Harry Maclean
2822c94aa7
Ruby: Minor refactor of barrier guard code
2022-11-25 09:12:51 +13:00
Harry Maclean
6897fb46cb
Ruby: Clean up WhenClause CFG
2022-11-25 09:12:51 +13:00
Harry Maclean
57f689401e
Ruby: SplatExprCfgNode extends UnaryOperationCfgNode
2022-11-24 17:33:57 +13:00
Harry Maclean
376d4e03a1
Ruby: Cache some barrier guard predicates
2022-11-18 18:17:02 +13:00
Harry Maclean
5deb16e58c
Ruby: Remove redundant predicate
...
The existing barrier guard machinery recognises guards such as `if x and y`,
so there's no need to explicitly model them.
2022-11-18 18:14:55 +13:00
Tom Hvitved
f24fa402f3
Adjust CFG
2022-11-17 10:32:28 +01:00
Harry Maclean
2b4217b8a4
Ruby: Update test fixture
2022-11-11 18:41:55 +13:00
Harry Maclean
b16cecc8db
Ruby: Add missing doc
2022-11-11 18:41:42 +13:00
Harry Maclean
62ea1f0a05
Ruby: Fix performance of string comparison guard
...
The `or` case ran extremely slowly before this change. Also exclude
string interpolations from consideration, for correctness, and add some
more tests.
2022-11-11 18:24:20 +13:00
Harry Maclean
e25e192ef3
Ruby: Change the CFG for while clauses
...
The `when` node now acts as a join point for patterns in the when
clause, with match/no-match completions. This is similar to how `or`
expressions work.
The result of this is that the `when` clause "controls" the body of the
`when`, which allows us to model barrier guards for multi-pattern when
clauses.
For this code
    case x
    when 1, 2
      y
    end
The old CFG was
    x --> when --> 1 --no-match--> 2 ---no-match---> case
                     \              \                ^
                      \              \               |
                       \              --match----+   |
                        \                        |   |
                         \                       |   |
                           ------match---------> y --+
The new CFG is
    x --> 1 --no-match--> 2 --no-match--> [no-match] when --no-match--> case
            \               \                                           ^
             \               \                                          |
              \               --match--> [match] when --match--> y -----+
               \                   /
                \                 /
                 -------match-----
i.e. all patterns flow to the `when` node, which is split based on
whether the pattern matched or not. The body of the when clause then has
a single predecessor `[match] when`, which acts as a condition block that
controls `y`.
2022-11-11 11:52:27 +13:00
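Added example (not code from the CodeQL repository): the two graphs drawn in the commit message above, encoded as constructed edge lists, with a check for which match edges every path to `y` must take. Node labels and helper names are chosen for this example, and "controls" is approximated here as "removing the edge makes `y` unreachable".

```ruby
require "set"

# Constructed edge lists [from, to, completion] for the two CFGs the commit
# message draws for:  case x; when 1, 2; y; end
OLD_CFG = [
  ["x", "when", nil], ["when", "1", nil],
  ["1", "y", :match], ["1", "2", :no_match],
  ["2", "y", :match], ["2", "case", :no_match],
  ["y", "case", nil]
].freeze

NEW_CFG = [
  ["x", "1", nil],
  ["1", "[match] when", :match], ["1", "2", :no_match],
  ["2", "[match] when", :match], ["2", "[no-match] when", :no_match],
  ["[match] when", "y", :match],
  ["[no-match] when", "case", :no_match],
  ["y", "case", nil]
].freeze

# Is `target` reachable from `entry` using only `edges`?
def reachable?(edges, entry, target)
  seen = Set.new
  work = [entry]
  until work.empty?
    node = work.pop
    next unless seen.add?(node) # add? returns nil when already visited
    edges.each { |from, to, _| work << to if from == node }
  end
  seen.include?(target)
end

# Direct predecessors of `node`, in edge-list order.
def predecessors(edges, node)
  edges.select { |_, to, _| to == node }.map(&:first)
end

# Match edges that every path from `entry` to `node` must take: removing such
# an edge makes `node` unreachable, so its source can act as a guard for it.
def controlling_match_edges(edges, node, entry = "x")
  edges.select do |edge|
    edge[2] == :match && !reachable?(edges - [edge], entry, node)
  end
end
```

In the old graph `y` has two predecessors and no single match edge guards it; in the new graph the only way in is the match edge out of `[match] when`.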
Harry Maclean
a8b0d298ff
Ruby: More string comparison guards
...
Recognise if statements with conditionals made up of logical `and` or
`or` clauses as barrier guards.
2022-11-10 16:38:09 +13:00
Harry Maclean
ad7b5ae7ed
Ruby: Add inline barrier guard test
2022-11-09 16:35:28 +13:00
Harry Maclean
f1b63c4df3
Ruby: Fix in clause barrier guard
2022-11-09 16:10:17 +13:00
Harry Maclean
0ab88c2e29
Ruby: Handle simple in clauses in barrier guard
2022-11-09 16:01:33 +13:00
Harry Maclean
87944a3a75
Ruby: Add test for another case guard variant
2022-11-09 15:05:03 +13:00
Harry Maclean
25ceeaf241
Ruby: Fix SplatExprCfgNode
2022-11-09 15:03:15 +13:00
Harry Maclean
4bc9096446
Ruby: Add case string comparison barrier guard
...
This recognises barriers of the form
    STRINGS = ["foo", "bar"]
    case foo
    when "some string literal"
      foo
    when *["other", "strings"]
      foo
    when *STRINGS
      foo
    end
where the reads of `foo` inside each `when` are guarded by the comparison
of `foo` with the string literals.
We don't yet recognise this construct:
    case foo
    when "foo", "bar"
      foo
    end
This is due to a limitation in the shared barrier guard logic.
2022-11-09 15:03:13 +13:00
Tom Hvitved
f0554fcdee
Merge pull request #11155 from hvitved/ruby/avoid-stage-recomputation
...
Ruby: Avoid stage recomputation
2022-11-08 13:46:53 +01:00
Tom Hvitved
edde3defed
Merge pull request #11153 from hvitved/ruby/basic-block-at-conditions
...
Ruby: Split basic blocks around constant conditionals
2022-11-08 13:35:52 +01:00
Tom Hvitved
f0b9ca4bf9
Ruby: Add more guards tests
2022-11-08 11:09:54 +01:00
Tom Hvitved
37a69b4569
Ruby: Avoid stage recomputation
2022-11-08 10:51:30 +01:00
Erik Krogh Kristensen
c82410fd16
Merge pull request #10680 from erik-krogh/unsafeRbCmd
...
RB: add an unsafe-shell-command-construction query
2022-11-08 09:22:33 +01:00
Tom Hvitved
7ba0682297
Ruby: Split basic blocks around constant conditionals
2022-11-08 09:07:23 +01:00
Tom Hvitved
c86f597153
Ruby: Add test for disjunctive guard
2022-11-08 09:01:22 +01:00
Harry Maclean
03aa8df8e2
Ruby: Cosmetic change
2022-11-08 10:24:21 +13:00
Harry Maclean
d392cdaab6
Merge pull request #11022 from hmac/try-code-injection
...
Ruby: try/try! as code execution
2022-11-08 09:42:52 +13:00
Erik Krogh Kristensen
3f871a08e2
apply suggestions from doc review
...
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
2022-11-07 16:29:10 +01:00
Erik Krogh Kristensen
d67235b3c1
Merge pull request #11071 from erik-krogh/fixCanon
...
ReDoS: fix canonicalization in NfaUtils
2022-11-07 14:10:50 +01:00
Anders Schack-Mulligen
99ca28ea9b
Merge pull request #10886 from aschackmull/dataflow/joinorders
...
Dataflow: Fix a couple of join-orders.
2022-11-07 11:05:29 +01:00
github-actions[bot]
fca754bddd
Post-release preparation for codeql-cli-2.11.3
2022-11-05 14:30:48 +00:00
Dave Bartolomeo
013b7eff1c
Apply suggestions from code review
...
Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
2022-11-04 18:46:32 -04:00
github-actions[bot]
508327235a
Release preparation for version 2.11.3
2022-11-04 20:16:23 +00:00
Arthur Baars
98f4c29913
Ruby: weak crypto: do not report weak hash algorithms
...
Weak hash algorithms such as MD5 and SHA1 are often
used in non-security-sensitive contexts and reporting
all uses is far too noisy.
2022-11-04 15:58:50 +01:00
Anders Schack-Mulligen
a1dba82360
Dataflow: Sync.
2022-11-04 12:41:55 +01:00
Tom Hvitved
d3488da0c2
Data flow: Sync files
2022-11-03 15:52:30 +01:00
Tom Hvitved
cc87d2e38b
Data flow: Restrict public PathNodes to those that may reach a sink
2022-11-03 15:52:30 +01:00
Henry Mercer
dd264c6dfb
Consistently mention language in metric names
...
This improves consistency between the lines of code queries and the
number of successfully extracted files queries.
2022-11-03 11:44:10 +00:00
Henry Mercer
c60d071239
Lowercase "lines"
2022-11-03 11:40:22 +00:00
erik-krogh
f3741ff1e4
changes based on review
2022-11-03 09:41:05 +01:00
Dave Bartolomeo
499f20f6e8
Merge pull request #11004 from dbartol/dbartol/use-workspace-versions
2022-11-02 20:02:48 -04:00
Tom Hvitved
46631d6eaf
Merge pull request #10931 from hvitved/ruby/fix-flow-into-phis
...
Ruby: Fix flow steps into phi nodes
2022-11-02 21:07:06 +01:00
Dave Bartolomeo
a475e5758d
Merge remote-tracking branch 'upstream/main' into dbartol/use-workspace-versions
2022-11-02 12:38:03 -04:00
Tom Hvitved
f603d96f48
Merge pull request #11074 from github/revert-10576-ssa/consistency-queries
...
Revert "SSA: Turn consistency predicates into `query` predicates"
2022-11-02 11:29:42 +01:00
Tom Hvitved
2d5b9c12a6
Ruby: Avoid calls to deprecated SSA predicates
2022-11-02 09:37:28 +01:00
Tom Hvitved
780ea72b3b
Revert "SSA: Turn consistency predicates into query predicates"
2022-11-02 09:11:45 +01:00
erik-krogh
c15f63ce62
sync files
2022-11-01 21:35:27 +01:00
Dave Bartolomeo
9d5e5e3ee7
${workspace} all the things
2022-11-01 13:29:05 -04:00
Dave Bartolomeo
49c4c554c4
Merge from main
2022-11-01 13:22:40 -04:00
Tom Hvitved
ee9163aa40
Ruby: Fix flow steps into phi nodes
...
- Add missing flow from post-update nodes into phi nodes.
- Prevent flow from reads into phi nodes when use-use flow is prohibited.
2022-11-01 16:33:06 +01:00
Tom Hvitved
a191edfbd5
Ruby: Add data flow tests that illustrate problems with flow into SSA phi nodes
2022-11-01 16:32:46 +01:00