hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 02:44:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,347 Commits 1,672 Branches 157 Tags
hmac/command-injection-from-library-inputs
Commit Graph

511 Commits

Author SHA1 Message Date
Harry Maclean
9afdab917e Ruby: Only use library inputs for libraries 
Use the application heuristics to control whether we consider public
method parameters to all be sources of remote flow.
 2022-03-10 16:35:13 +13:00
Harry Maclean
1915fce2d1 Ruby: Add heuristic to guess app or library 
This uses the presence of various gem-related files to guess whether the
codebase is a Ruby application or a Ruby gem.
 2022-03-10 16:34:01 +13:00
Harry Maclean
7a5b72b8f1 Ruby: Library input sources for Command Injection 
Consider parameters of any public method to be remote flow sources for
the command injection vulnerability. This has the potential to be
noisy, but it does find several new TPs in mechanize.
 2022-03-10 16:16:31 +13:00
Harry Maclean
02794d95d4 Ruby: Model Kernel.open as a command execution 
If the argument to Kernel.open begins with "|", the rest of the string
is executed as a shell command.
 2022-03-10 16:15:14 +13:00
Tom Hvitved
f5fbf50d7d Ruby: Fix incorrect parsing of ranges 2022-03-08 19:53:17 +01:00
Tom Hvitved
5f48cc06bb Ruby: Fix off-by-one error in getGroupName 2022-03-08 15:59:47 +01:00
Tom Hvitved
3bc8d0878f Ruby: Add regex consistency queries 2022-03-08 10:10:14 +01:00
Tom Hvitved
6d4eecff14 Ruby: Fix regex parsing of /[|]/ 2022-03-08 09:52:06 +01:00
Arthur Baars
95027e746c Ruby: TypeTracker: add smallstep for functions that return their arguments 2022-03-07 11:51:54 +01:00
Tom Hvitved
c1db0a9429 Merge pull request #8317 from hvitved/typetracker/jump-step 
Ruby/Python: Clear call contexts after jump steps in type tracking
 2022-03-07 11:38:51 +01:00
Arthur Baars
cd5c71e85e Ruby: cache regExpSource/1 instead of isInterpretedAsRegExp 2022-03-04 10:15:22 +01:00
Harry Maclean
1181779c10 Merge pull request #7920 from github/hmac/string-flow-summaries 
Ruby: Add String flow summaries
 2022-03-04 09:09:19 +13:00
Arthur Baars
b79d08523c Merge pull request #8293 from aibaars/regex-pattern-source 
Ruby: parse more string literals as regular expressions
 2022-03-03 17:35:40 +01:00
Arthur Baars
22b0697371 Update ruby/ql/lib/codeql/ruby/security/performance/ParseRegExp.qll 
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
 2022-03-03 17:13:19 +01:00
Tom Hvitved
9d6d479fba Add missing QL doc 2022-03-03 14:17:41 +01:00
Tom Hvitved
b23ab8089a Ruby: Clear call contexts after jump steps in type tracking 2022-03-03 12:29:47 +01:00
Harry Maclean
4a43731b83 Ruby: Use SimpleSummarizedCallable 
This simplifies some String flow summaries.
 2022-03-03 10:49:44 +13:00
Harry Maclean
37dac186a8 Ruby: String.try_convert isn't value-preserving 
`String.try_convert` can convert arbitrary objects to strings, which
obviously isn't value-preserving.
 2022-03-02 13:31:59 +13:00
Arthur Baars
a51f17e0ed Ruby: introduce RegExpPatternSource 2022-03-01 13:30:51 +01:00
Arthur Baars
1240c11c4b Ruby: parse some string literals as regex 
In addition to regex literals, also parse normal string literals
as regular expressions if they somehow "flow" into a method call
that is known to interpret string values as regular expressions.
 2022-03-01 13:26:51 +01:00
Arthur Baars
7e6ef7ac74 Ruby: ApiGraphs: use private imports 2022-03-01 10:24:19 +01:00
Arthur Baars
5ce6b847d1 Merge pull request #8166 from aibaars/regex-char-sequence-1 
Ruby/Python: regex parser: group sequences of 'normal' characters
 2022-02-28 17:47:53 +01:00
Arthur Baars
5044f89105 Ruby/Python re-introduce normalCharacterSequence 2022-02-25 18:43:43 +01:00
Arthur Baars
9d9abaf1f9 Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-02-25 12:27:20 +01:00
Harry Maclean
fc351fbd64 Ruby: Remove value-flow for name-matched summaries 
String summaries that are identified by name only should not specify
value-preserving flow as this can cause spurious flow in cases where
they are applied to different but identically-named methods.
 2022-02-24 16:15:15 +13:00
Harry Maclean
07369916b0 Ruby: Remove bad flow to/from block arguments 
In these cases there is no block argument to the method call.
 2022-02-24 14:44:59 +13:00
Asger Feldthaus
f1bfb31403 Shared: fix typo in a comment 2022-02-23 14:13:41 +01:00
Asger Feldthaus
bb9348d77f Ruby: reject ArrayElement[-n] instead of interpreting it as ArrayElement[?] 2022-02-23 14:13:41 +01:00
Asger Feldthaus
a11c6f0f8e Ruby: use AccessPathSyntax library 2022-02-23 14:13:40 +01:00
Asger Feldthaus
5cab737ef1 Shared: sync AccessPathSyntax.qll 2022-02-23 14:13:40 +01:00
Arthur Baars
69ed121ecb Ruby/Python: regex parser: group sequences of 'normal' characters 2022-02-22 16:15:33 +01:00
Harry Maclean
340288e0d4 Ruby: Update summary access paths for dot syntax 2022-02-22 16:41:16 +13:00
Harry Maclean
d180a55b3a Ruby: Fix value/taint flow in String summaries 2022-02-22 16:41:16 +13:00
Harry Maclean
f07ae35b87 Ruby: Fix bug with String flow summaries 
Split summaries for methods with optional block parmaters into separate
classes. Also model the `exclusive` argument to `String#upto`.
 2022-02-22 16:41:16 +13:00
Harry Maclean
379de5581d Ruby: Disable summaries that clash with Array 
Some String methods are named identically to Array methods, and this
leads to overlapping flow summaries. These adversely affect the original
Array flow summaries.
 2022-02-22 16:41:15 +13:00
Harry Maclean
fef46e1ee4 Ruby: Add flow summaries for String methods 2022-02-22 16:41:15 +13:00
Asger F
02c4966109 Merge pull request #7878 from asgerf/dot-separated-access-paths 
Shared: Switch to dot-separated access paths in summary specs
 2022-02-21 13:29:09 +01:00
Alex Ford
9196b64d6e Merge pull request #8138 from github/ruby/file-write 
Ruby: Implement `FileSystemWriteAccess` concept
 2022-02-21 10:13:27 +00:00
Alex Ford
746290d903 Merge pull request #7713 from github/ruby/clear-text-logging 
Ruby: Add `rb/clear-text-logging-sensitive-data` query
 2022-02-21 10:12:33 +00:00
Asger Feldthaus
7848fcec80 Shared: sync AccessPathSyntax.qll 2022-02-21 08:21:53 +01:00
Asger Feldthaus
55ac5cb012 Shared: auto format 2022-02-21 08:21:53 +01:00
Asger Feldthaus
4985fbb526 Shared: update getSummaryCsv and related test output 2022-02-21 08:21:53 +01:00
Asger Feldthaus
dcc523a2b7 Shared: auto format 2022-02-21 08:21:53 +01:00
Asger Feldthaus
7fcbdbeada Shared: sync AccessPathSyntax.qll and FlowSummaryImpl.qll 2022-02-21 08:21:52 +01:00
Asger Feldthaus
2907d53e17 Shared: sync AccessPathSyntax.qll and FlowSummaryImpl.qll 2022-02-21 08:21:52 +01:00
Asger Feldthaus
57bf0b1432 Ruby: remove support for legacy syntax 2022-02-21 08:21:51 +01:00
Asger Feldthaus
e3605eed44 Ruby: update CSV rows to dot-separated syntax 2022-02-21 08:21:50 +01:00
Asger Feldthaus
7005d53a67 Ruby: manually rewrite DigSummary access path 2022-02-21 08:16:55 +01:00
Asger Feldthaus
6dbeb81f36 Ruby: use AccessPathSyntax.qll to parse input/output summary specs 2022-02-21 08:16:55 +01:00
Alex Ford
12ce3d4784 Ruby: Implement FileSystemWriteAccess for IO/File API 2022-02-20 19:27:11 +00:00