hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,246 Commits 1,672 Branches 157 Tags
codeql-cli-2.23.0
Commit Graph

1635 Commits

Author SHA1 Message Date
Nick Rolfe
b80a84c156 Merge pull request #7341 from github/nickrolfe/cookies 2021-12-10 19:52:23 +00:00
Andrew Eisenberg
66c1629974 Merge pull request #7285 from github/post-release-prep-2.7.3-ddd4ccbb 
Post-release preparation 2.7.3
 2021-12-10 09:59:45 -08:00
Nick Rolfe
a4da528812 Ruby: query to find user-controlled bypass of sensitive actions 2021-12-10 11:41:09 +00:00
Arthur Baars
a7b3f1370f Ruby: CFG: add test case 2021-12-09 15:23:26 +01:00
Tom Hvitved
b887165005 Ruby: Code review suggestions 2021-12-09 15:23:26 +01:00
Arthur Baars
660e52f2bf Ruby: CFG: make VariableReferencePattern a PreOrder node 2021-12-09 15:23:26 +01:00
Arthur Baars
aacba0b522 Ruby: CFG: add test cases for pattern matching 2021-12-09 15:23:26 +01:00
Arthur Baars
d17c055139 CFG 2021-12-09 15:23:25 +01:00
Arthur Baars
44a615839d Add test case with rest variable and no prefix elements 2021-12-09 15:23:25 +01:00
Arthur Baars
f08eb8e616 Revert "Temporarily allow CFG inconsistencies" 
This reverts commit dca1e34cd8.
 2021-12-09 15:23:25 +01:00
Nick Rolfe
d46564caa6 Ruby: treat ActionController#cookies as a remote flow source 2021-12-09 12:13:17 +00:00
Nick Rolfe
f6a8b9a7e5 Ruby: add cookies call to frameworks test 2021-12-09 12:07:04 +00:00
Harry Maclean
8df5aaa797 Ruby: Model private class methods 
`Module#private_class_method` takes a symbol representing the name of a
method in the current module scope and makes that module private. This
is similar to `private`, but applies only to class (singleton) methods.
Unlike `private`, it must be called with an argument, and does not
change the ambient visibility for any subsequent method definitions.

    class Foo
      def public
      end

      def private1
      end
      private_class_method :private1

      # This alternate form works because method definition
      # returns its name as a symbol:

      private_class_method def private2
      end
    end
 2021-12-09 18:15:25 +13:00
Harry Maclean
e811ba1150 Ruby: handle private module methods 
`private` can be used in both classes and modules.
 2021-12-09 18:13:29 +13:00
Tom Hvitved
5735bb698d Ruby: Hide desugared nodes in data-flow paths 2021-12-08 09:00:16 +01:00
Tom Hvitved
5183290439 Merge pull request #7315 from hvitved/ruby/inline-flow-test 
Ruby: Add `InlineFlowTest.qll`
 2021-12-07 16:29:34 +01:00
Harry Maclean
6f42153eac Ruby: Include empty StmtSequences in CFG 
Empty StmtSequences appear, for example, in the `else` branch of `if`
statements like the following:

    foo

    if cond
      bar
    else
    end

    baz

Before this change, the CFG for this code would look like this:

        foo
         │
         │
         ▼
        cond
         │
    true │
         ▼
        bar
         │
         │
         ▼
         if
         │
         │
         ▼
        baz

i.e. there is linear flow through the condition, the `then` branch, and
out of the if. This doesn't account for the possibility that the
condition is false and `bar` is not executed. After this change, the CFG
looks like this:

          foo
           │
           │
           ▼
          cond
         │    │
    true │    │ false
         ▼    │
        bar   │
         │    │
         │    │
         ▼    ▼
           if
           │
           │
           ▼
          baz

i.e. we correctly account for the `false` condition.
 2021-12-07 16:01:50 +13:00
Tom Hvitved
36569f997f Ruby: Add InlineFlowTest.qll 2021-12-06 13:35:07 +01:00
Alex Ford
6adfea2365 Merge pull request #7163 from github/ruby/file-reader-extend 
Ruby: Extend `FileSystemReadAccess` to include more potential sources of input from the filesystem
 2021-12-05 23:32:43 +00:00
Arthur Baars
51998294ad Ruby: add AST classes for parenthesized patterns 2021-12-03 18:13:53 +01:00
Nick Rolfe
5a2ef8321c Merge pull request #7120 from github/nickrolfe/regexp_g_anchor 
Ruby/Python: parse anchors in regexes as special characters
 2021-12-03 15:24:38 +00:00
Tom Hvitved
50dd4e7ee7 Ruby: Add CFG test for || 2021-12-03 09:16:11 +01:00
Nick Rolfe
05415768c9 Merge remote-tracking branch 'origin/main' into nickrolfe/regexp_g_anchor 2021-12-02 12:07:13 +00:00
Dave Bartolomeo
2dfcd1dd9c Add groups property 
Also removed versions from test packs
 2021-11-29 14:15:53 -05:00
Arthur Baars
1e026ef45e AST: merge Case and CaseMatch classes 2021-11-29 16:00:17 +01:00
Arthur Baars
f8a62c4c82 Address comments 2021-11-29 15:06:16 +01:00
Arthur Baars
8b0bc677f4 Remove PatternGuard class 2021-11-25 13:50:19 +01:00
Arthur Baars
dca1e34cd8 Temporarily allow CFG inconsistencies 2021-11-25 13:42:59 +01:00
Arthur Baars
16e1e97ff0 Add test data for case-in expressions 2021-11-25 13:25:33 +01:00
Arthur Baars
af4c3122ca Test case for **nil parameter 2021-11-25 13:25:00 +01:00
Arthur Baars
ec0bd24b64 Update diagnostic tests 2021-11-25 12:55:50 +01:00
Erik Krogh Kristensen
87a1ccd428 Merge branch 'main' into getRubyInSync 2021-11-23 20:20:37 +01:00
Nick Rolfe
1a90b388a9 Merge remote-tracking branch 'origin/main' into nickrolfe/regex_injection 2021-11-23 15:42:05 +00:00
Tom Hvitved
83d204d7a8 Merge pull request #7218 from hvitved/ssa/fix-consistency-tests 
Ruby: Fix SSA consistency tests + CFG bug
 2021-11-23 16:24:41 +01:00
Tom Hvitved
4d918b5e5f Ruby: Fix CFG splitting logic for ensure blocks with loops 2021-11-23 15:21:43 +01:00
Alex Ford
055641e684 Merge pull request #7062 from github/ruby/rails-csrf 
Ruby: Add `rb/csrf-protection-disabled` query
 2021-11-23 13:46:42 +00:00
Erik Krogh Kristensen
b2e40ac603 fix typo in test 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2021-11-23 13:09:22 +01:00
Nick Rolfe
e5f473052d Ruby: add Regexp.{compile,quote} to regex injection test 2021-11-23 11:05:41 +00:00
Tom Hvitved
9d072a12ed Merge pull request #7098 from github/ruby/desugar-for-1 
Ruby: Desugar `for` loops as calls to `each`
 2021-11-23 11:35:49 +01:00
Nick Rolfe
752b126862 Merge remote-tracking branch 'origin/main' into nickrolfe/regex_injection 2021-11-22 17:05:27 +00:00
Alex Ford
68c3c16ab3 Ruby: enable forgery protection checks for development environments 2021-11-22 15:00:32 +00:00
Nick Rolfe
f63c768d9f Ruby: parse \G, \b, and \B anchors as special characters, not escapes 2021-11-19 14:20:51 +00:00
Harry Maclean
90a9688310 Ruby: update CFG fixture 2021-11-19 11:31:14 +00:00
Harry Maclean
c297a68acf Model more of the RestClient API 
We now handle this form:

    RestClient::Request.execute(url: "http://example.com")
 2021-11-19 11:28:09 +00:00
Harry Maclean
38ff584307 Model more Faraday behaviour 
You can instantiate a Faraday connection by passing a URL as an keyword
argument:

    conn = Faraday.new(url: "http://example.com")
 2021-11-19 11:28:09 +00:00
Harry Maclean
ac20eafecc Add qhelp for Ruby SSRF 2021-11-19 11:28:08 +00:00
Harry Maclean
2bba31eb02 Update metadata of Ruby SSRF query 2021-11-19 11:28:08 +00:00
Harry Maclean
dc464879a2 Add a query for server-side request forgery 2021-11-19 11:28:08 +00:00
Harry Maclean
b6ce37b241 Add getURL to HTTP::Client::Request 
This member predicate gets dataflow nodes which contribute to the URL of
the request.

Also consolidate the identical tests for each HTTP client.
 2021-11-19 11:28:08 +00:00
Harry Maclean
8fd8c9b04d Fix CallExprCfgNode.getKeywordArgument 
This predicate now produces results.
 2021-11-19 11:28:08 +00:00