codeql

mirror of https://github.com/github/codeql.git synced 2026-04-14 11:34:00 +02:00

Author	SHA1	Message	Date
Nick Rolfe	7666d856b7	Merge remote-tracking branch 'origin/main' into polynomial_redos	2021-09-07 17:35:07 +01:00
Harry Maclean	87253032e2	Add a query for URL redirect vulnerabilities This query finds instances of CWE-601: Redirection to Untrusted Site. The structure is copied from a query of the same name in the Python library. We add customisations specific to `ActionController`.	2021-09-03 13:17:14 +01:00
Nick Rolfe	47e5a8fd09	Add test for polynomial ReDoS query	2021-09-02 17:57:56 +01:00
Nick Rolfe	cbe23661ed	Rename exponential ReDoS test directory	2021-09-02 17:57:56 +01:00
Harry Maclean	91d56cd802	Use dataflow to find method call targets This includes both local and non-local methods, and is also simpler than the previous definition.	2021-08-31 15:42:06 +01:00
Harry Maclean	8901eba978	Include constants in jump-to-def query The previous version of this query inadvertently excluded constants which weren't classes or modules. This version includes them, by introducing a laxer version of `resolveScopeExpr` that doesn't require the result to be a `TResolved`.	2021-08-31 15:42:06 +01:00
Harry Maclean	e72f1399cb	Include class variables in jump-to-def query	2021-08-31 15:42:06 +01:00
Harry Maclean	e84ebe2b94	Include instance variables in jump-to-def query By convention, instance variables are considered to be "defined" in the `#initialize` method of their containing class. If an instance variable is written to in `#initialize` and then read elsewhere in the program, we will point from the read to the write. If it is not written to in `#initialize` then we won't provide any jump-to-definition information for it.	2021-08-31 15:42:06 +01:00
Harry Maclean	a16cd8967b	Ignore synthesised reads for jump-to-definition We synthesise variables for things like tuple patterns. For example, this Ruby code: a, b = ... becomes: __synth__0 = ... a = __synth__0[0] b = __synth__0[1] The `__synth__` variables should be ignored when calculating jump-to-definition information, since they don't appear in the original source code.	2021-08-31 15:42:05 +01:00
Harry Maclean	95e2b8a4a4	Simplify jump-to-def query The expected output format is a tuple (a, b, k) where `a` and `b` are any `AstNode` subclass and `k` is a string indicating the kind of definition (e.g. variable, method, ...). By ensuring that every value in `DefLoc` is a subclass of `Expr` (itself a subclass of `AstNode`) we can simplify the query by removing all the use of `getLocation()`.	2021-08-31 15:42:05 +01:00
Harry Maclean	2fbbabda2d	First draft of a jump-to-definition query TODO: flesh out this message	2021-08-31 15:42:05 +01:00
Nick Rolfe	bc06817611	Add ERB comment as regression test for parsing bug	2021-08-25 12:43:33 +01:00
Arthur Baars	9ca0e81953	Move UseDetect to experimental for now	2021-08-04 15:52:48 +02:00
Erik Krogh Kristensen	632ad518f0	enable unicode parsing in the ruby ReDoS query	2021-08-02 07:13:41 +00:00
Nick Rolfe	d99b5510e5	Merge pull request #219 from github/regex Add regexp parser and exponential ReDoS query	2021-06-30 17:23:29 +01:00
Alex Ford	31cbf818ab	fix rb/sql-injection FPs due to not accounting for overridden ActiveRecord methods	2021-06-29 13:54:15 +01:00
Nick Rolfe	ba7021086b	Merge remote-tracking branch 'origin/main' into regex	2021-06-25 15:00:26 +01:00
Nick Rolfe	bee94757dd	Add query test for ReDoS.ql, ported from JS	2021-06-25 12:51:35 +01:00
Alex Ford	9883a9b606	update SqlInjection tests	2021-06-24 18:12:26 +01:00
Alex Ford	d62f4f5bd4	Address review comments	2021-06-24 18:12:26 +01:00
Alex Ford	12e4c9ee90	update SqlInjection tests	2021-06-24 18:12:25 +01:00
Alex Ford	5386c776b3	Implement rb/sql-injection	2021-06-24 18:12:25 +01:00
Alex Ford	f74dff560b	Merge pull request #187 from github/hardcoded-credentials Add rb/hardcoded-credentials query	2021-06-10 16:12:32 +01:00
Alex Ford	e26afe91b5	move rb/hardcoded-credential alert location to the source	2021-06-07 14:53:04 +01:00
Alex Ford	5d79a8cec0	account for keyword args in rb/hardcoded-credentials and simplify query	2021-06-07 14:49:49 +01:00
Alex Ford	8a3ffb6dca	add missing toString	2021-06-04 13:25:03 +01:00
Alex Ford	b2d36babc4	report rb/weak-file-permission alerts at source rather than sink and improve alert message	2021-06-04 13:10:18 +01:00
Alex Ford	fdd4f7f616	attempt to use typetracker in rb/hardcoded-credentials	2021-06-01 12:22:04 +01:00
Alex Ford	f1303e0ced	remove WIP files	2021-06-01 12:22:04 +01:00
Alex Ford	4fdd072603	WIP: HardcodedCredentials query	2021-06-01 12:22:04 +01:00
Alex Ford	3c0f20cec8	Merge pull request #170 from github/weak-file-permissions Add `rb/overly-permissive-file` query	2021-05-14 17:04:15 +01:00
Alex Ford	6bd2e4e4b7	Merge pull request #175 from github/loc-summary-queries-1 Summary queries for total LOC and user-code LOC	2021-05-14 15:51:45 +01:00
Alex Ford	49d9bb798c	revamp the diagnostics tests	2021-05-11 19:53:00 +01:00
Alex Ford	d1d8cff915	tests for some more diagnostics queries	2021-05-11 19:14:22 +01:00
Alex Ford	de497dd1ba	tests for NumberOfFiles* summary queries	2021-05-11 19:14:22 +01:00
Alex Ford	e5896047d8	summary LOC query tests	2021-05-06 19:54:23 +01:00
Alex Ford	2c8a4f833f	make rb/overly-permissive-file a proper path-problem	2021-04-29 19:11:39 +01:00
Alex Ford	0a6dc6f150	update WeakFilePermissions.expected	2021-04-28 16:31:07 +01:00
Alex Ford	e5862a942f	WIP rb/overly-permissive-file query	2021-04-27 21:22:17 +01:00
Alex Ford	c6b6a83501	extend FLines* tests	2021-04-21 10:42:53 +01:00
Alex Ford	a1c91e28da	move FLines* tests to a common directory	2021-04-21 10:34:58 +01:00
Alex Ford	50a0f282bf	add basic tests for FLines queries	2021-04-20 17:36:16 +01:00
Calum Grant	855d190800	Ruby: Test local data flow	2021-03-09 10:25:24 +00:00
Calum Grant	5b4bf584a1	Ruby: Update qltest output for new select format	2021-03-09 10:20:23 +00:00
Calum Grant	ca497479c2	Ruby: Finish the test for UseDetect	2021-03-04 15:44:05 +00:00
Calum Grant	522bcff79d	Ruby: Initial test case	2021-03-04 15:38:09 +00:00

46 Commits