hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
78,334 Commits 1,671 Branches 157 Tags
ginsbach/OverlayLocalJava
Commit Graph

1619 Commits

Author SHA1 Message Date
Alex Ford
e5fbc92856 Ruby: generalize rails flow step for accessing render locals hash in view 2023-01-20 13:40:19 +00:00
erik-krogh
25e65e0d9f rewrite the regexp tracking DataFlow::Configuration to TypeTracking 2023-01-18 10:10:36 +01:00
erik-krogh
2fceee4e35 track regular expressions that gets compiled with Regexp.compile 2023-01-18 09:31:04 +01:00
erik-krogh
acf28ebd98 add a RegexExecution, and use it to track regular expressions to their uses in a nice way in rb/polynomial-redos 2023-01-18 09:31:04 +01:00
erik-krogh
6e33dd5df6 add failing test 2023-01-18 09:31:04 +01:00
erik-krogh
8251ad5e99 add unsafe-html-construction query 2023-01-17 15:35:17 +01:00
erik-krogh
a562568522 add string concat as a sink for command-construction 2023-01-17 14:48:09 +01:00
erik-krogh
8fc3b268e8 add string concat as a sink for code-construction 2023-01-17 14:48:06 +01:00
Erik Krogh Kristensen
59a8b21851 Merge pull request #10862 from erik-krogh/unsafeCodeConstruction 
Rb: Add an `unsafe-code-construction` query
 2023-01-16 13:22:58 +01:00
Arthur Baars
46063c7d04 Ruby: update expected output 2023-01-13 10:22:41 +01:00
Arthur Baars
c4ec674057 Ruby: support anonymous (hash)splat parameters/arguments 2023-01-13 10:22:41 +01:00
Harry Maclean
0626d693f5 Ruby: Recognise rack applications 
This is a basic first step in modelling rack apps. We recognise classes
that look like rack applications and then treat the argument to `call`
in the same way that we treat `request.env` in ActionController classes.

This finds a TP in CVE-2021-43840.
 2023-01-12 11:28:31 +13:00
Tony Torralba
c9d1cd97fb Ruby: Remove omittable exists variables 2023-01-10 13:39:49 +01:00
Erik Krogh Kristensen
5157d4df7b Merge pull request #11581 from erik-krogh/stdin 
Rb: add stdin as source for unsafe-deserialization
 2023-01-09 13:57:47 +01:00
yoff
c01ce955ba Merge pull request #11778 from yoff/shared/inline-tests 
Shared: Inline test expectations
 2023-01-09 13:21:18 +01:00
erik-krogh
19d2b49562 drive-by: make Base64.decode64(..) into a flowsummary that is shared with all queries 2023-01-06 09:04:37 +01:00
erik-krogh
1a27441cfb drive-by: delete code-execution sinks from unsafe-deserialization, we risked duplicate alerts 2023-01-06 09:04:36 +01:00
erik-krogh
0e6028a7f3 add stdin as source for unsafe-deserialization 2023-01-06 09:04:36 +01:00
erik-krogh
f98ff65b11 use eval() instead of send() in test 2023-01-05 20:04:04 +01:00
Rasmus Lerchedahl Petersen
c3b3c05cf3 Revert "Merge pull request #37 from erik-krogh/shared/inline-tests" 
This reverts commit 65fe9abcfe, reversing
changes made to 08e9d3391f.
 2023-01-05 09:19:43 +01:00
Harry Maclean
4d228bcddf Ruby: Recognise more string-valued variables 
This increases the sensitivity of our barrier guards.
 2023-01-04 11:45:10 +13:00
Harry Maclean
9944252c43 Ruby: Add test for barrier guards 
This demonstrates that we are missing a guard when a case branch
compares against a string-valued variable rather than a string literal.
 2023-01-04 11:45:10 +13:00
Harry Maclean
698a679c78 Ruby: add test 2023-01-04 11:45:10 +13:00
Harry Maclean
0fbb6bf608 Ruby: Make array inclusion barrier more sensitive 2023-01-04 11:45:09 +13:00
Erik Krogh Kristensen
79a2b6d0b0 use any() instead of this = this 
Co-authored-by: Arthur Baars <aibaars@github.com>
 2023-01-02 10:49:54 +01:00
erik-krogh
99dc0a8356 fix binding 2023-01-02 10:30:28 +01:00
Harry Maclean
b70ca77afc Merge pull request #10899 from hmac/flow-summary-docs 
Ruby: Document flow summary syntax
 2022-12-28 10:47:38 +13:00
erik-krogh
b3dd50bc36 inline Location into the shared implementation of InlineExpectationsTest 2022-12-22 11:09:43 +01:00
Rasmus Lerchedahl Petersen
0d6c643d77 ruby: use shared inline tests 
- remove from identical-files
 2022-12-22 10:20:07 +01:00
Arthur Baars
0f313231bc AlertSuppression: add more tests 2022-12-19 16:43:11 +01:00
Arthur Baars
c176606be5 AlertSuppression: allow //lgtm comments to scope over the next line 2022-12-19 16:10:26 +01:00
Arthur Baars
016c7a8ca7 Merge pull request #11719 from aibaars/alert-suppression-shared 
Shared AlertSuppression library
 2022-12-19 16:04:44 +01:00
Arthur Baars
06736e3e91 Add .gitattributes for Windows test files 2022-12-19 12:39:01 +01:00
erik-krogh
db49cfb723 Merge branch 'main' into kernelLoad 2022-12-19 09:46:25 +01:00
Tom Hvitved
e629568eda Merge pull request #11720 from hvitved/ruby/call-sensitive-initialize-bug-fix 
Ruby: Fix bug in call-sensitivity logic for `initialize` calls
 2022-12-16 16:36:31 +01:00
Tom Hvitved
bfc257147c Ruby: Fix bug in call-sensitivity logic for initialize calls 2022-12-16 11:17:15 +01:00
Tom Hvitved
accf4ca364 Ruby: Recognize custom self.new methods that return self.allocate 2022-12-16 09:23:36 +01:00
Tom Hvitved
b64083d08e Ruby: Add more call graph tests 2022-12-16 09:21:00 +01:00
Tom Hvitved
d7e44a5426 Merge pull request #10714 from hvitved/ruby/initialize 
Ruby: Model flow through `initialize` constructors
 2022-12-15 13:42:59 +01:00
Alex Ford
1b49bfe605 Merge pull request #11497 from alexrford/ruby/rails_globalid 
Ruby: model `rails/globalid` component
 2022-12-15 10:35:15 +00:00
Alex Ford
2af5925f38 Ruby: improve coverage of GlobalID::Identification modelling 2022-12-14 15:21:19 +00:00
Tom Hvitved
5d9c64ba6f Ruby: Model flow through initialize constructors 2022-12-14 12:57:39 +01:00
Tom Hvitved
9a7628c988 Ruby: Add data flow tests for constructors 2022-12-14 12:57:39 +01:00
erik-krogh
ccf520a5cd Merge branch 'main' into unsafeCodeConstruction 2022-12-13 18:31:49 +01:00
Erik Krogh Kristensen
4ff823c36b Merge pull request #11366 from p-/p--ruby-kernel-open-addition 
Ruby: Add additional sinks to the `rb/kernel-open` query
 2022-12-12 15:56:01 +01:00
Harry Maclean
6c8896d83f Merge pull request #11337 from hmac/actionmailbox 
Ruby: Model ActionMailbox
 2022-12-12 10:29:23 +13:00
Peter Stöckli
d2c8e70be1 Adjust expected file for TaintStep (due to changes to File.join) 2022-12-09 09:57:19 +01:00
Peter Stöckli
03fff2709b Add suggestions to fix FileJoinSanitizer 2022-12-09 09:42:44 +01:00
Peter Stöckli
0d8c82009c Merge branch 'main' into p--ruby-kernel-open-addition 2022-12-09 07:54:56 +01:00
erik-krogh
1a6e16f292 Merge branch 'main' into kernelLoad 2022-12-08 15:41:48 +01:00