hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,643 Commits 1,672 Branches 157 Tags
alexet/avoid-path-node-java
Commit Graph

1638 Commits

Author SHA1 Message Date
erik-krogh
94ec0b8a52 update expected output of tests 2022-08-23 07:19:37 +02:00
erik-krogh
7e0bd5bde4 update expected output of tests 2022-08-22 21:41:47 +02:00
erik-krogh
e89e0eb7fb make some acronyms camelCase 2022-08-22 21:22:35 +02:00
Rasmus Wriedt Larsen
61bf2154cd Merge branch 'main' into shared-http-client-request 2022-08-22 12:05:37 +02:00
Chris Smowton
8d20b9cf52 Use hasLocationInfo to match several Location fields at once 2022-08-19 19:03:17 +01:00
Chris Smowton
1ea7caf559 Fix join ordering in inline-expectations test 2022-08-19 18:17:22 +01:00
Rasmus Wriedt Larsen
10968bf115 Ruby: Fix alert-msg logic for RequestWithoutValidation.ql 
This really surprised me, but as shown on the results, it does actually
make a difference in the alert-message.
 2022-08-19 15:50:09 +02:00
Rasmus Wriedt Larsen
0ac3624342 Ruby: Implement new disablesCertificateValidation for all HTTP client models 
Sadly most alert text changed, but the two important changes are:

1. The request on RestClient.rb:19 now has an expanded alert text,
   highlighting where the origin of the value that disables certificate
   validation comes from. (in this case, it's trivial since it's the
   line right above)
2. We handle passing `false`/`OpenSSL::SSL::VERIFY_NONE` the same in the
   argument passing examples in Faraday.rb
 2022-08-19 15:46:22 +02:00
Rasmus Wriedt Larsen
1f028ac206 Ruby: Implement new disablesCertificateValidation for RestClient 2022-08-19 15:43:19 +02:00
Rasmus Wriedt Larsen
07d95918f2 Ruby: Add more RequestWithoutValidation.ql tests 
Added:
- one where the value is not directly used when disabling certificate
  validation.
- one with argument passing, Faraday, where it is only the passing of
  `OpenSSL::SSL::VERIFY_NONE` that is recognized.
 2022-08-19 15:42:50 +02:00
Rasmus Wriedt Larsen
47c9c5bddd Ruby: Update RequestWithoutValidation.ql to match Python version 
No library modeling currently has support for the new disablesCertificateValidation/2, so only the alert text has changed

(removed an import from Python so the queries would ACTUALLY match)
 2022-08-18 14:32:41 +02:00
Rasmus Wriedt Larsen
4a82025087 Ruby: Base HTTP::Client::Request on shared concept 
Fixing up deprecation errors in next commit
 2022-08-18 13:42:53 +02:00
Rasmus Wriedt Larsen
9d96b73b8b Ruby: Fixup test annotation 2022-08-18 13:42:49 +02:00
Tom Hvitved
08a5b5dc73 Merge pull request #10089 from hvitved/ruby/local-source-nodes 
Ruby: Reduce size of `isLocalSourceNode`
 2022-08-18 12:02:35 +02:00
Nick Rolfe
a46e2b3f2f Merge pull request #10056 from hmac/hmac/action-controller-response-body 
Ruby: Recognise Rails render calls as HTTP responses
 2022-08-18 10:02:17 +01:00
Harry Maclean
70ec70940a Merge pull request #8142 from github/hmac/incomplete-multi-char-sanitization 2022-08-18 10:02:39 +12:00
Tom Hvitved
ed2ec1acc0 Ruby: Reduce size of isLocalSourceNode 2022-08-17 17:19:30 +02:00
Alex Ford
d4d6657cb7 Merge pull request #10008 from alexrford/rb/log-injection 
Ruby: Add `rb/log-injection` query
 2022-08-17 15:01:22 +01:00
Nick Rolfe
94a51142d0 Ruby: fix typo in internal predicate name 2022-08-17 11:05:39 +01:00
Harry Maclean
f1a546c4d6 Rename IncompleteMultiCharacterSanitization[Query] 2022-08-17 16:03:49 +12:00
Harry Maclean
f2384a6a8f Ruby: Share more code with JS 2022-08-17 16:03:49 +12:00
Harry Maclean
025e34d8e1 Ruby: Simplify imports 2022-08-17 16:03:48 +12:00
Harry Maclean
b7d9bf4066 Share IncompleteMultiCharacterSanitization JS/Ruby 
Most of the classes and predicates in this query can be shared between
the two languages. There's just a few language-specific things that we
place in IncompleteMultiCharacterSanitizationSpecific.
 2022-08-17 16:03:46 +12:00
Harry Maclean
c234bd94d1 Ruby: IncompleteMultiCharacterSanitization Query 
This query is similar to IncompleteSanitization but for multi-character
sequences.
 2022-08-17 16:02:48 +12:00
Tom Hvitved
aa93986d1a Ruby: Add tests that demonstrate missing flow through positional arguments 2022-08-16 10:36:40 +02:00
Erik Krogh Kristensen
f106e064fa Merge pull request #9422 from erik-krogh/refacReDoS 
Refactorizations of the ReDoS libraries
 2022-08-16 09:32:08 +02:00
Harry Maclean
7ef6ffbc54 Ruby: Recognise Rails render calls as HTTP responses 2022-08-16 14:03:26 +12:00
Erik Krogh Kristensen
0adb588fe8 Merge pull request #9712 from erik-krogh/badRange 
JS/RB/PY/Java: add suspicious range query
 2022-08-15 13:55:44 +02:00
erik-krogh
b54f037424 Merge branch 'main' into refacReDoS 2022-08-12 20:28:30 +02:00
Alex Ford
44c4b9ba5c Ruby: add rb/log-injection test cases 2022-08-10 16:17:37 +01:00
Tom Hvitved
19043bdf38 Merge pull request #9976 from hvitved/ruby/hash-literal-summary-simplification 
Ruby: Simplify flow summaries for hash literals
 2022-08-10 08:57:33 +02:00
Harry Maclean
30ff18aec8 Merge pull request #9919 from hmac/hmac/ar-associations 
Ruby: ActiveRecord associations
 2022-08-10 11:13:39 +12:00
Erik Krogh Kristensen
49276b1f38 Merge branch 'main' into refacReDoS 2022-08-09 16:18:46 +02:00
Tom Hvitved
28c8d9b885 Ruby: Add two more hash flow tests 2022-08-09 14:17:07 +02:00
Tom Hvitved
975edac34e Merge pull request #9969 from hvitved/ruby/kwargs-missing-flow 
Ruby: Support more flow through keyword arguments
 2022-08-09 09:59:57 +02:00
Harry Maclean
22d7b046ab Ruby: Fix << 2022-08-09 15:08:17 +12:00
Harry Maclean
e3115b5ed7 Ruby: Add test for other= 2022-08-09 15:08:17 +12:00
Harry Maclean
831f722402 Ruby: Make room for new test 2022-08-09 15:08:17 +12:00
Harry Maclean
dc853d9728 Ruby: Model ActiveRecord associations 2022-08-09 15:08:17 +12:00
Tom Hvitved
9268437a58 Ruby: Generalize SynthHashSplatParameterNode to also work for synthesized methods 2022-08-08 14:05:06 +02:00
Harry Maclean
74d529d3e3 Merge pull request #9918 from hmac/hmac/mime-type-match 
Ruby: Model Mime::Type
 2022-08-05 11:51:45 +12:00
Tom Hvitved
01c0d4b59f Ruby: Support more flow through keyword arguments 2022-08-04 16:20:08 +02:00
Tom Hvitved
38ede25385 Ruby: Add test that illustrates missing flow for keyword arguments 2022-08-04 14:39:22 +02:00
Harry Maclean
83393dc195 Ruby: Recognise more AR write accesses 
This change means we recognise calls like

```rb
User.create(params)
User.update(id, params)
```

as instances of `PersistentWriteAccess`.
 2022-08-04 17:22:46 +12:00
Harry Maclean
d4f7f2b75e Ruby: Add test for AR PersistentWriteAccesses 2022-08-04 17:22:46 +12:00
Harry Maclean
7ed81db32d Ruby: Move ActiveRecord tests to new directory 2022-08-04 17:22:46 +12:00
Arthur Baars
d8592a2b05 Ruby: PrintAST: more stable order for synthesized nodes 2022-08-03 09:02:38 +02:00
Harry Maclean
f42d33312f Ruby: Model Mime::Type 
Add type summaries to recognise instances of Mime::Type, and recognise
arguments to Mime::Type.match? and Mime::Type.=~ as regular expression
interpretations.
 2022-07-29 11:41:48 +12:00
Harry Maclean
c29eb814b2 Ruby: Reorganise ActionDispatch framework 
Put routing modelling inside a Routing module.
 2022-07-29 10:44:36 +12:00
Nick Rolfe
6356b20928 Ruby: port js/hardcoded-data-interpreted-as-code 2022-07-26 16:05:22 +01:00