codeql

mirror of https://github.com/github/codeql.git synced 2026-01-06 19:20:25 +01:00

Author	SHA1	Message	Date
Tom Hvitved	a2912cd72b	Ruby: Use proper `PathGraph` module in inline flow tests Gets rid of ``` PathNode is incompatible with PathNode (the type of the edge relation). ``` warnings.	2023-09-04 20:27:34 +02:00
Jeroen Ketema	9d573e5544	Consolidate all `InlineFlowTest` libraries in the dataflow qlpack	2023-08-24 21:38:46 +02:00
Harry Maclean	222aa41bbf	Merge pull request #13938 from hmac/splat-flow-2 Ruby: More precise flow into splat parameters	2023-08-18 12:07:58 +01:00
Tom Hvitved	e96cbeb00a	Ruby: Adjust locations of synthesized nodes	2023-08-14 14:37:47 +02:00
Harry Maclean	6011d26823	Ruby: Restrict parameter nodes	2023-08-11 15:14:32 +01:00
Tom Hvitved	77fca277fe	Ruby: Improve desugaring of `for` loops	2023-08-10 13:22:01 +02:00
Harry Maclean	5fff9fa8da	More precise flow into splat parameters We now precisely track flow from positional arguments to splat parameters, provided that splat arguments are not used and there are no positional parameters after the splat parameter. For example, in this case: def f(x, y, z); end f(a, b, c, d) we get flow from `c` to `z[0]` and `d` to `z[1]`. We get false flow if there are positional parameters after the splat parameter. For example in this case: def g(x, y, z, w); end g(a, b, c, d) we get flow from `d` to `z[0]` instead of `w`. We also track flow in this case def f(a, b) sink b[0] end f(1, [taint, 2])	2023-08-10 12:02:47 +01:00
Harry Maclean	72356d1515	Ruby: track flow from args to positional params This models flow in the following case: def foo(x, y) sink x # 1 sink y # 2 end args = [source 1, source 2] foo(args) We do this by introducing a SynthSplatParameterNode which accepts content from the splat argument, if one is given at the callsite. From this node we add read steps to each positional parameter.	2023-08-09 15:01:40 +01:00
Alex Ford	f437a6f729	Merge branch 'main' into maikypedia/ldap-injection	2023-07-31 16:00:41 +01:00
Alex Ford	558238a9be	Ruby: update TaintStep test output	2023-07-31 16:00:27 +01:00
Alex Ford	082f26bcb1	Ruby: update TaintStep.ql output	2023-07-05 12:19:55 +01:00
Michael Nebel	0665f4f004	Ruby: Update TaintStep expected test output.	2023-07-03 14:36:06 +02:00
Jeroen Ketema	d82c3ce11a	Ruby: Rewrite `InlineFlowTest` as a parameterized module	2023-06-15 10:52:23 +02:00
Anders Schack-Mulligen	0c62901a67	Ruby: Fix tests.	2023-06-09 15:39:18 +02:00
Tom Hvitved	cee70883f0	Merge pull request #12964 from hvitved/ruby/remove-synth-returns Ruby: Remove canonical return nodes	2023-06-08 10:07:48 +02:00
Alex Ford	6fa9e13a2e	Ruby: update TaintStep output	2023-06-01 16:27:20 +01:00
Alex Ford	7d943c7621	Ruby: update test output	2023-06-01 13:50:32 +01:00
Alex Ford	baabd2d1fa	Merge pull request #12832 from maikypedia/maikypedia/pg-sqli Ruby: Add SQL Injection Sinks	2023-05-26 11:36:17 +01:00
Alex Ford	609319da20	ruby: update TaintStep.ql test output	2023-05-25 17:53:01 +01:00
Tom Hvitved	13ada1e6ad	Ruby: Remove canonical return nodes	2023-05-24 11:11:50 +02:00
Asger F	6d1a4451fb	Ruby: update a test expectation	2023-05-24 10:15:51 +02:00
Anders Schack-Mulligen	09d4fe21e8	Ruby: Update more expected output.	2023-04-26 13:37:07 +02:00
Tom Hvitved	b816c79248	Ruby: Include all assignments in data flow paths	2023-03-24 10:09:30 +01:00
Alex Ford	e84b08409c	Ruby: test fixes	2023-03-17 12:08:38 +00:00
Tom Hvitved	1d0b3d4112	Ruby: `Ssa::WriteDefinition::getWriteAccess` should return a CFG node	2023-03-16 11:28:24 +01:00
erik-krogh	1a27441cfb	drive-by: delete code-execution sinks from unsafe-deserialization, we risked duplicate alerts	2023-01-06 09:04:36 +01:00
Peter Stöckli	d2c8e70be1	Adjust expected file for TaintStep (due to changes to File.join)	2022-12-09 09:57:19 +01:00
Arthur Baars	d862972d5e	Ruby: Add use-use stress test	2022-12-07 15:28:51 +01:00
Arthur Baars	f11f2cb1a0	Ruby: Update tests	2022-12-07 15:28:50 +01:00
Asger F	22316ee4fe	Ruby: merge package/type columns	2022-11-23 11:17:42 +01:00
Tom Hvitved	32f60fd112	Ruby: Add more local flow tests for use-use flow	2022-11-15 11:45:31 +01:00
Tom Hvitved	e18442069b	Ruby: Fix SSA entry definitions for `self` in top-level	2022-11-10 15:08:17 +01:00
Asger F	859dc7beb7	Merge pull request #11024 from asgerf/rb/data-flow-layer-capture2 Ruby: expand DataFlow API	2022-11-09 15:06:03 +01:00
Asger F	43769ad464	Ruby: update test output	2022-11-08 19:20:57 +01:00
Asger F	0a8f39fe96	Ruby: recover some incomplete capture flow	2022-10-31 13:33:41 +01:00
Nick Rolfe	269c27757d	Ruby: include value-preserving flow in localTaintStep	2022-10-21 16:17:11 +01:00
Nick Rolfe	5319216c18	Ruby: add test of TaintTracking::localFlowStep	2022-10-21 16:04:04 +01:00
Arthur Baars	0160c374e4	Ruby: add flow summaries for Object#dup and Kernel#tap	2022-10-04 12:58:49 +02:00
Arthur Baars	09bc78eafc	Ruby: local dataflow step for \|\| and &&	2022-10-04 12:58:49 +02:00
Tom Hvitved	007ab2b7ce	Ruby: Do not expose AST layer through `ruby.qll`	2022-09-13 19:59:56 +02:00
Tom Hvitved	1e1b2e284d	Ruby: Cleanup flow through `self`	2022-03-09 13:17:11 +01:00
Arthur Baars	0cef887683	Ruby: address comments	2022-01-24 11:27:26 +01:00
Arthur Baars	e9a01f9e8f	Ruby: fix test case	2022-01-24 10:31:08 +01:00
Arthur Baars	fcec8a8388	Address comments	2022-01-24 10:31:08 +01:00
Arthur Baars	26a0167d6d	Ruby: add taint step test for hash patterns	2022-01-24 10:31:06 +01:00
Arthur Baars	49c452239e	Ruby: add taint steps from case value to variables in patterns	2022-01-24 10:10:22 +01:00
Tom Hvitved	8c18aaae74	Ruby: Prepare for data flow through arrays	2021-12-22 15:35:34 +01:00
Tom Hvitved	27f786b41e	Merge pull request #7442 from hvitved/ruby/dataflow/keyword-params Ruby: Data flow for keyword arguments/parameters	2021-12-22 15:23:22 +01:00
Arthur Baars	6c7114804e	Ruby: remove CaseExprChildMapping::getBranch	2021-12-20 19:21:36 +01:00
Tom Hvitved	1e27ddf7c7	Ruby: Data flow for keyword arguments/parameters	2021-12-17 15:42:29 +01:00

1 2

59 Commits