -1,4 +0,0 @@
import codeql.ruby.frameworks.http_clients.NetHTTP
import codeql.ruby.DataFlow
query DataFlow::Node netHTTPRequests(NetHTTPRequest e) { result = e.getResponseBody() }

8
ql/test/library-tests/frameworks/http_clients/NetHttp.expected Normal file
View File

@@ -0,0 +1,8 @@
| NetHttp.rb:4:1:4:18 | call to get | NetHttp.rb:4:1:4:18 | call to get |
| NetHttp.rb:6:8:6:50 | call to post | NetHttp.rb:7:1:7:9 | call to body |
| NetHttp.rb:6:8:6:50 | call to post | NetHttp.rb:8:1:8:14 | call to read_body |
| NetHttp.rb:6:8:6:50 | call to post | NetHttp.rb:9:1:9:11 | call to entity |
| NetHttp.rb:13:6:13:17 | call to get | NetHttp.rb:18:1:18:7 | call to body |
| NetHttp.rb:14:6:14:18 | call to post | NetHttp.rb:19:1:19:12 | call to read_body |
| NetHttp.rb:15:6:15:17 | call to put | NetHttp.rb:20:1:20:9 | call to entity |
| NetHttp.rb:24:3:24:33 | call to get | NetHttp.rb:27:1:27:28 | call to body |

4
ql/test/library-tests/frameworks/http_clients/NetHttp.ql Normal file
View File

@@ -0,0 +1,4 @@
import codeql.ruby.frameworks.http_clients.NetHttp
import codeql.ruby.DataFlow
query DataFlow::Node netHttpRequests(NetHttpRequest e) { result = e.getResponseBody() }

0
ql/test/library-tests/frameworks/http_clients/NetHTTP.rb → ql/test/library-tests/frameworks/http_clients/NetHttp.rb
View File

4
ql/test/library-tests/frameworks/http_clients/OpenURI.expected Normal file
View File

@@ -0,0 +1,4 @@
| OpenURI.rb:3:9:3:41 | call to open | OpenURI.rb:4:1:4:10 | call to read |
| OpenURI.rb:6:9:6:34 | call to open | OpenURI.rb:7:1:7:15 | call to readlines |
| OpenURI.rb:9:9:9:38 | call to open | OpenURI.rb:10:1:10:10 | call to read |
| OpenURI.rb:12:9:12:45 | call to open | OpenURI.rb:13:1:13:10 | call to read |

4
ql/test/library-tests/frameworks/http_clients/OpenURI.ql Normal file
View File

@@ -0,0 +1,4 @@
import codeql.ruby.frameworks.http_clients.OpenURI
import codeql.ruby.DataFlow
query DataFlow::Node openURIRequests(OpenURIRequest e) { result = e.getResponseBody() }

13
ql/test/library-tests/frameworks/http_clients/OpenURI.rb Normal file
View File

@@ -0,0 +1,13 @@
require "open-uri"
resp1 = Kernel.open("http://example.com")
resp1.read
resp2 = open("http://example.com")
resp2.readlines
resp3 = URI.open("http://example.com")
resp3.read
resp4 = URI.parse("https://example.com").open
resp4.read

2
ql/test/library-tests/frameworks/http_clients/RestClient.ql
View File

@@ -1,6 +1,6 @@
import codeql.ruby.frameworks.http_clients.RestClient
import codeql.ruby.DataFlow
query DataFlow::Node restClientHTTPRequests(RestClientHTTPRequest e) {
query DataFlow::Node restClientHttpRequests(RestClientHttpRequest e) {
result = e.getResponseBody()
}

7
ql/test/library-tests/frameworks/http_clients/Typhoeus.expected Normal file
View File

@@ -0,0 +1,7 @@
| Typhoeus.rb:3:9:3:43 | call to get | Typhoeus.rb:4:1:4:10 | call to body |
| Typhoeus.rb:6:9:6:63 | call to post | Typhoeus.rb:7:1:7:10 | call to body |
| Typhoeus.rb:9:9:9:62 | call to put | Typhoeus.rb:10:1:10:10 | call to body |
| Typhoeus.rb:12:9:12:64 | call to patch | Typhoeus.rb:13:1:13:10 | call to body |
| Typhoeus.rb:15:9:15:46 | call to delete | Typhoeus.rb:16:1:16:10 | call to body |
| Typhoeus.rb:18:9:18:44 | call to head | Typhoeus.rb:19:1:19:10 | call to body |
| Typhoeus.rb:21:9:21:47 | call to options | Typhoeus.rb:22:1:22:10 | call to body |

4
ql/test/library-tests/frameworks/http_clients/Typhoeus.ql Normal file
View File

@@ -0,0 +1,4 @@
import codeql.ruby.frameworks.http_clients.Typhoeus
import codeql.ruby.DataFlow
query DataFlow::Node typhoeusHttpRequests(TyphoeusHttpRequest e) { result = e.getResponseBody() }

22
ql/test/library-tests/frameworks/http_clients/Typhoeus.rb Normal file
View File

@@ -0,0 +1,22 @@
require "typhoeus"
resp1 = Typhoeus.get("http://example.com/")
resp1.body
resp2 = Typhoeus.post("http://example.com/", body: "some_data")
resp2.body
resp3 = Typhoeus.put("http://example.com/", body: "some_data")
resp3.body
resp4 = Typhoeus.patch("http://example.com/", body: "some_data")
resp4.body
resp5 = Typhoeus.delete("http://example.com/")
resp5.body
resp6 = Typhoeus.head("http://example.com/")
resp6.body
resp7 = Typhoeus.options("http://example.com/")
resp7.body