hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-12 02:24:00 +02:00
Code Issues Packages Projects Releases Wiki Activity
1,348 Commits 1,740 Branches 164 Tags
e419fc9599e951f88a5fde9ec95096ed5ca0a178
Commit Graph

424 Commits

Author SHA1 Message Date
Harry Maclean
e419fc9599 Make Code execution query more specific 
Only the first argument to eval, instance_eval, send, class_send and
module_send is interpreted as Ruby code.
 2021-10-05 10:28:34 +01:00
Arthur Baars
2f462771bb Merge pull request #286 from github/aibaars/xxe 
XXE query
 2021-10-01 16:14:41 +02:00
Arthur Baars
c78d02d00d Fix module of Parser::Options 2021-10-01 11:18:03 +02:00
Arthur Baars
b06bb7a789 Improve test cases 
Set NONET (2048) by default.
 2021-10-01 11:16:56 +02:00
Harry Maclean
8c0c08e887 Identify more instance of code injection 
`class_eval` and `module_eval` both take a string as argument and
execute it as Ruby code.
 2021-09-30 14:19:24 +01:00
Harry Maclean
7f103b9450 Merge pull request #319 from github/hmac-activerecord-updates 
Add some more vulnerable ActiveRecord methods
 2021-09-30 12:09:09 +01:00
Arthur Baars
089f9d87d4 Address comments 2021-09-30 11:20:23 +02:00
Arthur Baars
2b077595ae Also track DTDLOAD and NONET 2021-09-30 11:20:23 +02:00
Arthur Baars
4268d9c565 XXE query 2021-09-30 11:20:17 +02:00
Harry Maclean
7191e1c007 Re-add delete_all and destroy_all methods 
These methods don't take any arguments in Rails versions > 3, but
there's no harm in checking for them anyway, and some people might be
using very old Rails versions.
 2021-09-30 09:39:58 +01:00
Harry Maclean
75bbc51e73 Make room for new test cases 
This just bumps the other code down a bit so that the .expected diff is
easier to read.
 2021-09-30 09:33:39 +01:00
Harry Maclean
0ea228e86f Merge pull request #315 from github/hmac-outgoing-http 
Model more HTTP clients
 2021-09-29 14:26:56 +01:00
Harry Maclean
a9c00a05fe HTTP -> Http 
Change the capitalisation of HTTP to Http, to conform to the QL style
guide.

Leave the HTTP module in Concepts alone, so it remains consistent with
the Concepts in other language libraries.
 2021-09-29 13:50:05 +01:00
Harry Maclean
f5f79a81bc Update ActionController fixture 2021-09-29 12:51:26 +01:00
Harry Maclean
615beeec80 Identify more vulnerable ActiveRecord methods 
This change identifies the following patterns:

- `Model.select(input)`
- `Model.reselect(input)`
- `Model.rewhere(input)`
- `Model.update_all(input)`
- `model.reload(lock: input)`
 2021-09-29 11:47:07 +01:00
Harry Maclean
270d13e4ac Identify more vulnerable ActiveRecord methods 
`find_by!`, `find_or_create_by`, `find_or_create_by!` and
`find_or_initialize_by` act similarly to `find_by`.
 2021-09-29 10:49:14 +01:00
Harry Maclean
56919eee0b delete/destroy_all -> delete/destroy_by 
The ActiveRecord `delete_all` and `destroy_all` methods do not take a
condition argument - they act on the scope of their receiver.

The `delete_by` and `destroy_by` methods do take an argument which can
be raw SQL, and are therefore vulnerable to SQL injection.

For more info:

https://api.rubyonrails.org/v6.1.4/classes/ActiveRecord/Relation.html#method-i-delete_all
https://api.rubyonrails.org/v6.1.4/classes/ActiveRecord/Relation.html#method-i-delete_by
 2021-09-29 10:45:54 +01:00
Harry Maclean
3a1b294c21 Identify more ActiveRecord calculate methods 
`average`, `count`, `maximum`, `minimum` and `sum` are all convenience
methods that call `calculate(:<method name>, ...)` under the hood.
Therefore they are vulnerable to SQL injection too.
 2021-09-29 10:11:38 +01:00
Harry Maclean
6d7a04a222 Move Files test to its own folder 
This prevents it picking up fixtures from other tests.
 2021-09-28 10:06:53 +01:00
Harry Maclean
b34fcc65d1 Model the Typhoeus http client 2021-09-28 10:06:53 +01:00
Harry Maclean
b5dec5e8cf Model the OpenURI http client 2021-09-28 10:06:53 +01:00
Tom Hvitved
5219b1a8b9 Merge pull request #310 from github/hvitved/more-instanceof 
More uses of `instanceof` in the external/internal AST layer
 2021-09-27 16:11:04 +02:00
Harry Maclean
ca1fc44f21 Model the HTTPClient http client 2021-09-27 14:44:25 +01:00
Harry Maclean
3a4ddc4b4e Model the HTTParty http client 
We currently model direct calls like

    HTTParty.get("http://example.com")

but we don't yet handle calls on other classes that have included the
`HTTParty` module, like

    class MyClient
      include HTTParty
    end
    MyClient.get("http://example.com")
 2021-09-27 14:44:04 +01:00
Tom Hvitved
793368d670 More uses of instanceof in the external/internal AST layer 2021-09-24 15:55:15 +02:00
Harry Maclean
74982cb3aa Merge pull request #307 from github/hmac-outgoing-http-2 
Model some more HTTP clients
 2021-09-24 12:30:48 +01:00
Tom Hvitved
30d2df53c6 Include MethodCall.getAChild in {Unary,Binary}Operation.getAChild 2021-09-24 12:08:54 +02:00
Tom Hvitved
edfdfb1fa4 Make {Unary,Binary}Operation a sub class of MethodCall 2021-09-23 19:13:55 +02:00
Harry Maclean
88885a222e Model the RestClient HTTP client 2021-09-23 16:32:15 +01:00
Harry Maclean
4cf520c2df Model the Faraday HTTP client 2021-09-23 16:32:15 +01:00
Harry Maclean
ee51298633 Model the Excon HTTP client 2021-09-23 16:32:15 +01:00
Tom Hvitved
ca2ff9a863 Merge pull request #305 from github/hvitved/desugar/array-literals 
Desugar array literals to `::Array.[]`
 2021-09-23 17:30:34 +02:00
Arthur Baars
40f0112e8a Merge pull request #297 from github/aibaars/alert-suppression 
Alert suppression and file classifier query
 2021-09-23 15:37:19 +02:00
Harry Maclean
4f9518a9c6 Merge pull request #293 from github/hmac-code-injection 
Add query for Code Injection
 2021-09-23 13:50:48 +01:00
Tom Hvitved
f347505542 Merge pull request #277 from github/hvitved/flow-summaries 
Add support for flow summaries
 2021-09-23 14:31:52 +02:00
Harry Maclean
5826f2c279 Move Net::HTTP modelling into http_clients module 
This seems a more convenient place to keep all the HTTP client
modelling.
 2021-09-23 09:04:20 +01:00
Harry Maclean
3000587849 Add Net::HTTP request modelling 2021-09-23 09:04:01 +01:00
Alex Ford
b769aa67c2 test for IO.open as a way of creating an IO instance 2021-09-22 16:29:10 +01:00
Tom Hvitved
a37737d065 Replace string kind with boolean preservesValue 2021-09-22 09:28:55 +02:00
Tom Hvitved
888183f26d Desugar array literals to ::Array.[] 2021-09-21 21:27:29 +02:00
Alex Ford
70c2be8ca3 Files library tests 2021-09-21 19:08:03 +01:00
Alex Ford
d1f2258d45 revamp weak file permissions query 2021-09-21 19:02:11 +01:00
Tom Hvitved
cdc359527a Resolve semantic conflicts after rebase 2021-09-21 11:14:11 +02:00
Tom Hvitved
08dc6d79ef Add support for flow summaries 2021-09-21 11:04:53 +02:00
Nick Rolfe
d27f8a6d24 Add empty subpaths section to expected test output 2021-09-20 15:56:58 +01:00
Nick Rolfe
6f7d4fef70 Merge pull request #287 from github/unsafe-deserialization 
rb/unsafe-deserialization query
 2021-09-20 14:23:30 +01:00
Harry Maclean
95e50cedad Add query for Code Injection 
This query finds cases where user input flows to an argument to `eval`
or `send`, which can execute arbitrary Ruby code.
 2021-09-20 11:35:45 +01:00
Harry Maclean
916b844557 Merge pull request #280 from github/hmac-cli-injection 
Add CLI Injection query
 2021-09-20 08:54:01 +01:00
Alex Ford
36289aa9d9 Merge pull request #255 from github/reflected-xss 
rb/reflected-xss query
 2021-09-17 18:32:48 +01:00
Harry Maclean
739661eb10 Test that KernelMethodCall is specific enough 
Calls to `UnknownModule.system`, where `UnknownModule` is a module that
we know nothing about, should not be identified as instances of
`KernelMethodCall`.
 2021-09-17 17:02:17 +01:00