Asger F
a48b893ed6
Merge pull request #10588 from asgerf/rb/rbi-instantiated-type
Ruby: add RbiInstantiatedType
2022-09-28 11:51:20 +02:00
Asger F
fea47c85f3
Ruby: expand on type-tracking test a bit
2022-09-28 11:40:55 +02:00
Asger F
971657245d
Ruby: update API graph inline test to match output
2022-09-28 11:17:13 +02:00
Asger F
ce1c258273
Ruby: Update TypeTracker.expected
2022-09-28 11:15:25 +02:00
Asger F
ee7dea1ab6
Merge branch 'main' into rb/summarize-loads-v2
This only fixes superficial conflicts with
https://github.com/github/codeql/pull/10574
semantic conflicts will be addressed in later commits
2022-09-28 11:11:44 +02:00
Asger F
14e384aaa2
Ruby: remove unneeded import
2022-09-28 10:49:34 +02:00
Asger F
85d0c63ec7
Ruby: store a ContentSet on type tracker instances
2022-09-28 10:49:34 +02:00
Asger F
a5ed3d791b
Ruby: expand test case to reveal mismatching forward/backward flow
2022-09-28 10:49:34 +02:00
Asger F
a51a540582
Ruby: add content edges to API graph
Fixes
2022-09-28 10:49:33 +02:00
Asger F
cd9cddf45a
Ruby: generate type-tracking steps from simple summary specs
2022-09-28 10:49:33 +02:00
Harry Maclean
24a10aa5ff
Recognise send_file as a FileSystemAccess
This method is available in ActionController actions, and sends the file
at the given path to the client.
2022-09-28 12:14:22 +13:00
Tom Hvitved
31806b84ba
Ruby: Add more flow summaries tests
The tests highlight the differences between `(With|Without)?Element[1]` and
`(With|Without)?Element[1!]`.
2022-09-27 20:16:31 +02:00
Tom Hvitved
2351c0288a
Ruby: Fix spurious flow through reverse stores
2022-09-27 20:16:31 +02:00
Harry Maclean
28a23209a5
Ruby: Identify ActionController::Metal controllers
Subclasses of `ActionController::Metal` are stripped-down controllers.
We want to recognise them as ActionController controllers.
There are some common ActionController methods that are not available in
Metal, but these are not likely to be used anyway as they would throw an
exception, so I don't think there's much harm in including them in the
modelling.
2022-09-28 07:10:09 +13:00
Tom Hvitved
fea1e47daa
Ruby: Add data-flow test for spurious flow through a reverse store
2022-09-27 20:05:35 +02:00
Asger F
52b6dd5bec
Ruby: update test expectation
2022-09-27 14:41:59 +02:00
Nick Rolfe
bfda08e69c
Ruby: detect uses of libxml with entity substitution enabled by default
Including uses of ActiveSupport::XmlMini with the libxml backend
2022-09-27 11:53:43 +01:00
Nick Rolfe
7c30d333ad
Ruby: move XXE tests to subdirectory
2022-09-27 11:53:43 +01:00
Harry Maclean
49572a5218
Remove redundant import
2022-09-27 10:35:39 +13:00
Harry Maclean
5cdaae7378
Update tests
2022-09-27 10:29:04 +13:00
Harry Maclean
4df7fd248e
Ruby: Ensure explicit modifiers take priority
In Ruby, "explicit" visibility modifiers override "implicit" ones. For
example, in the following:
```rb
class C
  private          # implicit modifier: methods defined below default to private
  def m1
  end
  public def m2    # explicit modifier on the definition overrides the implicit `private`
  end
  def m3           # defined while the implicit `private` is still in effect ...
  end
  public :m3       # ... but an explicit `public :m3` takes priority
end
```
`m1` is private whereas `m2` and `m3` are public.
2022-09-27 10:28:23 +13:00
Harry Maclean
bda4cfbe5d
Ruby: Update test
2022-09-27 10:22:53 +13:00
Harry Maclean
5e9196e51c
Ruby: Add test for protected methods
2022-09-27 10:21:04 +13:00
Harry Maclean
494fb4c966
Ruby: Make room for new test cases
2022-09-27 10:18:43 +13:00
Harry Maclean
1d728b234f
Ruby: Add test for protected method visibility
2022-09-27 10:16:09 +13:00
Harry Maclean
c5f36613da
Ruby: Refactor method visibility modeling
2022-09-27 10:13:21 +13:00
Harry Maclean
3beed54e35
Ruby: Fix imports in test
2022-09-27 10:09:26 +13:00
Harry Maclean
dea5036912
Ruby: Update for Http concept changes
2022-09-27 10:03:17 +13:00
Tom Hvitved
88baf0883a
Merge pull request #10358 from hvitved/ruby/dataflow/call-ctx
Ruby: Context sensitive instance method resolution
2022-09-26 19:55:10 +02:00
Alex Ford
b018706afd
Ruby: update rb/unsafe-deserialization tests
2022-09-26 11:28:24 +01:00
Tom Hvitved
257bcefaf9
Merge pull request #10548 from hvitved/ruby/call-graph-tests
Ruby: Add call graph tests for unsupported constructs
2022-09-26 10:47:23 +02:00
Harry Maclean
fa20a476a6
Add test code
2022-09-26 20:56:11 +13:00
Harry Maclean
9f234e9f5a
Ruby: Merge duplicate tests
2022-09-26 20:56:11 +13:00
Harry Maclean
9f99a3ca1f
Ruby: Model sanitize ActionView helper
2022-09-26 20:56:11 +13:00
Harry Maclean
1d693d336f
Ruby: Model javascript_include_tag and friends
2022-09-26 20:56:09 +13:00
Harry Maclean
35a05f6dea
Ruby: Add summaries for ActiveSupport::SafeBuffer
2022-09-26 20:55:05 +13:00
Harry Maclean
ed0c85e3af
Ruby: Model ActionView helper XSS sinks
2022-09-26 20:55:04 +13:00
Alex Ford
364bc883ba
Ruby: add YAML.load_file as an unsafe deserialization sink
2022-09-23 15:54:15 +01:00
Tom Hvitved
fa6da788dc
Ruby: Add call graph test for unsupported constructs
2022-09-23 10:24:43 +02:00
Tom Hvitved
9937ae8ef9
Ruby: Call sensitive instance method resolution
2022-09-22 16:22:31 +02:00
Tom Hvitved
64978b0138
Ruby: Add data-flow test that demonstrates spurious flow
2022-09-22 15:18:42 +02:00
Alex Ford
140458b7cc
Merge pull request #9932 from alexrford/ruby/rbi-typegraph-fixes
Ruby: RBI library changes to support models-as-data model generation
2022-09-22 13:55:33 +01:00
Tom Hvitved
f0f4fe7286
Merge pull request #10444 from hvitved/ruby/stmt-sequence-post-update
Ruby: Add post-update nodes for compound arguments
2022-09-22 13:18:51 +02:00
Nick Rolfe
ee34ac5394
Merge pull request #10512 from github/nickrolfe/hash_from_trusted_xml
Ruby: add Hash.from_trusted_xml as an unsafe deserialization sink
2022-09-22 10:59:49 +01:00
Tom Hvitved
ac594842c8
Merge pull request #10504 from hvitved/ruby/private-methods
Ruby: Two fixes for `private` methods
2022-09-22 11:54:28 +02:00
Nick Rolfe
2edbc16829
Ruby: add Hash.from_trusted_xml as an unsafe deserialization sink
2022-09-21 13:01:21 +01:00
Tom Hvitved
61e9c6f658
Ruby: Fix call graph for overridden private methods
2022-09-21 14:00:17 +02:00
Tom Hvitved
e7649fc61a
Ruby: Fix ModuleBase::get(A)Method for private methods
2022-09-21 14:00:17 +02:00
Tom Hvitved
37a2b7d0b3
Ruby: Add more call graph tests for private methods
2022-09-21 14:00:17 +02:00
Tom Hvitved
a9f2e5272f
Merge pull request #10376 from hvitved/ruby/no-ast-by-default
Ruby: Do not expose AST layer through `ruby.qll`
2022-09-21 13:15:30 +02:00