Dave Bartolomeo
013b7eff1c
Apply suggestions from code review
Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
2022-11-04 18:46:32 -04:00
github-actions[bot]
508327235a
Release preparation for version 2.11.3
2022-11-04 20:16:23 +00:00
Arthur Baars
98f4c29913
Ruby: weak crypto: do not report weak hash algorithms
Weak hash algorithms such as MD5 and SHA1 are often
used in non security sensitive contexts and reporting
all uses is far too noisy.
2022-11-04 15:58:50 +01:00
Anders Schack-Mulligen
a1dba82360
Dataflow: Sync.
2022-11-04 12:41:55 +01:00
Asger F
4ae90e35d5
Ruby: inline transitive class-hierarchy getters
2022-11-04 08:50:33 +01:00
Asger F
472a10fd54
Ruby: direct -> immediate
2022-11-04 08:49:01 +01:00
Michael Nebel
3c8fb0520e
C#: Sync files.
2022-11-04 08:20:53 +01:00
Tom Hvitved
d3488da0c2
Data flow: Sync files
2022-11-03 15:52:30 +01:00
Tom Hvitved
cc87d2e38b
Data flow: Restrict public `PathNode`s to those that may reach a sink
2022-11-03 15:52:30 +01:00
Henry Mercer
dd264c6dfb
Consistently mention language in metric names
This improves consistency between the lines of code queries and the
number of successfully extracted files queries.
2022-11-03 11:44:10 +00:00
Henry Mercer
c60d071239
Lowercase "lines"
2022-11-03 11:40:22 +00:00
Asger F
0f1b3486de
Ruby: Use another join order for nested constant lookup
2022-11-03 10:47:39 +01:00
Asger F
a195ea942e
Ruby: only drop to CFG layer for getConstantValue()
2022-11-03 10:18:31 +01:00
Asger F
cf4a3e0bbe
Ruby: 'a' -> 'an' in a qldoc
2022-11-03 10:13:39 +01:00
Asger F
fe8945b5c9
Ruby: Rename getCanonicalEnclosing/Nested module
getCanonicalEnclosingModule -> getParentModule
getCanonicalNestedModule -> getNestedModule
2022-11-03 10:10:47 +01:00
Asger F
bd2a065562
Ruby: rename ConstantValue::getX -> fromX
2022-11-03 10:03:40 +01:00
erik-krogh
f3741ff1e4
changes based on review
2022-11-03 09:41:05 +01:00
Dave Bartolomeo
499f20f6e8
Merge pull request #11004 from dbartol/dbartol/use-workspace-versions
2022-11-02 20:02:48 -04:00
Tom Hvitved
46631d6eaf
Merge pull request #10931 from hvitved/ruby/fix-flow-into-phis
Ruby: Fix flow steps into phi nodes
2022-11-02 21:07:06 +01:00
Dave Bartolomeo
a475e5758d
Merge remote-tracking branch 'upstream/main' into dbartol/use-workspace-versions
2022-11-02 12:38:03 -04:00
erik-krogh
6bc12e8f2b
Merge branch 'main' into formatTaint
2022-11-02 13:39:30 +01:00
Tom Hvitved
1e3adcd14e
Revert "Revert "SSA: Turn consistency predicates into `query` predicates""
2022-11-02 11:37:37 +01:00
Tom Hvitved
f603d96f48
Merge pull request #11074 from github/revert-10576-ssa/consistency-queries
Revert "SSA: Turn consistency predicates into `query` predicates"
2022-11-02 11:29:42 +01:00
erik-krogh
33cca29a8e
drop down to the CFG instead of the AST to better support de-sugaring
2022-11-02 11:23:01 +01:00
Tom Hvitved
2d5b9c12a6
Ruby: Avoid calls to deprecated SSA predicates
2022-11-02 09:37:28 +01:00
Tom Hvitved
780ea72b3b
Revert "SSA: Turn consistency predicates into `query` predicates"
2022-11-02 09:11:45 +01:00
erik-krogh
c15f63ce62
sync files
2022-11-01 21:35:27 +01:00
Dave Bartolomeo
9d5e5e3ee7
`${workspace}` all the things
2022-11-01 13:29:05 -04:00
Dave Bartolomeo
49c4c554c4
Merge from `main`
2022-11-01 13:22:40 -04:00
Tom Hvitved
ee9163aa40
Ruby: Fix flow steps into phi nodes
- Add missing flow from post-update nodes into phi nodes.
- Prevent flow from reads into phi nodes when use-use flow is prohibited.
2022-11-01 16:33:06 +01:00
Tom Hvitved
a191edfbd5
Ruby: Add data flow tests that illustrate problems with flow into SSA phi nodes
2022-11-01 16:32:46 +01:00
Tom Hvitved
e8f9429b92
Merge pull request #10917 from hvitved/ruby/singleton-call-sensitivity
Ruby: Call-context sensitivity for singleton method calls
2022-11-01 14:13:26 +01:00
Arthur Baars
aba87a139d
Merge pull request #10668 from aibaars/ruby-deps
Ruby: update dependencies
2022-11-01 13:55:42 +01:00
Tom Hvitved
4edef874d6
SSA: Turn consistency predicates into `query` predicates
2022-11-01 10:01:56 +01:00
erik-krogh
84a7fddd95
remove explicit versions in lock files, as the dependencies are all installed locally
2022-11-01 09:09:26 +01:00
Asger F
2619f3f667
Ruby: include overridden methods in getAnInstanceSelf
2022-11-01 08:32:55 +01:00
Asger F
ab4e341e65
Ruby: fix handling of namespaces with no 'self'
2022-10-31 14:05:11 +01:00
Asger F
9da5ec79c5
Ruby: Drive-by fix a QL4QL alert
2022-10-31 14:05:11 +01:00
Asger F
e549f15b1c
Ruby: fix implicit 'this'
2022-10-31 14:05:11 +01:00
Asger F
056b1e8d63
Ruby: add some basic tests
2022-10-31 14:05:11 +01:00
Asger F
9be2512050
Ruby: rename one of the PostsController2 classes
These had the same name and ended up being unified
2022-10-31 13:33:41 +01:00
Asger F
b4b34cc994
Ruby: port part of ActionController model
2022-10-31 13:33:41 +01:00
Asger F
12ce46e4b1
Ruby: port part of Railties model
2022-10-31 13:33:41 +01:00
Asger F
38955d1761
Ruby: port part of the Rails model
2022-10-31 13:33:41 +01:00
Asger F
9f59b6b439
Update type-tracking test
2022-10-31 13:33:41 +01:00
Asger F
0a8f39fe96
Ruby: recover some incomplete capture flow
2022-10-31 13:33:41 +01:00
Asger F
ff02ba5965
Ruby: include SSA param input step for flowsTo
2022-10-31 13:33:41 +01:00
Asger F
017157820a
Ruby: make ParameterNode extend LocalSourceNode
2022-10-31 13:33:41 +01:00
Asger F
b29ac5249e
Ruby: add type-tracking inline test in global flow test
2022-10-31 13:33:41 +01:00
Asger F
4ed61c13f8
Ruby: add some captured-variable flow tests
2022-10-31 13:33:41 +01:00
Asger F
b632e21ba0
Ruby: add ConstRef
2022-10-31 13:33:41 +01:00
Harry Maclean
0dd63c007e
Ruby: Add change note
2022-10-31 11:53:22 +13:00
Harry Maclean
fd61a5253d
Ruby: Recognise try/try! as code executions
2022-10-31 11:53:22 +13:00
Harry Maclean
3f403f0f87
Merge pull request #10700 from hmac/activesupport
Ruby: Model some ActiveSupport methods
2022-10-31 11:50:44 +13:00
Asger F
06ec03de74
Ruby: add convenience-accessors for ConstantValue
2022-10-28 15:16:14 +02:00
Asger F
046e669c78
Ruby: add getAncestorExpr
2022-10-28 15:16:14 +02:00
Asger F
77d1788619
Ruby: add data flow versions of ArrayLiteral, HashLiteral, Pair
2022-10-28 15:16:14 +02:00
Asger F
2546d09fe2
Ruby: add SetterCallNode
2022-10-28 15:16:14 +02:00
Asger F
515b8366d2
Ruby: add getAnAncestor, getADescendent
2022-10-28 15:16:14 +02:00
Asger F
c8f7519cee
Ruby: add Module.getNamespaceOrTopLevel
2022-10-28 15:16:14 +02:00
Asger F
1f644a9c1d
Ruby: add getEnclosingToplevel
2022-10-28 15:16:14 +02:00
Asger F
436cc60138
Ruby: update some uses of getConstantValue()
2022-10-28 15:16:14 +02:00
Asger F
156964bfc9
Ruby: add getEnclosingModule and getNestedModule
2022-10-28 15:16:14 +02:00
Asger F
67772bbc43
Ruby: Accessors for attributes and elements
2022-10-28 15:16:14 +02:00
Asger F
8976ba5583
Ruby: Add CallableNode, MethodNode, and accessors
2022-10-28 15:16:13 +02:00
Rasmus Wriedt Larsen
8628ff5e52
Merge pull request #10999 from RasmusWL/inline-fail-tag
InlineExpectationsTest: Fail if missing `getARelevantTag`
2022-10-28 10:35:49 +02:00
Erik Krogh Kristensen
93fb2930c8
Merge pull request #10968 from erik-krogh/fixRbCode
RB: fix rb/code-injection
2022-10-28 09:14:14 +02:00
Harry Maclean
368ce69198
Fix qldoc formatting
2022-10-28 11:31:55 +13:00
Harry Maclean
9df8edcb1c
Ruby: fix formatting
2022-10-28 11:31:55 +13:00
Harry Maclean
cd34686967
Ruby: Document flow summary for Hash#extract!
2022-10-28 11:31:55 +13:00
Harry Maclean
ca7b48c3d5
Add change note
2022-10-28 11:31:55 +13:00
Harry Maclean
5e781f24b6
Ruby: Remove duplicate test
This is already tested in hash-flow.
2022-10-28 11:31:55 +13:00
Harry Maclean
4ec527a9ea
Ruby: Explain difference between flow tests
The type-tracking flow tests document the difference in sensitivity
between type-tracking and dataflow, so failures in that test are
expected.
2022-10-28 11:31:55 +13:00
Harry Maclean
6e8446b6ae
Fix tests
2022-10-28 11:31:55 +13:00
Harry Maclean
ef260db76e
Fix singleton set literal
2022-10-28 11:31:55 +13:00
Harry Maclean
71d703f2a5
Ruby: Add ActiveSupport extensions
2022-10-28 11:31:55 +13:00
Harry Maclean
cb37a0e835
Ruby: Add summaries for Hash#deep_merge(!)
2022-10-28 11:31:55 +13:00
Harry Maclean
3dea1d6a60
Ruby: Add flow summary for Hash#except!
2022-10-28 11:31:55 +13:00
Harry Maclean
0454642220
Ruby: Model deep_dup and presence
2022-10-28 11:31:55 +13:00
Harry Maclean
9f260853ac
Ruby: Model more ActiveSupport string extensions
2022-10-28 11:31:55 +13:00
Harry Maclean
b389d50943
Ruby: Identify safe_constantize
2022-10-28 11:31:54 +13:00
Rasmus Wriedt Larsen
adf109b624
Merge branch 'main' into inline-fail-tag
2022-10-27 13:42:32 +02:00
Rasmus Wriedt Larsen
6d43db43dd
Ruby: Fix tag missing from `getARelevantTag`
2022-10-27 09:12:06 +02:00
Rasmus Wriedt Larsen
fc7eb5b4fc
InlineExpectationsTest: sync
2022-10-27 09:02:28 +02:00
Dave Bartolomeo
23b572e9b7
Use `${workspace}` for intra-workspace dependencies
Now that the released CLI supports replacement variables in dependency version ranges, we can now mark our published library packs as depending on whatever version of their dependency is in our workspace, without having to manually bump the dependency version every release.
Note that when the packs are published, the dependencies in the published pack file are rewritten to have the correct specific version.
2022-10-26 16:40:01 -04:00
Rasmus Wriedt Larsen
5e9897d150
InlineExpectationsTest: sync
2022-10-26 18:21:13 +02:00
thiggy1342
9c1fbfd330
Merge branch 'main' into expand-ruby-ssrf-sinks-faraday-connection-new
2022-10-25 13:09:17 -04:00
thiggy1342
3659eaa780
add markdown file extension
2022-10-25 10:13:19 -04:00
erik-krogh
e8dce25cc2
fix rb/code-injection
2022-10-25 14:44:23 +02:00
Erik Krogh Kristensen
ef5132b0ae
Merge pull request #10883 from erik-krogh/codeSink
RB: don't flag code-injection for dynamic loading where an attacker only controls a substring
2022-10-24 18:59:36 +02:00
erik-krogh
aafef382dc
refactor StringPercentCall#getFormatArgument
2022-10-24 18:57:24 +02:00
thiggy1342
952ad6ea46
Merge branch 'main' into expand-ruby-ssrf-sinks-faraday-connection-new
2022-10-24 09:52:24 -04:00
Asger F
ac4cac889f
Ruby: add DataFlow::ModuleNode
sdf
2022-10-24 15:35:17 +02:00
Asger F
65add15416
Ruby: add getALocalUse()
This is the inverse of getALocalSource()
2022-10-24 15:35:17 +02:00
Asger F
aab1e1f5b4
Ruby: add some helpers at the AST level
2022-10-24 15:35:17 +02:00
Erik Krogh Kristensen
5ff98cd80e
Merge pull request #10888 from erik-krogh/glob
Ruby: add model for Dir.glob and other Dir methods
2022-10-24 14:17:37 +02:00
Asger F
bcfe4ece6f
Merge pull request #10918 from asgerf/rb/constant-compound-assignment
Ruby: handle compound constant-assignment
2022-10-24 14:07:28 +02:00
Asger F
cac2e2e2e4
Merge pull request #10928 from asgerf/rb/assumed-global-const
Ruby: assume some global constants are defined
2022-10-24 14:06:34 +02:00
Asger F
0ffb0f6d4d
Ruby: constant lookup is unaffected by blocks
2022-10-24 13:07:21 +02:00
erik-krogh
07d90b34df
use instanceof in DirPathAccess
2022-10-24 12:05:26 +02:00
Erik Krogh Kristensen
669b0c35fe
fix qldoc
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
2022-10-24 12:05:26 +02:00
erik-krogh
85cd7f9121
add model for Dir.glob and other Dir methods
2022-10-24 12:05:26 +02:00
Arthur Baars
b3855b089a
Ruby: some more tests
2022-10-22 14:15:29 +02:00
Arthur Baars
ccaa12998d
Ruby: desugar compound constant-assignments
2022-10-22 01:11:35 +02:00
Nick Rolfe
9fb436e22b
Ruby: add change note for localTaintStep fix
2022-10-21 16:33:29 +01:00
Nick Rolfe
269c27757d
Ruby: include value-preserving flow in localTaintStep
2022-10-21 16:17:11 +01:00
Nick Rolfe
5319216c18
Ruby: add test of TaintTracking::localFlowStep
2022-10-21 16:04:04 +01:00
Asger F
84ae17dcbb
Ruby: ensure Object is a transitive superclass
2022-10-21 15:18:59 +02:00
Arthur Baars
a56ed88db2
Merge pull request #10920 from github/post-release-prep/codeql-cli-2.11.2
Post-release preparation for codeql-cli-2.11.2
2022-10-21 11:58:12 +02:00
Tom Hvitved
4422327c00
Ruby: Call-context sensitivity for singleton method calls
2022-10-21 11:48:25 +02:00
Asger F
3fd2b9ad7b
Ruby: add a comment
This would have saved me some time
2022-10-21 11:44:12 +02:00
Asger F
ee7970afcb
Ruby: treat String as a builtin
2022-10-21 11:44:11 +02:00
Asger F
db58e3357b
Ruby: allow speculative container qname resolution
2022-10-21 11:44:11 +02:00
github-actions[bot]
be7693283b
Post-release preparation for codeql-cli-2.11.2
2022-10-21 08:07:17 +00:00
Tom Hvitved
6feff7e3ed
Ruby: Add more data-flow call sensitivity tests
2022-10-21 09:36:34 +02:00
Asger F
d26b0892cf
Ruby: also add an AST test
2022-10-21 09:23:21 +02:00
Asger F
038bdecad7
Ruby: add test with compound assignment to a constant
2022-10-21 09:20:03 +02:00
Tom Hvitved
db699ae314
Ruby: Refactor call graph logic for singleton methods
2022-10-21 07:27:41 +02:00
thiggy1342
4e5c1f210d
Update ruby/ql/lib/change-notes/2022-10-20-expand-faraday-model-for-ssrf-sink
Co-authored-by: Rahul Zhade <rzhade3@users.noreply.github.com>
2022-10-20 17:33:17 -04:00
thiggy1342
244a3329e0
Merge branch 'main' into expand-ruby-ssrf-sinks-faraday-connection-new
2022-10-20 16:37:57 -04:00
thiggy1342
4c3e3e442a
Add Faraday::Connection.new as sink for SSRF query
2022-10-20 20:32:08 +00:00
Asger F
8c2c28dd56
Ruby: add test showing missing superclass edge
2022-10-20 15:56:58 +02:00
Arthur Baars
a520de3986
Merge pull request #10902 from github/release-prep/2.11.2
Release preparation for version 2.11.2
2022-10-20 15:55:44 +02:00
Arthur Baars
45c9a0d0b1
Apply suggestions from code review
Co-authored-by: Jeroen Ketema <93738568+jketema@users.noreply.github.com>
2022-10-20 15:22:29 +02:00
github-actions[bot]
9a0848bbc4
Release preparation for version 2.11.2
2022-10-20 11:05:19 +00:00
Tom Hvitved
faaead682e
Ruby: Block for steps into `self` parameters in `trackModuleAccess`
2022-10-20 13:00:12 +02:00
Tom Hvitved
bda98261cc
Ruby: Add more call graph tests
2022-10-20 12:59:32 +02:00
erik-krogh
bb8bcd4643
fix typo
2022-10-20 10:48:02 +02:00
erik-krogh
c13e8e4f48
Merge branch 'main' into formatTaint
2022-10-20 10:46:16 +02:00
erik-krogh
7797211118
Merge branch 'main' into unsafeRbCmd
2022-10-20 10:34:17 +02:00
erik-krogh
24916f8538
rename `runsImmediately` to `runsArbitraryCode`
2022-10-20 10:10:11 +02:00
erik-krogh
3dd89bb7bf
remove duplicate alerts due to multiple states reaching the same sink
2022-10-19 13:19:18 +02:00
erik-krogh
226bd1f321
add flow-state support to sanitizers in code-execution, and use that to refactor the string-concatenation-sanitizer
2022-10-19 13:06:54 +02:00
erik-krogh
3e51f6fa8e
use flow-states to remove FPs related to an attacker only controlling a substring in code-injection
2022-10-19 13:00:44 +02:00
erik-krogh
2a72e89090
add a runsImmediately predicate to CodeExecution (name chosen by Copilot)
2022-10-19 12:30:47 +02:00
erik-krogh
d77b31672d
add failing test for safe-ish uses of Object.send
2022-10-19 11:27:08 +02:00
erik-krogh
cb33d5aeff
add test for .send(..) in code-injection
2022-10-19 11:25:30 +02:00
erik-krogh
e29bf8ced2
Merge branch 'main' into html_safe
2022-10-18 19:49:37 +02:00
Tom Hvitved
6208071575
Merge pull request #10874 from hvitved/ruby/fix-test-syntax-error
Ruby: Fix syntax error in a test
2022-10-18 19:28:17 +02:00
Tom Hvitved
61b9065135
Ruby: Fix syntax error in a test
2022-10-18 16:49:32 +02:00
Arthur Baars
14f150c1f3
Merge pull request #10872 from aibaars/set-output
CI: update actions/cache to v3
2022-10-18 15:09:29 +02:00
Arthur Baars
f56e155080
CI: update actions/cache to v3
2022-10-18 14:07:52 +02:00
erik-krogh
8a3e255e12
remove FPs in rb/stored-xss from spurious sources
2022-10-18 11:07:48 +02:00
erik-krogh
e47e20c5e7
remove use of HtmlSafeCall from tests
2022-10-18 10:43:24 +02:00
erik-krogh
5a98f66bef
simplify the modeling of html_safe. Any call to html_safe is now considered an XSS sink
2022-10-18 10:43:22 +02:00
Tom Hvitved
19bcd287cb
Merge pull request #10867 from hvitved/ruby/orm-tracking-redundant-additional-step
Ruby: Remove redundant additional flow step from `OrmTracking::Configuration`
2022-10-18 10:03:51 +02:00
Tom Hvitved
d362296f1c
Merge pull request #10864 from hvitved/ruby/get-a-barrier-node-join-fix
Ruby: Fix bad join-order in `BarrierGuard::getABarrierNode`
2022-10-18 10:03:02 +02:00
Tom Hvitved
1266d248ed
Ruby: Remove redundant additional flow step from `OrmTracking::Configuration`
2022-10-18 09:33:29 +02:00
Tom Hvitved
6c765a95ff
Ruby: Fix bad join-order in `BarrierGuard::getABarrierNode`
Before
```
Evaluated relational algebra for predicate XSS#e59174e9::Shared::Sanitizer#class#f@6c9d334e with tuple counts:
0 ~0% {1} r1 = JOIN ActionView#3462bac2::RailsHtmlEscaping#f WITH project#DataFlowPublic#e1781e31::CallNode::getArgument#1#dispred#fff#3 ON FIRST 1 OUTPUT Lhs.0
554860 ~0% {2} r2 = JOIN SsaImpl#ff97b16a::Cached::getARead#1#ff_10#join_rhs WITH DataFlowPrivate#462ff392::Cached::TExprNode#ff ON FIRST 1 OUTPUT Lhs.1, Rhs.1
1 ~0% {1} r3 = JOIN r2 WITH DataFlowPublic#e1781e31::BarrierGuard#BarrierGuards#2462899b::stringConstArrayInclusionCall#::getAMaybeGuardedCapturedDef#0#f ON FIRST 1 OUTPUT Lhs.1
1 ~0% {1} r4 = r1 UNION r3
7 ~0% {1} r5 = JOIN r2 WITH DataFlowPublic#e1781e31::BarrierGuard#BarrierGuards#2462899b::stringConstCompare#::getAMaybeGuardedCapturedDef#0#f ON FIRST 1 OUTPUT Lhs.1
3045081 ~1% {3} r6 = JOIN DataFlowPrivate#462ff392::Cached::TExprNode#ff_10#join_rhs WITH DataFlowPrivate#462ff392::Cached::TExprNode#ff_10#join_rhs ON FIRST 1 OUTPUT Lhs.1, Lhs.0, Rhs.1
3045081 ~1% {3} r7 = JOIN r6 WITH ControlFlowGraph#46cebcbd::CfgNode::getBasicBlock#0#dispred#ff ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Rhs.1
554860 ~1% {3} r8 = JOIN r7 WITH SsaImpl#ff97b16a::Cached::getARead#1#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2
1462917146 ~0% {3} r9 = JOIN r8 WITH SsaImpl#ff97b16a::Cached::getARead#1#ff ON FIRST 1 OUTPUT Lhs.2, Lhs.1, Rhs.1
5082692 ~1% {4} r10 = JOIN r9 WITH DataFlowPublic#e1781e31::guardControlsBlock#3#fff_102#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.2, Rhs.2, Lhs.1
33 ~0% {1} r11 = JOIN r10 WITH BarrierGuards#2462899b::stringConstArrayInclusionCall#3#fff ON FIRST 3 OUTPUT Lhs.3
57 ~0% {1} r12 = JOIN r10 WITH BarrierGuards#2462899b::stringConstCompare#3#fff ON FIRST 3 OUTPUT Lhs.3
90 ~0% {1} r13 = r11 UNION r12
97 ~0% {1} r14 = r5 UNION r13
98 ~0% {1} r15 = r4 UNION r14
return r15
```
After
```
[2022-10-17 20:35:01] Evaluated non-recursive predicate XSS#e59174e9::Shared::Sanitizer#class#f@487a64ar in 65ms (size: 98).
Evaluated relational algebra for predicate XSS#e59174e9::Shared::Sanitizer#class#f@487a64ar with tuple counts:
0 ~0% {1} r1 = JOIN ActionView#3462bac2::RailsHtmlEscaping#f WITH project#DataFlowPublic#e1781e31::CallNode::getArgument#1#dispred#fff#3 ON FIRST 1 OUTPUT Lhs.0
33 ~0% {1} r2 = JOIN DataFlowPublic#e1781e31::BarrierGuard#BarrierGuards#2462899b::stringConstArrayInclusionCall#::guardChecksSsaDef#3#fff WITH DataFlowPublic#e1781e31::BarrierGuard#BarrierGuards#2462899b::stringConstArrayInclusionCall#::guardControlsSsaDef#4#ffff ON FIRST 3 OUTPUT Rhs.3
33 ~0% {1} r3 = r1 UNION r2
57 ~1% {1} r4 = JOIN DataFlowPublic#e1781e31::BarrierGuard#BarrierGuards#2462899b::stringConstCompare#::guardChecksSsaDef#3#fff WITH DataFlowPublic#e1781e31::BarrierGuard#BarrierGuards#2462899b::stringConstArrayInclusionCall#::guardControlsSsaDef#4#ffff ON FIRST 3 OUTPUT Rhs.3
554860 ~0% {2} r5 = JOIN SsaImpl#ff97b16a::Cached::getARead#1#ff_10#join_rhs WITH DataFlowPrivate#462ff392::Cached::TExprNode#ff ON FIRST 1 OUTPUT Lhs.1, Rhs.1
1 ~0% {1} r6 = JOIN r5 WITH DataFlowPublic#e1781e31::BarrierGuard#BarrierGuards#2462899b::stringConstArrayInclusionCall#::getAMaybeGuardedCapturedDef#0#f ON FIRST 1 OUTPUT Lhs.1
7 ~0% {1} r7 = JOIN r5 WITH DataFlowPublic#e1781e31::BarrierGuard#BarrierGuards#2462899b::stringConstCompare#::getAMaybeGuardedCapturedDef#0#f ON FIRST 1 OUTPUT Lhs.1
8 ~0% {1} r8 = r6 UNION r7
65 ~2% {1} r9 = r4 UNION r8
98 ~1% {1} r10 = r3 UNION r9
return r10
```
2022-10-17 20:39:30 +02:00
erik-krogh
bb4bc55c6a
update expected output
2022-10-17 15:52:21 +02:00
erik-krogh
f09e3bd3ac
add String#% as a printf like call
2022-10-17 13:51:43 +02:00
Arthur Baars
f7ff2cdc0d
Merge branch 'main' into actiondispatch-response
2022-10-17 13:22:17 +02:00
erik-krogh
d4919d04ba
add a taint-step for format-calls
2022-10-17 13:16:38 +02:00
erik-krogh
f222cc1f3e
refactor the existing taint-step for string interpolation into StringFormatters.qll
2022-10-17 13:16:38 +02:00
erik-krogh
6de1abcb0e
add a returnsFormatted predicate to the printf model, similar to the JS implementation
2022-10-17 13:16:38 +02:00
erik-krogh
a2b924bbdf
move model of printf style calls to StringFormatters.qll
2022-10-17 13:16:34 +02:00
erik-krogh
dbf2673a91
add returnsFormatted predicate to PrintfStyleCall (similar to JS)
2022-10-17 12:15:31 +02:00
erik-krogh
46627a737e
add an AdditionalTaintStep class for Ruby
2022-10-17 12:15:30 +02:00
Erik Krogh Kristensen
122d188f1d
Merge pull request #10832 from erik-krogh/passRb
RB: add model for the `Digest` and `OpenSSL::Digest` modules
2022-10-17 10:02:33 +02:00
erik-krogh
191efdf6e0
replace `getMethod("new").getReturn()` with `getInstance()`
2022-10-17 09:35:44 +02:00
Anders Schack-Mulligen
6ef5fac239
Merge pull request #10814 from aschackmull/dataflow/synth-global
Dataflow: Add support for synthetic global fields in MaD.
2022-10-17 08:34:26 +02:00
Harry Maclean
aa6c433529
Ruby: Update test fixture
This change is due to a8fdda65fb.
2022-10-17 09:44:32 +13:00
Harry Maclean
eddb8493d8
Apply suggestions from code review
Co-authored-by: Nick Rolfe <nickrolfe@github.com>
2022-10-17 09:34:44 +13:00
Harry Maclean
0e6322d673
Ruby: Restrict XSS header sinks
Not all header writes are relevant to XSS. Restrict these to just
content-type and access-control-allow-origin.
2022-10-17 09:34:44 +13:00
Harry Maclean
8ae86cf443
Ruby: Consider header writes as XSS sinks
2022-10-17 08:17:37 +13:00
Harry Maclean
545222d1e9
Ruby: Add change note
2022-10-17 08:17:37 +13:00
Harry Maclean
73ca595b56
Ruby: Model ActionDispatch::Response
2022-10-17 08:17:37 +13:00
Arthur Baars
ae0c9b76e0
Merge pull request #10843 from aibaars/fix-self
Ruby: fix self variables in blocks
2022-10-15 00:48:14 +02:00
Alex Ford
2c5129e720
Merge pull request #10369 from alexrford/rb/sensitive-get-query
Ruby: add `rb/sensitive-get-query` query
2022-10-14 22:34:47 +01:00
Arthur Baars
a8fdda65fb
Ruby: fix self variables in blocks
2022-10-14 16:02:39 +02:00
Asger F
8cb4f230d8
Merge branch 'main' into rb/fix-spurious-singleton-calls
2022-10-14 15:52:38 +02:00
Tom Hvitved
407f7072e4
Merge pull request #10829 from hvitved/ruby/call-graph-perf
Ruby: Call graph performance improvements
2022-10-14 15:24:27 +02:00
Asger F
1bd3d29409
Ruby: workaround issue with 'def self.method' in a block
2022-10-14 15:07:33 +02:00
erik-krogh
5f826d0eef
fix typo
2022-10-14 14:43:51 +02:00
Asger F
17a246b321
Ruby: more uninteresting test updates
2022-10-14 13:59:52 +02:00
erik-krogh
dfdf8c7869
add change-note
2022-10-14 13:28:36 +02:00
erik-krogh
7c76645157
add model for the core OpenSSL::Digest module
2022-10-14 13:25:34 +02:00
erik-krogh
e2476949b9
add model for the core Digest module
2022-10-14 12:49:37 +02:00
Arthur Baars
9ccf5a7798
Merge pull request #10749 from aibaars/run_request
Ruby: treat Faraday#run_request as remote source
2022-10-14 12:24:39 +02:00
Asger F
8228730634
Ruby: fix regression for methods in singleton classes
2022-10-14 11:57:35 +02:00
Alex Ford
b29bf82e05
Ruby: fix merge error
2022-10-14 10:51:12 +01:00
Alex Ford
3baad89e57
Merge remote-tracking branch 'origin/main' into rb/sensitive-get-query
2022-10-14 10:50:09 +01:00
Asger F
30f7380f74
Ruby: Add regression test for lost calls
2022-10-14 11:49:55 +02:00
Alex Ford
24dad5599a
Ruby: fix SensitiveNode detection relating to class/instance variables
2022-10-14 10:41:46 +01:00
Harry Maclean
7d23170fb2
Merge pull request #10602 from hmac/hmac/actiondispatch-request
Ruby: Model ActionDispatch::Request
2022-10-14 22:17:20 +13:00
Alex Ford
36a1b18f5b
Ruby: revert SensitiveDataHeuristics changes
2022-10-14 09:19:41 +01:00
Asger F
a06cc30f05
Ruby: fix some more spurious call edges
2022-10-14 10:11:22 +02:00
Asger F
b1dadc224c
Ruby: uninteresting test output update
2022-10-14 10:10:39 +02:00
Asger F
ae71828fc4
Ruby: add more tests for singleton up/down calls
2022-10-14 10:09:59 +02:00
Asger F
789f591de4
Ruby: add another spurious call edge test
2022-10-14 10:09:57 +02:00
Asger F
1476efbe2c
Ruby: restrict to a use of 'self' in singleton methods
2022-10-14 10:09:11 +02:00
Asger F
329ab9156a
Ruby: add test showing spurious call
2022-10-14 10:07:34 +02:00
Tom Hvitved
81bc6c2d49
Ruby: Call graph performance improvements
2022-10-14 09:47:27 +02:00
Erik Krogh Kristensen
332bc35ff1
Merge pull request #10708 from erik-krogh/kernelSink
RB: add a query flagging uses of `Kernel.open()` that are not with a constant string
2022-10-14 09:13:26 +02:00
Harry Maclean
e6dc27a7b5
Add content_mime_type, fix env/filtered_env
2022-10-14 19:49:22 +13:00
Harry Maclean
0130e4ba7f
Re-add path methods that are user-controlled
2022-10-14 16:49:15 +13:00
Alex Ford
cda7d84633
Ruby: update rb/sensitive-get-query tests
2022-10-13 22:41:34 +01:00
Alex Ford
3d478a3951
Ruby: clarify qhelp
2022-10-13 22:39:54 +01:00
Alex Ford
9fbd293944
Ruby: avoid making notSensitiveRegexp always flag instance/class variables as not sensitive
2022-10-13 22:38:42 +01:00
Alex Ford
15cab6eed5
Update ruby/ql/src/queries/security/cwe-598/SensitiveGetQuery.qhelp
Co-authored-by: Arthur Baars <aibaars@github.com>
2022-10-13 21:43:59 +01:00