Commit Graph

33902 Commits

Author SHA1 Message Date
Harry Maclean
91a7e9405c Share HttpToFileAccessQuery between JS and Ruby
There's so little in this query that it may not be worth sharing, but
it's an interesting exercise in figuring out how we do it nicely.
2022-03-22 11:10:08 +13:00
Harry Maclean
130d93dded Ruby: Make HttpToFileAccess more specific
Only consider sources from HTTP requests, rather than any remote flow
source.
2022-03-22 11:09:08 +13:00
Harry Maclean
fac17384c3 Ruby: Add RequestInputAccess concept
This sits in between RemoteFlowSource and specific classes like
ParamsSource from ActionController. It represents any user-controller
input from an incoming HTTP request.

This more closely aligns our concepts with the JS library, and allows us
to specifically target sources from HTTP requests in the
HttpToFileAccess query.
2022-03-22 11:09:08 +13:00
Harry Maclean
ff1d96c922 Ruby: Add rb/http-to-file-access query 2022-03-22 11:09:08 +13:00
Harry Maclean
6c18e1d7ac Merge pull request #8272 from hmac/hmac/tainted-format-string 2022-03-22 08:37:47 +13:00
Mathias Vorreiter Pedersen
aff76b7295 Merge pull request #8512 from github/fix-dead-select-clause-link
Fix dead link in `CONTRIBUTING.md`
2022-03-21 17:39:07 +00:00
Mathias Vorreiter Pedersen
2e55fd6be3 Update CONTRIBUTING.md
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
2022-03-21 16:49:59 +00:00
Mathias Vorreiter Pedersen
cf54006c86 Fix dead link in CONTRIBUTING.md
cc @felicitymay.
2022-03-21 16:05:57 +00:00
Michael Nebel
d31ef371ec Merge pull request #8391 from michaelnebel/csharp/gvn-interface
C#: Deprecate the StructuralComparisonConfiguration interface and use sameGvn instead.
2022-03-21 14:10:53 +01:00
Alex Ford
c891c53835 Merge pull request #8395 from alexrford/ruby/clear-text-storage
Ruby: add `rb/clear-text-storage-sensitive-data` query
2022-03-21 10:05:39 +00:00
CodeQL CI
b04c46f96d Merge pull request #8478 from asgerf/js/store-load-flow-context-sensitivity-bug
Approved by erik-krogh
2022-03-21 08:54:51 +00:00
Harry Maclean
5a6da827d0 Ruby: Avoid FP in TaintedFormatString query
Kernel#printf supports two call signatures:

    printf(String, *args)
    printf(IO, String, *args)

We want to identify the String argument, which is the format string.
Previously we would return the 0th and 1st arguments, which gives some
FPs when the 1st arg is not a format string.

We now try to rule out the trivial case by checking if arg 0 has a
string value, and then assuming it is the format string. Otherwise we
fall back to returning both arguments.

This still has some false positive potential, but less than previously.
2022-03-21 12:51:47 +13:00
Harry Maclean
5dcf0ad759 Ruby: Make IOPrintfCall more sensitive
It will now identify cases like this:

    file = File.open "foo.txt", "a"
    file.printf(params[:format], arg)
2022-03-21 12:51:47 +13:00
Harry Maclean
c253bddbe0 Ruby: Make getFormatArgument 0-indexed 2022-03-21 12:51:47 +13:00
Harry Maclean
c73dc8ad0c Ruby: Add change note for rb/tainted-format-string 2022-03-21 12:51:47 +13:00
Harry Maclean
10a411e5cc Ruby: Remove duplicate CWE reference 2022-03-21 12:51:47 +13:00
Harry Maclean
d79a6ddcb2 Ruby: Improve qhelp for rb/tainted-format-string 2022-03-21 12:51:47 +13:00
Harry Maclean
0cfe37dff4 Share TaintedFormatString between Ruby and JS 2022-03-21 12:51:46 +13:00
Harry Maclean
4249e30824 Ruby: Test tainted interpolated format arg 2022-03-21 12:51:18 +13:00
Harry Maclean
63199024a2 Add missing QLDoc 2022-03-21 12:51:18 +13:00
Harry Maclean
f6215d4c7e Ruby: Add rb/tainted-format-string query 2022-03-21 12:51:18 +13:00
Robert Marsh
4bf35ad188 Merge pull request #8483 from jketema/command-line-injection-test-cases-with-calls
C++: Add additional command line injection tests
2022-03-18 15:05:12 -04:00
Arthur Baars
beef8e29bc Merge pull request #8332 from hvitved/ruby/regexp-taint-flow
Ruby: Use taint tracking instead of type tracking to define `regExpSource`
2022-03-18 18:24:02 +01:00
Jeroen Ketema
d37ef1b5ca C++: Add command line injection test that currently results in a false positive 2022-03-18 16:12:09 +01:00
Arthur Baars
117fb5be7d Merge pull request #7917 from aibaars/incomplete-hostname
Ruby: IncompleteHostnameRegExp.ql
2022-03-18 16:00:09 +01:00
Tom Hvitved
1437aefe9d Ruby: Use taint tracking instead of type tracking to define regExpSource 2022-03-18 14:48:12 +01:00
Tom Hvitved
d97eaba070 Ruby: Add dataflow/taintracking copies for use in libraries 2022-03-18 14:48:12 +01:00
Arthur Baars
4a27928728 Ruby/JS add missing ^ in qhelp 2022-03-18 14:00:10 +01:00
Jeroen Ketema
459870ac1e C++: Add additional command line injection tests 2022-03-18 13:42:27 +01:00
Arthur Baars
431b60506e Merge remote-tracking branch 'upstream/main' into incomplete-hostname 2022-03-18 13:05:34 +01:00
Arthur Baars
6d24591416 Revert "Python: switch to shared implementation of IncompleteHostnameRegExp.ql"
This reverts commit ce50f35dda.
2022-03-18 13:02:55 +01:00
Chris Smowton
767453520e Merge pull request #8032 from JLLeitschuh/feat/JLL/check_os
Java: Add Guard Classes for checking OS & unify System Property Access
2022-03-18 11:20:36 +00:00
Asger Feldthaus
26b7edccd4 JS: Change note 2022-03-18 11:59:36 +01:00
Asger F
929419abba Merge pull request #8254 from asgerf/ruby/mad-prototype
Ruby: initial prototype of models-as-data
2022-03-18 10:48:33 +01:00
Mathias Vorreiter Pedersen
8bf172913e Merge pull request #8474 from hvitved/flow-state-changing-steps-should-be-in-path-explanation-alternative
Dataflow: Flow-state changing steps should always be in path explanations
2022-03-18 09:08:36 +00:00
Asger Feldthaus
8753632193 JS: Fix bug in reachableFromStoreBase 2022-03-17 17:30:46 +01:00
Asger Feldthaus
8c6ca6582e JS: Add test showing missing flow 2022-03-17 17:30:46 +01:00
Mathias Vorreiter Pedersen
abe30457ee Python: Accept test changes. 2022-03-17 14:03:58 +01:00
Tom Hvitved
79ea2a3a9c Data flow: Sync files 2022-03-17 14:03:58 +01:00
Tom Hvitved
4df12dc6e6 Data flow: State-changing taint steps should not be stepped over by the big step relation 2022-03-17 14:03:58 +01:00
Erik Krogh Kristensen
870521bd1e Merge pull request #8473 from erik-krogh/redundantAnyCast
QL: expand redundant-inline-cast, and rename to redundant-cast
2022-03-17 10:41:50 +01:00
Erik Krogh Kristensen
fe94421d32 rename redundant-inline-cast to redundant-cast 2022-03-17 10:25:40 +01:00
Erik Krogh Kristensen
86398a8c65 Merge pull request #8304 from erik-krogh/xssUrl
JS: Refactor the XSS / Client-side-url queries
2022-03-17 09:13:09 +01:00
Erik Krogh Kristensen
aa8b7c8679 update reference to deprecated class name 2022-03-16 22:32:54 +01:00
Erik Krogh Kristensen
6cdc38748c update expected output 2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen
d8a5947a08 simplify TaintedUrlSuffix::source() to only consider window.location based sources 2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen
b3de5d94a6 move PrefixStringSanitizer to the Query.qll file, and have it extend LabeledSanitizerGuardNode 2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen
562dce57e8 rename isXSSSink to isXssSink 2022-03-16 22:32:09 +01:00
Erik Krogh Kristensen
f083e87fa1 refactor the js/xss query to use three flowlabels and one configuration 2022-03-16 22:32:08 +01:00
Erik Krogh Kristensen
87842bb8b7 add client-side-url sinks that may execute JavaScript as XSS sinks 2022-03-16 22:32:08 +01:00