hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-08 08:34:02 +02:00
Code Issues Packages Projects Releases Wiki Activity
1,210 Commits 1,731 Branches 164 Tags
ed708c1903edb96fa04e85646041350a82251ac6
Commit Graph

813 Commits

Author SHA1 Message Date
Alex Ford
ed708c1903 Update ql/src/queries/security/cwe-079/ReflectedXSS.qhelp 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2021-09-15 20:50:46 +01:00
Alex Ford
eed87b3319 Apply suggestions from code review 
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
 2021-09-15 20:50:46 +01:00
Alex Ford
205b141482 format 2021-09-15 20:50:46 +01:00
Alex Ford
76864a82be remove an incorrect test case 2021-09-15 20:50:46 +01:00
Alex Ford
3445a6a5e7 fix flow steps from controller instance var assignement to view read access 2021-09-15 20:50:46 +01:00
Alex Ford
b993723595 remove spurious ivar -> locals hash mapping (actionview/controller) 2021-09-15 20:50:46 +01:00
Alex Ford
3430a46440 fix some local variable mappings between view and controller 2021-09-15 20:50:46 +01:00
Alex Ford
b264a05288 Update ql/lib/codeql/ruby/security/ReflectedXSSCustomizations.qll 
Co-authored-by: Harry Maclean <hmac@github.com>
 2021-09-15 20:50:46 +01:00
Alex Ford
dbb239b04e reorder and format rb/reflected-xss qhelp 2021-09-15 20:50:46 +01:00
Alex Ford
d71dd3f6c7 rb/reflected-xss 2021-09-15 20:50:46 +01:00
Tom Hvitved
9e67382f06 Bump codeql submodule 2021-09-15 14:59:42 +02:00
Harry Maclean
12723f0f13 Merge pull request #288 from github/hmac-barrier-guard-checks 
Make barrier guards more specific
 2021-09-14 16:16:20 +01:00
Tom Hvitved
8ac3dc29e0 Speedup RegExp::multiples 
Use regexps to perform matching to avoid constructing sub strings.
 2021-09-14 13:58:24 +02:00
Harry Maclean
4763312e55 Merge ConditionBlock and BarrierGuard 2021-09-14 11:11:12 +01:00
Harry Maclean
6f32401e5c Add unless x != test to barrier guards 
This tests that the following call to `foo bar` is guarded:

    unless bar != "bar"
      foo bar
    end
 2021-09-13 11:58:17 +01:00
Harry Maclean
800e18349f Add != to StringConstCompare 
This means we treat != comparisons against strings as taint tracking guards:

    if foo != "A"
      foo         # still tainted
    else
      foo         # not tainted, because we know foo == "A"
    end
 2021-09-10 16:42:45 +01:00
Harry Maclean
8f36b0d7fe Simplify guard in SQL injection tests 
We don't (yet) properly sanitize taint in cases like this

    foo = "A" unless foo == "B"

So for now, use a simpler guard in the SQL injection test.
We can resurrect the old, more idiomatic guard when we can support it.
 2021-09-10 16:27:57 +01:00
Harry Maclean
56983565fe Update ReDoS length guard 
Changes to barrier guards in a previous commit mean we need to update
this guard to match.
 2021-09-10 16:21:17 +01:00
Nick Rolfe
6dbf6d7e82 Merge pull request #278 from github/aibaars/revert-hotfix 
Revert "Use hotfixed version of `codeql/suite-helpers` with workaround for bug in released CLI"
 2021-09-09 11:21:20 +01:00
Harry Maclean
b4c29425ea Make barrier guards more specific 
Following examples from the other libraries, this change introduces a
member predicate `checks(CfgNode expr, boolean branch)` to
`BarrierGuard`, which holds if the guard validates `expr` for a
particular value of `branch`, which represents the value of the
condition in the guard.

For example, in the following guard...

    if foo == "foo"
      do_something foo
    else
      do_something_else foo
    end

...the variable `foo` is validated when the condition `foo == "foo"` is
true.

We also introduce the concept that a guard "controls" a code block based
on the value of `branch`. In the example above, the "then" branch of the
if statement is controlled when `branch` is true. The else branch is
not controlled because `foo` can take (almost) any value in that branch.

Based on these concepts, we define a guarded node to be a read of a
validated variable in a controlled block.

In the above example, the `foo` in `do_something foo` is guarded, but
the `foo` in `do_something_else foo` is not.
 2021-09-09 11:04:52 +01:00
Nick Rolfe
414362db8d Rename .qll to match our naming scheme for other dataflow queries. 2021-09-07 17:38:08 +01:00
Nick Rolfe
7666d856b7 Merge remote-tracking branch 'origin/main' into polynomial_redos 2021-09-07 17:35:07 +01:00
Nick Rolfe
4d5928ae5a Add @security-severity tag 2021-09-07 12:15:44 +01:00
Nick Rolfe
8fbe5c0adf Merge pull request #261 from github/getPrimaryQlClasses 
Implement getPrimaryQlClasses
 2021-09-07 12:02:15 +01:00
Nick Rolfe
060060bc0b Merge remote-tracking branch 'origin/main' into getPrimaryQlClasses 2021-09-06 19:34:34 +01:00
Tom Hvitved
3594794875 Use instanceof base classes in range patterns 2021-09-06 16:15:52 +02:00
Tom Hvitved
9b3b9a731f Move instanceof check from charpred in CfgScope 2021-09-06 10:31:16 +02:00
Harry Maclean
87253032e2 Add a query for URL redirect vulnerabilities 
This query finds instances of CWE-601: Redirection to Untrusted Site.

The structure is copied from a query of the same name in the Python
library. We add customisations specific to `ActionController`.
 2021-09-03 13:17:14 +01:00
Nick Rolfe
47e5a8fd09 Add test for polynomial ReDoS query 2021-09-02 17:57:56 +01:00
Nick Rolfe
cbe23661ed Rename exponential ReDoS test directory 2021-09-02 17:57:56 +01:00
Nick Rolfe
d62b41bdf4 Add query for polynomial ReDoS 2021-09-02 17:57:56 +01:00
Alex Ford
86073776b7 Merge pull request #249 from github/erb-lib 
Add codeql_ruby.ast.Erb library
 2021-09-02 16:26:52 +01:00
Arthur Baars
ab4cc753b0 Revert "Use hotfixed version of codeql/suite-helpers with workaround for bug in released CLI" 
This reverts commit 9d7b77496e.
 2021-09-02 16:01:51 +02:00
Tom Hvitved
2d0febeb04 Fix typo in comment 2021-09-02 10:24:37 +02:00
Tom Hvitved
c176d344ab Merge pull request #274 from github/hvitved/cfg/may-raise 
CFG: Model calls that may raise an exception
 2021-09-01 17:42:13 +02:00
Tom Hvitved
6e23a9ae7a Merge pull request #275 from github/hvitved/api-graphs-fix 
API graphs: Fix bug for resolvable modules
 2021-09-01 17:10:27 +02:00
Tom Hvitved
03e91a22bc API graphs: Performance fixes 2021-09-01 16:57:56 +02:00
Tom Hvitved
ae70af01cd API graphs: Fix bug for resolvable modules 2021-09-01 16:57:52 +02:00
Tom Hvitved
031a73ff0f Add API graph test that exhibits a missing edge 2021-09-01 16:56:09 +02:00
Tom Hvitved
89e6c0e838 CFG: Model calls that may raise an exception 
In order to avoid dead `rescue`s, we assume that any call that happens in a
`rescue`/`ensure` context may raise an exception.
 2021-09-01 14:07:28 +02:00
Tom Hvitved
4eaa31d800 Add hasName predicates 2021-09-01 13:32:19 +02:00
Alex Ford
41e7ef11e6 add missing pragma back 2021-08-31 21:19:56 +01:00
Alex Ford
d47c8ee9a5 format 2021-08-31 21:04:43 +01:00
Tom Hvitved
2d08b0156a Merge pull request #271 from github/hvitved/cfg/shared 
Adopt shared CFG library
 2021-08-31 19:41:02 +02:00
Alex Ford
20b851a6e0 improve ErbExecutionDirective definition 2021-08-31 17:49:15 +01:00
Alex Ford
df9e0dfcb2 make strictlyBefore a member predicate on Location 2021-08-31 16:24:38 +01:00
Alex Ford
d84731bcc7 Add a library for working with the ERB AST 2021-08-31 16:24:38 +01:00
Harry Maclean
3490e328e1 codeql_ruby -> codeql.ruby 2021-08-31 15:43:02 +01:00
Harry Maclean
d3f683e573 Minor refactor of constantQualifiedName 2021-08-31 15:42:06 +01:00
Harry Maclean
34f02ee622 Fix constantQualifiedName 
Exclude partial results

Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
 2021-08-31 15:42:06 +01:00