hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-21 10:24:47 +01:00
Code Issues Packages Projects Releases Wiki Activity
44,593 Commits 1,684 Branches 158 Tags
a28d7b64ea7303a6eaa2412ef55cd6c951b9546f
Commit Graph

2030 Commits

Author SHA1 Message Date
Alex Ford
fa58c51810 Ruby: switch rb/sensitive-get-query back to using local flow 2022-10-05 15:58:05 +01:00
Alex Ford
71670a4f75 Ruby: add RequestInputAccess#getKind predicate 2022-10-05 13:38:31 +01:00
Alex Ford
dea53d86c9 Ruby: remove some redundant imports of DataFlow 2022-10-05 13:22:19 +01:00
Alex Ford
f01670f663 Ruby: add a note to a test case 2022-10-05 13:06:49 +01:00
Alex Ford
d64f8c73be Merge branch 'main' into rb/sensitive-get-query 2022-10-05 12:59:35 +01:00
Alex Ford
084efe062a Ruby: limit rb/sensitive-get-query to data from query params 2022-10-05 12:57:57 +01:00
Alex Ford
977e8a8a6f Ruby: add a test case for sensitive data from cookies for rb/sensitive-get-query (should not be flagged) 2022-10-05 12:57:07 +01:00
Arthur Baars
6509c19aad Merge pull request #10692 from aibaars/fix-splats 
Ruby: fix CFG and toString for anonymous '*' and '**'
 2022-10-05 13:25:29 +02:00
Alex Ford
880fb2b14a Ruby: split out rb/sensitive-get-query using query/customizations pattern 2022-10-05 11:59:40 +01:00
Arthur Baars
a080f498be Ruby: fix CFG and toString for anonymous '*' and '**' 2022-10-05 11:50:37 +02:00
Arthur Baars
4ff85d5275 Ruby: add test case 2022-10-05 10:57:53 +02:00
Nick Rolfe
525fe12671 Merge pull request #10585 from github/nickrolfe/libxml-xxe 
Ruby: detect uses of LibXML with entity substitution enabled by default
 2022-10-05 09:51:39 +01:00
Tom Hvitved
1496c4f0e2 Merge pull request #10686 from hvitved/ruby/remove-value-pair-content 
Ruby: Remove `PairValueContent`
 2022-10-05 09:41:14 +02:00
Arthur Baars
c1c16e44ee Merge pull request #10559 from aibaars/cve-2019-3881 
Ruby: some improvements
 2022-10-04 21:24:14 +02:00
Tom Hvitved
aae9a58ca3 Ruby: Remove ValuePairContent 2022-10-04 20:10:51 +02:00
Nick Rolfe
d69a658e06 Merge pull request #10673 from github/nickrolfe/no_abstract 
Ruby: remove public abstract classes for Action{View,Controller}
 2022-10-04 17:49:59 +01:00
Nick Rolfe
2e80926951 Ruby: fix a couple of references to deprecated names 2022-10-04 16:45:08 +01:00
Nick Rolfe
445241fd95 Ruby: add missing qldoc comment 2022-10-04 16:31:54 +01:00
Nick Rolfe
2315a177fe Ruby: add changenote for ActionView/Controller class renames 2022-10-04 16:22:11 +01:00
Nick Rolfe
227100d883 Ruby: make old class names available as deprecated aliases 2022-10-04 16:11:43 +01:00
Alex Ford
703829c647 Ruby: use taint tracking for rb/sensitive-get-query 2022-10-04 15:04:41 +01:00
erik-krogh
dedbe66619 update expected output 2022-10-04 14:16:07 +02:00
Erik Krogh Kristensen
5ba7c13ecd fix alert-message by adding the link 
Co-authored-by: Arthur Baars <aibaars@github.com>
 2022-10-04 13:50:25 +02:00
erik-krogh
d370b2a51e simplify the where clause of rb/kernel-open 2022-10-04 13:49:50 +02:00
erik-krogh
bf74481f65 add a link to the source in the alert-message for rb/kernel-open 2022-10-04 13:41:50 +02:00
Arthur Baars
88b5d4da16 Ruby: extend may have multiple arguments 2022-10-04 12:58:50 +02:00
Arthur Baars
ab3a62de3c Update ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll 2022-10-04 12:58:50 +02:00
Tom Hvitved
6e61ef10b8 Ruby: Add another dataflow copy 2022-10-04 12:58:50 +02:00
Tom Hvitved
9d7d6c29f9 Review comments 2022-10-04 12:58:50 +02:00
Tom Hvitved
77c47bc856 Ruby: Add another call graph test 2022-10-04 12:58:49 +02:00
Arthur Baars
44cc6f7350 Ruby: improve tracking of regular expressions 
There are two flavours of `match?`. If the receiver of `match?` has type String
then the argument to `match?` is a regular expression. However, if the receiver of
`match?` has type Regexp then the argument is the text.

The role of receiver and argument flips depending on the type of the receiver, this
caused a lot of false positives when looking for string-like literals that are
used as a regular expression.

This commit attempts to improve things by trying to determine whether the type of the
receiver is known to be of type Regexp. In such cases we know that the argument
is unlikely to be  regular expression.
 2022-10-04 12:58:49 +02:00
Arthur Baars
0160c374e4 Ruby: add flow summaries for Object#dup and Kernel#tap 2022-10-04 12:58:49 +02:00
Arthur Baars
5d55daa491 Ruby: use resolveConstantReadAccess instead of trackModuleAccess for 'extend' calls 
This avoids non-linear recursion at the cost of losing some results.
 2022-10-04 12:58:49 +02:00
Arthur Baars
c2b98a4761 Ruby: add support for 'extend' method 2022-10-04 12:58:49 +02:00
Arthur Baars
09bc78eafc Ruby: local dataflow step for || and && 2022-10-04 12:58:49 +02:00
Arthur Baars
e95b5468d9 Ruby: use Dataflow for Pathname instead of TypeTracking 2022-10-04 12:58:49 +02:00
Arthur Baars
f9b952f04f Ruby: Pathname use TypeTracker instead of local flow 2022-10-04 12:58:49 +02:00
Nick Rolfe
dd1b302fce Ruby: revert making inActionViewContext private 2022-10-04 11:29:09 +01:00
Nick Rolfe
a738f1d5cf Ruby: remove public abstract classes for Action{View,Controller} 2022-10-04 10:53:41 +01:00
Tom Hvitved
12536578d4 Merge pull request #10664 from hvitved/type-tracking-more-caching 
Ruby/Python: Cache more type tracking predicates
 2022-10-04 10:58:41 +02:00
Harry Maclean
42a97b26bb Merge pull request #10316 from hmac/hmac/actionview 
Ruby: Model ActionView
 2022-10-04 08:16:16 +13:00
Tom Hvitved
bc3e9339dc Ruby: Cache more type tracking predicates 2022-10-03 20:29:17 +02:00
Tom Hvitved
d52d3d7b75 Merge pull request #10644 from hvitved/ruby/prevent-reevaluation 
Ruby: Prevent reevaluation of expensive predicates
 2022-10-03 13:10:39 +02:00
Asger F
47e5623b90 Merge pull request #10639 from hvitved/ruby/dataflow/known-element-no-floats-complexs 
Ruby: Do not attempt to track precise hash indices for floats and complex numbers
 2022-10-03 09:23:33 +02:00
Harry Maclean
e48665ad9f Fix doc 2022-10-03 14:13:12 +13:00
Harry Maclean
ba83b7c6c7 Merge pull request #10599 from hmac/hmac/actioncontroller-datastreaming 
Ruby: Model send_file
 2022-10-03 09:44:05 +13:00
Alex Ford
5c32c8badf Merge pull request #10560 from alexrford/ruby/yaml-load_file 
Ruby: treat `Psych` and `YAML` as aliases for rb/unsafe-deserialization
 2022-10-02 20:19:10 +01:00
Tom Hvitved
292bc67125 Merge pull request #10620 from hvitved/ruby/call-graph-protected-methods 
Ruby: Account for `protected` methods in call graph
 2022-09-30 19:31:36 +02:00
Tom Hvitved
dd7458acc8 Ruby: Add more call graph tests for protected methods 2022-09-30 16:24:34 +02:00
Tom Hvitved
32d002ed60 Merge pull request #10627 from hvitved/ruby/synthesis-reduce-non-linear-rec 
Ruby: Reduce size of input predicate for non-linear recursion
 2022-09-30 15:36:21 +02:00