hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
84,531 Commits 1,671 Branches 157 Tags
codeql-cli-2.23.7
Commit Graph

1654 Commits

Author SHA1 Message Date
Joe Farebrother
89838981b7 Add test cases 2024-03-22 14:04:52 +00:00
Tom Hvitved
90779f4413 Ruby: Extend barrier guards to handle phi inputs 2024-03-20 10:02:20 +01:00
Tom Hvitved
0f0acc0428 Ruby: Add barrier guard flow tests 2024-03-20 09:25:20 +01:00
Harry Maclean
219cd4e415 Merge pull request #14426 from hmac/hmac-ar-scopes 
Ruby: Track flow into ActiveRecord scopes
 2024-03-19 14:19:14 +00:00
Harry Maclean
7e479e3c8e Ruby: Fix Hash#keys flow summary 2024-03-19 13:47:45 +00:00
Harry Maclean
32b80f8cb1 Ruby: Add tests for hash flow 2024-03-19 08:38:14 +00:00
Tom Hvitved
fc55567d90 Merge pull request #15853 from hvitved/dataflow/get-location 
Data flow: Replace `hasLocationInfo` with `getLocation`
 2024-03-18 20:21:46 +01:00
Tom Hvitved
8899d66132 Merge pull request #15734 from hvitved/dataflow/hidden-subpath 
Data flow: Account for hidden `subpath` wrappers
 2024-03-18 20:17:16 +01:00
Harry Maclean
80ae017aa1 Ruby: Track flow into ActiveRecord scopes 2024-03-18 15:01:37 +00:00
Joe Farebrother
4177c38ed4 Merge pull request #15907 from joefarebrother/ruby-uploaded-file 
Ruby: Model ActiveDispatch::Http::UploadedFile
 2024-03-18 14:02:33 +00:00
Tom Hvitved
e53357d376 Update expected test output 2024-03-18 14:49:32 +01:00
Tom Hvitved
a13391bda1 Merge pull request #15802 from hvitved/dataflow/variable-capture-overlapping-paths 
Variable capture: Avoid overlapping and false-positive data flow paths
 2024-03-18 10:45:55 +01:00
Tom Hvitved
e7b00a7b42 Ruby: Add post-update argument nodes for string constants 2024-03-15 10:47:39 +01:00
Joe Farebrother
f464f1b94e Accept test output + fix qldoc typo 2024-03-14 22:25:37 +00:00
Joe Farebrother
b4ed77343b Add change note + fix qldoc 2024-03-14 22:25:36 +00:00
Joe Farebrother
3e61be1b6a Add test cases 2024-03-14 22:25:36 +00:00
Harry Maclean
dd5eb982ec Merge pull request #15524 from hmac/hmac-process-spawn 
Ruby: Add some more command injection sinks
 2024-03-13 09:53:10 +00:00
Tom Hvitved
4291290277 Ruby: Implement new data flow interface 2024-03-11 20:56:38 +01:00
Joe Farebrother
dbd33d1cf0 Model Argument[1] of ActiveRecord from 2024-03-08 14:04:01 +00:00
Tom Hvitved
24e35f6f3d Update expected test output 2024-03-08 10:00:43 +01:00
Tom Hvitved
e793a1e9fe Ruby: Add variable capture spurious flow test 2024-03-08 10:00:42 +01:00
Anders Schack-Mulligen
0dbe8c3d8a Merge pull request #15140 from hvitved/dataflow/pruned-ctx-sensitivity 
Data flow: prune context-sensitivity relations
 2024-03-06 10:04:48 +01:00
Joe Farebrother
dcc6f83d3b Merge pull request #15782 from joefarebrother/ruby-typhoeus 
Ruby: Model `Typhoeus::Request.new`
 2024-03-05 16:55:38 +00:00
Harry Maclean
91cb2a37fd Ruby: Model Process.exec 2024-03-05 10:19:22 +00:00
Tom Hvitved
bd7b2c4cc6 Update expected output 2024-03-05 10:44:13 +01:00
Harry Maclean
179aaa1342 Ruby: model Open4.popen4ext 2024-03-05 09:35:18 +00:00
Peter Stöckli
4adc373dfe Ruby: more test cases for code injection via method 2024-03-01 16:01:07 +01:00
Joe Farebrother
65b30c1dff Add tests and qldoc 2024-03-01 14:46:55 +00:00
Peter Stöckli
a693c6d9b4 Ruby: sinks for code injection via calls to method 2024-03-01 14:42:22 +01:00
Joe Farebrother
0b7b7ea1b8 Add test cases and improve controller model 2024-03-01 09:57:24 +00:00
Tom Hvitved
914a605a87 Ruby: Rework hidden synthetic data-flow nodes 2024-02-27 15:33:58 +01:00
Tom Hvitved
994d990f37 Ruby: Add another data flow test 2024-02-27 15:33:58 +01:00
Joe Farebrother
3ab6f222d0 Merge pull request #15718 from joefarebrother/ruby-arel-sqlliteral 
Ruby: Model Arel::Nodes::SqlLiteral.new
 2024-02-27 12:43:47 +00:00
Tom Hvitved
bbeee8f38d Merge pull request #15717 from hvitved/csharp/view-cfg 
Shared `View CFG` implementation
 2024-02-27 09:13:18 +01:00
Harry Maclean
8212f5de1b Ruby: Update test 2024-02-26 13:10:27 +00:00
amammad
32f5667bb6 revert YAML.qll and yaml sinks to previous PR, make a separate experimental query only for yaml 2024-02-26 12:12:03 +00:00
amammad
c582ea626d update expected test file 2024-02-26 12:10:04 +00:00
amammad
9c5c8c8362 fix test file 2024-02-26 12:05:35 +00:00
amammad
464e2e4291 fix qldoc and test files 2024-02-26 12:04:52 +00:00
amammad
1410574f76 make seperate steps for YAML.parse* and use getAsuccessor*() to reach final to_ruby method call, All parts have Rewritten with API graphs exclusively 2024-02-26 11:59:35 +00:00
Harry Maclean
8bed3fbed4 Ruby: Add basic model for Terrapin library 2024-02-26 11:32:41 +00:00
Harry Maclean
beef9965cc Ruby: Model Open4 library 
Also remove duplicate modeling of Process.spawn.
 2024-02-26 11:26:38 +00:00
Joe Farebrother
386defc3c7 Update test output 2024-02-26 11:21:03 +00:00
Harry Maclean
dd092fd18f Ruby: Fix CSRF test 2024-02-26 11:02:54 +00:00
Tom Hvitved
5b6e76c030 Move View CFG implementation from Ruby/Swift into shared library 2024-02-26 11:23:49 +01:00
Joe Farebrother
2257df5c6f Model Arel::Nodes::SqlLiteral.new 2024-02-26 10:09:33 +00:00
Harry Maclean
32b775fdc3 Ruby: reduce duplicate alerts for csrf query 
Only generate an alert on the top-most vulnerable Rails controller in
the controller tree.
 2024-02-23 11:13:17 +00:00
Harry Maclean
f19a5a9837 Ruby: Add tests for Gemfile modeling 2024-02-23 11:13:16 +00:00
Harry Maclean
6d6f8ba512 Ruby: Make CSRF query more sensitive 
Generate an alert for every controller class that doesn't have or
inherity a `protect_from_forgery` setting.
 2024-02-23 11:13:15 +00:00
Harry Maclean
49d826f667 Ruby: Add a query for CSRF protection not enabled 
Specifically in Rails apps, we look for root ActionController classes
without a call to `protect_from_forgery`.
 2024-02-23 11:13:14 +00:00