hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 03:36:30 +01:00
Code Issues Packages Projects Releases Wiki Activity
45,584 Commits 1,672 Branches 157 Tags
530b29ccdfb42bcb8173f270e2f89d76bc20c2bc
Commit Graph

24 Commits

Author SHA1 Message Date
Harry Maclean
0e6322d673 Ruby: Restrict XSS header sinks 
Not all header writes are relevant to XSS. Restrict these to just
content-type and access-control-allow-origin.
 2022-10-17 09:34:44 +13:00
Harry Maclean
73ca595b56 Ruby: Model ActionDispatch::Response 2022-10-17 08:17:37 +13:00
Harry Maclean
e6dc27a7b5 Add content_mime_type, fix env/filtered_env 2022-10-14 19:49:22 +13:00
Harry Maclean
a3c14f7f46 Update test 2022-10-13 13:57:28 +13:00
Harry Maclean
ad464abde2 Ruby: Model more params accesses 2022-10-13 13:24:16 +13:00
Nick Rolfe
d61f0559a0 Ruby: add ActionMailer#params as a RemoteFlowSource 2022-10-10 10:23:48 +01:00
Harry Maclean
a5998fbe4d Ruby: Model ActionController::Parameters 
Add flow summaries for methods on ActionController::Parameters,
which mostly propagate taint from receiver to return value.
 2022-10-03 09:45:59 +13:00
Harry Maclean
4a39bc8f47 Merge pull request #10598 from hmac/hmac/actioncontroller-metal 
Ruby: Identify ActionController::Metal controllers
 2022-09-30 13:07:03 +13:00
Harry Maclean
63309150e0 Make some space 2022-09-29 09:24:37 +13:00
Harry Maclean
28a23209a5 Ruby: Identify ActionController::Metal controllers 
Subclasses of `ActionController::Metal` are stripped-down controllers.
We want to recognise them as ActionController controllers.
There are some common ActionController methods that are not available in
Metal, but these are not likely to be used anyway as they would throw an
exception, so I don't think there's much harm in including them in the
modelling.
 2022-09-28 07:10:09 +13:00
Harry Maclean
ba5cd08a09 Update ActionController fixture 2022-09-20 15:55:35 +01:00
Harry Maclean
7ef6ffbc54 Ruby: Recognise Rails render calls as HTTP responses 2022-08-16 14:03:26 +12:00
Harry Maclean
83393dc195 Ruby: Recognise more AR write accesses 
This change means we recognise calls like

```rb
User.create(params)
User.update(id, params)
```

as instances of `PersistentWriteAccess`.
 2022-08-04 17:22:46 +12:00
Harry Maclean
7ed81db32d Ruby: Move ActiveRecord tests to new directory 2022-08-04 17:22:46 +12:00
thiggy1342
e8e8da1b31 fix lib test expect for ActionController 2022-07-08 19:01:01 +00:00
Harry Maclean
7dfab371f6 Ruby: Model redirect_back and redirect_back_or_to 
These are ActionController methods that redirect to the HTTP Referer,
falling back to the given location if there is no Referer.
 2022-06-20 13:36:02 +12:00
Alex Ford
c44a68613a Ruby: add a test case for ActiveRecord dynamic finder methods 2022-06-16 11:29:56 +01:00
Alex Ford
56bf977498 Ruby: trim some SQLi related comments from ActiveRecord.rb 2022-06-16 11:29:56 +01:00
Alex Ford
de486baf4a Ruby: rename ActiveRecord.rb test case file 2022-06-16 11:29:56 +01:00
Harry Maclean
870c6d7412 Ruby: Rails route resolution 
Add `Route` classes which model Rails routing information, typically
defined in a `routes.rb` file. We extract only the most basic
information: HTTP method, path, controller and action. This is enough to
determine whether a given controller method is a route handler, and what
HTTP method it handles, which is useful for, among other things, the URL
redirect query.
 2022-02-02 16:26:19 +13:00
Harry Maclean
e1d290d4c0 Ruby: Don't count private methods as Rails actions 
Private instance methods on ActionController classes aren't valid
request handlers. Routing to them will raise an exception.
 2021-12-13 15:36:55 +13:00
Nick Rolfe
d46564caa6 Ruby: treat ActionController#cookies as a remote flow source 2021-12-09 12:13:17 +00:00
Nick Rolfe
f6a8b9a7e5 Ruby: add cookies call to frameworks test 2021-12-09 12:07:04 +00:00
Arthur Baars
976daddd36 Move files to ruby subfolder 2021-10-15 11:47:28 +02:00