hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-24 04:36:35 +01:00
Code Issues Packages Projects Releases Wiki Activity
43,936 Commits 1,673 Branches 157 Tags
06e435fd84bec4897c5d2fe56b25a690ee8b680b
Commit Graph

1829 Commits

Author SHA1 Message Date
Alex Ford
06e435fd84 Ruby: remove YAML.load_file arg0 as an unsafe deserialization sink 2022-09-26 11:26:30 +01:00
Alex Ford
d94b196843 Ruby: fix documentation 2022-09-23 16:56:33 +01:00
Alex Ford
364bc883ba Ruby: add YAML.load_file as an unsafe deserialization sink 2022-09-23 15:54:15 +01:00
Alex Ford
140458b7cc Merge pull request #9932 from alexrford/ruby/rbi-typegraph-fixes 
Ruby: RBI library changes to support models-as-data model generation
 2022-09-22 13:55:33 +01:00
Tom Hvitved
f0f4fe7286 Merge pull request #10444 from hvitved/ruby/stmt-sequence-post-update 
Ruby: Add post-update nodes for compound arguments
 2022-09-22 13:18:51 +02:00
Nick Rolfe
7d0bfe8f98 Merge pull request #10531 from github/nickrolfe/title-case 
Ruby: use consistent capitalization with `import ... as`
 2022-09-22 12:05:44 +01:00
Nick Rolfe
df8a182ac2 Ruby: use consistent capitalization with import ... as 2022-09-22 11:13:41 +01:00
Nick Rolfe
ee34ac5394 Merge pull request #10512 from github/nickrolfe/hash_from_trusted_xml 
Ruby: add Hash.from_trusted_xml as an unsafe deserialization sink
 2022-09-22 10:59:49 +01:00
Tom Hvitved
ac594842c8 Merge pull request #10504 from hvitved/ruby/private-methods 
Ruby: Two fixes for `private` methods
 2022-09-22 11:54:28 +02:00
Tom Hvitved
10a584ffb9 Merge pull request #10517 from hvitved/ruby/regexp-debug 
Ruby: Add query for debugging regexp flow
 2022-09-22 11:50:50 +02:00
Tom Hvitved
47411e3548 Ruby: Add query for debugging regexp flow 2022-09-21 19:22:10 +02:00
Andrew Eisenberg
99e8cb78b0 Merge pull request #10496 from aeisenberg/aeisenberg/merge-rc3.7-into-main 
Aeisenberg/merge rc3.7 into main
 2022-09-21 08:09:47 -07:00
Alex Ford
260db1aea2 Ruby: drop getAQualifiedName predicate from ConstantAccess 2022-09-21 14:28:43 +01:00
Alex Ford
3bbb166642 Ruby: handle block param types more neatly 2022-09-21 13:52:19 +01:00
Nick Rolfe
2edbc16829 Ruby: add Hash.from_trusted_xml as an unsafe deserialization sink 2022-09-21 13:01:21 +01:00
Tom Hvitved
61e9c6f658 Ruby: Fix call graph for overridden private methods 2022-09-21 14:00:17 +02:00
Tom Hvitved
e7649fc61a Ruby: Fix ModuleBase::get(A)Method for private methods 2022-09-21 14:00:17 +02:00
Tom Hvitved
37a2b7d0b3 Ruby: Add more call graph tests for private methods 2022-09-21 14:00:17 +02:00
Tom Hvitved
a9f2e5272f Merge pull request #10376 from hvitved/ruby/no-ast-by-default 
Ruby: Do not expose AST layer through `ruby.qll`
 2022-09-21 13:15:30 +02:00
Tom Hvitved
0064451ff0 Merge pull request #10491 from hvitved/ruby/fix-bad-join 
Ruby: Fix bad join-order
 2022-09-21 11:13:09 +02:00
Tom Hvitved
59caa977d0 Ruby: Add post-update nodes for compound arguments 2022-09-21 11:02:24 +02:00
Tom Hvitved
1f4573cf25 Ruby: Add more field flow tests 2022-09-21 10:32:38 +02:00
Erik Krogh Kristensen
7e17a919ae Merge pull request #10304 from erik-krogh/rb-followMsg 
RB: make the alert messages of taint-tracking queries more consistent
 2022-09-20 22:58:31 +02:00
Andrew Eisenberg
58e4861b45 Merge branch 'main' into rc/3.7 2022-09-20 12:43:20 -07:00
Tom Hvitved
2677ab6b19 Ruby: Fix bad join-order 
Before
```
Evaluated relational algebra for predicate Module#fe82a56b::lookupMethodOrConst0#2#fff#antijoin_rhs@e23c32nf with tuple counts:
          118006   ~0%    {3} r1 = SCAN Module#fe82a56b::getMethodOrConst#2#fff OUTPUT In.1, In.0, In.2
        35267848   ~3%    {4} r2 = JOIN r1 WITH project#Module#fe82a56b::getMethodOrConst#2#fff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1, Lhs.0, Lhs.2, Rhs.1
           21883   ~0%    {5} r3 = JOIN r2 WITH Module#fe82a56b::Cached::getAPrependedModule#1#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.3, Lhs.0, Lhs.1, Lhs.2
               7  ~16%    {3} r4 = JOIN r3 WITH Module#fe82a56b::getAncestors#1#ff ON FIRST 2 OUTPUT Lhs.2, Lhs.3, Lhs.4
                          return r4
```

After
```
Evaluated relational algebra for predicate Module#fe82a56b::lookupMethodOrConst0#2#fff#antijoin_rhs@839f6a1k with tuple counts:
        118006  ~1%    {3} r1 = SCAN Module#fe82a56b::getMethodOrConst#2#fff OUTPUT In.0, In.2, In.1
           151  ~0%    {4} r2 = JOIN r1 WITH Module#fe82a56b::Cached::getAPrependedModule#1#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.0, Lhs.1, Lhs.2
           155  ~1%    {4} r3 = JOIN r2 WITH Module#fe82a56b::getAncestors#1#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.3, Lhs.1, Lhs.2
             7  ~0%    {3} r4 = JOIN r3 WITH project#Module#fe82a56b::getMethodOrConst#2#fff ON FIRST 2 OUTPUT Lhs.2, Lhs.3, Lhs.1
                       return r4
```
 2022-09-20 16:24:39 +02:00
Tom Hvitved
647397759e Merge pull request #10336 from hvitved/ruby/call-graph-rework 
Ruby: Rework call graph implementation
 2022-09-20 15:29:40 +02:00
Nick Rolfe
30b54b2abe Merge pull request #10450 from github/nickrolfe/filesystemresolver 
Ruby: model ActionView::FileSystemResolver as a FileSystemAccess
 2022-09-20 14:21:28 +01:00
Alex Ford
52305da5a3 Ruby: move string getAQualifiedName() up to ConstantAccess 2022-09-19 21:03:05 +01:00
Alex Ford
d00c9ea2c8 Ruby: RBI library improvements, mostly for parameter types 2022-09-19 21:03:05 +01:00
Alex Ford
8d264e7e65 Ruby: add ConstanReadAcess#getAQualifiedName() predicate 2022-09-19 21:03:05 +01:00
erik-krogh
0645b11cb1 ruby: remove unused predicate from NfaUtilsSpecific 2022-09-19 15:25:00 +02:00
Tom Hvitved
bb08e6f0fd Ruby: Three call graph fixes for singleton methods 2022-09-19 14:20:12 +02:00
Tom Hvitved
d13332cff1 Ruby: Add more call graph tests 2022-09-19 14:19:25 +02:00
Erik Krogh Kristensen
a4cd913aea Merge pull request #10312 from erik-krogh/fix-caseDiff 
ensure consistent casing of names
 2022-09-19 10:43:12 +02:00
Tom Hvitved
a8cc669251 Ruby: Address review comments 2022-09-18 19:34:54 +02:00
Tom Hvitved
9004e82820 Ruby: Add another call graph test 2022-09-18 19:34:00 +02:00
Tom Hvitved
29bfb4d185 Ruby: Revert changes to isLocalSourceNode and localFlowStepTypeTracker 
Instead, use small-step type tracking, as suggested by @rasmuswl offline.
 2022-09-16 19:38:26 +02:00
github-actions[bot]
67ce442674 Post-release preparation for codeql-cli-2.10.5 2022-09-16 14:23:44 +00:00
Nick Rolfe
b5d648a6b0 Ruby: model ActionView::FileSystemResolver as a FileSystemAccess 2022-09-16 09:24:14 +01:00
Tom Hvitved
ac4d4ff613 Ruby: Rework call graph implementation 2022-09-16 10:22:26 +02:00
Tom Hvitved
41c45c26bc Ruby: Add more call graph tests, and make calls.rb interpretable by irb 2022-09-16 10:22:20 +02:00
Tom Hvitved
40241acbfc Merge pull request #10425 from hvitved/ruby/bad-join-fix 
Ruby: Fix bad join-order in DB upgrade script
 2022-09-15 12:09:14 +02:00
Tom Hvitved
c6cd2d66f8 Update ruby/ql/lib/change-notes/2022-09-14-ruby-qll.md 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2022-09-14 20:00:34 +02:00
Tom Hvitved
5cfed75e4c Ruby: Fix bad join-order in DB upgrade script 
Before
```
Evaluated relational algebra for predicate #select#query#ffffff@3e1dedi5 with tuple counts:
          30411461   ~0%    {6} r1 = locations_default AND NOT #select#query#ffffff#antijoin_rhs(Lhs.0, Lhs.1, Lhs.2, Lhs.3, Lhs.4, Lhs.5)

          30840645   ~4%    {2} r2 = SCAN #select#query#ffff OUTPUT In.0, In.3
            515559   ~1%    {3} r3 = JOIN r2 WITH #select#query#ffffff#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.0, Lhs.1
            515559   ~0%    {5} r4 = JOIN r3 WITH locations_default ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2, Rhs.4, Rhs.5
        2397708060   ~0%    {9} r5 = JOIN r4 WITH locations_default_1023#join_rhs ON FIRST 1 OUTPUT Lhs.1, 0, Rhs.1, Lhs.2, Lhs.0, Lhs.3, Lhs.4, Rhs.2, Rhs.3
            515559   ~4%    {6} r6 = JOIN r5 WITH query#f0820431::body_statement#3#bff ON FIRST 3 OUTPUT Lhs.3, Lhs.4, Lhs.7, Lhs.8, Lhs.5, Lhs.6

          30927020   ~0%    {6} r7 = r1 UNION r6
                            return
```

After
```
Evaluated relational algebra for predicate #select#query#ffffff@8810e071 with tuple counts:
        30411461   ~0%    {6} r1 = #select#query#ffffff#shared AND NOT #select#query#ffffff#antijoin_rhs(Lhs.0, Lhs.1, Lhs.2, Lhs.3, Lhs.4, Lhs.5)

        30840645   ~4%    {2} r2 = SCAN #select#query#ffff OUTPUT In.0, In.3
          515559   ~1%    {3} r3 = JOIN r2 WITH #select#query#ffffff#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.0, Lhs.1
          515559   ~0%    {6} r4 = JOIN r3 WITH locations_default ON FIRST 1 OUTPUT Lhs.1, 0, Lhs.2, Rhs.1, Rhs.4, Rhs.5
          515559   ~0%    {5} r5 = JOIN r4 WITH query#f0820431::body_statement#3#bff ON FIRST 2 OUTPUT Rhs.2, Lhs.3, Lhs.2, Lhs.4, Lhs.5
          515559   ~0%    {6} r6 = JOIN r5 WITH locations_default ON FIRST 2 OUTPUT Lhs.1, Lhs.2, Lhs.3, Lhs.4, Rhs.2, Rhs.3
          515559   ~4%    {6} r7 = JOIN r6 WITH files ON FIRST 1 OUTPUT Lhs.1, Lhs.0, Lhs.4, Lhs.5, Lhs.2, Lhs.3

        30927020   ~0%    {6} r8 = r1 UNION r7
                          return r8
```
 2022-09-14 19:27:49 +02:00
Tom Hvitved
7ecfe8daba Address review comments 2022-09-14 15:30:51 +02:00
Tom Hvitved
40e77a0c67 Merge pull request #10415 from hvitved/code-block-fix 
Change two ```codeql to ```ql
 2022-09-14 15:07:55 +02:00
Tom Hvitved
4ea1c0050b Change two ``codeql to ``ql 2022-09-14 13:53:34 +02:00
Tom Hvitved
5472210a92 Ruby: Add change note 2022-09-14 09:14:41 +02:00
erik-krogh
252394666c sync files 2022-09-13 20:44:05 +02:00
Tom Hvitved
74eb6b2b98 Merge pull request #10400 from hvitved/ruby/singleton-class-object-scope 
Ruby: Adjust the scope of singleton class targets
 2022-09-13 20:01:21 +02:00