hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,643 Commits 1,672 Branches 157 Tags
alexet/avoid-path-node-java
Commit Graph

21 Commits

Author SHA1 Message Date
Joe Farebrother
0b7b7ea1b8 Add test cases and improve controller model 2024-03-01 09:57:24 +00:00
Harry Maclean
5af58d24e0 Ruby: Recognise raw Erb output as XSS sink 2024-02-12 13:28:44 +00:00
Asger F
86b5f0adc7 Revert "Merge pull request #13620 from github/revert-13496-rb/tracking-on-demand" 
This reverts commit 133de56ac2, reversing
changes made to 28a8e48351.
 2023-07-07 09:42:34 +02:00
Asger F
5d1a437e9c Revert "Ruby: overhaul API graphs" 2023-06-29 15:39:19 +02:00
Asger F
ce0073b30c Ruby: update StoredXSS test results 
These results were previously flagged for the wrong reason.

Calls to a user-define method were seen as ORM calls. The real source is inside the user-defined method, but we miss that due to lack of 'self' handling in ORM tracking.
 2023-06-19 12:15:57 +02:00
Alex Ford
8fec4b804f Ruby: StoredXSS test whitespace change 2023-01-20 13:40:19 +00:00
Alex Ford
fd8dd5e103 Ruby: update StoredXSS test output 2023-01-20 13:40:19 +00:00
Alex Ford
bea110b598 Ruby: remove blank line in test file 2023-01-20 13:40:19 +00:00
Alex Ford
b78ae1608e Ruby: remove a fixed TODO 2023-01-20 13:40:19 +00:00
erik-krogh
c13e8e4f48 Merge branch 'main' into formatTaint 2022-10-20 10:46:16 +02:00
erik-krogh
8a3e255e12 remove FPs in rb/stored-xss from spurious sources 2022-10-18 11:07:48 +02:00
erik-krogh
5a98f66bef simplify the modeling of html_safe. Any call to html_safe is now considered an XSS sink 2022-10-18 10:43:22 +02:00
erik-krogh
d4919d04ba add a taint-step for format-calls 2022-10-17 13:16:38 +02:00
Harry Maclean
0e6322d673 Ruby: Restrict XSS header sinks 
Not all header writes are relevant to XSS. Restrict these to just
content-type and access-control-allow-origin.
 2022-10-17 09:34:44 +13:00
Harry Maclean
8ae86cf443 Ruby: Consider header writes as XSS sinks 2022-10-17 08:17:37 +13:00
Harry Maclean
4686718630 Ruby: Add kind to Http::Server::RequestInputAccess 
Like in JS, this describes whether the input came from the request URL,
body, parameters, headers or cookie. Only some of these are relevant for
UrlRedirect and ReflectedXSS queries.
 2022-10-13 13:24:16 +13:00
Arthur Baars
09bc78eafc Ruby: local dataflow step for || and && 2022-10-04 12:58:49 +02:00
Harry Maclean
9f99a3ca1f Ruby: Model sanitize ActionView helper 2022-09-26 20:56:11 +13:00
Harry Maclean
1d693d336f Ruby: Model javascript_include_tag and friends 2022-09-26 20:56:09 +13:00
Harry Maclean
ed0c85e3af Ruby: Model ActionView helper XSS sinks 2022-09-26 20:55:04 +13:00
Arthur Baars
976daddd36 Move files to ruby subfolder 2021-10-15 11:47:28 +02:00