codeql

mirror of https://github.com/github/codeql.git synced 2025-12-17 09:13:20 +01:00

Author	SHA1	Message	Date
amammad	32f5667bb6	revert YAML.qll and yaml sinks to previous PR, make a separate experimental query only for yaml	2024-02-26 12:12:03 +00:00
amammad	c582ea626d	update expected test file	2024-02-26 12:10:04 +00:00
amammad	9c5c8c8362	fix test file	2024-02-26 12:05:35 +00:00
amammad	464e2e4291	fix qldoc and test files	2024-02-26 12:04:52 +00:00
amammad	1410574f76	make seperate steps for YAML.parse* and use `getAsuccessor*()` to reach final to_ruby method call, All parts have Rewritten with API graphs exclusively	2024-02-26 11:59:35 +00:00
Harry Maclean	8bed3fbed4	Ruby: Add basic model for Terrapin library	2024-02-26 11:32:41 +00:00
Harry Maclean	beef9965cc	Ruby: Model Open4 library Also remove duplicate modeling of Process.spawn.	2024-02-26 11:26:38 +00:00
Joe Farebrother	386defc3c7	Update test output	2024-02-26 11:21:03 +00:00
Harry Maclean	dd092fd18f	Ruby: Fix CSRF test	2024-02-26 11:02:54 +00:00
Tom Hvitved	5b6e76c030	Move `View CFG` implementation from Ruby/Swift into shared library	2024-02-26 11:23:49 +01:00
Joe Farebrother	2257df5c6f	Model Arel::Nodes::SqlLiteral.new	2024-02-26 10:09:33 +00:00
Harry Maclean	32b775fdc3	Ruby: reduce duplicate alerts for csrf query Only generate an alert on the top-most vulnerable Rails controller in the controller tree.	2024-02-23 11:13:17 +00:00
Harry Maclean	f19a5a9837	Ruby: Add tests for Gemfile modeling	2024-02-23 11:13:16 +00:00
Harry Maclean	6d6f8ba512	Ruby: Make CSRF query more sensitive Generate an alert for every controller class that doesn't have or inherity a `protect_from_forgery` setting.	2024-02-23 11:13:15 +00:00
Harry Maclean	49d826f667	Ruby: Add a query for CSRF protection not enabled Specifically in Rails apps, we look for root ActionController classes without a call to `protect_from_forgery`.	2024-02-23 11:13:14 +00:00
Harry Maclean	fbc689227d	Merge pull request #15604 from p-/p--rails-more-request-sources Ruby: add additional sources on the request object of Rails	2024-02-22 16:35:59 +00:00
Joe Farebrother	67e8f17c4c	Merge pull request #15619 from joefarebrother/ruby-activerecord-connection Ruby: Add additional sql sinks for ActiveRecord connection methods	2024-02-22 14:02:31 +00:00
Joe Farebrother	1f409b0456	Merge pull request #15671 from joefarebrother/ruby-activerecord-extra-args Ruby: Consider additional arguments to certain `ActiveRecord` methods as sql injection sinks.	2024-02-22 14:01:56 +00:00
Joe Farebrother	92bdd637a3	Address reveiw comment - add `create` nd remove `select_insert`	2024-02-22 09:55:46 +00:00
Tom Hvitved	23869fc8e6	Ruby: Fix bug in `allowParameterReturnInSelf`	2024-02-22 09:43:52 +01:00
Tom Hvitved	007d08ea63	Ruby: Add another variable capture test	2024-02-22 09:39:01 +01:00
Joe Farebrother	10da4d14d9	Add addtional arguments as sinks to certain methods	2024-02-20 16:35:29 +00:00
Joe Farebrother	e36b9f4d3c	Add tests and change note	2024-02-15 15:26:20 +00:00
Harry Maclean	a9abba5859	Merge pull request #15520 from hmac/hmac-erb-raw-output-directive Ruby: Recognise raw Erb output as XSS sink	2024-02-15 08:05:16 +00:00
Peter Stöckli	2f7b946c9f	Ruby: add sources on request object of Rails	2024-02-13 15:52:18 +01:00
Harry Maclean	3d9f9afa77	Merge pull request #15566 from hmac/hmac-actioncontroller-regex Ruby: Fix ActionController path regex	2024-02-12 14:14:57 +00:00
Harry Maclean	99497e5f3c	Merge pull request #15521 from hmac/hmac-ar-connection Ruby: Recognise more ActiveRecord connections	2024-02-12 14:06:50 +00:00
Harry Maclean	5af58d24e0	Ruby: Recognise raw Erb output as XSS sink	2024-02-12 13:28:44 +00:00
Tom Hvitved	37d774176b	Ruby: Fix SSA inconsistency	2024-02-09 14:49:26 +01:00
Tom Hvitved	1ea7717714	Capture flow: Take overwrites in nested scopes into account	2024-02-09 14:49:23 +01:00
Tom Hvitved	0c43ad45b4	Ruby: Add another captured variable data flow test	2024-02-09 14:48:36 +01:00
Anders Schack-Mulligen	35a3aa0a09	Ruby: Add empty provenance column to expected files.	2024-02-09 11:32:08 +01:00
Harry Maclean	3a90d78c36	Ruby: Fix Rails view file regex This picks up non-nested template files correctly.	2024-02-09 09:41:43 +00:00
Harry Maclean	48890b446d	Ruby: Add more actioncontroller tests	2024-02-09 09:31:35 +00:00
Koen Vlaswinkel	87eb1ab103	Ruby: Include ReturnValue and exclude self for constructors	2024-02-08 13:40:10 +01:00
Harry Maclean	f792b58421	Ruby: Recognise more ActiveRecord connections	2024-02-05 16:45:59 +00:00
Koen Vlaswinkel	49dbad96f9	Switch from details string to DataFlow::Node	2024-02-05 16:33:01 +01:00
Koen Vlaswinkel	f83d2a7d55	Ruby: Avoid using toString where possible	2024-02-02 14:18:21 +01:00
Koen Vlaswinkel	8853acb4dd	Ruby: Add query for access paths in model editor	2024-02-01 16:20:00 +01:00
Tom Hvitved	8972133d4b	Merge pull request #15498 from hvitved/ruby/ctx-sensitivity-test Ruby: Add another dataflow test	2024-02-01 12:46:53 +01:00
Tom Hvitved	792f302bd4	Ruby: Add another dataflow test	2024-02-01 10:52:06 +01:00
Koen Vlaswinkel	ce4d8d6b51	Merge pull request #15490 from github/koesie10/ruby-model-constructor-on-new Ruby: Model constructors in endpoint query on new instead of initialize	2024-02-01 09:31:49 +01:00
Harry Maclean	06334eee2e	Merge pull request #14554 from maikypedia/maikypedia/insecure-randomness Ruby: Add Insecure Randomness Query	2024-01-31 17:16:32 +00:00
Koen Vlaswinkel	c1aaf5a574	Ruby: Model constructors in endpoint query on new	2024-01-31 13:54:48 +01:00
Harry Maclean	4cfdf8b7a3	Ruby: Add test case for view without ERB template	2024-01-30 20:30:59 +01:00
Tom Hvitved	d2d017dd64	Ruby: Model flow through `ViewComponent` render methods	2024-01-30 20:30:58 +01:00
Tom Hvitved	817a2b71a8	Add more tests	2024-01-30 20:30:58 +01:00
Harry Maclean	5b3a2b35b7	Update expected file	2024-01-30 20:30:58 +01:00
Harry Maclean	75a37486c9	Add WIP query for erb flow	2024-01-30 20:30:58 +01:00
Harry Maclean	bf3b86b402	Add test for erb flow	2024-01-30 20:30:58 +01:00

... 2 3 4 5 6 ...

1619 Commits