hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 11:16:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
45,584 Commits 1,672 Branches 157 Tags
530b29ccdfb42bcb8173f270e2f89d76bc20c2bc
Commit Graph

1685 Commits

Author SHA1 Message Date
Harry Maclean
fa1ae26fab Add change note 2022-10-03 09:46:01 +13:00
Harry Maclean
a5998fbe4d Ruby: Model ActionController::Parameters 
Add flow summaries for methods on ActionController::Parameters,
which mostly propagate taint from receiver to return value.
 2022-10-03 09:45:59 +13:00
Harry Maclean
ba83b7c6c7 Merge pull request #10599 from hmac/hmac/actioncontroller-datastreaming 
Ruby: Model send_file
 2022-10-03 09:44:05 +13:00
Alex Ford
5c32c8badf Merge pull request #10560 from alexrford/ruby/yaml-load_file 
Ruby: treat `Psych` and `YAML` as aliases for rb/unsafe-deserialization
 2022-10-02 20:19:10 +01:00
Tom Hvitved
292bc67125 Merge pull request #10620 from hvitved/ruby/call-graph-protected-methods 
Ruby: Account for `protected` methods in call graph
 2022-09-30 19:31:36 +02:00
Tom Hvitved
32d002ed60 Merge pull request #10627 from hvitved/ruby/synthesis-reduce-non-linear-rec 
Ruby: Reduce size of input predicate for non-linear recursion
 2022-09-30 15:36:21 +02:00
Tom Hvitved
3ec43dbd16 Ruby: Do not attempt to track precise hash indices for floats and complex numbers 2022-09-30 14:57:50 +02:00
Tom Hvitved
e5d884a905 Ruby: Cache predicates in ApiGraphModels::ModelOutput 2022-09-30 14:56:55 +02:00
Tom Hvitved
299339f817 Ruby: Expose relevant predicates from internal/Module.qll and make sure they are cached 2022-09-30 14:56:55 +02:00
Asger F
6e1914ad01 Merge pull request #10375 from asgerf/rb/summarize-loads-v2 
Ruby: type-tracking and API edges through simple library callables
 2022-09-30 14:25:17 +02:00
Nick Rolfe
ef8ec0878a Merge pull request #10641 from github/nickrolfe/a_an 
JS/Python/Ruby: s/a HTML/an HTML/
 2022-09-30 12:17:15 +01:00
Nick Rolfe
ed74e0aad1 JS/Python/Ruby: s/a HTML/an HTML/ 2022-09-30 10:37:52 +01:00
Michael Nebel
82294c1349 Merge pull request #10622 from michaelnebel/ruby/postupdateassignexpr 
Ruby: Postupdate notes for assignment expressions.
 2022-09-30 10:00:02 +02:00
Harry Maclean
4a39bc8f47 Merge pull request #10598 from hmac/hmac/actioncontroller-metal 
Ruby: Identify ActionController::Metal controllers
 2022-09-30 13:07:03 +13:00
Tom Hvitved
a5fbe751f1 Ruby: Reduce size of input predicate for non-linear recursion 
Before, we would be recursive in all of `MethodCall::getMethodName`:

```
Evaluated named local Synthesis#d9ff06b1::AssignOperationDesugar::SetterAssignOperation::getCallKind#ffff#shared#3@Synthesi in 9803ms on iteration 14 (size: 31006941).
Evaluated relational algebra for predicate Synthesis#d9ff06b1::AssignOperationDesugar::SetterAssignOperation::getCallKind#ffff#shared#3@Synthesi on iteration 14 running pipeline main with tuple counts:
          256419  ~1%    {2} r1 = SCAN Call#841c84e8::MethodCall::getMethodName#0#dispred#ff#prev_delta OUTPUT In.1, In.0
        31006941  ~8%    {4} r2 = JOIN r1 WITH Synthesis#d9ff06b1::MethodCallKind#ffff#prev ON FIRST 1 OUTPUT Lhs.1, Rhs.1, Rhs.2, Rhs.3
                         return r2
```

Now, we have restricted that to only the relevant method names.
 2022-09-29 15:59:11 +02:00
Asger F
ae60b0ae6d Ruby: ensure pruning works with startInContent 2022-09-29 15:54:51 +02:00
Michael Nebel
999eb19c3d Ruby: Support postupdate notes for assignment expressions. 2022-09-29 14:12:20 +02:00
Asger F
f1de5a2ffd Ruby: Restrict summaries and type trackers to relevant contents 2022-09-29 14:10:09 +02:00
Tom Hvitved
1fcd22b0f6 Merge pull request #10621 from hvitved/ruby/fix-bad-join 
Ruby: Fix bad join-order
 2022-09-29 13:56:18 +02:00
Asger F
dc03557aea Merge branch 'main' into rb/summarize-loads-v2 2022-09-29 12:07:30 +02:00
Tom Hvitved
2bf087677f Ruby: Fix bad join-order 
Before
```
Evaluated relational algebra for predicate DataFlowDispatch#36b84300::mayBenefitFromCallContext1#6#ffffff@ba617c9q with tuple counts:
          1066626  ~2%    {3} r1 = SCAN project#Module#fe82a56b::Cached::lookupMethod#2 OUTPUT In.0, In.0, In.1
        931393128  ~0%    {4} r2 = JOIN r1 WITH DataFlowDispatch#36b84300::isInstanceLocalMustFlow#3#fff_102#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.2, Lhs.1, Rhs.2
           298573  ~0%    {6} r3 = JOIN r2 WITH DataFlowDispatch#36b84300::mayBenefitFromCallContext0#5#fffff_14023#join_rhs ON FIRST 2 OUTPUT Rhs.2, Rhs.3, Rhs.4, Lhs.2, Lhs.3, Lhs.1
                          return r3
```

After
```
Evaluated relational algebra for predicate DataFlowDispatch#36b84300::mayBenefitFromCallContext1#6#ffffff@f68de4dn with tuple counts:
        583298  ~1%    {5} r1 = SCAN DataFlowDispatch#36b84300::mayBenefitFromCallContext0#5#fffff OUTPUT In.1, In.0, In.2, In.3, In.4
        583298  ~1%    {5} r2 = JOIN r1 WITH DataFlowPrivate#462ff392::ArgumentNode#class#f ON FIRST 1 OUTPUT Lhs.0, Lhs.1, Lhs.2, Lhs.3, Lhs.4
        442278  ~0%    {6} r3 = JOIN r2 WITH DataFlowDispatch#36b84300::isInstanceLocalMustFlow#3#fff ON FIRST 1 OUTPUT Rhs.1, Lhs.4, Lhs.1, Lhs.2, Lhs.3, Rhs.2
        298573  ~0%    {6} r4 = JOIN r3 WITH project#Module#fe82a56b::Cached::lookupMethod#2 ON FIRST 2 OUTPUT Lhs.2, Lhs.3, Lhs.4, Lhs.0, Lhs.5, Lhs.1
                       return r4
```
 2022-09-29 12:00:26 +02:00
Tom Hvitved
e9b96c19b8 Ruby: Account for protected methods in call graph 2022-09-29 11:58:04 +02:00
Asger F
296c0a7925 Merge pull request #10603 from asgerf/type-model-api-node 
Add TypeModel.getAnApiNode
 2022-09-29 11:39:09 +02:00
Alex Ford
4ed4d31efd Delete 2022-09-23-yaml-load-file.md 2022-09-28 21:44:58 +01:00
Harry Maclean
0e5aa97c46 Fix changenote month 2022-09-29 09:24:42 +13:00
Harry Maclean
76cfd44478 Add change note 2022-09-29 09:24:42 +13:00
Harry Maclean
4217a50900 Treat ActiveRecord.create as a model instantiation 2022-09-29 09:24:42 +13:00
Harry Maclean
e7d19e849f Merge pull request #10090 from hmac/hmac/activestorage 
Ruby: Model Activestorage
 2022-09-29 09:16:25 +13:00
Harry Maclean
0ce0ada4df Merge pull request #10002 from hmac/hmac/protected-methods 
Ruby: Model protected methods
 2022-09-29 08:39:29 +13:00
Tom Hvitved
3af3772041 Ruby: Include With(out)Element in isElementBody 2022-09-28 16:51:20 +02:00
Asger F
76cab235d9 Ruby: reuse argumentPositionMatch 2022-09-28 15:24:48 +02:00
Asger F
8704ccee77 Ruby: mention TNoContentSet is only used by type-tracking 2022-09-28 15:18:09 +02:00
Asger F
c8162f80bf Ruby: add TypeModel.getAnApiNode 2022-09-28 12:17:10 +02:00
Asger F
a48b893ed6 Merge pull request #10588 from asgerf/rb/rbi-instantiated-type 
Ruby: add RbiInstantiatedType
 2022-09-28 11:51:20 +02:00
Tom Hvitved
99b2df0605 Ruby: Make get(Explicit)VisibilityModifier private 2022-09-28 11:16:13 +02:00
Asger F
ee7dea1ab6 Merge branch 'main' into rb/summarize-loads-v2 
This only fixes superficial conflicts with
  https://github.com/github/codeql/pull/10574
semantic conflicts will be addressed in later commits
 2022-09-28 11:11:44 +02:00
Asger F
e56630a485 Ruby: add missing qldoc 2022-09-28 10:49:34 +02:00
Asger F
e1dfed0fcb Ruby: move OptionalContentSet to TypeTrackerSpecific.qll 2022-09-28 10:49:34 +02:00
Asger F
ce3665d50e Ruby: remove unneeded qualified AST import 2022-09-28 10:49:34 +02:00
Asger F
665ee81967 Ruby: revert trackUseNode to idiomatic type-tracking 
The optimizations done here now seem to backfire and cause more problems than they fix.
 2022-09-28 10:49:34 +02:00
Asger F
032847f331 Ruby: inline getContents 2022-09-28 10:49:34 +02:00
Asger F
e09a5e87dd Ruby: clarify what getAnElement() does 2022-09-28 10:49:34 +02:00
Asger F
588b31d15d Ruby: fix another typo 2022-09-28 10:49:34 +02:00
Asger F
a7b92295a2 Ruby: fix a typo 2022-09-28 10:49:34 +02:00
Asger F
7dfa58b50d Remove Content::NoContent 2022-09-28 10:49:34 +02:00
Asger F
dd23e125e5 Rename TypeTrackerContentSet -> TypeTrackerContent 2022-09-28 10:49:34 +02:00
Asger F
6abf77d40d Factor comparison into compatibleContents 2022-09-28 10:49:34 +02:00
Asger F
85d0c63ec7 Ruby: store a ContentSet on type tracker instances 2022-09-28 10:49:34 +02:00
Asger F
e47deaffbf Ruby: More QLDoc police 2022-09-28 10:49:34 +02:00
Asger F
7737e75427 Update some QLDoc comments 2022-09-28 10:49:34 +02:00