hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-15 12:04:07 +02:00
Code Issues Packages Projects Releases Wiki Activity
1,291 Commits 1,733 Branches 164 Tags
40f0112e8a38ee5b66dbfa705e07cfba2f21d057
Commit Graph

55 Commits

Author SHA1 Message Date
Harry Maclean
4f9518a9c6 Merge pull request #293 from github/hmac-code-injection 
Add query for Code Injection
 2021-09-23 13:50:48 +01:00
Alex Ford
d1f2258d45 revamp weak file permissions query 2021-09-21 19:02:11 +01:00
Nick Rolfe
d27f8a6d24 Add empty subpaths section to expected test output 2021-09-20 15:56:58 +01:00
Nick Rolfe
6f7d4fef70 Merge pull request #287 from github/unsafe-deserialization 
rb/unsafe-deserialization query
 2021-09-20 14:23:30 +01:00
Harry Maclean
95e50cedad Add query for Code Injection 
This query finds cases where user input flows to an argument to `eval`
or `send`, which can execute arbitrary Ruby code.
 2021-09-20 11:35:45 +01:00
Harry Maclean
916b844557 Merge pull request #280 from github/hmac-cli-injection 
Add CLI Injection query
 2021-09-20 08:54:01 +01:00
Alex Ford
36289aa9d9 Merge pull request #255 from github/reflected-xss 
rb/reflected-xss query
 2021-09-17 18:32:48 +01:00
Harry Maclean
739661eb10 Test that KernelMethodCall is specific enough 
Calls to `UnknownModule.system`, where `UnknownModule` is a module that
we know nothing about, should not be identified as instances of
`KernelMethodCall`.
 2021-09-17 17:02:17 +01:00
Harry Maclean
599dc28ffa Add another test for shell interpretation 2021-09-17 17:02:17 +01:00
Harry Maclean
f8359767bc Exclude non-shell interpreted args 
Update the CommandInjection query to only consider sinks where the
argument is interpreted by a shell. If the argument is passed directly
to a subprocess then it's not vulnerable to shell injection.
 2021-09-17 17:02:17 +01:00
Harry Maclean
c8e9a592f0 Update CLI injection tests 
Cover more cases, like sinks after (but not guarded by) barrier guards.
 2021-09-17 17:02:17 +01:00
Harry Maclean
fb23a2e3bf Add SubshellHeredocExecution 
This is a form of command execution:

    result = <<`EOF`
    echo foo bar #{baz}
    EOF
 2021-09-17 17:02:17 +01:00
Harry Maclean
799ef4e4c9 Add barrier guards for CLI injection 2021-09-17 17:02:17 +01:00
Harry Maclean
8f65d78cb5 Add Shellwords.escape as CLI injection sanitizer 2021-09-17 17:02:17 +01:00
Harry Maclean
4a0d7c528a Add top-level CLI injection query and tests 2021-09-17 17:02:17 +01:00
Nick Rolfe
3d23575a38 Merge pull request #292 from github/regexp_slash_az 
Don't parse `\A` and `\Z` as `RegExpConstant`
 2021-09-17 16:42:13 +01:00
Alex Ford
e89d485bc0 update test output (subpaths) 2021-09-15 20:51:14 +01:00
Alex Ford
773291e4c3 Put exprNodeReturnedFrom predicate in DataFlowDispatch.qll 2021-09-15 20:50:46 +01:00
Alex Ford
e80faa017c Fix rb/reflected-xss flow from helper method return values 2021-09-15 20:50:46 +01:00
Alex Ford
50b0bb8b36 Restrict rb/reflected-xss instance variable taint edges 2021-09-15 20:50:46 +01:00
Alex Ford
5cfefb1027 Add some more test cases for rb/reflected-xss 2021-09-15 20:50:46 +01:00
Alex Ford
76864a82be remove an incorrect test case 2021-09-15 20:50:46 +01:00
Alex Ford
3445a6a5e7 fix flow steps from controller instance var assignement to view read access 2021-09-15 20:50:46 +01:00
Alex Ford
b993723595 remove spurious ivar -> locals hash mapping (actionview/controller) 2021-09-15 20:50:46 +01:00
Alex Ford
3430a46440 fix some local variable mappings between view and controller 2021-09-15 20:50:46 +01:00
Alex Ford
d71dd3f6c7 rb/reflected-xss 2021-09-15 20:50:46 +01:00
Tom Hvitved
9e67382f06 Bump codeql submodule 2021-09-15 14:59:42 +02:00
Nick Rolfe
ebf23d00d1 Don't parse \A and \Z as RegExpConstant 
Fixes some FPs for the ReDoS queries.
 2021-09-14 16:49:35 +01:00
Harry Maclean
8f36b0d7fe Simplify guard in SQL injection tests 
We don't (yet) properly sanitize taint in cases like this

    foo = "A" unless foo == "B"

So for now, use a simpler guard in the SQL injection test.
We can resurrect the old, more idiomatic guard when we can support it.
 2021-09-10 16:27:57 +01:00
Nick Rolfe
2ddca2c0db Document and test YAML.safe_load 2021-09-08 18:22:31 +01:00
Nick Rolfe
760dbd739d Add test for rb/unsafe-deserialization 2021-09-08 17:49:23 +01:00
Nick Rolfe
7666d856b7 Merge remote-tracking branch 'origin/main' into polynomial_redos 2021-09-07 17:35:07 +01:00
Harry Maclean
87253032e2 Add a query for URL redirect vulnerabilities 
This query finds instances of CWE-601: Redirection to Untrusted Site.

The structure is copied from a query of the same name in the Python
library. We add customisations specific to `ActionController`.
 2021-09-03 13:17:14 +01:00
Nick Rolfe
47e5a8fd09 Add test for polynomial ReDoS query 2021-09-02 17:57:56 +01:00
Nick Rolfe
cbe23661ed Rename exponential ReDoS test directory 2021-09-02 17:57:56 +01:00
Erik Krogh Kristensen
632ad518f0 enable unicode parsing in the ruby ReDoS query 2021-08-02 07:13:41 +00:00
Nick Rolfe
d99b5510e5 Merge pull request #219 from github/regex 
Add regexp parser and exponential ReDoS query
 2021-06-30 17:23:29 +01:00
Alex Ford
31cbf818ab fix rb/sql-injection FPs due to not accounting for overridden ActiveRecord methods 2021-06-29 13:54:15 +01:00
Nick Rolfe
ba7021086b Merge remote-tracking branch 'origin/main' into regex 2021-06-25 15:00:26 +01:00
Nick Rolfe
bee94757dd Add query test for ReDoS.ql, ported from JS 2021-06-25 12:51:35 +01:00
Alex Ford
9883a9b606 update SqlInjection tests 2021-06-24 18:12:26 +01:00
Alex Ford
d62f4f5bd4 Address review comments 2021-06-24 18:12:26 +01:00
Alex Ford
12e4c9ee90 update SqlInjection tests 2021-06-24 18:12:25 +01:00
Alex Ford
5386c776b3 Implement rb/sql-injection 2021-06-24 18:12:25 +01:00
Alex Ford
f74dff560b Merge pull request #187 from github/hardcoded-credentials 
Add rb/hardcoded-credentials query
 2021-06-10 16:12:32 +01:00
Alex Ford
e26afe91b5 move rb/hardcoded-credential alert location to the source 2021-06-07 14:53:04 +01:00
Alex Ford
5d79a8cec0 account for keyword args in rb/hardcoded-credentials and simplify query 2021-06-07 14:49:49 +01:00
Alex Ford
8a3ffb6dca add missing toString 2021-06-04 13:25:03 +01:00
Alex Ford
b2d36babc4 report rb/weak-file-permission alerts at source rather than sink and improve alert message 2021-06-04 13:10:18 +01:00
Alex Ford
fdd4f7f616 attempt to use typetracker in rb/hardcoded-credentials 2021-06-01 12:22:04 +01:00