hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-31 07:12:57 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,353 Commits 1,684 Branches 159 Tags
2cbb25acaa4d635cb34b55e33cec3ed9b9173cd4
Commit Graph

739 Commits

Author SHA1 Message Date
Taus
7b877fb317 Merge pull request #8336 from tausbn/python-fix-a-bunch-of-ql-warnings 
Python: Fix a bunch of QL warnings
 2022-03-09 16:31:28 +01:00
Tom Hvitved
f5fbf50d7d Ruby: Fix incorrect parsing of ranges 2022-03-08 19:53:17 +01:00
Tom Hvitved
89c3d0535a Ruby: Add regex test that outputs all RegExpTerms 2022-03-08 19:53:17 +01:00
Tom Hvitved
073302f196 Ruby: Add another regex consistency test 2022-03-08 19:53:17 +01:00
Tom Hvitved
5f48cc06bb Ruby: Fix off-by-one error in getGroupName 2022-03-08 15:59:47 +01:00
Tom Hvitved
6dd126b6e3 Ruby: Add regex group tests 2022-03-08 15:59:28 +01:00
Taus
063a8bbc43 Python: Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-03-08 15:20:35 +01:00
Tom Hvitved
3bc8d0878f Ruby: Add regex consistency queries 2022-03-08 10:10:14 +01:00
Tom Hvitved
6d4eecff14 Ruby: Fix regex parsing of /[|]/ 2022-03-08 09:52:06 +01:00
Tom Hvitved
a7442b7a2b Ruby: Add regex test case for /[|]/ 2022-03-08 09:51:39 +01:00
Taus
af7f532212 Python: Fix up a bunch of function QLDoc 2022-03-07 18:59:49 +00:00
Arthur Baars
200a965fda Update expected output 2022-03-07 11:51:54 +01:00
Arthur Baars
95027e746c Ruby: TypeTracker: add smallstep for functions that return their arguments 2022-03-07 11:51:54 +01:00
Tom Hvitved
9c4c35141a Ruby: Update type tracker test 2022-03-07 11:51:54 +01:00
Tom Hvitved
c1db0a9429 Merge pull request #8317 from hvitved/typetracker/jump-step 
Ruby/Python: Clear call contexts after jump steps in type tracking
 2022-03-07 11:38:51 +01:00
Arthur Baars
cd5c71e85e Ruby: cache regExpSource/1 instead of isInterpretedAsRegExp 2022-03-04 10:15:22 +01:00
Harry Maclean
1181779c10 Merge pull request #7920 from github/hmac/string-flow-summaries 
Ruby: Add String flow summaries
 2022-03-04 09:09:19 +13:00
Arthur Baars
b79d08523c Merge pull request #8293 from aibaars/regex-pattern-source 
Ruby: parse more string literals as regular expressions
 2022-03-03 17:35:40 +01:00
Arthur Baars
22b0697371 Update ruby/ql/lib/codeql/ruby/security/performance/ParseRegExp.qll 
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
 2022-03-03 17:13:19 +01:00
Tom Hvitved
9d6d479fba Add missing QL doc 2022-03-03 14:17:41 +01:00
Tom Hvitved
b23ab8089a Ruby: Clear call contexts after jump steps in type tracking 2022-03-03 12:29:47 +01:00
Harry Maclean
4a43731b83 Ruby: Use SimpleSummarizedCallable 
This simplifies some String flow summaries.
 2022-03-03 10:49:44 +13:00
Arthur Baars
692fc4cb02 Update ruby/ql/lib/change-notes/2022-02-28-regex-string-literals.md 
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
 2022-03-02 21:13:23 +01:00
Harry Maclean
37dac186a8 Ruby: String.try_convert isn't value-preserving 
`String.try_convert` can convert arbitrary objects to strings, which
obviously isn't value-preserving.
 2022-03-02 13:31:59 +13:00
Arthur Baars
169f65526e Merge pull request #8292 from aibaars/api-graphs-private 
Ruby: ApiGraphs: use private imports
 2022-03-02 00:35:46 +01:00
Arthur Baars
b2745d44f2 Ruby: update ReDoS.expected 2022-03-01 13:30:56 +01:00
Arthur Baars
61fa3ba314 Add change note 2022-03-01 13:30:56 +01:00
Arthur Baars
a51f17e0ed Ruby: introduce RegExpPatternSource 2022-03-01 13:30:51 +01:00
Arthur Baars
1240c11c4b Ruby: parse some string literals as regex 
In addition to regex literals, also parse normal string literals
as regular expressions if they somehow "flow" into a method call
that is known to interpret string values as regular expressions.
 2022-03-01 13:26:51 +01:00
Tamás Vajk
94cb5c2be4 Merge pull request #8296 from github/post-release-prep/codeql-cli-2.8.2 
Post-release preparation for codeql-cli-2.8.2
 2022-03-01 11:57:36 +01:00
github-actions[bot]
980f822983 Post-release preparation for codeql-cli-2.8.2 2022-03-01 09:24:30 +00:00
Arthur Baars
7e6ef7ac74 Ruby: ApiGraphs: use private imports 2022-03-01 10:24:19 +01:00
Arthur Baars
5ce6b847d1 Merge pull request #8166 from aibaars/regex-char-sequence-1 
Ruby/Python: regex parser: group sequences of 'normal' characters
 2022-02-28 17:47:53 +01:00
Arthur Baars
0c23f5815f Add change note 2022-02-25 18:43:43 +01:00
Arthur Baars
5044f89105 Ruby/Python re-introduce normalCharacterSequence 2022-02-25 18:43:43 +01:00
Asger F
a8bfebaeb6 Merge pull request #8149 from asgerf/shared/use-shared-access-path-syntax 
Shared: use shared access path syntax to parse arguments in CSV rows
 2022-02-25 14:04:18 +01:00
CodeQL CI
0f125d1e8a Merge pull request #8234 from asgerf/ruby/meta-queries 
Approved by nickrolfe
 2022-02-25 12:46:15 +00:00
Arthur Baars
9d9abaf1f9 Apply suggestions from code review 
Co-authored-by: yoff <lerchedahl@gmail.com>
 2022-02-25 12:27:20 +01:00
github-actions[bot]
20fe22c8c8 Release preparation for version 2.8.2 2022-02-24 14:57:08 +00:00
Harry Maclean
fc351fbd64 Ruby: Remove value-flow for name-matched summaries 
String summaries that are identified by name only should not specify
value-preserving flow as this can cause spurious flow in cases where
they are applied to different but identically-named methods.
 2022-02-24 16:15:15 +13:00
Harry Maclean
07369916b0 Ruby: Remove bad flow to/from block arguments 
In these cases there is no block argument to the method call.
 2022-02-24 14:44:59 +13:00
Asger Feldthaus
f1bfb31403 Shared: fix typo in a comment 2022-02-23 14:13:41 +01:00
Asger Feldthaus
bb9348d77f Ruby: reject ArrayElement[-n] instead of interpreting it as ArrayElement[?] 2022-02-23 14:13:41 +01:00
Asger Feldthaus
a11c6f0f8e Ruby: use AccessPathSyntax library 2022-02-23 14:13:40 +01:00
Asger Feldthaus
5cab737ef1 Shared: sync AccessPathSyntax.qll 2022-02-23 14:13:40 +01:00
Stephan Brandauer
c17d8b145a Merge pull request #8054 from asgerf/js/split-request-forgery 
JS: split request forgery query into server-side and client-side variants
 2022-02-23 10:27:16 +01:00
Arthur Baars
69ed121ecb Ruby/Python: regex parser: group sequences of 'normal' characters 2022-02-22 16:15:33 +01:00
Asger Feldthaus
5390faeb8a Ruby: add query for measuring call graph 2022-02-22 14:42:05 +01:00
Asger Feldthaus
c7c97d5bbb Ruby: add queries for measuring taint sources and sinks 2022-02-22 14:29:47 +01:00
Harry Maclean
07c70adde5 Ruby: Update CleartextLogging fixture 
The flow summary for `String#sub` leads to two new results in this test.
They are duplicates of existing results, because the query is quite
liberal in what it considers a source.

```ruby

password = "abc"
password_masked = password.sub(/./, "x")
Logger.new(STDOUT).info password_masked

```

In the example above, the query considers lines 1 and 2 to both be
sources, with a sink at line 3. Previously there was no flow from line 1
to line 3 because of the missing flow summary for `String#sub`, and
therefore there was just one result. Now we have the flow summary, there
are two results.

Line 2 is considered a source because it is an assignment to a variable
that contains the term "password". I'm not sure how to adjust the query
to avoid these duplicates, so I'm leaving them in for now.
 2022-02-22 16:58:41 +13:00