hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
78,334 Commits 1,672 Branches 157 Tags
ginsbach/OverlayLocalJava
Commit Graph

4731 Commits

Author SHA1 Message Date
Michael Nebel
30d554503a C#/Java: Fix some QL doc spelling typos. 2022-08-24 09:58:53 +02:00
Michael Nebel
160ae934af C#/Java/Ruby/Swift: Fix typo in QL doc. 2022-08-24 09:58:53 +02:00
Michael Nebel
581824a9b4 C#/Java/Ruby/Swift: Fix various typos. 2022-08-24 09:58:53 +02:00
Michael Nebel
fbc0e6a1ec Ruby: Sync files and make dummy negative summary implementation. 2022-08-24 09:58:52 +02:00
Anders Schack-Mulligen
b83e851ac6 Ruby: one more pragma 2022-08-23 16:04:29 +02:00
Anders Schack-Mulligen
0ea55a9581 Ruby: autoformat 2022-08-23 15:58:29 +02:00
Anders Schack-Mulligen
844e0129b6 Ruby: Perf fix for trackUseNode. 2022-08-23 15:50:54 +02:00
Rasmus Wriedt Larsen
eccc7d6d6f Ruby: Remove redundant .getExpr() 2022-08-23 15:42:21 +02:00
Rasmus Wriedt Larsen
717a355913 Ruby: Accept grammar fix 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2022-08-23 15:36:45 +02:00
Rasmus Wriedt Larsen
d832298e40 Ruby: Accept grammar fix 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2022-08-23 15:36:37 +02:00
erik-krogh
5e3cb08ed2 rename stateInPumpableRegexp to stateInRelevantRegexp 2022-08-23 12:40:45 +02:00
erik-krogh
f7846a598e add change-notes 2022-08-23 07:54:01 +02:00
erik-krogh
94ec0b8a52 update expected output of tests 2022-08-23 07:19:37 +02:00
erik-krogh
7e0bd5bde4 update expected output of tests 2022-08-22 21:41:47 +02:00
erik-krogh
df9a9f4a56 update rb/stored-css to match javascript 2022-08-22 21:41:47 +02:00
erik-krogh
9b257bfa9e update rb/reflected-xss to match javascript 2022-08-22 21:41:47 +02:00
erik-krogh
778879908e update rb/code-injection to match python 2022-08-22 21:41:46 +02:00
erik-krogh
034d197e01 update {java/rb}/xxe to match python/javascript 2022-08-22 21:41:46 +02:00
erik-krogh
3553f3d9b8 update {rb/py/js/go}/path-injection to match java/csharp 2022-08-22 21:41:45 +02:00
erik-krogh
b471a401cc update {rb/js/java}/unused-parameter to match python 2022-08-22 21:41:45 +02:00
erik-krogh
e89e0eb7fb make some acronyms camelCase 2022-08-22 21:22:35 +02:00
Rasmus Wriedt Larsen
61bf2154cd Merge branch 'main' into shared-http-client-request 2022-08-22 12:05:37 +02:00
Chris Smowton
f3ef8510d3 Merge pull request #10093 from smowton/smowton/feature/java-singular-locations 
Java: pick an arbitrary representative location when an entity has many candidate locations.
 2022-08-22 09:32:43 +01:00
erik-krogh
049af68bc2 restrict suffix-construction to relevant regexps 2022-08-21 20:35:39 +02:00
Chris Smowton
8d20b9cf52 Use hasLocationInfo to match several Location fields at once 2022-08-19 19:03:17 +01:00
erik-krogh
bcf4c57060 Merge branch 'main' into redosPrefix 2022-08-19 19:22:49 +02:00
erik-krogh
d052b1e3c9 also support regular expressions without repetitions 2022-08-19 19:21:44 +02:00
Chris Smowton
1ea7caf559 Fix join ordering in inline-expectations test 2022-08-19 18:17:22 +01:00
Rasmus Wriedt Larsen
9790594984 Ruby: Bugfix after HTTP::Client::Request change 
I guess this is not 100% accurate any longer since the base class is
only a `DataFlow::Node` now... I guess we could make it a
`DataFlow::CallNode` in the Concept definition.
 2022-08-19 16:25:47 +02:00
Rasmus Wriedt Larsen
9eda630965 Ruby: Add CallNode.getKeywordArgumentIncludeHashArgument 2022-08-19 15:54:15 +02:00
Rasmus Wriedt Larsen
10968bf115 Ruby: Fix alert-msg logic for RequestWithoutValidation.ql 
This really surprised me, but as shown on the results, it does actually
make a difference in the alert-message.
 2022-08-19 15:50:09 +02:00
Rasmus Wriedt Larsen
0ac3624342 Ruby: Implement new disablesCertificateValidation for all HTTP client models 
Sadly most alert text changed, but the two important changes are:

1. The request on RestClient.rb:19 now has an expanded alert text,
   highlighting where the origin of the value that disables certificate
   validation comes from. (in this case, it's trivial since it's the
   line right above)
2. We handle passing `false`/`OpenSSL::SSL::VERIFY_NONE` the same in the
   argument passing examples in Faraday.rb
 2022-08-19 15:46:22 +02:00
Rasmus Wriedt Larsen
1f028ac206 Ruby: Implement new disablesCertificateValidation for RestClient 2022-08-19 15:43:19 +02:00
Rasmus Wriedt Larsen
07d95918f2 Ruby: Add more RequestWithoutValidation.ql tests 
Added:
- one where the value is not directly used when disabling certificate
  validation.
- one with argument passing, Faraday, where it is only the passing of
  `OpenSSL::SSL::VERIFY_NONE` that is recognized.
 2022-08-19 15:42:50 +02:00
Tom Hvitved
663096fe3a Remove redundant overrides 2022-08-19 13:57:41 +02:00
Rasmus Wriedt Larsen
47c9c5bddd Ruby: Update RequestWithoutValidation.ql to match Python version 
No library modeling currently has support for the new disablesCertificateValidation/2, so only the alert text has changed

(removed an import from Python so the queries would ACTUALLY match)
 2022-08-18 14:32:41 +02:00
Rasmus Wriedt Larsen
4a82025087 Ruby: Base HTTP::Client::Request on shared concept 
Fixing up deprecation errors in next commit
 2022-08-18 13:42:53 +02:00
Rasmus Wriedt Larsen
e2b78df5ad Ruby: Change HTTP::Client::Request to have DataFlow::Node as base class 
Although this is a breaking change, as explained in the change-note, it
should onyl affect peopel that have created their own HTTP client
request modeling, which I assume is none.

The alternative would have been to keep the old class/module as
deprecated, and introduce a `HTTP::Client::Requestv2` class/module that
is based on `DataFlow::Node` instead. The old class could then be
deprecated in 1 year, and we could do a rename from
`HTTP::Client::Requestv2` -> `HTTP::Client::Request` at the same time.
(and then wait 1 more year before being able to delete
`HTTP::Client::Requestv2`)

All in all, I think this is the right tradeoff, given that CodeQL Ruby
is still in beta.
 2022-08-18 13:42:52 +02:00
Rasmus Wriedt Larsen
e6b4d12f94 Sync ConceptsShared 2022-08-18 13:42:52 +02:00
Rasmus Wriedt Larsen
9d96b73b8b Ruby: Fixup test annotation 2022-08-18 13:42:49 +02:00
Tom Hvitved
08a5b5dc73 Merge pull request #10089 from hvitved/ruby/local-source-nodes 
Ruby: Reduce size of `isLocalSourceNode`
 2022-08-18 12:02:35 +02:00
Nick Rolfe
a46e2b3f2f Merge pull request #10056 from hmac/hmac/action-controller-response-body 
Ruby: Recognise Rails render calls as HTTP responses
 2022-08-18 10:02:17 +01:00
Tom Hvitved
682986c0a2 Merge pull request #10087 from hvitved/ruby/unknown-member-warning 
Ruby: Get rid of warning in `getUnknownMember`
 2022-08-18 10:50:24 +02:00
erik-krogh
473bc92e2d move the PrefixConstruction module out of the ReDoSPruning module 2022-08-18 10:07:48 +02:00
Tom Hvitved
baa646e102 Ruby: Remove unused UnknownMember from API graphs 2022-08-18 09:40:02 +02:00
Harry Maclean
8f370b2457 Update ruby/ql/lib/change-notes/2022-08-16-action-controller-response-body.md 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2022-08-18 10:03:52 +12:00
Harry Maclean
70ec70940a Merge pull request #8142 from github/hmac/incomplete-multi-char-sanitization 2022-08-18 10:02:39 +12:00
Erik Krogh Kristensen
e93ff8672c Merge pull request #10075 from erik-krogh/depOld 
delete old deprecations
 2022-08-17 21:21:57 +02:00
Tom Hvitved
ed2ec1acc0 Ruby: Reduce size of isLocalSourceNode 2022-08-17 17:19:30 +02:00
Tom Hvitved
c307a12c20 Ruby: Get rid of warning in getUnknownMember 2022-08-17 16:22:11 +02:00