hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 17:23:36 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
dd31be43e07d901bafb543c8f65be8e9b5abb364
codeql/ruby/ql/lib/change-notes/released/0.5.0.md
Jeroen Ketema de37f3b7d5 Properly indent code block in change log
2023-01-05 18:38:33 +01:00

1.3 KiB
Raw Blame History

0.5.0

Major Analysis Improvements

  • Flow through initialize constructors is now taken into account. For example, in 
    class C
  def initialize(x)
    @field = x
  end
end

C.new(y)
    there will be flow from y to the field @field on the constructed C object.

Minor Analysis Improvements

  • Calls to Kernel.load, Kernel.require, Kernel.autoload are now modeled as sinks for path injection.
  • Calls to mail and inbound_mail in ActionMailbox controllers are now considered sources of remote input.
  • Calls to GlobalID::Locator.locate and its variants are now recognized as instances of OrmInstantiation.
  • Data flow through the ActiveSupport extensions Enumerable#index_with, Enumerable#pick, Enumerable#pluck and Enumerable#sole are now modeled.
  • When resolving a method call, the analysis now also searches in sub-classes of the receiver's type.
  • Taint flow is now tracked through many common JSON parsing and generation methods.
  • The ReDoS libraries in codeql.ruby.security.regexp has been moved to a shared pack inside the shared/ folder, and the previous location has been deprecated.
  • String literals and arrays of string literals in case expression patterns are now recognised as barrier guards.