hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-23 20:26:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
63,284 Commits 1,672 Branches 157 Tags
792f302bd4dee4c7558e2ce5bbea7edb51f9896f
Commit Graph

2973 Commits

Author SHA1 Message Date
Harry Maclean
4239268efd Ruby: Prevent some false flow into splat params 
In cases where there are positional parameters after a splat parameter,
don't attempt to match the splat parameter to a splat argument. We need
more sophisticated modelling to handle these cases, which is future
work.
 2023-08-09 15:01:40 +01:00
Harry Maclean
6f3e2cdde3 Ruby: Add change note 2023-08-09 15:01:40 +01:00
Harry Maclean
72356d1515 Ruby: track flow from *args to positional params 
This models flow in the following case:

    def foo(x, y)
      sink x # 1
      sink y # 2
    end

    args = [source 1, source 2]
    foo(*args)

We do this by introducing a SynthSplatParameterNode which accepts
content from the splat argument, if one is given at the callsite.
From this node we add read steps to each positional parameter.
 2023-08-09 15:01:40 +01:00
github-actions[bot]
79c90fa36a Release preparation for version 2.14.2 2023-08-07 18:08:52 +00:00
Jeroen Ketema
8b6a7985db Refactor the traint-tracking library to follow the dataflow library refactoring 2023-08-07 15:23:15 +02:00
Jeroen Ketema
5d2984b7a5 Merge branch 'main' into shared-taint-tracking 2023-08-07 15:22:29 +02:00
Tom Hvitved
db88b7da88 Ruby: Adjust to data flow refactor 2023-08-07 11:35:21 +02:00
Jeroen Ketema
747cd1745a Update all languages to use the shared taint-tracking library 2023-08-04 22:53:25 +02:00
Mathias Vorreiter Pedersen
abe3a816ce Merge pull request #13851 from MathiasVP/sink-without-states 
DataFlow: Support stateless `isSink` in `StateConfigSig`s
 2023-08-04 18:01:42 +02:00
Maiky
0cd1c1e2e5 Make private 
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
 2023-08-03 17:08:50 +02:00
Maiky
0dec4876f1 Replace cast to DataFlow::CallNode 
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
 2023-08-03 17:08:35 +02:00
Maiky
c54561e775 Merge branch 'main' into maikypedia/ldap-improper-auth 2023-08-03 16:49:30 +02:00
Maiky
fd649c1702 Fix getHost() (ldap.host = ip is not covered) 2023-08-03 16:37:48 +02:00
Maiky
f7a662814d simplify usesSsl() 2023-08-03 16:20:20 +02:00
Maiky
2d87489dfa change useSsl() to usesSsl() 2023-08-03 16:18:44 +02:00
Tom Hvitved
e011480114 Merge pull request #13509 from hvitved/cfg-pack 
Convert shared CFG construction library to a parameterized module
 2023-08-03 14:11:56 +02:00
Tom Hvitved
2ac646770e Merge ControlFlowTreeBase and AstNode 2023-08-03 10:59:26 +02:00
Tom Hvitved
525ed65b0b Rename getNode to getAstNode 2023-08-03 10:56:50 +02:00
Asger F
c38cbe859d Merge pull request #13737 from asgerf/dynamic/fuzzy-models 
Dynamic: add Fuzzy token
 2023-08-03 09:58:24 +02:00
Tom Hvitved
2f3e52646c Add class wrappers around newtype in Cfg.qll 2023-08-03 09:39:30 +02:00
Tom Hvitved
5d69e14cc1 Rename ControlFlowElement to AstNode 2023-08-03 09:39:30 +02:00
Tom Hvitved
1988397f93 Make shared CFG construction library a parameterized module 2023-08-03 09:39:30 +02:00
Mathias Vorreiter Pedersen
3007fdab5e Sync identical files. 2023-08-02 14:33:33 +02:00
Anders Schack-Mulligen
7bc8bf616f Merge pull request #13863 from aschackmull/dataflow/pack4 
Dataflow: Move the shared library to a properly shared qlpack.
 2023-08-02 14:19:49 +02:00
Anders Schack-Mulligen
73d4b126cf Ruby: Adjust to use the qlpack data-flow api. 2023-08-01 14:02:33 +02:00
Alex Ford
f437a6f729 Merge branch 'main' into maikypedia/ldap-injection 2023-07-31 16:00:41 +01:00
Alex Ford
f272b0786a Ruby: fix qldoc typo 2023-07-31 14:58:05 +01:00
Alex Ford
7f82aba7d4 qlformat 2023-07-31 14:57:14 +01:00
Maiky
2d88ac1846 Suggested Changes 2023-07-27 23:40:52 +02:00
Maiky
f5e17d7d39 Add additional Filter Methods 2023-07-27 23:04:55 +02:00
Owen Mansel-Chan
9b2b58a823 Sync files 2023-07-26 21:48:10 +01:00
github-actions[bot]
f91b7a9342 Post-release preparation for codeql-cli-2.14.1 2023-07-21 16:16:25 +00:00
github-actions[bot]
c936a920b0 Release preparation for version 2.14.1 2023-07-20 16:32:27 +00:00
Anders Schack-Mulligen
e72a0b2f8c Dataflow: Add change notes. 2023-07-19 11:41:15 +02:00
Anders Schack-Mulligen
95d17045c9 Dataflow: Sync. 2023-07-19 11:41:15 +02:00
Alex Ford
27ee72c265 Merge remote-tracking branch 'origin/main' into rb/rack-env-query-string 2023-07-17 14:11:25 +01:00
Alex Ford
06aefe01b8 Update ruby/ql/lib/codeql/ruby/frameworks/rack/internal/App.qll 
Co-authored-by: Asger F <asgerf@github.com>
 2023-07-17 14:08:44 +01:00
Alex Ford
ab1f341aa6 Merge pull request #13566 from alexrford/rb/rack-params 
Ruby: add `Rack::Request` params and cookies as remote input sources
 2023-07-17 14:07:20 +01:00
Maiky
3f36d3244b Fix singleton set literal 2023-07-15 00:18:21 +02:00
Alex Ford
bdf1aa0807 Merge pull request #13746 from asgerf/rb/fix-rack-todo 
Ruby: Use API graphs asCallable() instead of Proc.new workaround
 2023-07-14 16:29:00 +01:00
Alex Ford
d89c10dd85 Merge pull request #13130 from maikypedia/maikypedia/xpath-injection 
Ruby :  XPath Injection Query (CWE-643)
 2023-07-14 14:10:09 +01:00
Asger F
2962727f0f Ruby: Use API graphs asCallable() instead of Proc.new workaround 2023-07-14 13:50:07 +02:00
Alex Ford
dbb55ff2b4 Ruby: fix xpathinjection deprecation warnings 2023-07-14 12:45:27 +01:00
Alex Ford
a524735236 Merge branch 'main' into maikypedia/ldap-injection 2023-07-14 12:05:17 +01:00
Alex Ford
c0009379d1 qlformat 2023-07-14 12:04:03 +01:00
Asger F
31bed36231 Merge pull request #13612 from asgerf/rb/api-graph-explicit-proc-lambda 
Ruby: Improve support for explicit proc-creation
 2023-07-14 13:02:44 +02:00
Anders Schack-Mulligen
80a799df01 Merge pull request #13735 from aschackmull/dataflow/forcehighprecision-fix 
Dataflow: Fix forceHighPrecision for length-2 prefixes.
 2023-07-14 11:42:35 +02:00
Asger F
f1c82b650f Ruby: Implement Fuzzy for Ruby 2023-07-13 15:42:34 +02:00
Asger F
919cb07c1e Sync ApiGraphModels.qll 2023-07-13 15:42:33 +02:00
Asger F
18762db0fb Ruby: factor out isProcCreationCall 2023-07-13 11:53:16 +02:00