hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-13 18:59:27 +02:00
Code Issues Packages Projects Releases Wiki Activity
40,325 Commits 1,760 Branches 167 Tags
b078430faf91b32392997c6ea5220fff7d51bfa9
Commit Graph

117 Commits

Author SHA1 Message Date
Alex Ford
8d195e3188 Merge pull request #9157 from alexrford/crypto-op-block-mode 
Ruby/Python: Add a `BlockMode` concept for `CryptographicOperations`
 2022-06-13 21:32:36 +02:00
Nick Rolfe
385e442f7f Ruby: fix spelling errors 2022-05-25 16:38:48 +01:00
Alex Ford
4752c45fe5 ruby: update rb/weak-cryptographic-algorithm to specify the block mode if appropriate 2022-05-13 16:32:30 +01:00
yoff
6c3e2db7fd Merge branch 'main' into python/simple-csrf 2022-05-10 10:55:28 +02:00
Harry Maclean
ba1d43dd42 Merge pull request #8658 from hmac/hmac/insecure-download 
Ruby: Add InsecureDownload query
 2022-04-28 11:07:35 +12:00
Harry Maclean
f4453f4da2 Merge pull request #8573 from hmac/hmac/missing-regexp-anchor 
Ruby: Add MissingRegExpAnchor query
 2022-04-28 11:06:33 +12:00
Erik Krogh Kristensen
e1c7d369be Merge pull request #8796 from erik-krogh/redundantImport 
Remove redundant imports
 2022-04-27 12:39:51 +02:00
Harry Maclean
f35379bf8c Ruby: Add change note for rb/insecure-download 2022-04-27 12:47:09 +12:00
Harry Maclean
bb3fb0325b Ruby: Add InsecureDownload query 
This query finds cases where a potentially unsafe file is downloaded
over an unsecured connection.
 2022-04-27 12:47:09 +12:00
Harry Maclean
af2965c2a0 Explain anchors in MissingRegExpAnchor qlhelp 2022-04-27 10:12:33 +12:00
Harry Maclean
6f9dc5eb7e Ruby: Update import for file move 2022-04-27 10:12:33 +12:00
Harry Maclean
2feb4a48be Ruby: Add hasMisleadingAnchorPrecedence to MissingRegExpAnchor 2022-04-27 10:12:33 +12:00
Harry Maclean
e3c3c00c68 Ruby: Add MissingRegExpAnchor query 2022-04-27 10:12:33 +12:00
Nick Rolfe
649d7dd022 Merge pull request #8607 from github/nickrolfe/incomplete_sanitization 
Ruby: port of `js/incomplete-sanitization`
 2022-04-26 17:10:24 +01:00
Erik Krogh Kristensen
ff73dbc35c delete redundant imports 2022-04-22 12:55:28 +02:00
Erik Krogh Kristensen
a737350f27 RB: dont import the PathGraph module from Query.qll files 2022-04-22 11:46:06 +02:00
Nick Rolfe
9b2a98326c Ruby: update use of PostUpdateNode now that it's public 2022-04-20 12:08:41 +01:00
Nick Rolfe
9b6e610e24 Merge remote-tracking branch 'origin/main' into nickrolfe/incomplete_sanitization 2022-04-20 12:05:22 +01:00
Nick Rolfe
08f6fbbe10 Ruby: make comment about backslash escaping clearer 2022-04-19 14:05:17 +01:00
Nick Rolfe
76c6a521fd Ruby: add clarifying comment 2022-04-19 13:10:57 +01:00
Nick Rolfe
76587c4144 Ruby: fix capitalisation of String in qhelp 2022-04-19 11:42:31 +01:00
Nick Rolfe
ac805f0cdc Ruby: simplify predicate by using DataFlow::CallNode 2022-04-19 11:27:33 +01:00
Nick Rolfe
ca4dc0583d Ruby: fix comment typos 2022-04-19 11:15:34 +01:00
Harry Maclean
c3f1fba985 Merge pull request #8598 from hmac/hmac/insecure-dep-resolution 
Ruby: Add rb/insecure-dependency query
 2022-04-14 02:09:44 +02:00
Nick Rolfe
fdca896614 Ruby: improve handling of [g]sub! 
rb/incomplete-sanitization has a few cases where we find flow from one
one string substitution call to another, e.g.

    a.sub(...).sub(...)

But this didn't find typical chained uses of the destructive variants,
e.g.

    a.sub!(...)
    a.sub!(...)

We now handle those cases by tracking flow from the post-update node for
the receiver of the first call.
 2022-04-13 17:19:25 +01:00
Nick Rolfe
bbb8177176 Ruby: add rc/incomplete-sanitization query 2022-04-13 16:48:43 +01:00
Harry Maclean
ae60d40511 Ruby: Fix typo in rb/insecure-dependency qhelp 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2022-04-01 15:35:53 +13:00
Alex Ford
882f78c6f9 Merge remote-tracking branch 'origin/main' into ruby/weak-cryptographic-algorithm 2022-03-31 17:17:46 +01:00
Tom Hvitved
40986bfcb1 Ruby: Fix broken import 2022-03-31 12:32:03 +02:00
Arthur Baars
15c54f6100 Merge pull request #8354 from aibaars/incomplete-url-string-sanitization 
Incomplete url string sanitization
 2022-03-31 10:59:51 +02:00
Harry Maclean
37cedda63a Ruby: Add InsecureDependencyResolution query 
This query looks for places in a Gemfile where URLs with insecure
protocols (HTTP or FTP) are specified.
 2022-03-30 13:39:15 +13:00
Arthur Baars
85c4daa2bf Address comments 2022-03-28 13:15:32 +02:00
Rasmus Lerchedahl Petersen
d39410aa2d python: backport review comment to Ruby 2022-03-28 07:35:14 +02:00
Arthur Baars
74aea81fe3 Ruby: refactor regex libraries 2022-03-24 11:37:02 +01:00
Arthur Baars
65f8f56095 Merge branch 'main' into incomplete-url-string-sanitization 2022-03-24 11:27:30 +01:00
Harry Maclean
91a7e9405c Share HttpToFileAccessQuery between JS and Ruby 
There's so little in this query that it may not be worth sharing, but
it's an interesting exercise in figuring out how we do it nicely.
 2022-03-22 11:10:08 +13:00
Harry Maclean
ff1d96c922 Ruby: Add rb/http-to-file-access query 2022-03-22 11:09:08 +13:00
Harry Maclean
6c18e1d7ac Merge pull request #8272 from hmac/hmac/tainted-format-string 2022-03-22 08:37:47 +13:00
Alex Ford
c891c53835 Merge pull request #8395 from alexrford/ruby/clear-text-storage 
Ruby: add `rb/clear-text-storage-sensitive-data` query
 2022-03-21 10:05:39 +00:00
Harry Maclean
10a411e5cc Ruby: Remove duplicate CWE reference 2022-03-21 12:51:47 +13:00
Harry Maclean
d79a6ddcb2 Ruby: Improve qhelp for rb/tainted-format-string 2022-03-21 12:51:47 +13:00
Harry Maclean
0cfe37dff4 Share TaintedFormatString between Ruby and JS 2022-03-21 12:51:46 +13:00
Harry Maclean
f6215d4c7e Ruby: Add rb/tainted-format-string query 2022-03-21 12:51:18 +13:00
Arthur Baars
bf888f0f0b Merge remote-tracking branch 'upstream/main' into incomplete-url-string-sanitization 
Conflicts:
	config/identical-files.json
	javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.ql
	javascript/ql/src/Security/CWE-020/IncompleteUrlSubstringSanitization.qll
	ruby/ql/src/queries/security/cwe-020/IncompleteUrlSubstringSanitization.qll
 2022-03-18 16:09:20 +01:00
Arthur Baars
4a27928728 Ruby/JS add missing ^ in qhelp 2022-03-18 14:00:10 +01:00
Arthur Baars
f2ec5132ba Apply suggestions from code review 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2022-03-16 14:46:34 +01:00
Arthur Baars
ab93b3784b Merge remote-tracking branch 'upstream/main' into incomplete-hostname 2022-03-16 12:31:12 +01:00
Alex Ford
94d5f3bb1f Ruby: Add rb/weak-cryptographic-algorithm query 2022-03-13 21:25:28 +00:00
Alex Ford
446141ada3 Ruby: qhelp for rb/weak-cryptographic-algorithm 2022-03-13 21:25:12 +00:00
Arthur Baars
cf4b834536 Address comments 2022-03-11 14:25:34 +01:00