hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-14 03:09:26 +02:00
Code Issues Packages Projects Releases Wiki Activity
32,413 Commits 1,759 Branches 167 Tags
1f50624cf49484664bcc8a803cb8e6ae1b4ce1ff
Commit Graph

193 Commits

Author SHA1 Message Date
Nick Rolfe
1eba8277ee Merge pull request #7614 from github/nickrolfe/array_flow_summaries 
Ruby: add more Array/Enumerable flow summaries
 2022-02-09 09:57:59 +00:00
Harry Maclean
3206384884 Merge pull request #7824 from github/hmac/constantize 2022-02-09 08:30:21 +13:00
Arthur Baars
ac03fab986 Merge pull request #7753 from aibaars/ruby-3.1 
Ruby 3.1 features
 2022-02-06 21:06:16 +01:00
Nick Rolfe
45962f1cad Ruby: make this unique for each method 
Even when summaries are shared in a single class.
 2022-02-04 17:03:55 +00:00
Nick Rolfe
7a9ddc28bf Ruby: address some more feedback on array flow summaries 2022-02-04 16:33:27 +00:00
Nick Rolfe
ed00f2b0d2 Ruby: address some feedback on array flow summaries 2022-02-04 13:40:39 +00:00
Nick Rolfe
161d766ba9 Ruby: address review comments on array_flow.rb 2022-02-04 11:59:59 +00:00
Harry Maclean
ab7fd89653 Merge pull request #7663 from github/hmac/api-graph-subclass 
Ruby: Add basic subclassing support to API Graphs
 2022-02-04 10:19:07 +13:00
Arthur Baars
6525035f0a Address comments 2022-02-03 13:47:03 +01:00
Harry Maclean
c65ca8ff86 Model calls to constantize as code executions 
`constantize` is an ActiveSupport extension to `String` that attempts to
look up a constant with a name matching the receiver.
 2022-02-03 15:22:07 +13:00
Harry Maclean
704b58519f Ruby: Include subclasses in more API calls 
Change the behaviour of `API::getInstance()` and `API::getReturn()` to
include results on subclasses of the current API node.
 2022-02-03 11:35:59 +13:00
Arthur Baars
a22868ba27 Merge branch 'main' into ruby-3.1 2022-02-02 19:00:03 +01:00
Arthur Baars
fdcef6225b Ruby: fix QL warnings 2022-02-02 13:29:09 +01:00
Harry Maclean
fb00a6c61b Merge pull request #7666 from github/hmac/file-open-access 
Ruby: Add File.open as a FileSystemAccess
 2022-02-02 07:32:16 +13:00
Nick Rolfe
990e07b986 Ruby/C#: add semmle.order attribute to edges in CFG tests 2022-01-31 20:08:24 +00:00
Arthur Baars
abf3ce6223 Ruby: expressions in pin operator ^ 2022-01-28 19:47:31 +01:00
Arthur Baars
00fb4d3776 Ruby: Values in Hash literals and keyword arguments can be omitted 2022-01-28 19:47:31 +01:00
Arthur Baars
3e2ca61c01 Ruby: support anonymous block parameters/arguments 2022-01-28 19:47:31 +01:00
Arthur Baars
b9258e78ca Ruby: non-local variables in variable reference pattern 2022-01-28 19:47:31 +01:00
Nick Rolfe
8248a942ce Ruby: enable taint checking for array-flow test 2022-01-28 11:33:59 +00:00
Nick Rolfe
693ff6a904 Ruby: add flow summaries for remaining Array methods 2022-01-28 11:33:59 +00:00
Nick Rolfe
030cfa36da Ruby: add flow summaries for all remaining Enumerable methods 2022-01-28 11:33:59 +00:00
Harry Maclean
b01f81aab3 Use modified getAPath predicate for test 2022-01-28 19:45:52 +13:00
Nick Rolfe
6f06263d49 Ruby: add more properties for ordering nodes in graph tests 2022-01-27 13:57:43 +00:00
Tom Hvitved
dd27ed8392 Ruby: Desugar hash literals 
```rb
{ a: 1, **splat, b: 2 }
```

becomes

```rb
::Hash.[](a: 1, **splat, b: 2)
```
 2022-01-26 13:53:18 +01:00
Arthur Baars
948ebe4b4c Merge pull request #7568 from aibaars/ruby-pattern-matching-taint 
Ruby: taint steps for pattern matches
 2022-01-26 10:27:47 +01:00
Tom Hvitved
0299b4603f Merge pull request #7677 from hvitved/ruby/constant-value 
Ruby: Replace `getValueText` with `getConstantValue`
 2022-01-25 10:31:02 +01:00
Harry Maclean
c5904b7410 Add inline tests for API Graph subclassing 2022-01-25 16:41:49 +13:00
Harry Maclean
517f2d0823 Add optional results to InlineExpectationsTest 
The idea behind optional results is that there may be instances where
each line of source code has many results and you don't want to annotate
all of them, but you still want to ensure that any annotations you do
have are correct.

This change makes that possible by exposing a new predicate
`hasOptionalResult`, which has the same signature as `hasResult`.

Results produced by `hasOptionalResult` will be matched against any
annotations, but the lack of a matching annotation will not cause a
failure.

We will use this in the inline tests for the API edge getASubclass,
because for each API path that uses getASubclass there is always a
shorter path that does not use it, and thus we can't use the normal
shortest-path matching approach that works for other API Graph tests.
 2022-01-25 16:41:49 +13:00
Harry Maclean
5e7a29a979 Ruby: Use API graph subclassing in Rails modelling 
Now that API graphs have basic subclassing support, we can simplify some
of the ActiveRecord and ActionController code.
 2022-01-25 16:40:14 +13:00
Tom Hvitved
2a972dc045 Address review comments 2022-01-24 14:27:42 +01:00
Arthur Baars
0cef887683 Ruby: address comments 2022-01-24 11:27:26 +01:00
Arthur Baars
e9a01f9e8f Ruby: fix test case 2022-01-24 10:31:08 +01:00
Arthur Baars
fcec8a8388 Address comments 2022-01-24 10:31:08 +01:00
Arthur Baars
7630b277b8 Ruby: update AST and CFG test data 2022-01-24 10:31:08 +01:00
Arthur Baars
26a0167d6d Ruby: add taint step test for hash patterns 2022-01-24 10:31:06 +01:00
Arthur Baars
49c452239e Ruby: add taint steps from case value to variables in patterns 2022-01-24 10:10:22 +01:00
Arthur Baars
77a3e4bd61 Ruby: CFG: fix completion of AsPattern variable 2022-01-24 10:10:22 +01:00
Tom Hvitved
85e1cda81b Ruby: Distinguish symbols from strings in ConstantValue 2022-01-21 19:16:12 +01:00
Harry Maclean
8e40899dfd Merge pull request #7419 from github/hmac/const-get 2022-01-22 07:01:09 +13:00
Harry Maclean
2fa18801aa Merge pull request #7665 from github/hmac/barrier-guard-array-const 2022-01-22 06:59:51 +13:00
Erik Krogh Kristensen
f500bccbe4 add explicit this to member call 2022-01-21 11:46:33 +01:00
Tom Hvitved
aa9cfebc65 Ruby: Replace getValueText with getConstantValue 2022-01-21 09:19:19 +01:00
Alex Ford
9613ff743b Merge pull request #7611 from github/ruby/protect_from_forgery-without-exception 
Ruby: flag up `protect_from_forgery` calls without an exception strategy
 2022-01-20 13:45:30 +00:00
Harry Maclean
5dcee6ba27 Ruby: Add File.open as a FileSystemAccess 2022-01-20 21:09:41 +13:00
Harry Maclean
6bae03a7cc Ruby: Update string const barrier guard 
This change recognises guards like `FOO.include?`, where `FOO` is an array
constant.
 2022-01-20 17:34:12 +13:00
Harry Maclean
13a0ece25c Ruby: Add test case: array constant barrier guard 
This guard isn't yet recognised as a `StringConstArrayInclusionCall`.
 2022-01-20 17:07:01 +13:00
Alex Ford
0aab670b17 Ruby: add missing example rails action 2022-01-19 13:47:00 +00:00
Tom Hvitved
cb098df4ea Merge pull request #7334 from github/hmac/regexp-interpolations 
Ruby: Resolve simple string interpolations
 2022-01-19 14:43:58 +01:00
Alex Ford
b27d315ff4 Ruby: add an example of protect_from_forgery with: :exception 2022-01-19 13:30:27 +00:00