hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,643 Commits 1,672 Branches 157 Tags
alexet/avoid-path-node-java
Commit Graph

1073 Commits

Author SHA1 Message Date
Alex Ford
4e0e4f9b5b Ruby: make ActiveRecordInstance public 2022-05-26 17:54:02 +01:00
Alex Ford
fd8f1dc88f Ruby: fix some misidentification of ActiveRecordModelInstantiations 2022-05-26 17:54:01 +01:00
Harry Maclean
c80a06a6d8 Ruby: Simplify posix-spawn modeling 2022-05-26 14:29:04 +01:00
Harry Maclean
ee827604f7 Ruby: Model the posix-spawn gem 
This gem exists primarily to provide methods that spawn subprocesses. We
model these as SystemCommandExecutions.
 2022-05-26 14:16:08 +01:00
Tom Hvitved
b3ce2d4a2b Ruby: Data flow for hash-splat expressions in hash literals 2022-05-25 19:55:28 +02:00
Arthur Baars
033df767ef Ruby: allow fields in flow summaries 2022-05-25 16:01:04 +02:00
Arthur Baars
b0a97f9b01 Ruby: flow through getters/setters 2022-05-25 16:01:04 +02:00
Tom Hvitved
ce4959287a Ruby: Flow through hash-splat expressions 2022-05-25 15:40:08 +02:00
Tom Hvitved
a7b39ebeca Ruby: Flow through hash-splat parameters 2022-05-25 12:37:22 +02:00
Rasmus Wriedt Larsen
ae65af2c07 Ruby: Fix Argument[any] in Hash.qll 
With this PR, `self` have to be explicitly added. A few edges were
removed, and I don't know why. It doesn't seem to affect results, so I
did not worry too much.
 2022-05-24 18:09:52 +02:00
Rasmus Wriedt Larsen
04ac466189 Merge branch 'main' into ruby-mad-argument-self 2022-05-24 18:04:02 +02:00
Tom Hvitved
faf24a4f18 Ruby: Data-flow through hashes 2022-05-24 14:27:55 +02:00
Harry Maclean
334c43a2b7 Ruby: Add tests for ActiveSupport modelling 2022-05-24 09:35:26 +01:00
Arthur Baars
cf2eb0d3a1 Merge branch 'main' into instance-variable-flow 2022-05-23 18:48:51 +02:00
Arthur Baars
7ed60b19a2 Ruby: improve test case 2022-05-23 11:59:12 +02:00
Arthur Baars
29ea1b2f24 Ruby: rename getSelfVariableAccess to getReceiver 2022-05-23 11:30:29 +02:00
Arthur Baars
68aeb2ba85 Update test output 2022-05-20 16:30:58 +02:00
Arthur Baars
d9c2b78aa2 Ruby: flow through instance variables 2022-05-20 16:30:58 +02:00
Rasmus Wriedt Larsen
5d6fbcec64 Ruby: Autoformat 2022-05-19 16:30:12 +02:00
Rasmus Wriedt Larsen
e810ba4ef6 Ruby: Expand flowToAnyArg test 2022-05-19 16:27:04 +02:00
Rasmus Wriedt Larsen
0879b6ae12 Ruby: Fix Argument[any,any-named] handling for path component in MaD 2022-05-19 15:51:30 +02:00
Rasmus Wriedt Larsen
7784b9f879 Ruby: WIP: Make Argument[any] and any-named work 
It's not fully working I think the problem is that the code below ties
up `Argument[x]` with parameter positions, and `Parameter[x]` with
argument positions. This flip might be correct for flow-summaries, but
it does NOT seem to be correct for the `path` component  in MaD.

Specifically, quick-eval for ParameterPosition does NOT include `keyword key` while
quick-eval for ArgumentPosition DOES include `keyword key`!

For the test `Foo.sinkAnyNamedArg(key: tainted) # $ MISSING: hasValueFlow=tainted`

c8be8d30b3/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsSpecific.qll (L130-L133)
 2022-05-19 15:51:25 +02:00
Rasmus Wriedt Larsen
df83a51e1e Ruby: Add anyNamedArg summary test 2022-05-19 15:42:41 +02:00
Rasmus Wriedt Larsen
cb6e5c24fc Ruby: Prepare for anyNamedArg summary test 2022-05-19 15:42:41 +02:00
Rasmus Wriedt Larsen
a7f627af0c Ruby: Add test for Argument[any] and any-named 2022-05-19 15:42:41 +02:00
Rasmus Wriedt Larsen
cb5ad8b775 Ruby: Don't include Argument[self] in Argument[any] 
For flow-sumamries
 2022-05-19 15:42:41 +02:00
Tom Hvitved
a18aef23f9 Data flow: Do not discard call context when computing reverse lambda flow through jumps 2022-05-19 15:19:41 +02:00
Tom Hvitved
ea703bc49a Ruby: Add test that illustrates false negative lambda flow 2022-05-19 15:19:34 +02:00
Rasmus Wriedt Larsen
051754cf7e Ruby: Add test of what Argument[any] for input/output includes 
and an explicit test of what `Argument[self]` includes.
 2022-05-19 14:02:22 +02:00
Alex Ford
c620fceb82 Ruby: remove unnecessary line from test 2022-05-17 14:57:11 +01:00
Alex Ford
6b496c78ef Ruby: failing crypto op test 2022-05-17 14:57:11 +01:00
Alex Ford
0cc0494586 codeql format 2022-05-16 15:54:31 +01:00
Tom Hvitved
a9f6d203cd Merge pull request #8971 from aibaars/safe-nagivation 
Ruby: add safe navigation operator
 2022-05-16 10:53:56 +02:00
Alex Ford
03e34e071a ruby: inline expectations tests for CryptographicOperation concept 2022-05-13 16:32:36 +01:00
Tom Hvitved
0a7892797e Merge pull request #8938 from hvitved/ruby/with-without-mad-tokens 
Ruby: Introduce `With(out)Element` MaD input tokens
 2022-05-12 11:49:51 +02:00
Harry Maclean
e8972b814f Merge pull request #8635 from hmac/hmac/io-popen 
Ruby: Model IO.popen
 2022-05-12 21:17:55 +12:00
Alex Ford
196c68b0bd Merge remote-tracking branch 'origin/main' into ruby/rbi-lib 2022-05-11 16:31:39 +01:00
Tom Hvitved
884d3b2ff4 Ruby: Introduce With(out)Element MaD input tokens 2022-05-11 15:17:27 +02:00
Arthur Baars
e1e13b599a Fix CFG 2022-05-11 12:09:17 +02:00
Arthur Baars
dbd9c1859d Add more test cases for &. operator 2022-05-11 12:06:08 +02:00
Arthur Baars
76f806159c Ruby: desugar safe navigation calls 2022-05-11 12:06:08 +02:00
Arthur Baars
c9f7568ca3 Ruby: add Call::isSafeNavigation 2022-05-11 12:06:08 +02:00
Arthur Baars
a47e429945 Merge pull request #8909 from aibaars/tree-sitter-update 
Tree sitter update
 2022-05-11 12:02:14 +02:00
Arthur Baars
907c3db5ca Address comments 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2022-05-11 09:59:42 +02:00
Harry Maclean
7b63493fa9 Ruby: Fix identification IO.open args 2022-05-10 17:32:00 +12:00
Harry Maclean
79c6dc1af0 Refactor IO/File modelling 
The main goal here is to get rid of the duplicate definitions of module
`IO`, which currently exist in both `frameworks/core/IO.qll` and
`frameworks/Files.qll`.

We do this by moving the classes inside `Files::IO` to `core/IO.qll`,
but moving most of the actual definitions of those classes to an
internal module `core.internal.FileOrIO`. This means both `Files.qll`
and `IO.qll` can depend on them without leaking them to end users.
 2022-05-10 17:32:00 +12:00
Harry Maclean
2d12ad6238 Ruby: Model IO.popen 
This method is very similar to `Kernel.system`: it executes its
arguments as a system command in various ways.
 2022-05-10 17:32:00 +12:00
Alex Ford
4844e4f454 ruby: replace the dataflow layer RBI library with the AST layer version 2022-05-05 18:40:12 +01:00
Alex Ford
bedb1d4584 ruby: Add AST layer version of the RBI library 2022-05-05 18:37:56 +01:00
Alex Ford
961f867bed Ruby: fix getAssociatedMethod predicate to include class methods 2022-05-05 18:09:42 +01:00