hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-01-25 04:12:58 +01:00
Code Issues Packages Projects Releases Wiki Activity
43,504 Commits 1,686 Branches 158 Tags
b545bbb477cbf7fb3d67d44ec65ae8bb69730313
Commit Graph

157 Commits

Author SHA1 Message Date
Rasmus Wriedt Larsen
a9e1e72196 Merge branch 'main' into shared-http-client-request 2022-09-06 10:52:27 +02:00
erik-krogh
7fd426e748 print a correct range for ranges that doesn't contain any alpha-numeric chars 2022-08-30 13:57:11 +02:00
Nick Rolfe
898689f550 Merge pull request #9896 from github/nickrolfe/hardcoded_code 
Ruby: port js/hardcoded-data-interpreted-as-code
 2022-08-26 13:49:25 +01:00
Nick Rolfe
95bf18fdc9 Ruby: make hex-escaped strings ("\xCD\xEF" etc.) sources of hardcoded data 2022-08-26 09:33:03 +01:00
Nick Rolfe
acf5b11139 Merge remote-tracking branch 'origin/main' into nickrolfe/hardcoded_code 2022-08-25 11:44:55 +01:00
erik-krogh
7e0bd5bde4 update expected output of tests 2022-08-22 21:41:47 +02:00
Rasmus Wriedt Larsen
10968bf115 Ruby: Fix alert-msg logic for RequestWithoutValidation.ql 
This really surprised me, but as shown on the results, it does actually
make a difference in the alert-message.
 2022-08-19 15:50:09 +02:00
Rasmus Wriedt Larsen
0ac3624342 Ruby: Implement new disablesCertificateValidation for all HTTP client models 
Sadly most alert text changed, but the two important changes are:

1. The request on RestClient.rb:19 now has an expanded alert text,
   highlighting where the origin of the value that disables certificate
   validation comes from. (in this case, it's trivial since it's the
   line right above)
2. We handle passing `false`/`OpenSSL::SSL::VERIFY_NONE` the same in the
   argument passing examples in Faraday.rb
 2022-08-19 15:46:22 +02:00
Rasmus Wriedt Larsen
1f028ac206 Ruby: Implement new disablesCertificateValidation for RestClient 2022-08-19 15:43:19 +02:00
Rasmus Wriedt Larsen
07d95918f2 Ruby: Add more RequestWithoutValidation.ql tests 
Added:
- one where the value is not directly used when disabling certificate
  validation.
- one with argument passing, Faraday, where it is only the passing of
  `OpenSSL::SSL::VERIFY_NONE` that is recognized.
 2022-08-19 15:42:50 +02:00
Rasmus Wriedt Larsen
47c9c5bddd Ruby: Update RequestWithoutValidation.ql to match Python version 
No library modeling currently has support for the new disablesCertificateValidation/2, so only the alert text has changed

(removed an import from Python so the queries would ACTUALLY match)
 2022-08-18 14:32:41 +02:00
Rasmus Wriedt Larsen
4a82025087 Ruby: Base HTTP::Client::Request on shared concept 
Fixing up deprecation errors in next commit
 2022-08-18 13:42:53 +02:00
Rasmus Wriedt Larsen
9d96b73b8b Ruby: Fixup test annotation 2022-08-18 13:42:49 +02:00
Harry Maclean
70ec70940a Merge pull request #8142 from github/hmac/incomplete-multi-char-sanitization 2022-08-18 10:02:39 +12:00
Alex Ford
d4d6657cb7 Merge pull request #10008 from alexrford/rb/log-injection 
Ruby: Add `rb/log-injection` query
 2022-08-17 15:01:22 +01:00
Harry Maclean
f1a546c4d6 Rename IncompleteMultiCharacterSanitization[Query] 2022-08-17 16:03:49 +12:00
Harry Maclean
f2384a6a8f Ruby: Share more code with JS 2022-08-17 16:03:49 +12:00
Harry Maclean
025e34d8e1 Ruby: Simplify imports 2022-08-17 16:03:48 +12:00
Harry Maclean
b7d9bf4066 Share IncompleteMultiCharacterSanitization JS/Ruby 
Most of the classes and predicates in this query can be shared between
the two languages. There's just a few language-specific things that we
place in IncompleteMultiCharacterSanitizationSpecific.
 2022-08-17 16:03:46 +12:00
Harry Maclean
c234bd94d1 Ruby: IncompleteMultiCharacterSanitization Query 
This query is similar to IncompleteSanitization but for multi-character
sequences.
 2022-08-17 16:02:48 +12:00
Erik Krogh Kristensen
f106e064fa Merge pull request #9422 from erik-krogh/refacReDoS 
Refactorizations of the ReDoS libraries
 2022-08-16 09:32:08 +02:00
Erik Krogh Kristensen
0adb588fe8 Merge pull request #9712 from erik-krogh/badRange 
JS/RB/PY/Java: add suspicious range query
 2022-08-15 13:55:44 +02:00
Alex Ford
44c4b9ba5c Ruby: add rb/log-injection test cases 2022-08-10 16:17:37 +01:00
Erik Krogh Kristensen
49276b1f38 Merge branch 'main' into refacReDoS 2022-08-09 16:18:46 +02:00
Nick Rolfe
6356b20928 Ruby: port js/hardcoded-data-interpreted-as-code 2022-07-26 16:05:22 +01:00
Erik Krogh Kristensen
ff25451699 rename query to overly-large-range, and rewrite the @description 2022-07-12 16:02:46 +02:00
thiggy1342
b4869158f2 expand query tests for cwe-089 2022-07-07 19:23:57 +00:00
thiggy1342
2f1cfa816f Add annotate arguments as sqli sink 2022-07-07 19:23:06 +00:00
Erik Krogh Kristensen
2e295e4a04 filter out potential misparses from rb/suspicious-regexp-range 2022-06-29 13:16:28 +02:00
Erik Krogh Kristensen
a343ceaf8b add suspicious-regexp-range query 2022-06-28 09:49:27 +02:00
Harry Maclean
101111bd2f Merge pull request #9574 from hmac/hmac/action-cable-logger 
Ruby: More Rails modeling
 2022-06-27 19:56:54 +12:00
Erik Krogh Kristensen
7fb3d81d2f add further normalization of char classses 2022-06-23 14:36:25 +02:00
thiggy1342
c5bf1b8aab update test expectation 2022-06-20 17:27:33 +00:00
thiggy1342
7932d3e4ab Update ruby/ql/test/query-tests/security/decompression-api/DecompressionApi.expected 
Co-authored-by: Arthur Baars <aibaars@github.com>
 2022-06-20 11:05:56 -04:00
thiggy1342
b4c893d857 Update ruby/ql/test/query-tests/security/decompression-api/decompression_api.rb 
Co-authored-by: Arthur Baars <aibaars@github.com>
 2022-06-20 09:50:12 -04:00
Harry Maclean
7dfab371f6 Ruby: Model redirect_back and redirect_back_or_to 
These are ActionController methods that redirect to the HTTP Referer,
falling back to the given location if there is no Referer.
 2022-06-20 13:36:02 +12:00
thiggy1342
7c2b19baad tweaks and add Zip::File.open_buffer to query 2022-06-17 02:43:54 +00:00
thiggy1342
01cb408393 Merge branch 'main' into experimental-decompression-api 2022-06-16 17:23:55 -04:00
thiggy1342
b078430faf add Zip::File.new query to tests 2022-06-16 00:51:50 +00:00
thiggy1342
0281dbd532 remove Zip::Entry.extract from query 2022-06-16 00:04:31 +00:00
thiggy1342
0fce620536 Merge branch 'main' into experimental-decompression-api 2022-06-14 21:54:08 -04:00
thiggy1342
df226ee610 remove standalone archive api query 2022-06-15 01:39:47 +00:00
thiggy1342
0832e299f2 move archive api path traversal tests to cwe-022 2022-06-15 01:39:47 +00:00
thiggy1342
af6fbd439c Merge branch 'main' into experimental-archive-api 2022-06-14 20:09:02 -04:00
Alex Ford
8d195e3188 Merge pull request #9157 from alexrford/crypto-op-block-mode 
Ruby/Python: Add a `BlockMode` concept for `CryptographicOperations`
 2022-06-13 21:32:36 +02:00
thiggy1342
c7e67eb2e2 expand test coverage for sanitizers 2022-06-10 21:30:41 +00:00
thiggy1342
62291124ff remove constraint for Zip::File.open 2022-06-06 21:20:44 +00:00
thiggy1342
3c62271dba fix casing of Api 2022-06-06 21:18:08 +00:00
thiggy1342
074583eab8 add archive api file open query and test 2022-06-06 21:09:57 +00:00
thiggy1342
c5db11ee2e use select placeholder correctly 2022-06-06 14:01:02 +00:00