hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-22 19:56:32 +01:00
Code Issues Packages Projects Releases Wiki Activity
47,335 Commits 1,672 Branches 157 Tags
80c92dc3e65a07a75f487a9b0ddcdfe8ca3e09cf
Commit Graph

213 Commits

Author SHA1 Message Date
erik-krogh
f1668801d3 add a rb/unsafe-code-construction query 
rebase
 2022-11-25 10:25:30 +01:00
erik-krogh
10fff4e2ef Merge branch 'main' into rb-redosMod 2022-11-14 21:31:10 +01:00
Nick Rolfe
4a98ef064e Ruby: use the 'customizations' pattern for the SQL injection query 2022-11-10 11:51:47 +00:00
Asger F
859dc7beb7 Merge pull request #11024 from asgerf/rb/data-flow-layer-capture2 
Ruby: expand DataFlow API
 2022-11-09 15:06:03 +01:00
Erik Krogh Kristensen
c82410fd16 Merge pull request #10680 from erik-krogh/unsafeRbCmd 
RB: add an unsafe-shell-command-construction query
 2022-11-08 09:22:33 +01:00
Erik Krogh Kristensen
3f871a08e2 apply suggestions from doc review 
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
 2022-11-07 16:29:10 +01:00
erik-krogh
40e4359173 port the Ruby regex/redos queries to use the shared pack 2022-11-07 14:34:18 +01:00
Arthur Baars
98f4c29913 Ruby: weak crypto: do not report weak hash algorithms 
Weak hash algorithms such as MD5 and SHA1 are often
used in non security sensitive contexts and reporting
all uses is far too noisy.
 2022-11-04 15:58:50 +01:00
Henry Mercer
dd264c6dfb Consistently mention language in metric names 
This improves consistency between the lines of code queries and the
number of successfully extracted files queries.
 2022-11-03 11:44:10 +00:00
Henry Mercer
c60d071239 Lowercase "lines" 2022-11-03 11:40:22 +00:00
Asger F
436cc60138 Ruby: update some uses of getConstantValue() 2022-10-28 15:16:14 +02:00
erik-krogh
e8dce25cc2 fix rb/code-injection 2022-10-25 14:44:23 +02:00
erik-krogh
7797211118 Merge branch 'main' into unsafeRbCmd 2022-10-20 10:34:17 +02:00
erik-krogh
3dd89bb7bf remove duplicate alerts due to multiple states reaching the same sink 2022-10-19 13:19:18 +02:00
Alex Ford
3baad89e57 Merge remote-tracking branch 'origin/main' into rb/sensitive-get-query 2022-10-14 10:50:09 +01:00
Erik Krogh Kristensen
332bc35ff1 Merge pull request #10708 from erik-krogh/kernelSink 
RB: add a query flagging uses of `Kernel.open()` that are not with a constant string
 2022-10-14 09:13:26 +02:00
Alex Ford
3d478a3951 Ruby: clarify qhelp 2022-10-13 22:39:54 +01:00
Alex Ford
15cab6eed5 Update ruby/ql/src/queries/security/cwe-598/SensitiveGetQuery.qhelp 
Co-authored-by: Arthur Baars <aibaars@github.com>
 2022-10-13 21:43:59 +01:00
Jeroen Ketema
d389a183f0 Merge pull request #10743 from jsoref/spelling 
Spelling
 2022-10-12 12:48:22 +02:00
erik-krogh
d427e55507 add qhelp 2022-10-11 13:26:03 +02:00
erik-krogh
557dd10896 add a rb/unsafe-shell-command-construction query 2022-10-11 13:26:01 +02:00
Erik Krogh Kristensen
7d282c3d75 fix casing in alert-message 
Co-authored-by: Arthur Baars <aibaars@github.com>
 2022-10-11 11:12:59 +02:00
erik-krogh
9a9d2a6fe1 Merge branch 'main' into rb-last-msg 2022-10-11 10:43:39 +02:00
erik-krogh
de3b15ebe9 add a query flagging uses of Kernel.open that are not with a constant string 2022-10-11 09:23:29 +02:00
Josh Soref
cbea5ec40c spelling: executables 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-11 00:23:36 -04:00
Josh Soref
6db36616cd spelling: arbitrary 
Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
 2022-10-11 00:23:35 -04:00
erik-krogh
38c17c5d0c Merge branch 'main' into rbMeta 2022-10-10 12:22:56 +02:00
Alex Ford
43fec9dfc8 Revert "Ruby: switch rb/sensitive-get-query back to using local flow" 
This reverts commit fa58c51810.
 2022-10-09 13:06:13 +01:00
Alex Ford
139d3868e5 Merge branch 'main' into rb/sensitive-get-query 2022-10-09 12:26:44 +01:00
erik-krogh
5d9c68c962 remove the taint-steps meta query 2022-10-07 13:21:24 +02:00
erik-krogh
a0725fba71 fix some more style-guide violations in the alert-messages 2022-10-07 12:01:03 +02:00
erik-krogh
c1fae91a1f have rb/meta/taint-steps print only one for each file, to limit the size of the output 2022-10-06 15:19:11 +02:00
erik-krogh
169965cfb9 make rb/meta/taint-steps into a @kind problem query 2022-10-06 13:28:10 +02:00
erik-krogh
db056aae1b add some more meta queries for Ruby evaluations 2022-10-06 10:14:28 +02:00
Henry Mercer
d80d39504f Tag successfully extracted files queries 
Tag the successfully extracted files queries with
`successfully-extracted-files` to make them easier to identify
programmatically in a language-independent way.
This follows the prior art for lines of code queries, which are tagged
`lines-of-code`.
 2022-10-05 19:19:43 +01:00
Alex Ford
fa58c51810 Ruby: switch rb/sensitive-get-query back to using local flow 2022-10-05 15:58:05 +01:00
Alex Ford
dea53d86c9 Ruby: remove some redundant imports of DataFlow 2022-10-05 13:22:19 +01:00
Alex Ford
d64f8c73be Merge branch 'main' into rb/sensitive-get-query 2022-10-05 12:59:35 +01:00
Alex Ford
880fb2b14a Ruby: split out rb/sensitive-get-query using query/customizations pattern 2022-10-05 11:59:40 +01:00
Alex Ford
703829c647 Ruby: use taint tracking for rb/sensitive-get-query 2022-10-04 15:04:41 +01:00
Erik Krogh Kristensen
5ba7c13ecd fix alert-message by adding the link 
Co-authored-by: Arthur Baars <aibaars@github.com>
 2022-10-04 13:50:25 +02:00
erik-krogh
d370b2a51e simplify the where clause of rb/kernel-open 2022-10-04 13:49:50 +02:00
erik-krogh
bf74481f65 add a link to the source in the alert-message for rb/kernel-open 2022-10-04 13:41:50 +02:00
Tom Hvitved
299339f817 Ruby: Expose relevant predicates from internal/Module.qll and make sure they are cached 2022-09-30 14:56:55 +02:00
Tom Hvitved
a9f2e5272f Merge pull request #10376 from hvitved/ruby/no-ast-by-default 
Ruby: Do not expose AST layer through `ruby.qll`
 2022-09-21 13:15:30 +02:00
Erik Krogh Kristensen
7e17a919ae Merge pull request #10304 from erik-krogh/rb-followMsg 
RB: make the alert messages of taint-tracking queries more consistent
 2022-09-20 22:58:31 +02:00
Alex Ford
7720d85c98 Ruby: use camelcase verion of Http module 2022-09-20 08:58:35 +01:00
Alex Ford
be1ac17a60 Merge branch 'main' into rb/sensitive-get-query 2022-09-19 20:57:20 +01:00
Alex Ford
08c8db8937 Ruby: stop rb/sensitive-get-query from considering ID type data as sensitive 2022-09-16 15:40:13 +01:00
Alex Ford
79ad7d293f Ruby: make SensitiveExpr a dataflow node rather than an Expr 2022-09-16 15:39:16 +01:00