hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
ginsbach/OverlayLocalJava
codeql/ruby/ql/lib/change-notes/released/0.5.0.md
Jeroen Ketema de37f3b7d5 Properly indent code block in change log
2023-01-05 18:38:33 +01:00

27 lines
1.3 KiB
Markdown
Raw Permalink Blame History

## 0.5.0
### Major Analysis Improvements
* Flow through `initialize` constructors is now taken into account. For example, in
```rb
class C
def initialize(x)
@field = x
end
end
C.new(y)
```
there will be flow from `y` to the field `@field` on the constructed `C` object.
### Minor Analysis Improvements
* Calls to `Kernel.load`, `Kernel.require`, `Kernel.autoload` are now modeled as sinks for path injection.
* Calls to `mail` and `inbound_mail` in `ActionMailbox` controllers are now considered sources of remote input.
* Calls to `GlobalID::Locator.locate` and its variants are now recognized as instances of `OrmInstantiation`.
* Data flow through the `ActiveSupport` extensions `Enumerable#index_with`, `Enumerable#pick`, `Enumerable#pluck` and `Enumerable#sole` are now modeled.
* When resolving a method call, the analysis now also searches in sub-classes of the receiver's type.
* Taint flow is now tracked through many common JSON parsing and generation methods.
* The ReDoS libraries in `codeql.ruby.security.regexp` has been moved to a shared pack inside the `shared/` folder, and the previous location has been deprecated.
* String literals and arrays of string literals in case expression patterns are now recognised as barrier guards.
Reference in New Issue View Git Blame Copy Permalink