codeql

mirror of https://github.com/github/codeql.git synced 2026-04-17 13:04:02 +02:00

Author	SHA1	Message	Date
Nick Rolfe	eb2a487433	Ruby: update expected test output	2022-11-09 17:38:33 +00:00
Nick Rolfe	0d9aa0cdac	Ruby: fix clashing method names from merge conflict	2022-11-09 17:06:43 +00:00
Nick Rolfe	c8c53cb424	Merge remote-tracking branch 'origin/main' into nickrolfe/active_support_flow_summaries	2022-11-09 17:02:05 +00:00
Asger F	859dc7beb7	Merge pull request #11024 from asgerf/rb/data-flow-layer-capture2 Ruby: expand DataFlow API	2022-11-09 15:06:03 +01:00
Nick Rolfe	a9ff0bdbbf	Ruby: accept changed test output	2022-11-08 17:36:31 +00:00
Nick Rolfe	04575674db	Ruby: generalise summaries for ActiveSupport Hash extensions	2022-11-08 15:48:20 +00:00
Asger F	9be2512050	Ruby: rename one of the PostsController2 classes These had the same name and ended up being unified	2022-10-31 13:33:41 +01:00
Asger F	b4b34cc994	Ruby: port part of ActionController model	2022-10-31 13:33:41 +01:00
Harry Maclean	fd61a5253d	Ruby: Recognise try/try! as code executions	2022-10-31 11:53:22 +13:00
Harry Maclean	5e781f24b6	Ruby: Remove duplicate test This is already tested in hash-flow.	2022-10-28 11:31:55 +13:00
Harry Maclean	6e8446b6ae	Fix tests	2022-10-28 11:31:55 +13:00
Harry Maclean	71d703f2a5	Ruby: Add ActiveSupport extensions	2022-10-28 11:31:55 +13:00
Harry Maclean	0454642220	Ruby: Model deep_dup and presence	2022-10-28 11:31:55 +13:00
Harry Maclean	9f260853ac	Ruby: Model more ActiveSupport string extensions	2022-10-28 11:31:55 +13:00
Harry Maclean	b389d50943	Ruby: Identify safe_constantize	2022-10-28 11:31:54 +13:00
thiggy1342	244a3329e0	Merge branch 'main' into expand-ruby-ssrf-sinks-faraday-connection-new	2022-10-20 16:37:57 -04:00
thiggy1342	4c3e3e442a	Add Faraday::Connection.new as sink for SSRF query	2022-10-20 20:32:08 +00:00
erik-krogh	e47e20c5e7	remove use of HtmlSafeCall from tests	2022-10-18 10:43:24 +02:00
Harry Maclean	0e6322d673	Ruby: Restrict XSS header sinks Not all header writes are relevant to XSS. Restrict these to just content-type and access-control-allow-origin.	2022-10-17 09:34:44 +13:00
Harry Maclean	73ca595b56	Ruby: Model ActionDispatch::Response	2022-10-17 08:17:37 +13:00
Harry Maclean	7d23170fb2	Merge pull request #10602 from hmac/hmac/actiondispatch-request Ruby: Model ActionDispatch::Request	2022-10-14 22:17:20 +13:00
Harry Maclean	e6dc27a7b5	Add content_mime_type, fix env/filtered_env	2022-10-14 19:49:22 +13:00
Alex Ford	a65850e922	Merge pull request #10784 from alexrford/ruby/pathname-existence Ruby: model `Pathname#existence` extension from `ActiveSupport`	2022-10-13 11:38:22 +01:00
Harry Maclean	a3c14f7f46	Update test	2022-10-13 13:57:28 +13:00
Harry Maclean	ad464abde2	Ruby: Model more params accesses	2022-10-13 13:24:16 +13:00
Alex Ford	d3c8ce3f48	Ruby: ActiveSupport extends Pathname with an existence method that may return itself	2022-10-11 21:35:58 +01:00
Nick Rolfe	d61f0559a0	Ruby: add ActionMailer#params as a RemoteFlowSource	2022-10-10 10:23:48 +01:00
Nick Rolfe	a6674a5313	Ruby: fix uses of deprecated class name	2022-10-07 13:17:05 +01:00
Harry Maclean	75cb0efecb	Merge pull request #10538 from hmac/hmac/actioncontroller-parameters Ruby: Model flow through ActionController::Parameters	2022-10-07 22:21:40 +13:00
Asger F	8b7ec20573	Merge branch 'main' into rb/summarize-more	2022-10-05 09:43:52 +02:00
Arthur Baars	c1c16e44ee	Merge pull request #10559 from aibaars/cve-2019-3881 Ruby: some improvements	2022-10-04 21:24:14 +02:00
Nick Rolfe	227100d883	Ruby: make old class names available as deprecated aliases	2022-10-04 16:11:43 +01:00
Arthur Baars	e95b5468d9	Ruby: use Dataflow for Pathname instead of TypeTracking	2022-10-04 12:58:49 +02:00
Nick Rolfe	a738f1d5cf	Ruby: remove public abstract classes for Action{View,Controller}	2022-10-04 10:53:41 +01:00
Asger F	6e7aea85ef	Ruby: update benign test output API graph tests only report the shortest path, and a new shortest path has appeared, but the old path is still there, so this is not a regression.	2022-10-04 11:14:31 +02:00
Harry Maclean	42a97b26bb	Merge pull request #10316 from hmac/hmac/actionview Ruby: Model ActionView	2022-10-04 08:16:16 +13:00
Harry Maclean	a5998fbe4d	Ruby: Model ActionController::Parameters Add flow summaries for methods on ActionController::Parameters, which mostly propagate taint from receiver to return value.	2022-10-03 09:45:59 +13:00
Harry Maclean	4a39bc8f47	Merge pull request #10598 from hmac/hmac/actioncontroller-metal Ruby: Identify ActionController::Metal controllers	2022-09-30 13:07:03 +13:00
Harry Maclean	4217a50900	Treat ActiveRecord.create as a model instantiation	2022-09-29 09:24:42 +13:00
Harry Maclean	424f31a24a	Add test for AR Model.create instantiations These currently aren't recognised.	2022-09-29 09:24:42 +13:00
Harry Maclean	63309150e0	Make some space	2022-09-29 09:24:37 +13:00
Harry Maclean	e7d19e849f	Merge pull request #10090 from hmac/hmac/activestorage Ruby: Model Activestorage	2022-09-29 09:16:25 +13:00
Harry Maclean	28a23209a5	Ruby: Identify ActionController::Metal controllers Subclasses of `ActionController::Metal` are stripped-down controllers. We want to recognise them as ActionController controllers. There are some common ActionController methods that are not available in Metal, but these are not likely to be used anyway as they would throw an exception, so I don't think there's much harm in including them in the modelling.	2022-09-28 07:10:09 +13:00
Harry Maclean	49572a5218	Remove redundant import	2022-09-27 10:35:39 +13:00
Harry Maclean	3beed54e35	Ruby: Fix imports in test	2022-09-27 10:09:26 +13:00
Harry Maclean	dea5036912	Ruby: Update for Http concept changes	2022-09-27 10:03:17 +13:00
Harry Maclean	fa20a476a6	Add test code	2022-09-26 20:56:11 +13:00
Harry Maclean	9f234e9f5a	Ruby: Merge duplicate tests	2022-09-26 20:56:11 +13:00
Harry Maclean	1d693d336f	Ruby: Model javascript_include_tag and friends	2022-09-26 20:56:09 +13:00
Harry Maclean	35a05f6dea	Ruby: Add summaries for ActiveSupport::SafeBuffer	2022-09-26 20:55:05 +13:00

1 2 3

143 Commits