1607 Commits

Author	SHA1	Message	Date
erik-krogh	860c3c443c	update expected output of the queries (some sorting changed due to locations being used slightly differently in the shared pack)	2022-11-07 14:34:20 +01:00
Asger F	edc5d8d644	Ruby: update test output	2022-11-07 14:17:50 +01:00
Asger F	a213e9e55d	Merge pull request #1 from hvitved/rb/data-flow-layer-capture2 ... Ruby: Make sure to always generate SSA definitions for namespace self-variables	2022-11-07 14:12:48 +01:00
Asger F	f991991474	Ruby: fix incomplete renaming of getCanonicalEnclosing/Nested module	2022-11-07 14:04:10 +01:00
Tom Hvitved	2737255705	Ruby: Make sure to always generate SSA definitions for namespace self-variables	2022-11-07 14:02:09 +01:00
Asger F	a39cefe40f	Ruby: fix broken test	2022-11-07 14:01:11 +01:00
Arthur Baars	98f4c29913	Ruby: weak crypto: do not report weak hash algorithms ... Weak hash algorithms such as MD5 and SHA1 are often used in non security sensitive contexts and reporting all uses is far too noisy.	2022-11-04 15:58:50 +01:00
erik-krogh	f3741ff1e4	changes based on review	2022-11-03 09:41:05 +01:00
Dave Bartolomeo	499f20f6e8	Merge pull request #11004 from dbartol/dbartol/use-workspace-versions	2022-11-02 20:02:48 -04:00
Tom Hvitved	46631d6eaf	Merge pull request #10931 from hvitved/ruby/fix-flow-into-phis ... Ruby: Fix flow steps into phi nodes	2022-11-02 21:07:06 +01:00
erik-krogh	6bc12e8f2b	Merge branch 'main' into formatTaint	2022-11-02 13:39:30 +01:00
Dave Bartolomeo	9d5e5e3ee7	${workspace} all the things	2022-11-01 13:29:05 -04:00
Tom Hvitved	ee9163aa40	Ruby: Fix flow steps into phi nodes ... - Add missing flow from post-update nodes into phi nodes. - Prevent flow from reads into phi nodes when use-use flow is prohibited.	2022-11-01 16:33:06 +01:00
Tom Hvitved	a191edfbd5	Ruby: Add data flow tests that illustrate problems with flow into SSA phi nodes	2022-11-01 16:32:46 +01:00
Tom Hvitved	e8f9429b92	Merge pull request #10917 from hvitved/ruby/singleton-call-sensitivity ... Ruby: Call-context sensitivity for singleton method calls	2022-11-01 14:13:26 +01:00
Arthur Baars	aba87a139d	Merge pull request #10668 from aibaars/ruby-deps ... Ruby: update dependencies	2022-11-01 13:55:42 +01:00
erik-krogh	84a7fddd95	remove explicit versions in lock files, as the dependencies are all installed locally	2022-11-01 09:09:26 +01:00
Asger F	056b1e8d63	Ruby: add some basic tests	2022-10-31 14:05:11 +01:00
Asger F	9be2512050	Ruby: rename one of the PostsController2 classes ... These had the same name and ended up being unified	2022-10-31 13:33:41 +01:00
Asger F	b4b34cc994	Ruby: port part of ActionController model	2022-10-31 13:33:41 +01:00
Asger F	9f59b6b439	Update type-tracking test	2022-10-31 13:33:41 +01:00
Asger F	0a8f39fe96	Ruby: recover some incomplete capture flow	2022-10-31 13:33:41 +01:00
Asger F	b29ac5249e	Ruby: add type-tracking inline test in global flow test	2022-10-31 13:33:41 +01:00
Asger F	4ed61c13f8	Ruby: add some captured-variable flow tests	2022-10-31 13:33:41 +01:00
Harry Maclean	fd61a5253d	Ruby: Recognise try/try! as code executions	2022-10-31 11:53:22 +13:00
Harry Maclean	3f403f0f87	Merge pull request #10700 from hmac/activesupport ... Ruby: Model some ActiveSupport methods	2022-10-31 11:50:44 +13:00
Asger F	436cc60138	Ruby: update some uses of getConstantValue()	2022-10-28 15:16:14 +02:00
Rasmus Wriedt Larsen	8628ff5e52	Merge pull request #10999 from RasmusWL/inline-fail-tag ... InlineExpectationsTest: Fail if missing `getARelevantTag`	2022-10-28 10:35:49 +02:00
Erik Krogh Kristensen	93fb2930c8	Merge pull request #10968 from erik-krogh/fixRbCode ... RB: fix rb/code-injection	2022-10-28 09:14:14 +02:00
Harry Maclean	5e781f24b6	Ruby: Remove duplicate test ... This is already tested in hash-flow.	2022-10-28 11:31:55 +13:00
Harry Maclean	4ec527a9ea	Ruby: Explain difference between flow tests ... The type-tracking flow tests document the difference in sensitivity between type-tracking and dataflow, so failures in that test are expected.	2022-10-28 11:31:55 +13:00
Harry Maclean	6e8446b6ae	Fix tests	2022-10-28 11:31:55 +13:00
Harry Maclean	71d703f2a5	Ruby: Add ActiveSupport extensions	2022-10-28 11:31:55 +13:00
Harry Maclean	cb37a0e835	Ruby: Add summaries for Hash#deep_merge(!)	2022-10-28 11:31:55 +13:00
Harry Maclean	3dea1d6a60	Ruby: Add flow summary for Hash#except!	2022-10-28 11:31:55 +13:00
Harry Maclean	0454642220	Ruby: Model deep_dup and presence	2022-10-28 11:31:55 +13:00
Harry Maclean	9f260853ac	Ruby: Model more ActiveSupport string extensions	2022-10-28 11:31:55 +13:00
Harry Maclean	b389d50943	Ruby: Identify safe_constantize	2022-10-28 11:31:54 +13:00
Rasmus Wriedt Larsen	adf109b624	Merge branch 'main' into inline-fail-tag	2022-10-27 13:42:32 +02:00
Rasmus Wriedt Larsen	6d43db43dd	Ruby: Fix tag missing from getARelevantTag	2022-10-27 09:12:06 +02:00
Rasmus Wriedt Larsen	fc7eb5b4fc	InlineExpectationsTest: sync	2022-10-27 09:02:28 +02:00
Rasmus Wriedt Larsen	5e9897d150	InlineExpectationsTest: sync	2022-10-26 18:21:13 +02:00
thiggy1342	9c1fbfd330	Merge branch 'main' into expand-ruby-ssrf-sinks-faraday-connection-new	2022-10-25 13:09:17 -04:00
erik-krogh	e8dce25cc2	fix rb/code-injection	2022-10-25 14:44:23 +02:00
Erik Krogh Kristensen	ef5132b0ae	Merge pull request #10883 from erik-krogh/codeSink ... RB: don't flag code-injection for dynamic loading where an attacker only controls a substring	2022-10-24 18:59:36 +02:00
thiggy1342	952ad6ea46	Merge branch 'main' into expand-ruby-ssrf-sinks-faraday-connection-new	2022-10-24 09:52:24 -04:00
Erik Krogh Kristensen	5ff98cd80e	Merge pull request #10888 from erik-krogh/glob ... Ruby: add model for Dir.glob and other Dir methods	2022-10-24 14:17:37 +02:00
Asger F	bcfe4ece6f	Merge pull request #10918 from asgerf/rb/constant-compound-assignment ... Ruby: handle compound constant-assignment	2022-10-24 14:07:28 +02:00
Asger F	cac2e2e2e4	Merge pull request #10928 from asgerf/rb/assumed-global-const ... Ruby: assume some global constants are defined	2022-10-24 14:06:34 +02:00
erik-krogh	85cd7f9121	add model for Dir.glob and other Dir methods	2022-10-24 12:05:26 +02:00