hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 09:43:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
80,824 Commits 1,672 Branches 157 Tags
ginsbach/EnableJavaOverlayCompilation
Commit Graph

555 Commits

Author SHA1 Message Date
Maiky
d45d046fa7 Add test file and .expected 2023-05-28 17:29:34 +02:00
Harry Maclean
b8c3cba4ff Ruby: Consolidate unsafe deserialization queries 
Merge the experimental YAMLUnsafeDeserialization and
PlistUnsafeDeserialization queries into the generate
UnsafeDeserialization query in the default suite.

These queries look for some specific sinks that we now find in the
general query.

Also apply some small code and comment refactors.
 2023-05-27 01:20:04 +00:00
amammad
b9296d3df8 v2.1 fix file names 2023-05-27 01:14:36 +00:00
amammad
4360a56b45 v2 add plist.parse_xml as a dangerous sink and enhancements on documents 2023-05-27 01:14:36 +00:00
amammad
0521ffe175 v1.4 correct dirs uppercase issue 2023-05-27 01:14:36 +00:00
amammad
0e343e5a12 v1.3 2023-05-27 01:14:36 +00:00
amammad
486a5ac96f v1 2023-05-27 01:14:36 +00:00
Arthur Baars
e0466900ad Merge pull request #12992 from Sim4n6/ruby-UBV 
[Ruby] Add Unicode Bypass Validation query, test and help file
 2023-05-26 13:00:21 +02:00
Maiky
8dca585207 Expected 2023-05-23 20:04:34 +02:00
Maiky
ad5355a04a Pg Library, change note and Frameworks.qll 2023-05-23 19:49:03 +02:00
Sim4n6
90c174de4e Updated the .expected file accordingly 2023-05-23 17:36:50 +01:00
erik-krogh
c7e21ee9ae add really long regex as a test-case 2023-05-23 09:56:06 +02:00
Sim4n6
f7f0564e36 added one more test 2023-05-20 18:00:27 +01:00
Sim4n6
d11cb9195c Use of CGI.escapeHTML() in test samples 2023-05-20 12:57:50 +01:00
Maiky
071a77cedc Ruby : XPath Injection Query (CWE-643) 2023-05-11 15:29:54 +02:00
Sim4n6
1247403d43 Updated expected results file 2023-05-04 08:56:45 +01:00
Alex Ford
82c025020d Merge remote-tracking branch 'origin/main' into maikypedia/ruby-ssti 2023-05-02 16:18:41 +01:00
Alex Ford
a571bc64ac ruby: regenerate TemplateInjection.expected 2023-05-02 16:14:20 +01:00
Sim4n6
019b85beb6 Add Unicode Bypass Validation query, test and help file 2023-05-02 15:36:39 +01:00
Maiky
5d15ec99c8 Change expected file to new 2023-05-02 09:26:41 +02:00
Anders Schack-Mulligen
09d4fe21e8 Ruby: Update more expected output. 2023-04-26 13:37:07 +02:00
Anders Schack-Mulligen
90f84bb516 Ruby: Update expected output. 2023-04-26 13:08:16 +02:00
Peter Stöckli
2f268b309b Ruby: improve non-constant-kernel-open, freeze called on constant 2023-04-18 11:24:01 +02:00
Peter Stöckli
0a6bb3f7ce Ruby: improve non-constant-kernel-open, no FP's on open without arguments 2023-04-18 10:10:36 +02:00
Maiky
820db43945 Add ERB Template Injection Sink 2023-04-13 17:21:31 +02:00
Arthur Baars
cd53c77e23 Merge pull request #12670 from alexrford/mergeback-rc/3.9 
Merge `rc/3.9` back into `main`
 2023-03-28 10:49:08 +02:00
Erik Krogh Kristensen
d3c3f2dc90 Merge pull request #12628 from erik-krogh/betterReDoS 
ReDoS: better super-linear algorithm
 2023-03-27 15:26:49 +02:00
Alex Ford
181e5d588d Merge remote-tracking branch 'origin/rc/3.9' into main 2023-03-27 12:16:03 +01:00
Alex Ford
24aa16c919 Ruby: update rb/sensitive-get-query test output 2023-03-27 09:44:55 +01:00
Tom Hvitved
b816c79248 Ruby: Include all assignments in data flow paths 2023-03-24 10:09:30 +01:00
erik-krogh
b071d3557e JS/PY/RB: add a worst-case test, that now performs OK 2023-03-22 10:13:18 +01:00
Alex Ford
4b1171ce64 Merge branch 'main' into maikypedia/ruby-ssti 2023-03-20 09:55:53 +00:00
Erik Krogh Kristensen
af98ceb3c3 Merge pull request #11478 from erik-krogh/more-shell-taint 
Rb: more taint-steps for shell-command-construction
 2023-03-20 08:41:22 +01:00
Alex Ford
e84b08409c Ruby: test fixes 2023-03-17 12:08:38 +00:00
Alex Ford
60f313863a Merge branch 'main' into maikypedia/ruby-ssti 2023-03-17 11:31:49 +00:00
Tom Hvitved
9d3863eccc Ruby: Rely on built-in hash-flow in clear text storage query 2023-03-16 14:55:06 +01:00
Tom Hvitved
ae10e6e08f Ruby: Add a test that shows FP/FN for clear text logging query 2023-03-16 14:38:45 +01:00
erik-krogh
2133d1a5ab Merge branch 'main' into more-shell-taint 2023-03-15 10:54:30 +01:00
erik-krogh
25a6d496d9 Merge branch 'main' into HEAD 2023-03-13 17:33:06 +01:00
Harry Maclean
fe995dd99b Ruby: ActiveRecord::Connection.execute SQL sink 2023-03-13 09:03:54 +13:00
Harry Maclean
025cd34dab Ruby: Taint flow through ActionController params 
We were not recognising "require" as returning a Parameters instance.
 2023-03-13 08:52:41 +13:00
Harry Maclean
2d95b6a049 Ruby: Add count_by_sql as SQL sink 2023-03-13 08:40:32 +13:00
Harry Maclean
c97dccf0de Ruby: Add reorder as a SQL sink 
In recent versions of Rails this method doesn't seem to be vulnerable,
but it may be in previous versions. There's a slight FP risk here, but
I think it is small.
 2023-03-13 08:38:17 +13:00
Arthur Baars
858aa9ae63 Ruby: add some links to diagnostic messages 2023-03-07 17:55:13 +01:00
Arthur Baars
d2ab40c184 Merge pull request #12208 from gregxsunday/main 
Add ZipSlip and TarSlip query to ruby
 2023-03-06 10:40:06 +01:00
Arthur Baars
9e5ef9cf9d Merge pull request #12216 from aibaars/diagnostics-2 
Ruby: improve diagnostic messages
 2023-03-02 10:30:58 +01:00
Arthur Baars
2c611d3fef Address review comments 2023-03-01 13:30:02 +01:00
erik-krogh
31336b09c4 add summary for the Array method on Kernel 2023-03-01 12:53:13 +01:00
erik-krogh
36b33765a5 use allowImplicitRead instead of a taint-step from elements to the array 2023-02-28 16:09:52 +01:00
Arthur Baars
6c57823232 Merge branch 'main' into diagnostics-2 2023-02-27 19:00:03 +01:00