hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
78,333 Commits 1,672 Branches 157 Tags
ginsbach/NewOverlayLocalJava
Commit Graph

3367 Commits

Author SHA1 Message Date
Nick Rolfe
0dadf0bbb4 Ruby: add flow summary for Enumerable#index_by 2022-11-14 10:01:24 +00:00
Arthur Baars
dd519cc9bf Ruby: also treat included/prepended modules as subclasses 2022-11-14 10:56:56 +01:00
Rasmus Wriedt Larsen
ddbcdcb4ba Merge pull request #11160 from RasmusWL/dataflow-consistency-read-store 
DataFlow: Add read/store stepIsLocal consistency checks
 2022-11-11 14:51:45 +01:00
Nick Rolfe
be60a871a3 Ruby: tweak comment 2022-11-11 12:01:23 +00:00
Nick Rolfe
e3ebf1c668 Merge pull request #11187 from github/nickrolfe/actioncable 
Ruby: add ActionCable channel RPC params as remote flow sources
 2022-11-11 11:32:13 +00:00
Harry Maclean
b16cecc8db Ruby: Add missing doc 2022-11-11 18:41:42 +13:00
Harry Maclean
62ea1f0a05 Ruby: Fix performance of string comparison guard 
The `or` case ran extremely slowly before this change. Also exclude
string interpolations from consideration, for correctness, and add some
more tests.
 2022-11-11 18:24:20 +13:00
Harry Maclean
e25e192ef3 Ruby: Change the CFG for while clauses 
The `when` node now acts as a join point for patterns in the when
clause, with match/no-match completions. This is similar to how `or`
expressions work.

The result of this is that the `when` clause "controls" the body of the
`when`, which allows us to model barrier guards for multi-pattern when
clauses.

For this code

case x
when 1, 2
  y
end

The old CFG was

x --> when --> 1 --no-match--> 2 ---no-match---> case
                \               \                  ^
                  \               \                |
                   \                --match----+   |
                     \                         |   |
                       \                       |   |
                         ------match---------> y --+

The new CFG is

x --> 1 --no-match--> 2 --no-match--> [no-match] when --no-match--> case
       \               \                                             ^
         \               \                                           |
           \               --match--> [match] when --match--> y -----+
             \                       /
               \                   /
                 -------match-----

i.e. all patterns flow to the `when` node, which is split based on
whether the pattern matched or not. The body of the when clause then has
a single predecessor `[match] when`, which acts as condition block that
controls `y`.
 2022-11-11 11:52:27 +13:00
Erik Krogh Kristensen
90382c4d1c Merge pull request #11178 from erik-krogh/passcode 
JS/RB/PY: Recognize `passcode` as sensitive
 2022-11-10 17:58:34 +01:00
Tom Hvitved
bda4b52395 Merge pull request #11206 from hvitved/ruby/self-toplevel-def 
Ruby: Fix SSA entry definitions for `self` in top-level
 2022-11-10 17:01:59 +01:00
Nick Rolfe
20f76e50c3 Ruby: actually call the isPublic() predicate I added 2022-11-10 15:53:04 +00:00
Nick Rolfe
b91b3148a4 Ruby: add missing qldoc comments for SQL injection query 2022-11-10 15:26:42 +00:00
Nick Rolfe
511fb97273 Ruby: remove redundant import 2022-11-10 14:30:06 +00:00
Nick Rolfe
0337ccb93a Ruby: add change notes for Arel.sql / SqlConstruction changes 2022-11-10 14:11:14 +00:00
Nick Rolfe
5a15558355 Ruby: treat an Arel.sql call as a SqlConstruction 2022-11-10 14:11:14 +00:00
Tom Hvitved
e18442069b Ruby: Fix SSA entry definitions for self in top-level 2022-11-10 15:08:17 +01:00
Erik Krogh Kristensen
5d2ab8adfb Merge pull request #11191 from erik-krogh/arrJoin 
RB: add join(" ") calls as a sink for rb/shell-command-constructed-from-input
 2022-11-10 14:20:42 +01:00
Nick Rolfe
c9d34947b7 Ruby: add SqlConstruction concept 2022-11-10 12:17:56 +00:00
Michael Nebel
9c6875ec0f Merge pull request #10777 from michaelnebel/csharp/generatedataextensions 
C#: Generate data extension files
 2022-11-10 13:08:31 +01:00
Nick Rolfe
4a98ef064e Ruby: use the 'customizations' pattern for the SQL injection query 2022-11-10 11:51:47 +00:00
Nick Rolfe
2b5e2ed282 Ruby: factor out some code into a helper predicate 2022-11-10 11:41:52 +00:00
Harry Maclean
a8b0d298ff Ruby: More string comparison guards 
Recognise if statements with conditionals made up or logical `and` or
`or` clauses as barrier guards.
 2022-11-10 16:38:09 +13:00
erik-krogh
88de299e12 add join(" ") calls as a sink for rb/shell-command-constructed-from-input 2022-11-09 21:46:25 +01:00
Nick Rolfe
c8c53cb424 Merge remote-tracking branch 'origin/main' into nickrolfe/active_support_flow_summaries 2022-11-09 17:02:05 +00:00
Nick Rolfe
cfde7e9edc Ruby: more accurate modeling of which ActionCable channel methods become endpoints 2022-11-09 16:14:11 +00:00
Nick Rolfe
611ed93e39 Ruby: add is{Public,Protected,Private} to DataFlow::MethodNode 2022-11-09 15:18:16 +00:00
Nick Rolfe
199b3f4d71 Ruby: add change note for ActionCable channel remote flow sources 2022-11-09 14:18:44 +00:00
Nick Rolfe
db20e7d143 Ruby: add ActionCable channel RPC params as remote-flow sources 2022-11-09 14:16:04 +00:00
Asger F
859dc7beb7 Merge pull request #11024 from asgerf/rb/data-flow-layer-capture2 
Ruby: expand DataFlow API
 2022-11-09 15:06:03 +01:00
Anders Schack-Mulligen
b3b7711149 Dataflow: Sync. 2022-11-09 14:23:15 +01:00
Nick Rolfe
97e939ae2b Ruby: refine summaries for Hash#reverse_merge etc. 
- revert the changes to the taint summaries specific to ActionController
  params
- make the general flow summaries value-preserving and use
  WithElement[any]
 2022-11-09 11:56:07 +00:00
erik-krogh
c8b7eccc6f sync files 2022-11-09 11:31:13 +01:00
Asger F
f4b2af730d Update ruby/ql/lib/codeql/ruby/dataflow/internal/TaintTrackingPrivate.qll 
Co-authored-by: Tom Hvitved <hvitved@github.com>
 2022-11-09 09:28:07 +01:00
Harry Maclean
f1b63c4df3 Ruby: Fix in clause barrier guard 2022-11-09 16:10:17 +13:00
Harry Maclean
0ab88c2e29 Ruby: Handle simple in clauses in barrier guard 2022-11-09 16:01:33 +13:00
Harry Maclean
25ceeaf241 Ruby: Fix SplatExprCfgNode 2022-11-09 15:03:15 +13:00
Harry Maclean
4bc9096446 Ruby: Add case string comparison barrier guard 
This recognises barriers of the form

    STRINGS = ["foo", "bar"]

    case foo
    when "some string literal"
      foo
    when *["other", "strings"]
      foo
    when *STRINGS
      foo
    end

where the reads of `foo` inside each `when` are guarded by the comparison
of `foo` with the string literals.

We don't yet recognise this construct:

    case foo
    when "foo", "bar"
      foo
    end

This is due to a limitation in the shared barrier guard logic.
 2022-11-09 15:03:13 +13:00
Nick Rolfe
865d0ca64a Ruby: add changenote for ActiveSupport Hash extension summaries 2022-11-08 15:52:21 +00:00
Nick Rolfe
04575674db Ruby: generalise summaries for ActiveSupport Hash extensions 2022-11-08 15:48:20 +00:00
Asger F
271de66f01 Ruby: rename getConst -> getConstant 2022-11-08 16:41:04 +01:00
Asger F
a60f510c85 Ruby: handle knownOrUnkown in default taint step 2022-11-08 16:11:55 +01:00
Tom Hvitved
f0554fcdee Merge pull request #11155 from hvitved/ruby/avoid-stage-recomputation 
Ruby: Avoid stage recomputation
 2022-11-08 13:46:53 +01:00
Tom Hvitved
edde3defed Merge pull request #11153 from hvitved/ruby/basic-block-at-conditions 
Ruby: Split basic blocks around constant conditionals
 2022-11-08 13:35:52 +01:00
Rasmus Wriedt Larsen
4895daba85 DataFlow: Add read/store stepIsLocal consistency checks 2022-11-08 13:32:49 +01:00
Tom Hvitved
37a69b4569 Ruby: Avoid stage recomputation 2022-11-08 10:51:30 +01:00
Erik Krogh Kristensen
c82410fd16 Merge pull request #10680 from erik-krogh/unsafeRbCmd 
RB: add an unsafe-shell-command-construction query
 2022-11-08 09:22:33 +01:00
Tom Hvitved
7ba0682297 Ruby: Split basic blocks around constant conditionals 2022-11-08 09:07:23 +01:00
Harry Maclean
03aa8df8e2 Ruby: Cosmetic change 2022-11-08 10:24:21 +13:00
Harry Maclean
d392cdaab6 Merge pull request #11022 from hmac/try-code-injection 
Ruby: try/try! as code execution
 2022-11-08 09:42:52 +13:00
erik-krogh
7a8e7150f0 add change-note 2022-11-07 14:36:55 +01:00