Erik Krogh Kristensen
a343ceaf8b
add suspicious-regexp-range query
2022-06-28 09:49:27 +02:00
Harry Maclean
101111bd2f
Merge pull request #9574 from hmac/hmac/action-cable-logger
...
Ruby: More Rails modeling
2022-06-27 19:56:54 +12:00
thiggy1342
cf36333082
forgot to finish this test
2022-06-24 02:18:48 +00:00
Erik Krogh Kristensen
7fb3d81d2f
add further normalization of char classses
2022-06-23 14:36:25 +02:00
thiggy1342
83b720d730
first draft of weak params query
2022-06-21 19:28:53 +00:00
thiggy1342
c5bf1b8aab
update test expectation
2022-06-20 17:27:33 +00:00
thiggy1342
7932d3e4ab
Update ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.expected
...
Co-authored-by: Arthur Baars <aibaars@github.com >
2022-06-20 11:05:56 -04:00
thiggy1342
b4c893d857
Update ruby/ql/test/query-tests/security/decompression-api/decompression_api.rb
...
Co-authored-by: Arthur Baars <aibaars@github.com >
2022-06-20 09:50:12 -04:00
Harry Maclean
7dfab371f6
Ruby: Model redirect_back and redirect_back_or_to
...
These are ActionController methods that redirect to the HTTP Referer,
falling back to the given location if there is no Referer.
2022-06-20 13:36:02 +12:00
thiggy1342
0456870136
Merge branch 'main' into experimental-manually-check-request-verb
2022-06-18 15:21:53 -04:00
thiggy1342
059c4d38ad
refine query to use appropriate types
2022-06-18 18:26:45 +00:00
thiggy1342
b171883cd0
Merge branch 'main' into experimental-decompression-api
2022-06-17 12:30:38 -04:00
Harry Maclean
230192df3b
Merge pull request #9267 from hmac/hmac/improper-memoization
...
Ruby: Add Improper Memoization query
2022-06-17 16:31:55 +12:00
thiggy1342
7c2b19baad
tweaks and add Zip::File.open_buffer to query
2022-06-17 02:43:54 +00:00
thiggy1342
01cb408393
Merge branch 'main' into experimental-decompression-api
2022-06-16 17:23:55 -04:00
thiggy1342
b078430faf
add Zip::File.new query to tests
2022-06-16 00:51:50 +00:00
Harry Maclean
ef6f0e5b30
Ruby: Add Improper Memoization query
...
This query finds cases where a method memoizes its result but fails to
include one or more of its parameters in the memoization key (or doesn't
use memoization keys at all). This can lead to the method returning
incorrect results when subsequently called with different arguments.
2022-06-16 12:44:33 +12:00
thiggy1342
0281dbd532
remove Zip::Entry.extract from query
2022-06-16 00:04:31 +00:00
thiggy1342
0fce620536
Merge branch 'main' into experimental-decompression-api
2022-06-14 21:54:08 -04:00
thiggy1342
df226ee610
remove standalone archive api query
2022-06-15 01:39:47 +00:00
thiggy1342
0832e299f2
move archive api path traversal tests to cwe-022
2022-06-15 01:39:47 +00:00
thiggy1342
af6fbd439c
Merge branch 'main' into experimental-archive-api
2022-06-14 20:09:02 -04:00
thiggy1342
6bef71ea2c
tweaks to tests
2022-06-14 02:17:12 +00:00
thiggy1342
7bdec98e6f
draft tests
2022-06-14 02:13:15 +00:00
Alex Ford
8d195e3188
Merge pull request #9157 from alexrford/crypto-op-block-mode
...
Ruby/Python: Add a `BlockMode` concept for `CryptographicOperations`
2022-06-13 21:32:36 +02:00
thiggy1342
c7e67eb2e2
expand test coverage for sanitizers
2022-06-10 21:30:41 +00:00
thiggy1342
62291124ff
remove constraint for Zip::File.open
2022-06-06 21:20:44 +00:00
thiggy1342
3c62271dba
fix casing of Api
2022-06-06 21:18:08 +00:00
thiggy1342
074583eab8
add archive api file open query and test
2022-06-06 21:09:57 +00:00
thiggy1342
c5db11ee2e
use select placeholder correctly
2022-06-06 14:01:02 +00:00
thiggy1342
6cb0717a07
Fix test syntax for sanitizer tests
2022-06-04 16:33:18 +00:00
thiggy1342
c5dc8779d1
Increased query robustness and test coverage
2022-06-03 18:05:56 +00:00
thiggy1342
09f082081f
Simple tests passing
2022-05-28 23:29:58 +00:00
thiggy1342
39baadbdd2
test ql packs must be in the security directory
2022-05-28 23:19:32 +00:00
Adam Thigpen
52ac93b82e
adding skeleton for experimental unit tests
2022-05-28 15:14:42 -04:00
Tom Hvitved
a7b39ebeca
Ruby: Flow through hash-splat parameters
2022-05-25 12:37:22 +02:00
Tom Hvitved
faf24a4f18
Ruby: Data-flow through hashes
2022-05-24 14:27:55 +02:00
Arthur Baars
68aeb2ba85
Update test output
2022-05-20 16:30:58 +02:00
Alex Ford
4752c45fe5
ruby: update rb/weak-cryptographic-algorithm to specify the block mode if appropriate
2022-05-13 16:32:30 +01:00
Harry Maclean
ba1d43dd42
Merge pull request #8658 from hmac/hmac/insecure-download
...
Ruby: Add InsecureDownload query
2022-04-28 11:07:35 +12:00
Harry Maclean
6998608257
Ruby: Document missing test result
2022-04-27 12:47:09 +12:00
Harry Maclean
bb3fb0325b
Ruby: Add InsecureDownload query
...
This query finds cases where a potentially unsafe file is downloaded
over an unsecured connection.
2022-04-27 12:47:09 +12:00
Harry Maclean
2feb4a48be
Ruby: Add hasMisleadingAnchorPrecedence to MissingRegExpAnchor
2022-04-27 10:12:33 +12:00
Harry Maclean
e3c3c00c68
Ruby: Add MissingRegExpAnchor query
2022-04-27 10:12:33 +12:00
Nick Rolfe
9b6e610e24
Merge remote-tracking branch 'origin/main' into nickrolfe/incomplete_sanitization
2022-04-20 12:05:22 +01:00
Harry Maclean
c3f1fba985
Merge pull request #8598 from hmac/hmac/insecure-dep-resolution
...
Ruby: Add rb/insecure-dependency query
2022-04-14 02:09:44 +02:00
Nick Rolfe
fdca896614
Ruby: improve handling of [g]sub!
...
rb/incomplete-sanitization has a few cases where we find flow from one
one string substitution call to another, e.g.
a.sub(...).sub(...)
But this didn't find typical chained uses of the destructive variants,
e.g.
a.sub!(...)
a.sub!(...)
We now handle those cases by tracking flow from the post-update node for
the receiver of the first call.
2022-04-13 17:19:25 +01:00
Nick Rolfe
bbb8177176
Ruby: add rc/incomplete-sanitization query
2022-04-13 16:48:43 +01:00
Harry Maclean
8f3578c92a
Ruby: Include query results in test
2022-04-05 10:20:02 +12:00
Harry Maclean
3d96c5e6db
Ruby: Add test case for rb/insecure-dependency
...
This tests that we recognise kwargs in hashrocket style:
gem "foo", "1.2.3", :git => "..."
as well as the modern style:
gem "foo", "1.2.3", git: "..."
2022-04-01 15:30:07 +13:00
