Tom Hvitved
aae9a58ca3
Ruby: Remove ValuePairContent
2022-10-04 20:10:51 +02:00
Nick Rolfe
d69a658e06
Merge pull request #10673 from github/nickrolfe/no_abstract
...
Ruby: remove public abstract classes for Action{View,Controller}
2022-10-04 17:49:59 +01:00
Mathias Vorreiter Pedersen
4d697cd369
C++: Rephrase QLDoc.
2022-10-04 17:15:08 +01:00
Nick Rolfe
2e80926951
Ruby: fix a couple of references to deprecated names
2022-10-04 16:45:08 +01:00
Mathias Vorreiter Pedersen
32839021f8
C++: Fix join that might blow up in the future.
2022-10-04 16:43:02 +01:00
Nick Rolfe
445241fd95
Ruby: add missing qldoc comment
2022-10-04 16:31:54 +01:00
Nick Rolfe
2315a177fe
Ruby: add changenote for ActionView/Controller class renames
2022-10-04 16:22:11 +01:00
Nick Rolfe
227100d883
Ruby: make old class names available as deprecated aliases
2022-10-04 16:11:43 +01:00
Geoffrey White
6380cc82ce
Merge pull request #10681 from geoffw0/classorstruct
...
Swift: Use ClassOrStructDecl
2022-10-04 15:44:28 +01:00
Geoffrey White
0ed89fb11a
Swift: Use ClassOrStructDecl.
2022-10-04 15:10:41 +01:00
Geoffrey White
d4742d22a0
Swift: 'Data' should be a struct.
2022-10-04 15:10:41 +01:00
Geoffrey White
e196caa7bd
Merge pull request #10595 from MathiasVP/swift-class-or-struct
...
Swift: Add `ClassOrStructDecl` class
2022-10-04 14:56:53 +01:00
Tamas Vajk
ea0a04a74f
Kotlin: extract unary plus and minus operators
2022-10-04 15:18:35 +02:00
Tamas Vajk
2e72ec748f
Kotlin: add numeric unary operator test cases
2022-10-04 15:18:35 +02:00
Erik Krogh Kristensen
264d74f996
Merge pull request #10676 from erik-krogh/kernelOpenMsg
...
RB: add a link to the source in the alert-message for `rb/kernel-open`
2022-10-04 15:18:15 +02:00
Ian Lynagh
db673c0355
Merge pull request #10646 from tamasvajk/kotlin-java-kotlin-function-mapping
...
Kotlin: Simplify `kotlinFunctionToJavaEquivalent`
2022-10-04 13:46:22 +01:00
erik-krogh
dedbe66619
update expected output
2022-10-04 14:16:07 +02:00
Tamas Vajk
81fffce79b
Kotlin: Extract parameter modifiers (noinline, crossinline)
2022-10-04 14:02:06 +02:00
Erik Krogh Kristensen
5ba7c13ecd
fix alert-message by adding the link
...
Co-authored-by: Arthur Baars <aibaars@github.com >
2022-10-04 13:50:25 +02:00
erik-krogh
d370b2a51e
simplify the where clause of rb/kernel-open
2022-10-04 13:49:50 +02:00
erik-krogh
bf74481f65
add a link to the source in the alert-message for rb/kernel-open
2022-10-04 13:41:50 +02:00
Tamas Vajk
09051e76cf
Kotlin: extract isEnumConstant relation
2022-10-04 13:30:02 +02:00
Tamas Vajk
876bea653d
Kotlin: Add test case for missing enum constants
2022-10-04 13:29:15 +02:00
Tamas Vajk
d2861361d9
Kotlin: extract implInterface
2022-10-04 13:12:01 +02:00
Tamas Vajk
d50be83f57
Kotlin: add test to distinguish implements vs extends
2022-10-04 13:10:19 +02:00
Arthur Baars
88b5d4da16
Ruby: extend may have multiple arguments
2022-10-04 12:58:50 +02:00
Arthur Baars
ab3a62de3c
Update ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
2022-10-04 12:58:50 +02:00
Tom Hvitved
6e61ef10b8
Ruby: Add another dataflow copy
2022-10-04 12:58:50 +02:00
Tom Hvitved
9d7d6c29f9
Review comments
2022-10-04 12:58:50 +02:00
Tom Hvitved
77c47bc856
Ruby: Add another call graph test
2022-10-04 12:58:49 +02:00
Arthur Baars
44cc6f7350
Ruby: improve tracking of regular expressions
...
There are two flavours of `match?`. If the receiver of `match?` has type String
then the argument to `match?` is a regular expression. However, if the receiver of
`match?` has type Regexp then the argument is the text.
The role of receiver and argument flips depending on the type of the receiver, this
caused a lot of false positives when looking for string-like literals that are
used as a regular expression.
This commit attempts to improve things by trying to determine whether the type of the
receiver is known to be of type Regexp. In such cases we know that the argument
is unlikely to be regular expression.
2022-10-04 12:58:49 +02:00
Arthur Baars
0160c374e4
Ruby: add flow summaries for Object#dup and Kernel#tap
2022-10-04 12:58:49 +02:00
Arthur Baars
5d55daa491
Ruby: use resolveConstantReadAccess instead of trackModuleAccess for 'extend' calls
...
This avoids non-linear recursion at the cost of losing some results.
2022-10-04 12:58:49 +02:00
Arthur Baars
c2b98a4761
Ruby: add support for 'extend' method
2022-10-04 12:58:49 +02:00
Arthur Baars
09bc78eafc
Ruby: local dataflow step for || and &&
2022-10-04 12:58:49 +02:00
Arthur Baars
e95b5468d9
Ruby: use Dataflow for Pathname instead of TypeTracking
2022-10-04 12:58:49 +02:00
Arthur Baars
f9b952f04f
Ruby: Pathname use TypeTracker instead of local flow
2022-10-04 12:58:49 +02:00
Nick Rolfe
dd1b302fce
Ruby: revert making inActionViewContext private
2022-10-04 11:29:09 +01:00
Tony Torralba
9db65eae7f
Address review comments
2022-10-04 12:27:01 +02:00
Tony Torralba
b8fa9433be
Fix duplicated test
2022-10-04 12:27:01 +02:00
Tony Torralba
264d6db9d7
Rename AllowListGuard to AllowedPrefixGuard
2022-10-04 12:27:01 +02:00
Tony Torralba
90020b6aab
Make block lists work with substring matching too
...
A block list approach doesn't need to restrict itself to prefix matching
2022-10-04 12:27:01 +02:00
Tony Torralba
69d1895175
Update java/ql/lib/semmle/code/java/security/PathSanitizer.qll
2022-10-04 12:27:01 +02:00
Tony Torralba
6fcaae20e7
Add tests and fix bugs highlighted by them
2022-10-04 12:27:01 +02:00
Tony Torralba
f19eb783be
Generalize file/path taint steps
...
This is needed by PathSanitizer but also helps simplify ZipSlip.ql
2022-10-04 12:27:01 +02:00
Tony Torralba
4e29c39c78
Merge ZipSlip sanitization logic into PathSanitizer.qll
...
Apply code review suggestions regarding weak sanitizers
2022-10-04 12:27:01 +02:00
Tony Torralba
89d905cc03
Add change note
2022-10-04 12:27:01 +02:00
Tony Torralba
08c67fb174
Use PathInjectionSanitizer in relevant queries
2022-10-04 12:27:01 +02:00
Tony Torralba
dff878e531
Apply TaintedPath recent changes to TaintedPathLocal
2022-10-04 12:26:59 +02:00
Tony Torralba
5706e8b377
Improve PathSanitizer
...
Rename PathTraversalSanitizer to PathInjectionSanitizer
2022-10-04 12:26:17 +02:00
