hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-03-05 15:16:47 +01:00
Code Issues Packages Projects Releases Wiki Activity
75,137 Commits 1,700 Branches 161 Tags
db4370d1491c709fd0ea2ea9f149f758fb718874
Commit Graph

2815 Commits

Author SHA1 Message Date
Tom Hvitved
dddba3228b Merge pull request #15867 from hvitved/dataflow/ap-limit 
Data flow: Add `ConfigSig::accessPathLimit`
 2024-03-12 14:57:51 +01:00
Tom Hvitved
4291290277 Ruby: Implement new data flow interface 2024-03-11 20:56:38 +01:00
Joe Farebrother
9c51514bd9 Merge pull request #15857 from joefarebrother/ruby-activerecord-from 
Ruby: Model second argument of `ActiveRecord` `from`
 2024-03-11 16:49:52 +00:00
Tom Hvitved
da66281fef Sync files 2024-03-11 13:02:04 +01:00
Tom Hvitved
7a39f077d9 Data flow: Add ConfigSig::accessPathLimit 2024-03-11 13:01:58 +01:00
Joe Farebrother
dbd33d1cf0 Model Argument[1] of ActiveRecord from 2024-03-08 14:04:01 +00:00
Tom Hvitved
85782ff1d4 Ruby: Exclude calls with arguments from OrmFieldAsSource 2024-03-07 17:34:01 +01:00
Harry Maclean
350dab4621 Merge pull request #15722 from hmac/mad-sinks 2024-03-06 08:18:19 +00:00
Joe Farebrother
dcc6f83d3b Merge pull request #15782 from joefarebrother/ruby-typhoeus 
Ruby: Model `Typhoeus::Request.new`
 2024-03-05 16:55:38 +00:00
Joe Farebrother
7027b7fe82 Apply review suggestions: Use getInstance and clarify predicate name/qldoc. Also fix changenote formatting. 2024-03-05 16:34:48 +00:00
Harry Maclean
91cb2a37fd Ruby: Model Process.exec 2024-03-05 10:19:22 +00:00
Harry Maclean
179aaa1342 Ruby: model Open4.popen4ext 2024-03-05 09:35:18 +00:00
Harry Maclean
87f3b43576 Ruby: remove deprecated private class 2024-03-05 08:28:16 +00:00
Joe Farebrother
31687afd5d Fix performance 2024-03-04 09:47:12 +00:00
Joe Farebrother
5a1c0f60e6 Fix qldoc typo 2024-03-01 15:12:16 +00:00
Joe Farebrother
65b30c1dff Add tests and qldoc 2024-03-01 14:46:55 +00:00
Joe Farebrother
a08b292099 Add models for Typhoeus::Request 2024-03-01 14:23:24 +00:00
Peter Stöckli
a693c6d9b4 Ruby: sinks for code injection via calls to method 2024-03-01 14:42:22 +01:00
Joe Farebrother
0b7b7ea1b8 Add test cases and improve controller model 2024-03-01 09:57:24 +00:00
Joe Farebrother
ef0a1d2873 Implement models for translation methods 2024-03-01 09:52:53 +00:00
Tom Hvitved
914a605a87 Ruby: Rework hidden synthetic data-flow nodes 2024-02-27 15:33:58 +01:00
Joe Farebrother
3ab6f222d0 Merge pull request #15718 from joefarebrother/ruby-arel-sqlliteral 
Ruby: Model Arel::Nodes::SqlLiteral.new
 2024-02-27 12:43:47 +00:00
Joe Farebrother
cb733dcf85 Simplify model defenition 2024-02-26 14:59:03 +00:00
Harry Maclean
f7b8e8af41 Ruby: Include request forgery sinks from MaD 2024-02-26 11:34:11 +00:00
Harry Maclean
8bed3fbed4 Ruby: Add basic model for Terrapin library 2024-02-26 11:32:41 +00:00
Harry Maclean
9d13a1ff51 Ruby: Add model for Process.spawn 2024-02-26 11:26:38 +00:00
Harry Maclean
d1847566b6 Ruby: Ql4QL fix 2024-02-26 11:26:38 +00:00
Harry Maclean
beef9965cc Ruby: Model Open4 library 
Also remove duplicate modeling of Process.spawn.
 2024-02-26 11:26:38 +00:00
Harry Maclean
a03c06802e Ruby: Add some more command injection sinks 2024-02-26 11:26:38 +00:00
Joe Farebrother
2257df5c6f Model Arel::Nodes::SqlLiteral.new 2024-02-26 10:09:33 +00:00
Tom Hvitved
2683e40038 Merge pull request #15708 from hvitved/share-ide-contextual 
Share `getFileBySourceArchiveName` implementation
 2024-02-23 19:56:33 +01:00
Harry Maclean
f5be407989 Ruby: deprecate old ProtectFromForgeryCall class 2024-02-23 12:02:26 +00:00
Harry Maclean
7b3f1a0982 Ruby: fix comment 2024-02-23 11:14:52 +00:00
Harry Maclean
3ee425cc47 Ruby: Identify ActionController::API 
`ActionController::API < ActionController::Base` is a base controller
class, so we should recognise it as such.
 2024-02-23 11:13:17 +00:00
Harry Maclean
1fbf177b54 Ruby: QLDoc fix 2024-02-23 11:13:16 +00:00
Harry Maclean
3499d169f9 Ruby: Add missing QLDoc 2024-02-23 11:13:16 +00:00
Harry Maclean
3c69ab10f2 Ruby: Restrict rb/csrf-protection-not-enabled 
This query only applies to codebases using Ruby on Rails < 5.2, or where
there is no call to `csrf_meta_tags` in the base ERb template.
 2024-02-23 11:13:15 +00:00
Harry Maclean
49d826f667 Ruby: Add a query for CSRF protection not enabled 
Specifically in Rails apps, we look for root ActionController classes
without a call to `protect_from_forgery`.
 2024-02-23 11:13:14 +00:00
Tom Hvitved
62b16c0fa3 Share getFileBySourceArchiveName implementation 2024-02-23 11:25:49 +01:00
Tom Hvitved
94113521d1 Merge pull request #15689 from hvitved/ruby/no-field-branch-limit-summarized-callable 
Ruby: No `fieldFlowBranchLimit` for `SummarizedCallable`s
 2024-02-23 10:47:22 +01:00
Harry Maclean
fbc689227d Merge pull request #15604 from p-/p--rails-more-request-sources 
Ruby: add additional sources on the request object of Rails
 2024-02-22 16:35:59 +00:00
Joe Farebrother
67e8f17c4c Merge pull request #15619 from joefarebrother/ruby-activerecord-connection 
Ruby: Add additional sql sinks for ActiveRecord connection methods
 2024-02-22 14:02:31 +00:00
Joe Farebrother
1f409b0456 Merge pull request #15671 from joefarebrother/ruby-activerecord-extra-args 
Ruby: Consider additional arguments to certain `ActiveRecord` methods as sql injection sinks.
 2024-02-22 14:01:56 +00:00
Joe Farebrother
92bdd637a3 Address reveiw comment - add create nd remove select_insert 2024-02-22 09:55:46 +00:00
Tom Hvitved
ebee35b385 Ruby: No fieldFlowBranchLimit for SummarizedCallables 2024-02-22 10:27:25 +01:00
Tom Hvitved
23869fc8e6 Ruby: Fix bug in allowParameterReturnInSelf 2024-02-22 09:43:52 +01:00
Joe Farebrother
10da4d14d9 Add addtional arguments as sinks to certain methods 2024-02-20 16:35:29 +00:00
Harry Maclean
a9abba5859 Merge pull request #15520 from hmac/hmac-erb-raw-output-directive 
Ruby: Recognise raw Erb output as XSS sink
 2024-02-15 08:05:16 +00:00
Joe Farebrother
37eb81097f Add additional sinks for connection methods 2024-02-14 22:42:03 +00:00
Peter Stöckli
2f7b946c9f Ruby: add sources on request object of Rails 2024-02-13 15:52:18 +01:00