hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 19:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
45,584 Commits 1,672 Branches 157 Tags
530b29ccdfb42bcb8173f270e2f89d76bc20c2bc
Commit Graph

1685 Commits

Author SHA1 Message Date
Asger F
cbf16579ed Ruby: tweak pipeline a bit 2022-09-28 10:49:33 +02:00
Asger F
b13b2ce319 Ruby: fix join order when building append relation 2022-09-28 10:49:33 +02:00
Asger F
3498a04b89 Ruby: associate ContentSets with store/load edges in type tracker 2022-09-28 10:49:33 +02:00
Asger F
497258eda5 Ruby: reuse Content type 2022-09-28 10:49:33 +02:00
Asger F
ac1b7eb0b9 Remove SetterMethodCall in MkAttribute 2022-09-28 10:49:33 +02:00
Asger F
a64f7cd146 Ruby: simplify getSetterCallAttributeName 2022-09-28 10:49:33 +02:00
Asger F
a51a540582 Ruby: add content edges to API graph 
Fixes
 2022-09-28 10:49:33 +02:00
Asger F
d5e2b93554 Ruby: add API graph label for content 2022-09-28 10:49:33 +02:00
Asger F
cd9cddf45a Ruby: generate type-tracking steps from simple summary specs 2022-09-28 10:49:33 +02:00
Asger F
f1b99e867c Ruby: use IPA type for type tracker contents 
fixup qldoc in OptionalTypeTrckerContent
 2022-09-28 10:49:33 +02:00
Asger F
53ef054c53 Ruby: Add getACallSimple and use it for arrays and hashes 2022-09-28 10:49:24 +02:00
Asger F
182d7d38a8 Update ruby/ql/lib/codeql/ruby/experimental/Rbi.qll 
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
 2022-09-28 10:36:09 +02:00
Harry Maclean
adb8368e07 Add change note 2022-09-28 12:16:12 +13:00
Harry Maclean
24a10aa5ff Recognise send_file as a FileSystemAccess 
This method is available in ActionController actions, and sends the file
at the given path to the client.
 2022-09-28 12:14:22 +13:00
Harry Maclean
eada74a15c Add change note 2022-09-28 11:43:31 +13:00
Tom Hvitved
2351c0288a Ruby: Fix spurious flow through reverse stores 2022-09-27 20:16:31 +02:00
Harry Maclean
28a23209a5 Ruby: Identify ActionController::Metal controllers 
Subclasses of `ActionController::Metal` are stripped-down controllers.
We want to recognise them as ActionController controllers.
There are some common ActionController methods that are not available in
Metal, but these are not likely to be used anyway as they would throw an
exception, so I don't think there's much harm in including them in the
modelling.
 2022-09-28 07:10:09 +13:00
Tom Hvitved
df2b586e7c Merge pull request #10577 from hvitved/dataflow/get-a-read-content-fan-in 
Data flow: Fix bad join-order when getAReadContent has large fan-in
 2022-09-27 20:04:58 +02:00
Harry Maclean
6e60a6ff2e Apply suggestions from code review 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2022-09-28 05:51:28 +13:00
Tom Hvitved
335e1a8233 Address review comments 2022-09-27 13:36:52 +02:00
erik-krogh
7675571daa fix RegExpEscape::getValue having multiple results for some escapes 2022-09-27 13:25:23 +02:00
Nick Rolfe
bfda08e69c Ruby: detect uses of libxml with entity substitution enabled by default 
Including uses of ActiveSupport::XmlMini with the libxml backend
 2022-09-27 11:53:43 +01:00
Asger F
ea4ba27297 Ruby: add RbiInstantiatedType 2022-09-27 10:51:29 +02:00
Anders Schack-Mulligen
9f1bbf2bbd Merge pull request #10575 from aschackmull/dataflow/cleanup-module 
Dataflow: Minor visibility cleanup
 2022-09-27 10:10:53 +02:00
Harry Maclean
9709aa87fb Fix changenote month 2022-09-27 15:23:12 +13:00
Harry Maclean
cb8865f3ff Add missing doc 2022-09-27 11:23:08 +13:00
Harry Maclean
6803d96000 Add change note 2022-09-27 10:43:41 +13:00
Tom Hvitved
3717cb30eb Ruby: Fix two join orders 
`getExplicitVisibilityModifier`

Before
[2022-08-17 09:03:16] (186s) Tuple counts for quick_eval#ff/2@2005f7ku after 113ms:
                      39910   ~0%     {2} r1 = SCAN Method#8b49e67f::Method#ff OUTPUT 0, In.0 'this'
                      39910   ~0%     {2} r2 = STREAM DEDUP r1
                      135     ~2%     {2} r3 = JOIN r2 WITH Call#ee92d596::CallImpl::getArgumentImpl#dispred#fbb_120#join_rhs ON FIRST 2 OUTPUT Rhs.2 'result', Lhs.1 'this'
                      134     ~0%     {2} r4 = JOIN r3 WITH Method#8b49e67f::VisibilityModifier#f ON FIRST 1 OUTPUT Lhs.1 'this', Lhs.0 'result'

                      39910   ~0%     {1} r5 = SCAN Method#8b49e67f::Method#ff OUTPUT In.0 'this'
                      39910   ~0%     {1} r6 = STREAM DEDUP r5
                      39910   ~0%     {2} r7 = JOIN r6 WITH Method#8b49e67f::Method::getName#dispred#ff ON FIRST 1 OUTPUT Lhs.0 'this', Rhs.1
                      39770   ~1%     {3} r8 = JOIN r7 WITH AST#a6718388::AstNode::getEnclosingModule#dispred#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.0 'this', Lhs.1
                      1859722 ~0%     {3} r9 = JOIN r8 WITH project#Method#8b49e67f::isDeclaredIn#fff#2_10#join_rhs ON FIRST 1 OUTPUT Rhs.1 'result', Lhs.1 'this', Lhs.2
                      11757   ~0%     {4} r10 = JOIN r9 WITH Method#8b49e67f::VisibilityModifier::getMethodArgument#dispred#bf ON FIRST 1 OUTPUT Lhs.2, Lhs.1 'this', Lhs.0 'result', Rhs.1
                      24206   ~0%     {4} r11 = JOIN r10 WITH Constant#54e8b051::ConstantValue::getStringlikeValue#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.3, Rhs.1, Lhs.1 'this', Lhs.2 'result'
                      292     ~0%     {2} r12 = JOIN r11 WITH Expr#6fb2af19::Expr::getConstantValue#dispred#ff ON FIRST 2 OUTPUT Lhs.2 'this', Lhs.3 'result'

                      426     ~0%     {2} r13 = r4 UNION r12
                                      return r13

After
[2022-08-17 09:30:31] (0s) Tuple counts for quick_eval#ff/2@e014fd45 after 5ms:
                      39910 ~0%     {1} r1 = SCAN Method#8b49e67f::Method#ff OUTPUT In.0 'this'
                      39910 ~0%     {1} r2 = STREAM DEDUP r1

                      134   ~1%     {2} r3 = JOIN r2 WITH Method#8b49e67f::VisibilityModifier::getMethodArgument#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.0 'this', Rhs.1 'result'

                      37225 ~1%     {3} r4 = JOIN r2 WITH project#Method#8b49e67f::methodIsDeclaredIn#ffff ON FIRST 1 OUTPUT Rhs.1, Rhs.2, Lhs.0 'this'
                      382   ~1%     {2} r5 = JOIN r4 WITH Method#8b49e67f::modifiesIn#fff_120#join_rhs ON FIRST 2 OUTPUT Lhs.2 'this', Rhs.2 'result'

                      516   ~0%     {2} r6 = r3 UNION r5
                                    return r6

`getVisibilityModifier()`

Before
[2022-08-17 09:16:18] (1s) Tuple counts for quick_eval#ff/2@0e9b6ctl after 52ms:
                      39910   ~0%     {1} r1 = SCAN Method#8b49e67f::Method#ff OUTPUT In.0 'this'
                      39910   ~0%     {1} r2 = STREAM DEDUP r1
                      424     ~0%     {2} r3 = JOIN r2 WITH Method#8b49e67f::Method::getExplicitVisibilityModifier#dispred#ff ON FIRST 1 OUTPUT Lhs.0 'this', Rhs.1 'result'

                      34953   ~0%     {3} r4 = JOIN quick_eval#ff#shared WITH Method#8b49e67f::isDeclaredIn#fff ON FIRST 1 OUTPUT Rhs.1, Rhs.2, Lhs.0 'this'
                      2338    ~0%     {2} r5 = JOIN r4 WITH quick_eval#ff#join_rhs ON FIRST 2 OUTPUT Lhs.2 'this', Rhs.2 'result'

                      3861    ~0%     {1} r6 = SCAN Method#8b49e67f::SingletonMethod#ff OUTPUT In.0 'this'
                      3861    ~0%     {1} r7 = STREAM DEDUP r6
                      3859    ~6%     {2} r8 = JOIN r7 WITH AST#a6718388::AstNode::getEnclosingModule#dispred#ff ON FIRST 1 OUTPUT Lhs.0 'this', Rhs.1
                      3859    ~6%     {2} r9 = JOIN r8 WITH Method#8b49e67f::SingletonMethod#ff ON FIRST 1 OUTPUT Lhs.0 'this', Lhs.1

                      0       ~0%     {3} r10 = JOIN r9 WITH Method#8b49e67f::VisibilityModifier::getMethodArgument#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1 'result', Lhs.1, Lhs.0 'this'

                      3859    ~0%     {3} r11 = JOIN r9 WITH Method#8b49e67f::SingletonMethod::getName#dispred#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.0 'this', Lhs.1
                      7731    ~0%     {3} r12 = JOIN r11 WITH Constant#54e8b051::ConstantValue::getStringlikeValue#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1 'this', Lhs.2
                      1343055 ~1%     {3} r13 = JOIN r12 WITH Expr#6fb2af19::Expr::getConstantValue#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1 'this', Lhs.2
                      6546    ~2%     {3} r14 = JOIN r13 WITH Method#8b49e67f::VisibilityModifier::getMethodArgument#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1 'result', Lhs.2, Lhs.1 'this'

                      6546    ~2%     {3} r15 = r10 UNION r14
                      120     ~2%     {2} r16 = JOIN r15 WITH AST#a6718388::AstNode::getEnclosingModule#dispred#ff ON FIRST 2 OUTPUT Lhs.2 'this', Lhs.0 'result'

                      2458    ~0%     {2} r17 = r5 UNION r16
                      2882    ~0%     {2} r18 = r3 UNION r17
                                      return r18

After
[2022-08-17 09:29:42] (2s) Tuple counts for quick_eval#ff/2@77b18cdg after 5ms:
                      39910 ~0%     {1} r1 = SCAN Method#8b49e67f::Method#ff OUTPUT In.0 'this'
                      39910 ~0%     {1} r2 = STREAM DEDUP r1
                      516   ~0%     {2} r3 = JOIN r2 WITH Method#8b49e67f::Method::getExplicitVisibilityModifier#dispred#ff ON FIRST 1 OUTPUT Lhs.0 'this', Rhs.1 'result'

                      3861  ~0%     {1} r4 = SCAN Method#8b49e67f::SingletonMethod#ff OUTPUT In.0 'this'
                      3861  ~0%     {1} r5 = STREAM DEDUP r4

                      0     ~0%     {2} r6 = JOIN r5 WITH Method#8b49e67f::VisibilityModifier::getMethodArgument#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.0 'this', Rhs.1 'result'

                      516   ~0%     {2} r7 = r3 UNION r6

                      36845 ~0%     {3} r8 = JOIN quick_eval#ff#shared WITH Method#8b49e67f::isDeclaredIn#fff ON FIRST 1 OUTPUT Rhs.1, Rhs.2, Lhs.0 'this'
                      2421  ~0%     {2} r9 = JOIN r8 WITH quick_eval#ff#join_rhs ON FIRST 2 OUTPUT Lhs.2 'this', Rhs.2 'result'

                      2584  ~0%     {3} r10 = JOIN r5 WITH project#Method#8b49e67f::methodIsDeclaredIn#ffff ON FIRST 1 OUTPUT Rhs.1, Rhs.2, Lhs.0 'this'
                      39    ~0%     {2} r11 = JOIN r10 WITH Method#8b49e67f::modifiesIn#fff_120#join_rhs ON FIRST 2 OUTPUT Lhs.2 'this', Rhs.2 'result'

                      2460  ~1%     {2} r12 = r9 UNION r11
                      2976  ~0%     {2} r13 = r7 UNION r12
                                    return r13
 2022-09-27 10:29:06 +13:00
Harry Maclean
92715bac3a Attempt to fix bad join candidates 2022-09-27 10:29:06 +13:00
Harry Maclean
4df7fd248e Ruby: Ensure explicit modifiers take priority 
In Ruby, "explicit" visibility modifiers override "implicit" ones. For
example, in the following:

```rb
class C

  private

  def m1
  end

  public m2
  end

  def m3
  end
  public :m3
end
```

`m1` is private whereas `m2` and `m3` are public.
 2022-09-27 10:28:23 +13:00
Harry Maclean
d90257fd50 Add change note 2022-09-27 10:22:54 +13:00
Harry Maclean
79abb36faf Ruby: Remove MethodModifier 2022-09-27 10:21:06 +13:00
Harry Maclean
97e9eab7fc Fix QL4QL error 2022-09-27 10:21:06 +13:00
Harry Maclean
d7f40c41c5 Ruby: protected_class_method does not exist 2022-09-27 10:21:06 +13:00
Harry Maclean
58dd521ee9 Ruby: further refactor to method visibility 2022-09-27 10:13:23 +13:00
Harry Maclean
c5f36613da Ruby: Refactor method visibility modeling 2022-09-27 10:13:21 +13:00
Harry Maclean
dea5036912 Ruby: Update for Http concept changes 2022-09-27 10:03:17 +13:00
Tom Hvitved
45fc62f16b Data flow: Sync files 2022-09-26 20:39:48 +02:00
Tom Hvitved
88baf0883a Merge pull request #10358 from hvitved/ruby/dataflow/call-ctx 
Ruby: Context sensitive instance method resolution
 2022-09-26 19:55:10 +02:00
Anders Schack-Mulligen
1687d08587 Dataflow: Sync. 2022-09-26 16:10:03 +02:00
Alex Ford
06e435fd84 Ruby: remove YAML.load_file arg0 as an unsafe deserialization sink 2022-09-26 11:26:30 +01:00
Harry Maclean
7b9519fe7c Ruby: Fix import 2022-09-26 20:56:11 +13:00
Harry Maclean
7d3f9580ff Ruby: QLDoc fix 2022-09-26 20:56:11 +13:00
Harry Maclean
9f99a3ca1f Ruby: Model sanitize ActionView helper 2022-09-26 20:56:11 +13:00
Harry Maclean
9e625acd3d Ruby: QLDoc fix 2022-09-26 20:56:11 +13:00
Harry Maclean
1d693d336f Ruby: Model javascript_include_tag and friends 2022-09-26 20:56:09 +13:00
Harry Maclean
35a05f6dea Ruby: Add summaries for ActiveSupport::SafeBuffer 2022-09-26 20:55:05 +13:00
Harry Maclean
ed0c85e3af Ruby: Model ActionView helper XSS sinks 2022-09-26 20:55:04 +13:00
Dave Bartolomeo
3bd456e52d Merge pull request #10565 from github/post-release-prep/codeql-cli-2.11.0 
Post-release preparation for codeql-cli-2.11.0
 2022-09-23 18:13:59 -04:00
github-actions[bot]
6cef0af5df Post-release preparation for codeql-cli-2.11.0 2022-09-23 21:01:40 +00:00