hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-11 18:14:01 +02:00
Code Issues Packages Projects Releases Wiki Activity
1,376 Commits 1,740 Branches 164 Tags
c9edbd98d5249ecb79011fa45f975e63076b692d
Commit Graph

714 Commits

Author SHA1 Message Date
Alex Ford
8e1b48e607 StoredXSS.qhelp 2021-10-07 15:30:36 +01:00
Alex Ford
182a926eeb rename some example files 2021-10-07 15:30:36 +01:00
Alex Ford
a2084f813e rb/stored-xss structure and initial implementation (FileSystemReadAccess sources) 2021-10-07 15:30:36 +01:00
Harry Maclean
7bf818fdf5 Refactor KernelMethodCall modelling 
By extending `DataFlow::CallNode` instead of `MethodCall`, we get rid of
a lot of `.asExpr().getExpr()` calls.
 2021-10-05 12:26:59 +01:00
Harry Maclean
232fb9ad5b Add cwe-073 tag to KernelOpen query 
CWE-073 is External Control of File Name or Path, which applies here.
 2021-10-05 11:13:58 +01:00
Harry Maclean
6f293c7a5e Add a query for uses of Kernel.open and IO.read 2021-10-05 11:13:58 +01:00
Arthur Baars
4268d9c565 XXE query 2021-09-30 11:20:17 +02:00
Arthur Baars
40f0112e8a Merge pull request #297 from github/aibaars/alert-suppression 
Alert suppression and file classifier query
 2021-09-23 15:37:19 +02:00
Harry Maclean
4f9518a9c6 Merge pull request #293 from github/hmac-code-injection 
Add query for Code Injection
 2021-09-23 13:50:48 +01:00
Tom Hvitved
f347505542 Merge pull request #277 from github/hvitved/flow-summaries 
Add support for flow summaries
 2021-09-23 14:31:52 +02:00
Alex Ford
d1f2258d45 revamp weak file permissions query 2021-09-21 19:02:11 +01:00
Tom Hvitved
08dc6d79ef Add support for flow summaries 2021-09-21 11:04:53 +02:00
Nick Rolfe
6f7d4fef70 Merge pull request #287 from github/unsafe-deserialization 
rb/unsafe-deserialization query
 2021-09-20 14:23:30 +01:00
Harry Maclean
95e50cedad Add query for Code Injection 
This query finds cases where user input flows to an argument to `eval`
or `send`, which can execute arbitrary Ruby code.
 2021-09-20 11:35:45 +01:00
Harry Maclean
916b844557 Merge pull request #280 from github/hmac-cli-injection 
Add CLI Injection query
 2021-09-20 08:54:01 +01:00
Harry Maclean
4ecc78effc Kernel#system -> Kernel.system 2021-09-17 17:02:17 +01:00
Harry Maclean
fe8fc0697b Add qhelp for CLI Injection query 2021-09-17 17:02:17 +01:00
Harry Maclean
4a0d7c528a Add top-level CLI injection query and tests 2021-09-17 17:02:17 +01:00
Alex Ford
98fd0e1c24 Update ql/src/queries/security/cwe-079/ReflectedXSS.qhelp 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2021-09-15 20:50:46 +01:00
Alex Ford
ed708c1903 Update ql/src/queries/security/cwe-079/ReflectedXSS.qhelp 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2021-09-15 20:50:46 +01:00
Alex Ford
eed87b3319 Apply suggestions from code review 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2021-09-15 20:50:46 +01:00
Alex Ford
dbb239b04e reorder and format rb/reflected-xss qhelp 2021-09-15 20:50:46 +01:00
Alex Ford
d71dd3f6c7 rb/reflected-xss 2021-09-15 20:50:46 +01:00
Arthur Baars
e03fe0fcd4 Add ClassifyFiles.ql 2021-09-14 16:30:34 +02:00
Arthur Baars
c2ec6407f5 Add AlertSuppression.ql 2021-09-14 11:53:53 +02:00
Nick Rolfe
6dbf6d7e82 Merge pull request #278 from github/aibaars/revert-hotfix 
Revert "Use hotfixed version of `codeql/suite-helpers` with workaround for bug in released CLI"
 2021-09-09 11:21:20 +01:00
Nick Rolfe
2ddca2c0db Document and test YAML.safe_load 2021-09-08 18:22:31 +01:00
Nick Rolfe
adceb0a2a1 Add query rb/unsafe-deserialization 2021-09-08 17:49:23 +01:00
Nick Rolfe
414362db8d Rename .qll to match our naming scheme for other dataflow queries. 2021-09-07 17:38:08 +01:00
Nick Rolfe
7666d856b7 Merge remote-tracking branch 'origin/main' into polynomial_redos 2021-09-07 17:35:07 +01:00
Nick Rolfe
4d5928ae5a Add @security-severity tag 2021-09-07 12:15:44 +01:00
Harry Maclean
87253032e2 Add a query for URL redirect vulnerabilities 
This query finds instances of CWE-601: Redirection to Untrusted Site.

The structure is copied from a query of the same name in the Python
library. We add customisations specific to `ActionController`.
 2021-09-03 13:17:14 +01:00
Nick Rolfe
d62b41bdf4 Add query for polynomial ReDoS 2021-09-02 17:57:56 +01:00
Arthur Baars
ab4cc753b0 Revert "Use hotfixed version of codeql/suite-helpers with workaround for bug in released CLI" 
This reverts commit 9d7b77496e.
 2021-09-02 16:01:51 +02:00
Harry Maclean
3490e328e1 codeql_ruby -> codeql.ruby 2021-08-31 15:43:02 +01:00
Harry Maclean
d3f683e573 Minor refactor of constantQualifiedName 2021-08-31 15:42:06 +01:00
Harry Maclean
34f02ee622 Fix constantQualifiedName 
Exclude partial results

Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
 2021-08-31 15:42:06 +01:00
Harry Maclean
91d56cd802 Use dataflow to find method call targets 
This includes both local and non-local methods, and is also simpler than
the previous definition.
 2021-08-31 15:42:06 +01:00
Harry Maclean
cd3192e8f1 Fix ordering for definitionOf 
Actually select the lexicographically least location, not the greatest.
 2021-08-31 15:42:06 +01:00
Harry Maclean
8901eba978 Include constants in jump-to-def query 
The previous version of this query inadvertently excluded constants
which weren't classes or modules. This version includes them, by
introducing a laxer version of `resolveScopeExpr` that doesn't require
the result to be a `TResolved`.
 2021-08-31 15:42:06 +01:00
Harry Maclean
155b385981 Simplify LocalVariable constraint in jump-to-def 2021-08-31 15:42:06 +01:00
Harry Maclean
e72f1399cb Include class variables in jump-to-def query 2021-08-31 15:42:06 +01:00
Harry Maclean
e84ebe2b94 Include instance variables in jump-to-def query 
By convention, instance variables are considered to be "defined" in the
`#initialize` method of their containing class. If an instance variable
is written to in `#initialize` and then read elsewhere in the program,
we will point from the read to the write. If it is not written to in
`#initialize` then we won't provide any jump-to-definition information
for it.
 2021-08-31 15:42:06 +01:00
Harry Maclean
a16cd8967b Ignore synthesised reads for jump-to-definition 
We synthesise variables for things like tuple patterns. For example,
this Ruby code:

    a, b = ...

becomes:

    __synth__0 = ...
    a = __synth__0[0]
    b = __synth__0[1]

The `__synth__` variables should be ignored when calculating
jump-to-definition information, since they don't appear in the original
source code.
 2021-08-31 15:42:05 +01:00
Harry Maclean
a814010665 Small refactor to constantQualifiedName 2021-08-31 15:42:05 +01:00
Harry Maclean
95e2b8a4a4 Simplify jump-to-def query 
The expected output format is a tuple (a, b, k) where `a` and `b` are any
`AstNode` subclass and `k` is a string indicating the kind of
definition (e.g. variable, method, ...).

By ensuring that every value in `DefLoc` is a subclass of `Expr` (itself
a subclass of `AstNode`) we can simplify the query by removing all the
use of `getLocation()`.
 2021-08-31 15:42:05 +01:00
Harry Maclean
19e135fb6f Remove redundant imports 2021-08-31 15:42:05 +01:00
Harry Maclean
2fbbabda2d First draft of a jump-to-definition query 
TODO: flesh out this message
 2021-08-31 15:42:05 +01:00
Dave Bartolomeo
42629b969f Move initial dbscheme 2021-08-26 19:43:06 -04:00
Dave Bartolomeo
2c1620f25e Move missed library file 2021-08-26 18:59:58 -04:00