Harry Maclean
1526fff085
Ruby: Add missing doc comments
2023-09-14 13:46:37 +01:00
Harry Maclean
20f1a74202
Ruby: Restrict GraphQL remote flow sources
...
Previously we considered any splat parameter in a graphql resolver to be
a remote flow source. Now we limit that to reads of the parameter which
yield scalar types (e.g. String), as defined by the GraphQL schema.
This should reduce GraphQL false positives.
2023-09-14 12:14:56 +01:00
Harry Maclean
4168245fc0
Ruby: Fix doc comments
2023-09-14 10:02:27 +01:00
Harry Maclean
29a8a82e92
Ruby: add more docs for splat flow
2023-09-14 09:26:42 +01:00
Tom Hvitved
97ed5b8afb
Ruby: Improvments to splat flow
...
- Only step through a `SynthSplatParameterElementNode` when there is a splat parameter
at index > 0.
- Model read+stores via `SynthSplatArgumentElementNode` as a single read-store
step in type tracking.
2023-09-14 09:26:42 +01:00
Tom Hvitved
e11a4b63e9
Ruby: Remove SynthSplatArgParameterNode
2023-09-14 09:26:38 +01:00
Harry Maclean
5a6a52b767
Ruby: Use fewer SynthSplatArgumentElementNodes
...
In cases such as
def f(x, *y); end
f(*[1, 2])
we don't need any `SynthSplatArgumentElementNodes`. We get flow from the
splat argument to a `SynthSplatParameterNode` via `parameterMatch`, then
from element 0 of the synth splat to the positional param `x` via a
read step.
We add a read step from element 1 to `SynthSplatParameterElementNode(1)`.
From there we get flow to element 0 of `*y` via an existing store step.
2023-09-14 09:26:38 +01:00
Harry Maclean
4c1beea465
Ruby: Address review comments
2023-09-14 09:26:33 +01:00
Harry Maclean
3c8683428b
Ruby: Model more splat flow (alternative approach)
2023-09-14 08:55:59 +01:00
Harry Maclean
9ccd8cd248
Ruby: Update documentation
2023-09-14 08:54:49 +01:00
Harry Maclean
7ebd51163e
Ruby: Handle more splat arg flow
...
Allow flow from a splat argument to a positional parameter in cases
where there are positional arguments left of the splat. For example:
def foo(x, y, z); end
foo(1, *[2, 3])
2023-09-14 08:54:48 +01:00
Tom Hvitved
e258324960
Ruby: Allow for implicit array reads at all sinks during taint tracking
2023-09-14 09:40:05 +02:00
Anders Schack-Mulligen
f5a4b792bd
C++/Go/Python/Ruby/Swift: Add dummy localMustFlowStep.
2023-09-13 15:43:46 +02:00
Alex Ford
79c305c1a1
Merge pull request #14124 from alexrford/rb/dataflow-query-refactor
...
Ruby: Use the new dataflow API for checked in queries
2023-09-13 14:24:47 +01:00
Tom Hvitved
f15cbb9316
Ruby: Simplify viableSourceCallableNonInit
2023-09-13 14:25:28 +02:00
Tom Hvitved
f3a78efe03
Ruby: Fix semantic merge conflict
2023-09-13 14:04:20 +02:00
Alex Ford
b5ec99cb2f
Ruby: fix missing qldoc
2023-09-13 12:28:19 +01:00
Tom Hvitved
7400b4741e
Merge pull request #14108 from hvitved/dataflow/more-consistency-checks
...
Data flow: Add `ArgumentNode` consistency checks
2023-09-13 11:30:51 +02:00
Tom Hvitved
88d2e2590f
Ruby: Rename LambdaSelfParameterNode to LambdaSelfReferenceNode
2023-09-13 08:52:22 +02:00
Tom Hvitved
b470c36c82
Ruby: Implement multipleArgumentCallExclude
2023-09-12 20:05:11 +02:00
github-actions[bot]
d699880c86
Post-release preparation for codeql-cli-2.14.4
2023-09-08 21:17:52 +00:00
Alex Ford
5b013dd5d2
Merge branch 'main' into rb/dataflow-query-refactor
2023-09-07 14:57:38 +01:00
Alex Ford
947fa0de62
Ruby: fix qldoc warnings
2023-09-07 14:57:04 +01:00
Alex Ford
4a01de13ef
Ruby: avoid toString in query warning
2023-09-07 14:54:50 +01:00
Alex Ford
0aee7f6ac6
Ruby: qlformat
2023-09-07 14:47:02 +01:00
Alex Ford
a893911dba
Ruby: Use a newtype instead of DataFlow::FlowState for insecure-download
2023-09-07 14:22:18 +01:00
Alex Ford
75fdde543f
Ruby: Use a newtype instead of DataFlow::FlowState for hardcoded-data
2023-09-07 14:13:26 +01:00
Alex Ford
0d7d5a35c9
Ruby: Use a newtype instead of DataFlow::FlowState for code-injection
2023-09-07 13:39:10 +01:00
Alex Ford
dfc3b33910
Ruby: Use a newtype instead of DataFlow::FlowState for unicode-bypass-validation
2023-09-07 12:09:47 +01:00
Tom Hvitved
a06a9ffa29
Address review comments
2023-09-06 11:01:54 +02:00
Tom Hvitved
6de315d086
Add change note
2023-09-06 11:01:54 +02:00
Tom Hvitved
48e2dcfa35
Ruby: Reimplement flow through captured variables using field flow
2023-09-06 11:00:55 +02:00
github-actions[bot]
abf2b12b1c
Release preparation for version 2.14.4
2023-09-05 16:56:14 +00:00
Tom Hvitved
4a1163b38c
Merge pull request #14109 from hvitved/ruby/hide-desugared-assignments-in-dataflow
2023-09-04 19:59:33 +02:00
Alex Ford
98851736d6
Revert "Ruby: configsig rb/tainted-format-string"
...
This reverts commit f5860cb4818dc3c07eeb6731e75bf5df203dd48f.
2023-09-03 17:20:06 +01:00
Alex Ford
bf6837cca0
Revert "Ruby: configsig rb/http-to-file-access"
...
This reverts commit e77ba1589663905c952cdb643ab66885760b27bd.
2023-09-03 17:20:06 +01:00
Alex Ford
b6d12f8b1c
Ruby: configsig rb/zip-slip
2023-09-03 17:20:05 +01:00
Alex Ford
ebf2a2e1f5
Ruby: configsig rb/unicode-bypass-validation
2023-09-03 17:20:05 +01:00
Alex Ford
7445fc43f9
Ruby: configsig rb/regexp-injection
2023-09-03 17:20:05 +01:00
Alex Ford
494b7b3fdf
Ruby: configsig rb/polynomial-redos
2023-09-03 17:20:05 +01:00
Alex Ford
04d3d04317
Ruby: configsig rb/regex/badly-anchored-regexp
2023-09-03 17:20:05 +01:00
Alex Ford
77f3a70376
Ruby: renames for rb/xpath-injection
2023-09-03 17:20:05 +01:00
Alex Ford
42cd58695d
Ruby: configsig rb/url-redirection
2023-09-03 17:20:05 +01:00
Alex Ford
f79796a644
Ruby: configsig rb/shell-command-constructed-from-input
2023-09-03 17:20:05 +01:00
Alex Ford
f03f670312
Ruby: configsig rb/html-constructed-from-input
2023-09-03 17:20:05 +01:00
Alex Ford
8ad6c72ba2
Ruby: configsig rb/unsafe-deserialization
2023-09-03 17:20:05 +01:00
Alex Ford
461bc0d359
Ruby: configsig rb/unsafe-code-construction
2023-09-03 17:20:05 +01:00
Alex Ford
3e23a6e021
Ruby: configsig rb/server-side-template-injection
2023-09-03 17:20:05 +01:00
Alex Ford
0a73ebdbee
Ruby: configsig rb/tainted-format-string
2023-09-03 17:20:05 +01:00
Alex Ford
f5e433940f
Ruby: renames for rb/stored-xss
2023-09-03 17:20:05 +01:00
