codeql/ruby/ql/lib/CHANGELOG.md
2022-10-07 02:20:28 +00:00

0.4.1

Minor Analysis Improvements

  • The following classes have been moved from codeql.ruby.frameworks.ActionController to codeql.ruby.frameworks.Rails:
    • ParamsCall, now accessed as Rails::ParamsCall.
    • CookieCall, now accessed as Rails::CookieCall.
  • The following classes have been moved from codeql.ruby.frameworks.ActionView to codeql.ruby.frameworks.Rails:
    • HtmlSafeCall, now accessed as Rails::HtmlSafeCall.
    • HtmlEscapeCall, now accessed as Rails::HtmlEscapeCall.
    • RenderCall, now accessed as Rails::RenderCall.
    • RenderToCall, now accessed as Rails::RenderToCall.
  • Subclasses of ActionController::Metal are now recognised as controllers.
  • ActionController::DataStreaming::send_file is now recognized as a FileSystemAccess.
  • Various XSS sinks in the ActionView library are now recognized.
  • Calls to ActiveRecord::Base.create are now recognized as model instantiations.
  • Various code executions, command executions and HTTP requests in the ActiveStorage library are now recognized.
  • MethodBase now has two new predicates related to visibility: isPublic and isProtected. These hold, respectively, if the method is public or protected.

0.4.0

Breaking Changes

  • import ruby no longer brings the standard Ruby AST library into scope; it instead brings a module Ast into scope, which must be imported. Alternatively, it is also possible to import codeql.ruby.AST.
  • Changed the HTTP::Client::Request concept from using MethodCall as base class, to using DataFlow::Node as base class. Any class that extends HTTP::Client::Request::Range must be changed, but if you only use the member predicates of HTTP::Client::Request, no changes are required.

Deprecated APIs

  • Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.

Minor Analysis Improvements

  • Uses of ActionView::FileSystemResolver are now recognized as filesystem accesses.
  • Accesses of ActiveResource models are now recognized as HTTP requests.

Bug Fixes

  • Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
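The following query is an added illustration, not code from the CodeQL repository, of how the APIs this changelog refers to fit together: the explicit `import codeql.ruby.AST` required since 0.4.0, a `TaintTracking::Configuration` whose `isSource`/`isSink` use the `RemoteFlowSource` and `SystemCommandExecution` concepts, the plain `isSanitizer` and `isAdditionalTaintStep` overrides (the 0.0.12 entry removed the flow-state variants from the taint tracking library), and a path-problem `select`. The `shellescape` sanitizer is Ruby's `Shellwords` method; the `to_command` helper is a hypothetical application method used only to show the shape of an additional taint step.

```ql
/**
 * @name Command built from remote input (added example, not a shipped query)
 * @kind path-problem
 * @id rb/example-command-injection
 */

import codeql.ruby.AST
import codeql.ruby.DataFlow
import codeql.ruby.TaintTracking
import codeql.ruby.Concepts
import codeql.ruby.dataflow.RemoteFlowSources
import DataFlow::PathGraph

class CommandInjectionConfig extends TaintTracking::Configuration {
  CommandInjectionConfig() { this = "CommandInjectionConfig" }

  // Anything the library models as coming from the network (params, headers, ...).
  override predicate isSource(DataFlow::Node source) { source instanceof RemoteFlowSource }

  // Arguments of modelled system-command executions (system, backticks, spawn, ...).
  override predicate isSink(DataFlow::Node sink) {
    sink = any(SystemCommandExecution exec).getAnArgument()
  }

  // Treat the result of String#shellescape (from Shellwords) as clean.
  override predicate isSanitizer(DataFlow::Node node) {
    node.asExpr().getExpr().(MethodCall).getMethodName() = "shellescape"
  }

  // Assumption: the application has a `to_command` helper that embeds its receiver
  // in the returned command string, so taint should propagate receiver -> call.
  override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
    exists(MethodCall mc |
      mc.getMethodName() = "to_command" and
      pred.asExpr().getExpr() = mc.getReceiver() and
      succ.asExpr().getExpr() = mc
    )
  }
}

from CommandInjectionConfig cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
select sink.getNode(), source, sink, "This command depends on a $@.", source.getNode(),
  "user-provided value"
```

Because the 0.4.0 fix above makes implicit reads allowed by default at sinks, a configuration like this no longer needs to override `allowImplicitRead` for a hash or array argument to be matched at the sink.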

0.3.5

0.3.4

Deprecated APIs

  • The utility files previously in the codeql.ruby.security.performance package have been moved to the codeql.ruby.security.regexp package. The previous files still exist as deprecated aliases.

Minor Analysis Improvements

  • Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
  • Calls to render in Rails controllers and views are now recognized as HTTP response bodies.

0.3.3

Minor Analysis Improvements

  • Calls to methods generated by ActiveRecord associations are now recognised as instantiations of ActiveRecord objects. This increases the sensitivity of queries such as rb/sql-injection and rb/stored-xss.
  • Calls to ActiveRecord::Base.create and ActiveRecord::Base.update are now recognised as write accesses.
  • Arguments to Mime::Type#match? and Mime::Type#=~ are now recognised as regular expression sources.

0.3.2

Minor Analysis Improvements

  • Calls to Arel.sql are now recognised as propagating taint from their argument.
  • Calls to ActiveRecord::Relation#annotate are now recognized as SqlExecutions, so they are considered sinks for queries like rb/sql-injection.

0.3.1

Minor Analysis Improvements

  • Fixed a bug causing every expression in the database to be considered a system-command execution sink when calls to any of the following methods exist:
    • The spawn, fspawn, popen4, pspawn, system, _pspawn methods and the backtick operator from the POSIX::spawn gem.
    • The execute_command, rake, rails_command, and git methods in Rails::Generation::Actions.
  • Improved modeling of sensitive data sources, so common words like certain and secretary are no longer considered a certificate and a secret (respectively).

0.3.0

Deprecated APIs

  • The BarrierGuard class has been deprecated. Such barriers and sanitizers can now instead be created using the new BarrierGuard parameterized module.

0.2.3

Minor Analysis Improvements

  • Calls to Zip::File.open and Zip::File.new have been added as FileSystemAccess sinks. As a result, queries like rb/path-injection now flag cases where users may access arbitrary archive files.

0.2.2

Major Analysis Improvements

  • Added data-flow support for hashes.

Minor Analysis Improvements

  • Support for data flow through instance variables has been added.
  • Support for the safe navigation operator (&.) has been added; there is a new predicate MethodCall.isSafeNavigation().

0.2.1

Bug Fixes

  • The Tree-sitter Ruby grammar has been updated; this fixes several issues where Ruby code was parsed incorrectly.

0.2.0

Breaking Changes

  • The signature of allowImplicitRead on DataFlow::Configuration and TaintTracking::Configuration has changed from allowImplicitRead(DataFlow::Node node, DataFlow::Content c) to allowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c).

0.1.0

Breaking Changes

  • The recently added flow-state versions of isBarrierIn, isBarrierOut, isSanitizerIn, and isSanitizerOut in the data flow and taint tracking libraries have been removed.
  • The getURL member-predicates of the HTTP::Client::Request and HTTP::Client::Request::Range classes from Concepts.qll have been renamed to getAUrlPart.

Deprecated APIs

  • ConstantValue::getStringOrSymbol and ConstantValue::isStringOrSymbol, which return/hold for all string-like values (strings, symbols, and regular expressions), have been renamed to ConstantValue::getStringlikeValue and ConstantValue::isStringlikeValue, respectively. The old names have been marked as deprecated.

Minor Analysis Improvements

  • Whereas ConstantValue::getString() previously returned both string and regular-expression values, it now returns only string values. The same applies to ConstantValue::isString(value).
  • Regular-expression values can now be accessed with the new predicates ConstantValue::getRegExp(), ConstantValue::isRegExp(value), and ConstantValue::isRegExpWithFlags(value, flags).
  • The ParseRegExp and RegExpTreeView modules are now "internal" modules. Users should use codeql.ruby.Regexp instead.
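As an added example (not part of the CodeQL library or this changelog), the query below uses the ConstantValue predicates as they stand after 0.1.0: `getString()` for plain strings only and `getRegExp()` for regular-expression values. It reports `Regexp.new` calls whose pattern argument is a compile-time constant, pairing each with the pattern text, and separately lists regex literals with their value. The `select` message wording is mine.

```ql
/**
 * @name Regexp built from a constant string (added example, not a shipped query)
 * @kind problem
 * @id rb/example-constant-regexp-construction
 */

import codeql.ruby.AST

/**
 * Holds if `call` is `Regexp.new(<constant string>)` and `pattern` is that
 * string's value. Since 0.1.0, getString() no longer matches regex literals,
 * so a literal `/.../` argument is not reported here.
 */
predicate regexpFromConstantString(MethodCall call, string pattern) {
  call.getMethodName() = "new" and
  call.getReceiver().(ConstantReadAccess).getName() = "Regexp" and
  call.getArgument(0).getConstantValue().getString() = pattern
}

/** Holds if `lit` is a regex literal whose constant value is `pattern`. */
predicate regexpLiteralValue(RegExpLiteral lit, string pattern) {
  lit.getConstantValue().getRegExp() = pattern
}

from Expr e, string pattern, string kind
where
  regexpFromConstantString(e, pattern) and kind = "Regexp.new with constant pattern"
  or
  regexpLiteralValue(e, pattern) and kind = "regex literal"
select e, kind + ": " + pattern
```

Either branch could be used as the starting point for a source definition in a regex-injection or ReDoS query; the split between `getString()` and `getRegExp()` is what lets a query distinguish a pattern that came from a string (and so may have been built at runtime) from one written as a literal.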

0.0.13

0.0.12

Breaking Changes

  • The flow state variants of isBarrier and isAdditionalFlowStep are no longer exposed in the taint tracking library. The isSanitizer and isAdditionalTaintStep predicates should be used instead.

Deprecated APIs

  • Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.

New Features

  • The data flow and taint tracking libraries have been extended with versions of isBarrierIn, isBarrierOut, and isBarrierGuard, respectively isSanitizerIn, isSanitizerOut, and isSanitizerGuard, that support flow states.

Minor Analysis Improvements

  • getConstantValue() now returns the contents of strings and symbols after escape sequences have been interpreted. For example, for the Ruby string literal "\n", getConstantValue().getString() previously returned a QL string with two characters, a backslash followed by n; now it returns the single-character string "\n" (U+000A, known as newline).
  • getConstantValue().getInt() previously returned incorrect values for integers larger than 2^31 - 1 (the largest value that can be represented by the QL int type). It now returns no result in those cases.
  • Added OrmWriteAccess concept to model data written to a database using an object-relational mapping (ORM) library.

0.0.11

Minor Analysis Improvements

  • The Regex class is now an abstract class that extends StringlikeLiteral with implementations for RegExpLiteral and string literals that 'flow' into functions that are known to interpret string arguments as regular expressions such as Regex.new and String.match.
  • The regular expression parser now groups sequences of normal characters. This reduces the number of instances of RegExpNormalChar.

0.0.10

Minor Analysis Improvements

  • Added FileSystemWriteAccess concept to model data written to the filesystem.

0.0.9

0.0.8

0.0.7

0.0.6

Deprecated APIs

  • ConstantWriteAccess.getQualifiedName() has been deprecated in favor of getAQualifiedName() which can return multiple possible qualified names for a given constant write access.

0.0.5

New Features

  • A new library, Customizations.qll, has been added, which allows for global customizations that affect all queries.

0.0.4