hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-12 02:24:00 +02:00
Code Issues Packages Projects Releases Wiki Activity
1,191 Commits 1,740 Branches 164 Tags
4763312e55f67962d2637142729d5ef8bb84fec8
Commit Graph

1191 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Harry Maclean
4763312e55 Merge ConditionBlock and BarrierGuard 2021-09-14 11:11:12 +01:00
Harry Maclean
6f32401e5c Add unless x != test to barrier guards 
This tests that the following call to `foo bar` is guarded:

    unless bar != "bar"
      foo bar
    end
 2021-09-13 11:58:17 +01:00
Harry Maclean
800e18349f Add != to StringConstCompare 
This means we treat != comparisons against strings as taint tracking guards:

    if foo != "A"
      foo         # still tainted
    else
      foo         # not tainted, because we know foo == "A"
    end
 2021-09-10 16:42:45 +01:00
Harry Maclean
8f36b0d7fe Simplify guard in SQL injection tests 
We don't (yet) properly sanitize taint in cases like this

    foo = "A" unless foo == "B"

So for now, use a simpler guard in the SQL injection test.
We can resurrect the old, more idiomatic guard when we can support it.
 2021-09-10 16:27:57 +01:00
Harry Maclean
56983565fe Update ReDoS length guard 
Changes to barrier guards in a previous commit mean we need to update
this guard to match.
 2021-09-10 16:21:17 +01:00
Harry Maclean
b4c29425ea Make barrier guards more specific 
Following examples from the other libraries, this change introduces a
member predicate `checks(CfgNode expr, boolean branch)` to
`BarrierGuard`, which holds if the guard validates `expr` for a
particular value of `branch`, which represents the value of the
condition in the guard.

For example, in the following guard...

    if foo == "foo"
      do_something foo
    else
      do_something_else foo
    end

...the variable `foo` is validated when the condition `foo == "foo"` is
true.

We also introduce the concept that a guard "controls" a code block based
on the value of `branch`. In the example above, the "then" branch of the
if statement is controlled when `branch` is true. The else branch is
not controlled because `foo` can take (almost) any value in that branch.

Based on these concepts, we define a guarded node to be a read of a
validated variable in a controlled block.

In the above example, the `foo` in `do_something foo` is guarded, but
the `foo` in `do_something_else foo` is not.
 2021-09-09 11:04:52 +01:00
Nick Rolfe
a62aa2b1b2 Merge pull request #269 from github/polynomial_redos 
Polynomial ReDoS query
 2021-09-07 18:31:04 +01:00
Nick Rolfe
414362db8d Rename .qll to match our naming scheme for other dataflow queries. 2021-09-07 17:38:08 +01:00
Nick Rolfe
7666d856b7 Merge remote-tracking branch 'origin/main' into polynomial_redos 2021-09-07 17:35:07 +01:00
Nick Rolfe
4d5928ae5a Add @security-severity tag 2021-09-07 12:15:44 +01:00
Nick Rolfe
8fbe5c0adf Merge pull request #261 from github/getPrimaryQlClasses 
Implement getPrimaryQlClasses
 2021-09-07 12:02:15 +01:00
Tom Hvitved
8ce7fdc59a Merge pull request #284 from github/hvitved/instanceof-test 
Use `instanceof` base classes
 2021-09-07 13:01:43 +02:00
Nick Rolfe
060060bc0b Merge remote-tracking branch 'origin/main' into getPrimaryQlClasses 2021-09-06 19:34:34 +01:00
Tom Hvitved
3594794875 Use instanceof base classes in range patterns 2021-09-06 16:15:52 +02:00
Tom Hvitved
9b3b9a731f Move instanceof check from charpred in CfgScope 2021-09-06 10:31:16 +02:00
Calum Grant
51d729a086 Merge pull request #282 from github/add-coc 
Create CODE_OF_CONDUCT.md
 2021-09-03 14:25:44 +01:00
Harry Maclean
36d5fda400 Merge pull request #260 from github/hmac-url-redirect 
Add URLRedirect query
 2021-09-03 13:36:54 +01:00
Pierre
12c1f43ceb Create CODE_OF_CONDUCT.md 
Add COC based on the latest template.
 2021-09-03 14:27:04 +02:00
Harry Maclean
87253032e2 Add a query for URL redirect vulnerabilities 
This query finds instances of CWE-601: Redirection to Untrusted Site.

The structure is copied from a query of the same name in the Python
library. We add customisations specific to `ActionController`.
 2021-09-03 13:17:14 +01:00
Calum Grant
799c0ff252 Merge pull request #281 from github/add-license 
Add LICENSE
 2021-09-03 13:14:15 +01:00
Pierre
bc85a1b825 Add LICENSE file 
Required step for open-sourcing. This uses the same license at `codeql-ruby`.
 2021-09-03 13:10:54 +02:00
Nick Rolfe
47e5a8fd09 Add test for polynomial ReDoS query 2021-09-02 17:57:56 +01:00
Nick Rolfe
cbe23661ed Rename exponential ReDoS test directory 2021-09-02 17:57:56 +01:00
Nick Rolfe
d62b41bdf4 Add query for polynomial ReDoS 2021-09-02 17:57:56 +01:00
Alex Ford
86073776b7 Merge pull request #249 from github/erb-lib 
Add codeql_ruby.ast.Erb library
 2021-09-02 16:26:52 +01:00
Tom Hvitved
b8ec5d7d31 Merge pull request #276 from github/hvitved/api-graphs-comment-typo 
Fix typo in comment
 2021-09-02 12:50:25 +02:00
Tom Hvitved
2d0febeb04 Fix typo in comment 2021-09-02 10:24:37 +02:00
Tom Hvitved
c176d344ab Merge pull request #274 from github/hvitved/cfg/may-raise 
CFG: Model calls that may raise an exception
 2021-09-01 17:42:13 +02:00
Tom Hvitved
6e23a9ae7a Merge pull request #275 from github/hvitved/api-graphs-fix 
API graphs: Fix bug for resolvable modules
 2021-09-01 17:10:27 +02:00
Tom Hvitved
03e91a22bc API graphs: Performance fixes 2021-09-01 16:57:56 +02:00
Tom Hvitved
ae70af01cd API graphs: Fix bug for resolvable modules 2021-09-01 16:57:52 +02:00
Tom Hvitved
031a73ff0f Add API graph test that exhibits a missing edge 2021-09-01 16:56:09 +02:00
Tom Hvitved
701eab7b74 Merge pull request #273 from github/hvitved/has-name 
Add `hasName` predicates
 2021-09-01 15:39:39 +02:00
Tom Hvitved
89e6c0e838 CFG: Model calls that may raise an exception 
In order to avoid dead `rescue`s, we assume that any call that happens in a
`rescue`/`ensure` context may raise an exception.
 2021-09-01 14:07:28 +02:00
Tom Hvitved
4eaa31d800 Add hasName predicates 2021-09-01 13:32:19 +02:00
Alex Ford
41e7ef11e6 add missing pragma back 2021-08-31 21:19:56 +01:00
Alex Ford
d47c8ee9a5 format 2021-08-31 21:04:43 +01:00
Tom Hvitved
2d08b0156a Merge pull request #271 from github/hvitved/cfg/shared 
Adopt shared CFG library
 2021-08-31 19:41:02 +02:00
Alex Ford
20b851a6e0 improve ErbExecutionDirective definition 2021-08-31 17:49:15 +01:00
Alex Ford
df9e0dfcb2 make strictlyBefore a member predicate on Location 2021-08-31 16:24:38 +01:00
Alex Ford
d84731bcc7 Add a library for working with the ERB AST 2021-08-31 16:24:38 +01:00
Harry Maclean
502ad3f9bd Merge pull request #247 from github/hmac-jump-to-def 
Jump-to-definition
 2021-08-31 16:00:43 +01:00
Harry Maclean
3490e328e1 codeql_ruby -> codeql.ruby 2021-08-31 15:43:02 +01:00
Harry Maclean
d3f683e573 Minor refactor of constantQualifiedName 2021-08-31 15:42:06 +01:00
Harry Maclean
34f02ee622 Fix constantQualifiedName 
Exclude partial results

Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
 2021-08-31 15:42:06 +01:00
Harry Maclean
91d56cd802 Use dataflow to find method call targets 
This includes both local and non-local methods, and is also simpler than
the previous definition.
 2021-08-31 15:42:06 +01:00
Harry Maclean
cd3192e8f1 Fix ordering for definitionOf 
Actually select the lexicographically least location, not the greatest.
 2021-08-31 15:42:06 +01:00
Harry Maclean
8901eba978 Include constants in jump-to-def query 
The previous version of this query inadvertently excluded constants
which weren't classes or modules. This version includes them, by
introducing a laxer version of `resolveScopeExpr` that doesn't require
the result to be a `TResolved`.
 2021-08-31 15:42:06 +01:00
Harry Maclean
155b385981 Simplify LocalVariable constraint in jump-to-def 2021-08-31 15:42:06 +01:00
Harry Maclean
e72f1399cb Include class variables in jump-to-def query 2021-08-31 15:42:06 +01:00