hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-30 23:02:56 +01:00
Code Issues Packages Projects Releases Wiki Activity
32,227 Commits 1,684 Branches 159 Tags
66fd43fc3bfff8278289adeeafbfce13f46a8b40
Commit Graph

525 Commits

Author SHA1 Message Date
Harry Maclean
ab7fd89653 Merge pull request #7663 from github/hmac/api-graph-subclass 
Ruby: Add basic subclassing support to API Graphs
 2022-02-04 10:19:07 +13:00
Harry Maclean
e328c6222a Merge pull request #7797 from github/hmac/pin-rust 
Ruby: Pin Rust to 1.54
 2022-02-04 10:18:46 +13:00
Harry Maclean
912842623d Simplify cache key 2022-02-04 07:41:29 +13:00
Tom Hvitved
6bb71f051b Merge pull request #7791 from hvitved/dataflow/inline-local-flow-star 
Data flow: Inline `local(Expr|Instruction)?(Flow|Taint)`
 2022-02-03 09:02:43 +01:00
Harry Maclean
704b58519f Ruby: Include subclasses in more API calls 
Change the behaviour of `API::getInstance()` and `API::getReturn()` to
include results on subclasses of the current API node.
 2022-02-03 11:35:59 +13:00
Arthur Baars
3b05cb621c Address comment 2022-02-02 14:11:45 +01:00
Arthur Baars
fdcef6225b Ruby: fix QL warnings 2022-02-02 13:29:09 +01:00
Tom Hvitved
712418e5f8 Merge pull request #7781 from hvitved/dataflow/summary-stack-bottom-less-nonlinear 
Data flow: Reduce non-linear recursion in `SummaryComponentStack::bottom`
 2022-02-02 10:35:53 +01:00
Harry Maclean
ce0354acb3 Include rust-toolchain.toml in Ruby cache keys 
This ensures that if we change our Rust version, the caches will be
invalidated.
 2022-02-02 08:08:11 +13:00
Harry Maclean
9c32ab7122 rust-toolchain -> rust-toolchain.toml 2022-02-02 08:05:46 +13:00
Harry Maclean
613ecbb418 Ruby: Pin Rust to 1.54 
Add a rust-toolchain file to the Ruby directory, which instructs Rustup
to install a specific version of Rust (1.54). This will be used in CI,
so any use of language features or dependencies that don't support 1.54
will result in a CI failure.

This should ensure we have a documented minimum supported rust version
and an easy to way to update it in the future (update the rust-toolchain
file).
 2022-02-02 08:05:46 +13:00
Harry Maclean
fb00a6c61b Merge pull request #7666 from github/hmac/file-open-access 
Ruby: Add File.open as a FileSystemAccess
 2022-02-02 07:32:16 +13:00
Arthur Baars
6451a71a78 Ruby: use ruby specific cache key 2022-02-01 15:18:09 +01:00
Nick Rolfe
990e07b986 Ruby/C#: add semmle.order attribute to edges in CFG tests 2022-01-31 20:08:24 +00:00
Tom Hvitved
f2352d8272 Data flow: Inline local(Expr|Instruction)?(Flow|Taint) 
Computing a full transitive closure is often bad; by inlining all calls we are
providing more context to the QL optimizer.
 2022-01-31 14:33:41 +01:00
Tom Hvitved
682163962a Data flow: Sync files 2022-01-28 13:01:24 +01:00
Nick Rolfe
588e60e230 Merge pull request #7775 from github/nickrolfe/graph_test_ordering 
Ruby/C#: more stable graph test ordering
 2022-01-28 11:16:02 +00:00
Harry Maclean
b01f81aab3 Use modified getAPath predicate for test 2022-01-28 19:45:52 +13:00
Harry Maclean
a1b0f02e6e Ruby: Introduce API::getAnImmediateSubclass() 
class A; end
    class B < A; end
    class C < B; end

In the example above, `getMember("A").getAnImmediateSubclass()` will
select only uses of B, whereas `getMember("A").getASubclass()` will
select uses of A, B and C. This is usually the behaviour you want.
 2022-01-28 16:44:03 +13:00
Dave Bartolomeo
cca74e925f Merge pull request #7724 from github/aeisenberg/examples-groups 
Add new groups for examples packs
 2022-01-27 12:11:26 -05:00
Nick Rolfe
6f06263d49 Ruby: add more properties for ordering nodes in graph tests 2022-01-27 13:57:43 +00:00
Tom Hvitved
280023c45a Address review comments 2022-01-27 09:44:41 +01:00
Andrew Eisenberg
a7f755cf12 Add new groups for examples packs 
Also, remove version numbers. Will make it easier to avoid publishing
the examples packs.
 2022-01-26 14:49:18 -08:00
Tom Hvitved
dd27ed8392 Ruby: Desugar hash literals 
```rb
{ a: 1, **splat, b: 2 }
```

becomes

```rb
::Hash.[](a: 1, **splat, b: 2)
```
 2022-01-26 13:53:18 +01:00
Tom Hvitved
39436828de Ruby: Add internal/Literal.qll for internal implementation details 2022-01-26 13:48:26 +01:00
Arthur Baars
948ebe4b4c Merge pull request #7568 from aibaars/ruby-pattern-matching-taint 
Ruby: taint steps for pattern matches
 2022-01-26 10:27:47 +01:00
Tom Hvitved
28e03a8aae Merge pull request #7738 from hvitved/ruby/action-controller-perf 
Ruby: Fix bad join in `ActionControllerHelperMethod`
 2022-01-26 09:48:21 +01:00
Tom Hvitved
2c27a07ead Merge pull request #7726 from hvitved/ruby/any-array-element-content 
Ruby: Introduce `TAnyArrayElementContent`
 2022-01-26 09:48:01 +01:00
Arthur Baars
941f230c94 Merge pull request #7729 from github/hmac/bump-clap 
Ruby extractor: bump clap
 2022-01-26 08:12:47 +01:00
Edoardo Pirovano
1b539eb4dc Merge branch rc/3.4 into main 2022-01-25 16:22:01 +00:00
Tom Hvitved
49488fa0a0 Ruby: Fix bad join in ActionControllerHelperMethod 
```
[2022-01-25 12:35:14] (234s) Tuple counts for ActionController::ActionControllerHelperMethod#class#ff/2@ef816fil after 1.5s:
                      7685     ~0%     {3} r1 = JOIN ActionController::ActionControllerContextCall#ff#shared WITH Method::Method::getName_dispred#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.1 'controllerClass', Lhs.0 'this'
                      13198    ~0%     {3} r2 = JOIN r1 WITH Constant::ConstantValue::getStringOrSymbol_dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1 'controllerClass', Lhs.2 'this', Rhs.1
                      15835365 ~4%     {5} r3 = JOIN r2 WITH AST::AstNode::getEnclosingModule_dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, "helper_method", Lhs.0 'controllerClass', Lhs.1 'this', Lhs.2
                      12943    ~1%     {4} r4 = JOIN r3 WITH Call::MethodCall::getMethodName_dispred#ff ON FIRST 2 OUTPUT Lhs.4, Lhs.2 'controllerClass', Lhs.3 'this', Lhs.0
                      1146184  ~0%     {4} r5 = JOIN r4 WITH Expr::Expr::getConstantValue_dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.3, Rhs.1, Lhs.1 'controllerClass', Lhs.2 'this'
                      212      ~0%     {2} r6 = JOIN r5 WITH project#Call::Call::getArgument_dispred#fff ON FIRST 2 OUTPUT Lhs.3 'this', Lhs.2 'controllerClass'
                                       return r6
```

Joining on enclosing module and name simultaneously yields a much better join.
 2022-01-25 13:00:13 +01:00
Tom Hvitved
67962cb93d Ruby: Fix bad join in access predicate 
Joining on variable name alone is a bad thing:

```
[2022-01-25 11:13:20] (228s) Tuple counts for Variable::Cached::access#ff#shared/3@868b54tu after 3m37s:
                      112554    ~0%     {3} r1 = JOIN Variable::VariableReal::getNameImpl_dispred#ff WITH Variable::VariableReal::getDeclaringScopeImpl_dispred#ff ON FIRST 1 OUTPUT Lhs.1, Lhs.0 'arg2', Rhs.1 'arg1'
                      561015756 ~1%     {3} r2 = JOIN r1 WITH Variable::variableName#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1 'arg0', Lhs.2 'arg1', Lhs.1 'arg2'
                                        return r2
```

This change ensures that we join on name and scope simultaneously.
 2022-01-25 11:37:38 +01:00
Tom Hvitved
0299b4603f Merge pull request #7677 from hvitved/ruby/constant-value 
Ruby: Replace `getValueText` with `getConstantValue`
 2022-01-25 10:31:02 +01:00
Harry Maclean
962d0213b5 Ruby extractor: stop using deprecated function 2022-01-25 22:04:24 +13:00
dependabot[bot]
6543b1a3a9 Update clap requirement from 2.33 to 3.0 
Updates the requirements on [clap](https://github.com/clap-rs/clap) to permit the latest version.

Apply this update in both the generator and extractor.
 2022-01-25 16:53:39 +13:00
Harry Maclean
c5904b7410 Add inline tests for API Graph subclassing 2022-01-25 16:41:49 +13:00
Harry Maclean
517f2d0823 Add optional results to InlineExpectationsTest 
The idea behind optional results is that there may be instances where
each line of source code has many results and you don't want to annotate
all of them, but you still want to ensure that any annotations you do
have are correct.

This change makes that possible by exposing a new predicate
`hasOptionalResult`, which has the same signature as `hasResult`.

Results produced by `hasOptionalResult` will be matched against any
annotations, but the lack of a matching annotation will not cause a
failure.

We will use this in the inline tests for the API edge getASubclass,
because for each API path that uses getASubclass there is always a
shorter path that does not use it, and thus we can't use the normal
shortest-path matching approach that works for other API Graph tests.
 2022-01-25 16:41:49 +13:00
Harry Maclean
d0a274c1e8 Use API graph subclassing in GraphQL modelling 
This simplifies some of the code.
 2022-01-25 16:41:24 +13:00
Harry Maclean
5e7a29a979 Ruby: Use API graph subclassing in Rails modelling 
Now that API graphs have basic subclassing support, we can simplify some
of the ActiveRecord and ActionController code.
 2022-01-25 16:40:14 +13:00
Tom Hvitved
66a24c5c49 Ruby: Introduce TAnyArrayElementContent 2022-01-24 20:25:05 +01:00
Tom Hvitved
cc712c20cb Ruby: Use bitShiftLeft instead of pow in parseInteger 2022-01-24 16:06:35 +01:00
Tom Hvitved
6efa595478 Merge pull request #7688 from hvitved/dataflow/required-component-stack 
Data flow: Restructure `RequiredSummaryComponentStack`
 2022-01-24 15:10:08 +01:00
Tom Hvitved
2a972dc045 Address review comments 2022-01-24 14:27:42 +01:00
Tom Hvitved
64f19637d4 Address review comments 2022-01-24 13:33:18 +01:00
Arthur Baars
78b4d7cbb5 Ruby: remove redundant cast 2022-01-24 11:27:31 +01:00
Arthur Baars
0cef887683 Ruby: address comments 2022-01-24 11:27:26 +01:00
Arthur Baars
5df1f7a0c3 Ruby: use CfgNodes classes to implement case value to pattern variable taint steps 2022-01-24 10:31:08 +01:00
Arthur Baars
7d7e9ba9e1 Ruby: add CasePattern classes to CfgNodes 2022-01-24 10:31:08 +01:00
Arthur Baars
e9a01f9e8f Ruby: fix test case 2022-01-24 10:31:08 +01:00
Arthur Baars
634c8cd060 Ruby: Generalize CfgNodes::ChildMapping 2022-01-24 10:31:08 +01:00