Commit Graph

1088 Commits

Author SHA1 Message Date
Harry Maclean
6011d26823 Ruby: Restrict parameter nodes 2023-08-11 15:14:32 +01:00
Tom Hvitved
e39fb093e9 Merge pull request #13945 from hvitved/ruby/destruct-param-test
Ruby: Add test for documenting missing flow through destructured parameters
2023-08-11 15:11:39 +02:00
Tom Hvitved
b28f60ccd2 Ruby: Add test for documenting missing flow through destructured parameters 2023-08-10 20:22:11 +02:00
Tom Hvitved
f19232f800 Ruby: Fix another bug in isCapturedAccess 2023-08-10 14:02:58 +02:00
Tom Hvitved
77fca277fe Ruby: Improve desugaring of for loops 2023-08-10 13:22:01 +02:00
Tom Hvitved
4e954c29a2 Merge pull request #13936 from hvitved/ruby/captured-access-fix
Ruby: Fix bug in `isCapturedAccess`
2023-08-10 13:15:48 +02:00
Harry Maclean
5fff9fa8da More precise flow into splat parameters
We now precisely track flow from positional arguments to splat
parameters, provided that splat arguments are not used and there are no
positional parameters after the splat parameter. For example, in this
case:

    def f(x, y, *z); end

    f(a, b, c, d)

we get flow from `c` to `z[0]` and `d` to `z[1]`.

We get false flow if there are positional parameters after the splat
parameter. For example in this case:

    def g(x, y, *z, w); end

    g(a, b, c, d)

we get flow from `d` to `z[0]` instead of `w`.

We also track flow in this case

    def f(a, *b)
      sink b[0]
    end

    f(1, *[taint, 2])
2023-08-10 12:02:47 +01:00
Tom Hvitved
e40f0a7350 Ruby: Fix bug in isCapturedAccess 2023-08-10 09:37:04 +02:00
Tom Hvitved
e7acf8c3a8 Ruby: Add test 2023-08-10 08:53:00 +02:00
Harry Maclean
142393b599 Ruby: Handle unknown content in splat flow 2023-08-09 15:01:40 +01:00
Harry Maclean
4239268efd Ruby: Prevent some false flow into splat params
In cases where there are positional parameters after a splat parameter,
don't attempt to match the splat parameter to a splat argument. We need
more sophisticated modelling to handle these cases, which is future
work.
2023-08-09 15:01:40 +01:00
Harry Maclean
c0baa5116f Ruby: add test for example splat arg/param matches 2023-08-09 15:01:40 +01:00
Harry Maclean
72356d1515 Ruby: track flow from *args to positional params
This models flow in the following case:

    def foo(x, y)
      sink x # 1
      sink y # 2
    end

    args = [source 1, source 2]
    foo(*args)

We do this by introducing a SynthSplatParameterNode which accepts
content from the splat argument, if one is given at the callsite.
From this node we add read steps to each positional parameter.
2023-08-09 15:01:40 +01:00
Asger F
c38cbe859d Merge pull request #13737 from asgerf/dynamic/fuzzy-models
Dynamic: add Fuzzy token
2023-08-03 09:58:24 +02:00
Alex Ford
f437a6f729 Merge branch 'main' into maikypedia/ldap-injection 2023-07-31 16:00:41 +01:00
Alex Ford
558238a9be Ruby: update TaintStep test output 2023-07-31 16:00:27 +01:00
Alex Ford
27ee72c265 Merge remote-tracking branch 'origin/main' into rb/rack-env-query-string 2023-07-17 14:11:25 +01:00
Alex Ford
ab1f341aa6 Merge pull request #13566 from alexrford/rb/rack-params
Ruby: add `Rack::Request` params and cookies as remote input sources
2023-07-17 14:07:20 +01:00
Asger F
f1c82b650f Ruby: Implement Fuzzy for Ruby 2023-07-13 15:42:34 +02:00
Asger F
f232669ea5 Ruby: support Proc.new alongside 'proc' and 'lambda' 2023-07-13 11:53:16 +02:00
Asger F
194fe85442 Ruby: Use asCallable() to generate epsilon edges 2023-07-13 11:53:16 +02:00
Asger F
452fbe7e8f Ruby: add test showing lack of lambda handling 2023-07-13 11:53:16 +02:00
Asger F
86b5f0adc7 Revert "Merge pull request #13620 from github/revert-13496-rb/tracking-on-demand"
This reverts commit 133de56ac2, reversing
changes made to 28a8e48351.
2023-07-07 09:42:34 +02:00
Alex Ford
08784d24b4 Ruby: rack - add tests for env['QUERY_STRING'] 2023-07-05 15:49:00 +01:00
Alex Ford
082f26bcb1 Ruby: update TaintStep.ql output 2023-07-05 12:19:55 +01:00
Alex Ford
bf25b07c17 Ruby: rack - request input tests 2023-07-05 12:18:52 +01:00
Alex Ford
5fafd9ecc1 Merge branch 'main' into rb/rack-extend-app-and-resp 2023-07-04 11:43:30 +01:00
Michael Nebel
0665f4f004 Ruby: Update TaintStep expected test output. 2023-07-03 14:36:06 +02:00
Alex Ford
9d36ab9204 Merge pull request #13606 from alexrford/rb/sqlite3-getSql
Ruby: fix sqlite3 `PreparedStatementExecution.getSql()` predicate
2023-06-30 12:18:46 +01:00
Asger F
5d1a437e9c Revert "Ruby: overhaul API graphs" 2023-06-29 15:39:19 +02:00
Alex Ford
ede6b262cd Ruby: fix sqlite3 PreparedStatementExecution.getSql() predicate 2023-06-28 17:09:43 +01:00
Asger F
7af3d226c9 Ruby: simplify Twirp model 2023-06-28 13:20:59 +02:00
Asger F
129e6349f7 Ruby: expand Twirp test 2023-06-28 13:20:59 +02:00
Asger F
67032b5d73 Ruby: add test for self.class call 2023-06-28 13:20:58 +02:00
Alex Ford
8fdc48753c Ruby: rack - replace RackApplication with just the rack RequestHandler 2023-06-26 15:36:37 +01:00
Alex Ford
b67b80ca2a Ruby: rack - rename App as RackApplication 2023-06-23 16:12:23 +01:00
Alex Ford
29844e61e4 Ruby: rack - test for response tracking 2023-06-23 13:16:04 +01:00
Asger F
0039cb141e Merge branch 'main' into rb/tracking-on-demand 2023-06-23 12:55:54 +02:00
Alex Ford
b8f537a437 Ruby: update rack tests 2023-06-22 13:45:44 +01:00
Alex Ford
e8079727ee Ruby: rack - extend rack tests 2023-06-22 13:45:44 +01:00
Alex Ford
24e83165ee Merge pull request #13289 from alexrford/rb/rack-redirect
Ruby: rack - model redirect responses
2023-06-22 13:45:02 +01:00
Alex Ford
7aec22c1e4 Ruby: rack - remove MIME modelling 2023-06-20 14:57:23 +01:00
Jeroen Ketema
c53e529bac Ruby: Update remaining inline expectation tests to use the parameterized module 2023-06-20 10:16:01 +02:00
Asger F
8539db07c4 Ruby: Update ActiveDispatch due to change in toString 2023-06-19 12:16:07 +02:00
Asger F
e3a04499f6 Ruby: minor overhaul of ActiveResource model 2023-06-19 12:15:57 +02:00
Asger F
8bc4193ce0 Ruby: minor overhaul of ActiveRecord model
Old version had scalability issues when taking more interprocedural flow and inheritance into account.
2023-06-19 12:15:44 +02:00
Asger F
0110610c6a Ruby: overhaul API graphs 2023-06-19 12:01:42 +02:00
Jeroen Ketema
d82c3ce11a Ruby: Rewrite InlineFlowTest as a parameterized module 2023-06-15 10:52:23 +02:00
Anders Schack-Mulligen
1a4fca334f Merge pull request #13273 from aschackmull/dataflow/summarynode-refactor
Dataflow: Refactor FlowSummaryImpl to synthesize nodes independently from DataFlow::Node.
2023-06-14 09:38:36 +02:00
Alex Ford
75ccbe58ee Ruby: rack - use Mimetype rather than MimeType in predicate names for consistency with concepts 2023-06-13 12:44:29 +01:00