hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
78,333 Commits 1,672 Branches 157 Tags
ginsbach/NewOverlayLocalJava
Commit Graph

3367 Commits

Author SHA1 Message Date
Tom Hvitved
02192acd5f Ruby: Avoid computing full fastTC for AstNode::getParent 
DIL before
```
                                                   /* AST::AstNode */ AST#87953007::Cached::TAstNode result) =
  fastTC(AST#a6718388::AstNode::getAChild#0#dispred#ff/2)
.

Synthesis#d9ff06b1::Desugared::getADescendant#0#dispred#ff(/* Synthesis::Desugared */ AST#87953007::Cached::TAstNode this,
                                                           /* AST::AstNode */ AST#87953007::Cached::TAstNode result)
:-
  (
    exists(int arg1,
           /* AST::AstNode */ dontcare AST#87953007::Cached::TAstNode _ |
      arg1 = -1, AST#87953007::Cached::getSynthChild#2(_, arg1, this)
    ),
    result = this
  );
  (
    exists(int arg1,
           /* AST::AstNode */ dontcare AST#87953007::Cached::TAstNode _ |
      arg1 = -1, AST#87953007::Cached::getSynthChild#2(_, arg1, this)
    ),
    #AST#a6718388::AstNode::getAChild#0#dispredPlus#ff(this, result)
  )
.
```

DIL after
```
incremental
Synthesis#d9ff06b1::Desugared::getADescendant#ff(/* Synthesis::Desugared */ AST#87953007::Cached::TAstNode this,
                                                 /* AST::AstNode */ AST#87953007::Cached::TAstNode result)
:-
  (
    exists(int arg1,
           /* AST::AstNode */ dontcare AST#87953007::Cached::TAstNode _ |
      arg1 = -1, AST#87953007::Cached::getSynthChild#2(_, arg1, this)
    ),
    result = this
  );
  exists(/* AST::AstNode */ AST#87953007::Cached::TAstNode call_result#2 |
    exists(int arg1,
           /* AST::AstNode */ dontcare AST#87953007::Cached::TAstNode _ |
      arg1 = -1, AST#87953007::Cached::getSynthChild#2(_, arg1, this)
    ),
    rec Synthesis#d9ff06b1::Desugared::getADescendant#ff(this, call_result#2),
    exists(cached dontcare string _ |
      AST#a6718388::AstNode::getAChild#1#dispred(call_result#2, _, result)
    )
  )
| [base_case]
  exists(int arg1, /* AST::AstNode */ dontcare AST#87953007::Cached::TAstNode _ |
    arg1 = -1, AST#87953007::Cached::getSynthChild#2(_, arg1, this)
  ),
  result = this
| [delta_order]
  exists(/* AST::AstNode */ AST#87953007::Cached::TAstNode call_result#2 |
    exists(int arg1,
           /* AST::AstNode */ dontcare AST#87953007::Cached::TAstNode _ |
      arg1 = -1, AST#87953007::Cached::getSynthChild#2(_, arg1, this)
    ),
    delta previous rec Synthesis#d9ff06b1::Desugared::getADescendant#ff(this,
                                                                        call_result#2),
    project#AST#a6718388::AstNode::getAChild#1#dispred(call_result#2, result)
  ),
  not(
    previous rec Synthesis#d9ff06b1::Desugared::getADescendant#ff(this, result)
  )
| [delta_order_up_to_500000]
  exists(/* AST::AstNode */ AST#87953007::Cached::TAstNode call_result#2 |
    delta previous rec Synthesis#d9ff06b1::Desugared::getADescendant#ff(this,
                                                                        call_result#2),
    exists(int arg1,
           /* AST::AstNode */ dontcare AST#87953007::Cached::TAstNode _ |
      arg1 = -1, AST#87953007::Cached::getSynthChild#2(_, arg1, this)
    ),
    project#AST#a6718388::AstNode::getAChild#1#dispred(call_result#2, result)
  ),
  not(
    previous rec Synthesis#d9ff06b1::Desugared::getADescendant#ff(this, result)
  )
.
```
 2022-10-09 11:12:24 +02:00
Tom Hvitved
d39b0fd3f4 Ruby: Avoid computing full fastTC for AstNode::getParent 
DIL before
```
                                                   /* AST::AstNode */ AST#87953007::Cached::TAstNode result) =
  fastTC(AST#a6718388::AstNode::getAChild#0#dispred#ff/2)
.

Synthesis#d9ff06b1::isInDesugaredContext#1#f(/* AST::AstNode */ unique AST#87953007::Cached::TAstNode n)
:-
  exists(int arg1, /* AST::AstNode */ dontcare AST#87953007::Cached::TAstNode _ |
    arg1 = -1, AST#87953007::Cached::getSynthChild#2(_, arg1, n)
  );
  exists(/* AST::AstNode */ AST#87953007::Cached::TAstNode call_result#2 |
    exists(int arg1,
           /* AST::AstNode */ dontcare AST#87953007::Cached::TAstNode _ |
      arg1 = -1, AST#87953007::Cached::getSynthChild#2(_, arg1, call_result#2)
    ),
    #AST#a6718388::AstNode::getAChild#0#dispredPlus#ff(call_result#2, n)
  )
.
```

DIL after
```
incremental
Synthesis#d9ff06b1::isInDesugaredContext#1#f(/* AST::AstNode */ unique AST#87953007::Cached::TAstNode n)
:-
  exists(int arg1, /* AST::AstNode */ dontcare AST#87953007::Cached::TAstNode _ |
    arg1 = -1, AST#87953007::Cached::getSynthChild#2(_, arg1, n)
  );
  exists(/* AST::AstNode */ AST#87953007::Cached::TAstNode any#expr##2 |
    rec Synthesis#d9ff06b1::isInDesugaredContext#1#f(any#expr##2),
    exists(cached dontcare string _ |
      AST#a6718388::AstNode::getAChild#1#dispred(any#expr##2, _, n)
    )
  )
| [base_case]
  exists(int arg1, /* AST::AstNode */ dontcare AST#87953007::Cached::TAstNode _ |
    arg1 = -1, AST#87953007::Cached::getSynthChild#2(_, arg1, n)
  )
| [delta_order]
  exists(/* AST::AstNode */ AST#87953007::Cached::TAstNode any#expr##2 |
    delta previous rec Synthesis#d9ff06b1::isInDesugaredContext#1#f(any#expr##2),
    project#AST#a6718388::AstNode::getAChild#1#dispred(any#expr##2, n)
  ),
  not(previous rec Synthesis#d9ff06b1::isInDesugaredContext#1#f(n))
.
``
 2022-10-09 11:11:48 +02:00
Tom Hvitved
262a74d03d Ruby: Avoid computing full fastTC for AstNode::getParent 
DIL before
```
                                                   /* AST::AstNode */ AST#87953007::Cached::TAstNode result) =
  fastTC(AST#a6718388::AstNode::getAChild#0#dispred#ff/2)
.

Completion#445d5844::mayRaise#1#f(/* Call::Call */ unique AST#87953007::Cached::TAstNode c)
:-
  exists(/* AST::AstNode */ AST#87953007::Cached::TAstNode call_result#2 |
    exists(/* ControlFlowGraphImpl::Trees::BodyStmtTree */ AST#87953007::Cached::TAstNode bst |
      (
        (
          project#Expr#6fb2af19::BodyStmt::getRescue#1#dispred#fff(bst),
          ControlFlowGraphImpl#288ae92e::Trees::BodyStmtTree#class#f(bst)
        );
        (
          exists(/* Expr::StmtSequence */ dontcare AST#87953007::Cached::TAstNode _ |
            Expr#6fb2af19::BodyStmt::getEnsure#0#dispred#ff(bst, _)
          ),
          ControlFlowGraphImpl#288ae92e::Trees::BodyStmtTree#class#f(bst)
        )
      ),
      ControlFlowGraphImpl#288ae92e::Trees::BodyStmtTree#class#f(bst),
      project#ControlFlowGraphImpl#288ae92e::Trees::StmtSequenceTree::getBodyChild#2#dispred#ffff(bst,
                                                                                                  call_result#2)
    ),
    (
      (c = call_result#2, Call#841c84e8::Call#f(c));
      (
        #AST#a6718388::AstNode::getAChild#0#dispredPlus#ff(call_result#2, c),
        Call#841c84e8::Call#f(c)
      )
    )
  )
.
```

DIL after
```
incremental
Completion#445d5844::getARescuableBodyChild#0#f(/* AST::AstNode */ unique AST#87953007::Cached::TAstNode result)
:-
  exists(/* ControlFlowGraphImpl::Trees::BodyStmtTree */ AST#87953007::Cached::TAstNode bst |
    (
      (
        exists(dontcare int _,
               /* Expr::RescueClause */ dontcare AST#87953007::Cached::TAstNode _1 |
          Expr#6fb2af19::BodyStmt::getRescue#1#dispred#fff(bst, _, _1)
        ),
        ControlFlowGraphImpl#288ae92e::Trees::BodyStmtTree#class#f(bst)
      );
      (
        exists(/* Expr::StmtSequence */ dontcare AST#87953007::Cached::TAstNode _ |
          Expr#6fb2af19::BodyStmt::getEnsure#0#dispred#ff(bst, _)
        ),
        ControlFlowGraphImpl#288ae92e::Trees::BodyStmtTree#class#f(bst)
      )
    ),
    ControlFlowGraphImpl#288ae92e::Trees::BodyStmtTree#class#f(bst),
    exists(boolean arg2, dontcare int _ |
      arg2 = true,
      ControlFlowGraphImpl#288ae92e::Trees::StmtSequenceTree::getBodyChild#2#dispred#ffff(bst,
                                                                                          _,
                                                                                          arg2,
                                                                                          result)
    )
  );
  exists(/* AST::AstNode */ AST#87953007::Cached::TAstNode call_result#5 |
    rec Completion#445d5844::getARescuableBodyChild#0#f(call_result#5),
    exists(cached dontcare string _ |
      AST#a6718388::AstNode::getAChild#1#dispred(call_result#5, _, result)
    )
  )
| [base_case]
  exists(/* ControlFlowGraphImpl::Trees::BodyStmtTree */ AST#87953007::Cached::TAstNode bst |
    (
      (
        project#Expr#6fb2af19::BodyStmt::getRescue#1#dispred#fff(bst),
        ControlFlowGraphImpl#288ae92e::Trees::BodyStmtTree#class#f(bst)
      );
      (
        exists(/* Expr::StmtSequence */ dontcare AST#87953007::Cached::TAstNode _ |
          Expr#6fb2af19::BodyStmt::getEnsure#0#dispred#ff(bst, _)
        ),
        ControlFlowGraphImpl#288ae92e::Trees::BodyStmtTree#class#f(bst)
      )
    ),
    ControlFlowGraphImpl#288ae92e::Trees::BodyStmtTree#class#f(bst),
    project#ControlFlowGraphImpl#288ae92e::Trees::StmtSequenceTree::getBodyChild#2#dispred#ffff(bst,
                                                                                                result)
  )
| [delta_order]
  exists(/* AST::AstNode */ AST#87953007::Cached::TAstNode call_result#5 |
    delta previous rec Completion#445d5844::getARescuableBodyChild#0#f(call_result#5),
    project#AST#a6718388::AstNode::getAChild#1#dispred(call_result#5, result)
  ),
  not(previous rec Completion#445d5844::getARescuableBodyChild#0#f(result))
.
```
 2022-10-09 11:10:39 +02:00
Tom Hvitved
d707c526e5 Ruby: Avoid computing full fastTC for AstNode::getParent 
DIL before
```
                                  /* AST::AstNode */ AST#87953007::Cached::TAstNode result) =
  fastTC(Module#fe82a56b::parent#1#ff/2)
.

Module#fe82a56b::enclosingModule#1#ff(/* AST::AstNode */ AST#87953007::Cached::TAstNode node,
                                      /* Module::ModuleBase */ AST#87953007::Cached::TAstNode result)
:-
  exists(/* AST::AstNode */ AST#87953007::Cached::TAstNode call_result#2 |
    Module#2a43f566::ModuleBase#f(result),
    project#AST#a6718388::AstNode::getAChild#1#dispred(result, call_result#2),
    (
      node = call_result#2;
      #Module#fe82a56b::parent#1Plus#ff(node, call_result#2)
    )
  )
.
```

DIL after
```
incremental
Module#fe82a56b::enclosingModule#1#ff(/* AST::AstNode */ AST#87953007::Cached::TAstNode node,
                                      /* Module::ModuleBase */ AST#87953007::Cached::TAstNode result)
:-
  (
    Module#2a43f566::ModuleBase#f(result),
    exists(cached dontcare string _ |
      AST#a6718388::AstNode::getAChild#1#dispred(result, _, node)
    )
  );
  exists(/* AST::AstNode */ AST#87953007::Cached::TAstNode mid |
    Module#2a43f566::ModuleBase#f(result),
    rec Module#fe82a56b::enclosingModule#1#ff(mid, result),
    not(Module#2a43f566::ModuleBase#f(mid)),
    not(Method#8b49e67f::Block#f(mid)),
    exists(cached dontcare string _ |
      AST#a6718388::AstNode::getAChild#1#dispred(mid, _, node)
    )
  )
| [base_case]
  Module#2a43f566::ModuleBase#f(result),
  project#AST#a6718388::AstNode::getAChild#1#dispred(result, node)
| [delta_order]
  exists(/* AST::AstNode */ AST#87953007::Cached::TAstNode mid |
    Module#2a43f566::ModuleBase#f(result),
    delta previous rec Module#fe82a56b::enclosingModule#1#ff(mid, result),
    not(Module#2a43f566::ModuleBase#f(mid)),
    not(Method#8b49e67f::Block#f(mid)),
    project#AST#a6718388::AstNode::getAChild#1#dispred(mid, node)
  ),
  not(previous rec Module#fe82a56b::enclosingModule#1#ff(node, result))
| [delta_order_up_to_500000]
  exists(/* AST::AstNode */ AST#87953007::Cached::TAstNode mid |
    delta previous rec Module#fe82a56b::enclosingModule#1#ff(mid, result),
    Module#2a43f566::ModuleBase#f(result),
    not(Module#2a43f566::ModuleBase#f(mid)),
    not(Method#8b49e67f::Block#f(mid)),
    project#AST#a6718388::AstNode::getAChild#1#dispred(mid, node)
  ),
  not(previous rec Module#fe82a56b::enclosingModule#1#ff(node, result))
.
```
 2022-10-09 11:10:33 +02:00
Dave Bartolomeo
5ee7986649 Merge pull request #10736 from github/post-release-prep/codeql-cli-2.11.1 
Post-release preparation for codeql-cli-2.11.1
 2022-10-07 14:23:31 -04:00
github-actions[bot]
b8ef9e0ddc Post-release preparation for codeql-cli-2.11.1 2022-10-07 15:59:45 +00:00
Nick Rolfe
a6674a5313 Ruby: fix uses of deprecated class name 2022-10-07 13:17:05 +01:00
Tom Hvitved
b065d2d3ab Merge pull request #10705 from hvitved/ruby/singleton-overrides 
Ruby: Take overrides into account for singleton methods defined on modules
 2022-10-07 13:33:59 +02:00
Harry Maclean
75cb0efecb Merge pull request #10538 from hmac/hmac/actioncontroller-parameters 
Ruby: Model flow through ActionController::Parameters
 2022-10-07 22:21:40 +13:00
Tom Hvitved
69fc59930f Ruby: Add ql doc to lookupSingletonMethod 2022-10-07 10:55:30 +02:00
github-actions[bot]
a02dcdc5e1 Release preparation for version 2.11.1 2022-10-07 02:20:28 +00:00
Tom Hvitved
48bdf13c89 Ruby: Take overrides into account for singleton methods defined on modules 2022-10-06 11:56:26 +02:00
Tom Hvitved
0e6735b804 Merge pull request #10691 from hvitved/dataflow/conjunctive-clears 
Data flow: Take conjunctive `With(out)Contents` into account in `prohibitsUseUseFlow`
 2022-10-06 09:03:30 +02:00
Asger F
387e57546b Merge pull request #10650 from asgerf/rb/summarize-more 
Ruby: more type-tracking steps
 2022-10-05 19:16:56 +02:00
Alex Ford
fa58c51810 Ruby: switch rb/sensitive-get-query back to using local flow 2022-10-05 15:58:05 +01:00
Tom Hvitved
0beea9fd1a Fix typos 2022-10-05 15:54:52 +02:00
Asger F
c9c36985b2 Ruby: address review comments 2022-10-05 14:59:37 +02:00
Alex Ford
71670a4f75 Ruby: add RequestInputAccess#getKind predicate 2022-10-05 13:38:31 +01:00
Alex Ford
dea53d86c9 Ruby: remove some redundant imports of DataFlow 2022-10-05 13:22:19 +01:00
Alex Ford
d64f8c73be Merge branch 'main' into rb/sensitive-get-query 2022-10-05 12:59:35 +01:00
Alex Ford
084efe062a Ruby: limit rb/sensitive-get-query to data from query params 2022-10-05 12:57:57 +01:00
Arthur Baars
6509c19aad Merge pull request #10692 from aibaars/fix-splats 
Ruby: fix CFG and toString for anonymous '*' and '**'
 2022-10-05 13:25:29 +02:00
Alex Ford
880fb2b14a Ruby: split out rb/sensitive-get-query using query/customizations pattern 2022-10-05 11:59:40 +01:00
Tom Hvitved
3f0f16afc4 Ruby: Update flow summary for Hash#except 2022-10-05 12:58:29 +02:00
Tom Hvitved
e51c20bfc7 Data flow: Take conjunctive With(out)Contents into account in prohibitsUseUseFlow 2022-10-05 12:58:29 +02:00
Arthur Baars
a080f498be Ruby: fix CFG and toString for anonymous '*' and '**' 2022-10-05 11:50:37 +02:00
Asger F
f664a77a02 Ruby: ensure Hash flow works again 2022-10-05 11:07:55 +02:00
Nick Rolfe
525fe12671 Merge pull request #10585 from github/nickrolfe/libxml-xxe 
Ruby: detect uses of LibXML with entity substitution enabled by default
 2022-10-05 09:51:39 +01:00
Asger F
7cf969f9c8 Ruby: remove mention of PairValueContent 2022-10-05 10:32:09 +02:00
Asger F
6f74a52542 Merge branch 'main' into rb/summarize-more 2022-10-05 09:55:23 +02:00
Asger F
8b7ec20573 Merge branch 'main' into rb/summarize-more 2022-10-05 09:43:52 +02:00
Tom Hvitved
1496c4f0e2 Merge pull request #10686 from hvitved/ruby/remove-value-pair-content 
Ruby: Remove `PairValueContent`
 2022-10-05 09:41:14 +02:00
Asger F
93e8434e08 Ruby: fix content restriction in type trackers 2022-10-05 09:36:42 +02:00
Asger F
f5f351e26c Ruby: make flowsToLoadStoreStep private 2022-10-05 09:35:11 +02:00
Asger F
a9a99c5b18 Ruby: nomagic on unary hasAdjacentTypeCheckedReads 2022-10-05 09:34:36 +02:00
Asger F
4c19d2d71e Ruby: make getAStaticHashCall private again 2022-10-05 09:32:56 +02:00
Arthur Baars
c1c16e44ee Merge pull request #10559 from aibaars/cve-2019-3881 
Ruby: some improvements
 2022-10-04 21:24:14 +02:00
Tom Hvitved
aae9a58ca3 Ruby: Remove ValuePairContent 2022-10-04 20:10:51 +02:00
Nick Rolfe
2e80926951 Ruby: fix a couple of references to deprecated names 2022-10-04 16:45:08 +01:00
Nick Rolfe
445241fd95 Ruby: add missing qldoc comment 2022-10-04 16:31:54 +01:00
Nick Rolfe
2315a177fe Ruby: add changenote for ActionView/Controller class renames 2022-10-04 16:22:11 +01:00
Nick Rolfe
227100d883 Ruby: make old class names available as deprecated aliases 2022-10-04 16:11:43 +01:00
Arthur Baars
88b5d4da16 Ruby: extend may have multiple arguments 2022-10-04 12:58:50 +02:00
Arthur Baars
ab3a62de3c Update ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll 2022-10-04 12:58:50 +02:00
Tom Hvitved
6e61ef10b8 Ruby: Add another dataflow copy 2022-10-04 12:58:50 +02:00
Tom Hvitved
9d7d6c29f9 Review comments 2022-10-04 12:58:50 +02:00
Arthur Baars
44cc6f7350 Ruby: improve tracking of regular expressions 
There are two flavours of `match?`. If the receiver of `match?` has type String
then the argument to `match?` is a regular expression. However, if the receiver of
`match?` has type Regexp then the argument is the text.

The role of receiver and argument flips depending on the type of the receiver, this
caused a lot of false positives when looking for string-like literals that are
used as a regular expression.

This commit attempts to improve things by trying to determine whether the type of the
receiver is known to be of type Regexp. In such cases we know that the argument
is unlikely to be  regular expression.
 2022-10-04 12:58:49 +02:00
Arthur Baars
0160c374e4 Ruby: add flow summaries for Object#dup and Kernel#tap 2022-10-04 12:58:49 +02:00
Arthur Baars
5d55daa491 Ruby: use resolveConstantReadAccess instead of trackModuleAccess for 'extend' calls 
This avoids non-linear recursion at the cost of losing some results.
 2022-10-04 12:58:49 +02:00
Arthur Baars
c2b98a4761 Ruby: add support for 'extend' method 2022-10-04 12:58:49 +02:00