hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,161 Commits 1,672 Branches 157 Tags
codeql-cli-2.23.6
Commit Graph

4931 Commits

Author SHA1 Message Date
Tom Hvitved
6ee231fac5 Ruby: Add more tests for flow through constructors 2023-03-13 10:52:01 +01:00
Harry Maclean
3734a544bc Ruby: Add change note 2023-03-13 21:38:45 +13:00
Harry Maclean
e80ff4efba Ruby: Fix tests and qldoc 2023-03-13 20:32:37 +13:00
Harry Maclean
071517c74b Ruby: Clean up Sinatra modeling 2023-03-13 19:25:56 +13:00
Harry Maclean
bfe42a656c Ruby: QL4QL fix 2023-03-13 19:04:46 +13:00
Harry Maclean
384e7c7a80 Jump step for sinatra callbacks 2023-03-13 19:03:32 +13:00
Harry Maclean
e65d7224db Ruby: tests, patterns, fix erb flow 2023-03-13 19:03:32 +13:00
Harry Maclean
eada3b91df Ruby: track flow from sinatra routes to erb files 2023-03-13 19:03:32 +13:00
Harry Maclean
c82b4638c6 Ruby: Import Sinatra modeling by default 2023-03-13 19:03:32 +13:00
Harry Maclean
a1fab31bfc Ruby: Model Sinatra 
Adds some very basic modeling of Sinatra applications.
We recognise the `params` call in Sinatra routes as an HTTP request
input access.
 2023-03-13 19:03:32 +13:00
Harry Maclean
9c3d141c9c Ruby: Add change note 2023-03-13 18:57:55 +13:00
Harry Maclean
fe995dd99b Ruby: ActiveRecord::Connection.execute SQL sink 2023-03-13 09:03:54 +13:00
Harry Maclean
025cd34dab Ruby: Taint flow through ActionController params 
We were not recognising "require" as returning a Parameters instance.
 2023-03-13 08:52:41 +13:00
Harry Maclean
2d95b6a049 Ruby: Add count_by_sql as SQL sink 2023-03-13 08:40:32 +13:00
Harry Maclean
c97dccf0de Ruby: Add reorder as a SQL sink 
In recent versions of Rails this method doesn't seem to be vulnerable,
but it may be in previous versions. There's a slight FP risk here, but
I think it is small.
 2023-03-13 08:38:17 +13:00
Arthur Baars
c67bfff33b Ruby: strip \\?\ from display paths 2023-03-10 22:32:11 +01:00
Arthur Baars
4bfcc31ef0 Ruby: support long paths on Windows 2023-03-10 22:32:11 +01:00
Anders Schack-Mulligen
1e64748ffe Dataflow: Autoformat. 2023-03-10 15:12:19 +01:00
Anders Schack-Mulligen
289f921171 Dataflow: Sync. 2023-03-10 14:56:54 +01:00
Anders Schack-Mulligen
00f0879ff5 Dataflow: Sync. 2023-03-10 14:56:54 +01:00
Tom Hvitved
6eea906bbf Data flow: Synthesize post-update nodes for callback arguments inside summarized callables 2023-03-10 12:43:21 +01:00
Tony Torralba
8aa80882ea Sync files 2023-03-10 12:35:13 +01:00
Anders Schack-Mulligen
83569911ae Merge pull request #12230 from aschackmull/all/autoformat 
Mass autoformat with class and module declarations format fix
 2023-03-10 12:29:34 +01:00
Anders Schack-Mulligen
159d8e978c Dataflow: one more autoformat post rebase 2023-03-10 10:04:35 +01:00
Anders Schack-Mulligen
a5d229903d Ruby: Autoformat 2023-03-10 09:41:20 +01:00
Harry Maclean
9cf2acface Ruby: Make trap option title consistent with C# 2023-03-10 21:11:58 +13:00
Harry Maclean
cf64e0e85f Ruby: trap_compression -> trap.compression 
Change the trap_compression extractor option to be an object `trap` with
a nested option `compression`. This means that on the command line you
would supply the option as follows:

    codeql database create --extractor-option trap.compression=gzip

This is a little less jarring than the previous design, which would use
underscores amonst the hyphens:

    codeql database create --extractor-option trap_compression=gzip
 2023-03-10 19:18:49 +13:00
Nick Rolfe
7649772935 Expose TRAP compression option via the new extractor options feature. 2023-03-10 19:09:51 +13:00
Arthur Baars
348165205c Merge pull request #12442 from aibaars/diagnostics-tests 
Ruby: add some integration tests for diagnostic messages
 2023-03-09 21:58:42 +01:00
Mathias Vorreiter Pedersen
59402eb754 Merge pull request #12462 from MathiasVP/disable-std-order-in-fwd-flow-stage-1 
DataFlow: Disable standard order in `Stage1::fwdFlow`
 2023-03-09 15:30:05 +00:00
Alex Ford
5ef71f9d28 Merge pull request #12306 from alexrford/rb/more-expr-nodes 
Ruby: ensure that all Ast `Expr`s have a dataflow node type more precise than `ExprNode`
 2023-03-09 14:54:34 +00:00
Asger F
6e744093e2 Merge pull request #12398 from github/post-release-prep/codeql-cli-2.12.4 
Post-release preparation for codeql-cli-2.12.4
 2023-03-09 15:38:21 +01:00
Rasmus Wriedt Larsen
38fe9b71b9 Ruby: Use new parameter position for synthetic hash-splat instead 
We wanted to ensure that a callable did not have multiple parameters
with same parameter position. Originally we fixed this with
e0bd210797. This commit reverts that and
solves it by introducing a new parameter position instead.
 2023-03-09 15:05:07 +01:00
Arthur Baars
c98e0fa0b4 Ruby: fix comment 2023-03-09 13:14:57 +01:00
Arthur Baars
8096f86224 Ruby: lower severity of parse error to warning 2023-03-09 13:14:57 +01:00
Mathias Vorreiter Pedersen
1f77f77153 DataFlow: Sync identical files. 2023-03-09 10:41:15 +00:00
dependabot[bot]
060cd9fada Bump serde from 1.0.152 to 1.0.154 in /ruby 
Bumps [serde](https://github.com/serde-rs/serde) from 1.0.152 to 1.0.154.
- [Release notes](https://github.com/serde-rs/serde/releases)
- [Commits](https://github.com/serde-rs/serde/compare/v1.0.152...v1.0.154)

---
updated-dependencies:
- dependency-name: serde
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
 2023-03-09 04:06:43 +00:00
Arthur Baars
ebf0bb889b Ruby: add some integration tests for diagnostic messages 2023-03-08 16:35:43 +01:00
Arthur Baars
2d6f3ed6c2 Address comments 2023-03-08 13:10:03 +01:00
Maiky
5a9a90d00b Move query to experimental 2023-03-08 11:50:04 +01:00
Maiky
d9d63bbdc6 Change ERB to Erb 2023-03-08 10:41:24 +01:00
Maiky
3e1808d92e Apply suggestions from code review 
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
 2023-03-08 10:30:43 +01:00
Maiky
cd49175fae Update ruby/ql/src/queries/security/cwe-094/TemplateInjection.qhelp 
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
 2023-03-08 10:27:57 +01:00
Maiky
cbb031ee14 Update ruby/ql/src/queries/security/cwe-094/TemplateInjection.qhelp 
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
 2023-03-08 10:27:39 +01:00
Arthur Baars
858aa9ae63 Ruby: add some links to diagnostic messages 2023-03-07 17:55:13 +01:00
Arthur Baars
78a802359e Remove references to 'ruby' in generic extractor code 2023-03-07 13:38:48 +01:00
Tom Hvitved
b6a709df50 Ruby: Rewrite Stored XSS query to use new data flow interface 2023-03-07 07:23:27 +01:00
Mathias Vorreiter Pedersen
92ad099c1b DataFlow: Remove bindingsets, remove the call column, and swap parameter and argument columns. 2023-03-06 13:47:59 +00:00
Mathias Vorreiter Pedersen
3bf28cc752 DataFlow: Sync identical files. 2023-03-06 13:46:21 +00:00
Mathias Vorreiter Pedersen
e6b6369a21 Ruby: Add stub. 2023-03-06 13:44:59 +00:00