Commit Graph

2562 Commits

Author SHA1 Message Date
Harry Maclean 375403fb9d
Merge pull request #11114 from hmac/case-barrier-guard-3
Ruby: Add case string comparison barrier guard
2022-11-30 11:21:07 +13:00
Arthur Baars 52cf27653f
Ruby: fix upgrade script 2022-11-29 13:12:14 +01:00
Arthur Baars cf7ebe2fa8
Merge pull request #11471 from github/rc/3.8
Merge rc/3.8 into main
2022-11-29 12:57:34 +01:00
Tom Hvitved f3dca95958
Merge pull request #11087 from hvitved/dataflow/summary-ctx
Data flow: Add summary/return context to pruning stages 2-4
2022-11-29 10:36:53 +01:00
Erik Krogh Kristensen 0cd50aac40
Merge pull request #11398 from erik-krogh/splat-stuff
Rb: add some more flow through splat parameters
2022-11-28 22:31:25 +01:00
Felicity Chapman b5f849463b Update QL library references 2022-11-28 15:26:24 +01:00
Tom Hvitved cde05e1190 Data flow: Sync files 2022-11-28 12:11:38 +01:00
Tom Hvitved c65780ee99 Data flow: Inline `revFlowInNotToReturn` 2022-11-28 12:11:18 +01:00
Tom Hvitved bdb205a318 Data flow: Track return kind instead of return position in pruning stages 2-4 2022-11-28 12:11:18 +01:00
Tom Hvitved 4346a7f426 Data flow: Inline `fwdFlowOutNotFromArg` 2022-11-28 12:11:18 +01:00
Tom Hvitved 70d2a0df8a Data flow: Track parameter position instead of parameter in pruning stages 2-4 2022-11-28 12:11:12 +01:00
Nick Rolfe 8a94cabdbf
Merge pull request #11250 from github/nickrolfe/stack-trace-exposure
Ruby: add stack-trace exposure query
2022-11-28 10:45:59 +00:00
erik-krogh 0c2ff98dc2
add flow from the first splat argument to the first splat parameter 2022-11-28 09:54:05 +01:00
erik-krogh d5725255fe
add failing test for splat parameter flow 2022-11-28 09:53:03 +01:00
Alex Ford 8362caa9d9
Merge pull request #11417 from alexrford/ruby/activesupport-json_escape
Ruby: model ActiveSupport `json_escape` flow
2022-11-25 10:46:34 +00:00
Harry Maclean 2822c94aa7 Ruby: Minor refactor of barrier guard code 2022-11-25 09:12:51 +13:00
Harry Maclean 6897fb46cb Ruby: Clean up WhenClause CFG 2022-11-25 09:12:51 +13:00
Alex Ford e6446e501c Ruby: fix docs failure 2022-11-24 15:37:03 +00:00
Alex Ford 893c8763bb Ruby: model ActiveSupport json_escape flow 2022-11-24 15:33:08 +00:00
Erik Krogh Kristensen 03737543d4
Merge pull request #11403 from erik-krogh/additional
ReDoS: add missing additional keywords
2022-11-24 15:53:51 +01:00
Nick Rolfe 50b10be2db Ruby: StackTraceExposure: add test for a specific rescue type 2022-11-24 14:08:34 +00:00
Nick Rolfe 1c407a28cd Apply suggestions from code review
Co-authored-by: Harry Maclean <hmac@github.com>
2022-11-24 14:02:32 +00:00
Tom Hvitved 4e4ee32dbc Data flow: Join on one more column in `flowThroughIntoCall` 2022-11-24 10:48:29 +01:00
Harry Maclean 57f689401e Ruby: SplatExprCfgNode extends UnaryOperationCfgNode 2022-11-24 17:33:57 +13:00
Erik Krogh Kristensen 3d4f64f168
Merge pull request #11397 from erik-krogh/call-instanceof
Rb: use `instanceof` instead of `extends` on `DataFlow::CallNode` in some case
2022-11-23 22:20:17 +01:00
erik-krogh 95f35196e4
add missing additional keywords 2022-11-23 20:45:51 +01:00
erik-krogh 33216f3867
cleanup imports 2022-11-23 15:22:19 +01:00
erik-krogh 19b5f64a11
use `instanceof` instead of `extends` on `DataFlow::CallNode` in some case 2022-11-23 14:58:17 +01:00
Nick Rolfe e16bdc4d07 Ruby/QL: only create dbscheme case-splits for columns on defining tables 2022-11-23 10:00:08 +00:00
Edoardo Pirovano 6c33ddcd47
Merge pull request #11349 from github/edoardo/2.11.4-mergeback
Merge `rc/3.8` into `main`
2022-11-21 18:08:27 +00:00
erik-krogh 9c792902c7
Ruby: cache the entire extractor 2022-11-21 17:55:57 +01:00
Erik Krogh Kristensen b4661f4a59
Merge pull request #11245 from erik-krogh/rb-redosMod
Ruby: use the shared regex pack
2022-11-21 15:34:20 +01:00
Tom Hvitved 2fac505221 Ruby: Update expected test output 2022-11-21 12:52:27 +01:00
Tom Hvitved e7ed056b6f Sync files 2022-11-21 12:00:36 +01:00
Tom Hvitved 99e70e9a50 Data flow: Sync files 2022-11-20 10:19:23 +01:00
Tom Hvitved a3a3b46d54 Data flow: Account for return nodes with multiple return kinds when restricting flow through
For example, flow out via parameters allows for return nodes with multiple
return kinds:

```csharp
void SetXOrY(C x, C y, bool b)
{
    C c = x;
    if (b)
        c = y;
    c.Field = taint; // post-update node for `c` has two return kinds
}
```
2022-11-20 10:18:46 +01:00
Tom Hvitved 5adf10fcba Data flow: Add return context to pruning stages 2-4 2022-11-20 10:18:46 +01:00
Tom Hvitved ca17c5b053 Data flow: Add summary context to pruning stages 2-4 2022-11-20 10:18:40 +01:00
github-actions[bot] 5b14ebf22a Post-release preparation for codeql-cli-2.11.4 2022-11-18 11:26:00 +00:00
Harry Maclean 376d4e03a1 Ruby: Cache some barrier guard predicates 2022-11-18 18:17:02 +13:00
Harry Maclean 5deb16e58c Ruby: Remove redundant predicate
The existing barrier guard machinery recognises guards such as `if x and y`,
so there's no need to explicitly model them.
2022-11-18 18:14:55 +13:00
github-actions[bot] e105c13e77 Release preparation for version 2.11.4 2022-11-17 16:40:45 +00:00
Tom Hvitved f24fa402f3 Adjust CFG 2022-11-17 10:32:28 +01:00
Harry Maclean a6f6936719
Merge pull request #11058 from hmac/actioncontroller-logger
Ruby: Model various ActionController methods
2022-11-17 08:21:00 +13:00
Tom Hvitved 67b6a82cf1
Merge pull request #11198 from hvitved/ssa/expose-phi-reads
SSA: Expose phi-read nodes
2022-11-16 15:11:58 +01:00
Anders Schack-Mulligen 94bca4399a
Merge pull request #11183 from aschackmull/dataflow/groupflow
Dataflow: Introduce support for src/sink grouping in path results.
2022-11-16 12:59:01 +01:00
Erik Krogh Kristensen 7d4ea47611
Merge pull request #10855 from erik-krogh/formatTaint
Ruby: taint-steps for printf calls - and add a `AdditionalTaintStep` class
2022-11-16 12:08:45 +01:00
Harry Maclean ed3270fb04 Ruby: Update for upstream changes 2022-11-16 14:06:32 +13:00
Harry Maclean 2e2fcd49bf Ruby: Consider Object#inspect a log sanitizer
The behaviour of `Object#inspect` depends on whether it has been
overridden by a subclass, but it will typically produce output on a
single line. Calling `inspect` on a String will replace newlines with
`\n`, which is then safe for interpolation into a log line.
2022-11-16 13:46:51 +13:00
Harry Maclean 762ebad66e Ruby: Add change note 2022-11-16 13:46:51 +13:00