hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-02-17 15:33:45 +01:00
Code Issues Packages Projects Releases Wiki Activity
64,070 Commits 1,692 Branches 160 Tags
dd092fd18f2778645896b5c2a557ccfbdd884601
Commit Graph

807 Commits

Author SHA1 Message Date
Harry Maclean
081c1201ed Ruby: Make csrf query more specific 
CSRF protection only needs to be explicitly enabled on Rails
applications < 5.2 _or_ those that don't include a `load_defaults` call
with a version >= 5.2.
 2024-02-23 11:13:17 +00:00
Harry Maclean
32b775fdc3 Ruby: reduce duplicate alerts for csrf query 
Only generate an alert on the top-most vulnerable Rails controller in
the controller tree.
 2024-02-23 11:13:17 +00:00
Harry Maclean
0597b2ed1b Ruby: recognise csrf_meta_tag 
csrf_meta_tag is an alias for csrf_meta_tags, retained for backwards
compatibility.
 2024-02-23 11:13:16 +00:00
Harry Maclean
3c69ab10f2 Ruby: Restrict rb/csrf-protection-not-enabled 
This query only applies to codebases using Ruby on Rails < 5.2, or where
there is no call to `csrf_meta_tags` in the base ERb template.
 2024-02-23 11:13:15 +00:00
Harry Maclean
581072721c Ruby: Add change note 2024-02-23 11:13:15 +00:00
Harry Maclean
6d6f8ba512 Ruby: Make CSRF query more sensitive 
Generate an alert for every controller class that doesn't have or
inherity a `protect_from_forgery` setting.
 2024-02-23 11:13:15 +00:00
Harry Maclean
49d826f667 Ruby: Add a query for CSRF protection not enabled 
Specifically in Rails apps, we look for root ActionController classes
without a call to `protect_from_forgery`.
 2024-02-23 11:13:14 +00:00
Harry Maclean
fbc689227d Merge pull request #15604 from p-/p--rails-more-request-sources 
Ruby: add additional sources on the request object of Rails
 2024-02-22 16:35:59 +00:00
github-actions[bot]
37f8fa3413 Post-release preparation for codeql-cli-2.16.3 2024-02-20 16:50:47 +00:00
github-actions[bot]
6d061fbc35 Release preparation for version 2.16.3 2024-02-20 14:26:23 +00:00
Peter Stöckli
2f7b946c9f Ruby: add sources on request object of Rails 2024-02-13 15:52:18 +01:00
Koen Vlaswinkel
e596862074 Merge pull request #15541 from github/koesie10/ruby-access-path-constructor-returnvalue 
Ruby: Remove `ReturnValue` as access path for constructors
 2024-02-08 16:25:34 +01:00
Dave Bartolomeo
92bd550c55 Merge pull request #15531 from github/post-release-prep/codeql-cli-2.16.2 
Post-release preparation for codeql-cli-2.16.2
 2024-02-08 05:58:17 -08:00
Koen Vlaswinkel
87eb1ab103 Ruby: Include ReturnValue and exclude self for constructors 2024-02-08 13:40:10 +01:00
Koen Vlaswinkel
8646bffaea Ruby: Remove ReturnValue as access path for constructors 2024-02-07 14:35:19 +01:00
github-actions[bot]
b5139078d0 Post-release preparation for codeql-cli-2.16.2 2024-02-06 19:22:35 +00:00
github-actions[bot]
c1b35fbf47 Release preparation for version 2.16.2 2024-02-05 17:58:57 +00:00
Koen Vlaswinkel
6a098120e3 Rename details to node 2024-02-05 16:33:29 +01:00
Koen Vlaswinkel
49dbad96f9 Switch from details string to DataFlow::Node 2024-02-05 16:33:01 +01:00
Koen Vlaswinkel
f83d2a7d55 Ruby: Avoid using toString where possible 2024-02-02 14:18:21 +01:00
Koen Vlaswinkel
ac1ebf27a7 Ruby: Rename suggestion predicates 2024-02-02 14:18:16 +01:00
Koen Vlaswinkel
8853acb4dd Ruby: Add query for access paths in model editor 2024-02-01 16:20:00 +01:00
Koen Vlaswinkel
ce4d8d6b51 Merge pull request #15490 from github/koesie10/ruby-model-constructor-on-new 
Ruby: Model constructors in endpoint query on new instead of initialize
 2024-02-01 09:31:49 +01:00
Harry Maclean
06334eee2e Merge pull request #14554 from maikypedia/maikypedia/insecure-randomness 
Ruby: Add Insecure Randomness Query
 2024-01-31 17:16:32 +00:00
Koen Vlaswinkel
d5f0a5ce72 Use predicate for isConstructor 2024-01-31 14:19:14 +01:00
Koen Vlaswinkel
c1aaf5a574 Ruby: Model constructors in endpoint query on new 2024-01-31 13:54:48 +01:00
Koen Vlaswinkel
817fd8c097 Ruby: Move TestFile to modeling Util module 
The TestFile class in the ModelEditor module is more accurate than the
existing RelevantFile class in the Util module, so this moves the
TestFile class to Util and redefines RelevantFile in terms of the
TestFile.
 2024-01-31 11:53:30 +01:00
Koen Vlaswinkel
b51379b533 Ruby: Only model relevant files for type models 2024-01-31 11:30:16 +01:00
Harry Maclean
a298a395e6 Merge pull request #15473 from github/koesie10/ruby-model-only-public-methods 
Ruby: Only generate models for public methods
 2024-01-31 09:27:27 +00:00
Arthur Baars
4591560692 Merge pull request #14544 from p-/p--oj-ox-unsafe-deser 
Ruby: additional unsafe deserialization sinks for ox and one for oj
 2024-01-30 19:28:32 +01:00
Peter Stöckli
fb075a9e88 Rename 2023-10-19-unsafe-deserialization-sinks.md to 2024-01-30-unsafe-deserialization-sinks.md 2024-01-30 17:31:33 +01:00
Sid Shankar
f557110d9b Merge pull request #15465 from sidshank/sidshank/rename-file-name-for-extracted-files-diagnostic 
JS/TS/Python/Ruby: Renames diagnostic query files and tests
 2024-01-30 10:19:00 -05:00
Koen Vlaswinkel
0442631c68 Ruby: Only generate models for public methods 2024-01-30 16:07:34 +01:00
Peter Stöckli
1947dee46a Merge branch 'main' into p--oj-ox-unsafe-deser 2024-01-30 15:33:39 +01:00
Koen Vlaswinkel
b32071999b Ruby: Correctly report supported status of summary and neutral models 2024-01-30 15:00:13 +01:00
Sid Shankar
b1d7a635f5 Renames diagnostic query files and tests 
This commit renames the files relating to the diagnostic query that produces information on the number of files extracted. The files have been renamed from "SuccessfullExtractedFiles.*" to "ExtractedFiles.*". All related tests and test files have been renamed too.

The `@tags` and `@id` attributes of the queries have been left untouched, consistent with the `@tags` and `@id` for similar queries in other languages.
 2024-01-29 20:19:20 +00:00
Maiky
c2c4d9e4d1 ` change to <code> 
Co-authored-by: intrigus-lgtm <60750685+intrigus-lgtm@users.noreply.github.com>
 2024-01-27 14:08:55 +01:00
github-actions[bot]
d0b74c00fe Post-release preparation for codeql-cli-2.16.1 2024-01-23 23:02:29 +00:00
github-actions[bot]
7ef611e6dc Release preparation for version 2.16.1 2024-01-23 19:45:16 +00:00
Sid Shankar
59098be8c4 Merge branch 'main' into change/adjust-extracted-files-diagnostics 2024-01-16 21:51:41 -05:00
github-actions[bot]
57df8b92df Post-release preparation for codeql-cli-2.16.0 2024-01-15 15:00:50 +00:00
Sid Shankar
b26fef816a Rb: Report any extracted file as successfully extracted 2024-01-08 22:21:30 +00:00
github-actions[bot]
a6c8cc9551 Release preparation for version 2.16.0 2024-01-08 13:11:26 +00:00
Harry Maclean
c96be39474 Merge pull request #15048 from hmac/hmac-model-editor-ruby-modules 
Ruby: Model editor improvements
 2024-01-03 12:53:43 +00:00
Harry Maclean
22830c7311 Ruby: Address review comments 2024-01-02 14:39:53 +00:00
Harry Maclean
4c6855ed93 Ruby: Address review comments 2024-01-02 13:51:12 +00:00
Aditya Sharad
b1803d0ac2 Merge rc/3.12 into main 2023-12-21 16:40:51 -08:00
github-actions[bot]
8f72b0e4f7 Post-release preparation for codeql-cli-2.15.5 2023-12-19 10:32:57 +00:00
github-actions[bot]
19af35b29a Release preparation for version 2.15.5 2023-12-18 21:22:44 +00:00
maikypedia
a3ae8bd2c0 Add change note 2023-12-18 12:28:35 +01:00