hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-27 22:26:31 +01:00
Code Issues Packages Projects Releases Wiki Activity
58,973 Commits 1,673 Branches 157 Tags
73aa302bd28afdab72112fd68aa23dfd5bc2d913
Commit Graph

357 Commits

Author SHA1 Message Date
Tom Hvitved
e258324960 Ruby: Allow for implicit array reads at all sinks during taint tracking 2023-09-14 09:40:05 +02:00
Alex Ford
79c305c1a1 Merge pull request #14124 from alexrford/rb/dataflow-query-refactor 
Ruby: Use the new dataflow API for checked in queries
 2023-09-13 14:24:47 +01:00
Alex Ford
5b013dd5d2 Merge branch 'main' into rb/dataflow-query-refactor 2023-09-07 14:57:38 +01:00
Tom Hvitved
48e2dcfa35 Ruby: Reimplement flow through captured variables using field flow 2023-09-06 11:00:55 +02:00
Alex Ford
cdc788b162 Ruby: configsig rb/hardcoded-credentials 2023-09-03 17:20:06 +01:00
Alex Ford
42cd58695d Ruby: configsig rb/url-redirection 2023-09-03 17:20:05 +01:00
Alex Ford
593d9a48d4 Ruby: configsig rb/reflected-xss 2023-09-03 17:20:05 +01:00
Alex Ford
a8ad0d8ff5 Ruby: renames for rb/insecure-download 2023-09-03 17:20:04 +01:00
Tom Hvitved
7e77c77d92 Ruby: Update expected test output 2023-08-30 13:33:48 +02:00
Harry Maclean
d18ca3f5d7 Ruby: Fix bug in excon model 
If a codebase included a definition for `Excon.new`, we matched
connection nodes to unrelated request nodes.
 2023-08-23 12:55:36 +01:00
erik-krogh
92db7b047c escape unicode chars in the output for the ReDoS queries 2023-08-08 00:15:54 +02:00
Anders Schack-Mulligen
ae24d68b5d C/C++/C#/Java/Python/Ruby/Swift: Adjust expected output. 2023-07-19 11:41:15 +02:00
Asger F
86b5f0adc7 Revert "Merge pull request #13620 from github/revert-13496-rb/tracking-on-demand" 
This reverts commit 133de56ac2, reversing
changes made to 28a8e48351.
 2023-07-07 09:42:34 +02:00
Asger F
5d1a437e9c Revert "Ruby: overhaul API graphs" 2023-06-29 15:39:19 +02:00
Asger F
0039cb141e Merge branch 'main' into rb/tracking-on-demand 2023-06-23 12:55:54 +02:00
Asger F
f392af220b Ruby: benign changes to SQLi tests (fixed FNs) 2023-06-19 12:15:57 +02:00
Asger F
ce0073b30c Ruby: update StoredXSS test results 
These results were previously flagged for the wrong reason.

Calls to a user-define method were seen as ORM calls. The real source is inside the user-defined method, but we miss that due to lack of 'self' handling in ORM tracking.
 2023-06-19 12:15:57 +02:00
Jeroen Ketema
d82c3ce11a Ruby: Rewrite InlineFlowTest as a parameterized module 2023-06-15 10:52:23 +02:00
Jeroen Ketema
c3ba206b6a Merge pull request #13346 from jketema/inline-2 
Update inline expectation tests to use parameterized module
 2023-06-13 10:10:55 +02:00
Jeroen Ketema
4485560f43 Ruby: Rewrite inline expectation tests to use parameterized module 2023-06-09 10:43:05 +02:00
Arthur Baars
7324d1705e Merge branch 'main' into amammad-ruby-YAMLunsafeLoad 2023-06-06 12:09:06 +02:00
Erik Krogh Kristensen
219ec9d05d Merge pull request #13127 from erik-krogh/polReDoS 
ReDoS: revert new superlinear algorithm.
 2023-06-02 16:10:24 +02:00
Harry Maclean
b8c3cba4ff Ruby: Consolidate unsafe deserialization queries 
Merge the experimental YAMLUnsafeDeserialization and
PlistUnsafeDeserialization queries into the generate
UnsafeDeserialization query in the default suite.

These queries look for some specific sinks that we now find in the
general query.

Also apply some small code and comment refactors.
 2023-05-27 01:20:04 +00:00
Maiky
8dca585207 Expected 2023-05-23 20:04:34 +02:00
Maiky
ad5355a04a Pg Library, change note and Frameworks.qll 2023-05-23 19:49:03 +02:00
erik-krogh
c7e21ee9ae add really long regex as a test-case 2023-05-23 09:56:06 +02:00
Anders Schack-Mulligen
09d4fe21e8 Ruby: Update more expected output. 2023-04-26 13:37:07 +02:00
Anders Schack-Mulligen
90f84bb516 Ruby: Update expected output. 2023-04-26 13:08:16 +02:00
Peter Stöckli
2f268b309b Ruby: improve non-constant-kernel-open, freeze called on constant 2023-04-18 11:24:01 +02:00
Peter Stöckli
0a6bb3f7ce Ruby: improve non-constant-kernel-open, no FP's on open without arguments 2023-04-18 10:10:36 +02:00
Arthur Baars
cd53c77e23 Merge pull request #12670 from alexrford/mergeback-rc/3.9 
Merge `rc/3.9` back into `main`
 2023-03-28 10:49:08 +02:00
Erik Krogh Kristensen
d3c3f2dc90 Merge pull request #12628 from erik-krogh/betterReDoS 
ReDoS: better super-linear algorithm
 2023-03-27 15:26:49 +02:00
Alex Ford
181e5d588d Merge remote-tracking branch 'origin/rc/3.9' into main 2023-03-27 12:16:03 +01:00
Alex Ford
24aa16c919 Ruby: update rb/sensitive-get-query test output 2023-03-27 09:44:55 +01:00
Tom Hvitved
b816c79248 Ruby: Include all assignments in data flow paths 2023-03-24 10:09:30 +01:00
erik-krogh
b071d3557e JS/PY/RB: add a worst-case test, that now performs OK 2023-03-22 10:13:18 +01:00
Erik Krogh Kristensen
af98ceb3c3 Merge pull request #11478 from erik-krogh/more-shell-taint 
Rb: more taint-steps for shell-command-construction
 2023-03-20 08:41:22 +01:00
Tom Hvitved
9d3863eccc Ruby: Rely on built-in hash-flow in clear text storage query 2023-03-16 14:55:06 +01:00
Tom Hvitved
ae10e6e08f Ruby: Add a test that shows FP/FN for clear text logging query 2023-03-16 14:38:45 +01:00
erik-krogh
2133d1a5ab Merge branch 'main' into more-shell-taint 2023-03-15 10:54:30 +01:00
erik-krogh
25a6d496d9 Merge branch 'main' into HEAD 2023-03-13 17:33:06 +01:00
Harry Maclean
fe995dd99b Ruby: ActiveRecord::Connection.execute SQL sink 2023-03-13 09:03:54 +13:00
Harry Maclean
025cd34dab Ruby: Taint flow through ActionController params 
We were not recognising "require" as returning a Parameters instance.
 2023-03-13 08:52:41 +13:00
Harry Maclean
2d95b6a049 Ruby: Add count_by_sql as SQL sink 2023-03-13 08:40:32 +13:00
Harry Maclean
c97dccf0de Ruby: Add reorder as a SQL sink 
In recent versions of Rails this method doesn't seem to be vulnerable,
but it may be in previous versions. There's a slight FP risk here, but
I think it is small.
 2023-03-13 08:38:17 +13:00
erik-krogh
31336b09c4 add summary for the Array method on Kernel 2023-03-01 12:53:13 +01:00
erik-krogh
36b33765a5 use allowImplicitRead instead of a taint-step from elements to the array 2023-02-28 16:09:52 +01:00
erik-krogh
b0797a2559 Merge branch 'main' into more-shell-taint 2023-02-27 18:27:09 +01:00
Harry Maclean
ae3d91b546 Ruby: First draft of rails callback flow 2023-02-21 19:26:36 +13:00
Tom Hvitved
e9bce9f8cd Ruby: Update test expectations 2023-02-17 13:22:28 +01:00