hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 01:33:15 +01:00
Code Issues Packages Projects Releases Wiki Activity
78,334 Commits 1,671 Branches 157 Tags
ginsbach/OverlayLocalJava
Commit Graph

1619 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
adf109b624 Merge branch 'main' into inline-fail-tag 2022-10-27 13:42:32 +02:00
Rasmus Wriedt Larsen
6d43db43dd Ruby: Fix tag missing from getARelevantTag 2022-10-27 09:12:06 +02:00
Rasmus Wriedt Larsen
fc7eb5b4fc InlineExpectationsTest: sync 2022-10-27 09:02:28 +02:00
Rasmus Wriedt Larsen
5e9897d150 InlineExpectationsTest: sync 2022-10-26 18:21:13 +02:00
thiggy1342
9c1fbfd330 Merge branch 'main' into expand-ruby-ssrf-sinks-faraday-connection-new 2022-10-25 13:09:17 -04:00
erik-krogh
e8dce25cc2 fix rb/code-injection 2022-10-25 14:44:23 +02:00
Erik Krogh Kristensen
ef5132b0ae Merge pull request #10883 from erik-krogh/codeSink 
RB: don't flag code-injection for dynamic loading where an attacker only controls a substring
 2022-10-24 18:59:36 +02:00
thiggy1342
952ad6ea46 Merge branch 'main' into expand-ruby-ssrf-sinks-faraday-connection-new 2022-10-24 09:52:24 -04:00
Erik Krogh Kristensen
5ff98cd80e Merge pull request #10888 from erik-krogh/glob 
Ruby: add model for Dir.glob and other Dir methods
 2022-10-24 14:17:37 +02:00
Asger F
bcfe4ece6f Merge pull request #10918 from asgerf/rb/constant-compound-assignment 
Ruby: handle compound constant-assignment
 2022-10-24 14:07:28 +02:00
Asger F
cac2e2e2e4 Merge pull request #10928 from asgerf/rb/assumed-global-const 
Ruby: assume some global constants are defined
 2022-10-24 14:06:34 +02:00
erik-krogh
85cd7f9121 add model for Dir.glob and other Dir methods 2022-10-24 12:05:26 +02:00
Arthur Baars
b3855b089a Ruby: some more tests 2022-10-22 14:15:29 +02:00
Arthur Baars
ccaa12998d Ruby: desugar compound constant-assignments 2022-10-22 01:11:35 +02:00
Nick Rolfe
269c27757d Ruby: include value-preserving flow in localTaintStep 2022-10-21 16:17:11 +01:00
Nick Rolfe
5319216c18 Ruby: add test of TaintTracking::localFlowStep 2022-10-21 16:04:04 +01:00
Asger F
84ae17dcbb Ruby: ensure Object is a transitive superclass 2022-10-21 15:18:59 +02:00
Tom Hvitved
4422327c00 Ruby: Call-context sensitivity for singleton method calls 2022-10-21 11:48:25 +02:00
Asger F
db58e3357b Ruby: allow speculative container qname resolution 2022-10-21 11:44:11 +02:00
Tom Hvitved
6feff7e3ed Ruby: Add more data-flow call sensitivity tests 2022-10-21 09:36:34 +02:00
Asger F
d26b0892cf Ruby: also add an AST test 2022-10-21 09:23:21 +02:00
Asger F
038bdecad7 Ruby: add test with compound assignment to a constant 2022-10-21 09:20:03 +02:00
thiggy1342
244a3329e0 Merge branch 'main' into expand-ruby-ssrf-sinks-faraday-connection-new 2022-10-20 16:37:57 -04:00
thiggy1342
4c3e3e442a Add Faraday::Connection.new as sink for SSRF query 2022-10-20 20:32:08 +00:00
Asger F
8c2c28dd56 Ruby: add test showing missing superclass edge 2022-10-20 15:56:58 +02:00
Tom Hvitved
faaead682e Ruby: Block for steps into self parameters in trackModuleAccess 2022-10-20 13:00:12 +02:00
Tom Hvitved
bda98261cc Ruby: Add more call graph tests 2022-10-20 12:59:32 +02:00
erik-krogh
c13e8e4f48 Merge branch 'main' into formatTaint 2022-10-20 10:46:16 +02:00
erik-krogh
7797211118 Merge branch 'main' into unsafeRbCmd 2022-10-20 10:34:17 +02:00
erik-krogh
3dd89bb7bf remove duplicate alerts due to multiple states reaching the same sink 2022-10-19 13:19:18 +02:00
erik-krogh
3e51f6fa8e use flow-states to remove FPs related to an attacker only controlling a substring in code-injection 2022-10-19 13:00:44 +02:00
erik-krogh
d77b31672d add failing test for safe-ish uses of Object.send 2022-10-19 11:27:08 +02:00
erik-krogh
cb33d5aeff add test for .send(..) in code-injection 2022-10-19 11:25:30 +02:00
erik-krogh
e29bf8ced2 Merge branch 'main' into html_safe 2022-10-18 19:49:37 +02:00
Tom Hvitved
61b9065135 Ruby: Fix syntax error in a test 2022-10-18 16:49:32 +02:00
erik-krogh
8a3e255e12 remove FPs in rb/stored-xss from spurious sources 2022-10-18 11:07:48 +02:00
erik-krogh
e47e20c5e7 remove use of HtmlSafeCall from tests 2022-10-18 10:43:24 +02:00
erik-krogh
5a98f66bef simplify the modeling of html_safe. Any call to html_safe is now considered an XSS sink 2022-10-18 10:43:22 +02:00
erik-krogh
bb4bc55c6a update expected output 2022-10-17 15:52:21 +02:00
erik-krogh
f09e3bd3ac add String#% as a printf like call 2022-10-17 13:51:43 +02:00
Arthur Baars
f7ff2cdc0d Merge branch 'main' into actiondispatch-response 2022-10-17 13:22:17 +02:00
erik-krogh
d4919d04ba add a taint-step for format-calls 2022-10-17 13:16:38 +02:00
Erik Krogh Kristensen
122d188f1d Merge pull request #10832 from erik-krogh/passRb 
RB: add model for the `Digest` and `OpenSSL::Digest` modules
 2022-10-17 10:02:33 +02:00
Harry Maclean
aa6c433529 Ruby: Update test fixture 
This change is due to a8fdda65fb.
 2022-10-17 09:44:32 +13:00
Harry Maclean
0e6322d673 Ruby: Restrict XSS header sinks 
Not all header writes are relevant to XSS. Restrict these to just
content-type and access-control-allow-origin.
 2022-10-17 09:34:44 +13:00
Harry Maclean
8ae86cf443 Ruby: Consider header writes as XSS sinks 2022-10-17 08:17:37 +13:00
Harry Maclean
73ca595b56 Ruby: Model ActionDispatch::Response 2022-10-17 08:17:37 +13:00
Arthur Baars
ae0c9b76e0 Merge pull request #10843 from aibaars/fix-self 
Ruby: fix self variables in blocks
 2022-10-15 00:48:14 +02:00
Alex Ford
2c5129e720 Merge pull request #10369 from alexrford/rb/sensitive-get-query 
Ruby: add `rb/sensitive-get-query` query
 2022-10-14 22:34:47 +01:00
Arthur Baars
a8fdda65fb Ruby: fix self variables in blocks 2022-10-14 16:02:39 +02:00