Rasmus Wriedt Larsen
9eda630965
Ruby: Add CallNode.getKeywordArgumentIncludeHashArgument
2022-08-19 15:54:15 +02:00
Rasmus Wriedt Larsen
10968bf115
Ruby: Fix alert-msg logic for RequestWithoutValidation.ql
...
This really surprised me, but as shown in the results, it does actually
make a difference in the alert-message.
2022-08-19 15:50:09 +02:00
Rasmus Wriedt Larsen
0ac3624342
Ruby: Implement new disablesCertificateValidation for all HTTP client models
...
Sadly most alert text changed, but the two important changes are:
1. The request on RestClient.rb:19 now has an expanded alert text,
highlighting where the origin of the value that disables certificate
validation comes from. (in this case, it's trivial since it's the
line right above)
2. We handle passing `false`/`OpenSSL::SSL::VERIFY_NONE` the same in the
argument passing examples in Faraday.rb
2022-08-19 15:46:22 +02:00
Rasmus Wriedt Larsen
1f028ac206
Ruby: Implement new disablesCertificateValidation for RestClient
2022-08-19 15:43:19 +02:00
Rasmus Wriedt Larsen
07d95918f2
Ruby: Add more RequestWithoutValidation.ql tests
...
Added:
- one where the value is not directly used when disabling certificate
validation.
- one with argument passing, Faraday, where it is only the passing of
`OpenSSL::SSL::VERIFY_NONE` that is recognized.
2022-08-19 15:42:50 +02:00
Rasmus Wriedt Larsen
47c9c5bddd
Ruby: Update RequestWithoutValidation.ql to match Python version
...
No library modeling currently has support for the new disablesCertificateValidation/2, so only the alert text has changed
(removed an import from Python so the queries would ACTUALLY match)
2022-08-18 14:32:41 +02:00
Rasmus Wriedt Larsen
4a82025087
Ruby: Base HTTP::Client::Request on shared concept
...
Fixing up deprecation errors in next commit
2022-08-18 13:42:53 +02:00
Rasmus Wriedt Larsen
e2b78df5ad
Ruby: Change HTTP::Client::Request to have DataFlow::Node as base class
...
Although this is a breaking change, as explained in the change-note, it
should only affect people that have created their own HTTP client
request modeling, which I assume is none.
The alternative would have been to keep the old class/module as
deprecated, and introduce a `HTTP::Client::Requestv2` class/module that
is based on `DataFlow::Node` instead. The old class could then be
deprecated in 1 year, and we could do a rename from
`HTTP::Client::Requestv2` -> `HTTP::Client::Request` at the same time.
(and then wait 1 more year before being able to delete
`HTTP::Client::Requestv2`)
All in all, I think this is the right tradeoff, given that CodeQL Ruby
is still in beta.
2022-08-18 13:42:52 +02:00
Rasmus Wriedt Larsen
e6b4d12f94
Sync ConceptsShared
2022-08-18 13:42:52 +02:00
Rasmus Wriedt Larsen
9d96b73b8b
Ruby: Fixup test annotation
2022-08-18 13:42:49 +02:00
Harry Maclean
70ec70940a
Merge pull request #8142 from github/hmac/incomplete-multi-char-sanitization
2022-08-18 10:02:39 +12:00
Erik Krogh Kristensen
e93ff8672c
Merge pull request #10075 from erik-krogh/depOld
...
delete old deprecations
2022-08-17 21:21:57 +02:00
Alex Ford
d4d6657cb7
Merge pull request #10008 from alexrford/rb/log-injection
...
Ruby: Add `rb/log-injection` query
2022-08-17 15:01:22 +01:00
erik-krogh
6b9f01535b
change All to Most in the change-notes
2022-08-17 15:34:57 +02:00
erik-krogh
2622c78766
add change-notes
2022-08-17 13:55:16 +02:00
Tom Hvitved
355c1f5959
Merge pull request #10035 from hvitved/ssa/phi-reads
...
SSA: Improve use-use calculation using "phi read nodes"
2022-08-17 13:43:00 +02:00
Nick Rolfe
94a51142d0
Ruby: fix typo in internal predicate name
2022-08-17 11:05:39 +01:00
Tom Hvitved
44e1ecdf94
Merge pull request #10060 from hvitved/ruby/pos-args-missing-flow-tests
...
Ruby: Add tests that demonstrate missing flow through positional arguments
2022-08-17 10:45:25 +02:00
Harry Maclean
1f4dad4167
Update for rename of ReDoSUtil to NfaUtils
2022-08-17 16:03:49 +12:00
Harry Maclean
f1a546c4d6
Rename IncompleteMultiCharacterSanitization[Query]
2022-08-17 16:03:49 +12:00
Harry Maclean
f2384a6a8f
Ruby: Share more code with JS
2022-08-17 16:03:49 +12:00
Harry Maclean
025e34d8e1
Ruby: Simplify imports
2022-08-17 16:03:48 +12:00
Harry Maclean
ab6287aebd
Ruby: Fix import
2022-08-17 16:03:48 +12:00
Harry Maclean
b7d9bf4066
Share IncompleteMultiCharacterSanitization JS/Ruby
...
Most of the classes and predicates in this query can be shared between
the two languages. There's just a few language-specific things that we
place in IncompleteMultiCharacterSanitizationSpecific.
2022-08-17 16:03:46 +12:00
Harry Maclean
3179c60a1e
Ruby: Remove RegExpLiteral.getAMatch
...
This predicate is a duplicate of getAMatchedString, which matches the
naming in the JS version.
2022-08-17 16:02:48 +12:00
Harry Maclean
6bb24f9d7c
Ruby: matchesEmptyString -> isNullable
...
Rename RegExpLiteral.matchesEmptyString to isNullable, to match the JS
version.
2022-08-17 16:02:48 +12:00
Harry Maclean
3fba4a5fa7
Ruby: Add change note for new query
2022-08-17 16:02:48 +12:00
Harry Maclean
c234bd94d1
Ruby: IncompleteMultiCharacterSanitization Query
...
This query is similar to IncompleteSanitization but for multi-character
sequences.
2022-08-17 16:02:48 +12:00
Harry Maclean
6e289a9db3
Ruby: Improvements to StringSubstitutionCall
...
- Handle block arguments
- Recognise patterns passed via constants
2022-08-17 16:02:48 +12:00
Harry Maclean
17dfb4e7b8
Ruby: Add RegExpTerm.getAMatch
2022-08-17 16:02:48 +12:00
Harry Maclean
c9fc43a4ba
Ruby: Add matchesEmptyString to RegExpTerm
2022-08-17 16:02:47 +12:00
erik-krogh
4b7f63a0f3
sync SensitiveDataHeuristics.qll to the other languages
2022-08-16 22:31:26 +02:00
Tom Hvitved
7395587244
Sync files
2022-08-16 14:07:39 +02:00
Erik Krogh Kristensen
fd5b8896df
Merge pull request #10063 from erik-krogh/fixRbDep
...
re-deprecate ReDoSUtil in ruby
2022-08-16 13:27:52 +02:00
Alex Ford
d02ad51d74
Merge pull request #10032 from github/post-release-prep/codeql-cli-2.10.3
...
Post-release preparation for codeql-cli-2.10.3
2022-08-16 12:04:07 +01:00
erik-krogh
2fbae81356
re-deprecate ReDoSUtil in ruby
2022-08-16 11:22:00 +02:00
erik-krogh
8e6a36256c
import the non-deprecated NfaUtils in the overly-large-range query
2022-08-16 11:21:43 +02:00
Tom Hvitved
aa93986d1a
Ruby: Add tests that demonstrate missing flow through positional arguments
2022-08-16 10:36:40 +02:00
Tom Hvitved
007d98e3b4
Ruby: Fix deprecation warning
2022-08-16 10:23:06 +02:00
Erik Krogh Kristensen
f106e064fa
Merge pull request #9422 from erik-krogh/refacReDoS
...
Refactorizations of the ReDoS libraries
2022-08-16 09:32:08 +02:00
Erik Krogh Kristensen
0adb588fe8
Merge pull request #9712 from erik-krogh/badRange
...
JS/RB/PY/Java: add suspicious range query
2022-08-15 13:55:44 +02:00
Anders Schack-Mulligen
a3fb54c9de
Merge pull request #10007 from aschackmull/dataflow/source-node-identity
...
Dataflow: Fix identification of source PathNodes in the presence of source-to-source flow
2022-08-15 10:39:17 +02:00
erik-krogh
3a4a3437b5
fix some QL-for-QL warnings
2022-08-12 20:38:50 +02:00
erik-krogh
b54f037424
Merge branch 'main' into refacReDoS
2022-08-12 20:28:30 +02:00
erik-krogh
b9e96fb078
sync changes to other languages
2022-08-12 20:28:12 +02:00
github-actions[bot]
21d0c78376
Post-release preparation for codeql-cli-2.10.3
2022-08-11 23:20:39 +00:00
github-actions[bot]
57c4f9145b
Release preparation for version 2.10.3
2022-08-11 11:12:15 +00:00
Erik Krogh Kristensen
887f6557ed
fix common misspellings throughout github/codeql
2022-08-10 23:21:41 +02:00
Alex Ford
7a61f59b1e
Ruby: add change note for new rb/log-injection query
2022-08-10 16:17:55 +01:00
Alex Ford
44c4b9ba5c
Ruby: add rb/log-injection test cases
2022-08-10 16:17:37 +01:00