hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,643 Commits 1,671 Branches 157 Tags
alexet/avoid-path-node-java
Commit Graph

1073 Commits

Author SHA1 Message Date
Harry Maclean
384e7c7a80 Jump step for sinatra callbacks 2023-03-13 19:03:32 +13:00
Harry Maclean
e65d7224db Ruby: tests, patterns, fix erb flow 2023-03-13 19:03:32 +13:00
erik-krogh
b0797a2559 Merge branch 'main' into more-shell-taint 2023-02-27 18:27:09 +01:00
Harry Maclean
ba4d0a81d5 Ruby: Simplify filter dataflow 
This introduces some false flow (the `ThreeController` and
`FourController` examples in `filter_flow.rb`) but is simpler and
in line with how we model flow for normal method calls.
 2023-02-21 19:28:53 +13:00
Harry Maclean
0a02b45ad7 Ruby: More filter flow steps 
Add a jump step from the last self post-update node in a method to the self parameter of the
next method.
 2023-02-21 19:28:26 +13:00
Harry Maclean
fae5320c3a Ruby: Add filter flow tests 2023-02-21 19:27:53 +13:00
Harry Maclean
ae3d91b546 Ruby: First draft of rails callback flow 2023-02-21 19:26:36 +13:00
Alex Ford
774030a8db Merge pull request #12083 from pwntester/ruby_twirp_support 
[Ruby] Add support for Twirp framework
 2023-02-20 13:16:52 +00:00
Tom Hvitved
658cc33bb8 Merge pull request #12212 from hvitved/util/inline-expect-test-use-end-line 
Util: Use end line instead of start line for actual results
 2023-02-20 11:41:02 +01:00
Harry Maclean
4e07fd3eb1 Ruby: Model ApplicationController.renderer 2023-02-19 13:37:27 +13:00
Tom Hvitved
e9bce9f8cd Ruby: Update test expectations 2023-02-17 13:22:28 +01:00
Alex Ford
74782bf6a2 Merge branch 'main' into ruby_twirp_support 2023-02-15 17:15:08 +00:00
Alex Ford
801ed1ce7c Ruby: add Twirp.expected 2023-02-15 17:05:33 +00:00
Rasmus Wriedt Larsen
c72dbc49fc Merge pull request #12165 from RasmusWL/crypto-updates 
Python/Ruby/JS Crypto: Add a few algorithms + block modes
 2023-02-15 14:35:40 +01:00
erik-krogh
17f7ba2a8f rewrite the taint-step for join() to a flowsummary 2023-02-15 12:34:59 +01:00
Harry Maclean
fb14920281 Merge pull request #12056 from hmac/test-refactor 2023-02-15 17:34:25 +13:00
Alvaro Muñoz
4644a88b89 address code review comments 2023-02-14 14:27:17 +01:00
Rasmus Wriedt Larsen
39e50f745d Ruby: Fix .expected for CryptoAlgorithms 2023-02-13 14:21:12 +01:00
Anders Schack-Mulligen
e877b161d8 Merge pull request #12124 from hvitved/dataflow/stage1-dispatch 
Data flow: Call context virtual dispatch pruning in stage 1
 2023-02-13 13:13:43 +01:00
Tom Hvitved
0b8173e2e7 Ruby: Add another data flow test 2023-02-13 09:50:50 +01:00
Harry Maclean
43ce26e4d0 Ruby: re-add Eval.rb 2023-02-07 09:37:26 +13:00
Arthur Baars
f391948b53 Ruby: update expected output 2023-02-06 10:17:19 +01:00
Arthur Baars
3c15fd266d Ruby: add one-line pattern match test 2023-02-06 10:17:19 +01:00
Harry Maclean
02b09ca9f7 Ruby: Remove unused test files 2023-02-04 14:42:59 +13:00
Harry Maclean
cfb3bc9dce Ruby: Remove unused test file 2023-02-04 14:30:56 +13:00
Harry Maclean
0711326619 Ruby: Move PosixSpawn tests to their own directory 2023-02-04 14:30:23 +13:00
Harry Maclean
dbbef0534b Ruby: Move Core tests into core directory 2023-02-04 14:28:25 +13:00
Harry Maclean
b5d98d9011 Ruby: Move GraphQL test to their own directory 2023-02-04 14:25:38 +13:00
Harry Maclean
6c816d5602 Ruby: Move ActionDispatch tests to own directory 2023-02-04 14:19:08 +13:00
Harry Maclean
58d7af4018 Ruby: Move ActionView tests into their own dir 
This ensures that changes to unrelated test files don't affect these
tests.
 2023-02-04 14:19:08 +13:00
Alvaro Muñoz
dd31be43e0 Support for Twirp framework 2023-02-03 09:35:22 +01:00
Harry Maclean
da45d3aa7f Ruby: Fix string comparison barrier guard 
`strNode` was not properly restricted for some cases.
 2023-02-01 14:40:53 +13:00
Harry Maclean
c99a096c9b Ruby: Update test fixtures 2023-01-31 11:27:19 +13:00
Harry Maclean
708e303c01 Ruby: Model except: with a const argument 2023-01-30 21:17:31 +13:00
Harry Maclean
246ad46eb1 Ruby: Account for filter skip ordering 
A `skip_*_filter :foo` call only has an effect if there was an earlier
call that registered `:foo` as a filter.
 2023-01-30 18:50:30 +13:00
Harry Maclean
a164e76a5d Ruby: Model actioncontroller filter overrides 
If a filter is registered twice with the same name, the last
registration wins.
 2023-01-30 18:05:22 +13:00
Harry Maclean
fb86ef4aac Ruby: Model ActionController filters 
ActionController filters provide a way to register callbacks that run
before, after or around an action (i.e. HTTP request handler). They run
in the same class context as the action, so can get/set instance
variables and generally interact with the action in arbitrary ways.

In order to track flow between filters and actions, we have to model the
callback chain. This commit does that. A later change will add dataflow
steps to actually track flow through the chain.
 2023-01-30 17:41:36 +13:00
Harry Maclean
07a7a213b3 Merge pull request #11871 from hmac/rack 2023-01-26 08:40:30 +13:00
Harry Maclean
e6e4e29bf8 Ruby: newline 2023-01-23 21:53:52 +00:00
Harry Maclean
c1207e0938 Ruby: Fix rack response tracking 
Use type tracking instead of getReturningNode, which seems to be faster
and works correctly for the cases I've tried.
 2023-01-23 21:43:04 +00:00
Arthur Baars
46063c7d04 Ruby: update expected output 2023-01-13 10:22:41 +01:00
Arthur Baars
c4ec674057 Ruby: support anonymous (hash)splat parameters/arguments 2023-01-13 10:22:41 +01:00
Harry Maclean
0626d693f5 Ruby: Recognise rack applications 
This is a basic first step in modelling rack apps. We recognise classes
that look like rack applications and then treat the argument to `call`
in the same way that we treat `request.env` in ActionController classes.

This finds a TP in CVE-2021-43840.
 2023-01-12 11:28:31 +13:00
Tony Torralba
c9d1cd97fb Ruby: Remove omittable exists variables 2023-01-10 13:39:49 +01:00
Erik Krogh Kristensen
5157d4df7b Merge pull request #11581 from erik-krogh/stdin 
Rb: add stdin as source for unsafe-deserialization
 2023-01-09 13:57:47 +01:00
erik-krogh
1a27441cfb drive-by: delete code-execution sinks from unsafe-deserialization, we risked duplicate alerts 2023-01-06 09:04:36 +01:00
Harry Maclean
4d228bcddf Ruby: Recognise more string-valued variables 
This increases the sensitivity of our barrier guards.
 2023-01-04 11:45:10 +13:00
Harry Maclean
9944252c43 Ruby: Add test for barrier guards 
This demonstrates that we are missing a guard when a case branch
compares against a string-valued variable rather than a string literal.
 2023-01-04 11:45:10 +13:00
Harry Maclean
698a679c78 Ruby: add test 2023-01-04 11:45:10 +13:00
Harry Maclean
0fbb6bf608 Ruby: Make array inclusion barrier more sensitive 2023-01-04 11:45:09 +13:00