hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-19 05:54:00 +02:00
Code Issues Packages Projects Releases Wiki Activity
86,758 Commits 1,740 Branches 165 Tags
f2292643a35362236f1e729bf7833839fb36bb56
Commit Graph

434 Commits

Author SHA1 Message Date
Owen Mansel-Chan
056aa342fe Change @security-severity for log injection queries from 7.8 to 6.1 2026-03-13 10:02:01 +00:00
Owen Mansel-Chan
f58a6e5d3a Change @security-severity for XSS queries from 6.1 to 7.8 2026-03-13 10:01:02 +00:00
Anders Schack-Mulligen
78e1879c9e Use more flowTo. 2025-12-03 14:12:08 +01:00
Felicity Chapman
caf6b950ac Remove trailing periods from @name metadata in query files 
Fixed 73 .ql query files where the @name metadata contained an ending period.
This ensures consistency with the CodeQL query metadata style guidelines.
 2025-11-26 14:29:51 +00:00
Owen Mansel-Chan
7d7af193dc Fix small mistake in Ruby query help 2025-11-19 14:36:26 +00:00
Napalys Klicius
d122534398 Merge pull request #20671 from github/napalys/adjust_query_severity 
Adjust query severity ratings
 2025-11-11 12:37:31 +01:00
Nora Dimitrijević
6ede0a7950 Ruby/WeakFilePermissions 2025-10-28 09:40:46 +01:00
Chris Smowton
2e0e9e0834 Merge pull request #20550 from github/smowton/admin/document-rails-5-csrf 
Ruby: Update CSRF protection notes in documentation
 2025-10-27 12:19:16 +00:00
Napalys Klicius
fa47174013 CWE-020: Lower security-severity for OverlyLargeRange queries to 4.0 2025-10-22 11:32:33 +00:00
Owen Mansel-Chan
2f22acdd06 Remove hashing example when not covered by query 2025-10-08 16:48:57 +01:00
Owen Mansel-Chan
0bcdb91639 Improve qhelp for broken crypto algo queries 
Previously it focussed too much on the risk of data being decrypted,
and didn't explain why using weak algorithms is a problem in other
contexts.
 2025-10-08 14:10:54 +01:00
Owen Mansel-Chan
2a1c9d8ec1 Remove erroneous comma 2025-10-08 14:08:36 +01:00
Owen Mansel-Chan
90db349f4b State that ruby broken crypto algo doesn't deal with hashing 2025-10-08 14:05:00 +01:00
Chris Smowton
ff4b97bf2d Reword 2025-09-30 13:08:03 +01:00
Chris Smowton
f1239352ce Note issue in related query 2025-09-29 18:43:59 +01:00
Chris Smowton
18c5cb10d9 Ruby: Update CSRF protection notes in documentation 
Autofix is confused about how the `protect_from_forgery` method works in Rails >= 5: GPT-5 says:

> In modern Rails versions (>=5, including 6 and 7 which this gem permits), ActionController::Base already enables CSRF protection by default with the `:exception` strategy; an explicit call to `protect_from_forgery` without options does not weaken security.

This is false: manual testing confirms that it actually does downgrade from `:exception` to `:null-session` behaviour when a manual call is made.

I can't find any authoritative source showing this gotcha, so I can see how the AI is confused and how humans might also struggle to verify the truth.
 2025-09-29 18:42:11 +01:00
Anders Schack-Mulligen
e2eb6dbbf2 Ruby: Fix query compilation. 2025-09-01 11:26:37 +02:00
Owen Mansel-Chan
2ed451c9e3 Reformat references 2025-06-26 15:20:07 +01:00
Owen Mansel-Chan
10bb88825e Add full stop at the end of each reference 2025-06-26 15:20:06 +01:00
Owen Mansel-Chan
9f0f40d6ce Add "Correct Usage" and "Incorrect Usage" headings 2025-06-26 14:40:49 +01:00
Owen Mansel-Chan
9521994adc Fix format of markdown query help files 2025-06-26 14:40:07 +01:00
Nora Dimitrijević
11bccdd753 Merge pull request #19798 from d10c/d10c/ruby/diff-informed-2 
Ruby: mass enable diff-informed data flow `none()` location overrides
 2025-06-19 14:14:39 +02:00
Nora Dimitrijević
6f7e0d6bc8 Ruby: mass enable diff-informed data flow none() location overrides 
An auto-generated patch that enables diff-informed data flow in the obvious cases.

Adds `getASelected{Source,Sink}Location() { none() }` override to queries that select a dataflow source or sink as a location, but not both.
 2025-06-17 15:48:11 +02:00
Michael Nebel
ddc429cfeb Ruby: Update quality related tags. 2025-06-17 13:16:20 +02:00
Michael Nebel
03ecd24469 Lower the precision of a range of harcoded password queries to remove them from query suites. 2025-05-19 09:26:45 +02:00
yoff
a50167812d ruby: adjust precision of rb/useless-assignment-to-local 
from `medium` to `high`
 2025-05-12 23:26:21 +02:00
Tamas Vajk
e9e6d68a6e Use code-quality-selectors in Ruby suite 2025-04-29 16:23:33 +02:00
Nick Rolfe
69bc12dd4f Fix spelling/wording in qhelp for rb/uninitialized-local-variable 2025-04-28 14:41:21 +01:00
yoff
b988be8ff6 ruby: improve help file 
This has improved autofixes
I hope it also helps humans
 2025-04-11 21:29:01 +02:00
yoff
6a76a40cf4 ruby: adjust change notes 2025-04-11 16:18:03 +02:00
yoff
2477233508 ruby: only report on method calls 
Interviewing a Ruby developer, I learned that
dealing with nil is common practice.
So alerts are mostly useful, if we can point to a place where this has gone wrong.
 2025-04-11 15:01:57 +02:00
yoff
b641d5f177 ruby: fix FP 2025-04-11 13:22:42 +02:00
yoff
4167e96058 ruby: more complete impleemntation of isInBooleanContext 
Co-authored-by: Tom Hvitved <hvitved@github.com>
 2025-04-11 11:00:22 +02:00
yoff
f675a143d6 ruby: remove redundant cases 
The CFG handles the negation
 2025-04-11 10:48:41 +02:00
yoff
8555e8c8c8 ruby: add change notes 2025-04-11 03:07:19 +02:00
yoff
53c88da91b ruby: refine query for uninitialised local variables 
- there are places where uninitialised reads are intentional
- there are also some places where they are impossible
 2025-04-11 03:07:19 +02:00
Tom Hvitved
35f9157e42 Ruby: Fix bad join in DeadStoreOfLocal.ql 2025-04-09 09:28:55 +02:00
yoff
6a8484f843 ruby: adjust precision of rb/useless-assignment-to-local to medium 2025-04-07 13:28:05 +02:00
yoff
385598d46d ruby: remove some FPs from rb/useless-assignment-to-local 2025-04-07 13:28:05 +02:00
yoff
e5fc1b0b00 ruby: add qhelp to rb/useless-assignment-to-local 2025-04-07 13:27:27 +02:00
yoff
921104306a ruby: clean up logic and add test 
use the CFG more than the AST
 2025-02-07 23:43:27 +01:00
yoff
9d810130e1 ruby: simplify and document 2025-02-07 16:33:28 +01:00
yoff
b3eaac0ab7 ruby: remove superflous logic 2025-02-07 14:03:57 +01:00
yoff
d7ffc3fc77 Ruby: remove test code filtering 2025-02-06 18:10:06 +01:00
yoff
74155a0214 ruby: start adding comments 
I apuse here, because the code may be simplified
 2025-02-06 18:09:38 +01:00
yoff
51a2d8c72f ruby: rename query 2025-02-06 17:07:12 +01:00
yoff
d9d0d3c18b ruby: add code block 2025-02-06 16:59:23 +01:00
yoff
8aa195d838 ruby: remove comment (we can create issues) 2025-02-06 16:59:08 +01:00
yoff
7af8fa75e6 Apply suggestions from code review 
Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
 2025-02-06 15:45:28 +01:00
Rasmus Lerchedahl Petersen
5feb401607 ruby: Add query for hoisting Rails ActiveRecord calls 
This does not take assicoations into account.
It uses ActiveRecordModelFinderCall to identify relevant calls.
This class has therefor been made public.
 2025-02-05 16:47:48 +01:00