Owen Mansel-Chan
6001c735ff
Ruby: Inline expectation should have space after $
This was a regex-find-replace from `# \$(?! )` (using a negative lookahead) to `# $ `.
2026-03-04 12:45:06 +00:00
Owen Mansel-Chan
1d6b8c5120
Use postprocessing queries for unrelated test
Need to do this because the model numbering was changing. At the same
time we may as well use inline expectations.
2026-02-18 13:49:53 +00:00
Owen Mansel-Chan
eb7f1989c7
Reinstate ql model for String#shellescape
2026-02-17 22:27:15 +00:00
Owen Mansel-Chan
de5470a85c
Add MaD barriers for Shellwords.escape and shellescape
Note that this will only block flow for queries that use the kind `command-injection`.
2026-02-17 22:27:13 +00:00
Owen Mansel-Chan
b3681f7a0c
Model flow through Shellwords escape and shellescape
2026-02-17 22:27:11 +00:00
Owen Mansel-Chan
6294c3b3b8
Remove Shellwords sanitizer in ql
Note that some sanitizers had no effect because flow through those functions wasn't modeled.
2026-02-17 22:27:10 +00:00
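The three Shellwords commits above (modelling flow through `Shellwords.escape`/`String#shellescape`, then adding them as `command-injection` barriers) are about one concrete fact: escaping turns attacker input into a single shell word. The following Ruby script is an added illustration, not code from the CodeQL repository or its tests; `TAINTED` is a constructed input and the `echo`-based helpers are assumptions chosen so the effect is visible without running anything destructive.

```ruby
require "shellwords"

# Constructed attacker-controlled value (not from the project's tests).
TAINTED = "foo; echo INJECTED"

# Vulnerable: interpolating into a backtick command line hands the string to
# /bin/sh, so the ';' ends `echo` and a second command runs. This is the
# shape of sink the command-injection query reports.
def unsafe_echo(arg)
  `echo #{arg}`
end

# Hardened: Shellwords.escape quotes every shell metacharacter, so the whole
# value reaches echo as one argument. This is the call modelled as a barrier.
def safe_echo(arg)
  `echo #{Shellwords.escape(arg)}`
end

# String#shellescape is the same escaping routine exposed on String, which is
# why both spellings need the same model.
def escapes_agree?(arg)
  Shellwords.escape(arg) == arg.shellescape
end

# Round trip: the escaped form parses back to exactly one word, which is the
# property that justifies treating the call as a sanitizer for shell sinks.
def words_after_escape(arg)
  Shellwords.split(Shellwords.escape(arg))
end

if __FILE__ == $0
  puts "unsafe: #{unsafe_echo(TAINTED).inspect}"
  puts "safe:   #{safe_echo(TAINTED).inspect}"
end
```

Note the scope stated in the barrier commit: the barrier is keyed to the `command-injection` kind, so an escaped value that later reaches a different kind of sink (for example a code-injection sink) is still reported, which is the correct behaviour since shell escaping says nothing about other interpreters.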
Arthur Baars
5d3ec35e29
Remove non-breaking spaces from code
2025-09-05 09:41:15 +02:00
Nora Dimitrijević
92a48cdc2b
Ruby: convert InsecureDownload test to .qlref
2025-06-24 14:57:59 +02:00
Nora Dimitrijević
e32982057c
Ruby: convert CommandInjection test to .qlref
2025-06-24 14:57:54 +02:00
Tom Hvitved
978a816f11
Ruby: Track types in data flow
2025-01-06 13:26:10 +01:00
Asger F
be939dca29
Merge pull request #14350 from asgerf/shared/deduplicate-path-graph
Shared: Add DataFlow::DeduplicatePathGraph
2024-12-18 14:04:29 +01:00
Michael Nebel
138e294dae
Ruby: Update all test util paths to point to the new location.
2024-12-12 13:54:37 +01:00
Asger F
f9c0ba3826
Ruby: use DeduplicatePathGraph in CodeInjection query
2024-12-11 11:48:15 +01:00
Jeroen Ketema
ca40b60e62
Ruby: update expected test results
2024-12-03 19:18:46 +01:00
Tom Hvitved
5b5ca05e87
Ruby: Post-processing query for inline test expectations
2024-10-29 13:35:33 +01:00
Tom Hvitved
f287216060
Update expected test output
2024-09-24 14:21:38 +02:00
Tom Hvitved
ed9008a064
Update expected test output
2024-09-18 13:51:02 +02:00
Tom Hvitved
c92c96fa78
Data flow: Compute local big step relation per stage
2024-08-26 09:15:27 +02:00
Anders Schack-Mulligen
9724516c84
C#/Go/Java/Python/Ruby: Accept qltest .expected changes.
2024-07-31 14:45:10 +02:00
Alex Ford
9fb657c4c4
Merge pull request #16781 from alexrford/rb/weak-sensitive-data-hashing
Add `rb/weak-sensitive-data-hashing` query port
2024-07-25 14:11:42 +01:00
Alex Ford
51f3f15e42
Ruby: remove outdated test comment
2024-06-18 17:51:49 +01:00
Alex Ford
d994959720
Ruby: add tests for rb/weak-sensitive-data-hashing
2024-06-18 17:47:32 +01:00
Joe Farebrother
07f03be8cc
Add unit tests
2024-06-12 15:11:35 +01:00
Anders Schack-Mulligen
5d51b5b97b
Ruby: Add support for pretty-printed provenance in tests. Convert one test.
2024-06-07 11:47:48 +02:00
Tom Hvitved
ad99158838
Ruby: Fix/accept extraction errors
2024-06-04 12:55:44 +02:00
Anders Schack-Mulligen
bbebdfea8d
Merge pull request #16511 from aschackmull/dataflow/configuration-provenance
Dataflow: Add provenance for configuration-specific steps.
2024-05-22 14:07:10 +02:00
Alex Ford
8119a27540
Merge pull request #16185 from alexrford/rb/conditions-arr0
Ruby: ActiveRecord - refine `conditions` argument as an SQLi sink
2024-05-22 12:19:10 +01:00
Anders Schack-Mulligen
012b861ffb
Ruby: Accept qltest .expected file changes.
2024-05-22 10:08:59 +02:00
Anders Schack-Mulligen
c4ae18649e
Ruby: Accept qltest .expected file changes (interesting).
2024-05-22 10:08:59 +02:00
Harry Maclean
ef88f3ed09
Merge pull request #16377 from hmac/hmac-sanitization-fp
Ruby: Fix StringSubstitutionCall charpred
2024-05-02 13:31:01 +01:00
Harry Maclean
c00d0d302d
Ruby: fix wording in rb/request-without-cert-validation
2024-05-01 17:25:58 +01:00
Harry Maclean
f7fc2e0b00
Ruby: Fix StringSubstitutionCall charpred
Some missing parens meant this class targeted way more things than
intended.
2024-05-01 16:14:58 +01:00
Harry Maclean
51bc8e917e
Ruby: Reduce FPs for rb/incomplete-hostname-regexp
Arguments in calls to `match[?]` should only be considered regular
expression interpretations if the `match` refers to the standard library
method, not a method in source code.
2024-04-29 11:19:34 +01:00
Alex Ford
98a6d0fa26
Ruby: add another SQLi AR conditions test case
2024-04-24 14:46:53 +01:00
Alex Ford
6b0e7961fa
Ruby: prepare test case whitespace
2024-04-24 14:39:06 +01:00
Alex Ford
91bca4a2c3
Ruby: limit ActiveRecord conditions sink to first array element
2024-04-12 15:32:16 +01:00
Alex Ford
2950890180
Ruby: add more ActiveRecord conditions arg test cases
2024-04-12 15:31:28 +01:00
Alex Ford
f98479dca3
Ruby: prepare test case whitespace
2024-04-12 15:30:42 +01:00
Tom Hvitved
04de315e0e
Ruby: Deprecate models-as-data CSV interface
2024-04-12 13:40:14 +02:00
Joe Farebrother
5cebcadc56
Merge pull request #15987 from joefarebrother/ruby-mass-reassignment
Ruby: Add query for insecure mass assignment
2024-04-12 10:18:41 +01:00
Anders Schack-Mulligen
2c43d0c5a4
Ruby: Update expected output (interesting).
2024-04-12 09:20:38 +02:00
Anders Schack-Mulligen
7cc8fd00aa
Ruby: Update expected output (uninteresting).
2024-04-12 09:20:35 +02:00
Joe Farebrother
0a3d73d902
Add flow steps and sanitizers for permit calls
2024-04-10 21:47:07 +01:00
erik-krogh
642a134035
add tests for the fixes in the qhelp, and fix an FP that appeared
2024-04-08 12:00:27 +02:00
Harry Maclean
409f46ef7b
Merge pull request #14308 from hmac/hmac-rb-csrf-not-enabled
Ruby: Add a query for CSRF protection not enabled
2024-04-02 11:30:36 +01:00
erik-krogh
c60cec36d4
add calls to .html_safe? as a shared XSS sanitizer
2024-03-22 17:46:39 +01:00
Joe Farebrother
b74145349b
Add test cases
2024-03-22 14:07:11 +00:00
Joe Farebrother
507a6102a2
Reorganise into Customizations file + add some more sinks on ActiveRecord methods
2024-03-22 14:07:04 +00:00
Joe Farebrother
89838981b7
Add test cases
2024-03-22 14:04:52 +00:00
Harry Maclean
80ae017aa1
Ruby: Track flow into ActiveRecord scopes
2024-03-18 15:01:37 +00:00