hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-12 02:24:00 +02:00
Code Issues Packages Projects Releases Wiki Activity
1,348 Commits 1,740 Branches 164 Tags
e419fc9599e951f88a5fde9ec95096ed5ca0a178
Commit Graph

327 Commits

Author SHA1 Message Date
Harry Maclean
e419fc9599 Make Code execution query more specific 
Only the first argument to eval, instance_eval, send, class_send and
module_send is interpreted as Ruby code.
 2021-10-05 10:28:34 +01:00
Harry Maclean
7f103b9450 Merge pull request #319 from github/hmac-activerecord-updates 
Add some more vulnerable ActiveRecord methods
 2021-09-30 12:09:09 +01:00
Harry Maclean
0ea228e86f Merge pull request #315 from github/hmac-outgoing-http 
Model more HTTP clients
 2021-09-29 14:26:56 +01:00
Harry Maclean
a9c00a05fe HTTP -> Http 
Change the capitalisation of HTTP to Http, to conform to the QL style
guide.

Leave the HTTP module in Concepts alone, so it remains consistent with
the Concepts in other language libraries.
 2021-09-29 13:50:05 +01:00
Harry Maclean
f5f79a81bc Update ActionController fixture 2021-09-29 12:51:26 +01:00
Harry Maclean
56919eee0b delete/destroy_all -> delete/destroy_by 
The ActiveRecord `delete_all` and `destroy_all` methods do not take a
condition argument - they act on the scope of their receiver.

The `delete_by` and `destroy_by` methods do take an argument which can
be raw SQL, and are therefore vulnerable to SQL injection.

For more info:

https://api.rubyonrails.org/v6.1.4/classes/ActiveRecord/Relation.html#method-i-delete_all
https://api.rubyonrails.org/v6.1.4/classes/ActiveRecord/Relation.html#method-i-delete_by
 2021-09-29 10:45:54 +01:00
Harry Maclean
6d7a04a222 Move Files test to its own folder 
This prevents it picking up fixtures from other tests.
 2021-09-28 10:06:53 +01:00
Harry Maclean
b34fcc65d1 Model the Typhoeus http client 2021-09-28 10:06:53 +01:00
Harry Maclean
b5dec5e8cf Model the OpenURI http client 2021-09-28 10:06:53 +01:00
Tom Hvitved
5219b1a8b9 Merge pull request #310 from github/hvitved/more-instanceof 
More uses of `instanceof` in the external/internal AST layer
 2021-09-27 16:11:04 +02:00
Harry Maclean
ca1fc44f21 Model the HTTPClient http client 2021-09-27 14:44:25 +01:00
Harry Maclean
3a4ddc4b4e Model the HTTParty http client 
We currently model direct calls like

    HTTParty.get("http://example.com")

but we don't yet handle calls on other classes that have included the
`HTTParty` module, like

    class MyClient
      include HTTParty
    end
    MyClient.get("http://example.com")
 2021-09-27 14:44:04 +01:00
Tom Hvitved
793368d670 More uses of instanceof in the external/internal AST layer 2021-09-24 15:55:15 +02:00
Harry Maclean
74982cb3aa Merge pull request #307 from github/hmac-outgoing-http-2 
Model some more HTTP clients
 2021-09-24 12:30:48 +01:00
Tom Hvitved
30d2df53c6 Include MethodCall.getAChild in {Unary,Binary}Operation.getAChild 2021-09-24 12:08:54 +02:00
Tom Hvitved
edfdfb1fa4 Make {Unary,Binary}Operation a sub class of MethodCall 2021-09-23 19:13:55 +02:00
Harry Maclean
88885a222e Model the RestClient HTTP client 2021-09-23 16:32:15 +01:00
Harry Maclean
4cf520c2df Model the Faraday HTTP client 2021-09-23 16:32:15 +01:00
Harry Maclean
ee51298633 Model the Excon HTTP client 2021-09-23 16:32:15 +01:00
Tom Hvitved
ca2ff9a863 Merge pull request #305 from github/hvitved/desugar/array-literals 
Desugar array literals to `::Array.[]`
 2021-09-23 17:30:34 +02:00
Harry Maclean
4f9518a9c6 Merge pull request #293 from github/hmac-code-injection 
Add query for Code Injection
 2021-09-23 13:50:48 +01:00
Tom Hvitved
f347505542 Merge pull request #277 from github/hvitved/flow-summaries 
Add support for flow summaries
 2021-09-23 14:31:52 +02:00
Harry Maclean
5826f2c279 Move Net::HTTP modelling into http_clients module 
This seems a more convenient place to keep all the HTTP client
modelling.
 2021-09-23 09:04:20 +01:00
Harry Maclean
3000587849 Add Net::HTTP request modelling 2021-09-23 09:04:01 +01:00
Alex Ford
b769aa67c2 test for IO.open as a way of creating an IO instance 2021-09-22 16:29:10 +01:00
Tom Hvitved
a37737d065 Replace string kind with boolean preservesValue 2021-09-22 09:28:55 +02:00
Tom Hvitved
888183f26d Desugar array literals to ::Array.[] 2021-09-21 21:27:29 +02:00
Alex Ford
70c2be8ca3 Files library tests 2021-09-21 19:08:03 +01:00
Tom Hvitved
cdc359527a Resolve semantic conflicts after rebase 2021-09-21 11:14:11 +02:00
Tom Hvitved
08dc6d79ef Add support for flow summaries 2021-09-21 11:04:53 +02:00
Harry Maclean
95e50cedad Add query for Code Injection 
This query finds cases where user input flows to an argument to `eval`
or `send`, which can execute arbitrary Ruby code.
 2021-09-20 11:35:45 +01:00
Harry Maclean
916b844557 Merge pull request #280 from github/hmac-cli-injection 
Add CLI Injection query
 2021-09-20 08:54:01 +01:00
Harry Maclean
739661eb10 Test that KernelMethodCall is specific enough 
Calls to `UnknownModule.system`, where `UnknownModule` is a module that
we know nothing about, should not be identified as instances of
`KernelMethodCall`.
 2021-09-17 17:02:17 +01:00
Harry Maclean
d046fb0591 Separate open3 pipeline methods 
These have a slightly different structure than the other open3 methods.
 2021-09-17 17:02:17 +01:00
Harry Maclean
cbc14ccda9 Make KernelSystemCall more specific 
Test that calls to`system` on modules other than `Kernel` are excluded,
such as in this example:

    module Foo
      def self.system(*args); end
    end

    # This is not a call to Kernel.system
    Foo.system("bar")
 2021-09-17 17:02:17 +01:00
Harry Maclean
fb23a2e3bf Add SubshellHeredocExecution 
This is a form of command execution:

    result = <<`EOF`
    echo foo bar #{baz}
    EOF
 2021-09-17 17:02:17 +01:00
Harry Maclean
799ef4e4c9 Add barrier guards for CLI injection 2021-09-17 17:02:17 +01:00
Harry Maclean
a8f0bce1d1 Add SystemCommandExecution concept 
A SystemCommandExecution is a method call or builtin that executes a
system command, either directly or via a subshell.
 2021-09-17 17:02:17 +01:00
Nick Rolfe
3c05101961 Merge pull request #290 from github/extract_gemfile 
Automatically extract Gemfiles
 2021-09-17 16:42:30 +01:00
Nick Rolfe
3d23575a38 Merge pull request #292 from github/regexp_slash_az 
Don't parse `\A` and `\Z` as `RegExpConstant`
 2021-09-17 16:42:13 +01:00
Tom Hvitved
9e67382f06 Bump codeql submodule 2021-09-15 14:59:42 +02:00
Nick Rolfe
ec13133317 Automatically extract .gemspec and Gemfile files 
They are just Ruby code, after all.
 2021-09-14 18:23:57 +01:00
Nick Rolfe
ebf23d00d1 Don't parse \A and \Z as RegExpConstant 
Fixes some FPs for the ReDoS queries.
 2021-09-14 16:49:35 +01:00
Harry Maclean
4763312e55 Merge ConditionBlock and BarrierGuard 2021-09-14 11:11:12 +01:00
Harry Maclean
6f32401e5c Add unless x != test to barrier guards 
This tests that the following call to `foo bar` is guarded:

    unless bar != "bar"
      foo bar
    end
 2021-09-13 11:58:17 +01:00
Harry Maclean
800e18349f Add != to StringConstCompare 
This means we treat != comparisons against strings as taint tracking guards:

    if foo != "A"
      foo         # still tainted
    else
      foo         # not tainted, because we know foo == "A"
    end
 2021-09-10 16:42:45 +01:00
Harry Maclean
b4c29425ea Make barrier guards more specific 
Following examples from the other libraries, this change introduces a
member predicate `checks(CfgNode expr, boolean branch)` to
`BarrierGuard`, which holds if the guard validates `expr` for a
particular value of `branch`, which represents the value of the
condition in the guard.

For example, in the following guard...

    if foo == "foo"
      do_something foo
    else
      do_something_else foo
    end

...the variable `foo` is validated when the condition `foo == "foo"` is
true.

We also introduce the concept that a guard "controls" a code block based
on the value of `branch`. In the example above, the "then" branch of the
if statement is controlled when `branch` is true. The else branch is
not controlled because `foo` can take (almost) any value in that branch.

Based on these concepts, we define a guarded node to be a read of a
validated variable in a controlled block.

In the above example, the `foo` in `do_something foo` is guarded, but
the `foo` in `do_something_else foo` is not.
 2021-09-09 11:04:52 +01:00
Alex Ford
86073776b7 Merge pull request #249 from github/erb-lib 
Add codeql_ruby.ast.Erb library
 2021-09-02 16:26:52 +01:00
Tom Hvitved
c176d344ab Merge pull request #274 from github/hvitved/cfg/may-raise 
CFG: Model calls that may raise an exception
 2021-09-01 17:42:13 +02:00
Tom Hvitved
ae70af01cd API graphs: Fix bug for resolvable modules 2021-09-01 16:57:52 +02:00