hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-05 15:16:47 +01:00
Code Issues Packages Projects Releases Wiki Activity
74,382 Commits 1,700 Branches 161 Tags
baec4adbb1fd8c0550091517f9eb59cb3d94de0a
Commit Graph

40 Commits

Author SHA1 Message Date
Tom Hvitved
978a816f11 Ruby: Track types in data flow 2025-01-06 13:26:10 +01:00
Asger F
f9c0ba3826 Ruby: use DeduplicatePathGraph in CodeInjection query 2024-12-11 11:48:15 +01:00
Tom Hvitved
f287216060 Update expected test output 2024-09-24 14:21:38 +02:00
Tom Hvitved
c92c96fa78 Data flow: Compute local big step relation per stage 2024-08-26 09:15:27 +02:00
Tom Hvitved
04de315e0e Ruby: Deprecate models-as-data CSV interface 2024-04-12 13:40:14 +02:00
Anders Schack-Mulligen
7cc8fd00aa Ruby: Update expected output (uninteresting). 2024-04-12 09:20:35 +02:00
Tom Hvitved
914a605a87 Ruby: Rework hidden synthetic data-flow nodes 2024-02-27 15:33:58 +01:00
Anders Schack-Mulligen
35a3aa0a09 Ruby: Add empty provenance column to expected files. 2024-02-09 11:32:08 +01:00
Tom Hvitved
e258324960 Ruby: Allow for implicit array reads at all sinks during taint tracking 2023-09-14 09:40:05 +02:00
Anders Schack-Mulligen
90f84bb516 Ruby: Update expected output. 2023-04-26 13:08:16 +02:00
Tom Hvitved
b816c79248 Ruby: Include all assignments in data flow paths 2023-03-24 10:09:30 +01:00
erik-krogh
25a6d496d9 Merge branch 'main' into HEAD 2023-03-13 17:33:06 +01:00
erik-krogh
31336b09c4 add summary for the Array method on Kernel 2023-03-01 12:53:13 +01:00
erik-krogh
36b33765a5 use allowImplicitRead instead of a taint-step from elements to the array 2023-02-28 16:09:52 +01:00
Harry Maclean
ae3d91b546 Ruby: First draft of rails callback flow 2023-02-21 19:26:36 +13:00
erik-krogh
c2e8206090 add more array taint steps that taint the entire array 2023-01-30 21:14:27 +01:00
erik-krogh
8fc3b268e8 add string concat as a sink for code-construction 2023-01-17 14:48:06 +01:00
erik-krogh
f98ff65b11 use eval() instead of send() in test 2023-01-05 20:04:04 +01:00
erik-krogh
378cc1aed2 add support for string-like-literals 2022-11-25 10:32:06 +01:00
erik-krogh
80c92dc3e6 add support for array pushes 2022-11-25 10:32:05 +01:00
erik-krogh
3461404bbb add basic support for arrays 2022-11-25 10:31:35 +01:00
erik-krogh
2033dd2dcc remove parameters named "code" as source 2022-11-25 10:25:31 +01:00
erik-krogh
e7c6571f52 remove the "send(..)" and similar from unsafe-code-construction 2022-11-25 10:25:31 +01:00
erik-krogh
f1668801d3 add a rb/unsafe-code-construction query 
rebase
 2022-11-25 10:25:30 +01:00
erik-krogh
5f6cb1684b move the code-injection tests into a subfolder 2022-11-24 17:23:25 +01:00
erik-krogh
e8dce25cc2 fix rb/code-injection 2022-10-25 14:44:23 +02:00
erik-krogh
3dd89bb7bf remove duplicate alerts due to multiple states reaching the same sink 2022-10-19 13:19:18 +02:00
erik-krogh
3e51f6fa8e use flow-states to remove FPs related to an attacker only controlling a substring in code-injection 2022-10-19 13:00:44 +02:00
erik-krogh
d77b31672d add failing test for safe-ish uses of Object.send 2022-10-19 11:27:08 +02:00
erik-krogh
cb33d5aeff add test for .send(..) in code-injection 2022-10-19 11:25:30 +02:00
Alex Ford
ee77404006 Ruby: Add ActiveJob::Serializers.deserialize as a code execution sink 2022-10-09 22:28:22 +01:00
Alex Ford
4a39e4aac0 Ruby: Add new test case for rb/code-injection 2022-10-09 22:26:29 +01:00
Alex Ford
c4baf0b8fa Ruby: add space for test case 2022-10-09 22:16:23 +01:00
erik-krogh
063c76b6d1 apply suggestions from review 2022-09-13 10:52:23 +02:00
erik-krogh
79a048968e make the alert messages of taint-tracking queries more consistent 2022-09-07 12:22:50 +02:00
erik-krogh
7e0bd5bde4 update expected output of tests 2022-08-22 21:41:47 +02:00
Asger Feldthaus
cbd044a768 Ruby: add a code injection test for flwo through Regexp.escape 2022-03-01 14:08:21 +01:00
Harry Maclean
43ddc54f2b Ruby: Add Module#const_get as a code execution 
Module#const_get takes a single string argument and interprets it as the
name of a constant. It then looks up the constant and returns its value.

    Object.const_get("Math::PI")
    # => 3.141592653589793

By itself, this method is not as dangerous as e.g. eval, but if the
value returned is a class that is then instantiated, this can allow an
attacker to instantiate arbitrary Ruby classes.

As a result, I think it's safe to say that any remote input flowing into
this call is a potential vulnerability. A real-world example of this is
https://github.com/advisories/GHSA-52p9-v744-mwjj.
 2022-01-06 13:03:41 +13:00
Tom Hvitved
400802c5ce Ruby: Add flow summaries for Array/Enumerable methods 2021-12-22 15:56:20 +01:00
Arthur Baars
976daddd36 Move files to ruby subfolder 2021-10-15 11:47:28 +02:00