hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-31 15:22:57 +01:00
Code Issues Packages Projects Releases Wiki Activity
34,915 Commits 1,684 Branches 159 Tags
52b7fbf48456b2aad0ca9bd6ab4fba6845bd78ca
Commit Graph

346 Commits

Author SHA1 Message Date
Nick Rolfe
3737248deb Merge pull request #8879 from github/nickrolfe/graph_ordering 
Ruby: fix graph query tests by defining total ordering
 2022-04-26 13:22:53 +01:00
Nick Rolfe
a2f66e8631 Ruby: specify total ordering for test graph queries 2022-04-26 12:58:44 +01:00
Tom Hvitved
b033f107df Merge remote-tracking branch 'upstream/main' into dataflow/interpret-read-store 2022-04-22 14:35:02 +02:00
Tom Hvitved
093a3879be Merge pull request #8794 from hvitved/ruby/capture-barrier-guards 
Ruby: Handle captured variables in `BarrierGuard::getAGuardedNode()`
 2022-04-22 11:47:36 +02:00
Tom Hvitved
be5363ea53 Merge pull request #8801 from hvitved/ruby/exclude-splat-in-taint-tracking 
Ruby: Exclude `SplatExpr` from taint tracking
 2022-04-22 11:12:05 +02:00
Tom Hvitved
c20ce62767 Ruby: Exclude SplatExpr from taint tracking 
`SplatExpr`s are modelled using flow summaries, so there is no need to include them
explicitly in `defaultAdditionalTaintStep`.
 2022-04-21 20:27:04 +02:00
Tom Hvitved
addb92f13b Ruby: Handle captured variables in BarrierGuard::getAGuardedNode() 2022-04-21 13:25:47 +02:00
Tom Hvitved
325b451288 Ruby: Add barrier guards test involving captured variables 2022-04-21 13:25:40 +02:00
Tom Hvitved
b4542c58c2 Ruby: Implement Argument[any] and Argument[n..] 2022-04-20 13:55:18 +02:00
Harry Maclean
c3f1fba985 Merge pull request #8598 from hmac/hmac/insecure-dep-resolution 
Ruby: Add rb/insecure-dependency query
 2022-04-14 02:09:44 +02:00
Dave Bartolomeo
9f074cd8fd Bump a few more versions 
Also fixes up some dependency declarations that should have been "*" because they refer to packs in the same workspace.
 2022-04-08 13:01:41 -04:00
Harry Maclean
8f3578c92a Ruby: Include query results in test 2022-04-05 10:20:02 +12:00
Tom Hvitved
725d76e934 Ruby: Implement ContentSet 2022-04-04 13:51:44 +02:00
Tom Hvitved
a5040fd0ce Ruby: Add data-flow test for reverse array stores 2022-04-04 13:51:43 +02:00
Harry Maclean
3d96c5e6db Ruby: Add test case for rb/insecure-dependency 
This tests that we recognise kwargs in hashrocket style:

    gem "foo", "1.2.3", :git => "..."

as well as the modern style:

    gem "foo", "1.2.3", git: "..."
 2022-04-01 15:30:07 +13:00
Alex Ford
882f78c6f9 Merge remote-tracking branch 'origin/main' into ruby/weak-cryptographic-algorithm 2022-03-31 17:17:46 +01:00
Arthur Baars
15c54f6100 Merge pull request #8354 from aibaars/incomplete-url-string-sanitization 
Incomplete url string sanitization
 2022-03-31 10:59:51 +02:00
Nick Rolfe
a274af2b16 Merge pull request #7985 from github/nickrolfe/constant_regexp 
Ruby: separate constant propagation of regexps from strings
 2022-03-30 11:37:33 +01:00
Harry Maclean
37cedda63a Ruby: Add InsecureDependencyResolution query 
This query looks for places in a Gemfile where URLs with insecure
protocols (HTTP or FTP) are specified.
 2022-03-30 13:39:15 +13:00
Asger F
f22df765ed Merge pull request #8533 from asgerf/mad-receiver-token 
JS/Ruby: Represent non-positional arguments with Argument/Parameter tokens
 2022-03-28 15:28:52 +02:00
Nick Rolfe
9406aa2f29 Merge remote-tracking branch 'origin/main' into nickrolfe/constant_regexp 2022-03-28 13:05:34 +01:00
Asger Feldthaus
0b30ecf36a Ruby: add select clause back to Summaries.ql 2022-03-28 13:57:50 +02:00
Nick Rolfe
a9eac19dac Ruby: address review feedback 2022-03-28 11:19:24 +01:00
Arthur Baars
af1d949d06 Merge pull request #8489 from aibaars/regex-refactor 
Ruby: refactor regex libraries
 2022-03-28 12:17:00 +02:00
Asger Feldthaus
8e2ffc2508 Ruby: add the inline test expectations 2022-03-25 11:31:22 +01:00
Asger Feldthaus
5703f63afa Ruby: use InlineFlowTest in Summaries.ql test 2022-03-25 11:18:52 +01:00
Nick Rolfe
034fce0682 Ruby: show constant value type in tests 2022-03-25 08:25:07 +00:00
Nick Rolfe
0613fda57f Ruby: separate constant propagation of regexps from strings 2022-03-24 17:46:58 +00:00
Tom Hvitved
e12b6df118 Merge pull request #8484 from hvitved/ruby/constant-value-rework 
Ruby: Rework `getConstantValue` implementation
 2022-03-24 14:32:31 +01:00
Rasmus Wriedt Larsen
98c0d73ffe Merge pull request #8524 from RasmusWL/ruby-update-ssrf-concept 
Ruby: Minor change of SSRF concept
 2022-03-24 13:48:06 +01:00
Arthur Baars
74aea81fe3 Ruby: refactor regex libraries 2022-03-24 11:37:02 +01:00
Arthur Baars
65f8f56095 Merge branch 'main' into incomplete-url-string-sanitization 2022-03-24 11:27:30 +01:00
Arthur Baars
496aab78a7 Merge pull request #8535 from aibaars/setter-method-arg-location 
Ruby: fix location of setter-call argument
 2022-03-24 11:26:13 +01:00
Harry Maclean
28a430a2f2 Ruby: Fix bad name of lambda in test 
This isn't the identity function, so it's confusing for it to be named
so.
 2022-03-24 12:44:41 +13:00
Asger Feldthaus
ce54eb3c78 Ruby: Add Argument[foo:] syntax for keyword arguments 2022-03-23 18:06:12 +01:00
Asger Feldthaus
6d84baf276 Ruby: Support self,block in Argument/Parameter tokens 2022-03-23 18:06:12 +01:00
Arthur Baars
06a99c3987 Ruby: fix location of setter-call argument 2022-03-23 12:55:52 +01:00
Rasmus Wriedt Larsen
9254b2904e Ruby: Adjust HttpClients test 2022-03-22 11:19:55 +01:00
Tom Hvitved
99ddfb489f Ruby: Rework getConstantValue implementation 2022-03-22 10:07:44 +01:00
Harry Maclean
99b5c580a5 Ruby: Fix captured reads in lambdas 
These were previously identified as method calls. The fix is to
recognise lambdas as a scope which can inherit variables from its
parent.
 2022-03-22 15:35:43 +13:00
Harry Maclean
c891e62a0e Ruby: Add some tests for method calls in lambdas 
This reveals a bug where we identify reads of captured variables in
lambdas as method calls. This is fixed in a followup commit.
 2022-03-22 15:33:22 +13:00
Harry Maclean
ff1d96c922 Ruby: Add rb/http-to-file-access query 2022-03-22 11:09:08 +13:00
Harry Maclean
6c18e1d7ac Merge pull request #8272 from hmac/hmac/tainted-format-string 2022-03-22 08:37:47 +13:00
Alex Ford
c891c53835 Merge pull request #8395 from alexrford/ruby/clear-text-storage 
Ruby: add `rb/clear-text-storage-sensitive-data` query
 2022-03-21 10:05:39 +00:00
Harry Maclean
5a6da827d0 Ruby: Avoid FP in TaintedFormatString query 
Kernel#printf supports two call signatures:

    printf(String, *args)
    printf(IO, String, *args)

We want to identify the String argument, which is the format string.
Previously we would return the 0th and 1st arguments, which gives some
FPs when the 1st arg is not a format string.

We now try to rule out the trivial case by checking if arg 0 has a
string value, and then assuming it is the format string. Otherwise we
fall back to returning both arguments.

This still has some false positive potential, but less than previously.
 2022-03-21 12:51:47 +13:00
Harry Maclean
4249e30824 Ruby: Test tainted interpolated format arg 2022-03-21 12:51:18 +13:00
Harry Maclean
f6215d4c7e Ruby: Add rb/tainted-format-string query 2022-03-21 12:51:18 +13:00
Arthur Baars
bf888f0f0b Merge remote-tracking branch 'upstream/main' into incomplete-url-string-sanitization 
Conflicts:
	config/identical-files.json
	javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
	javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll
	ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll
 2022-03-18 16:09:20 +01:00
Arthur Baars
431b60506e Merge remote-tracking branch 'upstream/main' into incomplete-hostname 2022-03-18 13:05:34 +01:00
Arthur Baars
1a51f0cf56 Ruby: regex: fix getGroupNumber 
non-capture groups should not have a group number
 2022-03-16 18:50:51 +01:00