hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
78,333 Commits 1,672 Branches 157 Tags
ginsbach/NewOverlayLocalJava
Commit Graph

3367 Commits

Author SHA1 Message Date
erik-krogh
5e3cb08ed2 rename stateInPumpableRegexp to stateInRelevantRegexp 2022-08-23 12:40:45 +02:00
erik-krogh
e89e0eb7fb make some acronyms camelCase 2022-08-22 21:22:35 +02:00
Rasmus Wriedt Larsen
61bf2154cd Merge branch 'main' into shared-http-client-request 2022-08-22 12:05:37 +02:00
erik-krogh
049af68bc2 restrict suffix-construction to relevant regexps 2022-08-21 20:35:39 +02:00
erik-krogh
bcf4c57060 Merge branch 'main' into redosPrefix 2022-08-19 19:22:49 +02:00
erik-krogh
d052b1e3c9 also support regular expressions without repetitions 2022-08-19 19:21:44 +02:00
Rasmus Wriedt Larsen
9790594984 Ruby: Bugfix after HTTP::Client::Request change 
I guess this is not 100% accurate any longer since the base class is
only a `DataFlow::Node` now... I guess we could make it a
`DataFlow::CallNode` in the Concept definition.
 2022-08-19 16:25:47 +02:00
Rasmus Wriedt Larsen
9eda630965 Ruby: Add CallNode.getKeywordArgumentIncludeHashArgument 2022-08-19 15:54:15 +02:00
Rasmus Wriedt Larsen
0ac3624342 Ruby: Implement new disablesCertificateValidation for all HTTP client models 
Sadly most alert text changed, but the two important changes are:

1. The request on RestClient.rb:19 now has an expanded alert text,
   highlighting where the origin of the value that disables certificate
   validation comes from. (in this case, it's trivial since it's the
   line right above)
2. We handle passing `false`/`OpenSSL::SSL::VERIFY_NONE` the same in the
   argument passing examples in Faraday.rb
 2022-08-19 15:46:22 +02:00
Rasmus Wriedt Larsen
1f028ac206 Ruby: Implement new disablesCertificateValidation for RestClient 2022-08-19 15:43:19 +02:00
Tom Hvitved
663096fe3a Remove redundant overrides 2022-08-19 13:57:41 +02:00
Rasmus Wriedt Larsen
4a82025087 Ruby: Base HTTP::Client::Request on shared concept 
Fixing up deprecation errors in next commit
 2022-08-18 13:42:53 +02:00
Rasmus Wriedt Larsen
e2b78df5ad Ruby: Change HTTP::Client::Request to have DataFlow::Node as base class 
Although this is a breaking change, as explained in the change-note, it
should onyl affect peopel that have created their own HTTP client
request modeling, which I assume is none.

The alternative would have been to keep the old class/module as
deprecated, and introduce a `HTTP::Client::Requestv2` class/module that
is based on `DataFlow::Node` instead. The old class could then be
deprecated in 1 year, and we could do a rename from
`HTTP::Client::Requestv2` -> `HTTP::Client::Request` at the same time.
(and then wait 1 more year before being able to delete
`HTTP::Client::Requestv2`)

All in all, I think this is the right tradeoff, given that CodeQL Ruby
is still in beta.
 2022-08-18 13:42:52 +02:00
Rasmus Wriedt Larsen
e6b4d12f94 Sync ConceptsShared 2022-08-18 13:42:52 +02:00
Tom Hvitved
08a5b5dc73 Merge pull request #10089 from hvitved/ruby/local-source-nodes 
Ruby: Reduce size of `isLocalSourceNode`
 2022-08-18 12:02:35 +02:00
Nick Rolfe
a46e2b3f2f Merge pull request #10056 from hmac/hmac/action-controller-response-body 
Ruby: Recognise Rails render calls as HTTP responses
 2022-08-18 10:02:17 +01:00
Tom Hvitved
682986c0a2 Merge pull request #10087 from hvitved/ruby/unknown-member-warning 
Ruby: Get rid of warning in `getUnknownMember`
 2022-08-18 10:50:24 +02:00
erik-krogh
473bc92e2d move the PrefixConstruction module out of the ReDoSPruning module 2022-08-18 10:07:48 +02:00
Tom Hvitved
baa646e102 Ruby: Remove unused UnknownMember from API graphs 2022-08-18 09:40:02 +02:00
Harry Maclean
8f370b2457 Update ruby/ql/lib/change-notes/2022-08-16-action-controller-response-body.md 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2022-08-18 10:03:52 +12:00
Harry Maclean
70ec70940a Merge pull request #8142 from github/hmac/incomplete-multi-char-sanitization 2022-08-18 10:02:39 +12:00
Erik Krogh Kristensen
e93ff8672c Merge pull request #10075 from erik-krogh/depOld 
delete old deprecations
 2022-08-17 21:21:57 +02:00
Tom Hvitved
ed2ec1acc0 Ruby: Reduce size of isLocalSourceNode 2022-08-17 17:19:30 +02:00
Tom Hvitved
c307a12c20 Ruby: Get rid of warning in getUnknownMember 2022-08-17 16:22:11 +02:00
Alex Ford
d4d6657cb7 Merge pull request #10008 from alexrford/rb/log-injection 
Ruby: Add `rb/log-injection` query
 2022-08-17 15:01:22 +01:00
erik-krogh
6b9f01535b change All to Most in the change-notes 2022-08-17 15:34:57 +02:00
erik-krogh
2622c78766 add change-notes 2022-08-17 13:55:16 +02:00
Tom Hvitved
355c1f5959 Merge pull request #10035 from hvitved/ssa/phi-reads 
SSA: Improve use-use calculation using "phi read nodes"
 2022-08-17 13:43:00 +02:00
Nick Rolfe
94a51142d0 Ruby: fix typo in internal predicate name 2022-08-17 11:05:39 +01:00
Harry Maclean
1f4dad4167 Update for rename of ReDoSUtil to NfaUtils 2022-08-17 16:03:49 +12:00
Harry Maclean
f1a546c4d6 Rename IncompleteMultiCharacterSanitization[Query] 2022-08-17 16:03:49 +12:00
Harry Maclean
f2384a6a8f Ruby: Share more code with JS 2022-08-17 16:03:49 +12:00
Harry Maclean
025e34d8e1 Ruby: Simplify imports 2022-08-17 16:03:48 +12:00
Harry Maclean
b7d9bf4066 Share IncompleteMultiCharacterSanitization JS/Ruby 
Most of the classes and predicates in this query can be shared between
the two languages. There's just a few language-specific things that we
place in IncompleteMultiCharacterSanitizationSpecific.
 2022-08-17 16:03:46 +12:00
Harry Maclean
3179c60a1e Ruby: Remove RegExpLiteral.getAMatch 
This predicate is a duplicate of getAMatchedString, which matches the
naming in the JS version.
 2022-08-17 16:02:48 +12:00
Harry Maclean
6bb24f9d7c Ruby: matchesEmptyString -> isNullable 
Rename RegExpLiteral.matchesEmptyString to isNullable, to match the JS
version.
 2022-08-17 16:02:48 +12:00
Harry Maclean
c234bd94d1 Ruby: IncompleteMultiCharacterSanitization Query 
This query is similar to IncompleteSanitization but for multi-character
sequences.
 2022-08-17 16:02:48 +12:00
Harry Maclean
6e289a9db3 Ruby: Improvements to StringSubstitutionCall 
- Handle block arguments
- Recognise patterns passed via constants
 2022-08-17 16:02:48 +12:00
Harry Maclean
17dfb4e7b8 Ruby: Add RegExpTerm.getAMatch 2022-08-17 16:02:48 +12:00
Harry Maclean
c9fc43a4ba Ruby: Add matchesEmptyString to RegExpTerm 2022-08-17 16:02:47 +12:00
erik-krogh
4b7f63a0f3 sync SensitiveDataHeuristics.qll to the other languages 2022-08-16 22:31:26 +02:00
Tom Hvitved
7395587244 Sync files 2022-08-16 14:07:39 +02:00
Erik Krogh Kristensen
fd5b8896df Merge pull request #10063 from erik-krogh/fixRbDep 
re-deprecate ReDoSUtil in ruby
 2022-08-16 13:27:52 +02:00
Alex Ford
d02ad51d74 Merge pull request #10032 from github/post-release-prep/codeql-cli-2.10.3 
Post-release preparation for codeql-cli-2.10.3
 2022-08-16 12:04:07 +01:00
erik-krogh
2fbae81356 re-deprecate ReDoSUtil in ruby 2022-08-16 11:22:00 +02:00
erik-krogh
8e6a36256c import the non-deprecated NfaUtils in the overly-large-range query 2022-08-16 11:21:43 +02:00
Tom Hvitved
007d98e3b4 Ruby: Fix deprecation warning 2022-08-16 10:23:06 +02:00
Erik Krogh Kristensen
f106e064fa Merge pull request #9422 from erik-krogh/refacReDoS 
Refactorizations of the ReDoS libraries
 2022-08-16 09:32:08 +02:00
Harry Maclean
7ef6ffbc54 Ruby: Recognise Rails render calls as HTTP responses 2022-08-16 14:03:26 +12:00
Erik Krogh Kristensen
0adb588fe8 Merge pull request #9712 from erik-krogh/badRange 
JS/RB/PY/Java: add suspicious range query
 2022-08-15 13:55:44 +02:00