hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-20 18:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
1,231 Commits 1,672 Branches 157 Tags
58d06715fcd565c6bb901bffbaf7cd88924a88ad
Commit Graph

61 Commits

Author SHA1 Message Date
Alex Ford
36289aa9d9 Merge pull request #255 from github/reflected-xss 
rb/reflected-xss query
 2021-09-17 18:32:48 +01:00
Nick Rolfe
3d23575a38 Merge pull request #292 from github/regexp_slash_az 
Don't parse `\A` and `\Z` as `RegExpConstant`
 2021-09-17 16:42:13 +01:00
Alex Ford
e89d485bc0 update test output (subpaths) 2021-09-15 20:51:14 +01:00
Alex Ford
773291e4c3 Put exprNodeReturnedFrom predicate in DataFlowDispatch.qll 2021-09-15 20:50:46 +01:00
Alex Ford
e80faa017c Fix rb/reflected-xss flow from helper method return values 2021-09-15 20:50:46 +01:00
Alex Ford
50b0bb8b36 Restrict rb/reflected-xss instance variable taint edges 2021-09-15 20:50:46 +01:00
Alex Ford
5cfefb1027 Add some more test cases for rb/reflected-xss 2021-09-15 20:50:46 +01:00
Alex Ford
76864a82be remove an incorrect test case 2021-09-15 20:50:46 +01:00
Alex Ford
3445a6a5e7 fix flow steps from controller instance var assignement to view read access 2021-09-15 20:50:46 +01:00
Alex Ford
b993723595 remove spurious ivar -> locals hash mapping (actionview/controller) 2021-09-15 20:50:46 +01:00
Alex Ford
3430a46440 fix some local variable mappings between view and controller 2021-09-15 20:50:46 +01:00
Alex Ford
d71dd3f6c7 rb/reflected-xss 2021-09-15 20:50:46 +01:00
Tom Hvitved
9e67382f06 Bump codeql submodule 2021-09-15 14:59:42 +02:00
Nick Rolfe
ebf23d00d1 Don't parse \A and \Z as RegExpConstant 
Fixes some FPs for the ReDoS queries.
 2021-09-14 16:49:35 +01:00
Harry Maclean
8f36b0d7fe Simplify guard in SQL injection tests 
We don't (yet) properly sanitize taint in cases like this

    foo = "A" unless foo == "B"

So for now, use a simpler guard in the SQL injection test.
We can resurrect the old, more idiomatic guard when we can support it.
 2021-09-10 16:27:57 +01:00
Nick Rolfe
7666d856b7 Merge remote-tracking branch 'origin/main' into polynomial_redos 2021-09-07 17:35:07 +01:00
Harry Maclean
87253032e2 Add a query for URL redirect vulnerabilities 
This query finds instances of CWE-601: Redirection to Untrusted Site.

The structure is copied from a query of the same name in the Python
library. We add customisations specific to `ActionController`.
 2021-09-03 13:17:14 +01:00
Nick Rolfe
47e5a8fd09 Add test for polynomial ReDoS query 2021-09-02 17:57:56 +01:00
Nick Rolfe
cbe23661ed Rename exponential ReDoS test directory 2021-09-02 17:57:56 +01:00
Harry Maclean
91d56cd802 Use dataflow to find method call targets 
This includes both local and non-local methods, and is also simpler than
the previous definition.
 2021-08-31 15:42:06 +01:00
Harry Maclean
8901eba978 Include constants in jump-to-def query 
The previous version of this query inadvertently excluded constants
which weren't classes or modules. This version includes them, by
introducing a laxer version of `resolveScopeExpr` that doesn't require
the result to be a `TResolved`.
 2021-08-31 15:42:06 +01:00
Harry Maclean
e72f1399cb Include class variables in jump-to-def query 2021-08-31 15:42:06 +01:00
Harry Maclean
e84ebe2b94 Include instance variables in jump-to-def query 
By convention, instance variables are considered to be "defined" in the
`#initialize` method of their containing class. If an instance variable
is written to in `#initialize` and then read elsewhere in the program,
we will point from the read to the write. If it is not written to in
`#initialize` then we won't provide any jump-to-definition information
for it.
 2021-08-31 15:42:06 +01:00
Harry Maclean
a16cd8967b Ignore synthesised reads for jump-to-definition 
We synthesise variables for things like tuple patterns. For example,
this Ruby code:

    a, b = ...

becomes:

    __synth__0 = ...
    a = __synth__0[0]
    b = __synth__0[1]

The `__synth__` variables should be ignored when calculating
jump-to-definition information, since they don't appear in the original
source code.
 2021-08-31 15:42:05 +01:00
Harry Maclean
95e2b8a4a4 Simplify jump-to-def query 
The expected output format is a tuple (a, b, k) where `a` and `b` are any
`AstNode` subclass and `k` is a string indicating the kind of
definition (e.g. variable, method, ...).

By ensuring that every value in `DefLoc` is a subclass of `Expr` (itself
a subclass of `AstNode`) we can simplify the query by removing all the
use of `getLocation()`.
 2021-08-31 15:42:05 +01:00
Harry Maclean
2fbbabda2d First draft of a jump-to-definition query 
TODO: flesh out this message
 2021-08-31 15:42:05 +01:00
Nick Rolfe
bc06817611 Add ERB comment as regression test for parsing bug 2021-08-25 12:43:33 +01:00
Arthur Baars
9ca0e81953 Move UseDetect to experimental for now 2021-08-04 15:52:48 +02:00
Erik Krogh Kristensen
632ad518f0 enable unicode parsing in the ruby ReDoS query 2021-08-02 07:13:41 +00:00
Nick Rolfe
d99b5510e5 Merge pull request #219 from github/regex 
Add regexp parser and exponential ReDoS query
 2021-06-30 17:23:29 +01:00
Alex Ford
31cbf818ab fix rb/sql-injection FPs due to not accounting for overridden ActiveRecord methods 2021-06-29 13:54:15 +01:00
Nick Rolfe
ba7021086b Merge remote-tracking branch 'origin/main' into regex 2021-06-25 15:00:26 +01:00
Nick Rolfe
bee94757dd Add query test for ReDoS.ql, ported from JS 2021-06-25 12:51:35 +01:00
Alex Ford
9883a9b606 update SqlInjection tests 2021-06-24 18:12:26 +01:00
Alex Ford
d62f4f5bd4 Address review comments 2021-06-24 18:12:26 +01:00
Alex Ford
12e4c9ee90 update SqlInjection tests 2021-06-24 18:12:25 +01:00
Alex Ford
5386c776b3 Implement rb/sql-injection 2021-06-24 18:12:25 +01:00
Alex Ford
f74dff560b Merge pull request #187 from github/hardcoded-credentials 
Add rb/hardcoded-credentials query
 2021-06-10 16:12:32 +01:00
Alex Ford
e26afe91b5 move rb/hardcoded-credential alert location to the source 2021-06-07 14:53:04 +01:00
Alex Ford
5d79a8cec0 account for keyword args in rb/hardcoded-credentials and simplify query 2021-06-07 14:49:49 +01:00
Alex Ford
8a3ffb6dca add missing toString 2021-06-04 13:25:03 +01:00
Alex Ford
b2d36babc4 report rb/weak-file-permission alerts at source rather than sink and improve alert message 2021-06-04 13:10:18 +01:00
Alex Ford
fdd4f7f616 attempt to use typetracker in rb/hardcoded-credentials 2021-06-01 12:22:04 +01:00
Alex Ford
f1303e0ced remove WIP files 2021-06-01 12:22:04 +01:00
Alex Ford
4fdd072603 WIP: HardcodedCredentials query 2021-06-01 12:22:04 +01:00
Alex Ford
3c0f20cec8 Merge pull request #170 from github/weak-file-permissions 
Add `rb/overly-permissive-file` query
 2021-05-14 17:04:15 +01:00
Alex Ford
6bd2e4e4b7 Merge pull request #175 from github/loc-summary-queries-1 
Summary queries for total LOC and user-code LOC
 2021-05-14 15:51:45 +01:00
Alex Ford
49d9bb798c revamp the diagnostics tests 2021-05-11 19:53:00 +01:00
Alex Ford
d1d8cff915 tests for some more diagnostics queries 2021-05-11 19:14:22 +01:00
Alex Ford
de497dd1ba tests for NumberOfFiles* summary queries 2021-05-11 19:14:22 +01:00