hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,347 Commits 1,672 Branches 157 Tags
hmac-cli-injection-from-library-inputs
Commit Graph

33347 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Harry Maclean
e975f92091 Ruby: remove unused predicate 2022-02-02 16:26:20 +13:00
Harry Maclean
3786fbfc7d Ruby: Rewrite ActionDispatch::underscore 
This version is much shorter and hopefully performs a bit better.
 2022-02-02 16:26:20 +13:00
Harry Maclean
eff2136f52 Ruby: remove unused predicate 2022-02-02 16:26:20 +13:00
Harry Maclean
dead7a8059 Ruby: Make most of ActionDispatch private 
Any classes/predicates not used externally or in tests are now private.
Also fix some typos.
 2022-02-02 16:26:20 +13:00
Harry Maclean
fa28e55645 Add a test for ActionDispatch::underscore 
This shows how the predicate behaves, as well as a case where it goes
wrong.
 2022-02-02 16:26:20 +13:00
Harry Maclean
9c67869875 Remove ActionDispatch::capitalize 
This predicate isn't used.
 2022-02-02 16:26:20 +13:00
Harry Maclean
ad71fdbb24 Add missing documentation to ActionDispatch::Route 2022-02-02 16:26:20 +13:00
Harry Maclean
1766916fc5 Ruby: Document ActionDispatch modelling 2022-02-02 16:26:20 +13:00
Harry Maclean
314683d5fb Ruby: Improve UrlRedirect query using Rails routes 
Handlers for non-GET requests aren't vulnerable to URL redirect attacks,
because browsers won't initiate non-GET requests when you click a link.

We can use Rails routing information, if present, to filter out any
handlers for non-GET requests.
 2022-02-02 16:26:20 +13:00
Harry Maclean
751d8a7f59 Ruby: Document getACapture 2022-02-02 16:26:20 +13:00
Harry Maclean
870c6d7412 Ruby: Rails route resolution 
Add `Route` classes which model Rails routing information, typically
defined in a `routes.rb` file. We extract only the most basic
information: HTTP method, path, controller and action. This is enough to
determine whether a given controller method is a route handler, and what
HTTP method it handles, which is useful for, among other things, the URL
redirect query.
 2022-02-02 16:26:19 +13:00
Henry Mercer
e622e517d9 Merge pull request #7800 from github/henrymercer/js-atm-add-model-building-pack 
JS: Add model building pack for ML-powered queries
 2022-02-01 20:51:19 +00:00
Harry Maclean
ce0354acb3 Include rust-toolchain.toml in Ruby cache keys 
This ensures that if we change our Rust version, the caches will be
invalidated.
 2022-02-02 08:08:11 +13:00
Harry Maclean
9c32ab7122 rust-toolchain -> rust-toolchain.toml 2022-02-02 08:05:46 +13:00
Harry Maclean
613ecbb418 Ruby: Pin Rust to 1.54 
Add a rust-toolchain file to the Ruby directory, which instructs Rustup
to install a specific version of Rust (1.54). This will be used in CI,
so any use of language features or dependencies that don't support 1.54
will result in a CI failure.

This should ensure we have a documented minimum supported rust version
and an easy to way to update it in the future (update the rust-toolchain
file).
 2022-02-02 08:05:46 +13:00
Geoffrey White
d864af3622 C++: Change note. 2022-02-01 19:00:40 +00:00
Harry Maclean
fb00a6c61b Merge pull request #7666 from github/hmac/file-open-access 
Ruby: Add File.open as a FileSystemAccess
 2022-02-02 07:32:16 +13:00
liangjinhuang
1dd15fa235 style:auto format 2022-02-02 01:30:54 +08:00
liangjinhuang
976e484c57 style:move all source files under src/experimental & feat:modify source regular matching rules 2022-02-02 01:14:51 +08:00
Henry Mercer
14601316a5 JS: Autoformat 2022-02-01 17:08:21 +00:00
Rasmus Wriedt Larsen
f6215f2300 Python: Refactor field-flow test 2022-02-01 17:59:03 +01:00
Rasmus Wriedt Larsen
cc4fe38fbd Python: Delete dedicated argumentRouting<N> tests 
I feel like they don't bring any value anymore, since we have the nice
inline expectation tests. If I'm wrong, happy to revert this commit
though.
 2022-02-01 17:51:33 +01:00
Rasmus Wriedt Larsen
54f53c828e Python: Refactor argumentRoutingTest.ql to be more generic 
I checked to see that the tests still works. If I deleted the `arg5`
annotation, it got failures:

```diff
diff --git a/python/ql/test/experimental/dataflow/coverage/argumentPassing.py b/python/ql/test/experimental/dataflow/coverage/argumentPassing.py
index e218bdde9b..71816c1e01 100644
--- a/python/ql/test/experimental/dataflow/coverage/argumentPassing.py
+++ b/python/ql/test/experimental/dataflow/coverage/argumentPassing.py
@@ -46,7 +46,7 @@ def argument_passing(
     c,
     d=arg4,  #$ arg4 func=argument_passing
     *,
-    e=arg5,  #$ arg5 func=argument_passing
+    e=arg5,
     f,
     **g,
 ):
diff --git a/python/ql/test/experimental/dataflow/coverage/argumentRoutingTest.expected b/python/ql/test/experimental/dataflow/coverage/argumentRoutingTest.expected
index e69de29bb2..22037a40c3 100644
--- a/python/ql/test/experimental/dataflow/coverage/argumentRoutingTest.expected
+++ b/python/ql/test/experimental/dataflow/coverage/argumentRoutingTest.expected
@@ -0,0 +1,2 @@
+| argumentPassing.py:49:7:49:10 | ControlFlowNode for arg5 | Unexpected result: arg5= |
+| argumentPassing.py:49:7:49:10 | ControlFlowNode for arg5 | Unexpected result: func=argument_passing |
```
 2022-02-01 17:50:06 +01:00
Rasmus Wriedt Larsen
76f3d74fed Python: Remove extra whitespace from argumentPassing.py 2022-02-01 17:48:16 +01:00
Rasmus Wriedt Larsen
5ee755db09 Python: Require MISSING: flow annotations for normal data-flow tests 
I had to rewrite the SINK1-SINK7 definitions, since this new requirement
complained that we had to add this `MISSING: flow` annotation :D

Doing this implementation also revealed that there was a bug, since I
did not compare files when checking for these `MISSING:` annotations. So
fixed that up in the implementation for inline taint tests as well.

(extra whitespace in argumentPassing.py to avoid changing line numbers
for other tests)
 2022-02-01 17:46:53 +01:00
Erik Krogh Kristensen
e06f6529f1 refactor API-graph labels to an IPA type 2022-02-01 17:32:08 +01:00
Rasmus Wriedt Larsen
2bc4a60496 Python: Unify normal dataflow test setup 
I went with NormalDataflowTest to signify that if you don't know what
you're looking for, this is probably the one. I did not want to just
call it DataflowTest, since that becomes a big vague when there are also
`FlowTest.qll` and `MaximalFlowTest.qll` -- I'm open to renaming this
though 👍
 2022-02-01 17:31:31 +01:00
Rasmus Wriedt Larsen
41319607a9 Python: Use InlineExpectationsTest for field-flow tests 
I deleted the old tests, so it's very clear what tests to look for
 2022-02-01 17:31:31 +01:00
Rasmus Wriedt Larsen
d6f415bae2 Python: Run match tests if Python 3.10 or newer 
Also fixes a bug in the tests
 2022-02-01 17:31:31 +01:00
liangjinhuang
1885b683f7 style:formatDocument 2022-02-02 00:21:26 +08:00
liangjinhuang
af2e8ff8c6 feat:modify source regular matching rules 2022-02-02 00:10:15 +08:00
Henry Mercer
368839edfc JS: Fix QLDoc style in ExtractMisclassifiedEndpointFeatures.ql 2022-02-01 15:39:15 +00:00
Arthur Baars
ea901adb3c Merge pull request #7799 from github/aibaars/fix-ruby-workflows 
Ruby: use ruby specific cache key
 2022-02-01 16:28:14 +01:00
Henry Mercer
db0b4fc463 JS: Add model building pack for ML-powered queries 
Tests are currently still internal. They will be migrated to
`github/codeql` in a subsequent PR.
 2022-02-01 15:03:26 +00:00
Arthur Baars
73d60550ce QL-QL: fix cache keys 2022-02-01 15:57:59 +01:00
Erik Krogh Kristensen
0f85a52f09 Merge pull request #7773 from erik-krogh/CWE-367 
JS: add a js/file-system-race query
 2022-02-01 15:36:13 +01:00
Rasmus Wriedt Larsen
a4bb0cc5d8 Python: Run tests for fieldflow/test.py 2022-02-01 15:32:07 +01:00
Rasmus Wriedt Larsen
1390f034f3 Python: Delete duplicated tests 
All the same tests are present in `fieldflow/test.py`
 2022-02-01 15:31:30 +01:00
Arthur Baars
6451a71a78 Ruby: use ruby specific cache key 2022-02-01 15:18:09 +01:00
Rasmus Wriedt Larsen
1394b38032 Python: Improve customSanitizer tests 
Before we didn't show how we treated the value _after_ the check. But we
do actually handle this nicely 💪
 2022-02-01 15:09:29 +01:00
Mathias Vorreiter Pedersen
3597d80340 Merge pull request #7787 from Yonah125/main 
C/C++ : Useless test
 2022-02-01 14:01:27 +00:00
Jeroen Ketema
ff1c971100 Add query for missing mode argument in open/openat calls 2022-02-01 14:52:22 +01:00
Rasmus Lerchedahl Petersen
1e2428cb6b python: create LDAP module in Concepts 2022-02-01 14:39:58 +01:00
Nick Rolfe
5828a61fec Merge pull request #7795 from github/nickrolfe/graph_test_edge_ordering 
Ruby/C#: add semmle.order attribute to edges in CFG tests
 2022-02-01 13:36:15 +00:00
Rasmus Lerchedahl Petersen
c2cd58edc4 python: rewrite to separate configurations 
source nodes get duplicated, so perhaps flow states
are actually better for performance?
 2022-02-01 14:36:11 +01:00
Erik Krogh Kristensen
a51f892a99 move dot in qhelp 
Co-authored-by: Esben Sparre Andreasen <esbena@github.com>
 2022-02-01 14:34:30 +01:00
Michael Nebel
2c6e35f55e C#: Add more attribute testcases. 2022-02-01 14:06:45 +01:00
Rasmus Lerchedahl Petersen
7df5c70c6f python: update frameworks.rst 2022-02-01 13:54:34 +01:00
Rasmus Lerchedahl Petersen
bec8c0daea python: update change note 2022-02-01 13:39:03 +01:00
Rasmus Lerchedahl Petersen
c587084758 python: use standard InstanceSource construction 2022-02-01 13:31:16 +01:00