hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 02:44:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,347 Commits 1,672 Branches 157 Tags
hmac/command-injection-from-library-inputs
Commit Graph

251 Commits

Author SHA1 Message Date
Tom Hvitved
aa9cfebc65 Ruby: Replace getValueText with getConstantValue 2022-01-21 09:19:19 +01:00
Alex Ford
9613ff743b Merge pull request #7611 from github/ruby/protect_from_forgery-without-exception 
Ruby: flag up `protect_from_forgery` calls without an exception strategy
 2022-01-20 13:45:30 +00:00
Harry Maclean
5dcee6ba27 Ruby: Add File.open as a FileSystemAccess 2022-01-20 21:09:41 +13:00
Harry Maclean
6bae03a7cc Ruby: Update string const barrier guard 
This change recognises guards like `FOO.include?`, where `FOO` is an array
constant.
 2022-01-20 17:34:12 +13:00
Harry Maclean
13a0ece25c Ruby: Add test case: array constant barrier guard 
This guard isn't yet recognised as a `StringConstArrayInclusionCall`.
 2022-01-20 17:07:01 +13:00
Alex Ford
0aab670b17 Ruby: add missing example rails action 2022-01-19 13:47:00 +00:00
Tom Hvitved
cb098df4ea Merge pull request #7334 from github/hmac/regexp-interpolations 
Ruby: Resolve simple string interpolations
 2022-01-19 14:43:58 +01:00
Alex Ford
b27d315ff4 Ruby: add an example of protect_from_forgery with: :exception 2022-01-19 13:30:27 +00:00
Harry Maclean
4f7f92490a Distinguish regex components from strings 
Create a set of classes for components of regex literals,
separate from those of string literals. This allows us to special-case
components of free-spacing regexes (ones with the /x flag) to not have a
`getValueText()`.

This in turn is useful because our regex parser can't handle free-spacing
regexes, so excluding them ensures that we don't generate erroneous
ReDoS alerts.
 2022-01-19 11:23:40 +13:00
Jeff Gran
47697f59c1 Ruby: Add classes for detecting user input from graphql-ruby 2022-01-18 09:13:58 -07:00
Anders Schack-Mulligen
9479301485 Ruby: Accept qltest expected changes. 2022-01-18 10:36:52 +01:00
Chris Smowton
f7d3892320 Update test expectations 2022-01-18 10:30:09 +01:00
Alex Ford
c1a51d94a2 Ruby: add test for protect_from_forgery without exception strategy 2022-01-17 17:44:52 +00:00
Erik Krogh Kristensen
acaf294bee support a limited number of regexp ranges 2022-01-07 18:36:30 +01:00
Harry Maclean
43ddc54f2b Ruby: Add Module#const_get as a code execution 
Module#const_get takes a single string argument and interprets it as the
name of a constant. It then looks up the constant and returns its value.

    Object.const_get("Math::PI")
    # => 3.141592653589793

By itself, this method is not as dangerous as e.g. eval, but if the
value returned is a class that is then instantiated, this can allow an
attacker to instantiate arbitrary Ruby classes.

As a result, I think it's safe to say that any remote input flowing into
this call is a potential vulnerability. A real-world example of this is
https://github.com/advisories/GHSA-52p9-v744-mwjj.
 2022-01-06 13:03:41 +13:00
Tom Hvitved
c3fd272f9b Ruby: Simplify getValueText logic for StringlikeLiterals 2022-01-06 12:27:03 +13:00
Tom Hvitved
322f8356dd Ruby: Include StringComponents in the CFG 2022-01-06 12:27:03 +13:00
Tom Hvitved
301d0bbdf8 Ruby: Restructure test to avoid dead code 2022-01-06 12:27:03 +13:00
Harry Maclean
23f1352953 Add ReDoS test that uses string interpolation 
This exercises the support for resolving string interpolations, and is
based on a real vulnerability:

https://github.com/advisories/GHSA-jxhc-q857-3j6g)
 2022-01-06 12:27:03 +13:00
Harry Maclean
32c93e70e2 Include simple interpolations in getValueText 
When calculating `StringlikeLiteral.getValueText`, include results from
interpolations where we can determine their string value. For example:

    b = "b" # local variable
    D = "d" # constant

    "a#{b}c"     # getValueText() = "abc"
    "a#{b}c{D}"  # getValueText() = "abcd"
    /#a#{b}c{D}/ # getValueText() = "abcd"
 2022-01-06 12:27:03 +13:00
Harry Maclean
3df3fb092b Make room for new test code 
This change is split over several commits so it is easier to see.
This change adds some extra lines, which will be populated in the next
commit.
 2022-01-06 12:26:51 +13:00
Alex Ford
dadaf25262 Merge branch 'main' into ruby/rails-cookie-config 2022-01-04 12:04:44 +00:00
Tom Hvitved
1f8a291d6f Merge pull request #7198 from hvitved/ruby/dataflow/arrays 
Ruby: Flow through arrays/enumerables
 2022-01-04 10:37:08 +01:00
Alex Ford
7d3932dc8d Merge remote-tracking branch 'origin/main' into ruby/rails-cookie-config 2021-12-22 17:54:03 +00:00
Alex Ford
71c5711eb3 Ruby: add some rb/weak-cookie-configuration tests 2021-12-22 17:47:44 +00:00
Alex Ford
0cbf136e21 Merge pull request #7273 from github/ruby/crypto-algorithms 
Ruby: add CryptoAlgorithms library
 2021-12-22 17:42:59 +00:00
Alex Ford
97c75de771 Ruby: OpenSSL and CryptoAlgorithms test update 2021-12-22 16:38:15 +00:00
Alex Ford
bdb2d8ba16 Ruby: split OpenSSL parts from CryptoALgorithms.qll and sync with JS/Python version 2021-12-22 16:38:15 +00:00
Alex Ford
0303c279e2 Ruby: add empty ruby file to avoid DataFlowConsistency failure 2021-12-22 16:38:15 +00:00
Alex Ford
1156581b52 Ruby: add CryptoAlgorithms library 2021-12-22 16:38:15 +00:00
Jeff Gran
f21398ce84 changed the name of one of the constants for a better test case 2021-12-22 08:42:07 -07:00
Jeff Gran
445c420a3d rerun test --learn with rebuilt ruby extractor 2021-12-22 08:42:04 -07:00
Jeff Gran
07c7de5cfd run test --learn, add a few more constants to constant.rb test case 2021-12-22 08:36:07 -07:00
Jeff Gran
0c698996aa use resolveConstanteWriteAccess instead, add a few more test cases 2021-12-22 08:35:55 -07:00
Jeff Gran
3df7793803 add more test cases, fix bug by adding getFullName() predicate 2021-12-22 08:35:55 -07:00
Jeff Gran
8e46eeb88c fix expectations to expect the correct values 2021-12-22 08:35:52 -07:00
Tom Hvitved
55492ef348 Ruby: Update expected test output after rebase 2021-12-22 15:56:20 +01:00
Tom Hvitved
3a30f58f74 Address review comments 2021-12-22 15:56:20 +01:00
Tom Hvitved
400802c5ce Ruby: Add flow summaries for Array/Enumerable methods 2021-12-22 15:56:20 +01:00
Tom Hvitved
8c18aaae74 Ruby: Prepare for data flow through arrays 2021-12-22 15:35:34 +01:00
Tom Hvitved
27f786b41e Merge pull request #7442 from hvitved/ruby/dataflow/keyword-params 
Ruby: Data flow for keyword arguments/parameters
 2021-12-22 15:23:22 +01:00
Nick Rolfe
9e259b67bb Merge pull request #7305 from github/nickrolfe/user-controlled-bypass 
Ruby: query to find user-controlled bypass of sensitive actions
 2021-12-21 17:20:20 +00:00
Arthur Baars
a7aff11140 Merge pull request #7394 from aibaars/ruby-cfg-expr-post 
Ruby: CFG: make all expressions "post-order" nodes
 2021-12-21 16:36:42 +01:00
Nick Rolfe
5db80dac51 Merge remote-tracking branch 'origin/main' into nickrolfe/user-controlled-bypass 2021-12-21 15:26:08 +00:00
Arthur Baars
a86ba3b14e Ruby: rename WhenExpr to WhenClause 2021-12-21 12:31:24 +01:00
Arthur Baars
6c7114804e Ruby: remove CaseExprChildMapping::getBranch 2021-12-20 19:21:36 +01:00
Arthur Baars
7644d60dae Revert "Ruby: CFG: make WhenExpr post-order" 
This reverts commit cff63fa7d7.
 2021-12-20 18:57:25 +01:00
Alex Ford
313e0c63fd Merge pull request #7399 from github/ruby/stdlib-logger 
Ruby: Model what is written to the log from stdlib `Logger` methods
 2021-12-20 09:52:29 +00:00
Tom Hvitved
1e27ddf7c7 Ruby: Data flow for keyword arguments/parameters 2021-12-17 15:42:29 +01:00
Arthur Baars
46144fe0a3 Ruby: InClause and WhenClause are no longer Expr 2021-12-17 14:04:25 +01:00