Commit Graph

4731 Commits

Author SHA1 Message Date
Tom Hvitved
2683e40038 Merge pull request #15708 from hvitved/share-ide-contextual
Share `getFileBySourceArchiveName` implementation
2024-02-23 19:56:33 +01:00
Harry Maclean
f5be407989 Ruby: deprecate old ProtectFromForgeryCall class 2024-02-23 12:02:26 +00:00
Harry Maclean
7b3f1a0982 Ruby: fix comment 2024-02-23 11:14:52 +00:00
Harry Maclean
081c1201ed Ruby: Make csrf query more specific
CSRF protection only needs to be explicitly enabled on Rails
applications < 5.2 _or_ those that don't include a `load_defaults` call
with a version >= 5.2.
2024-02-23 11:13:17 +00:00
Harry Maclean
3ee425cc47 Ruby: Identify ActionController::API
`ActionController::API < ActionController::Base` is a base controller
class, so we should recognise it as such.
2024-02-23 11:13:17 +00:00
Harry Maclean
32b775fdc3 Ruby: reduce duplicate alerts for csrf query
Only generate an alert on the top-most vulnerable Rails controller in
the controller tree.
2024-02-23 11:13:17 +00:00
Harry Maclean
1fbf177b54 Ruby: QLDoc fix 2024-02-23 11:13:16 +00:00
Harry Maclean
3499d169f9 Ruby: Add missing QLDoc 2024-02-23 11:13:16 +00:00
Harry Maclean
0597b2ed1b Ruby: recognise csrf_meta_tag
csrf_meta_tag is an alias for csrf_meta_tags, retained for backwards
compatibility.
2024-02-23 11:13:16 +00:00
Harry Maclean
f19a5a9837 Ruby: Add tests for Gemfile modeling 2024-02-23 11:13:16 +00:00
Harry Maclean
3c69ab10f2 Ruby: Restrict rb/csrf-protection-not-enabled
This query only applies to codebases using Ruby on Rails < 5.2, or where
there is no call to `csrf_meta_tags` in the base ERb template.
2024-02-23 11:13:15 +00:00
Harry Maclean
581072721c Ruby: Add change note 2024-02-23 11:13:15 +00:00
Harry Maclean
6d6f8ba512 Ruby: Make CSRF query more sensitive
Generate an alert for every controller class that doesn't have or
inherit a `protect_from_forgery` setting.
2024-02-23 11:13:15 +00:00
Harry Maclean
49d826f667 Ruby: Add a query for CSRF protection not enabled
Specifically in Rails apps, we look for root ActionController classes
without a call to `protect_from_forgery`.
2024-02-23 11:13:14 +00:00
Tom Hvitved
62b16c0fa3 Share getFileBySourceArchiveName implementation 2024-02-23 11:25:49 +01:00
Tom Hvitved
94113521d1 Merge pull request #15689 from hvitved/ruby/no-field-branch-limit-summarized-callable
Ruby: No `fieldFlowBranchLimit` for `SummarizedCallable`s
2024-02-23 10:47:22 +01:00
Harry Maclean
fbc689227d Merge pull request #15604 from p-/p--rails-more-request-sources
Ruby: add additional sources on the request object of Rails
2024-02-22 16:35:59 +00:00
Joe Farebrother
67e8f17c4c Merge pull request #15619 from joefarebrother/ruby-activerecord-connection
Ruby: Add additional sql sinks for ActiveRecord connection methods
2024-02-22 14:02:31 +00:00
Joe Farebrother
1f409b0456 Merge pull request #15671 from joefarebrother/ruby-activerecord-extra-args
Ruby: Consider additional arguments to certain `ActiveRecord` methods as sql injection sinks.
2024-02-22 14:01:56 +00:00
Joe Farebrother
92bdd637a3 Address review comment - add create and remove select_insert 2024-02-22 09:55:46 +00:00
Tom Hvitved
ebee35b385 Ruby: No fieldFlowBranchLimit for SummarizedCallables 2024-02-22 10:27:25 +01:00
Tom Hvitved
23869fc8e6 Ruby: Fix bug in allowParameterReturnInSelf 2024-02-22 09:43:52 +01:00
Tom Hvitved
007d08ea63 Ruby: Add another variable capture test 2024-02-22 09:39:01 +01:00
github-actions[bot]
37f8fa3413 Post-release preparation for codeql-cli-2.16.3 2024-02-20 16:50:47 +00:00
Joe Farebrother
10da4d14d9 Add additional arguments as sinks to certain methods 2024-02-20 16:35:29 +00:00
github-actions[bot]
6d061fbc35 Release preparation for version 2.16.3 2024-02-20 14:26:23 +00:00
Joe Farebrother
e36b9f4d3c Add tests and change note 2024-02-15 15:26:20 +00:00
Harry Maclean
a9abba5859 Merge pull request #15520 from hmac/hmac-erb-raw-output-directive
Ruby: Recognise raw Erb output as XSS sink
2024-02-15 08:05:16 +00:00
Joe Farebrother
37eb81097f Add additional sinks for connection methods 2024-02-14 22:42:03 +00:00
Peter Stöckli
2f7b946c9f Ruby: add sources on request object of Rails 2024-02-13 15:52:18 +01:00
Harry Maclean
6cc5c09769 Ruby: Simplify ErbOutputDirective 2024-02-13 08:38:16 +00:00
Harry Maclean
11040d628b Ruby: Add changenote 2024-02-13 08:38:15 +00:00
Harry Maclean
3d9f9afa77 Merge pull request #15566 from hmac/hmac-actioncontroller-regex
Ruby: Fix ActionController path regex
2024-02-12 14:14:57 +00:00
Harry Maclean
99497e5f3c Merge pull request #15521 from hmac/hmac-ar-connection
Ruby: Recognise more ActiveRecord connections
2024-02-12 14:06:50 +00:00
Harry Maclean
5af58d24e0 Ruby: Recognise raw Erb output as XSS sink 2024-02-12 13:28:44 +00:00
Marcono1234
d814decc17 Ruby: Fix formatting in changelog 2024-02-10 00:23:57 +01:00
Tom Hvitved
37d774176b Ruby: Fix SSA inconsistency 2024-02-09 14:49:26 +01:00
Tom Hvitved
1ea7717714 Capture flow: Take overwrites in nested scopes into account 2024-02-09 14:49:23 +01:00
Tom Hvitved
0c43ad45b4 Ruby: Add another captured variable data flow test 2024-02-09 14:48:36 +01:00
Anders Schack-Mulligen
35a3aa0a09 Ruby: Add empty provenance column to expected files. 2024-02-09 11:32:08 +01:00
Harry Maclean
3a90d78c36 Ruby: Fix Rails view file regex
This picks up non-nested template files correctly.
2024-02-09 09:41:43 +00:00
Harry Maclean
48890b446d Ruby: Add more actioncontroller tests 2024-02-09 09:31:35 +00:00
Koen Vlaswinkel
e596862074 Merge pull request #15541 from github/koesie10/ruby-access-path-constructor-returnvalue
Ruby: Remove `ReturnValue` as access path for constructors
2024-02-08 16:25:34 +01:00
Dave Bartolomeo
92bd550c55 Merge pull request #15531 from github/post-release-prep/codeql-cli-2.16.2
Post-release preparation for codeql-cli-2.16.2
2024-02-08 05:58:17 -08:00
Koen Vlaswinkel
87eb1ab103 Ruby: Include ReturnValue and exclude self for constructors 2024-02-08 13:40:10 +01:00
Koen Vlaswinkel
8646bffaea Ruby: Remove ReturnValue as access path for constructors 2024-02-07 14:35:19 +01:00
Henry Mercer
e71f0fc1ba Add supported build modes to extractor metadata 2024-02-06 19:51:13 +00:00
github-actions[bot]
b5139078d0 Post-release preparation for codeql-cli-2.16.2 2024-02-06 19:22:35 +00:00
Koen Vlaswinkel
8361efca4d Merge pull request #15503 from github/koesie10/ruby-access-paths
Ruby: Add query for access paths in model editor
2024-02-06 10:12:26 +01:00
github-actions[bot]
c1b35fbf47 Release preparation for version 2.16.2 2024-02-05 17:58:57 +00:00