hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,644 Commits 1,672 Branches 157 Tags
codeql-cli-2.23.1
Commit Graph

3456 Commits

Author SHA1 Message Date
Erik Krogh Kristensen
c8d29a9cf1 sync files 2022-01-07 18:38:02 +01:00
Erik Krogh Kristensen
1a8b6d7414 recognize ranges without upper bounds 2022-01-07 18:38:01 +01:00
Erik Krogh Kristensen
acaf294bee support a limited number of regexp ranges 2022-01-07 18:36:30 +01:00
Harry Maclean
43ddc54f2b Ruby: Add Module#const_get as a code execution 
Module#const_get takes a single string argument and interprets it as the
name of a constant. It then looks up the constant and returns its value.

    Object.const_get("Math::PI")
    # => 3.141592653589793

By itself, this method is not as dangerous as e.g. eval, but if the
value returned is a class that is then instantiated, this can allow an
attacker to instantiate arbitrary Ruby classes.

As a result, I think it's safe to say that any remote input flowing into
this call is a potential vulnerability. A real-world example of this is
https://github.com/advisories/GHSA-52p9-v744-mwjj.
 2022-01-06 13:03:41 +13:00
Tom Hvitved
ac9cac78bc Ruby: Fix typo 2022-01-06 12:27:03 +13:00
Tom Hvitved
c3fd272f9b Ruby: Simplify getValueText logic for StringlikeLiterals 2022-01-06 12:27:03 +13:00
Tom Hvitved
799ec23b0d Ruby: Generalize ExprChildMapping logic to AstNodes 2022-01-06 12:27:03 +13:00
Tom Hvitved
322f8356dd Ruby: Include StringComponents in the CFG 2022-01-06 12:27:03 +13:00
Harry Maclean
32c93e70e2 Include simple interpolations in getValueText 
When calculating `StringlikeLiteral.getValueText`, include results from
interpolations where we can determine their string value. For example:

    b = "b" # local variable
    D = "d" # constant

    "a#{b}c"     # getValueText() = "abc"
    "a#{b}c{D}"  # getValueText() = "abcd"
    /#a#{b}c{D}/ # getValueText() = "abcd"
 2022-01-06 12:27:03 +13:00
Harry Maclean
b4b91e84a3 Ruby: Fix ConstantAccessCfgNode.getValueText 
The superclass definition uses SSA, which doesn't track constants.
 2022-01-06 12:25:19 +13:00
Alex Ford
f935df9865 Merge pull request #7313 from github/ruby/rails-cookie-config 
Ruby: Add `rb/weak-cookie-configuration` query
 2022-01-05 15:20:40 +00:00
Alex Ford
da8c745bd8 Ruby: Restrict Rails Setting nodes to SetterMethodCalls 2022-01-05 14:11:07 +00:00
Anders Schack-Mulligen
ef714f7328 Dataflow: Sync 2022-01-05 14:25:35 +01:00
Alex Ford
36ea360b25 Ruby: behaviour -> behavior 2022-01-04 15:43:38 +00:00
github-actions[bot]
1dfcf427aa Release preparation for version 2.7.5 2022-01-04 14:44:56 +00:00
Erik Krogh Kristensen
b9964799f3 Merge pull request #7458 from erik-krogh/modelling 
QL: add "modelling/modeling" to `ql/non-us-spelling`
 2022-01-04 13:33:54 +01:00
Alex Ford
dadaf25262 Merge branch 'main' into ruby/rails-cookie-config 2022-01-04 12:04:44 +00:00
Tom Hvitved
1f8a291d6f Merge pull request #7198 from hvitved/ruby/dataflow/arrays 
Ruby: Flow through arrays/enumerables
 2022-01-04 10:37:08 +01:00
Dave Bartolomeo
5f5af4a29e Move change notes to correct location 
A few change notes slipped through the cracks of my previous change. These are now in the proper locations: `old-change-notes` for older notes, and `<lang>\ql\[src|lib]\change-notes` for current change notes.
 2022-01-03 18:21:16 -05:00
Dave Bartolomeo
ded3c52a34 Merge pull request #7407 from github/post-release-prep/codeql-cli-2.7.4 
Post-release preparation for codeql-cli-2.7.4
 2022-01-03 17:09:58 -05:00
github-actions[bot]
1334d207fa Post-release version bumps 2022-01-03 20:11:15 +00:00
Alex Ford
7d3932dc8d Merge remote-tracking branch 'origin/main' into ruby/rails-cookie-config 2021-12-22 17:54:03 +00:00
Alex Ford
d977e8a473 Ruby: remove unnecessary custom transitive version of getReceiver 2021-12-22 17:47:44 +00:00
Alex Ford
9821c4a06c Ruby: behaviour -> behavior 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2021-12-22 17:47:44 +00:00
Alex Ford
2cd02157c9 Ruby: fix import 2021-12-22 17:47:44 +00:00
Alex Ford
8976469d9b Ruby: Model some Rails cookie configuration settings 2021-12-22 17:47:44 +00:00
Alex Ford
5ce6e63590 Ruby: Tidy Rails.qll to make adding new settings modeling easier 2021-12-22 17:47:44 +00:00
Alex Ford
8a3d1fe174 Ruby: add CookieSecurityConfigurationSetting concept 2021-12-22 17:47:43 +00:00
Alex Ford
0cbf136e21 Merge pull request #7273 from github/ruby/crypto-algorithms 
Ruby: add CryptoAlgorithms library
 2021-12-22 17:42:59 +00:00
Alex Ford
3da98ecb73 Bump a date 2021-12-22 16:38:16 +00:00
Alex Ford
a2104de8a0 Move CryptoAlgorithms::AlgorithmsName into a separate internal/CryptoAlgorithmNames.qll 2021-12-22 16:38:15 +00:00
Alex Ford
f16d77615d Remove unused isStrongBlockMode predicate from CryptoAlgorithms.qll 2021-12-22 16:38:15 +00:00
Alex Ford
df0da980ea Update ruby/ql/lib/codeql/ruby/security/OpenSSL.qll 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2021-12-22 16:38:15 +00:00
Alex Ford
27a40fb5cf Ruby: OpenSSL QLDoc fixes 2021-12-22 16:38:15 +00:00
Alex Ford
e6bc45ee3b Ruby: Base OpenSSL supported algorithms on OpenSSL 1.1.1 and LibreSSL 3.4.1 2021-12-22 16:38:15 +00:00
Alex Ford
d3af687767 Add more encryption algorithms and modes to CryptoAlgorithms::AlgorithmNames 
Strong encryption algorithms: ARIA, IDEA, SEED, SM4
Strong block modes: CBC, CFB, CTR, OFB
 2021-12-22 16:38:15 +00:00
Alex Ford
bdb2d8ba16 Ruby: split OpenSSL parts from CryptoALgorithms.qll and sync with JS/Python version 2021-12-22 16:38:15 +00:00
Alex Ford
1156581b52 Ruby: add CryptoAlgorithms library 2021-12-22 16:38:15 +00:00
Jeff Gran
accfd482d4 autoformat file 2021-12-22 08:44:35 -07:00
Jeff Gran
7c032f6cb4 fix docs, fix deprecations 2021-12-22 08:35:55 -07:00
Jeff Gran
f35e866799 Capitalize "Gets" 
Co-authored-by: Arthur Baars <aibaars@github.com>
 2021-12-22 08:35:55 -07:00
Jeff Gran
0c698996aa use resolveConstanteWriteAccess instead, add a few more test cases 2021-12-22 08:35:55 -07:00
Jeff Gran
3df7793803 add more test cases, fix bug by adding getFullName() predicate 2021-12-22 08:35:55 -07:00
Tom Hvitved
118d0d9ff5 Ruby: Use "Receiver" instead of "Self" in flow summaries 
Flow summaries use the "outside view", i.e., the call sites, so "receiver"
is better than "self", as the latter uses the "inside view", i.e. the callees.
 2021-12-22 15:56:20 +01:00
Tom Hvitved
3a30f58f74 Address review comments 2021-12-22 15:56:20 +01:00
Tom Hvitved
400802c5ce Ruby: Add flow summaries for Array/Enumerable methods 2021-12-22 15:56:20 +01:00
Tom Hvitved
8c18aaae74 Ruby: Prepare for data flow through arrays 2021-12-22 15:35:34 +01:00
Tom Hvitved
27f786b41e Merge pull request #7442 from hvitved/ruby/dataflow/keyword-params 
Ruby: Data flow for keyword arguments/parameters
 2021-12-22 15:23:22 +01:00
Tom Hvitved
915c0fdf9b Shared SSA: Sync files 2021-12-22 13:05:58 +01:00
Tom Hvitved
4133eb15d5 Ruby: Reintroduce old Argument[_] restriction to avoid large Cartesian product 2021-12-22 11:37:38 +01:00