зеркало из https://github.com/github/codeql.git
21 KiB
21 KiB
0.8.5
No user-facing changes.
0.8.4
Minor Analysis Improvements
- Improved modeling for
ActiveRecord
supdate_all
method
0.8.3
No user-facing changes.
0.8.2
No user-facing changes.
0.8.1
Minor Analysis Improvements
- Deleted the deprecated
isBarrierGuard
predicate from the dataflow library and its uses, useisBarrier
and theBarrierGuard
module instead. - Deleted the deprecated
isWeak
predicate from theCryptographicOperation
class. - Deleted the deprecated
getStringOrSymbol
andisStringOrSymbol
predicates from theConstantValue
class. - Deleted the deprecated
getAPI
from theIOOrFileMethodCall
class. - Deleted the deprecated
codeql.ruby.security.performance
folder, usecodeql.ruby.security.regexp
instead. - GraphQL enums are no longer considered remote flow sources.
0.8.0
Major Analysis Improvements
- Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
0.7.5
No user-facing changes.
0.7.4
No user-facing changes.
0.7.3
Minor Analysis Improvements
- Flow between positional arguments and splat parameters (
*args
) is now tracked more precisely. - Flow between splat arguments (
*args
) and positional parameters is now tracked more precisely.
0.7.2
No user-facing changes.
0.7.1
New Features
- The
DataFlow::StateConfigSig
signature module has gained default implementations forisBarrier/2
andisAdditionalFlowStep/4
. Hence it is no longer needed to providenone()
implementations of these predicates if they are not needed.
Major Analysis Improvements
- The API graph library (
codeql.ruby.ApiGraphs
) has been significantly improved, with better support for inheritance, and data-flow nodes can now be converted to API nodes by calling.track()
or.backtrack()
on the node. API graphs allow for efficient modelling of how a given value is used by the code base, or how values produced by the code base are consumed by a library. See the documentation forAPI::Node
for details and examples.
Minor Analysis Improvements
- Data flow configurations can now include a predicate
neverSkip(Node node)
in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations. - The
'QUERY_STRING'
field of a Rackenv
parameter is now recognized as a source of remote user input. - Query parameters and cookies from
Rack::Response
objects are recognized as potential sources of remote flow input. - Calls to
Rack::Utils.parse_query
now propagate taint.
0.7.0
Deprecated APIs
- The
Configuration
taint flow configuration class fromcodeql.ruby.security.InsecureDownloadQuery
has been deprecated. Use theFlow
module instead.
Minor Analysis Improvements
- More kinds of rack applications are now recognized.
- Rack::Response instances are now recognized as potential responses from rack applications.
- HTTP redirect responses from Rack applications are now recognized as a potential sink for open redirect alerts.
- Additional sinks for
rb/unsafe-deserialization
have been added. This includes various methods from theyaml
andplist
gems, which deserialize YAML and Property List data, respectively.
0.6.4
No user-facing changes.
0.6.3
Minor Analysis Improvements
- Deleted many deprecated predicates and classes with uppercase
URL
,XSS
, etc. in their names. Use the PascalCased versions instead. - Deleted the deprecated
getValueText
predicate from theExpr
,StringComponent
, andExprCfgNode
classes. UsegetConstantValue
instead. - Deleted the deprecated
VariableReferencePattern
class, useReferencePattern
instead. - Deleted all deprecated aliases in
StandardLibrary.qll
, usecodeql.ruby.frameworks.Core
andcodeql.ruby.frameworks.Stdlib
instead. - Support for the
sequel
gem has been added. Method calls that execute queries against a database that may be vulnerable to injection attacks will now be recognized. - Support for the
mysql2
gem has been added. Method calls that execute queries against an MySQL database that may be vulnerable to injection attacks will now be recognized. - Support for the
pg
gem has been added. Method calls that execute queries against a PostgreSQL database that may be vulnerable to injection attacks will now be recognized.
0.6.2
Minor Analysis Improvements
- Support for the
sqlite3
gem has been added. Method calls that execute queries against an SQLite3 database that may be vulnerable to injection attacks will now be recognized.
0.6.1
No user-facing changes.
0.6.0
Deprecated APIs
- The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
Minor Analysis Improvements
- Control flow graph: the evaluation order of scope expressions and receivers in multiple assignments has been adjusted to match the changes made in Ruby 3.1 and 3.2.
- The clear-text storage (
rb/clear-text-storage-sensitive-data
) and logging (rb/clear-text-logging-sensitive-data
) queries now use built-in flow through hashes, for improved precision. This may result in both new true positives and less false positives. - Accesses of
params
in Sinatra applications are now recognized as HTTP input accesses. - Data flow is tracked from Sinatra route handlers to ERB files.
- Data flow is tracked between basic Sinatra filters (those without URL patterns) and their corresponding route handlers.
Bug Fixes
- Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular
DataFlow::hasFlowPath
,DataFlow::hasFlow
,DataFlow::hasFlowTo
, andDataFlow::hasFlowToExpr
were accidentally exposed in a single version.
0.5.6
No user-facing changes.
0.5.5
New Features
- Added support for merging two
PathGraph
s via disjoint union to allow results from multiple data flow computations in a singlepath-problem
query.
Major Analysis Improvements
- The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
Minor Analysis Improvements
- Data flow through
initialize
methods is now taken into account also when the receiver of anew
call is an (implicit or explicit)self
. - The Active Record query methods
reorder
andcount_by_sql
are now recognized as SQL executions. - Calls to
ActiveRecord::Connection#execute
, including those via subclasses, are now recognized as SQL executions. - Data flow through
ActionController::Parameters#require
is now tracked properly. - The severity of parse errors was reduced to warning (previously error).
- Deleted the deprecated
getQualifiedName
predicate from theConstantWriteAccess
class. - Deleted the deprecated
getWhenBranch
andgetAWhenBranch
predicates from theCaseExpr
class. - Deleted the deprecated
Self
,PatternParameter
,Pattern
,VariablePattern
,TuplePattern
, andTuplePatternParameter
classes.
0.5.4
Minor Analysis Improvements
- Flow is now tracked between ActionController
before_filter
andafter_filter
callbacks and their associated action methods. - Calls to
ApplicationController#render
andApplicationController::Renderer#render
are recognized as Rails rendering calls. - Support for Twirp framework.
0.5.3
Minor Analysis Improvements
- Ruby 3.1: one-line pattern matches are now supported. The AST nodes are named
TestPattern
(expr in pattern
) andMatchPattern
(expr => pattern
).
0.5.2
Minor Analysis Improvements
- Data flowing from the
locals
argument of a Railsrender
call is now tracked to uses of that data in an associated view. - Access to headers stored in the
env
of Rack requests is now recognized as a source of remote input. - Ruby 3.2: anonymous rest and keyword rest arguments can now be passed as arguments, instead of just used in method parameters.
0.5.1
No user-facing changes.
0.5.0
Major Analysis Improvements
- Flow through
initialize
constructors is now taken into account. For example, in
there will be flow fromclass C def initialize(x) @field = x end end C.new(y)
y
to the field@field
on the constructedC
object.
Minor Analysis Improvements
- Calls to
Kernel.load
,Kernel.require
,Kernel.autoload
are now modeled as sinks for path injection. - Calls to
mail
andinbound_mail
inActionMailbox
controllers are now considered sources of remote input. - Calls to
GlobalID::Locator.locate
and its variants are now recognized as instances ofOrmInstantiation
. - Data flow through the
ActiveSupport
extensionsEnumerable#index_with
,Enumerable#pick
,Enumerable#pluck
andEnumerable#sole
are now modeled. - When resolving a method call, the analysis now also searches in sub-classes of the receiver's type.
- Taint flow is now tracked through many common JSON parsing and generation methods.
- The ReDoS libraries in
codeql.ruby.security.regexp
has been moved to a shared pack inside theshared/
folder, and the previous location has been deprecated. - String literals and arrays of string literals in case expression patterns are now recognised as barrier guards.
0.4.6
No user-facing changes.
0.4.5
No user-facing changes.
0.4.4
Minor Analysis Improvements
- Data flow through the
ActiveSupport
extensionEnumerable#index_by
is now modeled. - The
codeql.ruby.Concepts
library now has aSqlConstruction
class, in addition to the existingSqlExecution
class. - Calls to
Arel.sql
are now modeled as instances of the newSqlConstruction
concept. - Arguments to RPC endpoints (public methods) on subclasses of
ActionCable::Channel::Base
are now recognized as sources of remote user input. - Taint flow through the
ActiveSupport
extensionsHash#reverse_merge
andHash:reverse_merge!
, and their aliases, is now modeled more generally, where previously it was only modeled in the context ofActionController
parameters. - Calls to
logger
inActiveSupport
actions are now recognised as logger instances. - Calls to
send_data
inActiveSupport
actions are recognised as HTTP responses. - Calls to
body_stream
inActiveSupport
actions are recognised as HTTP request accesses. - The
ActiveSupport
extensionsObject#try
andObject#try!
are now recognised as code executions.
0.4.3
Minor Analysis Improvements
- There was a bug in
TaintTracking::localTaint
andTaintTracking::localTaintStep
such that they only tracked non-value-preserving flow steps. They have been fixed and now also include value-preserving steps. - Instantiations using
Faraday::Connection.new
are now recognized as part ofFaradayHttpRequest
s, meaning they will be considered as sinks for queries such asrb/request-forgery
. - Taint flow is now tracked through extension methods on
Hash
,String
andObject
provided byActiveSupport
.
0.4.2
Minor Analysis Improvements
- The hashing algorithms from
Digest
andOpenSSL::Digest
are now recognized and can be flagged by therb/weak-cryptographic-algorithm
query. - More sources of remote input arising from methods on
ActionDispatch::Request
are now recognized. - The response value returned by the
Faraday#run_request
method is now also considered a source of remote input. ActiveJob::Serializers.deserialize
is considered to be a code execution sink.- Calls to
params
inActionMailer
classes are now treated as sources of remote user input. - Taint flow through
ActionController::Parameters
is tracked more accurately.
0.4.1
Minor Analysis Improvements
- The following classes have been moved from
codeql.ruby.frameworks.ActionController
tocodeql.ruby.frameworks.Rails
:ParamsCall
, now accessed asRails::ParamsCall
.CookieCall
, now accessed asRails::CookieCall
.
- The following classes have been moved from
codeql.ruby.frameworks.ActionView
tocodeql.ruby.frameworks.Rails
:HtmlSafeCall
, now accessed asRails::HtmlSafeCall
.HtmlEscapeCall
, now accessed asRails::HtmlEscapeCall
.RenderCall
, now accessed asRails::RenderCall
.RenderToCall
, now accessed asRails::RenderToCall
.
- Subclasses of
ActionController::Metal
are now recognised as controllers. ActionController::DataStreaming::send_file
is now recognized as aFileSystemAccess
.- Various XSS sinks in the ActionView library are now recognized.
- Calls to
ActiveRecord::Base.create
are now recognized as model instantiations. - Various code executions, command executions and HTTP requests in the ActiveStorage library are now recognized.
MethodBase
now has two new predicates related to visibility:isPublic
andisProtected
. These hold, respectively, if the method is public or protected.
0.4.0
Breaking Changes
import ruby
no longer brings the standard Ruby AST library into scope; it instead brings a moduleAst
into scope, which must be imported. Alternatively, it is also possible to importcodeql.ruby.AST
.- Changed the
HTTP::Client::Request
concept from usingMethodCall
as base class, to usingDataFlow::Node
as base class. Any class that extendsHTTP::Client::Request::Range
must be changed, but if you only use the member predicates ofHTTP::Client::Request
, no changes are required.
Deprecated APIs
- Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
Minor Analysis Improvements
- Uses of
ActionView::FileSystemResolver
are now recognized as filesystem accesses. - Accesses of ActiveResource models are now recognized as HTTP requests.
Bug Fixes
- Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
0.3.5
0.3.4
Deprecated APIs
- The utility files previously in the
codeql.ruby.security.performance
package have been moved to thecodeql.ruby.security.regexp
package.
The previous files still exist as deprecated aliases.
Minor Analysis Improvements
- Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
- Calls to
render
in Rails controllers and views are now recognized as HTTP response bodies.
0.3.3
Minor Analysis Improvements
- Calls to methods generated by ActiveRecord associations are now recognised as
instantiations of ActiveRecord objects. This increases the sensitivity of
queries such as
rb/sql-injection
andrb/stored-xss
. - Calls to
ActiveRecord::Base.create
andActiveRecord::Base.update
are now recognised as write accesses. - Arguments to
Mime::Type#match?
andMime::Type#=~
are now recognised as regular expression sources.
0.3.2
Minor Analysis Improvements
- Calls to
Arel.sql
are now recognised as propagating taint from their argument. - Calls to
ActiveRecord::Relation#annotate
are now recognized asSqlExecution
s so that it will be considered as a sink for queries like rb/sql-injection.
0.3.1
Minor Analysis Improvements
- Fixed a bug causing every expression in the database to be considered a system-command execution sink when calls to any of the following methods exist:
- The
spawn
,fspawn
,popen4
,pspawn
,system
,_pspawn
methods and the backtick operator from thePOSIX::spawn
gem. - The
execute_command
,rake
,rails_command
, andgit
methods inRails::Generation::Actions
.
- The
- Improved modeling of sensitive data sources, so common words like
certain
andsecretary
are no longer considered a certificate and a secret (respectively).
0.3.0
Deprecated APIs
- The
BarrierGuard
class has been deprecated. Such barriers and sanitizers can now instead be created using the newBarrierGuard
parameterized module.
0.2.3
Minor Analysis Improvements
- Calls to
Zip::File.open
andZip::File.new
have been added asFileSystemAccess
sinks. As a result queries likerb/path-injection
now flag up cases where users may access arbitrary archive files.
0.2.2
Major Analysis Improvements
- Added data-flow support for hashes.
Minor Analysis Improvements
- Support for data flow through instance variables has been added.
- Support of the safe navigation operator (
&.
) has been added; there is a new predicateMethodCall.isSafeNavigation()
.
0.2.1
Bug Fixes
- The Tree-sitter Ruby grammar has been updated; this fixes several issues where Ruby code was parsed incorrectly.
0.2.0
Breaking Changes
- The signature of
allowImplicitRead
onDataFlow::Configuration
andTaintTracking::Configuration
has changed fromallowImplicitRead(DataFlow::Node node, DataFlow::Content c)
toallowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c)
.
0.1.0
Breaking Changes
- The recently added flow-state versions of
isBarrierIn
,isBarrierOut
,isSanitizerIn
, andisSanitizerOut
in the data flow and taint tracking libraries have been removed. - The
getURL
member-predicates of theHTTP::Client::Request
andHTTP::Client::Request::Range
classes fromConcepts.qll
have been renamed togetAUrlPart
.
Deprecated APIs
ConstantValue::getStringOrSymbol
andConstantValue::isStringOrSymbol
, which return/hold for all string-like values (strings, symbols, and regular expressions), have been renamed toConstantValue::getStringlikeValue
andConstantValue::isStringlikeValue
, respectively. The old names have been marked asdeprecated
.
Minor Analysis Improvements
- Whereas
ConstantValue::getString()
previously returned both string and regular-expression values, it now returns only string values. The same applies toConstantValue::isString(value)
. - Regular-expression values can now be accessed with the new predicates
ConstantValue::getRegExp()
,ConstantValue::isRegExp(value)
, andConstantValue::isRegExpWithFlags(value, flags)
. - The
ParseRegExp
andRegExpTreeView
modules are now "internal" modules. Users should usecodeql.ruby.Regexp
instead.
0.0.13
0.0.12
Breaking Changes
- The flow state variants of
isBarrier
andisAdditionalFlowStep
are no longer exposed in the taint tracking library. TheisSanitizer
andisAdditionalTaintStep
predicates should be used instead.
Deprecated APIs
- Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
New Features
- The data flow and taint tracking libraries have been extended with versions of
isBarrierIn
,isBarrierOut
, andisBarrierGuard
, respectivelyisSanitizerIn
,isSanitizerOut
, andisSanitizerGuard
, that support flow states.
Minor Analysis Improvements
getConstantValue()
now returns the contents of strings and symbols after escape sequences have been interpreted. For example, for the Ruby string literal"\n"
,getConstantValue().getString()
previously returned a QL string with two characters, a backslash followed byn
; now it returns the single-character string "\n" (U+000A, known as newline).getConstantValue().getInt()
previously returned incorrect values for integers larger than 231-1 (the largest value that can be represented by the QLint
type). It now returns no result in those cases.- Added
OrmWriteAccess
concept to model data written to a database using an object-relational mapping (ORM) library.
0.0.11
Minor Analysis Improvements
- The
Regex
class is now an abstract class that extendsStringlikeLiteral
with implementations forRegExpLiteral
and string literals that 'flow' into functions that are known to interpret string arguments as regular expressions such asRegex.new
andString.match
. - The regular expression parser now groups sequences of normal characters. This reduces the number of instances of
RegExpNormalChar
.
0.0.10
Minor Analysis Improvements
- Added
FileSystemWriteAccess
concept to model data written to the filesystem.
0.0.9
0.0.8
0.0.7
0.0.6
Deprecated APIs
ConstantWriteAccess.getQualifiedName()
has been deprecated in favor ofgetAQualifiedName()
which can return multiple possible qualified names for a given constant write access.
0.0.5
New Features
- A new library,
Customizations.qll
, has been added, which allows for global customizations that affect all queries.