yoff
921104306a
ruby: clean up logic and add test
...
use the CFG more than the AST
2025-02-07 23:43:27 +01:00
yoff
9d810130e1
ruby: simplify and document
2025-02-07 16:33:28 +01:00
yoff
b3eaac0ab7
ruby: remove superfluous logic
2025-02-07 14:03:57 +01:00
yoff
d7ffc3fc77
Ruby: remove test code filtering
2025-02-06 18:10:06 +01:00
yoff
74155a0214
ruby: start adding comments
...
I pause here, because the code may be simplified
2025-02-06 18:09:38 +01:00
yoff
51a2d8c72f
ruby: rename query
2025-02-06 17:07:12 +01:00
yoff
d9d0d3c18b
ruby: add code block
2025-02-06 16:59:23 +01:00
yoff
8aa195d838
ruby: remove comment (we can create issues)
2025-02-06 16:59:08 +01:00
yoff
7af8fa75e6
Apply suggestions from code review
...
Co-authored-by: Aditya Sharad <6874315+adityasharad@users.noreply.github.com>
2025-02-06 15:45:28 +01:00
Rasmus Lerchedahl Petersen
5feb401607
ruby: Add query for hoisting Rails ActiveRecord calls
...
This does not take associations into account.
It uses ActiveRecordModelFinderCall to identify relevant calls.
This class has therefore been made public.
2025-02-05 16:47:48 +01:00
Asger F
fcb8cac930
Ruby: resolve inserted TODOs
2025-01-23 11:48:46 +01:00
Asger F
1c136e3cd0
Ruby: rerun patch query after bugfix
2025-01-23 10:33:58 +01:00
Asger F
4dc632f742
Ruby: mass enable diff-informed data flow
2025-01-17 13:21:52 +01:00
Asger F
f9c0ba3826
Ruby: use DeduplicatePathGraph in CodeInjection query
2024-12-11 11:48:15 +01:00
Geoffrey White
86cc2dc5a1
Ruby: Add rb/diagnostics/extraction-warnings so that we don't miss anything we had before.
2024-10-03 17:40:17 +01:00
Geoffrey White
1ea94faccf
Ruby: Make similar changes to differentiate extraction errors and warnings, and mostly restore original behaviour.
2024-10-03 17:39:56 +01:00
Joe Farebrother
d08713f66c
Merge branch 'main' into patch-7
2024-08-12 15:12:33 +01:00
Jonathan Leitschuh
1728e5dfd5
Align Ruby NonConstantKernelOpen.ql Severity
...
Align severity with other command injection vulnerabilities:
- 4a448f445e/cpp/ql/src/Security/CWE/CWE-078/ExecTainted.ql (L8)
- 4a448f445e/go/ql/src/Security/CWE-078/CommandInjection.ql (L7)
- 4a448f445e/swift/ql/src/queries/Security/CWE-078/CommandInjection.ql (L7)
- 4a448f445e/javascript/ql/src/Security/CWE-078/CommandInjection.ql (L7)
2024-06-21 10:27:47 -04:00
Alex Ford
f017821062
Ruby: rb/weak-sensitive-data-hashing qhelp
2024-06-17 15:29:53 +01:00
Alex Ford
d4203d9286
Ruby: minimal port of py/weak-sensitive-data-hashing
2024-06-17 15:27:00 +01:00
Harry Maclean
c00d0d302d
Ruby: fix wording in rb/request-without-cert-validation
2024-05-01 17:25:58 +01:00
Erik Krogh Kristensen
7e839792da
Merge pull request #16330 from erik-krogh/del-deps-apr-2024
...
All: delete outdated deprecations
2024-04-30 10:43:39 +02:00
Harry Maclean
8b23f6db10
Ruby: Add URI.open example to rb/kernel-open qhelp
2024-04-27 09:53:54 +01:00
erik-krogh
baa31e1469
delete outdated deprecations
2024-04-25 22:19:28 +02:00
Joe Farebrother
5cebcadc56
Merge pull request #15987 from joefarebrother/ruby-mass-reassignment
...
Ruby: Add query for insecure mass assignment
2024-04-12 10:18:41 +01:00
Erik Krogh Kristensen
c00e2075a4
Merge pull request #16111 from erik-krogh/rb-url
...
RB: Improve QHelp for `rb/url-redirect`, and fix an FP.
2024-04-11 13:03:35 +02:00
erik-krogh
4ae25c2d34
don't mention arrays in the qhelp for rb/shell-command-constructed-from-input, because there are no array
2024-04-10 14:26:00 +02:00
erik-krogh
59c72b683c
update the url-redirect QHelp
2024-04-08 12:00:27 +02:00
Erik Krogh Kristensen
0cfac605bd
Merge pull request #16100 from erik-krogh/fix-js-rb-typo
...
RB: fix language specifier typo in qhelp for rb/multi-char-san
2024-04-04 15:42:45 +02:00
erik-krogh
ec32bdce63
fix unsanitized -> sanitized typo, and don't add a new variable just to remove newlines
2024-04-03 09:19:18 +02:00
erik-krogh
572d3ba542
fix language specifier typo in qhelp for rb/multi-char-san
2024-04-02 19:40:46 +02:00
Harry Maclean
409f46ef7b
Merge pull request #14308 from hmac/hmac-rb-csrf-not-enabled
...
Ruby: Add a query for CSRF protection not enabled
2024-04-02 11:30:36 +01:00
Joe Farebrother
fb19288981
Address review comments - Fix docs typo and add a reference
2024-03-25 15:46:45 +00:00
Joe Farebrother
a6ee19ca2d
Fix query id
2024-03-22 14:36:47 +00:00
Joe Farebrother
01f712476b
Add change note and update severity
2024-03-22 14:07:11 +00:00
Joe Farebrother
a8aac318d0
Add qhelp
2024-03-22 14:04:52 +00:00
Joe Farebrother
0f45a53adc
Add mass assignment query
2024-03-22 14:04:52 +00:00
Henry Mercer
a76832f4e0
Mark LOC queries as debug instead
2024-03-20 21:18:55 +00:00
Henry Mercer
c325ff8a23
Mark lines of code queries as telemetry queries
...
The new file coverage metrics are available in all supported GHES
versions. This PR tags lines of code queries as telemetry queries. Lines
of code information will still be available in the SARIF file, but it
will no longer be displayed in the logging output of the CLI.
The one exception is the metric queries for Java/Kotlin that provide
separate lines of code information for Java and Kotlin. I've kept these
since separate file coverage information for languages like Java and
Kotlin is only available for GHES 3.12 and later.
2024-03-11 16:40:31 +00:00
Harry Maclean
081c1201ed
Ruby: Make csrf query more specific
...
CSRF protection only needs to be explicitly enabled on Rails
applications < 5.2 _or_ those that don't include a `load_defaults` call
with a version >= 5.2.
2024-02-23 11:13:17 +00:00
Harry Maclean
32b775fdc3
Ruby: reduce duplicate alerts for csrf query
...
Only generate an alert on the top-most vulnerable Rails controller in
the controller tree.
2024-02-23 11:13:17 +00:00
Harry Maclean
0597b2ed1b
Ruby: recognise csrf_meta_tag
...
csrf_meta_tag is an alias for csrf_meta_tags, retained for backwards
compatibility.
2024-02-23 11:13:16 +00:00
Harry Maclean
3c69ab10f2
Ruby: Restrict rb/csrf-protection-not-enabled
...
This query only applies to codebases using Ruby on Rails < 5.2, or where
there is no call to `csrf_meta_tags` in the base ERb template.
2024-02-23 11:13:15 +00:00
Harry Maclean
6d6f8ba512
Ruby: Make CSRF query more sensitive
...
Generate an alert for every controller class that doesn't have or
inherit a `protect_from_forgery` setting.
2024-02-23 11:13:15 +00:00
Harry Maclean
49d826f667
Ruby: Add a query for CSRF protection not enabled
...
Specifically in Rails apps, we look for root ActionController classes
without a call to `protect_from_forgery`.
2024-02-23 11:13:14 +00:00
Koen Vlaswinkel
817fd8c097
Ruby: Move TestFile to modeling Util module
...
The TestFile class in the ModelEditor module is more accurate than the
existing RelevantFile class in the Util module, so this moves the
TestFile class to Util and redefines RelevantFile in terms of the
TestFile.
2024-01-31 11:53:30 +01:00
Koen Vlaswinkel
b51379b533
Ruby: Only model relevant files for type models
2024-01-31 11:30:16 +01:00
Harry Maclean
a298a395e6
Merge pull request #15473 from github/koesie10/ruby-model-only-public-methods
...
Ruby: Only generate models for public methods
2024-01-31 09:27:27 +00:00
Arthur Baars
4591560692
Merge pull request #14544 from p-/p--oj-ox-unsafe-deser
...
Ruby: additional unsafe deserialization sinks for ox and one for oj
2024-01-30 19:28:32 +01:00
Koen Vlaswinkel
0442631c68
Ruby: Only generate models for public methods
2024-01-30 16:07:34 +01:00