codeql

mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00

Author	SHA1	Message	Date
Tom Hvitved	0e6735b804	Merge pull request #10691 from hvitved/dataflow/conjunctive-clears Data flow: Take conjunctive `With(out)Contents` into account in `prohibitsUseUseFlow`	2022-10-06 09:03:30 +02:00
Asger F	387e57546b	Merge pull request #10650 from asgerf/rb/summarize-more Ruby: more type-tracking steps	2022-10-05 19:16:56 +02:00
Alex Ford	fa58c51810	Ruby: switch rb/sensitive-get-query back to using local flow	2022-10-05 15:58:05 +01:00
Tom Hvitved	0beea9fd1a	Fix typos	2022-10-05 15:54:52 +02:00
Asger F	c9c36985b2	Ruby: address review comments	2022-10-05 14:59:37 +02:00
Alex Ford	71670a4f75	Ruby: add RequestInputAccess#getKind predicate	2022-10-05 13:38:31 +01:00
Alex Ford	dea53d86c9	Ruby: remove some redundant imports of DataFlow	2022-10-05 13:22:19 +01:00
Alex Ford	d64f8c73be	Merge branch 'main' into rb/sensitive-get-query	2022-10-05 12:59:35 +01:00
Alex Ford	084efe062a	Ruby: limit rb/sensitive-get-query to data from query params	2022-10-05 12:57:57 +01:00
Arthur Baars	6509c19aad	Merge pull request #10692 from aibaars/fix-splats Ruby: fix CFG and toString for anonymous '' and '*'	2022-10-05 13:25:29 +02:00
Alex Ford	880fb2b14a	Ruby: split out rb/sensitive-get-query using query/customizations pattern	2022-10-05 11:59:40 +01:00
Tom Hvitved	3f0f16afc4	Ruby: Update flow summary for `Hash#except`	2022-10-05 12:58:29 +02:00
Tom Hvitved	e51c20bfc7	Data flow: Take conjunctive `With(out)Contents` into account in `prohibitsUseUseFlow`	2022-10-05 12:58:29 +02:00
Arthur Baars	a080f498be	Ruby: fix CFG and toString for anonymous '' and '*'	2022-10-05 11:50:37 +02:00
Asger F	f664a77a02	Ruby: ensure Hash flow works again	2022-10-05 11:07:55 +02:00
Nick Rolfe	525fe12671	Merge pull request #10585 from github/nickrolfe/libxml-xxe Ruby: detect uses of LibXML with entity substitution enabled by default	2022-10-05 09:51:39 +01:00
Asger F	7cf969f9c8	Ruby: remove mention of PairValueContent	2022-10-05 10:32:09 +02:00
Asger F	6f74a52542	Merge branch 'main' into rb/summarize-more	2022-10-05 09:55:23 +02:00
Asger F	8b7ec20573	Merge branch 'main' into rb/summarize-more	2022-10-05 09:43:52 +02:00
Tom Hvitved	1496c4f0e2	Merge pull request #10686 from hvitved/ruby/remove-value-pair-content Ruby: Remove `PairValueContent`	2022-10-05 09:41:14 +02:00
Asger F	93e8434e08	Ruby: fix content restriction in type trackers	2022-10-05 09:36:42 +02:00
Asger F	f5f351e26c	Ruby: make flowsToLoadStoreStep private	2022-10-05 09:35:11 +02:00
Asger F	a9a99c5b18	Ruby: nomagic on unary hasAdjacentTypeCheckedReads	2022-10-05 09:34:36 +02:00
Asger F	4c19d2d71e	Ruby: make getAStaticHashCall private again	2022-10-05 09:32:56 +02:00
Arthur Baars	c1c16e44ee	Merge pull request #10559 from aibaars/cve-2019-3881 Ruby: some improvements	2022-10-04 21:24:14 +02:00
Tom Hvitved	aae9a58ca3	Ruby: Remove `ValuePairContent`	2022-10-04 20:10:51 +02:00
Nick Rolfe	2e80926951	Ruby: fix a couple of references to deprecated names	2022-10-04 16:45:08 +01:00
Nick Rolfe	445241fd95	Ruby: add missing qldoc comment	2022-10-04 16:31:54 +01:00
Nick Rolfe	2315a177fe	Ruby: add changenote for ActionView/Controller class renames	2022-10-04 16:22:11 +01:00
Nick Rolfe	227100d883	Ruby: make old class names available as deprecated aliases	2022-10-04 16:11:43 +01:00
Arthur Baars	88b5d4da16	Ruby: `extend` may have multiple arguments	2022-10-04 12:58:50 +02:00
Arthur Baars	ab3a62de3c	Update ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll	2022-10-04 12:58:50 +02:00
Tom Hvitved	6e61ef10b8	Ruby: Add another dataflow copy	2022-10-04 12:58:50 +02:00
Tom Hvitved	9d7d6c29f9	Review comments	2022-10-04 12:58:50 +02:00
Arthur Baars	44cc6f7350	Ruby: improve tracking of regular expressions There are two flavours of `match?`. If the receiver of `match?` has type String then the argument to `match?` is a regular expression. However, if the receiver of `match?` has type Regexp then the argument is the text. The role of receiver and argument flips depending on the type of the receiver, this caused a lot of false positives when looking for string-like literals that are used as a regular expression. This commit attempts to improve things by trying to determine whether the type of the receiver is known to be of type Regexp. In such cases we know that the argument is unlikely to be regular expression.	2022-10-04 12:58:49 +02:00
Arthur Baars	0160c374e4	Ruby: add flow summaries for Object#dup and Kernel#tap	2022-10-04 12:58:49 +02:00
Arthur Baars	5d55daa491	Ruby: use resolveConstantReadAccess instead of trackModuleAccess for 'extend' calls This avoids non-linear recursion at the cost of losing some results.	2022-10-04 12:58:49 +02:00
Arthur Baars	c2b98a4761	Ruby: add support for 'extend' method	2022-10-04 12:58:49 +02:00
Arthur Baars	09bc78eafc	Ruby: local dataflow step for \|\| and &&	2022-10-04 12:58:49 +02:00
Arthur Baars	e95b5468d9	Ruby: use Dataflow for Pathname instead of TypeTracking	2022-10-04 12:58:49 +02:00
Arthur Baars	f9b952f04f	Ruby: Pathname use TypeTracker instead of local flow	2022-10-04 12:58:49 +02:00
Nick Rolfe	dd1b302fce	Ruby: revert making inActionViewContext private	2022-10-04 11:29:09 +01:00
Nick Rolfe	a738f1d5cf	Ruby: remove public abstract classes for Action{View,Controller}	2022-10-04 10:53:41 +01:00
Asger F	b6231e82ec	Ruby: do not treat WithoutElement[0..!] as a type filter	2022-10-04 11:14:31 +02:00
Asger F	3ccc3a2058	Ruby: move special treatment of Hash.[] into Hash.qll	2022-10-04 11:14:31 +02:00
Asger F	94d41b9fa4	Ruby: add hook for adding type-tracking steps fixup docs fixup docs fixup TypeTrackingStep	2022-10-04 11:14:31 +02:00
Asger F	96711b2810	Ruby: improve join order in trackInstanceRec	2022-10-04 11:14:31 +02:00
Asger F	c220f4e103	Ruby: prune unusable summaries earlier Ruby: prune more aggressively	2022-10-04 11:14:30 +02:00
Asger F	ff4ce4a151	Ruby: use Element[n..] tokens in inject and reduce	2022-10-04 11:14:30 +02:00
Asger F	fd9c1e4507	Ruby: filter out obvious module 'prepend' calls	2022-10-04 11:14:30 +02:00

... 37 38 39 40 41 ...

3455 Commits