Commit Graph

2927 Commits

Author SHA1 Message Date
Tom Hvitved
b974a84bef Merge pull request #21051 from hvitved/shared/flow-summary-provenance-filtering
Shared: Provenance-based filtering of flow summaries
2026-01-26 17:24:34 +01:00
Tom Hvitved
c975ae5231 Ruby: Adapt to changes in FlowSummaryImpl 2026-01-26 12:40:14 +01:00
yoff
d05901ad3f python/javascript/ruby: mark internal predicates 2026-01-22 17:30:24 +01:00
yoff
b08c972cc3 ruby: Add back sanitizer as MaD model 2026-01-22 17:30:24 +01:00
yoff
15980cb1da ruby: remove sanitizer to be replaced by MaD model 2026-01-22 17:30:24 +01:00
yoff
3dbfb9fa4b python: add machinery for MaD barriers
and reinstate previously removed barrier
now as a MaD row
2026-01-22 17:30:24 +01:00
Asger F
869efb8a48 JS: Sync ApiGraphModels.qll 2026-01-07 11:05:41 +01:00
Tom Hvitved
358339427b Ruby: Fix bad join
Before
```
Evaluated relational algebra for predicate Filters::Filters::FilterCall.getAnAction/0#dispred#9c0da667@85a4cbtp with tuple counts:
           394650       ~2%    {2} r1 = `__#Module::ModuleBase.getAMethod/0#dispred#56626ed3Merge_Module::ModuleBase.getModule/0#dispred#4f2c__#shared` AND NOT `_Filters::Filters::FilterCall.getExceptArgument/0#dispred#515c95c0__#Method::Method.getName/0#dispre__#antijoin_rhs`(FIRST 2)
                               {2}    | AND NOT `project#Filters::Filters::FilterCall.getOnlyArgument/0#dispred#f337e70f`(FIRST 1)
           380366       ~0%    {2}    | SCAN OUTPUT In.1, In.0

            29453       ~0%    {2} r2 = JOIN `_#Module::ModuleBase.getAMethod/0#dispred#56626ed3Merge__#AST::AstNode.getEnclosingModule/0#dispred#__#shared` WITH project#ActionController::ActionControllerActionMethod#6db6f5e0 ON FIRST 1 OUTPUT Lhs.0, Lhs.1

           366017       ~0%    {2} r3 = JOIN `_#Module::ModuleBase.getAMethod/0#dispred#56626ed3Merge_Module::ModuleBase.getModule/0#dispred#4f2ca__#shared` WITH project#ActionController::ActionControllerActionMethod#6db6f5e0 ON FIRST 1 OUTPUT Lhs.0, Lhs.1

           395470       ~0%    {2} r4 = r2 UNION r3
           395470       ~0%    {3}    | JOIN WITH `Method::Method.getName/0#dispred#2acbf239` ON FIRST 1 OUTPUT Lhs.1, Rhs.1, Lhs.0
             2227       ~0%    {2}    | JOIN WITH `Filters::Filters::FilterCall.getOnlyArgument/0#dispred#f337e70f` ON FIRST 2 OUTPUT Lhs.2, Lhs.0

           382593       ~0%    {2} r5 = r1 UNION r4
           133735       ~4%    {2}    | JOIN WITH `project#ActionController::ActionControllerActionMethod.getARoute/0#dispred#9eb85e56` ON FIRST 1 OUTPUT Lhs.1, Lhs.0
        540556870       ~2%    {3}    | JOIN WITH Filters::Filters::Filter#a42c5138 CARTESIAN PRODUCT OUTPUT Rhs.0, Lhs.0, Lhs.1
        525979755     ~127%    {3}    | JOIN WITH `Filters::Filters::FilterImpl.getFilterCallable/0#dispred#451bf7d7` ON FIRST 1 OUTPUT Lhs.1, Lhs.2, Rhs.1
                               {3}    | REWRITE WITH TEST InOut.1 != InOut.2
        525979755  ~407036%    {2}    | SCAN OUTPUT In.0, In.1
                               return r5
```

After
```
Evaluated relational algebra for predicate Filters::Filters::FilterCall.getAnAction/0#91dba45c@74dfcepp with tuple counts:
          1363   ~4%    {2} r1 = JOIN `Filters::Filters::FilterCall.getAnActionCand/1#f053150d` WITH `Filters::Filters::FilterCall.getOnlyArgument/0#dispred#f337e70f` ON FIRST 2 OUTPUT Lhs.0, Lhs.2

        140978   ~0%    {3} r2 = `Filters::Filters::FilterCall.getAnActionCand/1#f053150d` AND NOT `Filters::Filters::FilterCall.getExceptArgument/0#dispred#515c95c0#fb`(FIRST 2)
                        {3}    | AND NOT `project#Filters::Filters::FilterCall.getOnlyArgument/0#dispred#f337e70f`(FIRST 1)
        132372   ~3%    {2}    | SCAN OUTPUT In.0, In.2

        133735   ~4%    {2} r3 = r1 UNION r2
                        return r3
```
2026-01-06 11:42:49 +01:00
Asger F
ecfa94600f Sync ApiGraphModels.qll 2025-11-13 09:46:23 +01:00
Asger F
16e7dc1b8a Sync ApiGraphModelsExtensions.qll 2025-11-13 09:46:21 +01:00
Nora Dimitrijević
6519bd9909 Ruby/PolynomialReDoSQuery
ruby/ql/src/queries/security/cwe-1333/PolynomialReDoS.ql
2025-10-28 09:40:38 +01:00
Henry Mercer
9507ec0853 Fix "be be" typos 2025-10-14 11:09:43 +01:00
Tom Hvitved
1a4cfba93a Merge pull request #20427 from felickz/ruby-framework-grape
Ruby: Add support for Grape Framework
2025-09-25 16:12:34 +02:00
Chad Bentz
6e56c549b2 Refactor Grape method call classes to simplify handling of API instance calls for headers, request, route_param, and cookies 2025-09-22 19:21:23 -04:00
Chad Bentz
0665c39a07 Refactor GrapeHelperMethod constructor to reuse getHelperSelf to traverse dataflow instead of AST
- add tests to check for nested helpers
2025-09-22 19:08:34 -04:00
Chad Bentz
ecd0ce65fe Refactor GrapeHeadersBlockCall and GrapeCookiesBlockCall to simplify method call checks 2025-09-22 12:52:30 -04:00
Chad Bentz
b837c56bec Refactor RootApi and GrapeApiClass constructors for improved readability; add getHelperSelf method to retrieve self parameter in helpers block. 2025-09-22 10:13:33 -04:00
Simon Friis Vindum
7d6e2060e5 Adapt all languages to changes in shared library 2025-09-22 14:18:58 +02:00
Chad Bentz
1bf6101967 Remove redundant exclusion of base Grape::API module from GrapeApiClass
- should not impact extracted application code
2025-09-21 20:52:28 -04:00
Chad Bentz
50bf9ae756 Refactor RootApi class to use getAnImmediateDescendent for clarity 2025-09-21 20:44:46 -04:00
Chad Bentz
f4bbbc346f Refactor Grape framework to be encapsulated properly in Module 2025-09-19 19:06:50 -04:00
Chad Bentz
89e9ee43c0 Convert from GrapeHelperMethodTaintStep extends AdditionalTaintStep to a simplified GrapeHelperMethodTarget extends AdditionalCallTarget 2025-09-19 18:28:45 -04:00
Chad Bentz
c5e3be2c4c Grape - detect params calls inside helper methods
- added unit tests for flow using inline format
- removed grape from Arel tests (temporary)
2025-09-16 17:09:18 -04:00
Chad Bentz
ffd32efba2 codeql query format 2025-09-16 09:08:07 -04:00
Chad Bentz
0d0ce32ef2 Merge branch 'ruby-framework-grape' of github.com:felickz/codeql into ruby-framework-grape 2025-09-15 22:11:38 -04:00
Chad Bentz
fc98cd8d08 Fix naming standards 2025-09-15 22:11:33 -04:00
Chad Bentz
19cb187436 Update ruby/ql/lib/codeql/ruby/frameworks/Grape.qll
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-09-15 22:03:27 -04:00
Chad Bentz
a8d4d6b563 Apply naming standards + changenote 2025-09-15 22:02:03 -04:00
Chad Bentz
5cfa6e83b3 Add support for route parameters (+ blocks), headers, and cookies in Grape API 2025-09-12 22:51:47 -04:00
Chad Bentz
3252bd39d2 Enhance Grape framework with additional data flow modeling and helper method support 2025-09-12 22:13:21 -04:00
Chad Bentz
738ab6fba7 Refactor Grape framework code for improved readability and consistency 2025-09-12 19:23:15 -04:00
Chad Bentz
d295acc3c3 Add initial support for Ruby Grape 2025-09-12 19:22:05 -04:00
Michael Nebel
31852985e5 Merge pull request #20335 from michaelnebel/shared/ql4ql
Shared and Sync: Fix some Ql4Ql violations.
2025-09-02 14:37:34 +02:00
Anders Schack-Mulligen
f833fe0e6e Merge pull request #20300 from aschackmull/cfg/successortype
Shared: Add a shared SuccessorType implementation
2025-09-02 14:09:35 +02:00
Michael Nebel
7490d8ddd2 Shared and Sync: Fix some Ql4Ql violations. 2025-09-02 13:54:22 +02:00
Michael Nebel
7ae5d405fc Merge pull request #20332 from michaelnebel/ruby/ql4ql
Ruby: Fix some Ql4Ql violations.
2025-09-02 12:04:03 +02:00
Anders Schack-Mulligen
3d4d347150 SuccessorType: Address review comments. 2025-09-02 11:10:00 +02:00
Michael Nebel
c5cf46bc2c Ruby: Fix some Ql4Ql violations. 2025-09-01 15:19:25 +02:00
Anders Schack-Mulligen
144e34c669 Shared: Use shared SuccessorType in shared Cfg and BasicBlock libs. 2025-09-01 13:43:32 +02:00
Anders Schack-Mulligen
d8c193df18 Ruby: Use shared SuccessorType. 2025-09-01 12:56:04 +02:00
Anders Schack-Mulligen
09b2c5abf0 BasicBlock: Replace entryBlock predicate with subclass. 2025-09-01 11:48:44 +02:00
Anders Schack-Mulligen
f459ddc40a Languages: Adapt to api changes. 2025-09-01 11:26:33 +02:00
Anders Schack-Mulligen
bb3abc815f SSA: Update input to use member predicates. 2025-09-01 11:19:48 +02:00
Tom Hvitved
0a67902f5d Merge pull request #20101 from mschwager/main
Fix #19294, Ruby NetHttpRequest improvements
2025-08-12 14:42:32 +02:00
Matt Schwager
357964e789 Remove duplicate lines and format query 2025-08-11 08:11:36 -04:00
Chuan-kai Lin
72563ec5a4 Merge pull request #20080 from d10c/d10c/diff-informed-phase-3-ruby
Ruby: Diff-informed queries: phase 3 (non-trivial locations)
2025-08-07 07:37:40 -07:00
Anders Schack-Mulligen
3b8234ecec SSA: Update data flow integration and BarrierGuard interface to use GuardValue. 2025-07-28 11:29:12 +02:00
Matt Schwager
9da94fb880 Fix #19294, Ruby NetHttpRequest improvements 2025-07-21 15:17:54 -04:00
Nora Dimitrijević
4b6135c0f7 [DIFF-INFORMED] Ruby: MissingFullAnchor
https://github.com/d10c/codeql/blob/d10c/diff-informed-phase-3/ruby/ql/src/queries/security/cwe-020/MissingFullAnchor.ql#L18
2025-07-17 14:44:02 +02:00
Jeroen Ketema
cbde11ddc9 Properly share ConceptsShared.qll 2025-07-14 16:30:45 +02:00