hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
78,334 Commits 1,671 Branches 157 Tags
ginsbach/OverlayLocalJava
Commit Graph

3367 Commits

Author SHA1 Message Date
Tom Hvitved
47fd64fc44 Merge pull request #7130 from hvitved/cfg/dead-end-consistency 
Shared CFG: Add "dead end" consistency query
 2021-11-19 13:49:53 +01:00
Erik Krogh Kristensen
75586b0cf6 Apply suggestions from code review 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2021-11-19 13:23:01 +01:00
Harry Maclean
c297a68acf Model more of the RestClient API 
We now handle this form:

    RestClient::Request.execute(url: "http://example.com")
 2021-11-19 11:28:09 +00:00
Harry Maclean
e2ef780c55 Add base_uri note to HTTParty modelling 2021-11-19 11:28:09 +00:00
Harry Maclean
38ff584307 Model more Faraday behaviour 
You can instantiate a Faraday connection by passing a URL as an keyword
argument:

    conn = Faraday.new(url: "http://example.com")
 2021-11-19 11:28:09 +00:00
Harry Maclean
f933d24031 Fix comment 2021-11-19 11:28:09 +00:00
Harry Maclean
ac20eafecc Add qhelp for Ruby SSRF 2021-11-19 11:28:08 +00:00
Harry Maclean
dc464879a2 Add a query for server-side request forgery 2021-11-19 11:28:08 +00:00
Harry Maclean
cd33e4d394 Make string interpolation sanitizer reusable 2021-11-19 11:28:08 +00:00
Harry Maclean
b6ce37b241 Add getURL to HTTP::Client::Request 
This member predicate gets dataflow nodes which contribute to the URL of
the request.

Also consolidate the identical tests for each HTTP client.
 2021-11-19 11:28:08 +00:00
Harry Maclean
8fd8c9b04d Fix CallExprCfgNode.getKeywordArgument 
This predicate now produces results.
 2021-11-19 11:28:08 +00:00
Tom Hvitved
bc80c9b013 Ruby: Move SSA consistency queries into shared SSA library 2021-11-19 11:31:28 +01:00
Tom Hvitved
923ca134e8 Shared CFG: Add "dead end" consistency query 2021-11-19 09:14:38 +01:00
Tom Hvitved
a4538de3a3 Shared CFG: Rename TNode to TCfgNode 
This is in order to avoid name clash with the often so-named IPA type for data-
flow nodes. The name clash is not problematic because they are both in scope,
but because (cached) IPA types with overlapping names are known to sometimes
result in re-evaluation of cached stages, when one of the IPA types gets an
internal `#2` suffix in one query run, and the other IPA type gets the suffix
in another run.
 2021-11-18 19:15:36 +01:00
Erik Krogh Kristensen
ee858d840e get ReDoSUtil in sync for ruby 2021-11-18 16:49:34 +01:00
Tom Hvitved
2218516685 Ruby: Remove CP in EnsureSplitImpl::exit/3 2021-11-18 16:05:09 +01:00
Erik Krogh Kristensen
af55f172ae use A/An/The to start qlDoc for classes 2021-11-18 15:42:45 +01:00
Alex Ford
1ec935dee6 Ruby: make documentation of IOReader and FileReader less ambiguous 2021-11-18 14:35:44 +00:00
Anders Schack-Mulligen
6815a13a00 Merge pull request #6931 from hvitved/dataflow/restrict-derived-summaries 
Data flow: Restrict derived flow summaries
 2021-11-18 15:31:55 +01:00
Alex Ford
bd940712de Update ruby/ql/lib/codeql/ruby/frameworks/Files.qll 
Co-authored-by: Harry Maclean <hmac@github.com>
 2021-11-18 14:18:39 +00:00
Erik Krogh Kristensen
1cca377e7d Merge pull request #6561 from erik-krogh/htmlReg 
JS/Py/Ruby: add a bad-tag-filter query
 2021-11-18 09:39:13 +01:00
Alex Ford
9a74f18ac5 Ruby: take File::try_convert as a potential file instance instantiation 2021-11-17 23:19:13 +00:00
Alex Ford
ce004e9c1e Ruby: don't interpret File#try_convert as a method that reads from a file/IO 2021-11-17 23:01:19 +00:00
Alex Ford
12a3251649 Ruby: extend FileSystemReadAccess and restructure some Files.qll classes 2021-11-17 23:01:18 +00:00
Alex Ford
08b6a17097 Merge pull request #7151 from github/ruby/methodcallnode 
Ruby: add `getMethodName` predicate to `DataFlow::CallNode` class
 2021-11-17 14:40:07 +00:00
Tom Hvitved
9ff63b00d6 Ruby: Remove CFG dependency from AST stage 
Commit 028ef6f27f had the unintended side-effect
that the AST and CFG stages got merged, because the AST stage's `isCapturedAccess`
now depends on `getCfgScopeImpl`, which belongs to the CFG stage.

The fix is to remove `getCfgScopeImpl` from the CFG stage, and instead let it
be part of the AST stage.
 2021-11-17 13:15:55 +01:00
Tom Hvitved
4eacbd1cbe Ruby: Sync files 2021-11-17 10:49:51 +01:00
Arthur Baars
7c2841f058 Ruby: QL generator: use qualified imports 2021-11-17 10:37:44 +01:00
Tom Hvitved
08c778241d Ruby: Adopt to changes after rebase 2021-11-17 09:17:32 +01:00
Tom Hvitved
413375992d Ruby: Flatten nested statements inside desugared for loops 2021-11-17 09:05:37 +01:00
Tom Hvitved
9125b85ff0 Ruby: Add missing QL doc 2021-11-17 09:05:37 +01:00
Tom Hvitved
a62ad5000b Ruby: Make isCapturedAccess work with synthesized scopes 2021-11-17 09:05:37 +01:00
Tom Hvitved
135ee0d0c1 Ruby: Add implicit writes for synthesized parameters 2021-11-17 09:05:37 +01:00
Tom Hvitved
028ef6f27f Ruby: Handle synthesized scopes 2021-11-17 09:05:37 +01:00
Tom Hvitved
48e6bdb117 Ruby: Remove EmptinessCompletion 2021-11-17 09:05:36 +01:00
Tom Hvitved
db6f843641 Ruby: Hide SynthBlock from the public API 2021-11-17 09:05:36 +01:00
Alex Ford
e468434b82 ruby: drop special handling of for-in loops in the CFG 2021-11-17 09:05:33 +01:00
Alex Ford
ddfcfc9b67 Desugar for loops as each calls 2021-11-17 09:04:29 +01:00
Alex Ford
f6d99dc00d Define getBlockImpl for synthesized method calls 2021-11-17 09:04:29 +01:00
Alex Ford
a743067dc8 Support synthesis of blocks (without a new variable scope) 2021-11-17 09:04:29 +01:00
Alex Ford
04df56d1c0 Support synthesis of SimpleParameters 2021-11-17 09:04:29 +01:00
Tom Hvitved
7cfc696d62 Merge pull request #7141 from hvitved/ruby/synthesis-realnode-recursion 
Ruby: Eliminate unnecessary recursion through `RealNode`
 2021-11-17 09:03:30 +01:00
Alex Ford
c8cdbfa352 ruby: push getMethodName into DataFlow::CallNode 2021-11-16 17:11:26 +00:00
Alex Ford
286c894f34 ruby: add DataFlow::MethodCallNode class 2021-11-16 15:39:47 +00:00
Anders Schack-Mulligen
c70d384d28 Merge pull request #7045 from aschackmull/dataflow/hidden-ret-subpaths 
Data flow: Support hidden return nodes in subpaths predicate
 2021-11-16 15:04:51 +01:00
Tom Hvitved
e7b091086d Ruby: Eliminate unnecessary recursion through RealNode 2021-11-16 12:24:17 +01:00
Tom Hvitved
3a8e2db3ab Merge pull request #7121 from hvitved/ruby/lookup-const-anti-join 2021-11-16 11:32:55 +01:00
Tom Hvitved
03ae58830a Ruby: Add missing CFG entry for ForwardParameter 2021-11-15 16:28:17 +01:00
Tom Hvitved
723ac818d9 Shared CFG: Update breakInvariant4 consistency test 2021-11-15 11:43:49 +01:00
Tom Hvitved
19e6da517b Ruby: Fix bad join-order in resolveConstant 
```
[2021-11-09 11:35:47] (99s) Starting to evaluate predicate Module::Cached::resolveConstant#ff#antijoin_rhs/3@f6dcd6
[2021-11-09 11:35:58] (111s) Tuple counts for Module::Cached::resolveConstant#ff#antijoin_rhs/3@f6dcd6 after 11.5s:
                      165960683 ~0%     {4} r1 = JOIN Module::Cached::resolveConstant#ff#shared WITH Module::constantDefinition0#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1 'arg1', Lhs.0 'arg0', Lhs.2 'arg2'

                      0         ~0%     {3} r2 = JOIN r1 WITH Module::ClassDeclaration::getSuperclassExpr_dispred#ff ON FIRST 2 OUTPUT Lhs.2 'arg0', Lhs.1 'arg1', Lhs.3 'arg2'

                      0         ~0%     {3} r3 = JOIN r1 WITH Constant::ConstantAccess::getScopeExpr_dispred#ff ON FIRST 2 OUTPUT Lhs.2 'arg0', Lhs.1 'arg1', Lhs.3 'arg2'

                      0         ~0%     {3} r4 = r2 UNION r3
                                        return r4
```
 2021-11-12 14:08:11 +01:00