Commit graph

2953 Commits

Author SHA1 Message Date
dependabot[bot] b1f73b59cd
Bump flate2 from 1.0.22 to 1.0.25 in /ruby
Bumps [flate2](https://github.com/rust-lang/flate2-rs) from 1.0.22 to 1.0.25.
- [Release notes](https://github.com/rust-lang/flate2-rs/releases)
- [Commits](https://github.com/rust-lang/flate2-rs/compare/1.0.22...1.0.25)

---
updated-dependencies:
- dependency-name: flate2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-24 06:39:03 +00:00
Harry Maclean e6e4e29bf8 Ruby: newline 2023-01-23 21:53:52 +00:00
Harry Maclean 224db456af Ruby: Simplify isRackResponse 2023-01-23 21:53:09 +00:00
Harry Maclean 60f9635ada Ruby: Move import 2023-01-23 21:51:27 +00:00
Harry Maclean c1207e0938 Ruby: Fix rack response tracking
Use type tracking instead of getReturningNode, which seems to be faster
and works correctly for the cases I've tried.
2023-01-23 21:43:04 +00:00
Erik Krogh Kristensen 240248b9cf
Merge pull request #11453 from erik-krogh/unsafeHtmlConstruction
RB: add unsafe-html-construction query
2023-01-23 16:40:25 +01:00
Erik Krogh Kristensen 5be97f3761
Merge pull request #11909 from erik-krogh/concatCode
Rb: recognize string concatenations as sinks for unsafe-code-construction
2023-01-23 16:22:46 +01:00
erik-krogh ae00518ddf
remove the isAdditionalTaintStep predicate from UnsafeHtmlConstructionQuery, as it was not needed 2023-01-23 15:27:19 +01:00
erik-krogh 7c6ee5f293
Merge branch 'main' into unsafeHtmlConstruction 2023-01-23 15:01:01 +01:00
Erik Krogh Kristensen 32c4cf5769
Apply suggestions from code review
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
2023-01-23 14:58:04 +01:00
erik-krogh 800077dabe
changes based on feedback 2023-01-23 14:54:36 +01:00
Alex Ford 3b10a2de11
Merge branch 'main' into rails/render_locals_shared 2023-01-23 10:00:22 +00:00
Alex Ford 55550e7980
Merge pull request #11941 from alexrford/summary-component-tostring-syntheticglobal
Add missing toString case for synthetic globals
2023-01-23 10:00:00 +00:00
Arthur Baars 99148244a4
Merge pull request #11856 from aibaars/update-grammars
Update grammars
2023-01-23 09:46:50 +01:00
Michael Nebel 69a42d8b1f
Merge pull request #11931 from michaelnebel/csharp/refactor
Remove the Csv postfix of some predicate names.
2023-01-23 09:09:48 +01:00
Harry Maclean 21ce9b448a Ruby: Attempt to fix performance of AppCandidate
`DataFlow::MethodNode.getAReturningNode` is expensive to compute.
Instead we look for rack responses which flow to the `SynthReturnNode`.
Each method has only one of these (vs many "returning" nodes) so it is
a lot faster.
I'm not sure yet whether the results are the same.
2023-01-23 15:25:52 +13:00
github-actions[bot] b62cb6ba84 Post-release preparation for codeql-cli-2.12.1 2023-01-20 19:49:56 +00:00
Arthur Baars 2b9bc3c7e3 Ruby: write errors to json log 2023-01-20 20:11:55 +01:00
Alex Ford 8ae993185c Ruby: fix missing docs 2023-01-20 13:40:19 +00:00
Alex Ford c986ea1070 Ruby: scope local_assigns synthetic globals to both render call and template file 2023-01-20 13:40:19 +00:00
Alex Ford 14c896215c Ruby: factor out some RenderCall methods into a helper module 2023-01-20 13:40:19 +00:00
Alex Ford 03070c9fd0 Ruby: restrict AccessLocalsKeySummary to method calls against self 2023-01-20 13:40:19 +00:00
Alex Ford f6516db105 Ruby: correct preservesValue in AccessLocalsKeySummary 2023-01-20 13:40:19 +00:00
Alex Ford ab72301a4c Ruby: add a change note for rails render locals dataflow 2023-01-20 13:40:19 +00:00
Alex Ford 8fec4b804f Ruby: StoredXSS test whitespace change 2023-01-20 13:40:19 +00:00
Alex Ford fd8dd5e103 Ruby: update StoredXSS test output 2023-01-20 13:40:19 +00:00
Alex Ford 8845157d08 Ruby: slightly limit AccessLocalsKeySummary summarized callables 2023-01-20 13:40:19 +00:00
Alex Ford b5cc1087fe Ruby: add LocalAssignsHashSyntheticGlobal#getARenderCall predicate 2023-01-20 13:40:19 +00:00
Alex Ford 022171923c Ruby: fix some ql for ql alerts 2023-01-20 13:40:19 +00:00
Alex Ford bea110b598 Ruby: remove blank line in test file 2023-01-20 13:40:19 +00:00
Alex Ford b78ae1608e Ruby: remove a fixed TODO 2023-01-20 13:40:19 +00:00
Alex Ford e5fbc92856 Ruby: generalize rails flow step for accessing render locals hash in view 2023-01-20 13:40:19 +00:00
Alex Ford e4df1f5a6f Ruby: add missing toString case for synthetic globals 2023-01-20 13:31:43 +00:00
github-actions[bot] 005b3e4a47 Release preparation for version 2.12.1 2023-01-20 12:03:19 +00:00
Harry Maclean 16baea22c0
Ruby: doc fix
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
2023-01-20 22:06:29 +13:00
Michael Nebel dc223cb82e Sync files and make corresponding changes for other languages. 2023-01-19 15:14:06 +01:00
Arthur Baars d5e60dfb22 Ruby: pass diagnostics::LogWriter to extractor 2023-01-19 13:53:56 +01:00
Erik Krogh Kristensen ee9b01b5e6
Apply suggestions from code review
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
2023-01-18 22:14:46 +01:00
Arthur Baars e85e61b6d7 Ruby: add diagnostics module 2023-01-18 16:28:16 +01:00
erik-krogh e4d4873d0d
remove the dataflow copy for regexp tracking now that type-tracking is used 2023-01-18 11:04:51 +01:00
erik-krogh 1477974bf1
the RegexExecution concept does not need to have getTerm() 2023-01-18 10:10:36 +01:00
erik-krogh 1a3c9c8305
improve performance of regular-expression type-tracking by adding an exploratory initial analysis 2023-01-18 10:10:36 +01:00
erik-krogh b8f6feb68b
delete old test 2023-01-18 10:10:36 +01:00
erik-krogh 45316b6381
rename RegExpConfiguration to RegExpTracking 2023-01-18 10:10:36 +01:00
erik-krogh 25e65e0d9f
rewrite the regexp tracking DataFlow::Configuration to TypeTracking 2023-01-18 10:10:36 +01:00
erik-krogh d0b627b018
move the implementation detail of how regular-expressions are tracked into RegExpConfiguration.qll 2023-01-18 10:10:05 +01:00
erik-krogh f516ccb4e2
limit the fieldFlowBranchLimit for the regexp tracker to improve performance 2023-01-18 09:31:04 +01:00
erik-krogh 2fceee4e35
track regular expressions that get compiled with Regexp.compile 2023-01-18 09:31:04 +01:00
erik-krogh acf28ebd98
add a `RegexExecution`, and use it to track regular expressions to their uses in a nice way in `rb/polynomial-redos` 2023-01-18 09:31:04 +01:00
erik-krogh 6e33dd5df6
add failing test 2023-01-18 09:31:04 +01:00
erik-krogh 8251ad5e99
add unsafe-html-construction query 2023-01-17 15:35:17 +01:00
erik-krogh 8715790fe7
add explicit this 2023-01-17 15:17:48 +01:00
erik-krogh a562568522
add string concat as a sink for command-construction 2023-01-17 14:48:09 +01:00
erik-krogh 9d9de18bc9
add a generalized `AddExprRoot` into `Operation.qll` 2023-01-17 14:48:08 +01:00
erik-krogh 8fc3b268e8
add string concat as a sink for code-construction 2023-01-17 14:48:06 +01:00
Rasmus Wriedt Larsen a0b1c2ea79
DataFlow: Add `uniqueParameterNodePositionExclude` 2023-01-17 14:05:22 +01:00
Rasmus Wriedt Larsen 2b0a5fd5d1
DataFlow: Add `uniqueParameterNodeAtPositionExclude` 2023-01-17 14:05:17 +01:00
erik-krogh 713599963b
add --working-dir to Ruby qltest.cmd to fix Windows 2023-01-16 15:37:35 +01:00
Erik Krogh Kristensen 59a8b21851
Merge pull request #10862 from erik-krogh/unsafeCodeConstruction
Rb: Add an `unsafe-code-construction` query
2023-01-16 13:22:58 +01:00
Arthur Baars 5865b51a94 Ruby: build extractor using cross 2023-01-13 10:25:27 +01:00
Arthur Baars dc6f5f60d1 Ruby: update stats 2023-01-13 10:22:42 +01:00
Arthur Baars 28c9b52dce Ruby: add change note 2023-01-13 10:22:42 +01:00
Arthur Baars 46063c7d04 Ruby: update expected output 2023-01-13 10:22:41 +01:00
Arthur Baars c4ec674057 Ruby: support anonymous (hash)splat parameters/arguments 2023-01-13 10:22:41 +01:00
Arthur Baars 4d3e2bb814 Ruby: upgrade/downgrade scripts 2023-01-13 10:22:41 +01:00
Arthur Baars 290167e1a3 Ruby: re-generated dbscheme/library 2023-01-13 10:22:41 +01:00
Arthur Baars 3a887d1c92 Ruby: update tree-sitter-{ruby, embedded-template} 2023-01-13 10:22:41 +01:00
Arthur Baars af8cb65b2e
Merge pull request #11877 from aibaars/ql-ql-cross
QL/Ruby: include OS version in cache keys for Rust binaries
2023-01-12 20:02:25 +01:00
Arthur Baars e29e077a03 Ruby/QL4QL: include OS version in cache keys 2023-01-12 15:47:10 +01:00
Michael Nebel 18a815ca8b
Merge pull request #11721 from michaelnebel/csharpjava/refactorprovenance
C#/Java: Re-factor provenance related predicates.
2023-01-12 10:50:31 +01:00
Harry Maclean 33a1469a56 Ruby: Add change note 2023-01-12 16:29:00 +13:00
Harry Maclean 8219465389 Ruby: fix missing doc 2023-01-12 11:35:35 +13:00
Harry Maclean 0626d693f5 Ruby: Recognise rack applications
This is a basic first step in modelling rack apps. We recognise classes
that look like rack applications and then treat the argument to `call`
in the same way that we treat `request.env` in ActionController classes.

This finds a TP in CVE-2021-43840.
2023-01-12 11:28:31 +13:00
Pierre c3116b3f0f
Merge branch 'main' into turbo/experimental/combined 2023-01-11 18:02:55 +01:00
Michael Nebel 7e4f7a0c17 C#: Address review comments and sync files. 2023-01-11 16:29:24 +01:00
Michael Nebel 67cbe38255 Sync files. 2023-01-11 16:20:55 +01:00
Michael Nebel c01361a1fd Ruby: Re-factor provenance related predicates for summarized callable. 2023-01-11 16:20:55 +01:00
Michael Nebel ea173f9516 Sync files. 2023-01-11 16:20:55 +01:00
Tony Torralba c9d1cd97fb Ruby: Remove omittable exists variables 2023-01-10 13:39:49 +01:00
Erik Krogh Kristensen f2658a0936
apply suggestions from doc review
Co-authored-by: mc <42146119+mchammer01@users.noreply.github.com>
2023-01-10 12:56:22 +01:00
Arthur Baars 664fdc3b2a
Merge pull request #11815 from aibaars/too-many-fields
Ruby: use record_parse_error_for_node to report extractor error
2023-01-09 15:40:19 +01:00
Erik Krogh Kristensen 5157d4df7b
Merge pull request #11581 from erik-krogh/stdin
Rb: add stdin as source for unsafe-deserialization
2023-01-09 13:57:47 +01:00
yoff c01ce955ba
Merge pull request #11778 from yoff/shared/inline-tests
Shared: Inline test expectations
2023-01-09 13:21:18 +01:00
erik-krogh d67e756f42
make the import of Gem private 2023-01-09 09:13:01 +01:00
Harry Maclean 5b117084db
Merge pull request #11534 from hmac/array-inclusion-barrier-guard-constant
Ruby: Make array inclusion barrier more sensitive
2023-01-09 20:57:09 +13:00
github-actions[bot] cdb8f67601 Post-release preparation for codeql-cli-2.12.0 2023-01-06 10:36:34 +00:00
erik-krogh 0a1769657d
add change-note 2023-01-06 09:09:09 +01:00
erik-krogh 19d2b49562
drive-by: make Base64.decode64(..) into a flowsummary that is shared with all queries 2023-01-06 09:04:37 +01:00
erik-krogh 1a27441cfb
drive-by: delete code-execution sinks from unsafe-deserialization, we risked duplicate alerts 2023-01-06 09:04:36 +01:00
erik-krogh 0e6028a7f3
add stdin as source for unsafe-deserialization 2023-01-06 09:04:36 +01:00
erik-krogh f98ff65b11
use eval() instead of send() in test 2023-01-05 20:04:04 +01:00
Erik Krogh Kristensen d9176541c6
Apply suggestions from code review
Co-authored-by: Alex Ford <alexrford@users.noreply.github.com>
2023-01-05 20:02:54 +01:00
Jeroen Ketema de37f3b7d5
Properly indent code block in change log 2023-01-05 18:38:33 +01:00
Jeroen Ketema 170242f79c
Apply suggestions from code review 2023-01-05 17:57:19 +01:00
Nick Rolfe 6e07076151 tweak wording in 2.12 release notes 2023-01-05 16:46:44 +00:00
github-actions[bot] b6a8193785 Release preparation for version 2.12.0 2023-01-05 16:32:14 +00:00
Rasmus Lerchedahl Petersen c3b3c05cf3 Revert "Merge pull request #37 from erik-krogh/shared/inline-tests"
This reverts commit 65fe9abcfe, reversing
changes made to 08e9d3391f.
2023-01-05 09:19:43 +01:00
Arthur Baars 799e0c1bcc Ruby: use record_parse_error_for_node to report extractor error 2023-01-04 17:35:47 +01:00
Aditya Sharad ed73875fac
Merge pull request #11747 from adityasharad/tutorial/library-pack
Tutorial: Move QL detective tutorial library into shared `codeql/tutorial` library pack
2023-01-04 08:24:53 -08:00
Henry Mercer b96160f0f3
Merge pull request #11783 from github/henrymercer/specify-baseline-languages
Specify language names in extractor packs
2023-01-04 10:42:18 +00:00
Harry Maclean 4d228bcddf Ruby: Recognise more string-valued variables
This increases the sensitivity of our barrier guards.
2023-01-04 11:45:10 +13:00
Harry Maclean 9944252c43 Ruby: Add test for barrier guards
This demonstrates that we are missing a guard when a case branch
compares against a string-valued variable rather than a string literal.
2023-01-04 11:45:10 +13:00
Harry Maclean 698a679c78 Ruby: add test 2023-01-04 11:45:10 +13:00
Harry Maclean 0fbb6bf608 Ruby: Make array inclusion barrier more sensitive 2023-01-04 11:45:09 +13:00
Aditya Sharad 9988c19a42
Merge branch 'main' into tutorial/library-pack 2023-01-03 14:08:37 -08:00
Calum Grant ad55706527
Merge branch 'main' into calumgrant/remove-lgtm 2023-01-03 10:27:30 +00:00
erik-krogh 3811eae679
simplify the qhelp for unsafe-code-construction
The `send()` example is not flagged by any current query, so it was weird talking about it as "vulnerable".
2023-01-02 13:33:56 +01:00
Erik Krogh Kristensen 79a2b6d0b0
use `any()` instead of `this = this`
Co-authored-by: Arthur Baars <aibaars@github.com>
2023-01-02 10:49:54 +01:00
erik-krogh 99dc0a8356
fix binding 2023-01-02 10:30:28 +01:00
erik-krogh 3815a5a096
fix qhelp syntax 2023-01-02 10:19:05 +01:00
Harry Maclean a6571a05ab Ruby: Include send example in qhelp 2022-12-28 11:34:55 +13:00
Harry Maclean d3812f5906 Ruby: Add another code injection example to qhelp 2022-12-28 11:20:56 +13:00
Harry Maclean b70ca77afc
Merge pull request #10899 from hmac/flow-summary-docs
Ruby: Document flow summary syntax
2022-12-28 10:47:38 +13:00
Henry Mercer 6be790929d Specify language names in extractor packs 2022-12-23 13:15:04 +00:00
erik-krogh b3dd50bc36
inline Location into the shared implementation of InlineExpectationsTest 2022-12-22 11:09:43 +01:00
Rasmus Lerchedahl Petersen 0d6c643d77 ruby: use shared inline tests
- remove from identical-files
2022-12-22 10:20:07 +01:00
Arthur Baars 98c5b81456
Merge pull request #11723 from aibaars/alert-suppression
CodeQL alert suppression
2022-12-21 10:59:57 +01:00
Arthur Baars 035ad65e43 AlertSuppression: move library into util folder 2022-12-21 10:39:57 +01:00
Jami c9258effb6
Merge pull request #11572 from jcogs33/jcogs33/model-top-jdk-apis
Java: model top 100 JDK APIs
2022-12-20 09:13:53 -05:00
Erik Krogh Kristensen b1e6a86a4b
Merge pull request #11757 from erik-krogh/treesitter-qldoc
QL/RB: make top TreeSitter.qll comment into a qldoc
2022-12-20 13:36:31 +01:00
erik-krogh 2ff23a6fc0
make top TreeSitter.qll comment into a qldoc 2022-12-20 11:39:06 +01:00
Aditya Sharad ed29b3e4d6
Shared packs: Depend on `codeql/tutorial` from all language libraries
This allows `import tutorial` from queries targeting
any language, just like before, while removing the
duplicate copies of `tutorial.qll`.
2022-12-19 15:52:11 -08:00
Arthur Baars a8be5d7274 AlertSuppression: add change notes 2022-12-19 17:02:52 +01:00
Arthur Baars 0f313231bc AlertSuppression: add more tests 2022-12-19 16:43:11 +01:00
Calum Grant 0894059d33 Ruby: Remove reference to LGTM 2022-12-19 15:15:43 +00:00
Arthur Baars c176606be5 AlertSuppression: allow //lgtm comments to scope over the next line 2022-12-19 16:10:26 +01:00
Arthur Baars 016c7a8ca7
Merge pull request #11719 from aibaars/alert-suppression-shared
Shared AlertSuppression library
2022-12-19 16:04:44 +01:00
Erik Krogh Kristensen f136651384
Merge pull request #11575 from erik-krogh/kernelLoad
Rb: add Kernel methods as sinks to path-injection
2022-12-19 15:09:21 +01:00
erik-krogh d0af30b40a
cleanup the implementation of `toString()` for `SuperCall` 2022-12-19 14:28:01 +01:00
Arthur Baars 06736e3e91 Add .gitattributes for Windows test files 2022-12-19 12:39:01 +01:00
Arthur Baars 621a108846 Ruby: use shared AlertSuppression.qll 2022-12-19 12:26:06 +01:00
erik-krogh db49cfb723
Merge branch 'main' into kernelLoad 2022-12-19 09:46:25 +01:00
erik-krogh 35e8d6afd4
move getACommonTld into a utility module without parameters 2022-12-18 17:23:45 +01:00
erik-krogh ba7321ac5c
add qldoc to RegExpCharEscape 2022-12-18 17:23:45 +01:00
erik-krogh 26c5480ee6
share {js,rb}/regex/missing-regexp-anchor 2022-12-18 17:23:41 +01:00
turbo 1e5426fca2 Create security-experimental suite helper and all language suite implementations 2022-12-18 15:44:08 +01:00
erik-krogh 355499ea52
move `getACommonTld` to the shared pack 2022-12-17 17:26:18 +01:00
erik-krogh f67d0bc8c0
put the shared HostnameRegexp code in the shared regex pack 2022-12-17 17:26:18 +01:00
Jami ff652f7dee
Merge branch 'main' into jcogs33/model-top-jdk-apis 2022-12-16 15:32:50 -05:00
Henry Mercer 30451ee950
Merge pull request #11681 from github/henrymercer/mergeback-3.8
Merge `rc/3.8` back to `main`
2022-12-16 17:43:12 +00:00
Tom Hvitved e629568eda
Merge pull request #11720 from hvitved/ruby/call-sensitive-initialize-bug-fix
Ruby: Fix bug in call-sensitivity logic for `initialize` calls
2022-12-16 16:36:31 +01:00
Tom Hvitved 5fba5e4895
Merge pull request #11718 from hvitved/ruby/self-allocate
Ruby: Recognize custom `self.new` methods that return `self.allocate`
2022-12-16 14:46:08 +01:00
Tom Hvitved bfc257147c Ruby: Fix bug in call-sensitivity logic for `initialize` calls 2022-12-16 11:17:15 +01:00
Tom Hvitved e45edcc159
Merge pull request #11674 from hvitved/dataflow/param-context
Data flow: Track callable in flow-through pruning
2022-12-16 09:25:15 +01:00
Tom Hvitved accf4ca364 Ruby: Recognize custom `self.new` methods that return `self.allocate` 2022-12-16 09:23:36 +01:00
Tom Hvitved b64083d08e Ruby: Add more call graph tests 2022-12-16 09:21:00 +01:00
Jami Cogswell f01ee9e4c2 Java: remove PR-merging comment 2022-12-15 22:56:15 -05:00
Jami fd63348549
Merge pull request #11585 from jcogs33/jcogs33/mad-metrics-query
Java: add MaD metrics query
2022-12-15 19:26:51 -05:00
Tom Hvitved f8571dd0b6 Data flow: Work around functionality-induced misoptimization 2022-12-15 15:29:14 +01:00
Tom Hvitved 6eda042229 Data flow: Sync files 2022-12-15 15:29:13 +01:00