hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 10:46:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,347 Commits 1,672 Branches 157 Tags
hmac/command-injection-from-library-inputs
Commit Graph

192 Commits

Author SHA1 Message Date
Harry Maclean
02794d95d4 Ruby: Model Kernel.open as a command execution 
If the argument to Kernel.open begins with "|", the rest of the string
is executed as a shell command.
 2022-03-10 16:15:14 +13:00
Tom Hvitved
f5fbf50d7d Ruby: Fix incorrect parsing of ranges 2022-03-08 19:53:17 +01:00
Tom Hvitved
89c3d0535a Ruby: Add regex test that outputs all RegExpTerms 2022-03-08 19:53:17 +01:00
Tom Hvitved
5f48cc06bb Ruby: Fix off-by-one error in getGroupName 2022-03-08 15:59:47 +01:00
Tom Hvitved
6dd126b6e3 Ruby: Add regex group tests 2022-03-08 15:59:28 +01:00
Tom Hvitved
6d4eecff14 Ruby: Fix regex parsing of /[|]/ 2022-03-08 09:52:06 +01:00
Tom Hvitved
a7442b7a2b Ruby: Add regex test case for /[|]/ 2022-03-08 09:51:39 +01:00
Arthur Baars
200a965fda Update expected output 2022-03-07 11:51:54 +01:00
Tom Hvitved
9c4c35141a Ruby: Update type tracker test 2022-03-07 11:51:54 +01:00
Harry Maclean
1181779c10 Merge pull request #7920 from github/hmac/string-flow-summaries 
Ruby: Add String flow summaries
 2022-03-04 09:09:19 +13:00
Harry Maclean
37dac186a8 Ruby: String.try_convert isn't value-preserving 
`String.try_convert` can convert arbitrary objects to strings, which
obviously isn't value-preserving.
 2022-03-02 13:31:59 +13:00
Arthur Baars
5ce6b847d1 Merge pull request #8166 from aibaars/regex-char-sequence-1 
Ruby/Python: regex parser: group sequences of 'normal' characters
 2022-02-28 17:47:53 +01:00
Harry Maclean
fc351fbd64 Ruby: Remove value-flow for name-matched summaries 
String summaries that are identified by name only should not specify
value-preserving flow as this can cause spurious flow in cases where
they are applied to different but identically-named methods.
 2022-02-24 16:15:15 +13:00
Arthur Baars
69ed121ecb Ruby/Python: regex parser: group sequences of 'normal' characters 2022-02-22 16:15:33 +01:00
Harry Maclean
d180a55b3a Ruby: Fix value/taint flow in String summaries 2022-02-22 16:41:16 +13:00
Harry Maclean
f07ae35b87 Ruby: Fix bug with String flow summaries 
Split summaries for methods with optional block parmaters into separate
classes. Also model the `exclusive` argument to `String#upto`.
 2022-02-22 16:41:16 +13:00
Harry Maclean
379de5581d Ruby: Disable summaries that clash with Array 
Some String methods are named identically to Array methods, and this
leads to overlapping flow summaries. These adversely affect the original
Array flow summaries.
 2022-02-22 16:41:15 +13:00
Harry Maclean
fef46e1ee4 Ruby: Add flow summaries for String methods 2022-02-22 16:41:15 +13:00
Asger F
02c4966109 Merge pull request #7878 from asgerf/dot-separated-access-paths 
Shared: Switch to dot-separated access paths in summary specs
 2022-02-21 13:29:09 +01:00
Alex Ford
9196b64d6e Merge pull request #8138 from github/ruby/file-write 
Ruby: Implement `FileSystemWriteAccess` concept
 2022-02-21 10:13:27 +00:00
Asger Feldthaus
e3605eed44 Ruby: update CSV rows to dot-separated syntax 2022-02-21 08:21:50 +01:00
Asger Feldthaus
6dbeb81f36 Ruby: use AccessPathSyntax.qll to parse input/output summary specs 2022-02-21 08:16:55 +01:00
Harry Maclean
9a60c7e4ac Ruby: Update filename in test fixture 2022-02-21 09:43:36 +13:00
Alex Ford
baabe66551 Ruby: update Files.ql tests for write accesses 2022-02-20 19:28:12 +00:00
Harry Maclean
459f949c24 Ruby: fix old import in ActiveSupport 
codeql.ruby.frameworks.StandardLibrary is deprecated
 2022-02-17 20:44:04 +13:00
Harry Maclean
546bfcb8ea Ruby: split tests to match stdlib changes 2022-02-17 20:44:04 +13:00
Erik Krogh Kristensen
25d64a7901 Merge pull request #7930 from erik-krogh/rbApiIpa 
RB: convert the ruby ApiGraphs to use IPA labels
 2022-02-11 14:35:39 +01:00
Harry Maclean
017183e7f3 Merge pull request #7919 from github/hmac/open-uri 
Ruby: recognise additional form for OpenURI
 2022-02-11 14:03:26 +13:00
Erik Krogh Kristensen
9739929795 convert the ruby ApiGraphs to use IPA labels 2022-02-10 17:54:19 +01:00
CodeQL CI
a57ee019c2 Merge pull request #7819 from asgerf/asgerf/ruby-def-nodes 
Approved by hvitved
 2022-02-10 12:37:34 +00:00
Harry Maclean
d966ca8466 Ruby: recognise additional form for OpenURI 2022-02-10 15:42:15 +13:00
Harry Maclean
f30222256f Merge pull request #7061 from github/hmac/actiondispatch 
Ruby: Rails route resolution
 2022-02-10 09:46:36 +13:00
Tom Hvitved
0bd8411cb6 Ruby: Hide more SSA nodes from data-flow path explanations 2022-02-09 15:31:10 +01:00
Nick Rolfe
1eba8277ee Merge pull request #7614 from github/nickrolfe/array_flow_summaries 
Ruby: add more Array/Enumerable flow summaries
 2022-02-09 09:57:59 +00:00
Harry Maclean
3206384884 Merge pull request #7824 from github/hmac/constantize 2022-02-09 08:30:21 +13:00
Asger Feldthaus
2b36703bfb Ruby: add def= tags to API graph test 2022-02-08 10:20:25 +01:00
Arthur Baars
ac03fab986 Merge pull request #7753 from aibaars/ruby-3.1 
Ruby 3.1 features
 2022-02-06 21:06:16 +01:00
Nick Rolfe
45962f1cad Ruby: make this unique for each method 
Even when summaries are shared in a single class.
 2022-02-04 17:03:55 +00:00
Nick Rolfe
7a9ddc28bf Ruby: address some more feedback on array flow summaries 2022-02-04 16:33:27 +00:00
Nick Rolfe
ed00f2b0d2 Ruby: address some feedback on array flow summaries 2022-02-04 13:40:39 +00:00
Nick Rolfe
161d766ba9 Ruby: address review comments on array_flow.rb 2022-02-04 11:59:59 +00:00
Asger Feldthaus
87c62db781 Ruby: disable test line not currently working 2022-02-04 11:20:42 +01:00
Asger Feldthaus
5e350a0270 Ruby: Derive edge labels from {Argument,Parameter}Position 2022-02-04 11:20:42 +01:00
Asger Feldthaus
d2e381aa79 Ruby: more def-node tests 2022-02-04 11:20:41 +01:00
Asger Feldthaus
32e0f42969 Ruby: refactor Return(x) to Method(x).return 2022-02-04 11:20:39 +01:00
Asger Feldthaus
55b5f19b92 Ruby: Add def-nodes to API graphs 2022-02-04 11:06:35 +01:00
Asger Feldthaus
9c17a5ce99 Ruby: replace "instance" label with a call to new 2022-02-04 11:03:25 +01:00
Harry Maclean
ab7fd89653 Merge pull request #7663 from github/hmac/api-graph-subclass 
Ruby: Add basic subclassing support to API Graphs
 2022-02-04 10:19:07 +13:00
Arthur Baars
6525035f0a Address comments 2022-02-03 13:47:03 +01:00
Harry Maclean
c65ca8ff86 Model calls to constantize as code executions 
`constantize` is an ActiveSupport extension to `String` that attempts to
look up a constant with a name matching the receiver.
 2022-02-03 15:22:07 +13:00