Alex Ford
76864a82be
remove an incorrect test case
2021-09-15 20:50:46 +01:00
Alex Ford
3445a6a5e7
fix flow steps from controller instance var assignment to view read access
2021-09-15 20:50:46 +01:00
Alex Ford
b993723595
remove spurious ivar -> locals hash mapping (actionview/controller)
2021-09-15 20:50:46 +01:00
Alex Ford
3430a46440
fix some local variable mappings between view and controller
2021-09-15 20:50:46 +01:00
Alex Ford
d71dd3f6c7
rb/reflected-xss
2021-09-15 20:50:46 +01:00
Tom Hvitved
9e67382f06
Bump codeql submodule
2021-09-15 14:59:42 +02:00
Harry Maclean
8f36b0d7fe
Simplify guard in SQL injection tests
We don't (yet) properly sanitize taint in cases like this
foo = "A" unless foo == "B"
So for now, use a simpler guard in the SQL injection test.
We can resurrect the old, more idiomatic guard when we can support it.
2021-09-10 16:27:57 +01:00
Nick Rolfe
7666d856b7
Merge remote-tracking branch 'origin/main' into polynomial_redos
2021-09-07 17:35:07 +01:00
Harry Maclean
87253032e2
Add a query for URL redirect vulnerabilities
This query finds instances of CWE-601: Redirection to Untrusted Site.
The structure is copied from a query of the same name in the Python
library. We add customisations specific to `ActionController`.
2021-09-03 13:17:14 +01:00
Nick Rolfe
47e5a8fd09
Add test for polynomial ReDoS query
2021-09-02 17:57:56 +01:00
Nick Rolfe
cbe23661ed
Rename exponential ReDoS test directory
2021-09-02 17:57:56 +01:00
Erik Krogh Kristensen
632ad518f0
enable unicode parsing in the ruby ReDoS query
2021-08-02 07:13:41 +00:00
Nick Rolfe
d99b5510e5
Merge pull request #219 from github/regex
Add regexp parser and exponential ReDoS query
2021-06-30 17:23:29 +01:00
Alex Ford
31cbf818ab
fix rb/sql-injection FPs due to not accounting for overridden ActiveRecord methods
2021-06-29 13:54:15 +01:00
Nick Rolfe
ba7021086b
Merge remote-tracking branch 'origin/main' into regex
2021-06-25 15:00:26 +01:00
Nick Rolfe
bee94757dd
Add query test for ReDoS.ql, ported from JS
2021-06-25 12:51:35 +01:00
Alex Ford
9883a9b606
update SqlInjection tests
2021-06-24 18:12:26 +01:00
Alex Ford
d62f4f5bd4
Address review comments
2021-06-24 18:12:26 +01:00
Alex Ford
12e4c9ee90
update SqlInjection tests
2021-06-24 18:12:25 +01:00
Alex Ford
5386c776b3
Implement rb/sql-injection
2021-06-24 18:12:25 +01:00
Alex Ford
f74dff560b
Merge pull request #187 from github/hardcoded-credentials
Add rb/hardcoded-credentials query
2021-06-10 16:12:32 +01:00
Alex Ford
e26afe91b5
move rb/hardcoded-credential alert location to the source
2021-06-07 14:53:04 +01:00
Alex Ford
5d79a8cec0
account for keyword args in rb/hardcoded-credentials and simplify query
2021-06-07 14:49:49 +01:00
Alex Ford
8a3ffb6dca
add missing toString
2021-06-04 13:25:03 +01:00
Alex Ford
b2d36babc4
report rb/weak-file-permission alerts at source rather than sink and improve alert message
2021-06-04 13:10:18 +01:00
Alex Ford
fdd4f7f616
attempt to use typetracker in rb/hardcoded-credentials
2021-06-01 12:22:04 +01:00
Alex Ford
f1303e0ced
remove WIP files
2021-06-01 12:22:04 +01:00
Alex Ford
4fdd072603
WIP: HardcodedCredentials query
2021-06-01 12:22:04 +01:00
Alex Ford
2c8a4f833f
make rb/overly-permissive-file a proper path-problem
2021-04-29 19:11:39 +01:00
Alex Ford
0a6dc6f150
update WeakFilePermissions.expected
2021-04-28 16:31:07 +01:00
Alex Ford
e5862a942f
WIP rb/overly-permissive-file query
2021-04-27 21:22:17 +01:00