hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-11 04:31:05 +01:00
Code Issues Packages Projects Releases Wiki Activity
50,260 Commits 1,690 Branches 160 Tags
655aa700bc25636bd8a334bcb8c19ccc9a09fcff
Commit Graph

2175 Commits

Author SHA1 Message Date
Arthur Baars
88b5d4da16 Ruby: extend may have multiple arguments 2022-10-04 12:58:50 +02:00
Arthur Baars
ab3a62de3c Update ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll 2022-10-04 12:58:50 +02:00
Tom Hvitved
6e61ef10b8 Ruby: Add another dataflow copy 2022-10-04 12:58:50 +02:00
Tom Hvitved
9d7d6c29f9 Review comments 2022-10-04 12:58:50 +02:00
Arthur Baars
44cc6f7350 Ruby: improve tracking of regular expressions 
There are two flavours of `match?`. If the receiver of `match?` has type String
then the argument to `match?` is a regular expression. However, if the receiver of
`match?` has type Regexp then the argument is the text.

The role of receiver and argument flips depending on the type of the receiver, this
caused a lot of false positives when looking for string-like literals that are
used as a regular expression.

This commit attempts to improve things by trying to determine whether the type of the
receiver is known to be of type Regexp. In such cases we know that the argument
is unlikely to be  regular expression.
 2022-10-04 12:58:49 +02:00
Arthur Baars
0160c374e4 Ruby: add flow summaries for Object#dup and Kernel#tap 2022-10-04 12:58:49 +02:00
Arthur Baars
5d55daa491 Ruby: use resolveConstantReadAccess instead of trackModuleAccess for 'extend' calls 
This avoids non-linear recursion at the cost of losing some results.
 2022-10-04 12:58:49 +02:00
Arthur Baars
c2b98a4761 Ruby: add support for 'extend' method 2022-10-04 12:58:49 +02:00
Arthur Baars
09bc78eafc Ruby: local dataflow step for || and && 2022-10-04 12:58:49 +02:00
Arthur Baars
e95b5468d9 Ruby: use Dataflow for Pathname instead of TypeTracking 2022-10-04 12:58:49 +02:00
Arthur Baars
f9b952f04f Ruby: Pathname use TypeTracker instead of local flow 2022-10-04 12:58:49 +02:00
Nick Rolfe
dd1b302fce Ruby: revert making inActionViewContext private 2022-10-04 11:29:09 +01:00
Nick Rolfe
a738f1d5cf Ruby: remove public abstract classes for Action{View,Controller} 2022-10-04 10:53:41 +01:00
Asger F
b6231e82ec Ruby: do not treat WithoutElement[0..!] as a type filter 2022-10-04 11:14:31 +02:00
Asger F
3ccc3a2058 Ruby: move special treatment of Hash.[] into Hash.qll 2022-10-04 11:14:31 +02:00
Asger F
94d41b9fa4 Ruby: add hook for adding type-tracking steps 
fixup docs

fixup docs

fixup TypeTrackingStep
 2022-10-04 11:14:31 +02:00
Asger F
96711b2810 Ruby: improve join order in trackInstanceRec 2022-10-04 11:14:31 +02:00
Asger F
c220f4e103 Ruby: prune unusable summaries earlier 
Ruby: prune more aggressively
 2022-10-04 11:14:30 +02:00
Asger F
ff4ce4a151 Ruby: use Element[n..] tokens in inject and reduce 2022-10-04 11:14:30 +02:00
Asger F
fd9c1e4507 Ruby: filter out obvious module 'prepend' calls 2022-10-04 11:14:30 +02:00
Asger F
9302271c15 Ruby: Hack special-casing of hash literals 2022-10-04 11:14:30 +02:00
Asger F
bd11946aec Ruby: support WithoutContent steps in restricted cases 
fixup ContentFilter

fixup basicWith(out)contentstep
 2022-10-04 11:14:28 +02:00
Asger F
323abf45ca Ruby: Speed up evaluateSummaryComponentStackLocal 2022-10-04 11:12:09 +02:00
Asger F
a7d764d2a7 Ruby: Improve join order when generating edges 2022-10-04 11:12:09 +02:00
Asger F
8c43ab627f Ruby: go to local source in load-store steps 2022-10-04 11:11:50 +02:00
Asger F
8b389fe5f9 Ruby: use getACallSimple in more Hash methods 2022-10-04 11:08:46 +02:00
Asger F
74c3886167 Ruby: use getACallSimple in more Array methods 2022-10-04 11:08:46 +02:00
Asger F
5b2d8b0894 Ruby: make Array.each a simple summary 2022-10-04 11:08:46 +02:00
Asger F
fbab0f50f2 Ruby: Evaluate longer summary component stacks 2022-10-04 11:08:46 +02:00
Asger F
0000a7d429 Ruby: Summarize load-store steps in type-tracking 
fixup to LoadStore
 2022-10-04 11:08:44 +02:00
Asger F
a4d4e406c6 Ruby: Summarize level steps in type tracking 2022-10-04 11:06:44 +02:00
Tom Hvitved
12536578d4 Merge pull request #10664 from hvitved/type-tracking-more-caching 
Ruby/Python: Cache more type tracking predicates
 2022-10-04 10:58:41 +02:00
Harry Maclean
42a97b26bb Merge pull request #10316 from hmac/hmac/actionview 
Ruby: Model ActionView
 2022-10-04 08:16:16 +13:00
Tom Hvitved
bc3e9339dc Ruby: Cache more type tracking predicates 2022-10-03 20:29:17 +02:00
Tom Hvitved
d52d3d7b75 Merge pull request #10644 from hvitved/ruby/prevent-reevaluation 
Ruby: Prevent reevaluation of expensive predicates
 2022-10-03 13:10:39 +02:00
Asger F
47e5623b90 Merge pull request #10639 from hvitved/ruby/dataflow/known-element-no-floats-complexs 
Ruby: Do not attempt to track precise hash indices for floats and complex numbers
 2022-10-03 09:23:33 +02:00
Harry Maclean
e48665ad9f Fix doc 2022-10-03 14:13:12 +13:00
Harry Maclean
236b628ee2 Ruby: Constrain parameters flow properly 2022-10-03 14:06:06 +13:00
Harry Maclean
32baf67b07 Fix change note month 2022-10-03 09:46:01 +13:00
Harry Maclean
5c20039e09 Ruby: Slightly improve class name 2022-10-03 09:46:01 +13:00
Harry Maclean
fa1ae26fab Add change note 2022-10-03 09:46:01 +13:00
Harry Maclean
a5998fbe4d Ruby: Model ActionController::Parameters 
Add flow summaries for methods on ActionController::Parameters,
which mostly propagate taint from receiver to return value.
 2022-10-03 09:45:59 +13:00
Harry Maclean
ba83b7c6c7 Merge pull request #10599 from hmac/hmac/actioncontroller-datastreaming 
Ruby: Model send_file
 2022-10-03 09:44:05 +13:00
Alex Ford
5c32c8badf Merge pull request #10560 from alexrford/ruby/yaml-load_file 
Ruby: treat `Psych` and `YAML` as aliases for rb/unsafe-deserialization
 2022-10-02 20:19:10 +01:00
Tom Hvitved
292bc67125 Merge pull request #10620 from hvitved/ruby/call-graph-protected-methods 
Ruby: Account for `protected` methods in call graph
 2022-09-30 19:31:36 +02:00
Tom Hvitved
32d002ed60 Merge pull request #10627 from hvitved/ruby/synthesis-reduce-non-linear-rec 
Ruby: Reduce size of input predicate for non-linear recursion
 2022-09-30 15:36:21 +02:00
Tom Hvitved
3ec43dbd16 Ruby: Do not attempt to track precise hash indices for floats and complex numbers 2022-09-30 14:57:50 +02:00
Tom Hvitved
e5d884a905 Ruby: Cache predicates in ApiGraphModels::ModelOutput 2022-09-30 14:56:55 +02:00
Tom Hvitved
299339f817 Ruby: Expose relevant predicates from internal/Module.qll and make sure they are cached 2022-09-30 14:56:55 +02:00
Asger F
6e1914ad01 Merge pull request #10375 from asgerf/rb/summarize-loads-v2 
Ruby: type-tracking and API edges through simple library callables
 2022-09-30 14:25:17 +02:00