Commit graph

2953 commits

Author SHA1 Message Date
Maiky a3c58c66e9 Using `DataFlow::ConfigSig` instead of `TaintTracking::Configuration` 2023-07-06 03:14:49 +02:00
Maiky 25814f76b9 Apply suggested changes 2023-07-06 02:20:42 +02:00
Alex Ford ec2c9f20f6 Ruby: rack - env['QUERY_STRING'] changenote 2023-07-05 15:46:56 +01:00
Alex Ford 2b0b2855e1 Ruby: rack - Rack::Response changenote 2023-07-05 15:15:34 +01:00
Alex Ford df62cf8a5a qlformat 2023-07-05 12:19:57 +01:00
Alex Ford 9a263e12ec Ruby: rack - add some qldoc 2023-07-05 12:18:52 +01:00
Alex Ford 175d524146 Ruby: rack - add Rack#Utils.parse_query summary 2023-07-05 12:18:52 +01:00
Alex Ford cc6f6418f5 Ruby: rack - start modelling request inputs 2023-07-05 12:18:52 +01:00
Alex Ford 9b2cd768e1 Ruby: rack - add env['QUERY_STRING'] as an http request input 2023-07-05 11:59:18 +01:00
Alex Ford 5fafd9ecc1
Merge branch 'main' into rb/rack-extend-app-and-resp 2023-07-04 11:43:30 +01:00
Michael Nebel 238f390738
Merge pull request #13452 from michaelnebel/refactorstackprinting
Re-factor printing of summary component stacks.
2023-07-04 08:29:10 +02:00
Michael Nebel 243c592447 Address review comments. 2023-07-03 17:01:08 +02:00
Michael Nebel e06bc8fd8d Ruby: Use serialize to for the string representation of ConstantValue. 2023-07-03 14:36:07 +02:00
Michael Nebel bddd22f522 Sync files and make language specific adjustments. 2023-07-03 14:36:07 +02:00
Michael Nebel 6aded7b461 Ruby: Improve AccessPath printing. 2023-07-03 14:36:06 +02:00
Michael Nebel c18f4b1604 Sync files and make language specific rename. 2023-07-03 14:36:06 +02:00
erik-krogh 8c871621f1
sync to ruby 2023-07-01 20:33:02 +02:00
Chuan-kai Lin ce464a7d69 Remove pragma[assume_small_delta] 2023-06-30 11:09:29 -07:00
Alex Ford 9d36ab9204
Merge pull request #13606 from alexrford/rb/sqlite3-getSql
Ruby: fix sqlite3 `PreparedStatementExecution.getSql()` predicate
2023-06-30 12:18:46 +01:00
github-actions[bot] 668aaa2dc8 Post-release preparation for codeql-cli-2.13.5 2023-06-30 08:51:48 +00:00
Asger F 5d1a437e9c
Revert "Ruby: overhaul API graphs" 2023-06-29 15:39:19 +02:00
github-actions[bot] 9d7987f822 Release preparation for version 2.13.5 2023-06-29 09:26:18 +00:00
Tom Hvitved 9a26fc3178
Merge pull request #13573 from hvitved/ruby/inline-late-members
Ruby/Python: Use `inline_late` on member predicates
2023-06-29 09:07:14 +02:00
Alex Ford ede6b262cd Ruby: fix sqlite3 PreparedStatementExecution.getSql() predicate 2023-06-28 17:09:43 +01:00
Asger F f0517028b9
Merge pull request #13496 from asgerf/rb/tracking-on-demand
Ruby: overhaul API graphs
2023-06-28 15:01:37 +02:00
Asger F 39789d4050 Ruby: use a valid change note category 2023-06-28 13:42:05 +02:00
Asger F 2f1223426a Ruby: add change note 2023-06-28 13:36:47 +02:00
Asger F 7af3d226c9 Ruby: simplify Twirp model 2023-06-28 13:20:59 +02:00
Asger F 423da55fb9 Ruby: use asCallable() in Twirp model 2023-06-28 13:20:59 +02:00
Asger F dd868437ce Ruby: add asCallable() 2023-06-28 13:20:59 +02:00
Asger F 6feda75dd6 Ruby: preserve comment in SQLite3 2023-06-28 13:20:58 +02:00
Asger F f171c21002 Ruby: remove forwarder for getADescendentModule 2023-06-28 13:20:58 +02:00
Asger F 174ab25867 Ruby: address some review comments 2023-06-28 13:20:58 +02:00
Tom Hvitved fa92e79bea Ruby/Python: Use `inline_late` on member predicates 2023-06-28 09:04:06 +02:00
Alex Ford 9cf165ac55 Ruby: rack - update a deprecation notice 2023-06-26 15:37:34 +01:00
Alex Ford 8fdc48753c Ruby: rack - replace RackApplication with just the rack RequestHandler 2023-06-26 15:36:37 +01:00
Asger F f6e244995a
Update ruby/ql/lib/codeql/ruby/ApiGraphs.qll
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2023-06-26 15:32:11 +02:00
Asger F b61e823cab Ruby: clarify qldoc for getADescendentModule 2023-06-26 15:31:18 +02:00
Asger F ef9d910a07
Update ruby/ql/lib/codeql/ruby/ApiGraphs.qll
Co-authored-by: Erik Krogh Kristensen <erik-krogh@github.com>
2023-06-26 15:28:30 +02:00
Rasmus Wriedt Larsen 0121263e03
Merge branch 'main' into python/enable-summaries-from-models 2023-06-26 11:34:12 +02:00
Alex Ford 6008c7bee4 Ruby: rack - change note for response and app recognition improvements 2023-06-23 16:16:15 +01:00
Alex Ford b67b80ca2a Ruby: rack - rename App as RackApplication 2023-06-23 16:12:23 +01:00
Alex Ford de6547341f qlformat 2023-06-23 13:36:39 +01:00
Alex Ford 4b3d99529a Ruby: rack - rename getResponse as getAResponse 2023-06-23 13:13:07 +01:00
Alex Ford 4f9f41acd5 Ruby: rack - fix qldoc 2023-06-23 13:11:00 +01:00
Tom Hvitved f28aefad8b Ruby: Reduce string pool pressure by late-inlining `locationRelativePathToString`
```
[2023-06-23 13:48:23] Evaluated non-recursive predicate Sinatra#e09174a3::Sinatra::locationRelativePathToString#1#ff@683a25ce in 34682ms (size: 8048121).
Evaluated relational algebra for predicate Sinatra#e09174a3::Sinatra::locationRelativePathToString#1#ff@683a25ce with tuple counts:
        8048122  ~0%    {6} r1 = SCAN locations_default OUTPUT In.1, In.0, toString(In.5), toString(In.2), toString(In.3), toString(In.4)
        8048121  ~0%    {2} r2 = JOIN r1 WITH FileSystem#df18ed9a::Make#FileSystem#e91ad87f::Input#::Container::getRelativePath#0#dispred#ff ON FIRST 1 OUTPUT Lhs.1, (Rhs.1 ++ "@" ++ Lhs.3 ++ ":" ++ Lhs.4 ++ ":" ++ Lhs.5 ++ ":" ++ Lhs.2)
                        return r2
```
2023-06-23 14:01:16 +02:00
Asger F 0039cb141e Merge branch 'main' into rb/tracking-on-demand 2023-06-23 12:55:54 +02:00
yoff 26856a82a6
Apply suggestions from code review
Co-authored-by: Asger F <asgerf@github.com>
2023-06-23 10:15:20 +02:00
Geoffrey White fe71207475
Merge pull request #13537 from geoffw0/regexqldoc
Ruby: Fix some QLDoc errors in ParseRegExp.qll
2023-06-22 14:55:39 +01:00
Geoffrey White d06f4b9567 Ruby: Correct QLDoc for qualifiedPart. 2023-06-22 13:56:42 +01:00
Geoffrey White 1c1637a886 Ruby: Correct QLDoc for charRange. 2023-06-22 13:56:06 +01:00
Alex Ford f8140bcad3 Ruby: rack - improve performance of trackRackResponse 2023-06-22 13:45:44 +01:00
Alex Ford 4d59181571 Ruby: rack - Rack::Response#finish constructs a valid rack response 2023-06-22 13:45:44 +01:00
Alex Ford 521e65c5bd Ruby: rack - extend rack applications to include instance methods, lambdas, and procs 2023-06-22 13:45:44 +01:00
Alex Ford 7a3b6f107b Ruby: add predicates to DataFlow::ModuleNode to get singleton methods 2023-06-22 13:45:44 +01:00
Alex Ford 24e83165ee
Merge pull request #13289 from alexrford/rb/rack-redirect
Ruby: rack - model redirect responses
2023-06-22 13:45:02 +01:00
Henry Mercer 5afdaf8fe1
Merge pull request #13525 from github/rc/3.10
Merge `rc/3.10` back to `main`
2023-06-21 17:13:36 +01:00
Jami 5259a6ecfc
Merge pull request #13324 from jcogs33/jcogs33/shared-sink-kind-validation
Shared: share MaD kind validation across languages
2023-06-20 11:56:12 -04:00
Alex Ford 8ef8a0d2f6 qlformat 2023-06-20 14:59:13 +01:00
Alex Ford 7aec22c1e4 Ruby: rack - remove MIME modelling 2023-06-20 14:57:23 +01:00
Owen Mansel-Chan d7c97f8759
Merge pull request #13455 from owen-mc/dataflow/add-flowCheckNodeSpecific
Dataflow: add language-specific hook for breaking up big step relation
2023-06-20 13:24:26 +01:00
github-actions[bot] 18b678e69e Post-release preparation for codeql-cli-2.13.4 2023-06-20 10:20:05 +00:00
yoff 579c56c744
Merge pull request #13178 from yoff/python-ruby/track-through-summaries-pm
ruby/python: Shared module for typetracking through flow summaries
2023-06-20 11:19:45 +02:00
Jeroen Ketema 9c774ac97f
Merge pull request #13426 from jketema/inline-3
Update inline flow tests to use parameterized module
2023-06-19 17:39:29 +02:00
Asger F e3a04499f6 Ruby: minor overhaul of ActiveResource model 2023-06-19 12:15:57 +02:00
Asger F 8bc4193ce0 Ruby: minor overhaul of ActiveRecord model
Old version had scalability issues when adding taking more interprocedural flow and inheritance into account.
2023-06-19 12:15:44 +02:00
Asger F bb3b973b32 Ruby: use new features in ActionController 2023-06-19 12:06:35 +02:00
Asger F fbfa31937f Ruby: use new features in ActionMailer 2023-06-19 12:05:57 +02:00
Asger F 1ae41484da Ruby: Use new features in ActionMailbox model 2023-06-19 12:05:15 +02:00
Asger F f8ae5301a4 Ruby: update Twirp
This used right-to-left evaluation for API graphs, which is not supported anymore
2023-06-19 12:04:53 +02:00
Asger F b305c13b65 Ruby: update SQLite3 model 2023-06-19 12:04:12 +02:00
Asger F 2ef010f1c0 Ruby: update GraphQL model 2023-06-19 12:04:00 +02:00
Asger F 61cda97163 Ruby: rename some call sites 2023-06-19 12:03:25 +02:00
Asger F 5b05e72d27 Ruby: switch to local dataflow when dealing with Kernel/IO 2023-06-19 12:02:39 +02:00
Asger F 0110610c6a Ruby: overhaul API graphs 2023-06-19 12:01:42 +02:00
Maiky 849e732c48 typos 2023-06-19 01:16:27 +02:00
Rasmus Lerchedahl Petersen 3cf9e3e692 Py/js/ruby: sync files 2023-06-18 21:52:49 +02:00
Jeroen Ketema d82c3ce11a
Ruby: Rewrite `InlineFlowTest` as a parameterized module 2023-06-15 10:52:23 +02:00
Maiky f6887c86b3
Rename Libxml.qll to LibXml.qll 2023-06-15 00:19:23 +02:00
Maiky e5fe5403b7 Apply requested changes 2023-06-14 22:55:14 +02:00
Rasmus Lerchedahl Petersen 0e713e6fc1 ruby/python: more consistent naming of parameters 2023-06-14 21:02:42 +02:00
Owen Mansel-Chan 3ff6d033d3
Rename to `neverSkipInPathGraph` 2023-06-14 15:29:54 +01:00
Owen Mansel-Chan e34bcef2bd
Ruby: Move path summary visibility code into flowCheckNodeSpecific 2023-06-14 14:46:41 +01:00
Owen Mansel-Chan 5f72ce0935
Add stub implementations of flowCheckNodeSpecific 2023-06-14 14:46:35 +01:00
Owen Mansel-Chan e0f7437d40
Sync dataflow library 2023-06-14 14:29:56 +01:00
Jami 35591113c2
Merge branch 'main' into jcogs33/shared-sink-kind-validation 2023-06-14 08:06:34 -04:00
Michael Nebel afec9b05e9
Merge pull request #13147 from michaelnebel/csharp/entityframeworkrefactor
C#: Use synthetic global in the EntityFramework code instead of jump steps.
2023-06-14 13:47:56 +02:00
Anders Schack-Mulligen 1a4fca334f
Merge pull request #13273 from aschackmull/dataflow/summarynode-refactor
Dataflow: Refactor FlowSummaryImpl to synthesize nodes independently from DataFlow::Node.
2023-06-14 09:38:36 +02:00
Alex Ford 75ccbe58ee Ruby: rack - use Mimetype rather than MimeType in predicate names for consistency with concepts 2023-06-13 12:44:29 +01:00
Alex Ford 977ceb89fd Ruby: rack - remove PotentialResponseNode#getAStatusCode 2023-06-13 12:42:46 +01:00
Alex Ford af1ca7fec7
Update ruby/ql/lib/codeql/ruby/frameworks/rack/internal/App.qll
Co-authored-by: Asger F <asgerf@github.com>
2023-06-13 12:37:31 +01:00
Rasmus Lerchedahl Petersen 33ad15e989 ruby: use aliases 2023-06-13 11:49:30 +02:00
Rasmus Lerchedahl Petersen e11f6b5107 ruby/python: adjust shared file
- move `isNonLocal` to the top
- missing backticks
2023-06-13 11:49:30 +02:00
Rasmus Lerchedahl Petersen b5961c7f6b ruby: move to internal folder 2023-06-13 11:49:30 +02:00
Rasmus Lerchedahl Petersen 203f8226cb ruby/python: make `SummaryTypeTracker` private 2023-06-13 11:32:06 +02:00
Anders Schack-Mulligen 2d616d494e C#/Ruby: Add fields as per review comments. 2023-06-13 11:26:30 +02:00
Asger F 0d45074caa
Merge pull request #13422 from asgerf/rb/map_filter
Ruby: fix bug in filter_map summary
2023-06-13 09:43:47 +02:00
Arthur Baars fad73d71e5
Merge pull request #13307 from hmac/amammad-ruby-YAMLunsafeLoad
Ruby: Add YAML unsafe deserialization sinks
2023-06-12 10:43:37 +02:00
Jami Cogswell 9abe3e3da4 Shared: use a module as input to 'KindValidation' 2023-06-09 14:35:37 -04:00
Anders Schack-Mulligen 5062442982 Go/Python/Ruby/Swift: Add stub. 2023-06-09 15:39:28 +02:00
Anders Schack-Mulligen 98f51d7f29 Dataflow: Sync. 2023-06-09 15:39:28 +02:00
Anders Schack-Mulligen 4e531af71b Ruby: Adjust to FlowSummaryImpl changes. 2023-06-09 15:30:35 +02:00
Anders Schack-Mulligen 2cc5bde925 Dataflow: Sync. 2023-06-09 15:27:17 +02:00
Asger F a50d91ea48 Ruby: fix bug in filter_map summary 2023-06-09 14:31:10 +02:00
Rasmus Lerchedahl Petersen b294f48dbe Merge branch 'main' of https://github.com/github/codeql into python-ruby/track-through-summaries-pm 2023-06-09 14:16:34 +02:00
Anders Schack-Mulligen 1b7bbf6320
Merge pull request #13083 from aschackmull/dataflow/typestrengthen
Dataflow: Strengthen tracked types.
2023-06-09 13:23:30 +02:00
Arthur Baars a5410bd52d
Merge pull request #13419 from asgerf/rb/restrict-orm-tracking
Ruby: restrict ORM tracking to calls
2023-06-09 11:01:05 +02:00
Anders Schack-Mulligen d230509905 Dataflow: Address review comments. 2023-06-09 08:37:36 +02:00
Anders Schack-Mulligen 4399138c82 Dataflow: Fix QL4QL alert. 2023-06-09 08:37:36 +02:00
Anders Schack-Mulligen 53f2b8aab0 Dataflow: Sync. 2023-06-09 08:37:36 +02:00
Anders Schack-Mulligen fd832416d8 Dataflow: Add empty type strengthening predicate for languages without type pruning. 2023-06-09 08:37:35 +02:00
Anders Schack-Mulligen e8cea79f1d Dataflow: Sync. 2023-06-09 08:37:35 +02:00
Jami Cogswell da58b2afc8 Shared: move shared file to 'shared' folder and add parameterized module for 'getInvalidModelKind' 2023-06-08 20:05:27 -04:00
github-actions[bot] e4be303a23 Release preparation for version 2.13.4 2023-06-08 19:57:37 +00:00
Asger F d6741f655d Ruby: restrict ORM tracking to calls 2023-06-08 14:01:51 +02:00
Alex Ford b4620042a5 Ruby: fix use of deprecated predicate 2023-06-08 12:09:22 +01:00
Alex Ford 397a809426 Merge remote-tracking branch 'origin/main' into rb/rack-redirect 2023-06-08 12:07:57 +01:00
Alex Ford 21b4f885a6 ruby: fix qldoc 2023-06-08 12:01:42 +01:00
Alex Ford c531b94594 Ruby: add a change note for rack redirect support 2023-06-08 11:59:10 +01:00
Alex Ford 22b9ab43c6
Merge pull request #13259 from alexrford/rb/actiondispatch-refactor
Ruby: Refactor and slightly expand `ActionDispatch` modelling
2023-06-08 11:08:36 +01:00
Tom Hvitved cee70883f0
Merge pull request #12964 from hvitved/ruby/remove-synth-returns
Ruby: Remove canonical return nodes
2023-06-08 10:07:48 +02:00
Alex Ford 0a7ae58710 Ruby: revert to simpler Rack PotentialResponseNode def and use TypeBackTracker to track instances 2023-06-07 16:30:53 +01:00
Alex Ford a5d8db6317 Ruby: fix qldoc 2023-06-07 15:55:28 +01:00
Alex Ford 57508b2b3b ruby: Limit rack PotentialResponseNode to things that look like they occur in a rack application 2023-06-07 15:55:05 +01:00
Rasmus Lerchedahl Petersen 6ddf1f7eaf ruby/python: remove predicates from interface 2023-06-07 14:07:08 +02:00
yoff 7ab3cde3aa
Apply suggestions from code review
Co-authored-by: Asger F <asgerf@github.com>
2023-06-07 13:54:31 +02:00
Erik Krogh Kristensen 6ba7f9a238
Merge pull request #13352 from erik-krogh/once-again-deps-not-py-cpp
delete old deprecations
2023-06-07 13:00:57 +02:00
Tom Hvitved 88c5700c24 Ruby: Use `CallGraphConstruction` in call graph construction 2023-06-07 09:02:03 +02:00
Tom Hvitved 4bf124bffe Ruby/Python: Add `CallGraphConstruction` module for recursive type-tracking based call graph construction 2023-06-07 09:02:03 +02:00
Arthur Baars 7324d1705e
Merge branch 'main' into amammad-ruby-YAMLunsafeLoad 2023-06-06 12:09:06 +02:00
Jami Cogswell 5a23421d9a Shared: minor updates to comments 2023-06-05 13:46:56 -04:00
Jami Cogswell 9d5972acc2 Shared: update qldocs 2023-06-05 12:18:34 -04:00
Jami Cogswell 3f1dc8e5c7 Shared: add outdated Swift sink kinds 2023-06-05 12:18:34 -04:00
Jami Cogswell 62ac0dc471 Shared: add outdated sink kind msg to 'getInvalidModelKind' for all languages 2023-06-05 12:18:33 -04:00
Jami Cogswell 76f5dca861 Shared: move 'OutdatedSinkKind' to shared file and add outdated JS and C# sink kinds 2023-06-05 12:18:33 -04:00
Jami Cogswell 7b629f5d63 Shared: include 'qltest%' and 'test-%' 2023-06-05 12:18:33 -04:00
Jami Cogswell 254e447923 JS/Python/Ruby: update getInvalidModelKind 2023-06-05 12:18:33 -04:00
Jami Cogswell 7317c29eea Shared: update kind information 2023-06-05 12:18:33 -04:00
Jami Cogswell 0ab1848b70 JS/Python/Ruby: use 'SharedModelValidation' file 2023-06-05 12:18:33 -04:00
Jami Cogswell ddb5d92ef8 Shared: add source, summary, and neutral shared valid kinds 2023-06-05 12:18:33 -04:00
Jami Cogswell 869f820fcf Shared: add 'SharedModelValidation' file as experiment 2023-06-05 12:18:33 -04:00
Jami Cogswell e24e3a6115 JS/Python/Ruby: add getInvalidModelKind as experiment 2023-06-05 12:18:33 -04:00
erik-krogh ac9ede4ec0
add change-notes 2023-06-02 11:58:11 +02:00
erik-krogh c3e57382f7
Ruby: fix compilation 2023-06-02 11:58:08 +02:00
erik-krogh 44b6366586
delete old deprecations 2023-06-02 11:58:08 +02:00
Alex Ford 606d601923 qlformat 2023-06-01 16:26:05 +01:00
Alex Ford d09f6d318c
Merge branch 'main' into maikypedia/sqli-sink 2023-06-01 15:02:44 +01:00
Alex Ford b62a02f0ad ruby: remove unused field 2023-06-01 14:01:40 +01:00
Alex Ford 23e22799a9 ruby: rack - modelling -> modeling 2023-06-01 14:01:40 +01:00
Alex Ford 24635df1a3 ruby: add some qldoc for rack 2023-06-01 14:01:40 +01:00
Alex Ford 40da7d45c2 ruby: make a predicate private 2023-06-01 14:01:40 +01:00
Alex Ford 19664879c8 ruby: slightly expand a TODO 2023-06-01 14:01:40 +01:00
Alex Ford a5a15f3804 Ruby: restructure rack model 2023-06-01 14:01:40 +01:00
Alex Ford b2958f87b2 ruby: rack - add redirect responses 2023-06-01 14:01:40 +01:00
Alex Ford c3ab867595 ruby: start restructuring rack 2023-06-01 14:01:40 +01:00
Alex Ford f8d2cbbe79 ruby: rack responses implement are HTTP responses 2023-06-01 14:01:39 +01:00
Alex Ford c87c266871 ruby: add Rack::ResponseNode#getAStatusCode 2023-06-01 14:01:39 +01:00
Alex Ford e7e0cf5cb3 ruby: add Rack::ResponseNode class 2023-06-01 14:01:39 +01:00
Alex Ford 4794066d3c
Merge branch 'main' into maikypedia/sqli-sink-2 2023-06-01 13:04:54 +01:00
Maiky 7579f182ad Add requested changes 2023-06-01 11:00:35 +02:00
Michael Nebel 06b02eb3ce Sync files. 2023-06-01 09:30:31 +02:00
Maiky 13ce6a6d8e
Update Frameworks.qll 2023-06-01 00:53:01 +02:00
Arthur Baars e93b44670f Ruby: printCfg: only show graph for selected CfgScope 2023-05-31 16:08:01 +02:00
Arthur Baars c211b704f3
Merge pull request #13272 from github/post-release-prep/codeql-cli-2.13.3
Post-release preparation for codeql-cli-2.13.3
2023-05-31 15:33:12 +02:00
Michael Nebel 2266e28583
Merge pull request #13262 from michaelnebel/flowsummary/refactorgetcomponentstack
C#: Re-factor getComponent.
2023-05-31 08:22:44 +02:00
Arthur Baars 490d22d123 Merge remote-tracking branch 'upstream/main' into post-release-prep/codeql-cli-2.13.3 2023-05-30 21:31:28 +02:00
Arthur Baars d91fa2d038 Ruby: add print-cfg query 2023-05-30 17:30:04 +02:00
Rasmus Lerchedahl Petersen 2daa9577bb ruby/python: implement shared module
ruby:
- create new shared file `SummaryTypeTracker.qll`
- move much logic into the module
- instantiate the module
- remove old logic, now provided by module

python:
- clone shared file
- instantiate module
- use (some of the) steps provided by the module
2023-05-30 13:31:24 +02:00
Maiky 345f43fbae fix concepts 2023-05-29 21:17:48 +02:00
Maiky 62353122c0 Add Improper LDAP Authentication query (CWE-287) 2023-05-29 21:16:13 +02:00
Maiky 03b7c5e5e8
naming error 2023-05-29 16:34:40 +02:00
Maiky a8f887e3f9
naming error 2023-05-29 16:33:58 +02:00
Maiky 2d8318dc02 remove unnecessary imports and edit .qhelp 2023-05-28 17:40:31 +02:00
Maiky 065b69460d remove space 2023-05-28 17:34:16 +02:00
Maiky 5e33f14ff1 Undo Concepts changes 2023-05-28 17:33:05 +02:00
Harry Maclean 562065f29e Ruby: Add change note 2023-05-27 01:20:09 +00:00
Harry Maclean b8c3cba4ff Ruby: Consolidate unsafe deserialization queries
Merge the experimental YAMLUnsafeDeserialization and
PlistUnsafeDeserialization queries into the generate
UnsafeDeserialization query in the default suite.

These queries look for some specific sinks that we now find in the
general query.

Also apply some small code and comment refactors.
2023-05-27 01:20:04 +00:00
amammad d727d573d5 v4.2 write exact version of yaml.load default loader change 2023-05-27 01:15:29 +00:00
amammad 335441ce04 v4: make variable names camelCase, some enhancement, remove some duplicates 2023-05-27 01:15:29 +00:00
amammad e76ed9454a v3 add global taint steps for to_ruby of YAML/Psych 2023-05-27 01:15:24 +00:00
amammad ad7e107ff5 add the new YAML/PLIST sinks into the existing rb/unsafe-deserialization query 2023-05-27 01:14:36 +00:00
Maiky dfbf259e2d typo 2023-05-26 18:14:49 +02:00
Maiky 9ab6eabd15 add `filterTaintStep`, qhelp file and test files 2023-05-26 18:13:58 +02:00
Asger F 3831dc7785
Merge pull request #13288 from asgerf/rb/super-and-flow-through
Ruby: two bug fixes
2023-05-26 15:04:52 +02:00
Arthur Baars e0466900ad
Merge pull request #12992 from Sim4n6/ruby-UBV
[Ruby] Add Unicode Bypass Validation query, test and help file
2023-05-26 13:00:21 +02:00
Alex Ford baabd2d1fa
Merge pull request #12832 from maikypedia/maikypedia/pg-sqli
Ruby: Add SQL Injection Sinks
2023-05-26 11:36:17 +01:00
Michael Nebel 915042a881 Minor cleanup and sync files. 2023-05-26 12:25:00 +02:00
Michael Nebel 58fcbc136c Ruby: Re-factor getComponent. 2023-05-26 12:25:00 +02:00
Maiky 026d94c457 Add LDAP Injection query (incomplete) 2023-05-25 22:51:25 +02:00
Asger F 9e8cef5e1b Ruby: fix type-tracking flow-through for new->initialize calls 2023-05-25 15:03:38 +02:00
Asger F 93678e5d36 Ruby: fix name of super calls in singleton methods 2023-05-25 15:03:34 +02:00
Sim4n6 52dd247a81
Removed redundant cast 2023-05-25 11:55:13 +01:00
Sim4n6 7d68f6afc9
added ActiveSupport::Multibyte::Chars normalize() sink 2023-05-25 09:21:55 +01:00
Sim4n6 d772bb213a
Added three more Unicode Normalization sinks 2023-05-25 03:10:00 +01:00
Maiky 40450a2792
typo 2023-05-24 17:02:48 +02:00
github-actions[bot] d2e192020b Post-release preparation for codeql-cli-2.13.3 2023-05-24 11:26:12 +00:00
Tom Hvitved 13ada1e6ad Ruby: Remove canonical return nodes 2023-05-24 11:11:50 +02:00
Tom Hvitved deee314370 Python/Ruby: Optimize join-order in `TypeTracker::[small]step` 2023-05-24 11:11:07 +02:00
Tom Hvitved 05f3934042
Merge pull request #13251 from hvitved/ruby/call-graph-self-param
Ruby: Include both `self` parameters and SSA definitions in call graph construction
2023-05-24 11:10:34 +02:00
Asger F 818753e922
Merge pull request #13265 from asgerf/rb/delete-name-clash
Ruby: fix some name clashes between summarized callables
2023-05-24 11:08:56 +02:00
Tom Hvitved b486a4d52c
Merge pull request #13255 from hvitved/ruby/ssa-param-capture-input
Ruby: Include underlying SSA parameter definition in `localFlowSsaParamCaptureInput`
2023-05-24 10:40:54 +02:00
Maiky 27c1e47ece
Update ruby/ql/lib/change-notes/2023-05-06-pg.md
Co-authored-by: Jorge <46056498+jorgectf@users.noreply.github.com>
2023-05-24 01:44:51 +02:00
Maiky ad5355a04a Pg Library, change note and Frameworks.qll 2023-05-23 19:49:03 +02:00
Arthur Baars e33f3a6668
Merge pull request #13154 from aibaars/sync-dbscheme-py
JS/Ruby/QL/Python: sync dbscheme fragments
2023-05-23 19:14:29 +02:00
Asger F 0592c8ba99 Ruby: avoid name clash for "assoc" summary 2023-05-23 17:34:19 +02:00
Asger F 50a7b21928 Ruby: fix a name clash for summaries called "delete" 2023-05-23 16:49:17 +02:00
Alex Ford 9ccfec0571 Ruby: move actiondispatch components to an internal subdirectory 2023-05-23 15:26:52 +01:00
Alex Ford c2f5bacc47 Ruby: consider more calls to e.g. ActionDispatch::Request#params as remote input sources 2023-05-23 14:50:16 +01:00
Alex Ford 27729af088 Ruby: move ActionDispatch::Request logic out of ActionController.qll 2023-05-23 14:49:57 +01:00
Alex Ford 9b4914c3f6 Ruby: split ActionDispatch modelling into multiple component files 2023-05-23 14:48:45 +01:00
Tom Hvitved eaa84cb819 Ruby: Include underlying SSA parameter definition in `localFlowSsaParamCaptureInput` 2023-05-23 13:56:29 +02:00
Tom Hvitved 349de77474 Ruby: Include both `self` parameters and SSA definitions in call graph construction 2023-05-23 12:28:06 +02:00
github-actions[bot] 7aa23cf11d Release preparation for version 2.13.3 2023-05-22 20:47:00 +00:00
Arthur Baars bec2b7fef9 QL/Ruby: update dbscheme stats 2023-05-22 19:37:58 +02:00
Arthur Baars 294cc930e6 Ruby: add upgrade/downgrade scripts 2023-05-22 19:37:51 +02:00
Arthur Baars d2bc66e393 QL: switch to shared YAML extractor 2023-05-22 19:28:59 +02:00
Arthur Baars 9f83dd5c7a Tree-sitter extractor: extract shared dbscheme fragments into 'prefix.dbscheme' 2023-05-22 19:28:51 +02:00
Tom Hvitved 20efe81f10
Update ruby/ql/lib/codeql/ruby/typetracking/TypeTrackerSpecific.qll
Co-authored-by: Asger F <asgerf@github.com>
2023-05-22 12:43:05 +02:00
Tom Hvitved 33be52f0b7 Ruby: Allow for flow out of callbacks passed to summarized methods in type tracking 2023-05-22 11:01:08 +02:00
Tom Hvitved 128168a7e7 Ruby: Allow for flow through callbacks to summarized methods in type tracking 2023-05-21 20:51:45 +02:00
Sim4n6 97e8e0bd8e Add String Manipulation Method Calls & CGI.escapeHTML() support 2023-05-21 11:52:29 +01:00
Sim4n6 ad754f1385 use of all normalization forms without the ":" prefix 2023-05-20 17:59:08 +01:00
Sim4n6 957023ec44 nfd and nfkd are considered 2023-05-20 12:51:24 +01:00
Sim4n6 eb7e1de65b
Update ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll
Co-authored-by: Arthur Baars <aibaars@github.com>
2023-05-20 12:43:05 +01:00
Tom Hvitved 826b6219a0 Ruby: Include `self` parameters in type tracking flow-through logic 2023-05-15 16:02:33 +02:00
Tom Hvitved 9dede31c0d
Merge pull request #13077 from hvitved/ruby/track-regexp-improvements
Ruby: Improvements to `RegExpTracking`
2023-05-15 16:02:00 +02:00
Maiky 3c00235375 Add SqlSanitization to `Concepts` and turn private 2023-05-15 15:56:52 +02:00
Maiky f46620c455 Var only used in one side of disjunct 2023-05-15 15:09:44 +02:00
Maiky 071a77cedc Ruby : XPath Injection Query (CWE-643) 2023-05-11 15:29:54 +02:00
Tom Hvitved 425ebba278 Address review comments 2023-05-10 14:04:41 +02:00
Kasper Svendsen e6ca3fe272 Ruby: Enable implicit this warnings 2023-05-10 13:03:39 +02:00
Kasper Svendsen 6b8a7c2f6f Ruby: Make implicit this receivers explicit 2023-05-10 13:03:39 +02:00
Tom Hvitved 51087d090b Address review comments 2023-05-10 09:42:41 +02:00
Tom Hvitved 60b0f25a9a Ruby: Improvements to `RegExpTracking` 2023-05-10 09:35:59 +02:00
Calum Grant 3d713ed4a9
Merge pull request #13067 from hvitved/ruby/no-self-flow
Ruby: Remove local identity flow steps
2023-05-09 09:33:35 +01:00
Michael Nebel 4ac0396b67 Go/Python/Ruby/Swift: Sync files and make dummy implementation. 2023-05-08 16:18:59 +02:00
Tom Hvitved 2f95af8ef2 Ruby: Remove self edges 2023-05-08 10:26:01 +02:00
Maiky 3960853af0 CWE-089 Add Sequel SQL Injection Sink 2023-05-07 23:56:56 +02:00
Maiky 6a3d995b35 Add Mysql2 as SQL Injection Sink 2023-05-06 12:25:25 +02:00
Mathias Vorreiter Pedersen 09ba9a74ce
Merge pull request #12959 from MathiasVP/identity-consistency-check
DataFlow: Add an "identity-step" consistency check
2023-05-05 10:03:20 +01:00
Mathias Vorreiter Pedersen 77001a070b Merge branch 'main' into identity-consistency-check 2023-05-03 22:01:06 +01:00
Sim4n6 14ca20e782 removed redundant imports 2023-05-03 17:43:54 +01:00
Alex Ford e7213e92cf Merge remote-tracking branch 'origin/main' into rb/sqlite3 2023-05-03 15:18:07 +01:00
Alex Ford a26f9736f1 Ruby: add change note for sqlite3 support 2023-05-03 15:12:06 +01:00
Erik Krogh Kristensen f29db40371
Merge pull request #13011 from kaspersv/kaspersv/explicit-this-receivers-shared2
JS, Python, Ruby: Make implicit this receivers explicit
2023-05-03 15:34:59 +02:00
Kasper Svendsen ea75996932
Merge pull request #13005 from kaspersv/kaspersv/ruby-explicit-this-receivers
Ruby: Make implicit this receivers explicit
2023-05-03 14:57:43 +02:00
Ian Lynagh b56b843d13
Merge pull request #12987 from github/post-release-prep/codeql-cli-2.13.1
Post-release preparation for codeql-cli-2.13.1
2023-05-03 13:12:10 +01:00
Kasper Svendsen aca2ace843 JS, Python, Ruby: Make implicit this receivers explicit 2023-05-03 13:51:51 +02:00
Kasper Svendsen 68cf33e791 Ruby: Make implicit this receivers explicit 2023-05-03 12:25:01 +02:00
Alex Ford 82c025020d Merge remote-tracking branch 'origin/main' into maikypedia/ruby-ssti 2023-05-02 16:18:41 +01:00
Sim4n6 019b85beb6 Add Unicode Bypass Validation query, test and help file 2023-05-02 15:36:39 +01:00
github-actions[bot] 18d4af994d Post-release preparation for codeql-cli-2.13.1 2023-05-02 10:50:20 +00:00
Anders Schack-Mulligen ca09649679 Dataflow: Forward hasLocationInfo. 2023-05-02 10:48:32 +02:00
Anders Schack-Mulligen 5927bb2030 Dataflow: Replace "extends Node" with "instanceof Node". 2023-05-02 09:48:34 +02:00
github-actions[bot] 3bd29171fb Release preparation for version 2.13.1 2023-04-28 12:14:35 +00:00
Mathias Vorreiter Pedersen e506f638fc DataFlow: Sync identical files. 2023-04-27 18:40:33 +01:00
Anders Schack-Mulligen 71ae0909d8 Dataflow: Enforce type pruning in all forward stages. 2023-04-27 14:55:26 +02:00
Anders Schack-Mulligen 9140cbefc0 Dataflow: Sync. 2023-04-27 14:55:23 +02:00
Anders Schack-Mulligen 246d904712
Merge pull request #12948 from aschackmull/dataflow/pathnode-type-tostring
Dataflow: Add type to PathNode.toString.
2023-04-27 14:14:10 +02:00
Tom Hvitved f888382d35
Merge pull request #12906 from hvitved/ruby/track-block-no-self
Ruby: Prevent flow into `self` in `trackBlock`
2023-04-27 12:48:05 +02:00
Tom Hvitved fc66aacf92
Merge pull request #12922 from hvitved/ruby/controller-template-file-join
Ruby: Fix bad join in `controllerTemplateFile`
2023-04-26 21:26:54 +02:00
Anders Schack-Mulligen d681671356 Dataflow: Sync. 2023-04-26 14:45:07 +02:00
Anders Schack-Mulligen 81ce6c7779 Ruby: Remove empty string DataFlowType in PathNode. 2023-04-26 12:54:41 +02:00
Tom Hvitved b94289fde1 Ruby: Prevent flow into `self` in `trackBlock` 2023-04-26 10:33:04 +02:00
Tom Hvitved e5f2b90aec Ruby: Fix bad join in `controllerTemplateFile`
Before
```
Evaluated relational algebra for predicate ActionController#32b59475::controllerTemplateFile#2#ff@6f4b2395 with tuple counts:
        31304524   ~0%    {2} r1 = JOIN locations_default_10#join_rhs WITH FileSystem#df18ed9a::Make#FileSystem#e91ad87f::Input#::Container::getRelativePath#0#dispred#ff ON FIRST 1 OUTPUT Lhs.1, Rhs.1
           34453   ~3%    {2} r2 = JOIN r1 WITH DataFlowPublic#e1781e31::ModuleNode::getLocation#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1

            1236   ~0%    {2} r3 = JOIN r2 WITH ActionController#32b59475::ActionControllerClass#f ON FIRST 1 OUTPUT Lhs.0, InverseAppend(("" ++ "app/controllers/"),"_controller.rb",Lhs.1)

            1236   ~1%    {2} r4 = SCAN r3 OUTPUT In.0, ("" ++ "app/views/layouts/" ++ In.1 ++ "%")

            1320   ~1%    {3} r5 = JOIN r2 WITH ActionController#32b59475::ActionControllerClass#f ON FIRST 1 OUTPUT Lhs.1, Lhs.0, "^(.*/)app/controllers/(?:.*?)/(?:[^/]*)$"
              14   ~7%    {5} r6 = JOIN r5 WITH PRIMITIVE regexpCapture#bbff ON Lhs.0,Lhs.2
              14   ~7%    {5} r7 = SELECT r6 ON In.3 = 1
              14   ~0%    {3} r8 = SCAN r7 OUTPUT In.1, In.4, InverseAppend((In.4 ++ "app/controllers/"),"_controller.rb",In.0)

              14   ~0%    {2} r9 = SCAN r8 OUTPUT In.0, (In.1 ++ "app/views/layouts/" ++ In.2 ++ "%")

            1250   ~1%    {2} r10 = r4 UNION r9
         8813750   ~2%    {3} r11 = JOIN r10 WITH Erb#b2b9e6ed::ErbFile#ff CARTESIAN PRODUCT OUTPUT Rhs.0, Lhs.0, Lhs.1
         8813750   ~6%    {4} r12 = JOIN r11 WITH FileSystem#df18ed9a::Make#FileSystem#e91ad87f::Input#::Container::getRelativePath#0#dispred#ff ON FIRST 1 OUTPUT Lhs.1, Lhs.2, Lhs.0, Rhs.1
              41   ~6%    {4} r13 = SELECT r12 ON In.3 matches In.1
              41   ~0%    {2} r14 = SCAN r13 OUTPUT In.0, In.2

            1236   ~0%    {2} r15 = SCAN r3 OUTPUT ("" ++ "app/views/" ++ In.1), In.0

              14   ~0%    {2} r16 = SCAN r8 OUTPUT (In.1 ++ "app/views/" ++ In.2), In.0

            1250   ~0%    {2} r17 = r15 UNION r16
             581   ~0%    {2} r18 = JOIN r17 WITH FileSystem#df18ed9a::Make#FileSystem#e91ad87f::Input#::Container::getRelativePath#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1
            3243   ~2%    {2} r19 = JOIN r18 WITH containerparent ON FIRST 1 OUTPUT Rhs.1, Lhs.1
            2767   ~0%    {2} r20 = JOIN r19 WITH Erb#b2b9e6ed::ErbFile#ff ON FIRST 1 OUTPUT Lhs.1, Lhs.0

            2808   ~0%    {2} r21 = r14 UNION r20
                          return r21
```

After
```
Evaluated relational algebra for predicate ActionController#32b59475::controllerTemplateFile#2#ff@4b56c4f9 with tuple counts:
          1236   ~0%    {2} r1 = SCAN ActionController#32b59475::getActionControllerClassRelativePath#1#ff OUTPUT In.0, InverseAppend(("" ++ "app/controllers/"),"_controller.rb",In.1)

          1236   ~0%    {2} r2 = SCAN r1 OUTPUT ("" ++ "app/views/" ++ In.1), In.0

          1320   ~0%    {3} r3 = SCAN ActionController#32b59475::getActionControllerClassRelativePath#1#ff OUTPUT In.0, In.1, "^(.*/)app/controllers/(?:.*?)/(?:[^/]*)$"
            14   ~0%    {5} r4 = JOIN r3 WITH PRIMITIVE regexpCapture#bbff ON Lhs.1,Lhs.2
            14   ~0%    {5} r5 = SELECT r4 ON In.3 = 1
            14   ~0%    {3} r6 = SCAN r5 OUTPUT In.0, In.4, InverseAppend((In.4 ++ "app/controllers/"),"_controller.rb",In.1)

            14   ~0%    {2} r7 = SCAN r6 OUTPUT (In.1 ++ "app/views/" ++ In.2), In.0

          1250   ~0%    {2} r8 = r2 UNION r7
           581   ~0%    {2} r9 = JOIN r8 WITH FileSystem#df18ed9a::Make#FileSystem#e91ad87f::Input#::Container::getRelativePath#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1
          3243   ~0%    {2} r10 = JOIN r9 WITH containerparent ON FIRST 1 OUTPUT Rhs.1, Lhs.1
          2767   ~0%    {2} r11 = JOIN r10 WITH Erb#b2b9e6ed::ErbFile#ff ON FIRST 1 OUTPUT Lhs.1, Lhs.0

          1236   ~1%    {3} r12 = SCAN r1 OUTPUT In.0, "", In.1

          1250   ~1%    {3} r13 = r12 UNION r6
        102500   ~0%    {4} r14 = JOIN r13 WITH project#ActionController#32b59475::getErbFileRelativePath#1#ff CARTESIAN PRODUCT OUTPUT Rhs.0, Lhs.0, Lhs.1, Lhs.2
        102500   ~0%    {5} r15 = JOIN r14 WITH ActionController#32b59475::getErbFileRelativePath#1#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2, Lhs.3, Lhs.0
        102500   ~0%    {4} r16 = JOIN r15 WITH Erb#b2b9e6ed::ErbFile#ff ON FIRST 1 OUTPUT Lhs.1, Lhs.4, Lhs.0, (Lhs.2 ++ "app/views/layouts/" ++ Lhs.3 ++ "%")
            41   ~0%    {4} r17 = SELECT r16 ON In.1 matches In.3
            41   ~3%    {2} r18 = SCAN r17 OUTPUT In.0, In.2

          2808   ~1%    {2} r19 = r11 UNION r18
                        return r19
```
2023-04-25 21:04:30 +02:00
Tom Hvitved 65835cdb92
Merge pull request #12907 from hvitved/ruby/destructured-assign-join
Ruby: Fix bad join in `DestructuredAssignDesugar`
2023-04-25 08:50:27 +02:00
Tom Hvitved 71cd973b42 Ruby: Fix bad join in `DestructuredAssignDesugar`
```
Evaluated relational algebra for predicate Synthesis#d9ff06b1::DestructuredAssignDesugar::LhsWithReceiver::getSynthKind#0#dispred#ff@0c55fb0w on iteration 4 running pipeline order_500000 with tuple counts:
                 0   ~0%    {2} r1 = JOIN Synthesis#d9ff06b1::ConstantWriteAccessKind#ff#prev_delta WITH Constant#c70e4e0a::ScopeResolutionConstantAccess::getName#0#dispred#ff_10#join_rhs ON FIRST 1 OUTPUT Rhs.1, Lhs.1
                 0   ~0%    {2} r2 = JOIN r1 WITH Constant#c70e4e0a::ScopeResolutionConstantAccess::getScopeExpr#0#dispred#ff#prev ON FIRST 1 OUTPUT Lhs.0, Lhs.1

                 0   ~0%    {4} r3 = JOIN Call#841c84e8::MethodCall::getMethodName#0#dispred#ff#prev_delta WITH Call#841c84e8::Call::getNumberOfArguments#0#dispred#ff#prev ON FIRST 1 OUTPUT Lhs.1, false, Rhs.1, Lhs.0
                 0   ~0%    {2} r4 = JOIN r3 WITH Synthesis#d9ff06b1::MethodCallKind#ffff#prev ON FIRST 3 OUTPUT Lhs.3, Rhs.3

                 0   ~0%    {2} r5 = r2 UNION r4

            336618   ~3%    {1} r6 = SCAN Constant#c70e4e0a::ScopeResolutionConstantAccess::getScopeExpr#0#dispred#ff#prev_delta OUTPUT In.0
            336618   ~0%    {2} r7 = JOIN r6 WITH Constant#c70e4e0a::ScopeResolutionConstantAccess::getName#0#dispred#ff ON FIRST 1 OUTPUT Rhs.1, Lhs.0
                 0   ~0%    {2} r8 = JOIN r7 WITH Synthesis#d9ff06b1::ConstantWriteAccessKind#ff#prev ON FIRST 1 OUTPUT Lhs.1, Rhs.1

                 0   ~0%    {3} r9 = SCAN Call#841c84e8::Call::getNumberOfArguments#0#dispred#ff#prev_delta OUTPUT false, In.1, In.0
                 0   ~0%    {3} r10 = JOIN r9 WITH Synthesis#d9ff06b1::MethodCallKind#ffff#reorder_1_2_0_3#prev ON FIRST 2 OUTPUT Lhs.2, Rhs.2, Rhs.3
                 0   ~0%    {2} r11 = JOIN r10 WITH Call#841c84e8::MethodCall::getMethodName#0#dispred#ff#prev ON FIRST 2 OUTPUT Lhs.0, Lhs.2

              2119   ~2%    {3} r12 = JOIN Synthesis#d9ff06b1::MethodCallKind#ffff#reorder_1_2_0_3#prev_delta WITH const_false ON FIRST 1 OUTPUT Lhs.1, Lhs.2, Lhs.3
        2657005103   ~5%    {3} r13 = JOIN r12 WITH Call#841c84e8::Call::getNumberOfArguments#0#dispred#ff#reorder_1_0#prev ON FIRST 1 OUTPUT Rhs.1, Lhs.1, Lhs.2
           1184200   ~0%    {2} r14 = JOIN r13 WITH Call#841c84e8::MethodCall::getMethodName#0#dispred#ff#prev ON FIRST 2 OUTPUT Lhs.0, Lhs.2

           1184200   ~0%    {2} r15 = r11 UNION r14
           1184200   ~0%    {2} r16 = r8 UNION r15
           1184200   ~0%    {2} r17 = r5 UNION r16
           1184200   ~0%    {2} r18 = r17 AND NOT Synthesis#d9ff06b1::DestructuredAssignDesugar::LhsWithReceiver::getSynthKind#0#dispred#ff#prev(Lhs.0, Lhs.1)
                            return r18
```
2023-04-24 13:44:18 +02:00
Kasper Svendsen bfe5db20a3
Merge pull request #12891 from kaspersv/kaspersv/prevent-ruby-join-regression2
Prevent Ruby join order regression
2023-04-24 13:27:33 +02:00
Michael Nebel 8ade7247a1
Merge pull request #12885 from michaelnebel/mergepathgraph3
Dataflow: Introduce param module for merging three path graphs.
2023-04-24 12:49:28 +02:00
Alex Ford edf48f4839 Ruby: add sqlite3 to Frameworks.qll 2023-04-24 09:11:14 +01:00
Asger F f3b14e13b2
Merge pull request #12841 from asgerf/rb/api-graph-class-nodes
Ruby: add API node representing a module/class object
2023-04-21 10:59:51 +02:00
Alex Ford 9dc04f30ac Ruby: model sqlite3 2023-04-20 15:47:14 +01:00
Kasper Svendsen b707c8162e Prevent Ruby join order regression 2023-04-20 15:52:32 +02:00
Michael Nebel 656d8d2451 Sync files. 2023-04-20 11:29:51 +02:00
Kasper Svendsen ba6bb79dd3 Prevent Ruby join order regression 2023-04-19 14:42:27 +02:00
Alex Ford 924ce250dd
Merge pull request #12847 from github/post-release-prep/codeql-cli-2.13.0
Post-release preparation for codeql-cli-2.13.0
2023-04-18 14:40:40 +01:00
github-actions[bot] 648f0e19ec Post-release preparation for codeql-cli-2.13.0 2023-04-17 15:39:24 +00:00
Asger F e180b7e2ba Ruby: add locations for module object nodes 2023-04-17 12:49:35 +02:00
Asger F 8363171f1f Ruby: Add MkModuleObject as API node for a module/class 2023-04-17 12:47:23 +02:00
Asger F 7332cec9a5 Ruby: fix missing 'self' parameters in ModuleNode.getAnImmediateReferenc 2023-04-17 12:47:23 +02:00
Asger F 29a20550f6 Ruby: use MkUse/MkDef for successors, use/def for predecessors 2023-04-17 12:47:23 +02:00
Asger F ccb57f2a84
Merge pull request #12804 from asgerf/rb/api-graphs-cached
Ruby: restrict join order of API graph predicates
2023-04-17 08:24:07 +02:00
Jeroen Ketema 0c7346707b
Fix minor issues with change notes 2023-04-14 15:37:04 +02:00
github-actions[bot] 075d063370 Release preparation for version 2.13.0 2023-04-14 13:31:30 +00:00
Asger F f4e8656c17 Ruby: move internal methods to API::Node::Internal 2023-04-14 13:35:13 +02:00
Alex Eyers-Taylor c6a482819a Bump all qlpacks major versions 2023-04-13 19:15:27 +01:00
Maiky 820db43945 Add ERB Template Injection Sink 2023-04-13 17:21:31 +02:00
Michael Nebel 52bc43b22b
Merge pull request #12595 from michaelnebel/enhanceprovenance
Java/C# : Enhance provenance.
2023-04-13 14:27:53 +02:00
Alex Ford 8c46bfd051
Merge pull request #12816 from github/rc/3.9
Merge `rc/3.9` into `main`
2023-04-13 12:35:41 +01:00
Michael Nebel 1d82b09ec1 Sync files. 2023-04-13 09:21:05 +02:00
Asger F 69cb138912 Ruby: Tweak caching/inlining or API graph predicates 2023-04-12 15:56:58 +02:00
Chris Smowton 7eefa43f5a Rename and document `viableArgParamSpecific` to make clear it is a temporary hook. 2023-04-12 14:33:46 +01:00
Asger F 7e23bf3938 Ruby: remove some redundant getASubclass() calls 2023-04-12 15:32:01 +02:00
Chris Smowton 4d8ca3d759 Add dataflow callback to filter out receiver argument flow to Golang interface dispatch candidates.
Other languages stub the callback.
2023-04-12 14:19:06 +01:00
github-actions[bot] ac426b1302 Post-release preparation for codeql-cli-2.12.6 2023-04-04 16:49:26 +00:00
Asger F 7c9100c782
Merge pull request #12730 from asgerf/rb/net-http
Ruby: Minor fix in NetHttpRequest
2023-04-04 09:44:11 +02:00
Asger F c699afd07f Ruby: instantiate NetHttpRequest even if body is not accessed 2023-03-31 12:56:09 +02:00
Asger F 008ffea94f
Merge pull request #12703 from asgerf/rb/api-graphs-trackdef
Ruby: do not depend on trackDefNode in isDef
2023-03-31 10:30:18 +02:00
github-actions[bot] 0a3218676c Release preparation for version 2.12.6 2023-03-30 19:25:06 +00:00
github-actions[bot] e87ce62f95 Post-release preparation for codeql-cli-2.12.5 2023-03-30 13:48:58 +00:00
Jeroen Ketema 0acca2ba76
Merge pull request #12687 from jketema/unit-2
Make imports of `codeql.util.Unit` private
2023-03-29 13:07:12 +02:00
Asger F f8e76b5347 Ruby: do not depend on trackDefNode in isDef 2023-03-29 10:31:42 +02:00
Anders Schack-Mulligen 7c74fd07e9
Merge pull request #12684 from aschackmull/dataflow/remove-footgun
Dataflow: Remove accidentally exposed predicates.
2023-03-28 15:14:58 +02:00
Jeroen Ketema 3b8ad087eb
Make imports of `codeql.util.Unit` private 2023-03-28 14:14:13 +02:00
Anders Schack-Mulligen 47e7aa9566 Dataflow: Add change note. 2023-03-28 13:17:48 +02:00
Anders Schack-Mulligen d406b051fc Dataflow: Remove accidentally exposed predicates. 2023-03-28 10:04:21 +02:00
Asger F 32bab0b8b2
Merge pull request #12654 from asgerf/rb/always-resolve-toplevel-namespace
RB: always resolve toplevel namespaces to their locally qualified name
2023-03-28 09:54:59 +02:00
Tom Hvitved f8c28bee6a Ruby: Order synthetic children in PrintAST based on their index instead of location 2023-03-27 11:38:30 +02:00
Arthur Baars 4964f86df5
Merge pull request #12540 from aibaars/destructured-assign
Ruby: change evaluation order of destructured assignments
2023-03-27 11:30:44 +02:00
Jeroen Ketema 977f15f8a4
Merge pull request #12649 from jketema/unit
Replace all definitions of `Unit` by `import codeql.util.Unit`
2023-03-27 08:49:50 +02:00
Arthur Baars 3b12ddfdc2 Address comments 2023-03-24 16:58:53 +01:00
Arthur Baars 052bc95639 Ruby: add change note 2023-03-24 16:58:53 +01:00
Arthur Baars 9a8e138684 Ruby: also change evaluation order for scoped constants 2023-03-24 16:57:55 +01:00
Arthur Baars 8b90d021fa Ruby: change evaluation order of destructured assignments 2023-03-24 16:57:25 +01:00
Anders Schack-Mulligen 6db8c8b19f
Merge pull request #12656 from aschackmull/dataflow/qldoc
Dataflow: Minor qldoc fix
2023-03-24 14:57:39 +01:00
Asger F 179d0b36cf Ruby: make up qnames for top-level namespaces 2023-03-24 13:42:51 +01:00
Anders Schack-Mulligen 85511ba19d Dataflow: Sync 2023-03-24 12:42:06 +01:00
Tom Hvitved a5b7a0fe16
Merge pull request #12566 from hvitved/ruby/dataflow-assignments-in-paths 2023-03-24 12:31:59 +01:00
Jeroen Ketema a87a9438c7
Replace all definitions of `Unit` by `import codeql.util.Unit` 2023-03-24 10:39:34 +01:00
Tom Hvitved b816c79248 Ruby: Include all assignments in data flow paths 2023-03-24 10:09:30 +01:00
Anders Schack-Mulligen 9d88f01c82
Merge pull request #12645 from aschackmull/dataflow/renaming
Dataflow: Rename Make to Global and hasFlow to flow
2023-03-24 08:48:31 +01:00
Asger F a59a404752 Ruby: redundant check is implied by isToplevel() 2023-03-23 14:28:09 +01:00
Anders Schack-Mulligen d440bc2d0c Dataflow: Sync. 2023-03-23 13:40:23 +01:00
Anders Schack-Mulligen 1c1aa7ecdd Dataflow: Add change notes. 2023-03-23 13:17:36 +01:00
Anders Schack-Mulligen d0b7ffda70 Python/Ruby/Swift: Rename references. 2023-03-23 13:06:19 +01:00
Anders Schack-Mulligen 2761aa73ca Dataflow: Sync. 2023-03-23 13:06:19 +01:00
Kasper Svendsen ce6be1f636 Dataflow: Instantiate stage 1 access paths with proper unit type 2023-03-23 08:32:16 +01:00
Anders Schack-Mulligen b2d436ccc1
Merge pull request #12533 from aschackmull/java/misc-perf
Java/dataflow: Misc performance fixes
2023-03-22 08:39:43 +01:00
Anders Schack-Mulligen 0d6dd7d25a DataFlow: Sync. 2023-03-21 14:27:25 +01:00
Tom Hvitved 5260d9815a
Merge pull request #12582 from hvitved/ruby/element-of-type-content-set
Ruby: Introduce `ContentSet::isElementOfType[OrUnknown]/1`
2023-03-21 13:41:15 +01:00
Asger F 6d665da4dc
Merge pull request #12570 from github/post-release-prep/codeql-cli-2.12.5
Post-release preparation for codeql-cli-2.12.5
2023-03-21 13:06:25 +01:00
Anders Schack-Mulligen 3876e4335f
Merge pull request #12420 from kaspersv/kaspersv/dataflow-remove-alias-preds
Dataflow: Remove revFlowAlias and revFlowApAlias predicates
2023-03-20 16:30:15 +01:00
Alex Ford be163cfc38
Merge pull request #12311 from maikypedia/maikypedia/ruby-ssti
Ruby: Add Server Side Template Injection query
2023-03-20 15:26:27 +00:00
Kasper Svendsen 1d2f1b6ae6 Address comments 2023-03-20 13:34:14 +01:00
Kasper Svendsen e0e3a1d621 Dataflow: remove revFlowApAlias trick 2023-03-20 13:04:13 +01:00
Alex Ford 4b1171ce64
Merge branch 'main' into maikypedia/ruby-ssti 2023-03-20 09:55:53 +00:00
Tom Hvitved a9ef3f95a2 Ruby: Introduce `ContentSet::isElementOfType[OrUnknown]/1` 2023-03-20 10:03:15 +01:00
Michael Nebel 37484a415f Sync files. 2023-03-20 09:38:40 +01:00
Kasper Svendsen 9630feb5e4 Dataflow: Remove revFlowAlias trick 2023-03-20 09:04:35 +01:00
Erik Krogh Kristensen af98ceb3c3
Merge pull request #11478 from erik-krogh/more-shell-taint
Rb: more taint-steps for shell-command-construction
2023-03-20 08:41:22 +01:00
github-actions[bot] 981e171525 Post-release preparation for codeql-cli-2.12.5 2023-03-17 13:27:00 +00:00
Alex Ford c12a85b07b Ruby: autoformat 2023-03-17 11:49:10 +00:00
Alex Ford 60f313863a
Merge branch 'main' into maikypedia/ruby-ssti 2023-03-17 11:31:49 +00:00
Michael Nebel 282b5d4836
Merge pull request #12538 from michaelnebel/emptypredworkaround
DataFlow: Workaround empty predicate usage in IPA branch.
2023-03-17 10:29:19 +01:00
Tom Hvitved e69e90db4a Ruby: Remove some redundant `super` type qualifiers 2023-03-17 09:32:13 +01:00
Tom Hvitved 75746cbacc
Merge pull request #12549 from hvitved/ruby/ssa-write-access
Ruby: `Ssa::WriteDefinition::getWriteAccess` should return a CFG node
2023-03-17 09:31:14 +01:00
Tom Hvitved ee01e9ab35
Merge pull request #12554 from hvitved/ruby/clear-text-logging-hashes
Ruby: Rely on built-in hash-flow in clear text storage query
2023-03-17 09:21:11 +01:00
Harry Maclean 2c63dbad67
Merge pull request #11954 from hmac/sinatra
Ruby: Model Sinatra
2023-03-17 10:46:52 +13:00
Maiky a229f7a832 Solve merge conflict and add a change note 2023-03-16 16:15:02 +01:00
Tom Hvitved f35fb13723 Add change note 2023-03-16 15:18:47 +01:00