hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
78,334 Commits 1,671 Branches 157 Tags
ginsbach/OverlayLocalJava
Commit Graph

549 Commits

Author SHA1 Message Date
Harry Maclean
6998608257 Ruby: Document missing test result 2022-04-27 12:47:09 +12:00
Harry Maclean
bb3fb0325b Ruby: Add InsecureDownload query 
This query finds cases where a potentially unsafe file is downloaded
over an unsecured connection.
 2022-04-27 12:47:09 +12:00
Harry Maclean
2feb4a48be Ruby: Add hasMisleadingAnchorPrecedence to MissingRegExpAnchor 2022-04-27 10:12:33 +12:00
Harry Maclean
e3c3c00c68 Ruby: Add MissingRegExpAnchor query 2022-04-27 10:12:33 +12:00
Nick Rolfe
9b6e610e24 Merge remote-tracking branch 'origin/main' into nickrolfe/incomplete_sanitization 2022-04-20 12:05:22 +01:00
Harry Maclean
c3f1fba985 Merge pull request #8598 from hmac/hmac/insecure-dep-resolution 
Ruby: Add rb/insecure-dependency query
 2022-04-14 02:09:44 +02:00
Nick Rolfe
fdca896614 Ruby: improve handling of [g]sub! 
rb/incomplete-sanitization has a few cases where we find flow from one
one string substitution call to another, e.g.

    a.sub(...).sub(...)

But this didn't find typical chained uses of the destructive variants,
e.g.

    a.sub!(...)
    a.sub!(...)

We now handle those cases by tracking flow from the post-update node for
the receiver of the first call.
 2022-04-13 17:19:25 +01:00
Nick Rolfe
bbb8177176 Ruby: add rc/incomplete-sanitization query 2022-04-13 16:48:43 +01:00
Harry Maclean
8f3578c92a Ruby: Include query results in test 2022-04-05 10:20:02 +12:00
Harry Maclean
3d96c5e6db Ruby: Add test case for rb/insecure-dependency 
This tests that we recognise kwargs in hashrocket style:

    gem "foo", "1.2.3", :git => "..."

as well as the modern style:

    gem "foo", "1.2.3", git: "..."
 2022-04-01 15:30:07 +13:00
Alex Ford
882f78c6f9 Merge remote-tracking branch 'origin/main' into ruby/weak-cryptographic-algorithm 2022-03-31 17:17:46 +01:00
Arthur Baars
15c54f6100 Merge pull request #8354 from aibaars/incomplete-url-string-sanitization 
Incomplete url string sanitization
 2022-03-31 10:59:51 +02:00
Harry Maclean
37cedda63a Ruby: Add InsecureDependencyResolution query 
This query looks for places in a Gemfile where URLs with insecure
protocols (HTTP or FTP) are specified.
 2022-03-30 13:39:15 +13:00
Arthur Baars
74aea81fe3 Ruby: refactor regex libraries 2022-03-24 11:37:02 +01:00
Arthur Baars
65f8f56095 Merge branch 'main' into incomplete-url-string-sanitization 2022-03-24 11:27:30 +01:00
Arthur Baars
06a99c3987 Ruby: fix location of setter-call argument 2022-03-23 12:55:52 +01:00
Harry Maclean
ff1d96c922 Ruby: Add rb/http-to-file-access query 2022-03-22 11:09:08 +13:00
Harry Maclean
6c18e1d7ac Merge pull request #8272 from hmac/hmac/tainted-format-string 2022-03-22 08:37:47 +13:00
Alex Ford
c891c53835 Merge pull request #8395 from alexrford/ruby/clear-text-storage 
Ruby: add `rb/clear-text-storage-sensitive-data` query
 2022-03-21 10:05:39 +00:00
Harry Maclean
5a6da827d0 Ruby: Avoid FP in TaintedFormatString query 
Kernel#printf supports two call signatures:

    printf(String, *args)
    printf(IO, String, *args)

We want to identify the String argument, which is the format string.
Previously we would return the 0th and 1st arguments, which gives some
FPs when the 1st arg is not a format string.

We now try to rule out the trivial case by checking if arg 0 has a
string value, and then assuming it is the format string. Otherwise we
fall back to returning both arguments.

This still has some false positive potential, but less than previously.
 2022-03-21 12:51:47 +13:00
Harry Maclean
4249e30824 Ruby: Test tainted interpolated format arg 2022-03-21 12:51:18 +13:00
Harry Maclean
f6215d4c7e Ruby: Add rb/tainted-format-string query 2022-03-21 12:51:18 +13:00
Arthur Baars
bf888f0f0b Merge remote-tracking branch 'upstream/main' into incomplete-url-string-sanitization 
Conflicts:
	config/identical-files.json
	javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
	javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll
	ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll
 2022-03-18 16:09:20 +01:00
Arthur Baars
431b60506e Merge remote-tracking branch 'upstream/main' into incomplete-hostname 2022-03-18 13:05:34 +01:00
Arthur Baars
1a51f0cf56 Ruby: regex: fix getGroupNumber 
non-capture groups should not have a group number
 2022-03-16 18:50:51 +01:00
Arthur Baars
fb8cc6e1a4 Ruby: String.index method returns 'nil', not '-1' 2022-03-16 16:18:19 +01:00
Asger F
228570129e Merge branch 'main' into ruby/mad-prototype 2022-03-16 13:50:31 +01:00
Arthur Baars
6b323eeda8 Update expected output 2022-03-16 12:34:03 +01:00
Arthur Baars
ab93b3784b Merge remote-tracking branch 'upstream/main' into incomplete-hostname 2022-03-16 12:31:12 +01:00
Nick Rolfe
6bd9616c6e Ruby: interpret string escape sequences in getConstantValue() 2022-03-14 15:45:57 +00:00
Alex Ford
40b87e6df7 Ruby: tests for rb/weak-cryptographic-algorithm 2022-03-13 21:25:24 +00:00
Alex Ford
0f0a51e2e0 Ruby: update test output 2022-03-10 18:27:06 +00:00
Alex Ford
43fb759dfa Ruby: add a few more rb/clear-text-storage-sensitive-data test cases 2022-03-10 17:52:50 +00:00
Alex Ford
37c0702cdd Ruby: update test output 2022-03-10 17:50:29 +00:00
Alex Ford
0f3cf47ca9 Ruby/JS/Py: Add "random" to the notSensitiveRegexp() heuristic 2022-03-10 17:38:52 +00:00
Alex Ford
8be1be388e Ruby: update CleartextStorage test output for source locations 2022-03-10 17:38:52 +00:00
Alex Ford
ef29a372a4 Ruby: Cleartext storage tests 2022-03-10 17:38:52 +00:00
Arthur Baars
a1873cc803 Ruby: IncompleteUrlSubstringSanitization.ql 2022-03-07 16:17:32 +01:00
Arthur Baars
c9fa1fb5bb Ruby: copy JS version of IncompleteUrlSubstringSanitization.ql 2022-03-07 16:17:08 +01:00
Arthur Baars
097c661362 Ruby: drop results that cannot be found yet from IncompleteHostnameRegExp.expected 2022-03-07 16:10:08 +01:00
Arthur Baars
9e8930c192 Ruby: IncompleteHostnameRegExp.ql 2022-03-07 16:10:08 +01:00
Arthur Baars
832c9c4b0b Ruby: copy IncompleteHostnameRegExp files from JavaScript 2022-03-07 16:10:07 +01:00
Harry Maclean
1181779c10 Merge pull request #7920 from github/hmac/string-flow-summaries 
Ruby: Add String flow summaries
 2022-03-04 09:09:19 +13:00
Asger Feldthaus
e6a3747656 Ruby: add test for ActiveStorage.Filename.new 2022-03-01 14:08:21 +01:00
Asger Feldthaus
cbd044a768 Ruby: add a code injection test for flwo through Regexp.escape 2022-03-01 14:08:21 +01:00
Arthur Baars
b2745d44f2 Ruby: update ReDoS.expected 2022-03-01 13:30:56 +01:00
Arthur Baars
5ce6b847d1 Merge pull request #8166 from aibaars/regex-char-sequence-1 
Ruby/Python: regex parser: group sequences of 'normal' characters
 2022-02-28 17:47:53 +01:00
Arthur Baars
69ed121ecb Ruby/Python: regex parser: group sequences of 'normal' characters 2022-02-22 16:15:33 +01:00
Harry Maclean
07c70adde5 Ruby: Update CleartextLogging fixture 
The flow summary for `String#sub` leads to two new results in this test.
They are duplicates of existing results, because the query is quite
liberal in what it considers a source.

```ruby

password = "abc"
password_masked = password.sub(/./, "x")
Logger.new(STDOUT).info password_masked

```

In the example above, the query considers lines 1 and 2 to both be
sources, with a sink at line 3. Previously there was no flow from line 1
to line 3 because of the missing flow summary for `String#sub`, and
therefore there was just one result. Now we have the flow summary, there
are two results.

Line 2 is considered a source because it is an assignment to a variable
that contains the term "password". I'm not sure how to adjust the query
to avoid these duplicates, so I'm leaving them in for now.
 2022-02-22 16:58:41 +13:00
Alex Ford
dd383f942f Merge remote-tracking branch 'origin/main' into ruby/clear-text-logging 2022-02-17 15:32:31 +00:00