3367 Commits

Author	SHA1	Message	Date
Harry Maclean	3499d169f9	Ruby: Add missing QLDoc	2024-02-23 11:13:16 +00:00
Harry Maclean	3c69ab10f2	Ruby: Restrict rb/csrf-protection-not-enabled ... This query only applies to codebases using Ruby on Rails < 5.2, or where there is no call to `csrf_meta_tags` in the base ERb template.	2024-02-23 11:13:15 +00:00
Harry Maclean	49d826f667	Ruby: Add a query for CSRF protection not enabled ... Specifically in Rails apps, we look for root ActionController classes without a call to `protect_from_forgery`.	2024-02-23 11:13:14 +00:00
Tom Hvitved	62b16c0fa3	Share getFileBySourceArchiveName implementation	2024-02-23 11:25:49 +01:00
Tom Hvitved	94113521d1	Merge pull request #15689 from hvitved/ruby/no-field-branch-limit-summarized-callable ... Ruby: No `fieldFlowBranchLimit` for `SummarizedCallable`s	2024-02-23 10:47:22 +01:00
Harry Maclean	fbc689227d	Merge pull request #15604 from p-/p--rails-more-request-sources ... Ruby: add additional sources on the request object of Rails	2024-02-22 16:35:59 +00:00
Joe Farebrother	67e8f17c4c	Merge pull request #15619 from joefarebrother/ruby-activerecord-connection ... Ruby: Add additional sql sinks for ActiveRecord connection methods	2024-02-22 14:02:31 +00:00
Joe Farebrother	1f409b0456	Merge pull request #15671 from joefarebrother/ruby-activerecord-extra-args ... Ruby: Consider additional arguments to certain `ActiveRecord` methods as sql injection sinks.	2024-02-22 14:01:56 +00:00
Joe Farebrother	92bdd637a3	Address reveiw comment - add create nd remove select_insert	2024-02-22 09:55:46 +00:00
Tom Hvitved	ebee35b385	Ruby: No fieldFlowBranchLimit for SummarizedCallables	2024-02-22 10:27:25 +01:00
Tom Hvitved	23869fc8e6	Ruby: Fix bug in allowParameterReturnInSelf	2024-02-22 09:43:52 +01:00
github-actions[bot]	37f8fa3413	Post-release preparation for codeql-cli-2.16.3	2024-02-20 16:50:47 +00:00
Joe Farebrother	10da4d14d9	Add addtional arguments as sinks to certain methods	2024-02-20 16:35:29 +00:00
github-actions[bot]	6d061fbc35	Release preparation for version 2.16.3	2024-02-20 14:26:23 +00:00
Joe Farebrother	e36b9f4d3c	Add tests and change note	2024-02-15 15:26:20 +00:00
Harry Maclean	a9abba5859	Merge pull request #15520 from hmac/hmac-erb-raw-output-directive ... Ruby: Recognise raw Erb output as XSS sink	2024-02-15 08:05:16 +00:00
Joe Farebrother	37eb81097f	Add additional sinks for connection methods	2024-02-14 22:42:03 +00:00
Peter Stöckli	2f7b946c9f	Ruby: add sources on request object of Rails	2024-02-13 15:52:18 +01:00
Harry Maclean	6cc5c09769	Ruby: Simplify ErbOutputDirective	2024-02-13 08:38:16 +00:00
Harry Maclean	11040d628b	Ruby: Add changenote	2024-02-13 08:38:15 +00:00
Harry Maclean	3d9f9afa77	Merge pull request #15566 from hmac/hmac-actioncontroller-regex ... Ruby: Fix ActionController path regex	2024-02-12 14:14:57 +00:00
Harry Maclean	99497e5f3c	Merge pull request #15521 from hmac/hmac-ar-connection ... Ruby: Recognise more ActiveRecord connections	2024-02-12 14:06:50 +00:00
Harry Maclean	5af58d24e0	Ruby: Recognise raw Erb output as XSS sink	2024-02-12 13:28:44 +00:00
Marcono1234	d814decc17	Ruby: Fix formatting in changelog	2024-02-10 00:23:57 +01:00
Tom Hvitved	37d774176b	Ruby: Fix SSA inconsistency	2024-02-09 14:49:26 +01:00
Tom Hvitved	1ea7717714	Capture flow: Take overwrites in nested scopes into account	2024-02-09 14:49:23 +01:00
Harry Maclean	3a90d78c36	Ruby: Fix Rails view file regex ... This picks up non-nested template files correctly.	2024-02-09 09:41:43 +00:00
Dave Bartolomeo	92bd550c55	Merge pull request #15531 from github/post-release-prep/codeql-cli-2.16.2 ... Post-release preparation for codeql-cli-2.16.2	2024-02-08 05:58:17 -08:00
github-actions[bot]	b5139078d0	Post-release preparation for codeql-cli-2.16.2	2024-02-06 19:22:35 +00:00
github-actions[bot]	c1b35fbf47	Release preparation for version 2.16.2	2024-02-05 17:58:57 +00:00
Harry Maclean	f792b58421	Ruby: Recognise more ActiveRecord connections	2024-02-05 16:45:59 +00:00
Jim Ockers	e477909200	Merge branch 'main' into ockers/certification_not_certificate	2024-02-02 15:39:29 -08:00
James Ockers	9f7f9fcc6e	Updating change-notes to reflect what will be the visible change to end users	2024-02-02 11:38:17 -08:00
Harry Maclean	06334eee2e	Merge pull request #14554 from maikypedia/maikypedia/insecure-randomness ... Ruby: Add Insecure Randomness Query	2024-01-31 17:16:32 +00:00
James Ockers	0f1e21aa09	Adding per-language change-notes	2024-01-30 17:28:34 -08:00
James Ockers	eb5e0123d6	exclude certification from maybeCertificate() regexes	2024-01-30 13:16:18 -08:00
Tom Hvitved	803513acc6	Add change note	2024-01-30 20:30:58 +01:00
Tom Hvitved	d2d017dd64	Ruby: Model flow through ViewComponent render methods	2024-01-30 20:30:58 +01:00
Harry Maclean	557b49cfc5	Ruby: Add basic modeling for ViewComponent	2024-01-30 20:30:58 +01:00
Tom Hvitved	2d95ac9d5f	Merge pull request #15468 from hvitved/ruby/ctx-sensitivity-rework	2024-01-30 20:27:43 +01:00
Peter Stöckli	1947dee46a	Merge branch 'main' into p--oj-ox-unsafe-deser	2024-01-30 15:33:39 +01:00
Peter Stöckli	9596aebee3	Format: getValue now on one line	2024-01-30 15:22:16 +01:00
Peter Stöckli	3c8bc96ab5	replace occurence of AssignExprCfgNode for Oj as well	2024-01-30 15:17:37 +01:00
Peter Stöckli	e87effc18c	Apply suggestions from code review ... Co-authored-by: Arthur Baars <aibaars@github.com>	2024-01-30 15:14:35 +01:00
Tom Hvitved	503d2f7b95	Ruby: Rework mayBenefitFromCallContext	2024-01-30 09:57:29 +01:00
Harry Maclean	75b13da4e4	Ruby: Block flow from LHS of && expressions ... The only values that can flow from the LHS of an && expression are `false` and `nil`, neither of which seem relevant for any of our queries.	2024-01-30 08:53:32 +00:00
maikypedia	d7314a1689	File format	2024-01-27 14:07:36 +01:00
github-actions[bot]	d0b74c00fe	Post-release preparation for codeql-cli-2.16.1	2024-01-23 23:02:29 +00:00
github-actions[bot]	7ef611e6dc	Release preparation for version 2.16.1	2024-01-23 19:45:16 +00:00
erik-krogh	865df920f9	add change-notes	2024-01-22 19:30:57 +01:00