github
/
codeql
зеркало из https://github.com/github/codeql.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность
62 622 коммитов 1 541 ветка 130 Теги 483 MiB
Граф коммитов

2953 Коммитов

Автор SHA1 Сообщение Дата
Michael Nebel 106ba11e10 Address review comments. 2023-08-21 09:59:02 +02:00
Michael Nebel d66fe08661 Add QLDoc for the getKind predicate. 2023-08-21 09:59:02 +02:00
Michael Nebel 4c06fbdc65 Ruby: Sync files and make manual changes. 2023-08-21 09:59:01 +02:00
github-actions[bot] 098dfb4242 Release preparation for version 2.14.3 2023-08-18 14:48:15 +00:00
Tom Hvitved deaa37d9d3 Ruby: Include more (hash)splat flow in type tracking 2023-08-18 14:07:12 +02:00
Harry Maclean 0bbda992fb Ruby: Remove isSplatAll arg/parameter position 
This is equivalent to isSplat(0).
 2023-08-18 12:09:04 +01:00
Harry Maclean 222aa41bbf
Merge pull request #13938 from hmac/splat-flow-2 
Ruby: More precise flow into splat parameters
 2023-08-18 12:07:58 +01:00
Tom Hvitved da8005dbd3 Code review suggestions 2023-08-17 09:26:58 +02:00
Jeroen Ketema 33e8310625
Merge branch 'main' into shared-taint-tracking 2023-08-17 00:14:25 +02:00
Tom Hvitved 44b734e120
Merge pull request #13955 from hvitved/ruby/type-tracking-capture-insensitive 
Ruby: Make type tracking flow-insensitive for captured variables
 2023-08-15 11:42:41 +02:00
Tom Hvitved 061575ff77
Merge pull request #13937 from hvitved/ruby/for-loop-desugar 
Ruby: Improve desugaring of `for` loops
 2023-08-14 20:12:12 +02:00
Arthur Baars 77db0cf547
Merge pull request #13334 from aibaars/print-cfg-2 
Ruby: printCfg: only show graph for selected CfgScope
 2023-08-14 18:24:20 +02:00
Tom Hvitved e96cbeb00a Ruby: Adjust locations of synthesized nodes 2023-08-14 14:37:47 +02:00
Tom Hvitved c084a9b27a Ruby: Make type tracking flow-insensitive for captured variables 2023-08-14 13:44:37 +02:00
Harry Maclean d45e9101ba Ruby: Add change note 2023-08-14 11:20:58 +01:00
Harry Maclean ca5456a54a Ruby: Remove duplicate disjuncts 2023-08-14 09:45:57 +01:00
Harry Maclean 6011d26823 Ruby: Restrict parameter nodes 2023-08-11 15:14:32 +01:00
Henry Mercer 1213eba630
Merge branch 'main' into post-release-prep/codeql-cli-2.14.2 2023-08-11 13:54:55 +01:00
Tom Hvitved f19232f800 Ruby: Fix another bug in `isCapturedAccess` 2023-08-10 14:02:58 +02:00
Harry Maclean b365ff095a Ruby: Fix SynthSplatParameterElementNode 
Make this class into a proper subclass of `ParameterNodeImpl`, to
prevent some consistency test failures.
 2023-08-10 12:35:12 +01:00
Tom Hvitved 77fca277fe Ruby: Improve desugaring of `for` loops 2023-08-10 13:22:01 +02:00
Tom Hvitved 4e954c29a2
Merge pull request #13936 from hvitved/ruby/captured-access-fix 
Ruby: Fix bug in `isCapturedAccess`
 2023-08-10 13:15:48 +02:00
Harry Maclean 5fff9fa8da More precise flow into splat parameters 
We now precisely track flow from positional arguments to splat
parameters, provided that splat arguments are not used and there are no
positional parameters after the splat parameter. For example, in this
case:

    def f(x, y, *z); end

    f(a, b, c, d)

we get flow from `c` to `z[0]` and `d` to `z[1]`.

We get false flow if there are positional parameters after the splat
parameter. For example in this case:

    def g(x, y, *z, w); end

    g(a, b, c, d)

we get flow from `d` to `z[0]` instead of `w`.

We also track flow in this case

    def f(a, *b)
      sink b[0]
    end

    f(1, *[taint, 2])
 2023-08-10 12:02:47 +01:00
Tom Hvitved e40f0a7350 Ruby: Fix bug in `isCapturedAccess` 2023-08-10 09:37:04 +02:00
Maiky 97f8d1fca9 add `getValue()` method 2023-08-10 00:39:35 +02:00
Maiky e60fa6f1a7 Remove unnecesary } 2023-08-10 00:25:47 +02:00
Maiky c5c2df4593 fix `Singleton set literal` 2023-08-10 00:13:02 +02:00
github-actions[bot] 432c21d4fb Post-release preparation for codeql-cli-2.14.2 2023-08-09 18:45:18 +00:00
Harry Maclean b03f6efa60 Ruby: Refactor 2023-08-09 15:01:40 +01:00
Harry Maclean 142393b599 Ruby: Handle unknown content in splat flow 2023-08-09 15:01:40 +01:00
Harry Maclean 4239268efd Ruby: Prevent some false flow into splat params 
In cases where there are positional parameters after a splat parameter,
don't attempt to match the splat parameter to a splat argument. We need
more sophisticated modelling to handle these cases, which is future
work.
 2023-08-09 15:01:40 +01:00
Harry Maclean 6f3e2cdde3 Ruby: Add change note 2023-08-09 15:01:40 +01:00
Harry Maclean 72356d1515 Ruby: track flow from *args to positional params 
This models flow in the following case:

    def foo(x, y)
      sink x # 1
      sink y # 2
    end

    args = [source 1, source 2]
    foo(*args)

We do this by introducing a SynthSplatParameterNode which accepts
content from the splat argument, if one is given at the callsite.
From this node we add read steps to each positional parameter.
 2023-08-09 15:01:40 +01:00
github-actions[bot] 79c90fa36a Release preparation for version 2.14.2 2023-08-07 18:08:52 +00:00
Jeroen Ketema 8b6a7985db
Refactor the traint-tracking library to follow the dataflow library refactoring 2023-08-07 15:23:15 +02:00
Jeroen Ketema 5d2984b7a5
Merge branch 'main' into shared-taint-tracking 2023-08-07 15:22:29 +02:00
Tom Hvitved db88b7da88 Ruby: Adjust to data flow refactor 2023-08-07 11:35:21 +02:00
Jeroen Ketema 747cd1745a
Update all languages to use the shared taint-tracking library 2023-08-04 22:53:25 +02:00
Mathias Vorreiter Pedersen abe3a816ce
Merge pull request #13851 from MathiasVP/sink-without-states 
DataFlow: Support stateless `isSink` in `StateConfigSig`s
 2023-08-04 18:01:42 +02:00
Maiky 0cd1c1e2e5
Make private 
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
 2023-08-03 17:08:50 +02:00
Maiky 0dec4876f1
Replace cast to `DataFlow::CallNode` 
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
 2023-08-03 17:08:35 +02:00
Maiky c54561e775
Merge branch 'main' into maikypedia/ldap-improper-auth 2023-08-03 16:49:30 +02:00
Maiky fd649c1702 Fix `getHost()` (ldap.host = ip is not covered) 2023-08-03 16:37:48 +02:00
Maiky f7a662814d simplify `usesSsl()` 2023-08-03 16:20:20 +02:00
Maiky 2d87489dfa change `useSsl()` to `usesSsl()` 2023-08-03 16:18:44 +02:00
Tom Hvitved e011480114
Merge pull request #13509 from hvitved/cfg-pack 
Convert shared CFG construction library to a parameterized module
 2023-08-03 14:11:56 +02:00
Tom Hvitved 2ac646770e Merge `ControlFlowTreeBase` and `AstNode` 2023-08-03 10:59:26 +02:00
Tom Hvitved 525ed65b0b Rename `getNode` to `getAstNode` 2023-08-03 10:56:50 +02:00
Asger F c38cbe859d
Merge pull request #13737 from asgerf/dynamic/fuzzy-models 
Dynamic: add Fuzzy token
 2023-08-03 09:58:24 +02:00
Tom Hvitved 2f3e52646c Add class wrappers around `newtype` in `Cfg.qll` 2023-08-03 09:39:30 +02:00
Tom Hvitved 5d69e14cc1 Rename `ControlFlowElement` to `AstNode` 2023-08-03 09:39:30 +02:00
Tom Hvitved 1988397f93 Make shared CFG construction library a parameterized module 2023-08-03 09:39:30 +02:00
Mathias Vorreiter Pedersen 3007fdab5e Sync identical files. 2023-08-02 14:33:33 +02:00
Anders Schack-Mulligen 7bc8bf616f
Merge pull request #13863 from aschackmull/dataflow/pack4 
Dataflow: Move the shared library to a properly shared qlpack.
 2023-08-02 14:19:49 +02:00
Anders Schack-Mulligen 73d4b126cf Ruby: Adjust to use the qlpack data-flow api. 2023-08-01 14:02:33 +02:00
Alex Ford f437a6f729
Merge branch 'main' into maikypedia/ldap-injection 2023-07-31 16:00:41 +01:00
Alex Ford f272b0786a Ruby: fix qldoc typo 2023-07-31 14:58:05 +01:00
Alex Ford 7f82aba7d4 qlformat 2023-07-31 14:57:14 +01:00
Maiky 2d88ac1846 Suggested Changes 2023-07-27 23:40:52 +02:00
Maiky f5e17d7d39 Add additional Filter Methods 2023-07-27 23:04:55 +02:00
Owen Mansel-Chan 9b2b58a823
Sync files 2023-07-26 21:48:10 +01:00
github-actions[bot] f91b7a9342 Post-release preparation for codeql-cli-2.14.1 2023-07-21 16:16:25 +00:00
github-actions[bot] c936a920b0 Release preparation for version 2.14.1 2023-07-20 16:32:27 +00:00
Anders Schack-Mulligen e72a0b2f8c Dataflow: Add change notes. 2023-07-19 11:41:15 +02:00
Anders Schack-Mulligen 95d17045c9 Dataflow: Sync. 2023-07-19 11:41:15 +02:00
Alex Ford 27ee72c265 Merge remote-tracking branch 'origin/main' into rb/rack-env-query-string 2023-07-17 14:11:25 +01:00
Alex Ford 06aefe01b8
Update ruby/ql/lib/codeql/ruby/frameworks/rack/internal/App.qll 
Co-authored-by: Asger F <asgerf@github.com>
 2023-07-17 14:08:44 +01:00
Alex Ford ab1f341aa6
Merge pull request #13566 from alexrford/rb/rack-params 
Ruby: add `Rack::Request` params and cookies as remote input sources
 2023-07-17 14:07:20 +01:00
Maiky 3f36d3244b Fix singleton set literal 2023-07-15 00:18:21 +02:00
Alex Ford bdf1aa0807
Merge pull request #13746 from asgerf/rb/fix-rack-todo 
Ruby: Use API graphs asCallable() instead of Proc.new workaround
 2023-07-14 16:29:00 +01:00
Alex Ford d89c10dd85
Merge pull request #13130 from maikypedia/maikypedia/xpath-injection 
Ruby :  XPath Injection Query (CWE-643)
 2023-07-14 14:10:09 +01:00
Asger F 2962727f0f Ruby: Use API graphs asCallable() instead of Proc.new workaround 2023-07-14 13:50:07 +02:00
Alex Ford dbb55ff2b4 Ruby: fix xpathinjection deprecation warnings 2023-07-14 12:45:27 +01:00
Alex Ford a524735236
Merge branch 'main' into maikypedia/ldap-injection 2023-07-14 12:05:17 +01:00
Alex Ford c0009379d1 qlformat 2023-07-14 12:04:03 +01:00
Asger F 31bed36231
Merge pull request #13612 from asgerf/rb/api-graph-explicit-proc-lambda 
Ruby: Improve support for explicit proc-creation
 2023-07-14 13:02:44 +02:00
Anders Schack-Mulligen 80a799df01
Merge pull request #13735 from aschackmull/dataflow/forcehighprecision-fix 
Dataflow: Fix forceHighPrecision for length-2 prefixes.
 2023-07-14 11:42:35 +02:00
Asger F f1c82b650f Ruby: Implement Fuzzy for Ruby 2023-07-13 15:42:34 +02:00
Asger F 919cb07c1e Sync ApiGraphModels.qll 2023-07-13 15:42:33 +02:00
Asger F 18762db0fb Ruby: factor out isProcCreationCall 2023-07-13 11:53:16 +02:00
Asger F f232669ea5 Ruby: support Proc.new alongside 'proc' and 'lambda' 2023-07-13 11:53:16 +02:00
Asger F 194fe85442 Ruby: Use asCallable() to generate epsilon edges 2023-07-13 11:53:16 +02:00
Anders Schack-Mulligen 91de43f918 C#/Java/Ruby: Remove superfluous module members. 2023-07-13 11:38:35 +02:00
Anders Schack-Mulligen 837df2ad37 Dataflow: Sync. 2023-07-13 10:55:39 +02:00
Maiky db0f38fe06
Update XpathInjectionQuery.qll 2023-07-12 23:46:47 +02:00
Ed Minnix 63299688d5 Add change notes for default implementations of isBarrier and isAdditionalFlowStep 2023-07-12 15:21:16 -04:00
Ed Minnix 94638c9997 Ruby: Add default implementation of StateConfigSig::isAdditionalFlowStep/4 2023-07-12 15:06:25 -04:00
Ed Minnix 8a7081753d Ruby: Add default implementation of StateConfigSig::isBarrier/2 2023-07-12 15:06:25 -04:00
Maiky 1559b7da3c
Update Frameworks.qll 2023-07-12 17:45:45 +02:00
Maiky c4f72dd2f2
Change make to global 
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
 2023-07-11 19:20:34 +02:00
Mathias Vorreiter Pedersen a4c0063ab1
Merge pull request #13679 from MathiasVP/speedup-big-step 
DataFlow: Speed up the big step relation
 2023-07-11 09:44:17 +01:00
Asger F d88f557dbe
Merge pull request #13683 from asgerf/rb/api-graph-noobject 
Ruby: exclude Object class from API graph
 2023-07-10 12:51:15 +02:00
github-actions[bot] 13cf054a9d Post-release preparation for codeql-cli-2.14.0 2023-07-07 14:55:41 +00:00
github-actions[bot] 6484ee106e Release preparation for version 2.14.0 2023-07-07 08:22:14 +00:00
Asger F d8604ff390 Ruby: exclude Object class from API graph 2023-07-07 09:49:21 +02:00
Asger F 86b5f0adc7 Revert "Merge pull request #13620 from github/revert-13496-rb/tracking-on-demand" 
This reverts commit 133de56ac2, reversing
changes made to 28a8e48351.
 2023-07-07 09:42:34 +02:00
Dave Bartolomeo 9631e9f2f1 Bump minor version numbers post-GHES 2023-07-06 10:10:01 -04:00
Dave Bartolomeo 2bb9adfbf1 Merge remote-tracking branch 'origin/main' into dbartol/mergeback-3.10 2023-07-06 10:00:46 -04:00
Erik Krogh Kristensen b2a60bf3d1
Merge pull request #13642 from erik-krogh/san-script 
JS/RB: Fix FP in incomplete-multi-character-sanitization
 2023-07-06 15:38:39 +02:00
Mathias Vorreiter Pedersen 83d0dec0fb DataFlow: Sync identical files. 2023-07-06 14:00:00 +01:00
Maiky a3c58c66e9 Using `DataFlow::ConfigSig` instead of `TaintTracking::Configuration` 2023-07-06 03:14:49 +02:00
Maiky 25814f76b9 Apply suggested changes 2023-07-06 02:20:42 +02:00
Alex Ford ec2c9f20f6 Ruby: rack - env['QUERY_STRING'] changenote 2023-07-05 15:46:56 +01:00
Alex Ford 2b0b2855e1 Ruby: rack - Rack::Response changenote 2023-07-05 15:15:34 +01:00
Alex Ford df62cf8a5a qlformat 2023-07-05 12:19:57 +01:00
Alex Ford 9a263e12ec Ruby: rack - add some qldoc 2023-07-05 12:18:52 +01:00
Alex Ford 175d524146 Ruby: rack - add Rack#Utils.parse_query summary 2023-07-05 12:18:52 +01:00
Alex Ford cc6f6418f5 Ruby: rack - start modelling request inputs 2023-07-05 12:18:52 +01:00
Alex Ford 9b2cd768e1 Ruby: rack - add env['QUERY_STRING'] as an http request input 2023-07-05 11:59:18 +01:00
Alex Ford 5fafd9ecc1
Merge branch 'main' into rb/rack-extend-app-and-resp 2023-07-04 11:43:30 +01:00
Michael Nebel 238f390738
Merge pull request #13452 from michaelnebel/refactorstackprinting 
Re-factor printing of summary component stacks.
 2023-07-04 08:29:10 +02:00
Michael Nebel 243c592447 Address review comments. 2023-07-03 17:01:08 +02:00
Michael Nebel e06bc8fd8d Ruby: Use serialize to for the string representation of ConstantValue. 2023-07-03 14:36:07 +02:00
Michael Nebel bddd22f522 Sync files and make language specific adjustments. 2023-07-03 14:36:07 +02:00
Michael Nebel 6aded7b461 Ruby: Improve AccessPath printing. 2023-07-03 14:36:06 +02:00
Michael Nebel c18f4b1604 Sync files and make language specific rename. 2023-07-03 14:36:06 +02:00
erik-krogh 8c871621f1
sync to ruby 2023-07-01 20:33:02 +02:00
Chuan-kai Lin ce464a7d69 Remove pragma[assume_small_delta] 2023-06-30 11:09:29 -07:00
Alex Ford 9d36ab9204
Merge pull request #13606 from alexrford/rb/sqlite3-getSql 
Ruby: fix sqlite3 `PreparedStatementExecution.getSql()` predicate
 2023-06-30 12:18:46 +01:00
github-actions[bot] 668aaa2dc8 Post-release preparation for codeql-cli-2.13.5 2023-06-30 08:51:48 +00:00
Asger F 5d1a437e9c
Revert "Ruby: overhaul API graphs" 2023-06-29 15:39:19 +02:00
github-actions[bot] 9d7987f822 Release preparation for version 2.13.5 2023-06-29 09:26:18 +00:00
Tom Hvitved 9a26fc3178
Merge pull request #13573 from hvitved/ruby/inline-late-members 
Ruby/Python: Use `inline_late` on member predicates
 2023-06-29 09:07:14 +02:00
Alex Ford ede6b262cd Ruby: fix sqlite3 PreparedStatementExecution.getSql() predicate 2023-06-28 17:09:43 +01:00
Asger F f0517028b9
Merge pull request #13496 from asgerf/rb/tracking-on-demand 
Ruby: overhaul API graphs
 2023-06-28 15:01:37 +02:00
Asger F 39789d4050 Ruby: use a valid change note category 2023-06-28 13:42:05 +02:00
Asger F 2f1223426a Ruby: add change note 2023-06-28 13:36:47 +02:00
Asger F 7af3d226c9 Ruby: simplify Twirp model 2023-06-28 13:20:59 +02:00
Asger F 423da55fb9 Ruby: use asCallable() in Twirp model 2023-06-28 13:20:59 +02:00
Asger F dd868437ce Ruby: add asCallable() 2023-06-28 13:20:59 +02:00
Asger F 6feda75dd6 Ruby: preserve comment in SQLite3 2023-06-28 13:20:58 +02:00
Asger F f171c21002 Ruby: remove forwarder for getADescendentModule 2023-06-28 13:20:58 +02:00
Asger F 174ab25867 Ruby: address some review comments 2023-06-28 13:20:58 +02:00
Tom Hvitved fa92e79bea Ruby/Python: Use `inline_late` on member predicates 2023-06-28 09:04:06 +02:00
Alex Ford 9cf165ac55 Ruby: rack - update a deprecation notice 2023-06-26 15:37:34 +01:00
Alex Ford 8fdc48753c Ruby: rack - replace RackApplication with just the rack RequestHandler 2023-06-26 15:36:37 +01:00
Asger F f6e244995a
Update ruby/ql/lib/codeql/ruby/ApiGraphs.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-06-26 15:32:11 +02:00
Asger F b61e823cab Ruby: clarify qldoc for getADescendentModule 2023-06-26 15:31:18 +02:00
Asger F ef9d910a07
Update ruby/ql/lib/codeql/ruby/ApiGraphs.qll 
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
 2023-06-26 15:28:30 +02:00
Rasmus Wriedt Larsen 0121263e03
Merge branch 'main' into python/enable-summaries-from-models 2023-06-26 11:34:12 +02:00
Alex Ford 6008c7bee4 Ruby: rack - change note for response and app recognition improvements 2023-06-23 16:16:15 +01:00
Alex Ford b67b80ca2a Ruby: rack - rename App as RackApplication 2023-06-23 16:12:23 +01:00
Alex Ford de6547341f qlformat 2023-06-23 13:36:39 +01:00
Alex Ford 4b3d99529a Ruby: rack - rename getResponse as getAResponse 2023-06-23 13:13:07 +01:00
Alex Ford 4f9f41acd5 Ruby: rack - fix qldoc 2023-06-23 13:11:00 +01:00
Tom Hvitved f28aefad8b Ruby: Reduce string pool preasure by late-inlining `locationRelativePathToString` 
```
[2023-06-23 13:48:23] Evaluated non-recursive predicate Sinatra#e09174a3::Sinatra::locationRelativePathToString#1#ff@683a25ce in 34682ms (size: 8048121).
Evaluated relational algebra for predicate Sinatra#e09174a3::Sinatra::locationRelativePathToString#1#ff@683a25ce with tuple counts:
        8048122  ~0%    {6} r1 = SCAN locations_default OUTPUT In.1, In.0, toString(In.5), toString(In.2), toString(In.3), toString(In.4)
        8048121  ~0%    {2} r2 = JOIN r1 WITH FileSystem#df18ed9a::Make#FileSystem#e91ad87f::Input#::Container::getRelativePath#0#dispred#ff ON FIRST 1 OUTPUT Lhs.1, (Rhs.1 ++ "@" ++ Lhs.3 ++ ":" ++ Lhs.4 ++ ":" ++ Lhs.5 ++ ":" ++ Lhs.2)
                        return r2
```
 2023-06-23 14:01:16 +02:00
Asger F 0039cb141e Merge branch 'main' into rb/tracking-on-demand 2023-06-23 12:55:54 +02:00
yoff 26856a82a6
Apply suggestions from code review 
Co-authored-by: Asger F <asgerf@github.com>
 2023-06-23 10:15:20 +02:00
Geoffrey White fe71207475
Merge pull request #13537 from geoffw0/regexqldoc 
Ruby: Fix some QLDoc errors in ParseRegExp.qll
 2023-06-22 14:55:39 +01:00
Geoffrey White d06f4b9567 Ruby: Correct QLDoc for qualifiedPart. 2023-06-22 13:56:42 +01:00
Geoffrey White 1c1637a886 Ruby: Correct QLDoc for charRange. 2023-06-22 13:56:06 +01:00
Alex Ford f8140bcad3 Ruby: rack - improve performance of trackRackResponse 2023-06-22 13:45:44 +01:00
Alex Ford 4d59181571 Ruby: rack - Rack::Response#finish constructs a valid rack response 2023-06-22 13:45:44 +01:00
Alex Ford 521e65c5bd Ruby: rack - extend rack applications to include instance methods, lambdas, and procs 2023-06-22 13:45:44 +01:00
Alex Ford 7a3b6f107b Ruby: add predicates to DataFlow::ModuleNode to get singleton methods 2023-06-22 13:45:44 +01:00
Alex Ford 24e83165ee
Merge pull request #13289 from alexrford/rb/rack-redirect 
Ruby: rack - model redirect responses
 2023-06-22 13:45:02 +01:00
Henry Mercer 5afdaf8fe1
Merge pull request #13525 from github/rc/3.10 
Merge `rc/3.10` back to `main`
 2023-06-21 17:13:36 +01:00
Jami 5259a6ecfc
Merge pull request #13324 from jcogs33/jcogs33/shared-sink-kind-validation 
Shared: share MaD kind validation across languages
 2023-06-20 11:56:12 -04:00
Alex Ford 8ef8a0d2f6 qlformat 2023-06-20 14:59:13 +01:00
Alex Ford 7aec22c1e4 Ruby: rack - remove MIME modelling 2023-06-20 14:57:23 +01:00
Owen Mansel-Chan d7c97f8759
Merge pull request #13455 from owen-mc/dataflow/add-flowCheckNodeSpecific 
Dataflow: add language-specific hook for breaking up big step relation
 2023-06-20 13:24:26 +01:00
github-actions[bot] 18b678e69e Post-release preparation for codeql-cli-2.13.4 2023-06-20 10:20:05 +00:00
yoff 579c56c744
Merge pull request #13178 from yoff/python-ruby/track-through-summaries-pm 
ruby/python: Shared module for typetracking through flow summaries
 2023-06-20 11:19:45 +02:00
Jeroen Ketema 9c774ac97f
Merge pull request #13426 from jketema/inline-3 
Update inline flow tests to use parameterized module
 2023-06-19 17:39:29 +02:00
Asger F e3a04499f6 Ruby: minor overhaul of ActiveResource model 2023-06-19 12:15:57 +02:00
Asger F 8bc4193ce0 Ruby: minor overhaul of ActiveRecord model 
Old version had scalability issues when adding taking more interprocedural flow and inheritance into account.
 2023-06-19 12:15:44 +02:00
Asger F bb3b973b32 Ruby: use new features in ActionController 2023-06-19 12:06:35 +02:00
Asger F fbfa31937f Ruby: use new features in ActionMailer 2023-06-19 12:05:57 +02:00
Asger F 1ae41484da Ruby: Use new features in ActionMailbox model 2023-06-19 12:05:15 +02:00
Asger F f8ae5301a4 Ruby: update Twirp 
This used right-to-left evaluation for API graphs, which is not supported anymore
 2023-06-19 12:04:53 +02:00
Asger F b305c13b65 Ruby: update SQLite3 model 2023-06-19 12:04:12 +02:00
Asger F 2ef010f1c0 Ruby: update GraphQL model 2023-06-19 12:04:00 +02:00
Asger F 61cda97163 Ruby: rename some call sites 2023-06-19 12:03:25 +02:00
Asger F 5b05e72d27 Ruby: switch to local dataflow when dealing with Kernel/IO 2023-06-19 12:02:39 +02:00
Asger F 0110610c6a Ruby: overhaul API graphs 2023-06-19 12:01:42 +02:00
Maiky 849e732c48 typos 2023-06-19 01:16:27 +02:00
Rasmus Lerchedahl Petersen 3cf9e3e692 Py/js/ruby: sync files 2023-06-18 21:52:49 +02:00
Jeroen Ketema d82c3ce11a
Ruby: Rewrite `InlineFlowTest` as a parameterized module 2023-06-15 10:52:23 +02:00
Maiky f6887c86b3
Rename Libxml.qll to LibXml.qll 2023-06-15 00:19:23 +02:00
Maiky e5fe5403b7 Apply requested changes 2023-06-14 22:55:14 +02:00
Rasmus Lerchedahl Petersen 0e713e6fc1 ruby/python: more consistent naming of parameters 2023-06-14 21:02:42 +02:00
Owen Mansel-Chan 3ff6d033d3
Rename to `neverSkipInPathGraph` 2023-06-14 15:29:54 +01:00
Owen Mansel-Chan e34bcef2bd
Ruby: Move path summary visibility code into flowCheckNodeSpecific 2023-06-14 14:46:41 +01:00
Owen Mansel-Chan 5f72ce0935
Add stub implementations of flowCheckNodeSpecific 2023-06-14 14:46:35 +01:00
Owen Mansel-Chan e0f7437d40
Sync dataflow library 2023-06-14 14:29:56 +01:00
Jami 35591113c2
Merge branch 'main' into jcogs33/shared-sink-kind-validation 2023-06-14 08:06:34 -04:00
Michael Nebel afec9b05e9
Merge pull request #13147 from michaelnebel/csharp/entityframeworkrefactor 
C#: Use synthetic global in the EntityFramework code instead of jump steps.
 2023-06-14 13:47:56 +02:00
Anders Schack-Mulligen 1a4fca334f
Merge pull request #13273 from aschackmull/dataflow/summarynode-refactor 
Dataflow: Refactor FlowSummaryImpl to synthesize nodes independently from DataFlow::Node.
 2023-06-14 09:38:36 +02:00
Alex Ford 75ccbe58ee Ruby: rack - use Mimetype rather than MimeType in predicate names for consistency with concepts 2023-06-13 12:44:29 +01:00
Alex Ford 977ceb89fd Ruby: rack - remove PotentialResponseNode#getAStatusCode 2023-06-13 12:42:46 +01:00
Alex Ford af1ca7fec7
Update ruby/ql/lib/codeql/ruby/frameworks/rack/internal/App.qll 
Co-authored-by: Asger F <asgerf@github.com>
 2023-06-13 12:37:31 +01:00
Rasmus Lerchedahl Petersen 33ad15e989 ruby: use aliases 2023-06-13 11:49:30 +02:00
Rasmus Lerchedahl Petersen e11f6b5107 ruby/python: adjust shared file 
- move `isNonLocal` to the top
- missing backtics
 2023-06-13 11:49:30 +02:00
Rasmus Lerchedahl Petersen b5961c7f6b ruby: move to internal folder 2023-06-13 11:49:30 +02:00
Rasmus Lerchedahl Petersen 203f8226cb ruby/python: make `SummaryTypeTracker` private 2023-06-13 11:32:06 +02:00
Anders Schack-Mulligen 2d616d494e C#/Ruby: Add fields as per review comments. 2023-06-13 11:26:30 +02:00
Asger F 0d45074caa
Merge pull request #13422 from asgerf/rb/map_filter 
Ruby: fix bug in filter_map summary
 2023-06-13 09:43:47 +02:00
Arthur Baars fad73d71e5
Merge pull request #13307 from hmac/amammad-ruby-YAMLunsafeLoad 
Ruby: Add YAML unsafe deserialization sinks
 2023-06-12 10:43:37 +02:00
Jami Cogswell 9abe3e3da4 Shared: use a module as input to 'KindValidation' 2023-06-09 14:35:37 -04:00
Anders Schack-Mulligen 5062442982 Go/Python/Ruby/Swift: Add stub. 2023-06-09 15:39:28 +02:00
Anders Schack-Mulligen 98f51d7f29 Dataflow: Sync. 2023-06-09 15:39:28 +02:00
Anders Schack-Mulligen 4e531af71b Ruby: Adjust to FlowSummaryImpl changes. 2023-06-09 15:30:35 +02:00
Anders Schack-Mulligen 2cc5bde925 Dataflow: Sync. 2023-06-09 15:27:17 +02:00
Asger F a50d91ea48 Ruby: fix bug in filter_map summary 2023-06-09 14:31:10 +02:00
Rasmus Lerchedahl Petersen b294f48dbe Merge branch 'main' of https://github.com/github/codeql into python-ruby/track-through-summaries-pm 2023-06-09 14:16:34 +02:00
Anders Schack-Mulligen 1b7bbf6320
Merge pull request #13083 from aschackmull/dataflow/typestrengthen 
Dataflow: Strengthen tracked types.
 2023-06-09 13:23:30 +02:00
Arthur Baars a5410bd52d
Merge pull request #13419 from asgerf/rb/restrict-orm-tracking 
Ruby: restrict ORM tracking to calls
 2023-06-09 11:01:05 +02:00
Anders Schack-Mulligen d230509905 Dataflow: Address review comments. 2023-06-09 08:37:36 +02:00
Anders Schack-Mulligen 4399138c82 Dataflow: Fix QL4QL alert. 2023-06-09 08:37:36 +02:00
Anders Schack-Mulligen 53f2b8aab0 Dataflow: Sync. 2023-06-09 08:37:36 +02:00
Anders Schack-Mulligen fd832416d8 Dataflow: Add empty type strengthening predicate for languages without type pruning. 2023-06-09 08:37:35 +02:00
Anders Schack-Mulligen e8cea79f1d Dataflow: Sync. 2023-06-09 08:37:35 +02:00
Jami Cogswell da58b2afc8 Shared: move shared file to 'shared' folder and add parameterized module for 'getInvalidModelKind' 2023-06-08 20:05:27 -04:00
github-actions[bot] e4be303a23 Release preparation for version 2.13.4 2023-06-08 19:57:37 +00:00
Asger F d6741f655d Ruby: restrict ORM tracking to calls 2023-06-08 14:01:51 +02:00
Alex Ford b4620042a5 Ruby: fix use of deprecated predicate 2023-06-08 12:09:22 +01:00
Alex Ford 397a809426 Merge remote-tracking branch 'origin/main' into rb/rack-redirect 2023-06-08 12:07:57 +01:00
Alex Ford 21b4f885a6 ruby: fix qldoc 2023-06-08 12:01:42 +01:00
Alex Ford c531b94594 Ruby: add a change note for rack redirect support 2023-06-08 11:59:10 +01:00
Alex Ford 22b9ab43c6
Merge pull request #13259 from alexrford/rb/actiondispatch-refactor 
Ruby: Refactor and slightly expand `ActionDispatch` modelling
 2023-06-08 11:08:36 +01:00
Tom Hvitved cee70883f0
Merge pull request #12964 from hvitved/ruby/remove-synth-returns 
Ruby: Remove canonical return nodes
 2023-06-08 10:07:48 +02:00
Alex Ford 0a7ae58710 Ruby: revert to simpler Rack PotentialResponseNode def and use TypeBackTracker to track instances 2023-06-07 16:30:53 +01:00
Alex Ford a5d8db6317 Ruby: fix qldoc 2023-06-07 15:55:28 +01:00
Alex Ford 57508b2b3b ruby: Limit rack PotentialResponseNode to things that look like they occur in a rack application 2023-06-07 15:55:05 +01:00
Rasmus Lerchedahl Petersen 6ddf1f7eaf ruby/python: remove predicates from interface 2023-06-07 14:07:08 +02:00
yoff 7ab3cde3aa
Apply suggestions from code review 
Co-authored-by: Asger F <asgerf@github.com>
 2023-06-07 13:54:31 +02:00
Erik Krogh Kristensen 6ba7f9a238
Merge pull request #13352 from erik-krogh/once-again-deps-not-py-cpp 
delete old deprecations
 2023-06-07 13:00:57 +02:00
Tom Hvitved 88c5700c24 Ruby: Use `CallGraphConstruction` in call graph construction 2023-06-07 09:02:03 +02:00
Tom Hvitved 4bf124bffe Ruby/Python: Add `CallGraphConstruction` module for recursive type-tracking based call graph construction 2023-06-07 09:02:03 +02:00
Arthur Baars 7324d1705e
Merge branch 'main' into amammad-ruby-YAMLunsafeLoad 2023-06-06 12:09:06 +02:00
Jami Cogswell 5a23421d9a Shared: minor updates to comments 2023-06-05 13:46:56 -04:00
Jami Cogswell 9d5972acc2 Shared: update qldocs 2023-06-05 12:18:34 -04:00
Jami Cogswell 3f1dc8e5c7 Shared: add outdated Swift sink kinds 2023-06-05 12:18:34 -04:00
Jami Cogswell 62ac0dc471 Shared: add outdated sink kind msg to 'getInvalidModelKind' for all languages 2023-06-05 12:18:33 -04:00
Jami Cogswell 76f5dca861 Shared: move 'OutdatedSinkKind' to shared file and add outdated JS and C# sink kinds 2023-06-05 12:18:33 -04:00
Jami Cogswell 7b629f5d63 Shared: include 'qltest%' and 'test-%' 2023-06-05 12:18:33 -04:00
Jami Cogswell 254e447923 JS/Python/Ruby: update getInvalidModelKind 2023-06-05 12:18:33 -04:00
Jami Cogswell 7317c29eea Shared: update kind information 2023-06-05 12:18:33 -04:00
Jami Cogswell 0ab1848b70 JS/Python/Ruby: use 'SharedModelValidation' file 2023-06-05 12:18:33 -04:00
Jami Cogswell ddb5d92ef8 Shared: add source, summary, and neutral shared valid kinds 2023-06-05 12:18:33 -04:00
Jami Cogswell 869f820fcf Shared: add 'SharedModelValidation' file as experiment 2023-06-05 12:18:33 -04:00
Jami Cogswell e24e3a6115 JS/Python/Ruby: add getInvalidModelKind as experiment 2023-06-05 12:18:33 -04:00
erik-krogh ac9ede4ec0
add change-notes 2023-06-02 11:58:11 +02:00
erik-krogh c3e57382f7
Ruby: fix compilation 2023-06-02 11:58:08 +02:00
erik-krogh 44b6366586
delete old deprecations 2023-06-02 11:58:08 +02:00
Alex Ford 606d601923 qlformat 2023-06-01 16:26:05 +01:00
Alex Ford d09f6d318c
Merge branch 'main' into maikypedia/sqli-sink 2023-06-01 15:02:44 +01:00
Alex Ford b62a02f0ad ruby: remove unused field 2023-06-01 14:01:40 +01:00
Alex Ford 23e22799a9 ruby: rack - modelling -> modeling 2023-06-01 14:01:40 +01:00
Alex Ford 24635df1a3 ruby: add some qldoc for rack 2023-06-01 14:01:40 +01:00