github
/
codeql
зеркало из https://github.com/github/codeql.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
58 206 коммитов 1 534 Ветки 130 Теги 471 MiB
Граф коммитов

3781 Коммитов

Автор SHA1 Сообщение Дата
Tom Hvitved c4b626a416 Ruby: Use data flow consistency checks from shared pack 2023-08-30 15:29:41 +02:00
Jeroen Ketema 0d1fd88729
Merge pull request #14050 from jketema/inline-6 
Consolidate all `InlineFlowTest` libraries in the dataflow qlpack
 2023-08-29 09:30:35 +02:00
Dave Bartolomeo 3343b78015
Merge pull request #14074 from github/post-release-prep/codeql-cli-2.14.3 
Post-release preparation for codeql-cli-2.14.3
 2023-08-28 13:34:10 -04:00
github-actions[bot] 3eba77421a Post-release preparation for codeql-cli-2.14.3 2023-08-28 15:53:49 +00:00
Alex Ford 9957e2683b
Merge pull request #13313 from maikypedia/maikypedia/ldap-improper-auth 
Ruby: Add Improper LDAP Authentication query (CWE-287)
 2023-08-25 20:52:34 +01:00
Alex Ford ae635c609f Ruby: autoformat 2023-08-25 17:11:07 +01:00
Maiky ffd618d6cc Revert "Add `""` and `nil` as sources" 
This reverts commit 664c1eba72.
 2023-08-25 15:23:55 +02:00
Jeroen Ketema 9d573e5544
Consolidate all `InlineFlowTest` libraries in the dataflow qlpack 2023-08-24 21:38:46 +02:00
Harry Maclean 54c2221f35
Merge pull request #14033 from hmac/excon-bugfix 
Ruby: Fix bug in excon model
 2023-08-23 14:24:53 +01:00
Harry Maclean d18ca3f5d7 Ruby: Fix bug in excon model 
If a codebase included a definition for `Excon.new`, we matched
connection nodes to unrelated request nodes.
 2023-08-23 12:55:36 +01:00
Harry Maclean 842da58269 Ruby: Update test fixture 2023-08-23 09:59:04 +01:00
Harry Maclean fb4b774c0d
Merge pull request #13967 from hmac/remove-splat-all 
Ruby: Remove isSplatAll
 2023-08-23 09:40:06 +01:00
Maiky 664c1eba72 Add `""` and `nil` as sources 2023-08-22 18:10:33 +02:00
Maiky f301e46175 Remove `isEmptyPassword` predicate 2023-08-22 12:23:32 +02:00
Tom Hvitved 5192d7c137
Merge pull request #13997 from hvitved/ruby/type-tracking-splats 
Ruby: Include more (hash) splat flow in type tracking
 2023-08-22 11:33:39 +02:00
Tom Hvitved 3f54ecbcc2
Update ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll 
Co-authored-by: Harry Maclean <hmac@github.com>
 2023-08-22 11:18:12 +02:00
Michael Nebel ce6fd8ac5f
Merge pull request #13432 from michaelnebel/updateissupported 
Java/C#: Update telemetry queries to report callables with sink/source neutrals as being supported.
 2023-08-22 08:39:38 +02:00
Harry Maclean 414ae76ae1 Ruby: Add another splat flow test 2023-08-21 16:21:55 +01:00
Harry Maclean c615f183c1 Ruby: Add test for spurious splat flow 
We don't yet properly model splat flow when a positional argument
follows a splat argument.
 2023-08-21 16:11:10 +01:00
Jeroen Ketema 2d0f73d7c2
Merge pull request #13881 from jketema/shared-taint-tracking 
Introduce shared taint tracking library
 2023-08-21 12:45:49 +02:00
Michael Nebel 106ba11e10 Address review comments. 2023-08-21 09:59:02 +02:00
Michael Nebel d66fe08661 Add QLDoc for the getKind predicate. 2023-08-21 09:59:02 +02:00
Michael Nebel 4c06fbdc65 Ruby: Sync files and make manual changes. 2023-08-21 09:59:01 +02:00
github-actions[bot] 098dfb4242 Release preparation for version 2.14.3 2023-08-18 14:48:15 +00:00
Tom Hvitved deaa37d9d3 Ruby: Include more (hash)splat flow in type tracking 2023-08-18 14:07:12 +02:00
Tom Hvitved da05e3e0e8 Ruby: Add more type tracking tests 2023-08-18 13:51:29 +02:00
Harry Maclean 0bbda992fb Ruby: Remove isSplatAll arg/parameter position 
This is equivalent to isSplat(0).
 2023-08-18 12:09:04 +01:00
Harry Maclean 222aa41bbf
Merge pull request #13938 from hmac/splat-flow-2 
Ruby: More precise flow into splat parameters
 2023-08-18 12:07:58 +01:00
Tom Hvitved da8005dbd3 Code review suggestions 2023-08-17 09:26:58 +02:00
Jeroen Ketema 33e8310625
Merge branch 'main' into shared-taint-tracking 2023-08-17 00:14:25 +02:00
Maiky 5f502ec6bb
rename change-note 2023-08-16 15:32:53 +02:00
Tom Hvitved 44b734e120
Merge pull request #13955 from hvitved/ruby/type-tracking-capture-insensitive 
Ruby: Make type tracking flow-insensitive for captured variables
 2023-08-15 11:42:41 +02:00
Erik Krogh Kristensen 6a3b9e10eb
Merge pull request #13914 from erik-krogh/escape-unicode 
ReDoS: escape unicode chars in the output for the ReDoS queries
 2023-08-15 11:21:21 +02:00
Tom Hvitved 061575ff77
Merge pull request #13937 from hvitved/ruby/for-loop-desugar 
Ruby: Improve desugaring of `for` loops
 2023-08-14 20:12:12 +02:00
Arthur Baars 77db0cf547
Merge pull request #13334 from aibaars/print-cfg-2 
Ruby: printCfg: only show graph for selected CfgScope
 2023-08-14 18:24:20 +02:00
Tom Hvitved e96cbeb00a Ruby: Adjust locations of synthesized nodes 2023-08-14 14:37:47 +02:00
Tom Hvitved c084a9b27a Ruby: Make type tracking flow-insensitive for captured variables 2023-08-14 13:44:37 +02:00
Harry Maclean d45e9101ba Ruby: Add change note 2023-08-14 11:20:58 +01:00
Harry Maclean ca5456a54a Ruby: Remove duplicate disjuncts 2023-08-14 09:45:57 +01:00
Henry Mercer 75e6fd9c8e
Merge pull request #13918 from github/post-release-prep/codeql-cli-2.14.2 
Post-release preparation for codeql-cli-2.14.2
 2023-08-11 16:28:16 +01:00
Harry Maclean 6011d26823 Ruby: Restrict parameter nodes 2023-08-11 15:14:32 +01:00
Tom Hvitved e39fb093e9
Merge pull request #13945 from hvitved/ruby/destruct-param-test 
Ruby: Add test for documenting missing flow through destructured parameters
 2023-08-11 15:11:39 +02:00
Henry Mercer 1213eba630
Merge branch 'main' into post-release-prep/codeql-cli-2.14.2 2023-08-11 13:54:55 +01:00
Tom Hvitved b28f60ccd2 Ruby: Add test for documenting missing flow through destructured parameters 2023-08-10 20:22:11 +02:00
Tom Hvitved f19232f800 Ruby: Fix another bug in `isCapturedAccess` 2023-08-10 14:02:58 +02:00
Harry Maclean b365ff095a Ruby: Fix SynthSplatParameterElementNode 
Make this class into a proper subclass of `ParameterNodeImpl`, to
prevent some consistency test failures.
 2023-08-10 12:35:12 +01:00
Tom Hvitved 77fca277fe Ruby: Improve desugaring of `for` loops 2023-08-10 13:22:01 +02:00
Tom Hvitved 4e954c29a2
Merge pull request #13936 from hvitved/ruby/captured-access-fix 
Ruby: Fix bug in `isCapturedAccess`
 2023-08-10 13:15:48 +02:00
Harry Maclean 5fff9fa8da More precise flow into splat parameters 
We now precisely track flow from positional arguments to splat
parameters, provided that splat arguments are not used and there are no
positional parameters after the splat parameter. For example, in this
case:

    def f(x, y, *z); end

    f(a, b, c, d)

we get flow from `c` to `z[0]` and `d` to `z[1]`.

We get false flow if there are positional parameters after the splat
parameter. For example in this case:

    def g(x, y, *z, w); end

    g(a, b, c, d)

we get flow from `d` to `z[0]` instead of `w`.

We also track flow in this case

    def f(a, *b)
      sink b[0]
    end

    f(1, *[taint, 2])
 2023-08-10 12:02:47 +01:00
Tom Hvitved e40f0a7350 Ruby: Fix bug in `isCapturedAccess` 2023-08-10 09:37:04 +02:00