hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
81,475 Commits 1,672 Branches 157 Tags
js/move-cors-query-from-experimental
Commit Graph

1632 Commits

Author SHA1 Message Date
Arthur Baars
c9f7568ca3 Ruby: add Call::isSafeNavigation 2022-05-11 12:06:08 +02:00
Arthur Baars
a47e429945 Merge pull request #8909 from aibaars/tree-sitter-update 
Tree sitter update
 2022-05-11 12:02:14 +02:00
Arthur Baars
907c3db5ca Address comments 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2022-05-11 09:59:42 +02:00
Harry Maclean
7b63493fa9 Ruby: Fix identification IO.open args 2022-05-10 17:32:00 +12:00
Harry Maclean
79c6dc1af0 Refactor IO/File modelling 
The main goal here is to get rid of the duplicate definitions of module
`IO`, which currently exist in both `frameworks/core/IO.qll` and
`frameworks/Files.qll`.

We do this by moving the classes inside `Files::IO` to `core/IO.qll`,
but moving most of the actual definitions of those classes to an
internal module `core.internal.FileOrIO`. This means both `Files.qll`
and `IO.qll` can depend on them without leaking them to end users.
 2022-05-10 17:32:00 +12:00
Harry Maclean
2d12ad6238 Ruby: Model IO.popen 
This method is very similar to `Kernel.system`: it executes its
arguments as a system command in various ways.
 2022-05-10 17:32:00 +12:00
Alex Ford
4844e4f454 ruby: replace the dataflow layer RBI library with the AST layer version 2022-05-05 18:40:12 +01:00
Alex Ford
bedb1d4584 ruby: Add AST layer version of the RBI library 2022-05-05 18:37:56 +01:00
Alex Ford
961f867bed Ruby: fix getAssociatedMethod predicate to include class methods 2022-05-05 18:09:42 +01:00
Alex Ford
08fa397877 ruby: new rbi test case 2022-05-05 18:09:27 +01:00
Alex Ford
1af5c680fa ruby: drop the CallableCfgNode classes 2022-05-04 14:07:04 +01:00
Rasmus Wriedt Larsen
a7b43f7356 Ruby: Accept changes to TypeTracker tests 
Since this is not using inline-expectation-tests, I'm not entirely sure
whether these changes are OK or not, so hope to get someone else to
signoff on that.
 2022-05-03 14:59:06 +02:00
Tom Hvitved
3fd93b460f Merge pull request #8935 from hvitved/ruby/typetracker-kw-test 2022-04-28 18:22:51 +02:00
Tom Hvitved
8d2bf2228b Merge pull request #7914 from hvitved/ruby/generalize-element-content 
Ruby: Generalize `ArrayElementContent` to `ElementContent`
 2022-04-28 14:23:08 +02:00
Arthur Baars
d055f9a186 Update tests 2022-04-28 13:47:10 +02:00
Arthur Baars
7359ffaa2e Ruby: add tree-sitter test case 2022-04-28 12:59:56 +02:00
Tom Hvitved
29f1c533a9 Ruby: Add type tracker tests for flow through keyword/positional parameters 2022-04-28 11:34:12 +02:00
Harry Maclean
ba1d43dd42 Merge pull request #8658 from hmac/hmac/insecure-download 
Ruby: Add InsecureDownload query
 2022-04-28 11:07:35 +12:00
Harry Maclean
f4453f4da2 Merge pull request #8573 from hmac/hmac/missing-regexp-anchor 
Ruby: Add MissingRegExpAnchor query
 2022-04-28 11:06:33 +12:00
Erik Krogh Kristensen
e1c7d369be Merge pull request #8796 from erik-krogh/redundantImport 
Remove redundant imports
 2022-04-27 12:39:51 +02:00
Tom Hvitved
d1c9d68e14 Ruby: Generalize ArrayElementContent to ElementContent 2022-04-27 11:53:21 +02:00
Tom Hvitved
3b7fe06858 Ruby: Simplify flow summary for fetch 2022-04-27 08:26:24 +02:00
Harry Maclean
6998608257 Ruby: Document missing test result 2022-04-27 12:47:09 +12:00
Harry Maclean
bb3fb0325b Ruby: Add InsecureDownload query 
This query finds cases where a potentially unsafe file is downloaded
over an unsecured connection.
 2022-04-27 12:47:09 +12:00
Harry Maclean
ce7675ef43 Ruby: Identify domain in Net::HTTP requests 2022-04-27 12:47:09 +12:00
Harry Maclean
2feb4a48be Ruby: Add hasMisleadingAnchorPrecedence to MissingRegExpAnchor 2022-04-27 10:12:33 +12:00
Harry Maclean
3f8b27c0cd Ruby: Add RegExpNonWordBoundary to RegExpTreeView 2022-04-27 10:12:33 +12:00
Harry Maclean
e3c3c00c68 Ruby: Add MissingRegExpAnchor query 2022-04-27 10:12:33 +12:00
Nick Rolfe
649d7dd022 Merge pull request #8607 from github/nickrolfe/incomplete_sanitization 
Ruby: port of `js/incomplete-sanitization`
 2022-04-26 17:10:24 +01:00
Nick Rolfe
a7185e8a75 Ruby: fix typo in edge key for graph query 2022-04-26 13:56:38 +01:00
Erik Krogh Kristensen
d389012b75 Merge branch 'main' into redundantImport 2022-04-26 14:24:51 +02:00
Nick Rolfe
3737248deb Merge pull request #8879 from github/nickrolfe/graph_ordering 
Ruby: fix graph query tests by defining total ordering
 2022-04-26 13:22:53 +01:00
Nick Rolfe
a2f66e8631 Ruby: specify total ordering for test graph queries 2022-04-26 12:58:44 +01:00
Alex Ford
ad3a9b19e4 Ruby: test files for RBI library 2022-04-24 22:48:52 +01:00
Tom Hvitved
b033f107df Merge remote-tracking branch 'upstream/main' into dataflow/interpret-read-store 2022-04-22 14:35:02 +02:00
Erik Krogh Kristensen
ff73dbc35c delete redundant imports 2022-04-22 12:55:28 +02:00
Tom Hvitved
093a3879be Merge pull request #8794 from hvitved/ruby/capture-barrier-guards 
Ruby: Handle captured variables in `BarrierGuard::getAGuardedNode()`
 2022-04-22 11:47:36 +02:00
Tom Hvitved
be5363ea53 Merge pull request #8801 from hvitved/ruby/exclude-splat-in-taint-tracking 
Ruby: Exclude `SplatExpr` from taint tracking
 2022-04-22 11:12:05 +02:00
Tom Hvitved
c20ce62767 Ruby: Exclude SplatExpr from taint tracking 
`SplatExpr`s are modelled using flow summaries, so there is no need to include them
explicitly in `defaultAdditionalTaintStep`.
 2022-04-21 20:27:04 +02:00
Tom Hvitved
addb92f13b Ruby: Handle captured variables in BarrierGuard::getAGuardedNode() 2022-04-21 13:25:47 +02:00
Tom Hvitved
325b451288 Ruby: Add barrier guards test involving captured variables 2022-04-21 13:25:40 +02:00
Tom Hvitved
b4542c58c2 Ruby: Implement Argument[any] and Argument[n..] 2022-04-20 13:55:18 +02:00
Nick Rolfe
9b6e610e24 Merge remote-tracking branch 'origin/main' into nickrolfe/incomplete_sanitization 2022-04-20 12:05:22 +01:00
Harry Maclean
c3f1fba985 Merge pull request #8598 from hmac/hmac/insecure-dep-resolution 
Ruby: Add rb/insecure-dependency query
 2022-04-14 02:09:44 +02:00
Nick Rolfe
fdca896614 Ruby: improve handling of [g]sub! 
rb/incomplete-sanitization has a few cases where we find flow from one
one string substitution call to another, e.g.

    a.sub(...).sub(...)

But this didn't find typical chained uses of the destructive variants,
e.g.

    a.sub!(...)
    a.sub!(...)

We now handle those cases by tracking flow from the post-update node for
the receiver of the first call.
 2022-04-13 17:19:25 +01:00
Nick Rolfe
bbb8177176 Ruby: add rc/incomplete-sanitization query 2022-04-13 16:48:43 +01:00
Dave Bartolomeo
9f074cd8fd Bump a few more versions 
Also fixes up some dependency declarations that should have been "*" because they refer to packs in the same workspace.
 2022-04-08 13:01:41 -04:00
Harry Maclean
8f3578c92a Ruby: Include query results in test 2022-04-05 10:20:02 +12:00
Tom Hvitved
725d76e934 Ruby: Implement ContentSet 2022-04-04 13:51:44 +02:00
Tom Hvitved
a5040fd0ce Ruby: Add data-flow test for reverse array stores 2022-04-04 13:51:43 +02:00