hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-11 10:04:02 +02:00
Code Issues Packages Projects Releases Wiki Activity
1,356 Commits 1,740 Branches 164 Tags
1ce458fa333296ea94c689e65e207e4aa5ae96c8
Commit Graph

149 Commits

Author SHA1 Message Date
Nick Rolfe
1ce458fa33 Add query to find HTTP requests that disable SSL validation 2021-10-06 14:06:09 +01:00
Harry Maclean
c50a6c180f Merge pull request #318 from github/hmac-open-query 
Add a query for uses of `Kernel.open` and `IO.read`
 2021-10-06 10:05:43 +01:00
Tom Hvitved
1d1215923c Merge pull request #323 from github/hvitved/get-value-text 
Introduce `Expr::getValueText`
 2021-10-05 14:26:25 +02:00
Harry Maclean
7bf818fdf5 Refactor KernelMethodCall modelling 
By extending `DataFlow::CallNode` instead of `MethodCall`, we get rid of
a lot of `.asExpr().getExpr()` calls.
 2021-10-05 12:26:59 +01:00
Harry Maclean
e419fc9599 Make Code execution query more specific 
Only the first argument to eval, instance_eval, send, class_send and
module_send is interpreted as Ruby code.
 2021-10-05 10:28:34 +01:00
Arthur Baars
2f462771bb Merge pull request #286 from github/aibaars/xxe 
XXE query
 2021-10-01 16:14:41 +02:00
Arthur Baars
5a454bb9f2 Add comment 2021-10-01 12:13:19 +02:00
Arthur Baars
c78d02d00d Fix module of Parser::Options 2021-10-01 11:18:03 +02:00
Tom Hvitved
08225181c8 Introduce Expr::getValueText 2021-10-01 11:03:46 +02:00
Harry Maclean
8c0c08e887 Identify more instance of code injection 
`class_eval` and `module_eval` both take a string as argument and
execute it as Ruby code.
 2021-09-30 14:19:24 +01:00
Harry Maclean
7f103b9450 Merge pull request #319 from github/hmac-activerecord-updates 
Add some more vulnerable ActiveRecord methods
 2021-09-30 12:09:09 +01:00
Arthur Baars
0419d28ba0 XXE: overapproximate feature flag values for & and | operators 2021-09-30 11:20:23 +02:00
Arthur Baars
089f9d87d4 Address comments 2021-09-30 11:20:23 +02:00
Arthur Baars
2b077595ae Also track DTDLOAD and NONET 2021-09-30 11:20:23 +02:00
Arthur Baars
4268d9c565 XXE query 2021-09-30 11:20:17 +02:00
Harry Maclean
7191e1c007 Re-add delete_all and destroy_all methods 
These methods don't take any arguments in Rails versions > 3, but
there's no harm in checking for them anyway, and some people might be
using very old Rails versions.
 2021-09-30 09:39:58 +01:00
Harry Maclean
0ea228e86f Merge pull request #315 from github/hmac-outgoing-http 
Model more HTTP clients
 2021-09-29 14:26:56 +01:00
Harry Maclean
a9c00a05fe HTTP -> Http 
Change the capitalisation of HTTP to Http, to conform to the QL style
guide.

Leave the HTTP module in Concepts alone, so it remains consistent with
the Concepts in other language libraries.
 2021-09-29 13:50:05 +01:00
Nick Rolfe
1d58f8cd50 Merge pull request #320 from github/rasmuswl/fix-hasLocationInfo-url 2021-09-29 13:23:08 +01:00
Rasmus Wriedt Larsen
3a270abcdc Fix hasLocationInfo URL reference 
Port of https://github.com/github/codeql/pull/6775
 2021-09-29 14:04:25 +02:00
Harry Maclean
615beeec80 Identify more vulnerable ActiveRecord methods 
This change identifies the following patterns:

- `Model.select(input)`
- `Model.reselect(input)`
- `Model.rewhere(input)`
- `Model.update_all(input)`
- `model.reload(lock: input)`
 2021-09-29 11:47:07 +01:00
Harry Maclean
270d13e4ac Identify more vulnerable ActiveRecord methods 
`find_by!`, `find_or_create_by`, `find_or_create_by!` and
`find_or_initialize_by` act similarly to `find_by`.
 2021-09-29 10:49:14 +01:00
Harry Maclean
56919eee0b delete/destroy_all -> delete/destroy_by 
The ActiveRecord `delete_all` and `destroy_all` methods do not take a
condition argument - they act on the scope of their receiver.

The `delete_by` and `destroy_by` methods do take an argument which can
be raw SQL, and are therefore vulnerable to SQL injection.

For more info:

https://api.rubyonrails.org/v6.1.4/classes/ActiveRecord/Relation.html#method-i-delete_all
https://api.rubyonrails.org/v6.1.4/classes/ActiveRecord/Relation.html#method-i-delete_by
 2021-09-29 10:45:54 +01:00
Harry Maclean
3a1b294c21 Identify more ActiveRecord calculate methods 
`average`, `count`, `maximum`, `minimum` and `sum` are all convenience
methods that call `calculate(:<method name>, ...)` under the hood.
Therefore they are vulnerable to SQL injection too.
 2021-09-29 10:11:38 +01:00
Tom Hvitved
10d19bf05b Temporarily disable operation call resolution 2021-09-29 09:40:41 +02:00
Harry Maclean
b34fcc65d1 Model the Typhoeus http client 2021-09-28 10:06:53 +01:00
Harry Maclean
b5dec5e8cf Model the OpenURI http client 2021-09-28 10:06:53 +01:00
Tom Hvitved
5219b1a8b9 Merge pull request #310 from github/hvitved/more-instanceof 
More uses of `instanceof` in the external/internal AST layer
 2021-09-27 16:11:04 +02:00
Harry Maclean
ca1fc44f21 Model the HTTPClient http client 2021-09-27 14:44:25 +01:00
Harry Maclean
3a4ddc4b4e Model the HTTParty http client 
We currently model direct calls like

    HTTParty.get("http://example.com")

but we don't yet handle calls on other classes that have included the
`HTTParty` module, like

    class MyClient
      include HTTParty
    end
    MyClient.get("http://example.com")
 2021-09-27 14:44:04 +01:00
Tom Hvitved
8018c1525d Merge pull request #314 from github/hvitved/setter-method-call-base 
Strengthen the type of `SetterMethodCall`
 2021-09-27 15:29:07 +02:00
Nick Rolfe
79c2f09585 Merge pull request #302 from github/rm_tokeninfo_idx 
Remove unused columns from tokeninfo tables
 2021-09-27 14:19:38 +01:00
Tom Hvitved
317303cdad Strengthen the type of SetterMethodCall 2021-09-27 14:05:28 +02:00
Harry Maclean
3e100bc2a9 Remove unicode character from doc string 
We require that all source code is in ASCII.
 2021-09-27 11:40:04 +01:00
Tom Hvitved
793368d670 More uses of instanceof in the external/internal AST layer 2021-09-24 15:55:15 +02:00
Harry Maclean
74982cb3aa Merge pull request #307 from github/hmac-outgoing-http-2 
Model some more HTTP clients
 2021-09-24 12:30:48 +01:00
Tom Hvitved
30d2df53c6 Include MethodCall.getAChild in {Unary,Binary}Operation.getAChild 2021-09-24 12:08:54 +02:00
Tom Hvitved
edfdfb1fa4 Make {Unary,Binary}Operation a sub class of MethodCall 2021-09-23 19:13:55 +02:00
Harry Maclean
88885a222e Model the RestClient HTTP client 2021-09-23 16:32:15 +01:00
Harry Maclean
4cf520c2df Model the Faraday HTTP client 2021-09-23 16:32:15 +01:00
Harry Maclean
ee51298633 Model the Excon HTTP client 2021-09-23 16:32:15 +01:00
Tom Hvitved
ca2ff9a863 Merge pull request #305 from github/hvitved/desugar/array-literals 
Desugar array literals to `::Array.[]`
 2021-09-23 17:30:34 +02:00
Arthur Baars
40f0112e8a Merge pull request #297 from github/aibaars/alert-suppression 
Alert suppression and file classifier query
 2021-09-23 15:37:19 +02:00
Harry Maclean
4f9518a9c6 Merge pull request #293 from github/hmac-code-injection 
Add query for Code Injection
 2021-09-23 13:50:48 +01:00
Tom Hvitved
f347505542 Merge pull request #277 from github/hvitved/flow-summaries 
Add support for flow summaries
 2021-09-23 14:31:52 +02:00
Harry Maclean
41608ef47b Address review comments 2021-09-23 12:26:54 +01:00
Tom Hvitved
68d41f9f12 Address review comments 2021-09-23 12:39:47 +02:00
Harry Maclean
5826f2c279 Move Net::HTTP modelling into http_clients module 
This seems a more convenient place to keep all the HTTP client
modelling.
 2021-09-23 09:04:20 +01:00
Harry Maclean
b658bacab3 Simplify Net::HTTP modelling 2021-09-23 09:04:01 +01:00
Harry Maclean
3000587849 Add Net::HTTP request modelling 2021-09-23 09:04:01 +01:00