hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-12 02:24:00 +02:00
Code Issues Packages Projects Releases Wiki Activity
1,451 Commits 1,740 Branches 164 Tags
5df728dd7d121c7f75704dba7bc499b33bb95dfd
Commit Graph

453 Commits

Author SHA1 Message Date
Arthur Baars
bf3d291a1c Updates after codeql file sync 2021-10-13 13:24:20 +02:00
Arthur Baars
80ac05d5c6 Bump codeql submodule to 'main' 2021-10-13 13:24:08 +02:00
Arthur Baars
287046e9b0 Merge pull request #346 from github/erik-krogh/fix-primary-class-typo 
fix typo for getAPrimaryQlClass
 2021-10-13 12:53:51 +02:00
Nick Rolfe
1c5dcecf1e Update expected output to match getAPrimaryQlClass change 2021-10-13 12:39:13 +02:00
Arthur Baars
80ebfed226 Merge pull request #336 from github/improve-getTemplateFile 
Improve `RenderCall#getTemplateFile` performance and accuracy
 2021-10-12 20:21:12 +02:00
Arthur Baars
06e91c1182 Merge pull request #322 from github/request-without-validation 
rb/request-without-cert-validation
 2021-10-12 20:19:11 +02:00
Arthur Baars
398ed4c0c9 Merge pull request #338 from github/aibaars/update-grammar 
Update tree-sitter-ruby
 2021-10-12 18:39:34 +02:00
Arthur Baars
bb5da92577 Update src/unsupported_feature.rb with a feature that is still unsupported 2021-10-12 18:11:00 +02:00
Arthur Baars
0dc3ea5ed1 Add test-cases for forward arguments and endless methods 2021-10-12 17:32:01 +02:00
Nick Rolfe
ecc9f07c50 Merge pull request #311 from github/nickrolfe/oj 
Consider Oj.load a sink for unsafe deserialization
 2021-10-12 16:17:08 +01:00
Alex Ford
48f3d48a11 add some test cases for checking against spurious flow into ERB templates 2021-10-12 10:37:22 +01:00
Nick Rolfe
eafe22ef93 Merge remote-tracking branch 'origin/main' into nickrolfe/oj 2021-10-07 16:40:36 +01:00
Alex Ford
de01770612 update test output 2021-10-07 15:50:35 +01:00
Alex Ford
168e67dd6d deduplicate string constantQualifiedName(ConstantWriteAccess) as string ConstantWriteAccess#getQualifiedName 2021-10-07 15:30:36 +01:00
Alex Ford
be018cc97f update ActionController tests 2021-10-07 15:30:36 +01:00
Alex Ford
8f81eaa79c format 2021-10-07 15:30:36 +01:00
Alex Ford
6a32c0cde0 update XSS tests 2021-10-07 15:30:36 +01:00
Alex Ford
f6dd6bb00c expand ActiveRecord modelling to cover how to access fields 2021-10-07 15:30:36 +01:00
Alex Ford
a2084f813e rb/stored-xss structure and initial implementation (FileSystemReadAccess sources) 2021-10-07 15:30:36 +01:00
Nick Rolfe
253064144b Tweak alert wording. 
This reflects the fact that the query finds results where validation is
only disabled under certain conditions.
 2021-10-07 12:06:53 +01:00
Tom Hvitved
1c08592637 Merge pull request #329 from github/hvitved/dataflow/synth-return 
Data flow: Add a synthetic return node
 2021-10-07 13:06:39 +02:00
Tom Hvitved
c540615223 HardcodedCredentials: Add test for default parameter values 2021-10-07 11:57:57 +02:00
Tom Hvitved
fdf1cd38fd Data flow: Add a synthetic return node 2021-10-06 15:21:43 +02:00
Nick Rolfe
1ce458fa33 Add query to find HTTP requests that disable SSL validation 2021-10-06 14:06:09 +01:00
Harry Maclean
c50a6c180f Merge pull request #318 from github/hmac-open-query 
Add a query for uses of `Kernel.open` and `IO.read`
 2021-10-06 10:05:43 +01:00
Tom Hvitved
1d1215923c Merge pull request #323 from github/hvitved/get-value-text 
Introduce `Expr::getValueText`
 2021-10-05 14:26:25 +02:00
Harry Maclean
6f293c7a5e Add a query for uses of Kernel.open and IO.read 2021-10-05 11:13:58 +01:00
Harry Maclean
e419fc9599 Make Code execution query more specific 
Only the first argument to eval, instance_eval, send, class_send and
module_send is interpreted as Ruby code.
 2021-10-05 10:28:34 +01:00
Arthur Baars
2f462771bb Merge pull request #286 from github/aibaars/xxe 
XXE query
 2021-10-01 16:14:41 +02:00
Arthur Baars
c78d02d00d Fix module of Parser::Options 2021-10-01 11:18:03 +02:00
Arthur Baars
b06bb7a789 Improve test cases 
Set NONET (2048) by default.
 2021-10-01 11:16:56 +02:00
Tom Hvitved
08225181c8 Introduce Expr::getValueText 2021-10-01 11:03:46 +02:00
Harry Maclean
8c0c08e887 Identify more instance of code injection 
`class_eval` and `module_eval` both take a string as argument and
execute it as Ruby code.
 2021-09-30 14:19:24 +01:00
Harry Maclean
7f103b9450 Merge pull request #319 from github/hmac-activerecord-updates 
Add some more vulnerable ActiveRecord methods
 2021-09-30 12:09:09 +01:00
Arthur Baars
089f9d87d4 Address comments 2021-09-30 11:20:23 +02:00
Arthur Baars
2b077595ae Also track DTDLOAD and NONET 2021-09-30 11:20:23 +02:00
Arthur Baars
4268d9c565 XXE query 2021-09-30 11:20:17 +02:00
Harry Maclean
7191e1c007 Re-add delete_all and destroy_all methods 
These methods don't take any arguments in Rails versions > 3, but
there's no harm in checking for them anyway, and some people might be
using very old Rails versions.
 2021-09-30 09:39:58 +01:00
Harry Maclean
75bbc51e73 Make room for new test cases 
This just bumps the other code down a bit so that the .expected diff is
easier to read.
 2021-09-30 09:33:39 +01:00
Harry Maclean
0ea228e86f Merge pull request #315 from github/hmac-outgoing-http 
Model more HTTP clients
 2021-09-29 14:26:56 +01:00
Harry Maclean
a9c00a05fe HTTP -> Http 
Change the capitalisation of HTTP to Http, to conform to the QL style
guide.

Leave the HTTP module in Concepts alone, so it remains consistent with
the Concepts in other language libraries.
 2021-09-29 13:50:05 +01:00
Harry Maclean
f5f79a81bc Update ActionController fixture 2021-09-29 12:51:26 +01:00
Harry Maclean
615beeec80 Identify more vulnerable ActiveRecord methods 
This change identifies the following patterns:

- `Model.select(input)`
- `Model.reselect(input)`
- `Model.rewhere(input)`
- `Model.update_all(input)`
- `model.reload(lock: input)`
 2021-09-29 11:47:07 +01:00
Harry Maclean
270d13e4ac Identify more vulnerable ActiveRecord methods 
`find_by!`, `find_or_create_by`, `find_or_create_by!` and
`find_or_initialize_by` act similarly to `find_by`.
 2021-09-29 10:49:14 +01:00
Harry Maclean
56919eee0b delete/destroy_all -> delete/destroy_by 
The ActiveRecord `delete_all` and `destroy_all` methods do not take a
condition argument - they act on the scope of their receiver.

The `delete_by` and `destroy_by` methods do take an argument which can
be raw SQL, and are therefore vulnerable to SQL injection.

For more info:

https://api.rubyonrails.org/v6.1.4/classes/ActiveRecord/Relation.html#method-i-delete_all
https://api.rubyonrails.org/v6.1.4/classes/ActiveRecord/Relation.html#method-i-delete_by
 2021-09-29 10:45:54 +01:00
Harry Maclean
3a1b294c21 Identify more ActiveRecord calculate methods 
`average`, `count`, `maximum`, `minimum` and `sum` are all convenience
methods that call `calculate(:<method name>, ...)` under the hood.
Therefore they are vulnerable to SQL injection too.
 2021-09-29 10:11:38 +01:00
Harry Maclean
6d7a04a222 Move Files test to its own folder 
This prevents it picking up fixtures from other tests.
 2021-09-28 10:06:53 +01:00
Harry Maclean
b34fcc65d1 Model the Typhoeus http client 2021-09-28 10:06:53 +01:00
Harry Maclean
b5dec5e8cf Model the OpenURI http client 2021-09-28 10:06:53 +01:00
Tom Hvitved
5219b1a8b9 Merge pull request #310 from github/hvitved/more-instanceof 
More uses of `instanceof` in the external/internal AST layer
 2021-09-27 16:11:04 +02:00