hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-18 18:10:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
35,614 Commits 1,671 Branches 157 Tags
c20ee76826e10318f8f39c6fae901b743c2e8254
Commit Graph

1094 Commits

Author SHA1 Message Date
Nick Rolfe
ed00f2b0d2 Ruby: address some feedback on array flow summaries 2022-02-04 13:40:39 +00:00
Nick Rolfe
161d766ba9 Ruby: address review comments on array_flow.rb 2022-02-04 11:59:59 +00:00
Rasmus Wriedt Larsen
0bcfc4b657 Ruby: Update consistency-queries/qlpack.yml 
I'm not sure whether this means the consistency queries were run using
the 0.0.1 release of the `codeql/ruby-all` qlpack, but using `"*"` at
least ensures that it is always using the version from the CodeQL repo.
 2022-02-04 12:06:50 +01:00
Asger Feldthaus
0a0d9583b4 Ruby: rephase comment for MkDef 2022-02-04 11:37:54 +01:00
Asger Feldthaus
0189e8abb4 Ruby: autoformat 2022-02-04 11:32:31 +01:00
Asger Feldthaus
87c62db781 Ruby: disable test line not currently working 2022-02-04 11:20:42 +01:00
Asger Feldthaus
75b72361ce Ruby: add toString and locations to the new node types 2022-02-04 11:20:42 +01:00
Asger Feldthaus
7373a503f6 Ruby: Populate ArgumentPosition based on keyword arguments 2022-02-04 11:20:42 +01:00
Asger Feldthaus
5e350a0270 Ruby: Derive edge labels from {Argument,Parameter}Position 2022-02-04 11:20:42 +01:00
Asger Feldthaus
040e56623c Ruby: add getAValueReachingRhs 2022-02-04 11:20:42 +01:00
Asger Feldthaus
17dd5cd581 Ruby: remove a stray TODO 2022-02-04 11:20:42 +01:00
Asger Feldthaus
d2e381aa79 Ruby: more def-node tests 2022-02-04 11:20:41 +01:00
Asger Feldthaus
32e0f42969 Ruby: refactor Return(x) to Method(x).return 2022-02-04 11:20:39 +01:00
Asger Feldthaus
55b5f19b92 Ruby: Add def-nodes to API graphs 2022-02-04 11:06:35 +01:00
Asger Feldthaus
9c17a5ce99 Ruby: replace "instance" label with a call to new 2022-02-04 11:03:25 +01:00
Asger Feldthaus
5858732da1 Ruby: change useStep signature 2022-02-04 11:01:04 +01:00
Asger Feldthaus
e6fdd4d34a Ruby: Make hasLocalSource private/cached 2022-02-04 11:01:03 +01:00
Asger Feldthaus
9a496e647f Ruby: Drive-by fix type-tracking through params with default values 2022-02-04 11:01:03 +01:00
Harry Maclean
ab7fd89653 Merge pull request #7663 from github/hmac/api-graph-subclass 
Ruby: Add basic subclassing support to API Graphs
 2022-02-04 10:19:07 +13:00
Harry Maclean
e328c6222a Merge pull request #7797 from github/hmac/pin-rust 
Ruby: Pin Rust to 1.54
 2022-02-04 10:18:46 +13:00
Harry Maclean
912842623d Simplify cache key 2022-02-04 07:41:29 +13:00
Arthur Baars
6525035f0a Address comments 2022-02-03 13:47:03 +01:00
Tom Hvitved
6bb71f051b Merge pull request #7791 from hvitved/dataflow/inline-local-flow-star 
Data flow: Inline `local(Expr|Instruction)?(Flow|Taint)`
 2022-02-03 09:02:43 +01:00
Harry Maclean
c65ca8ff86 Model calls to constantize as code executions 
`constantize` is an ActiveSupport extension to `String` that attempts to
look up a constant with a name matching the receiver.
 2022-02-03 15:22:07 +13:00
Harry Maclean
704b58519f Ruby: Include subclasses in more API calls 
Change the behaviour of `API::getInstance()` and `API::getReturn()` to
include results on subclasses of the current API node.
 2022-02-03 11:35:59 +13:00
Harry Maclean
61cd05cfc5 Ruby: Ensure TRoute and TRouteBlock are private 2022-02-03 10:55:28 +13:00
Harry Maclean
80835a5a19 Ruby: Don't expose abstract class 
Make ActionDispatch::Route into a private class
ActionDispatch::RouteImpl, defining a new class Route which exposes the
necessary public API from RouteImpl.

Also rename getHTTPMethod to getHttpMethod.
 2022-02-03 10:41:30 +13:00
Harry Maclean
a8a7c156d0 via - update tests 2022-02-03 10:40:23 +13:00
Arthur Baars
a22868ba27 Merge branch 'main' into ruby-3.1 2022-02-02 19:00:03 +01:00
Arthur Baars
3b05cb621c Address comment 2022-02-02 14:11:45 +01:00
Arthur Baars
fdcef6225b Ruby: fix QL warnings 2022-02-02 13:29:09 +01:00
Tom Hvitved
712418e5f8 Merge pull request #7781 from hvitved/dataflow/summary-stack-bottom-less-nonlinear 
Data flow: Reduce non-linear recursion in `SummaryComponentStack::bottom`
 2022-02-02 10:35:53 +01:00
Harry Maclean
5adcdf1cf8 Ruby: Minor refactor 2022-02-02 17:32:11 +13:00
Harry Maclean
8f5380122a Ruby: Cache ActionDispatch IPA types 2022-02-02 17:31:47 +13:00
Harry Maclean
749dc092ae Ruby: Attempt to mitigate potential bad join 
By joining simultaneously on controller class and name.
 2022-02-02 17:03:46 +13:00
Harry Maclean
a38bc9fe89 Ruby Fix handling of via: in ActionDispatch 2022-02-02 17:03:27 +13:00
Harry Maclean
856c3d332c Minor cleanup to ActionDispatch modelling 
`x.isStringOrSymbol(result)` is slightly terser than
`result = x.getStringOrSymbol()`.
 2022-02-02 16:26:20 +13:00
Harry Maclean
47823b5a9a Handle via: :all in Rails routes 
ActionDispatch modelling now understands that

    match "/foo", to: "foo#bar", via: :all

is equivalent to

    match "/foo",
      to: "foo#bar",
      via: [:get, :post, :put, :patch, :delete]
 2022-02-02 16:26:20 +13:00
Harry Maclean
8bdc05ddaf getValueText -> getConstantValue 2022-02-02 16:26:20 +13:00
Harry Maclean
417287153b Ruby: QL style fixes 2022-02-02 16:26:20 +13:00
Harry Maclean
e975f92091 Ruby: remove unused predicate 2022-02-02 16:26:20 +13:00
Harry Maclean
3786fbfc7d Ruby: Rewrite ActionDispatch::underscore 
This version is much shorter and hopefully performs a bit better.
 2022-02-02 16:26:20 +13:00
Harry Maclean
eff2136f52 Ruby: remove unused predicate 2022-02-02 16:26:20 +13:00
Harry Maclean
dead7a8059 Ruby: Make most of ActionDispatch private 
Any classes/predicates not used externally or in tests are now private.
Also fix some typos.
 2022-02-02 16:26:20 +13:00
Harry Maclean
fa28e55645 Add a test for ActionDispatch::underscore 
This shows how the predicate behaves, as well as a case where it goes
wrong.
 2022-02-02 16:26:20 +13:00
Harry Maclean
9c67869875 Remove ActionDispatch::capitalize 
This predicate isn't used.
 2022-02-02 16:26:20 +13:00
Harry Maclean
ad71fdbb24 Add missing documentation to ActionDispatch::Route 2022-02-02 16:26:20 +13:00
Harry Maclean
1766916fc5 Ruby: Document ActionDispatch modelling 2022-02-02 16:26:20 +13:00
Harry Maclean
314683d5fb Ruby: Improve UrlRedirect query using Rails routes 
Handlers for non-GET requests aren't vulnerable to URL redirect attacks,
because browsers won't initiate non-GET requests when you click a link.

We can use Rails routing information, if present, to filter out any
handlers for non-GET requests.
 2022-02-02 16:26:20 +13:00
Harry Maclean
751d8a7f59 Ruby: Document getACapture 2022-02-02 16:26:20 +13:00