Harry Maclean
2b4217b8a4
Ruby: Update test fixture
2022-11-11 18:41:55 +13:00
Harry Maclean
62ea1f0a05
Ruby: Fix performance of string comparison guard
...
The `or` case ran extremely slowly before this change. Also exclude
string interpolations from consideration, for correctness, and add some
more tests.
2022-11-11 18:24:20 +13:00
Harry Maclean
e25e192ef3
Ruby: Change the CFG for while clauses
...
The `when` node now acts as a join point for patterns in the when
clause, with match/no-match completions. This is similar to how `or`
expressions work.
The result of this is that the `when` clause "controls" the body of the
`when`, which allows us to model barrier guards for multi-pattern when
clauses.
For this code
case x
when 1, 2
y
end
The old CFG was
x --> when --> 1 --no-match--> 2 ---no-match---> case
\ \ ^
\ \ |
\ --match----+ |
\ | |
\ | |
------match---------> y --+
The new CFG is
x --> 1 --no-match--> 2 --no-match--> [no-match] when --no-match--> case
\ \ ^
\ \ |
\ --match--> [match] when --match--> y -----+
\ /
\ /
-------match-----
i.e. all patterns flow to the `when` node, which is split based on
whether the pattern matched or not. The body of the when clause then has
a single predecessor `[match] when`, which acts as condition block that
controls `y`.
2022-11-11 11:52:27 +13:00
Tom Hvitved
bda4b52395
Merge pull request #11206 from hvitved/ruby/self-toplevel-def
...
Ruby: Fix SSA entry definitions for `self` in top-level
2022-11-10 17:01:59 +01:00
Nick Rolfe
5a15558355
Ruby: treat an Arel.sql call as a SqlConstruction
2022-11-10 14:11:14 +00:00
Tom Hvitved
e18442069b
Ruby: Fix SSA entry definitions for self in top-level
2022-11-10 15:08:17 +01:00
Erik Krogh Kristensen
5d2ab8adfb
Merge pull request #11191 from erik-krogh/arrJoin
...
RB: add join(" ") calls as a sink for rb/shell-command-constructed-from-input
2022-11-10 14:20:42 +01:00
Harry Maclean
a8b0d298ff
Ruby: More string comparison guards
...
Recognise if statements with conditionals made up or logical `and` or
`or` clauses as barrier guards.
2022-11-10 16:38:09 +13:00
erik-krogh
88de299e12
add join(" ") calls as a sink for rb/shell-command-constructed-from-input
2022-11-09 21:46:25 +01:00
Nick Rolfe
eb2a487433
Ruby: update expected test output
2022-11-09 17:38:33 +00:00
Nick Rolfe
0d9aa0cdac
Ruby: fix clashing method names from merge conflict
2022-11-09 17:06:43 +00:00
Nick Rolfe
c8c53cb424
Merge remote-tracking branch 'origin/main' into nickrolfe/active_support_flow_summaries
2022-11-09 17:02:05 +00:00
Nick Rolfe
db20e7d143
Ruby: add ActionCable channel RPC params as remote-flow sources
2022-11-09 14:16:04 +00:00
Asger F
859dc7beb7
Merge pull request #11024 from asgerf/rb/data-flow-layer-capture2
...
Ruby: expand DataFlow API
2022-11-09 15:06:03 +01:00
Nick Rolfe
97e939ae2b
Ruby: refine summaries for Hash#reverse_merge etc.
...
- revert the changes to the taint summaries specific to ActionController
params
- make the general flow summaries value-preserving and use
WithElement[any]
2022-11-09 11:56:07 +00:00
Harry Maclean
ad7b5ae7ed
Ruby: Add inline barrier guard test
2022-11-09 16:35:28 +13:00
Harry Maclean
f1b63c4df3
Ruby: Fix in clause barrier guard
2022-11-09 16:10:17 +13:00
Harry Maclean
0ab88c2e29
Ruby: Handle simple in clauses in barrier guard
2022-11-09 16:01:33 +13:00
Harry Maclean
87944a3a75
Ruby: Add test for another case guard variant
2022-11-09 15:05:03 +13:00
Harry Maclean
4bc9096446
Ruby: Add case string comparison barrier guard
...
This recognises barriers of the form
STRINGS = ["foo", "bar"]
case foo
when "some string literal"
foo
when *["other", "strings"]
foo
when *STRINGS
foo
end
where the reads of `foo` inside each `when` are guarded by the comparison
of `foo` with the string literals.
We don't yet recognise this construct:
case foo
when "foo", "bar"
foo
end
This is due to a limitation in the shared barrier guard logic.
2022-11-09 15:03:13 +13:00
Asger F
43769ad464
Ruby: update test output
2022-11-08 19:20:57 +01:00
Nick Rolfe
a9ff0bdbbf
Ruby: accept changed test output
2022-11-08 17:36:31 +00:00
Nick Rolfe
04575674db
Ruby: generalise summaries for ActiveSupport Hash extensions
2022-11-08 15:48:20 +00:00
Asger F
271de66f01
Ruby: rename getConst -> getConstant
2022-11-08 16:41:04 +01:00
Tom Hvitved
edde3defed
Merge pull request #11153 from hvitved/ruby/basic-block-at-conditions
...
Ruby: Split basic blocks around constant conditionals
2022-11-08 13:35:52 +01:00
Tom Hvitved
f0b9ca4bf9
Ruby: Add more guards tests
2022-11-08 11:09:54 +01:00
Asger F
a75c50620c
Ruby: update more SSA test output
2022-11-08 11:03:24 +01:00
Erik Krogh Kristensen
c82410fd16
Merge pull request #10680 from erik-krogh/unsafeRbCmd
...
RB: add an unsafe-shell-command-construction query
2022-11-08 09:22:33 +01:00
Tom Hvitved
7ba0682297
Ruby: Split basic blocks around constant conditionals
2022-11-08 09:07:23 +01:00
Tom Hvitved
c86f597153
Ruby: Add test for disjunctive guard
2022-11-08 09:01:22 +01:00
Harry Maclean
d392cdaab6
Merge pull request #11022 from hmac/try-code-injection
...
Ruby: try/try! as code execution
2022-11-08 09:42:52 +13:00
erik-krogh
860c3c443c
update expected output of the queries (some sorting changed due to locations being used slightly differently in the shared pack)
2022-11-07 14:34:20 +01:00
Asger F
edc5d8d644
Ruby: update test output
2022-11-07 14:17:50 +01:00
Asger F
a213e9e55d
Merge pull request #1 from hvitved/rb/data-flow-layer-capture2
...
Ruby: Make sure to always generate SSA definitions for namespace self-variables
2022-11-07 14:12:48 +01:00
Asger F
f991991474
Ruby: fix incomplete renaming of getCanonicalEnclosing/Nested module
2022-11-07 14:04:10 +01:00
Tom Hvitved
2737255705
Ruby: Make sure to always generate SSA definitions for namespace self-variables
2022-11-07 14:02:09 +01:00
Asger F
a39cefe40f
Ruby: fix broken test
2022-11-07 14:01:11 +01:00
Arthur Baars
98f4c29913
Ruby: weak crypto: do not report weak hash algorithms
...
Weak hash algorithms such as MD5 and SHA1 are often
used in non security sensitive contexts and reporting
all uses is far too noisy.
2022-11-04 15:58:50 +01:00
erik-krogh
f3741ff1e4
changes based on review
2022-11-03 09:41:05 +01:00
Dave Bartolomeo
499f20f6e8
Merge pull request #11004 from dbartol/dbartol/use-workspace-versions
2022-11-02 20:02:48 -04:00
Tom Hvitved
46631d6eaf
Merge pull request #10931 from hvitved/ruby/fix-flow-into-phis
...
Ruby: Fix flow steps into phi nodes
2022-11-02 21:07:06 +01:00
erik-krogh
6bc12e8f2b
Merge branch 'main' into formatTaint
2022-11-02 13:39:30 +01:00
Dave Bartolomeo
9d5e5e3ee7
${workspace} all the things
2022-11-01 13:29:05 -04:00
Tom Hvitved
ee9163aa40
Ruby: Fix flow steps into phi nodes
...
- Add missing flow from post-update nodes into phi nodes.
- Prevent flow from reads into phi nodes when use-use flow is prohibited.
2022-11-01 16:33:06 +01:00
Tom Hvitved
a191edfbd5
Ruby: Add data flow tests that illustrate problems with flow into SSA phi nodes
2022-11-01 16:32:46 +01:00
Tom Hvitved
e8f9429b92
Merge pull request #10917 from hvitved/ruby/singleton-call-sensitivity
...
Ruby: Call-context sensitivity for singleton method calls
2022-11-01 14:13:26 +01:00
Arthur Baars
aba87a139d
Merge pull request #10668 from aibaars/ruby-deps
...
Ruby: update dependencies
2022-11-01 13:55:42 +01:00
erik-krogh
84a7fddd95
remove explicit versions in lock files, as the dependencies are all installed locally
2022-11-01 09:09:26 +01:00
Asger F
056b1e8d63
Ruby: add some basic tests
2022-10-31 14:05:11 +01:00
Asger F
9be2512050
Ruby: rename one of the PostsController2 classes
...
These had the same name and ended up being unified
2022-10-31 13:33:41 +01:00
