Harry Maclean
270d13e4ac
Identify more vulnerable ActiveRecord methods
`find_by!`, `find_or_create_by`, `find_or_create_by!` and
`find_or_initialize_by` act similarly to `find_by`.
2021-09-29 10:49:14 +01:00
Harry Maclean
56919eee0b
delete/destroy_all -> delete/destroy_by
The ActiveRecord `delete_all` and `destroy_all` methods do not take a
condition argument - they act on the scope of their receiver.
The `delete_by` and `destroy_by` methods do take an argument which can
be raw SQL, and are therefore vulnerable to SQL injection.
For more info:
https://api.rubyonrails.org/v6.1.4/classes/ActiveRecord/Relation.html#method-i-delete_all
https://api.rubyonrails.org/v6.1.4/classes/ActiveRecord/Relation.html#method-i-delete_by
2021-09-29 10:45:54 +01:00
Harry Maclean
3a1b294c21
Identify more ActiveRecord calculate methods
`average`, `count`, `maximum`, `minimum` and `sum` are all convenience
methods that call `calculate(:<method name>, ...)` under the hood.
Therefore they are vulnerable to SQL injection too.
2021-09-29 10:11:38 +01:00
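Added example, not code from this repository or from Rails: a small Ruby stand-in for the three condition forms ActiveRecord accepts (raw String, `["template ?", value]` Array, and Hash), used to show why `find_by`, `delete_by`/`destroy_by` and the `calculate` wrappers (`sum`, `count`, ...) become SQL injection sinks when the caller interpolates untrusted input into a string, and why the Array and Hash forms do not. The `users` table, the columns, the attacker payload and the quoting rule (doubling single quotes, a simplification of the adapter-specific `connection.quote`) are all assumptions of the demo.

```ruby
# Stand-in for an ActiveRecord relation. Only the condition handling is
# modelled; no database is involved, the methods return the SQL they would run.
class FakeRelation
  attr_reader :table

  def initialize(table)
    @table = table
  end

  # Mirrors the shape of ActiveRecord's sanitize_sql: a bare String is trusted
  # and passed through verbatim (this is the injection sink); an Array is a
  # template whose `?` placeholders are filled with quoted values; a Hash
  # becomes `column = 'quoted value'` pairs.
  def sanitize(cond)
    case cond
    when String
      cond
    when Array
      template, *values = cond
      template.gsub("?") { quote(values.shift) }
    when Hash
      cond.map { |col, val| "#{col} = #{quote(val)}" }.join(" AND ")
    else
      raise ArgumentError, "unsupported condition #{cond.inspect}"
    end
  end

  # Simplified SQL literal quoting (assumption): integers are emitted as-is,
  # everything else is single-quoted with embedded quotes doubled.
  def quote(value)
    case value
    when Integer then value.to_s
    else "'#{value.to_s.gsub("'", "''")}'"
    end
  end

  def find_by(cond)
    "SELECT * FROM #{table} WHERE #{sanitize(cond)} LIMIT 1"
  end

  def delete_by(cond)
    "DELETE FROM #{table} WHERE #{sanitize(cond)}"
  end

  # sum/count/etc. are thin wrappers around calculate, so they share its sink.
  def calculate(op, column, cond)
    "SELECT #{op.to_s.upcase}(#{column}) FROM #{table} WHERE #{sanitize(cond)}"
  end

  def sum(column, cond)
    calculate(:sum, column, cond)
  end
end

# Constructed attacker-controlled input: closes the literal, adds a tautology,
# and comments out the rest of the statement.
PAYLOAD = "' OR 1=1 --".freeze

# Builds the SQL for each sink in both the vulnerable (interpolated string)
# and the safe (placeholder array / hash) form.
def injection_demo(user_input = PAYLOAD)
  users = FakeRelation.new("users")
  {
    vulnerable_delete: users.delete_by("name = '#{user_input}'"),
    vulnerable_find:   users.find_by("name = '#{user_input}'"),
    vulnerable_sum:    users.sum(:balance, "owner = '#{user_input}'"),
    safe_delete:       users.delete_by(["name = ?", user_input]),
    safe_find:         users.find_by({ name: user_input }),
    safe_sum:          users.sum(:balance, { owner: user_input })
  }
end

# Strips every well-formed single-quoted literal (with '' as the escape) and
# reports whether injected SQL structure survives outside the literals.
def payload_reaches_sql?(sql)
  outside_literals = sql.gsub(/'(?:[^']|'')*'/, "''")
  outside_literals.match?(/\bOR\s+1=1\b|--/)
end

if __FILE__ == $PROGRAM_NAME
  injection_demo.each do |name, sql|
    puts format("%-18s %-6s %s", name, payload_reaches_sql?(sql) ? "INJ" : "ok", sql)
  end
end
```

Run the script to see the six statements side by side: in the three vulnerable forms the payload's quote terminates the literal and the `OR 1=1 --` lands in the WHERE clause, so `delete_by` would delete every row; in the Array and Hash forms the same bytes are emitted as one harmless literal. The `payload_reaches_sql?` check is a demo-only heuristic for these generated strings, not a general injection detector.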
Tom Hvitved
5219b1a8b9
Merge pull request #310 from github/hvitved/more-instanceof
More uses of `instanceof` in the external/internal AST layer
2021-09-27 16:11:04 +02:00
Tom Hvitved
8018c1525d
Merge pull request #314 from github/hvitved/setter-method-call-base
Strengthen the type of `SetterMethodCall`
2021-09-27 15:29:07 +02:00
Nick Rolfe
79c2f09585
Merge pull request #302 from github/rm_tokeninfo_idx
Remove unused columns from tokeninfo tables
2021-09-27 14:19:38 +01:00
Nick Rolfe
b2c4daecd5
Merge pull request #303 from github/nickrolfe/node_kind_id
Use integer comparisons instead of strings when scanning ERB files
2021-09-27 14:18:10 +01:00
Tom Hvitved
317303cdad
Strengthen the type of SetterMethodCall
2021-09-27 14:05:28 +02:00
Arthur Baars
2a4747b27e
Merge pull request #313 from github/hmac-remove-unicode-char
Remove unicode character from doc string
2021-09-27 12:57:21 +02:00
Harry Maclean
3e100bc2a9
Remove unicode character from doc string
We require that all source code is in ASCII.
2021-09-27 11:40:04 +01:00
Tom Hvitved
793368d670
More uses of instanceof in the external/internal AST layer
2021-09-24 15:55:15 +02:00
Harry Maclean
74982cb3aa
Merge pull request #307 from github/hmac-outgoing-http-2
Model some more HTTP clients
2021-09-24 12:30:48 +01:00
Tom Hvitved
141f5f7605
Merge pull request #308 from github/hvitved/operation-method-call
Make `{Unary,Binary}Operation` a sub class of `MethodCall`
2021-09-24 12:51:07 +02:00
Tom Hvitved
30d2df53c6
Include MethodCall.getAChild in {Unary,Binary}Operation.getAChild
2021-09-24 12:08:54 +02:00
Tom Hvitved
edfdfb1fa4
Make {Unary,Binary}Operation a sub class of MethodCall
2021-09-23 19:13:55 +02:00
Harry Maclean
88885a222e
Model the RestClient HTTP client
2021-09-23 16:32:15 +01:00
Harry Maclean
4cf520c2df
Model the Faraday HTTP client
2021-09-23 16:32:15 +01:00
Harry Maclean
ee51298633
Model the Excon HTTP client
2021-09-23 16:32:15 +01:00
Tom Hvitved
ca2ff9a863
Merge pull request #305 from github/hvitved/desugar/array-literals
Desugar array literals to `::Array.[]`
2021-09-23 17:30:34 +02:00
Arthur Baars
40f0112e8a
Merge pull request #297 from github/aibaars/alert-suppression
Alert suppression and file classifier query
2021-09-23 15:37:19 +02:00
Harry Maclean
4f9518a9c6
Merge pull request #293 from github/hmac-code-injection
Add query for Code Injection
2021-09-23 13:50:48 +01:00
Tom Hvitved
f347505542
Merge pull request #277 from github/hvitved/flow-summaries
Add support for flow summaries
2021-09-23 14:31:52 +02:00
Harry Maclean
41608ef47b
Address review comments
2021-09-23 12:26:54 +01:00
Tom Hvitved
68d41f9f12
Address review comments
2021-09-23 12:39:47 +02:00
Harry Maclean
83705c5787
Merge pull request #306 from github/hmac-outgoing-http
Model outgoing HTTP requests as remote flow sources
2021-09-23 09:34:44 +01:00
Harry Maclean
5826f2c279
Move Net::HTTP modelling into http_clients module
This seems a more convenient place to keep all the HTTP client
modelling.
2021-09-23 09:04:20 +01:00
Harry Maclean
b658bacab3
Simplify Net::HTTP modelling
2021-09-23 09:04:01 +01:00
Harry Maclean
3000587849
Add Net::HTTP request modelling
2021-09-23 09:04:01 +01:00
Harry Maclean
2bdea01c8a
Add HTTP::Client concept
2021-09-23 09:04:01 +01:00
Alex Ford
21e31a47d9
Merge pull request #283 from github/file-system-sources
Start modelling some file system access concepts
2021-09-22 16:45:13 +01:00
Alex Ford
b769aa67c2
test for IO.open as a way of creating an IO instance
2021-09-22 16:29:10 +01:00
Alex Ford
0092c0279b
Apply suggestions from code review
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
2021-09-22 14:28:15 +01:00
Tom Hvitved
e670fdbb82
Move two predicates in FlowSummaryImplSpecific.qll
2021-09-22 14:12:46 +02:00
Tom Hvitved
a37737d065
Replace string kind with boolean preservesValue
2021-09-22 09:28:55 +02:00
Tom Hvitved
888183f26d
Desugar array literals to ::Array.[]
2021-09-21 21:27:29 +02:00
Alex Ford
70c2be8ca3
Files library tests
2021-09-21 19:08:03 +01:00
Alex Ford
05a04f4835
Files.qll library implementation
2021-09-21 19:07:55 +01:00
Alex Ford
6315621b16
use instanceof extensions for some filesystem concepts
2021-09-21 19:02:11 +01:00
Alex Ford
d1f2258d45
revamp weak file permissions query
2021-09-21 19:02:11 +01:00
Alex Ford
25300cb2b4
start modelling some file access concepts
2021-09-21 19:02:11 +01:00
Nick Rolfe
dd31473dff
Merge pull request #301 from github/fix_source_archive
Fix filenames in source archives
2021-09-21 11:37:02 +01:00
Nick Rolfe
d60410e6b8
Use integer comparisons instead of strings when scanning ERB files
2021-09-21 10:50:04 +01:00
Tom Hvitved
cdc359527a
Resolve semantic conflicts after rebase
2021-09-21 11:14:11 +02:00
Tom Hvitved
564c76c41f
Address review comments
2021-09-21 11:04:53 +02:00
Tom Hvitved
08dc6d79ef
Add support for flow summaries
2021-09-21 11:04:53 +02:00
Nick Rolfe
3201f30098
Update dbscheme stats
2021-09-20 23:13:38 +01:00
Nick Rolfe
e97adff21d
Add upgrade script to remove unused tokeninfo columns
2021-09-20 22:42:13 +01:00
Nick Rolfe
6a17dfd228
Remove file column from tokeninfo tables.
2021-09-20 22:42:13 +01:00
Nick Rolfe
6f059638d2
Remove idx column from tokeninfo tables.
2021-09-20 22:42:13 +01:00
Nick Rolfe
143256e673
Fix filenames in source archives
2021-09-20 22:17:45 +01:00