hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 11:16:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
76,612 Commits 1,672 Branches 157 Tags
codeql-cli-2.20.7
Commit Graph

3348 Commits

Author SHA1 Message Date
Harry Maclean
1fd54ed8c3 Ruby: Recognised ActiveSupport::TaggedLogging as a logger 2022-05-24 09:35:26 +01:00
Harry Maclean
dc4ddf6899 Ruby: Recognise ActiveSupport::Logger as a logger 2022-05-24 09:35:26 +01:00
Harry Maclean
14d2ff6528 Ruby: Model ActiveSupport extensions to Enumerable 2022-05-24 09:35:26 +01:00
Harry Maclean
ad2eaf0835 Ruby: Flow for ActiveSupport String extensions 
Add taint flow summaries for ActiveSupport String extensions which
transform the string in various ways, for example `camelcase` and
`underscore`.

DCA suggests this increases the sensitivity of rb/code-injection,
catching cases such as

    params[:foo].camelcase.constantize
 2022-05-24 09:35:26 +01:00
Michael Nebel
94664f11f5 C#/Java/Ruby: Sync files. 2022-05-24 08:21:39 +02:00
Arthur Baars
cf2eb0d3a1 Merge branch 'main' into instance-variable-flow 2022-05-23 18:48:51 +02:00
Harry Maclean
905a37c273 Merge pull request #9137 from hmac/hmac/cfg-ql-class 
Ruby: Add getAPrimaryQlClass to CfgNodes classes
 2022-05-23 15:37:51 +01:00
Harry Maclean
ae3a30256b Ruby: Add getAPrimaryQlClass to CfgNode 2022-05-23 14:02:23 +01:00
Rasmus Wriedt Larsen
85fa6fba63 Concepts: Move CryptographicOperation.isWeak to be Ruby specific 2022-05-23 14:39:06 +02:00
Tom Hvitved
64be958c52 Merge pull request #9262 from hvitved/ruby/local-source-node-antijoin 
Ruby: Eliminate bad `isLocalSourceNode` antijoin
 2022-05-23 14:36:03 +02:00
Rasmus Wriedt Larsen
3afa9425ef Ruby: Add TAnyKeywordArgumentPosition and TAnyKeywordParameterPosition 2022-05-23 14:03:45 +02:00
Arthur Baars
965f83e198 Reformat ControlFlowGraphImpl.qll 2022-05-23 12:22:47 +02:00
Arthur Baars
eabf2ed2d3 Apply suggestions from code review 
Co-authored-by: Tom Hvitved <hvitved@github.com>
 2022-05-23 12:18:48 +02:00
Tom Hvitved
d6b0772f7c Ruby: Improve performance of instanceVariableSelfSynthesis 2022-05-23 12:08:41 +02:00
Arthur Baars
d86983b7c8 Ruby: use InstanceVariableRead/WriteAccess CFG nodes 2022-05-23 12:03:11 +02:00
Arthur Baars
5fa4f07f7d Improve QLDoc 2022-05-23 11:59:28 +02:00
Arthur Baars
29ea1b2f24 Ruby: rename getSelfVariableAccess to getReceiver 2022-05-23 11:30:29 +02:00
Arthur Baars
f6ca3921f9 Add change note 2022-05-23 10:59:54 +02:00
Tom Hvitved
bbdedf5f14 Ruby: Eliminate bad isLocalSourceNode antijoin 
Gets rid of
```
Tuple counts for DataFlowPrivate::Cached::isLocalSourceNode#462ff392#f#antijoin_rhs@dd2f927s:
        20905019     ~3%    {2} r1 = JOIN DataFlowPrivate::Cached::TExprNode#462ff392#ff_1#higher_order_body WITH boundedFastTC(DataFlowPrivate::Cached::localFlowStepTypeTracker#462ff392#ff_10#higher_order_body,DataFlowPrivate::Cached::TExprNode#462ff392#ff_1#higher_order_body) ON FIRST 1 OUTPUT Rhs.1, Lhs.0

        10420128  ~1496%    {1} r2 = JOIN r1 WITH DataFlowPrivate::Cached::TExprNode#462ff392#ff_1#higher_order_body ON FIRST 1 OUTPUT Lhs.1

          480918     ~8%    {1} r3 = JOIN r1 WITH DataFlowPrivate::Cached::entrySsaDefinition#462ff392#f ON FIRST 1 OUTPUT Lhs.1

        10901046  ~1218%    {1} r4 = r2 UNION r3
                            return r4
```
 2022-05-23 10:54:17 +02:00
Michael Nebel
bf958ff5bb Merge pull request #9255 from michaelnebel/csharp/test-clearscontent 
C#: Remove default clears content.
 2022-05-23 10:30:30 +02:00
Anders Schack-Mulligen
f2218944f6 Merge pull request #9214 from hvitved/dataflow/lambda-fp-flow 
Data flow: Do not discard call context when computing reverse lambda flow through jumps
 2022-05-23 10:02:51 +02:00
Michael Nebel
ddde1d4607 C#: Remove default clears content. 2022-05-22 15:16:44 +02:00
Arthur Baars
d9c2b78aa2 Ruby: flow through instance variables 2022-05-20 16:30:58 +02:00
Anders Schack-Mulligen
8beef45599 Merge pull request #9195 from aschackmull/java/perf-local-flow 
Java: Performance fixes for local flow relation
 2022-05-20 12:38:02 +02:00
Michael Nebel
20af134ff0 Merge pull request #9210 from michaelnebel/dataflow/summarizedcallablerefactor 
DataFlow - SummarizedCallable refactor
 2022-05-20 09:32:30 +02:00
Alex Ford
6b7abef405 Ruby: remove unnecessary CryptographicOperation#isWeak override 2022-05-19 16:01:34 +01:00
Alex Ford
8b7bb7c358 Ruby: add missing qldoc 2022-05-19 15:55:48 +01:00
Alex Ford
d3662cf54a Deprecate CryptographicOperation#isWeak and add a default implementation 2022-05-19 15:46:13 +01:00
Alex Ford
3d66905dc6 Share the CryptographicOperation and BlockMode concepts between dynamic langs 2022-05-19 15:46:03 +01:00
Rasmus Wriedt Larsen
0879b6ae12 Ruby: Fix Argument[any,any-named] handling for path component in MaD 2022-05-19 15:51:30 +02:00
Rasmus Wriedt Larsen
7784b9f879 Ruby: WIP: Make Argument[any] and any-named work 
It's not fully working I think the problem is that the code below ties
up `Argument[x]` with parameter positions, and `Parameter[x]` with
argument positions. This flip might be correct for flow-summaries, but
it does NOT seem to be correct for the `path` component  in MaD.

Specifically, quick-eval for ParameterPosition does NOT include `keyword key` while
quick-eval for ArgumentPosition DOES include `keyword key`!

For the test `Foo.sinkAnyNamedArg(key: tainted) # $ MISSING: hasValueFlow=tainted`

c8be8d30b3/ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsSpecific.qll (L130-L133)
 2022-05-19 15:51:25 +02:00
Rasmus Wriedt Larsen
cb5ad8b775 Ruby: Don't include Argument[self] in Argument[any] 
For flow-sumamries
 2022-05-19 15:42:41 +02:00
Tom Hvitved
a18aef23f9 Data flow: Do not discard call context when computing reverse lambda flow through jumps 2022-05-19 15:19:41 +02:00
Tom Hvitved
2b2ac06128 Data flow: Sync files 2022-05-19 13:28:56 +02:00
Anders Schack-Mulligen
0e830f6052 C#/Ruby/Java: Fix pragmas. 2022-05-19 11:26:38 +02:00
Michael Nebel
73802cbd6d Ruby: Refactor SummarizedCallable. 2022-05-19 11:04:18 +02:00
Erik Krogh Kristensen
215a6a72cc Merge branch 'main' into useStringComp 2022-05-18 10:55:31 +02:00
Tom Hvitved
5e57e82997 Merge pull request #9191 from hvitved/ruby/taint-tracking-stage 
Ruby: Force cached taint tracking predicates to be evaluated in data flow stage
 2022-05-18 09:54:38 +02:00
Anders Schack-Mulligen
af7df79289 Autoformat 2022-05-18 09:38:11 +02:00
Anders Schack-Mulligen
48ab5b2403 C#/Ruby/Java: Fix references. 2022-05-18 09:27:54 +02:00
Anders Schack-Mulligen
829eb7f7a5 C#/Ruby: Sync FlowSummaryImpl. 2022-05-18 09:27:48 +02:00
Alex Ford
4bb6d1db3a Add missing qldoc 2022-05-17 15:01:28 +01:00
Alex Ford
f92782d4e7 Ruby: fix some cases where we assume that a CryptographicOperation is using CBC when it is not 2022-05-17 14:57:11 +01:00
Erik Krogh Kristensen
86e97c32d6 fix all ql/use-string-compare 2022-05-17 14:11:05 +02:00
Tom Hvitved
f1f96b7e5c Ruby: Force cached taint tracking predicates to be evaluated in data flow stage 2022-05-17 12:54:26 +02:00
Tom Hvitved
284357d2a0 Data flow: Do not materialize summaryArgParam 2022-05-17 12:50:01 +02:00
Erik Krogh Kristensen
bb289e29b9 sync typo fix to JS/RB 2022-05-17 12:26:31 +02:00
Mathias Vorreiter Pedersen
1280d43e36 Merge pull request #9141 from github/post-release-prep/codeql-cli-2.9.2 
Post-release preparation for codeql-cli-2.9.2
 2022-05-17 10:01:37 +01:00
Nick Rolfe
c518150b49 Merge pull request #9132 from github/nickrolfe/misspelling 
QL for QL: generalise non-US spelling query
 2022-05-16 16:03:36 +01:00
Alex Ford
0cc0494586 codeql format 2022-05-16 15:54:31 +01:00