Harry Maclean
91a7e9405c
Share HttpToFileAccessQuery between JS and Ruby
...
There's so little in this query that it may not be worth sharing, but
it's an interesting exercise in figuring out how we do it nicely.
2022-03-22 11:10:08 +13:00
Harry Maclean
130d93dded
Ruby: Make HttpToFileAccess more specific
...
Only consider sources from HTTP requests, rather than any remote flow
source.
2022-03-22 11:09:08 +13:00
Harry Maclean
fac17384c3
Ruby: Add RequestInputAccess concept
...
This sits in between RemoteFlowSource and specific classes like
ParamsSource from ActionController. It represents any user-controller
input from an incoming HTTP request.
This more closely aligns our concepts with the JS library, and allows us
to specifically target sources from HTTP requests in the
HttpToFileAccess query.
2022-03-22 11:09:08 +13:00
Harry Maclean
ff1d96c922
Ruby: Add rb/http-to-file-access query
2022-03-22 11:09:08 +13:00
Harry Maclean
6c18e1d7ac
Merge pull request #8272 from hmac/hmac/tainted-format-string
2022-03-22 08:37:47 +13:00
Mathias Vorreiter Pedersen
aff76b7295
Merge pull request #8512 from github/fix-dead-select-clause-link
...
Fix dead link in `CONTRIBUTING.md`
2022-03-21 17:39:07 +00:00
Mathias Vorreiter Pedersen
2e55fd6be3
Update CONTRIBUTING.md
...
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com >
2022-03-21 16:49:59 +00:00
Mathias Vorreiter Pedersen
cf54006c86
Fix dead link in CONTRIBUTING.md
...
cc @felicitymay.
2022-03-21 16:05:57 +00:00
Michael Nebel
d31ef371ec
Merge pull request #8391 from michaelnebel/csharp/gvn-interface
...
C#: Deprecate the StructuralComparisonConfiguration interface and use sameGvn instead.
2022-03-21 14:10:53 +01:00
Alex Ford
c891c53835
Merge pull request #8395 from alexrford/ruby/clear-text-storage
...
Ruby: add `rb/clear-text-storage-sensitive-data` query
2022-03-21 10:05:39 +00:00
CodeQL CI
b04c46f96d
Merge pull request #8478 from asgerf/js/store-load-flow-context-sensitivity-bug
...
Approved by erik-krogh
2022-03-21 08:54:51 +00:00
Harry Maclean
5a6da827d0
Ruby: Avoid FP in TaintedFormatString query
...
Kernel#printf supports two call signatures:
printf(String, *args)
printf(IO, String, *args)
We want to identify the String argument, which is the format string.
Previously we would return the 0th and 1st arguments, which gives some
FPs when the 1st arg is not a format string.
We now try to rule out the trivial case by checking if arg 0 has a
string value, and then assuming it is the format string. Otherwise we
fall back to returning both arguments.
This still has some false positive potential, but less than previously.
2022-03-21 12:51:47 +13:00
Harry Maclean
5dcf0ad759
Ruby: Make IOPrintfCall more sensitive
...
It will now identify cases like this:
file = File.open "foo.txt", "a"
file.printf(params[:format], arg)
2022-03-21 12:51:47 +13:00
Harry Maclean
c253bddbe0
Ruby: Make getFormatArgument 0-indexed
2022-03-21 12:51:47 +13:00
Harry Maclean
c73dc8ad0c
Ruby: Add change note for rb/tainted-format-string
2022-03-21 12:51:47 +13:00
Harry Maclean
10a411e5cc
Ruby: Remove duplicate CWE reference
2022-03-21 12:51:47 +13:00
Harry Maclean
d79a6ddcb2
Ruby: Improve qhelp for rb/tainted-format-string
2022-03-21 12:51:47 +13:00
Harry Maclean
0cfe37dff4
Share TaintedFormatString between Ruby and JS
2022-03-21 12:51:46 +13:00
Harry Maclean
4249e30824
Ruby: Test tainted interpolated format arg
2022-03-21 12:51:18 +13:00
Harry Maclean
63199024a2
Add missing QLDoc
2022-03-21 12:51:18 +13:00
Harry Maclean
f6215d4c7e
Ruby: Add rb/tainted-format-string query
2022-03-21 12:51:18 +13:00
Robert Marsh
4bf35ad188
Merge pull request #8483 from jketema/command-line-injection-test-cases-with-calls
...
C++: Add additional command line injection tests
2022-03-18 15:05:12 -04:00
Arthur Baars
beef8e29bc
Merge pull request #8332 from hvitved/ruby/regexp-taint-flow
...
Ruby: Use taint tracking instead of type tracking to define `regExpSource`
2022-03-18 18:24:02 +01:00
Jeroen Ketema
d37ef1b5ca
C++: Add command line injection test that currently results in a false positive
2022-03-18 16:12:09 +01:00
Arthur Baars
117fb5be7d
Merge pull request #7917 from aibaars/incomplete-hostname
...
Ruby: IncompleteHostnameRegExp.ql
2022-03-18 16:00:09 +01:00
Tom Hvitved
1437aefe9d
Ruby: Use taint tracking instead of type tracking to define regExpSource
2022-03-18 14:48:12 +01:00
Tom Hvitved
d97eaba070
Ruby: Add dataflow/taintracking copies for use in libraries
2022-03-18 14:48:12 +01:00
Arthur Baars
4a27928728
Ruby/JS add missing ^ in qhelp
2022-03-18 14:00:10 +01:00
Jeroen Ketema
459870ac1e
C++: Add additional command line injection tests
2022-03-18 13:42:27 +01:00
Arthur Baars
431b60506e
Merge remote-tracking branch 'upstream/main' into incomplete-hostname
2022-03-18 13:05:34 +01:00
Arthur Baars
6d24591416
Revert "Python: switch to shared implementation of IncompleteHostnameRegExp.ql"
...
This reverts commit ce50f35dda .
2022-03-18 13:02:55 +01:00
Chris Smowton
767453520e
Merge pull request #8032 from JLLeitschuh/feat/JLL/check_os
...
Java: Add Guard Classes for checking OS & unify System Property Access
2022-03-18 11:20:36 +00:00
Asger Feldthaus
26b7edccd4
JS: Change note
2022-03-18 11:59:36 +01:00
Asger F
929419abba
Merge pull request #8254 from asgerf/ruby/mad-prototype
...
Ruby: initial prototype of models-as-data
2022-03-18 10:48:33 +01:00
Mathias Vorreiter Pedersen
8bf172913e
Merge pull request #8474 from hvitved/flow-state-changing-steps-should-be-in-path-explanation-alternative
...
Dataflow: Flow-state changing steps should always be in path explanations
2022-03-18 09:08:36 +00:00
Asger Feldthaus
8753632193
JS: Fix bug in reachableFromStoreBase
2022-03-17 17:30:46 +01:00
Asger Feldthaus
8c6ca6582e
JS: Add test showing missing flow
2022-03-17 17:30:46 +01:00
Mathias Vorreiter Pedersen
abe30457ee
Python: Accept test changes.
2022-03-17 14:03:58 +01:00
Tom Hvitved
79ea2a3a9c
Data flow: Sync files
2022-03-17 14:03:58 +01:00
Tom Hvitved
4df12dc6e6
Data flow: State-changing taint steps should not be stepped over by the big step relation
2022-03-17 14:03:58 +01:00
Erik Krogh Kristensen
870521bd1e
Merge pull request #8473 from erik-krogh/redundantAnyCast
...
QL: expand redundant-inline-cast, and rename to redundant-cast
2022-03-17 10:41:50 +01:00
Erik Krogh Kristensen
fe94421d32
rename redundant-inline-cast to redundant-cast
2022-03-17 10:25:40 +01:00
Erik Krogh Kristensen
86398a8c65
Merge pull request #8304 from erik-krogh/xssUrl
...
JS: Refactor the XSS / Client-side-url queries
2022-03-17 09:13:09 +01:00
Erik Krogh Kristensen
aa8b7c8679
update reference to deprecated class name
2022-03-16 22:32:54 +01:00
Erik Krogh Kristensen
6cdc38748c
update expected output
2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen
d8a5947a08
simplify TaintedUrlSuffix::source() to only consider window.location based sources
2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen
b3de5d94a6
move PrefixStringSanitizer to the Query.qll file, and have it extend LabeledSanitizerGuardNode
2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen
562dce57e8
rename isXSSSink to isXssSink
2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen
f083e87fa1
refactor the js/xss query to use three flowlabels and one configuration
2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen
87842bb8b7
add client-side-url sinks that may execute JavaScript as XSS sinks
2022-03-16 22:32:08 +01:00