hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 11:46:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
82,920 Commits 1,672 Branches 157 Tags
codeql-cli-2.23.2
Commit Graph

4906 Commits

Author SHA1 Message Date
Alex Ford
d3c8ce3f48 Ruby: ActiveSupport extends Pathname with an existence method that may return itself 2022-10-11 21:35:58 +01:00
Asger F
ed165c6194 Ruby: bugfix in self-resolution in type-tracking 2022-10-11 18:53:20 +02:00
Asger F
a64286b664 Ruby: add test for singleton class instance field 
incorrect test output
 2022-10-11 18:53:20 +02:00
Alex Ford
3d08a2954d Ruby: add rb/unsafe-deserialization sinks for const_get args 2022-10-11 15:45:51 +01:00
Alex Ford
a3f096a6bc Ruby: rb/unsafe-deserialization test realignment 2022-10-11 15:44:00 +01:00
Nick Rolfe
078c3e9d28 Ruby: create top-level module for ActionMailer 2022-10-11 15:22:42 +01:00
Tom Hvitved
2e8f46ddd9 Type tracking: Split up levelStep into levelStepNoCall and levelStepCall 
To reduce non-linear recursion during call graph construction.
 2022-10-11 13:58:46 +02:00
erik-krogh
0220f0aa5c use type-tracking instead 2022-10-11 13:37:01 +02:00
Asger F
02656b16c3 Merge pull request #10685 from asgerf/rb/splat-and-local-field-step 
Ruby: summarize unary splat operators and add local field step
 2022-10-11 13:28:58 +02:00
erik-krogh
b64a1b7c42 add a missing qldoc 2022-10-11 13:26:04 +02:00
erik-krogh
cadb948d57 add change-note 2022-10-11 13:26:03 +02:00
erik-krogh
d427e55507 add qhelp 2022-10-11 13:26:03 +02:00
erik-krogh
557dd10896 add a rb/unsafe-shell-command-construction query 2022-10-11 13:26:01 +02:00
erik-krogh
0d5da42ddd add a getName() utility to DataFlow::ParameterNode 2022-10-11 13:05:22 +02:00
erik-krogh
75422dfa72 add library for reasoning about gems and .gemspec files 2022-10-11 13:05:19 +02:00
erik-krogh
99b90789e5 add .shellescape as a sanitizer for rb/command-injection 2022-10-11 13:05:19 +02:00
erik-krogh
b16b3c0394 move cwe-078 tests into subfolders 2022-10-11 13:05:19 +02:00
Erik Krogh Kristensen
01bc5f7226 Merge pull request #10731 from erik-krogh/rb-last-msg 
Ruby: fix some more style-guide violations in the alert-messages
 2022-10-11 12:16:52 +02:00
Tom Hvitved
878654e0ff Merge pull request #10763 from hvitved/ruby/move-summarized-callable-from-model 
Ruby: Move `SummarizedCallableFromModel` into `ModelsAsData.qll`
 2022-10-11 11:47:38 +02:00
Tom Hvitved
2b75562037 Ruby: Use DataFlow::Configuration in RegExpConfiguration.qll 2022-10-11 11:39:45 +02:00
erik-krogh
42e1735f2a update expected output 2022-10-11 11:37:26 +02:00
erik-krogh
8779da8c0b reintroduce Psych 2022-10-11 11:14:52 +02:00
Erik Krogh Kristensen
7d282c3d75 fix casing in alert-message 
Co-authored-by: Arthur Baars <aibaars@github.com>
 2022-10-11 11:12:59 +02:00
Tom Hvitved
d6df69d481 Merge pull request #10754 from hvitved/dataflow/non-hidden-succ-fast-tc 
Data flow: Improve `fastTC` bound in `PathNodeImpl::getANonHiddenSuccessor`
 2022-10-11 11:12:58 +02:00
Tom Hvitved
53abdb3fb5 Ruby: Move SummarizedCallableFromModel into ModelsAsData.qll 2022-10-11 11:06:35 +02:00
erik-krogh
9a9d2a6fe1 Merge branch 'main' into rb-last-msg 2022-10-11 10:43:39 +02:00
erik-krogh
9fe18e5d73 changes based on review 2022-10-11 09:30:18 +02:00
erik-krogh
186205bd4b add a test for explicit shell invocations using Kernel.open 2022-10-11 09:23:29 +02:00
erik-krogh
de3b15ebe9 add a query flagging uses of Kernel.open that are not with a constant string 2022-10-11 09:23:29 +02:00
erik-krogh
708f6b51f3 move cwe-078 tests into subfolders 2022-10-11 09:23:29 +02:00
Asger F
b6e07c0cd5 Ruby: block API graph nodes from tracking through self-argument passing 2022-10-11 09:03:52 +02:00
Asger F
125761755a Ruby: do not generate API graph edges from Attribute contents 
Models should use Method[x] edges, not attribute edges
 2022-10-11 09:03:52 +02:00
Asger F
6daa1c432b Ruby: update test output 2022-10-11 09:03:51 +02:00
Asger F
38a3476d37 Ruby: add local field step to type tracking 
fixup local field steps
 2022-10-11 09:03:51 +02:00
Asger F
d55925d8d4 Ruby: support splat type-tracking step 2022-10-11 09:03:51 +02:00
Josh Soref
b5bed9cbf5 spelling: explicitly 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-11 00:23:36 -04:00
Josh Soref
cbea5ec40c spelling: executables 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-11 00:23:36 -04:00
Josh Soref
6db36616cd spelling: arbitrary 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-11 00:23:35 -04:00
Tom Hvitved
6c2eee3eb8 Ruby: Restrict regexp taint flow to String summaries 2022-10-10 20:58:41 +02:00
Tom Hvitved
ffb2b1c15e Data flow: Sync files 2022-10-10 15:39:13 +02:00
Erik Krogh Kristensen
8cc52a4b55 Merge pull request #10704 from erik-krogh/rbMeta 
RB: add some more meta queries for Ruby evaluations
 2022-10-10 14:57:37 +02:00
Tom Hvitved
60fe370f2a Merge pull request #10744 from hvitved/dataflow/has-flow-to-no-fast-tc 
Data flow: Avoid call to `pathSuccPlus` in `Configuration::hasFlowTo(Expr)`
 2022-10-10 14:02:39 +02:00
Tom Hvitved
099251a30a Merge pull request #10741 from hvitved/ruby/no-full-fast-tc 
Ruby: Avoid computing full `fastTC` for `AstNode::getParent`
 2022-10-10 14:01:56 +02:00
erik-krogh
38c17c5d0c Merge branch 'main' into rbMeta 2022-10-10 12:22:56 +02:00
Nick Rolfe
e38cfd5f7d Ruby: add changenote for ActionMailer params 2022-10-10 10:25:19 +01:00
Nick Rolfe
d61f0559a0 Ruby: add ActionMailer#params as a RemoteFlowSource 2022-10-10 10:23:48 +01:00
Alex Ford
d0bdbe65ef Ruby: ActiveJob::Serializers.deserialize changenote 2022-10-09 22:47:52 +01:00
Alex Ford
ee77404006 Ruby: Add ActiveJob::Serializers.deserialize as a code execution sink 2022-10-09 22:28:22 +01:00
Alex Ford
4a39e4aac0 Ruby: Add new test case for rb/code-injection 2022-10-09 22:26:29 +01:00
Alex Ford
c4baf0b8fa Ruby: add space for test case 2022-10-09 22:16:23 +01:00