hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
77,734 Commits 1,671 Branches 157 Tags
codeql-cli-2.21.0
Commit Graph

1608 Commits

Author SHA1 Message Date
Harry Maclean
32b775fdc3 Ruby: reduce duplicate alerts for csrf query 
Only generate an alert on the top-most vulnerable Rails controller in
the controller tree.
 2024-02-23 11:13:17 +00:00
Harry Maclean
f19a5a9837 Ruby: Add tests for Gemfile modeling 2024-02-23 11:13:16 +00:00
Harry Maclean
6d6f8ba512 Ruby: Make CSRF query more sensitive 
Generate an alert for every controller class that doesn't have or
inherity a `protect_from_forgery` setting.
 2024-02-23 11:13:15 +00:00
Harry Maclean
49d826f667 Ruby: Add a query for CSRF protection not enabled 
Specifically in Rails apps, we look for root ActionController classes
without a call to `protect_from_forgery`.
 2024-02-23 11:13:14 +00:00
Harry Maclean
fbc689227d Merge pull request #15604 from p-/p--rails-more-request-sources 
Ruby: add additional sources on the request object of Rails
 2024-02-22 16:35:59 +00:00
Joe Farebrother
67e8f17c4c Merge pull request #15619 from joefarebrother/ruby-activerecord-connection 
Ruby: Add additional sql sinks for ActiveRecord connection methods
 2024-02-22 14:02:31 +00:00
Joe Farebrother
1f409b0456 Merge pull request #15671 from joefarebrother/ruby-activerecord-extra-args 
Ruby: Consider additional arguments to certain `ActiveRecord` methods as sql injection sinks.
 2024-02-22 14:01:56 +00:00
Joe Farebrother
92bdd637a3 Address reveiw comment - add create nd remove select_insert 2024-02-22 09:55:46 +00:00
Tom Hvitved
23869fc8e6 Ruby: Fix bug in allowParameterReturnInSelf 2024-02-22 09:43:52 +01:00
Tom Hvitved
007d08ea63 Ruby: Add another variable capture test 2024-02-22 09:39:01 +01:00
Joe Farebrother
10da4d14d9 Add addtional arguments as sinks to certain methods 2024-02-20 16:35:29 +00:00
Joe Farebrother
e36b9f4d3c Add tests and change note 2024-02-15 15:26:20 +00:00
Harry Maclean
a9abba5859 Merge pull request #15520 from hmac/hmac-erb-raw-output-directive 
Ruby: Recognise raw Erb output as XSS sink
 2024-02-15 08:05:16 +00:00
Peter Stöckli
2f7b946c9f Ruby: add sources on request object of Rails 2024-02-13 15:52:18 +01:00
Harry Maclean
3d9f9afa77 Merge pull request #15566 from hmac/hmac-actioncontroller-regex 
Ruby: Fix ActionController path regex
 2024-02-12 14:14:57 +00:00
Harry Maclean
99497e5f3c Merge pull request #15521 from hmac/hmac-ar-connection 
Ruby: Recognise more ActiveRecord connections
 2024-02-12 14:06:50 +00:00
Harry Maclean
5af58d24e0 Ruby: Recognise raw Erb output as XSS sink 2024-02-12 13:28:44 +00:00
Tom Hvitved
37d774176b Ruby: Fix SSA inconsistency 2024-02-09 14:49:26 +01:00
Tom Hvitved
1ea7717714 Capture flow: Take overwrites in nested scopes into account 2024-02-09 14:49:23 +01:00
Tom Hvitved
0c43ad45b4 Ruby: Add another captured variable data flow test 2024-02-09 14:48:36 +01:00
Anders Schack-Mulligen
35a3aa0a09 Ruby: Add empty provenance column to expected files. 2024-02-09 11:32:08 +01:00
Harry Maclean
3a90d78c36 Ruby: Fix Rails view file regex 
This picks up non-nested template files correctly.
 2024-02-09 09:41:43 +00:00
Harry Maclean
48890b446d Ruby: Add more actioncontroller tests 2024-02-09 09:31:35 +00:00
Koen Vlaswinkel
87eb1ab103 Ruby: Include ReturnValue and exclude self for constructors 2024-02-08 13:40:10 +01:00
Harry Maclean
f792b58421 Ruby: Recognise more ActiveRecord connections 2024-02-05 16:45:59 +00:00
Koen Vlaswinkel
49dbad96f9 Switch from details string to DataFlow::Node 2024-02-05 16:33:01 +01:00
Koen Vlaswinkel
f83d2a7d55 Ruby: Avoid using toString where possible 2024-02-02 14:18:21 +01:00
Koen Vlaswinkel
8853acb4dd Ruby: Add query for access paths in model editor 2024-02-01 16:20:00 +01:00
Tom Hvitved
8972133d4b Merge pull request #15498 from hvitved/ruby/ctx-sensitivity-test 
Ruby: Add another dataflow test
 2024-02-01 12:46:53 +01:00
Tom Hvitved
792f302bd4 Ruby: Add another dataflow test 2024-02-01 10:52:06 +01:00
Koen Vlaswinkel
ce4d8d6b51 Merge pull request #15490 from github/koesie10/ruby-model-constructor-on-new 
Ruby: Model constructors in endpoint query on new instead of initialize
 2024-02-01 09:31:49 +01:00
Harry Maclean
06334eee2e Merge pull request #14554 from maikypedia/maikypedia/insecure-randomness 
Ruby: Add Insecure Randomness Query
 2024-01-31 17:16:32 +00:00
Koen Vlaswinkel
c1aaf5a574 Ruby: Model constructors in endpoint query on new 2024-01-31 13:54:48 +01:00
Harry Maclean
4cfdf8b7a3 Ruby: Add test case for view without ERB template 2024-01-30 20:30:59 +01:00
Tom Hvitved
d2d017dd64 Ruby: Model flow through ViewComponent render methods 2024-01-30 20:30:58 +01:00
Tom Hvitved
817a2b71a8 Add more tests 2024-01-30 20:30:58 +01:00
Harry Maclean
5b3a2b35b7 Update expected file 2024-01-30 20:30:58 +01:00
Harry Maclean
75a37486c9 Add WIP query for erb flow 2024-01-30 20:30:58 +01:00
Harry Maclean
bf3b86b402 Add test for erb flow 2024-01-30 20:30:58 +01:00
Tom Hvitved
2d95ac9d5f Merge pull request #15468 from hvitved/ruby/ctx-sensitivity-rework 2024-01-30 20:27:43 +01:00
Arthur Baars
4591560692 Merge pull request #14544 from p-/p--oj-ox-unsafe-deser 
Ruby: additional unsafe deserialization sinks for ox and one for oj
 2024-01-30 19:28:32 +01:00
Sid Shankar
f557110d9b Merge pull request #15465 from sidshank/sidshank/rename-file-name-for-extracted-files-diagnostic 
JS/TS/Python/Ruby: Renames diagnostic query files and tests
 2024-01-30 10:19:00 -05:00
Peter Stöckli
1947dee46a Merge branch 'main' into p--oj-ox-unsafe-deser 2024-01-30 15:33:39 +01:00
Harry Maclean
f230e618a3 Ruby: Update tests 2024-01-30 09:43:56 +00:00
Tom Hvitved
503d2f7b95 Ruby: Rework mayBenefitFromCallContext 2024-01-30 09:57:29 +01:00
Sid Shankar
b1d7a635f5 Renames diagnostic query files and tests 
This commit renames the files relating to the diagnostic query that produces information on the number of files extracted. The files have been renamed from "SuccessfullExtractedFiles.*" to "ExtractedFiles.*". All related tests and test files have been renamed too.

The `@tags` and `@id` attributes of the queries have been left untouched, consistent with the `@tags` and `@id` for similar queries in other languages.
 2024-01-29 20:19:20 +00:00
Sid Shankar
59098be8c4 Merge branch 'main' into change/adjust-extracted-files-diagnostics 2024-01-16 21:51:41 -05:00
Tom Hvitved
295198744b Ruby: Handle captured yield calls 2024-01-10 14:25:15 +01:00
Tom Hvitved
55be4c39ef Ruby: Add data flow call sensitivity test 2024-01-10 14:25:12 +01:00
Tom Hvitved
c9cf2a899c Merge pull request #15260 from hvitved/dataflow/may-benefit-from-cctx-simplify 
Data flow: Remove column from `mayBenefitFromCallContext`
 2024-01-10 11:43:15 +01:00