hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
79,451 Commits 1,672 Branches 157 Tags
codeql-cli-2.21.4
Commit Graph

4766 Commits

Author SHA1 Message Date
Tom Hvitved
914a605a87 Ruby: Rework hidden synthetic data-flow nodes 2024-02-27 15:33:58 +01:00
Tom Hvitved
994d990f37 Ruby: Add another data flow test 2024-02-27 15:33:58 +01:00
Joe Farebrother
3ab6f222d0 Merge pull request #15718 from joefarebrother/ruby-arel-sqlliteral 
Ruby: Model Arel::Nodes::SqlLiteral.new
 2024-02-27 12:43:47 +00:00
Harry Maclean
d0e7fbc871 Ruby: Add changenote 2024-02-27 09:47:51 +00:00
Tom Hvitved
bbeee8f38d Merge pull request #15717 from hvitved/csharp/view-cfg 
Shared `View CFG` implementation
 2024-02-27 09:13:18 +01:00
Joe Farebrother
cb733dcf85 Simplify model defenition 2024-02-26 14:59:03 +00:00
Cornelius Riemenschneider
4bb725cbf5 Merge pull request #15656 from github/criemen/ruby-bazel 
Ruby: Start building the language pack using bazel.
 2024-02-26 15:52:28 +01:00
Harry Maclean
8212f5de1b Ruby: Update test 2024-02-26 13:10:27 +00:00
Harry Maclean
b86643fab2 Ruby: doc fixes 2024-02-26 12:57:21 +00:00
Harry Maclean
8a670fe9a2 Ruby: formatting 2024-02-26 12:26:04 +00:00
amammad
32f5667bb6 revert YAML.qll and yaml sinks to previous PR, make a separate experimental query only for yaml 2024-02-26 12:12:03 +00:00
amammad
c582ea626d update expected test file 2024-02-26 12:10:04 +00:00
amammad
1c1a6f13df fix QLDoc style 2024-02-26 12:05:35 +00:00
amammad
9c5c8c8362 fix test file 2024-02-26 12:05:35 +00:00
amammad
464e2e4291 fix qldoc and test files 2024-02-26 12:04:52 +00:00
amammad
18fa91bde4 add transform method that is an alias for to_ruby 2024-02-26 11:59:41 +00:00
amammad
a75a004942 add more additional steps, change parse* sinks to reciever of them 2024-02-26 11:59:41 +00:00
amammad
474a4f8abd thanks @asgerf for informing me that Successor wants to be deprecated and thank him that providing the solution 2024-02-26 11:59:41 +00:00
amammad
1410574f76 make seperate steps for YAML.parse* and use getAsuccessor*() to reach final to_ruby method call, All parts have Rewritten with API graphs exclusively 2024-02-26 11:59:35 +00:00
Harry Maclean
f7b8e8af41 Ruby: Include request forgery sinks from MaD 2024-02-26 11:34:11 +00:00
Harry Maclean
8bed3fbed4 Ruby: Add basic model for Terrapin library 2024-02-26 11:32:41 +00:00
Harry Maclean
9d13a1ff51 Ruby: Add model for Process.spawn 2024-02-26 11:26:38 +00:00
Harry Maclean
d1847566b6 Ruby: Ql4QL fix 2024-02-26 11:26:38 +00:00
Harry Maclean
beef9965cc Ruby: Model Open4 library 
Also remove duplicate modeling of Process.spawn.
 2024-02-26 11:26:38 +00:00
Harry Maclean
a03c06802e Ruby: Add some more command injection sinks 2024-02-26 11:26:38 +00:00
Cornelius Riemenschneider
1657b314c1 Re-pin ruby extractor deps. 2024-02-26 11:21:23 +00:00
Cornelius Riemenschneider
688b9955a0 Address review, start accomodating bzlmod. 2024-02-26 11:21:23 +00:00
Cornelius Riemenschneider
fd85c44129 Ruby: Start building the language pack using bazel. 
This PR introduces a bazel and `rules_rust`-based build system
for the ruby extractor and language pack.
This replacese the existing, `cargo` and `cross`-based build system.

For local development, nothing changes, and the existing `cargo`-based
build still keeps working as-is.

We no longer need to use `cross` to compile our Linux binaries,
as we now can link against our hermetic C++ toolchain, which ships
with an old enough glibc, so that we don't run into symbol version issues
when deploying the binaries to older systems.
Besides the one change in dependency (explained in detail in `Cargo.toml`
and in https://github.com/github/codeql/pull/15595), nothing ought to
change in how we build the extractor.
 2024-02-26 11:21:22 +00:00
Joe Farebrother
386defc3c7 Update test output 2024-02-26 11:21:03 +00:00
Joe Farebrother
fb06e9f6b2 Merge pull request #15719 from joefarebrother/ruby-changenote-formatting 
Ruby: Fix change note formatting
 2024-02-26 11:12:01 +00:00
Harry Maclean
dd092fd18f Ruby: Fix CSRF test 2024-02-26 11:02:54 +00:00
Tom Hvitved
5b6e76c030 Move View CFG implementation from Ruby/Swift into shared library 2024-02-26 11:23:49 +01:00
Joe Farebrother
403a1ac483 Fix change note formatting 2024-02-26 10:21:26 +00:00
Joe Farebrother
2257df5c6f Model Arel::Nodes::SqlLiteral.new 2024-02-26 10:09:33 +00:00
Tom Hvitved
03a125de38 Merge pull request #15562 from Marcono1234/patch-2 
Ruby: Fix formatting in changelog
 2024-02-26 10:03:29 +01:00
Tom Hvitved
2683e40038 Merge pull request #15708 from hvitved/share-ide-contextual 
Share `getFileBySourceArchiveName` implementation
 2024-02-23 19:56:33 +01:00
Harry Maclean
f5be407989 Ruby: deprecate old ProtectFromForgeryCall class 2024-02-23 12:02:26 +00:00
Harry Maclean
7b3f1a0982 Ruby: fix comment 2024-02-23 11:14:52 +00:00
Harry Maclean
081c1201ed Ruby: Make csrf query more specific 
CSRF protection only needs to be explicitly enabled on Rails
applications < 5.2 _or_ those that don't include a `load_defaults` call
with a version >= 5.2.
 2024-02-23 11:13:17 +00:00
Harry Maclean
3ee425cc47 Ruby: Identify ActionController::API 
`ActionController::API < ActionController::Base` is a base controller
class, so we should recognise it as such.
 2024-02-23 11:13:17 +00:00
Harry Maclean
32b775fdc3 Ruby: reduce duplicate alerts for csrf query 
Only generate an alert on the top-most vulnerable Rails controller in
the controller tree.
 2024-02-23 11:13:17 +00:00
Harry Maclean
1fbf177b54 Ruby: QLDoc fix 2024-02-23 11:13:16 +00:00
Harry Maclean
3499d169f9 Ruby: Add missing QLDoc 2024-02-23 11:13:16 +00:00
Harry Maclean
0597b2ed1b Ruby: recognise csrf_meta_tag 
csrf_meta_tag is an alias for csrf_meta_tags, retained for backwards
compatibility.
 2024-02-23 11:13:16 +00:00
Harry Maclean
f19a5a9837 Ruby: Add tests for Gemfile modeling 2024-02-23 11:13:16 +00:00
Harry Maclean
3c69ab10f2 Ruby: Restrict rb/csrf-protection-not-enabled 
This query only applies to codebases using Ruby on Rails < 5.2, or where
there is no call to `csrf_meta_tags` in the base ERb template.
 2024-02-23 11:13:15 +00:00
Harry Maclean
581072721c Ruby: Add change note 2024-02-23 11:13:15 +00:00
Harry Maclean
6d6f8ba512 Ruby: Make CSRF query more sensitive 
Generate an alert for every controller class that doesn't have or
inherity a `protect_from_forgery` setting.
 2024-02-23 11:13:15 +00:00
Harry Maclean
49d826f667 Ruby: Add a query for CSRF protection not enabled 
Specifically in Rails apps, we look for root ActionController classes
without a call to `protect_from_forgery`.
 2024-02-23 11:13:14 +00:00
Tom Hvitved
62b16c0fa3 Share getFileBySourceArchiveName implementation 2024-02-23 11:25:49 +01:00