Merge branch 'main' into rbPoly

2026-05-02 20:25:13 +02:00 · 2023-02-13 10:46:00 +01:00
parent 80d05c0425 f07c598a22
commit 634087b417
871 changed files with 114763 additions and 10869 deletions
--- a/ruby/ql/src/CHANGELOG.md
+++ b/ruby/ql/src/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.5.2
+
+### New Queries
+
+* Added a new query, `rb/html-constructed-from-input`, to detect libraries that unsafely construct HTML from their inputs.
+
 ## 0.5.1

 ### New Queries
--- a/ruby/ql/src/change-notes/2022-11-28-unsafe-html-construction.md
+++ b/ruby/ql/src/change-notes/2022-11-28-unsafe-html-construction.md
@@ -1,4 +1,5 @@
---
-category: newQuery
---
+## 0.5.2
+
+### New Queries
+
 * Added a new query, `rb/html-constructed-from-input`, to detect libraries that unsafely construct HTML from their inputs.
--- a/ruby/ql/src/codeql-pack.release.yml
+++ b/ruby/ql/src/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.1
+lastReleaseVersion: 0.5.2
--- a/ruby/ql/src/qlpack.yml
+++ b/ruby/ql/src/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-queries
-version: 0.5.2-dev
+version: 0.5.3-dev
 groups: 
  - ruby
  - queries
--- a/ruby/ql/src/queries/security/cwe-1333/ReDoSIntroduction.inc.qhelp
+++ b/ruby/ql/src/queries/security/cwe-1333/ReDoSIntroduction.inc.qhelp
@@ -19,6 +19,12 @@
      shape, increasing the input length by ten characters may make the
      automaton about 1000 times slower.
    </p>
+    <p>
+      Note that Ruby 3.2 and later have implemented a caching mechanism that
+      completely eliminates the worst-case time complexity for the regular
+      expressions flagged by this query. The regular expressions flagged by this
+      query are therefore only problematic for Ruby versions prior to 3.2.
+    </p>
    <p>
      Typically, a regular expression is affected by this problem if it contains
      a repetition of the form <code>r*</code> or <code>r+</code> where the