Harry Maclean
80ae017aa1
Ruby: Track flow into ActiveRecord scopes
2024-03-18 15:01:37 +00:00
Harry Maclean
dd5eb982ec
Merge pull request #15524 from hmac/hmac-process-spawn
...
Ruby: Add some more command injection sinks
2024-03-13 09:53:10 +00:00
Joe Farebrother
dbd33d1cf0
Model Argument[1] of ActiveRecord from
2024-03-08 14:04:01 +00:00
Joe Farebrother
0b7b7ea1b8
Add test cases and improve controller model
2024-03-01 09:57:24 +00:00
Tom Hvitved
914a605a87
Ruby: Rework hidden synthetic data-flow nodes
2024-02-27 15:33:58 +01:00
Joe Farebrother
3ab6f222d0
Merge pull request #15718 from joefarebrother/ruby-arel-sqlliteral
...
Ruby: Model Arel::Nodes::SqlLiteral.new
2024-02-27 12:43:47 +00:00
amammad
32f5667bb6
revert YAML.qll and yaml sinks to previous PR, make a separate experimental query only for yaml
2024-02-26 12:12:03 +00:00
amammad
c582ea626d
update expected test file
2024-02-26 12:10:04 +00:00
amammad
9c5c8c8362
fix test file
2024-02-26 12:05:35 +00:00
amammad
464e2e4291
fix qldoc and test files
2024-02-26 12:04:52 +00:00
amammad
1410574f76
make seperate steps for YAML.parse* and use getAsuccessor*() to reach final to_ruby method call, All parts have Rewritten with API graphs exclusively
2024-02-26 11:59:35 +00:00
Harry Maclean
8bed3fbed4
Ruby: Add basic model for Terrapin library
2024-02-26 11:32:41 +00:00
Joe Farebrother
2257df5c6f
Model Arel::Nodes::SqlLiteral.new
2024-02-26 10:09:33 +00:00
Joe Farebrother
1f409b0456
Merge pull request #15671 from joefarebrother/ruby-activerecord-extra-args
...
Ruby: Consider additional arguments to certain `ActiveRecord` methods as sql injection sinks.
2024-02-22 14:01:56 +00:00
Joe Farebrother
10da4d14d9
Add addtional arguments as sinks to certain methods
2024-02-20 16:35:29 +00:00
Harry Maclean
5af58d24e0
Ruby: Recognise raw Erb output as XSS sink
2024-02-12 13:28:44 +00:00
Anders Schack-Mulligen
35a3aa0a09
Ruby: Add empty provenance column to expected files.
2024-02-09 11:32:08 +01:00
Peter Stöckli
1947dee46a
Merge branch 'main' into p--oj-ox-unsafe-deser
2024-01-30 15:33:39 +01:00
Harry Maclean
d630773575
Merge pull request #14627 from alexrford/rb/update_all_sink
...
Ruby: refine `ActiveRecord` `update_all` as an SQL sink
2023-12-04 13:02:14 +00:00
Alex Ford
8db23dc775
Ruby: refine ActiveRecord update_all as an SQL sink
2023-10-30 09:47:16 +00:00
Alex Ford
013e7aae97
Ruby: test whitespace changes
2023-10-30 09:32:44 +00:00
Max Schaefer
104700f6d3
Address review comment.
2023-10-27 10:19:28 +01:00
Max Schaefer
f42bd28ca9
Port changes to Ruby.
2023-10-26 15:06:45 +01:00
Peter Stöckli
09cf76a880
Ruby: additional unsafe deserialization sinks for ox, oj
2023-10-19 14:04:48 +02:00
Harry Maclean
1297acf5b1
Merge pull request #14216 from hmac/hmac-graphql-enum
...
Ruby: Restrict GraphQL remote flow sources
2023-10-13 11:31:50 +01:00
Harry Maclean
5411123b8a
Ruby: Fix GraphQL test
2023-09-14 14:14:26 +01:00
Tom Hvitved
e258324960
Ruby: Allow for implicit array reads at all sinks during taint tracking
2023-09-14 09:40:05 +02:00
Alex Ford
79c305c1a1
Merge pull request #14124 from alexrford/rb/dataflow-query-refactor
...
Ruby: Use the new dataflow API for checked in queries
2023-09-13 14:24:47 +01:00
Alex Ford
5b013dd5d2
Merge branch 'main' into rb/dataflow-query-refactor
2023-09-07 14:57:38 +01:00
Tom Hvitved
48e2dcfa35
Ruby: Reimplement flow through captured variables using field flow
2023-09-06 11:00:55 +02:00
Alex Ford
cdc788b162
Ruby: configsig rb/hardcoded-credentials
2023-09-03 17:20:06 +01:00
Alex Ford
42cd58695d
Ruby: configsig rb/url-redirection
2023-09-03 17:20:05 +01:00
Alex Ford
593d9a48d4
Ruby: configsig rb/reflected-xss
2023-09-03 17:20:05 +01:00
Alex Ford
a8ad0d8ff5
Ruby: renames for rb/insecure-download
2023-09-03 17:20:04 +01:00
Tom Hvitved
7e77c77d92
Ruby: Update expected test output
2023-08-30 13:33:48 +02:00
Harry Maclean
d18ca3f5d7
Ruby: Fix bug in excon model
...
If a codebase included a definition for `Excon.new`, we matched
connection nodes to unrelated request nodes.
2023-08-23 12:55:36 +01:00
erik-krogh
92db7b047c
escape unicode chars in the output for the ReDoS queries
2023-08-08 00:15:54 +02:00
Anders Schack-Mulligen
ae24d68b5d
C/C++/C#/Java/Python/Ruby/Swift: Adjust expected output.
2023-07-19 11:41:15 +02:00
Asger F
86b5f0adc7
Revert "Merge pull request #13620 from github/revert-13496-rb/tracking-on-demand"
...
This reverts commit 133de56ac228a8e48351
2023-07-07 09:42:34 +02:00
Asger F
5d1a437e9c
Revert "Ruby: overhaul API graphs"
2023-06-29 15:39:19 +02:00
Asger F
0039cb141e
Merge branch 'main' into rb/tracking-on-demand
2023-06-23 12:55:54 +02:00
Asger F
f392af220b
Ruby: benign changes to SQLi tests (fixed FNs)
2023-06-19 12:15:57 +02:00
Asger F
ce0073b30c
Ruby: update StoredXSS test results
...
These results were previously flagged for the wrong reason.
Calls to a user-define method were seen as ORM calls. The real source is inside the user-defined method, but we miss that due to lack of 'self' handling in ORM tracking.
2023-06-19 12:15:57 +02:00
Jeroen Ketema
d82c3ce11a
Ruby: Rewrite InlineFlowTest as a parameterized module
2023-06-15 10:52:23 +02:00
Jeroen Ketema
c3ba206b6a
Merge pull request #13346 from jketema/inline-2
...
Update inline expectation tests to use parameterized module
2023-06-13 10:10:55 +02:00
Jeroen Ketema
4485560f43
Ruby: Rewrite inline expectation tests to use parameterized module
2023-06-09 10:43:05 +02:00
Arthur Baars
7324d1705e
Merge branch 'main' into amammad-ruby-YAMLunsafeLoad
2023-06-06 12:09:06 +02:00
Erik Krogh Kristensen
219ec9d05d
Merge pull request #13127 from erik-krogh/polReDoS
...
ReDoS: revert new superlinear algorithm.
2023-06-02 16:10:24 +02:00
Harry Maclean
b8c3cba4ff
Ruby: Consolidate unsafe deserialization queries
...
Merge the experimental YAMLUnsafeDeserialization and
PlistUnsafeDeserialization queries into the generate
UnsafeDeserialization query in the default suite.
These queries look for some specific sinks that we now find in the
general query.
Also apply some small code and comment refactors.
2023-05-27 01:20:04 +00:00
Maiky
8dca585207
Expected
2023-05-23 20:04:34 +02:00
