codeql

mirror of https://github.com/github/codeql.git synced 2025-12-19 10:23:15 +01:00

Author	SHA1	Message	Date
Harry Maclean	ce7675ef43	Ruby: Identify domain in Net::HTTP requests	2022-04-27 12:47:09 +12:00
Rasmus Wriedt Larsen	9254b2904e	Ruby: Adjust HttpClients test	2022-03-22 11:19:55 +01:00
Nick Rolfe	94ce578ea4	Ruby: implement getComponent(n) for simple and hash-key symbols	2022-03-16 11:43:46 +00:00
Tom Hvitved	1e1b2e284d	Ruby: Cleanup flow through `self`	2022-03-09 13:17:11 +01:00
Alex Ford	9196b64d6e	Merge pull request #8138 from github/ruby/file-write Ruby: Implement `FileSystemWriteAccess` concept	2022-02-21 10:13:27 +00:00
Harry Maclean	9a60c7e4ac	Ruby: Update filename in test fixture	2022-02-21 09:43:36 +13:00
Alex Ford	baabe66551	Ruby: update Files.ql tests for write accesses	2022-02-20 19:28:12 +00:00
Harry Maclean	459f949c24	Ruby: fix old import in ActiveSupport codeql.ruby.frameworks.StandardLibrary is deprecated	2022-02-17 20:44:04 +13:00
Harry Maclean	546bfcb8ea	Ruby: split tests to match stdlib changes	2022-02-17 20:44:04 +13:00
Harry Maclean	d966ca8466	Ruby: recognise additional form for OpenURI	2022-02-10 15:42:15 +13:00
Harry Maclean	f30222256f	Merge pull request #7061 from github/hmac/actiondispatch Ruby: Rails route resolution	2022-02-10 09:46:36 +13:00
Harry Maclean	3206384884	Merge pull request #7824 from github/hmac/constantize	2022-02-09 08:30:21 +13:00
Harry Maclean	ab7fd89653	Merge pull request #7663 from github/hmac/api-graph-subclass Ruby: Add basic subclassing support to API Graphs	2022-02-04 10:19:07 +13:00
Harry Maclean	c65ca8ff86	Model calls to `constantize` as code executions `constantize` is an ActiveSupport extension to `String` that attempts to look up a constant with a name matching the receiver.	2022-02-03 15:22:07 +13:00
Harry Maclean	80835a5a19	Ruby: Don't expose abstract class Make ActionDispatch::Route into a private class ActionDispatch::RouteImpl, defining a new class Route which exposes the necessary public API from RouteImpl. Also rename getHTTPMethod to getHttpMethod.	2022-02-03 10:41:30 +13:00
Harry Maclean	a8a7c156d0	via - update tests	2022-02-03 10:40:23 +13:00
Harry Maclean	47823b5a9a	Handle via: :all in Rails routes ActionDispatch modelling now understands that match "/foo", to: "foo#bar", via: :all is equivalent to match "/foo", to: "foo#bar", via: [:get, :post, :put, :patch, :delete]	2022-02-02 16:26:20 +13:00
Harry Maclean	3786fbfc7d	Ruby: Rewrite ActionDispatch::underscore This version is much shorter and hopefully performs a bit better.	2022-02-02 16:26:20 +13:00
Harry Maclean	fa28e55645	Add a test for ActionDispatch::underscore This shows how the predicate behaves, as well as a case where it goes wrong.	2022-02-02 16:26:20 +13:00
Harry Maclean	870c6d7412	Ruby: Rails route resolution Add `Route` classes which model Rails routing information, typically defined in a `routes.rb` file. We extract only the most basic information: HTTP method, path, controller and action. This is enough to determine whether a given controller method is a route handler, and what HTTP method it handles, which is useful for, among other things, the URL redirect query.	2022-02-02 16:26:19 +13:00
Harry Maclean	fb00a6c61b	Merge pull request #7666 from github/hmac/file-open-access Ruby: Add File.open as a FileSystemAccess	2022-02-02 07:32:16 +13:00
Harry Maclean	5e7a29a979	Ruby: Use API graph subclassing in Rails modelling Now that API graphs have basic subclassing support, we can simplify some of the ActiveRecord and ActionController code.	2022-01-25 16:40:14 +13:00
Harry Maclean	8e40899dfd	Merge pull request #7419 from github/hmac/const-get	2022-01-22 07:01:09 +13:00
Harry Maclean	5dcee6ba27	Ruby: Add File.open as a FileSystemAccess	2022-01-20 21:09:41 +13:00
Jeff Gran	47697f59c1	Ruby: Add classes for detecting user input from `graphql-ruby`	2022-01-18 09:13:58 -07:00
Harry Maclean	43ddc54f2b	Ruby: Add Module#const_get as a code execution Module#const_get takes a single string argument and interprets it as the name of a constant. It then looks up the constant and returns its value. Object.const_get("Math::PI") # => 3.141592653589793 By itself, this method is not as dangerous as e.g. eval, but if the value returned is a class that is then instantiated, this can allow an attacker to instantiate arbitrary Ruby classes. As a result, I think it's safe to say that any remote input flowing into this call is a potential vulnerability. A real-world example of this is https://github.com/advisories/GHSA-52p9-v744-mwjj.	2022-01-06 13:03:41 +13:00
Alex Ford	5fa6ecc5f1	Ruby: Model what is written to the log from stdlib `Logger` methods	2021-12-14 17:39:12 +00:00
Harry Maclean	e1d290d4c0	Ruby: Don't count private methods as Rails actions Private instance methods on ActionController classes aren't valid request handlers. Routing to them will raise an exception.	2021-12-13 15:36:55 +13:00
Nick Rolfe	d46564caa6	Ruby: treat ActionController#cookies as a remote flow source	2021-12-09 12:13:17 +00:00
Nick Rolfe	f6a8b9a7e5	Ruby: add cookies call to frameworks test	2021-12-09 12:07:04 +00:00
Alex Ford	6adfea2365	Merge pull request #7163 from github/ruby/file-reader-extend Ruby: Extend `FileSystemReadAccess` to include more potential sources of input from the filesystem	2021-12-05 23:32:43 +00:00
Harry Maclean	c297a68acf	Model more of the `RestClient` API We now handle this form: RestClient::Request.execute(url: "http://example.com")	2021-11-19 11:28:09 +00:00
Harry Maclean	38ff584307	Model more Faraday behaviour You can instantiate a Faraday connection by passing a URL as an keyword argument: conn = Faraday.new(url: "http://example.com")	2021-11-19 11:28:09 +00:00
Harry Maclean	b6ce37b241	Add getURL to HTTP::Client::Request This member predicate gets dataflow nodes which contribute to the URL of the request. Also consolidate the identical tests for each HTTP client.	2021-11-19 11:28:08 +00:00
Alex Ford	12a3251649	Ruby: extend FileSystemReadAccess and restructure some Files.qll classes	2021-11-17 23:01:18 +00:00
Arthur Baars	976daddd36	Move files to ruby subfolder	2021-10-15 11:47:28 +02:00

36 Commits