hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-21 15:05:56 +02:00
Code Issues Packages Projects Releases Wiki Activity
1,424 Commits 1,738 Branches 165 Tags
e2db11b31f9a0ec802003b2e0460f35a85b937e3
Commit Graph

196 Commits

Author SHA1 Message Date
Tom Hvitved
e2db11b31f Performance improvements in XSS.qll 
Various performance improvements to make sure that we never join methods
and calls (or variables and accesses) on only name (or file), but always
perform a multi-join on both values.
 2021-10-13 11:53:49 +02:00
Alex Ford
ad5c1f9b32 ql format 2021-10-12 20:43:20 +01:00
Alex Ford
d7b5e4c779 update predicate visibility 2021-10-12 20:43:20 +01:00
Alex Ford
9083cda8df improve XSS::Shared::isFlowFromHelperMethod performance 2021-10-12 20:43:20 +01:00
Alex Ford
9afc1f9275 split out isAdditionalXSSFlowStep components 2021-10-12 20:43:20 +01:00
Arthur Baars
8531174d30 Merge pull request #333 from github/hvitved/api-graphs-non-linear-rec 
API graphs: Avoid non-linear recursion
 2021-10-12 20:24:07 +02:00
Arthur Baars
80ebfed226 Merge pull request #336 from github/improve-getTemplateFile 
Improve `RenderCall#getTemplateFile` performance and accuracy
 2021-10-12 20:21:12 +02:00
Arthur Baars
06e91c1182 Merge pull request #322 from github/request-without-validation 
rb/request-without-cert-validation
 2021-10-12 20:19:11 +02:00
Nick Rolfe
ceef9762a7 Fix comment typo 
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
 2021-10-12 17:45:34 +01:00
Arthur Baars
398ed4c0c9 Merge pull request #338 from github/aibaars/update-grammar 
Update tree-sitter-ruby
 2021-10-12 18:39:34 +02:00
Arthur Baars
8c9d3b88df Update dbscheme stats 2021-10-12 17:48:59 +02:00
Arthur Baars
e44064cda7 Add forward parameter/arguments to AST 2021-10-12 17:31:31 +02:00
Nick Rolfe
ecc9f07c50 Merge pull request #311 from github/nickrolfe/oj 
Consider Oj.load a sink for unsafe deserialization
 2021-10-12 16:17:08 +01:00
Alex Ford
e35ad020d5 ql format 2021-10-12 15:56:00 +01:00
Alex Ford
909cdacb1a remove cast to StringlikeLiteral 2021-10-12 15:27:26 +01:00
Alex Ford
44499cab51 replace an abstract predicate 2021-10-12 15:27:10 +01:00
Arthur Baars
2a7f3fbfaf Add upgrade script 2021-10-12 11:36:10 +02:00
Nick Rolfe
8e14b6582d Remove unused predicate 2021-10-11 18:15:41 +01:00
Alex Ford
7270fe0ee7 slightly limit viable template files from render calls 2021-10-11 17:12:08 +01:00
Alex Ford
cdfee1f27d better RenderCall#getTemplateFile performance and accuracy 2021-10-11 16:46:10 +01:00
Arthur Baars
fac4df203a Update tree-sitter-ruby 2021-10-11 12:53:16 +02:00
Tom Hvitved
98d1ee5178 API graphs: Avoid non-linear recursion 2021-10-11 12:01:33 +02:00
Nick Rolfe
f500e5b2d7 Use Expr::getValueText 2021-10-08 16:41:06 +01:00
Alex Ford
16ab4da812 Update ql/lib/codeql/ruby/security/XSS.qll 
Co-authored-by: Harry Maclean <hmac@github.com>
 2021-10-07 20:03:07 +01:00
Nick Rolfe
eafe22ef93 Merge remote-tracking branch 'origin/main' into nickrolfe/oj 2021-10-07 16:40:36 +01:00
Alex Ford
168e67dd6d deduplicate string constantQualifiedName(ConstantWriteAccess) as string ConstantWriteAccess#getQualifiedName 2021-10-07 15:30:36 +01:00
Alex Ford
5b38e06765 Rename ActiveRecordModelClass#methodMayAccessField() as ActiveRecordModelClass#getAPotentialFieldAccessMethod() 2021-10-07 15:30:36 +01:00
Alex Ford
3bdc680434 Drop a comment that is no longer relevant 2021-10-07 15:30:36 +01:00
Alex Ford
8262247ed7 Minor simplification of finderMethodName predicate 2021-10-07 15:30:36 +01:00
Alex Ford
eb8c48d10f Remove some unused predicates 2021-10-07 15:30:36 +01:00
Alex Ford
c9edbd98d5 Update ql/lib/codeql/ruby/frameworks/ActiveRecord.qll 
Co-authored-by: Harry Maclean <hmac@github.com>
 2021-10-07 15:30:36 +01:00
Alex Ford
e4fe1d5c13 check for superclass method definitions in ActiveRecordModelClass#methodMayAccessField 2021-10-07 15:30:36 +01:00
Alex Ford
fb5cfcc9b0 OrmTracking goes through or expressions 2021-10-07 15:30:36 +01:00
Alex Ford
955080234b partial support for rails layouts 2021-10-07 15:30:36 +01:00
Alex Ford
1929a95e89 format 2021-10-07 15:30:36 +01:00
Alex Ford
6065e29aba Fix performance issues related to a x-product between ActiveRecordModelInstantiation and MethodCall 2021-10-07 15:30:36 +01:00
Alex Ford
43a49689d7 reorganize ActiveRecord field access heuristics 2021-10-07 15:30:36 +01:00
Alex Ford
b2434950d3 abstract away some ActiveRecord specific parts of XSS.qll 2021-10-07 15:30:36 +01:00
Alex Ford
6dc3ce335b make rb/stored-xss track ActiveRecord db accesses 2021-10-07 15:30:36 +01:00
Alex Ford
f6dd6bb00c expand ActiveRecord modelling to cover how to access fields 2021-10-07 15:30:36 +01:00
Alex Ford
eb5f26ce06 duplicate DataFlow implementation 2021-10-07 15:30:36 +01:00
Alex Ford
a2084f813e rb/stored-xss structure and initial implementation (FileSystemReadAccess sources) 2021-10-07 15:30:36 +01:00
Tom Hvitved
1c08592637 Merge pull request #329 from github/hvitved/dataflow/synth-return 
Data flow: Add a synthetic return node
 2021-10-07 13:06:39 +02:00
Nick Rolfe
ffda527da9 Tidy up 2021-10-06 18:07:29 +01:00
Tom Hvitved
953821c443 Avoid potential tuple explosion in reverse type tracking 2021-10-06 15:21:43 +02:00
Tom Hvitved
fdf1cd38fd Data flow: Add a synthetic return node 2021-10-06 15:21:43 +02:00
Nick Rolfe
1ce458fa33 Add query to find HTTP requests that disable SSL validation 2021-10-06 14:06:09 +01:00
Harry Maclean
c50a6c180f Merge pull request #318 from github/hmac-open-query 
Add a query for uses of `Kernel.open` and `IO.read`
 2021-10-06 10:05:43 +01:00
Tom Hvitved
1d1215923c Merge pull request #323 from github/hvitved/get-value-text 
Introduce `Expr::getValueText`
 2021-10-05 14:26:25 +02:00
Harry Maclean
7bf818fdf5 Refactor KernelMethodCall modelling 
By extending `DataFlow::CallNode` instead of `MethodCall`, we get rid of
a lot of `.asExpr().getExpr()` calls.
 2021-10-05 12:26:59 +01:00