codeql/ruby/ql/src/change-notes/released/0.4.0.md
2022-09-22 20:14:12 +00:00


0.4.0

New Queries

  • Added a new query, rb/hardcoded-data-interpreted-as-code, to detect cases where hardcoded data is executed as code, a technique associated with backdoors.

Minor Analysis Improvements

  • The rb/unsafe-deserialization query now includes alerts for user-controlled data passed to Hash.from_trusted_xml, since that method can deserialize YAML embedded in the XML, which in turn can result in deserialization of arbitrary objects.
  • The alert messages of many queries have been changed to make them consistent with the queries for other languages.
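The `Hash.from_trusted_xml` point above, as an added example that is not part of the CodeQL change notes or the CodeQL query: a fail-closed pre-check that rejects XML carrying the `yaml` or `symbol` type attributes (the types Rails' `Hash.from_xml` refuses but `from_trusted_xml` honours) before the document reaches the trusted parser. Function names and the sample documents are assumptions constructed for this example.

```ruby
# Added example (not from the CodeQL change notes). Rails' Hash.from_xml rejects the
# "yaml" and "symbol" type attributes; Hash.from_trusted_xml honours them, so YAML
# embedded in user-controlled XML is deserialized into arbitrary Ruby objects.
# This guard lets code keep from_trusted_xml for genuinely trusted input while
# refusing user-controlled documents that would trigger that path.
DISALLOWED_XML_TYPES = %w[yaml symbol].freeze

# Return every disallowed type attribute value found in the document (lower-cased,
# de-duplicated). A regex over the raw text is deliberately over-inclusive: a false
# positive only blocks a document, whereas a miss would let a payload through.
def disallowed_xml_types(xml)
  xml.scan(/\btype\s*=\s*["']\s*([A-Za-z_]+)\s*["']/i)
     .flatten
     .map(&:downcase)
     .select { |t| DISALLOWED_XML_TYPES.include?(t) }
     .uniq
end

# true only when the document contains none of the disallowed type attributes
def trusted_xml_safe?(xml)
  disallowed_xml_types(xml).empty?
end

# Raise before the document reaches Hash.from_trusted_xml; callers handling untrusted
# input should prefer Hash.from_xml, which raises
# ActiveSupport::XMLConverter::DisallowedType for the same types.
def check_before_trusted_parse!(xml)
  found = disallowed_xml_types(xml)
  raise ArgumentError, "disallowed XML type(s): #{found.join(', ')}" unless found.empty?
  xml
end

# Constructed sample documents (hypothetical, not taken from any real application).
BENIGN_XML     = '<user><name>alice</name><age type="integer">30</age></user>'
YAML_TYPED_XML = "<user><name type=\"yaml\">--- example\n</name></user>"

if __FILE__ == $PROGRAM_NAME
  puts "benign: #{trusted_xml_safe?(BENIGN_XML)}"          # true
  puts "yaml-typed: #{trusted_xml_safe?(YAML_TYPED_XML)}"  # false
end
```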