hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
83,868 Commits 1,672 Branches 157 Tags
codeql-cli-2.23.4
Commit Graph

1088 Commits

Author SHA1 Message Date
Harry Maclean
a164e76a5d Ruby: Model actioncontroller filter overrides 
If a filter is registered twice with the same name, the last
registration wins.
 2023-01-30 18:05:22 +13:00
Harry Maclean
fb86ef4aac Ruby: Model ActionController filters 
ActionController filters provide a way to register callbacks that run
before, after or around an action (i.e. HTTP request handler). They run
in the same class context as the action, so can get/set instance
variables and generally interact with the action in arbitrary ways.

In order to track flow between filters and actions, we have to model the
callback chain. This commit does that. A later change will add dataflow
steps to actually track flow through the chain.
 2023-01-30 17:41:36 +13:00
Harry Maclean
07a7a213b3 Merge pull request #11871 from hmac/rack 2023-01-26 08:40:30 +13:00
Harry Maclean
e6e4e29bf8 Ruby: newline 2023-01-23 21:53:52 +00:00
Harry Maclean
c1207e0938 Ruby: Fix rack response tracking 
Use type tracking instead of getReturningNode, which seems to be faster
and works correctly for the cases I've tried.
 2023-01-23 21:43:04 +00:00
Arthur Baars
46063c7d04 Ruby: update expected output 2023-01-13 10:22:41 +01:00
Arthur Baars
c4ec674057 Ruby: support anonymous (hash)splat parameters/arguments 2023-01-13 10:22:41 +01:00
Harry Maclean
0626d693f5 Ruby: Recognise rack applications 
This is a basic first step in modelling rack apps. We recognise classes
that look like rack applications and then treat the argument to `call`
in the same way that we treat `request.env` in ActionController classes.

This finds a TP in CVE-2021-43840.
 2023-01-12 11:28:31 +13:00
Tony Torralba
c9d1cd97fb Ruby: Remove omittable exists variables 2023-01-10 13:39:49 +01:00
Erik Krogh Kristensen
5157d4df7b Merge pull request #11581 from erik-krogh/stdin 
Rb: add stdin as source for unsafe-deserialization
 2023-01-09 13:57:47 +01:00
erik-krogh
1a27441cfb drive-by: delete code-execution sinks from unsafe-deserialization, we risked duplicate alerts 2023-01-06 09:04:36 +01:00
Harry Maclean
4d228bcddf Ruby: Recognise more string-valued variables 
This increases the sensitivity of our barrier guards.
 2023-01-04 11:45:10 +13:00
Harry Maclean
9944252c43 Ruby: Add test for barrier guards 
This demonstrates that we are missing a guard when a case branch
compares against a string-valued variable rather than a string literal.
 2023-01-04 11:45:10 +13:00
Harry Maclean
698a679c78 Ruby: add test 2023-01-04 11:45:10 +13:00
Harry Maclean
0fbb6bf608 Ruby: Make array inclusion barrier more sensitive 2023-01-04 11:45:09 +13:00
Erik Krogh Kristensen
79a2b6d0b0 use any() instead of this = this 
Co-authored-by: Arthur Baars <aibaars@github.com>
 2023-01-02 10:49:54 +01:00
erik-krogh
99dc0a8356 fix binding 2023-01-02 10:30:28 +01:00
Harry Maclean
b70ca77afc Merge pull request #10899 from hmac/flow-summary-docs 
Ruby: Document flow summary syntax
 2022-12-28 10:47:38 +13:00
erik-krogh
db49cfb723 Merge branch 'main' into kernelLoad 2022-12-19 09:46:25 +01:00
Tom Hvitved
e629568eda Merge pull request #11720 from hvitved/ruby/call-sensitive-initialize-bug-fix 
Ruby: Fix bug in call-sensitivity logic for `initialize` calls
 2022-12-16 16:36:31 +01:00
Tom Hvitved
bfc257147c Ruby: Fix bug in call-sensitivity logic for initialize calls 2022-12-16 11:17:15 +01:00
Tom Hvitved
accf4ca364 Ruby: Recognize custom self.new methods that return self.allocate 2022-12-16 09:23:36 +01:00
Tom Hvitved
b64083d08e Ruby: Add more call graph tests 2022-12-16 09:21:00 +01:00
Tom Hvitved
d7e44a5426 Merge pull request #10714 from hvitved/ruby/initialize 
Ruby: Model flow through `initialize` constructors
 2022-12-15 13:42:59 +01:00
Alex Ford
1b49bfe605 Merge pull request #11497 from alexrford/ruby/rails_globalid 
Ruby: model `rails/globalid` component
 2022-12-15 10:35:15 +00:00
Alex Ford
2af5925f38 Ruby: improve coverage of GlobalID::Identification modelling 2022-12-14 15:21:19 +00:00
Tom Hvitved
5d9c64ba6f Ruby: Model flow through initialize constructors 2022-12-14 12:57:39 +01:00
Tom Hvitved
9a7628c988 Ruby: Add data flow tests for constructors 2022-12-14 12:57:39 +01:00
Erik Krogh Kristensen
4ff823c36b Merge pull request #11366 from p-/p--ruby-kernel-open-addition 
Ruby: Add additional sinks to the `rb/kernel-open` query
 2022-12-12 15:56:01 +01:00
Harry Maclean
6c8896d83f Merge pull request #11337 from hmac/actionmailbox 
Ruby: Model ActionMailbox
 2022-12-12 10:29:23 +13:00
Peter Stöckli
d2c8e70be1 Adjust expected file for TaintStep (due to changes to File.join) 2022-12-09 09:57:19 +01:00
erik-krogh
1a6e16f292 Merge branch 'main' into kernelLoad 2022-12-08 15:41:48 +01:00
Tom Hvitved
35938067fe Merge pull request #11517 from aibaars/phi-reads-in-data-flow-graph 
Ruby: Include SSA "phi reads" in DataFlow::Node
 2022-12-07 18:58:44 +01:00
Arthur Baars
898a4006b0 Merge pull request #10747 from aibaars/ruby-more-flow 
Ruby: also treat included/prepended modules as subclasses
 2022-12-07 15:49:00 +01:00
Arthur Baars
d862972d5e Ruby: Add use-use stress test 2022-12-07 15:28:51 +01:00
Arthur Baars
f11f2cb1a0 Ruby: Update tests 2022-12-07 15:28:50 +01:00
erik-krogh
8ab31bbe1c have getMethodName return the method being called for super-calls 2022-12-07 14:09:36 +01:00
Tom Hvitved
b171dc9b7b Merge pull request #11477 from hvitved/ruby/call-ctx-rewrite 
Ruby: Rework call-context sensitivity logic
 2022-12-06 07:39:29 +01:00
Arthur Baars
889eea92c2 Merge branch 'main' into ruby-more-flow 2022-12-05 11:13:46 +01:00
Arthur Baars
83423854d2 Merge pull request #11339 from aibaars/active_support_enumerable 
Ruby: Active support enumerable
 2022-12-05 11:02:19 +01:00
Asger F
2d578c1a73 Merge branch 'main' into merge-package-type-columns 2022-12-02 10:00:44 +01:00
Harry Maclean
91421528df Ruby: Update test 2022-12-01 09:01:03 +13:00
Alex Ford
e321657f59 Ruby: model rails/globalid 2022-11-30 12:50:26 +00:00
Arthur Baars
0f2cb440b0 Ruby: add flow summary for Enumerable#sole 2022-11-30 11:57:35 +01:00
Arthur Baars
5517cfa6c0 Ruby: add flow summary for Enumerable#pluck 2022-11-30 11:57:35 +01:00
Arthur Baars
207ba86d51 Ruby: add flow summary for Enumerable#pick 2022-11-30 11:57:29 +01:00
Tom Hvitved
bfbe5bdfb8 Ruby: Add data flow test that illustrates spurious flow 2022-11-30 11:01:32 +01:00
Harry Maclean
dab7970087 Ruby: Model JSON.pretty_generate 2022-11-30 13:18:45 +13:00
Harry Maclean
67257671ea Ruby: Remove redundant dataflow test 2022-11-30 13:18:44 +13:00
Harry Maclean
1bd2dd0a6e Ruby: update test fixture 2022-11-30 13:17:46 +13:00