Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ruby: Use the new dataflow API for checked in queries #14124

Merged
merged 51 commits into from
Sep 13, 2023
Merged

Ruby: Use the new dataflow API for checked in queries #14124

merged 51 commits into from
Sep 13, 2023

Conversation

alexrford
Copy link
Contributor

@alexrford alexrford commented Sep 3, 2023
edited
Loading

Uses the DataFlow::ConfigSig module signature instead of the DataFlow::Configuration class.

The general naming convention is SomeQueryFlow for the flow module for the SomeQuery.ql query.

In most cases the old configuration has been left in place and deprecated. For cases where the configuration was defined in the query file itself (i.e. within src), I've just deleted the old configuration as it's not part of a CodeQL library.

Any barrier guard predicates have been dropped. I don't think we have any cases where this makes a difference, unless the barrier guard abstract classes are extended externally (i.e. not within this repo).

There are some very tiny changes to flow steps in some places, reflected in updated .expected output. These seem to be benign or minor improvements as far as I can tell.

Two queries, rb/http-to-file-access and rb/tainted-format-string share a *Query.qll file with JS. I've reverted the changes to these queries for now - I think it'll be slightly cleaner to do the Ruby and JS changes for these in a separate PR.

@alexrford alexrford added the Ruby label Sep 3, 2023
@alexrford
Ruby: configsig rb/clear-text-logging-sensitive-data
2a2f21d
@alexrford
Ruby: configsig rb/clear-text-storage-sensitive-data
6fa267a
@alexrford
Ruby: configsig rb/code-injection
b1a49dd
@alexrford
Ruby: configsig rb/command-line-injection
377570f
@alexrford
Ruby: configsig rb/user-controlled-bypass
2536f1a
@alexrford
Ruby: configsig rb/http-to-file-access
c973fc1
@alexrford
Ruby: renames for rb/insecure-download
a8ad0d8
@alexrford
Ruby: configsig rb/kernel-open
d46eceb
@alexrford
Ruby: renames for rb/ldap-injection
eb34bbb
@alexrford
Ruby: renames for rb/log-injection
867e47b
@alexrford
Ruby: configsig rb/path-injection
ad2bbfb
@alexrford
Ruby: configsig rb/reflected-xss
593d9a4
@alexrford
Ruby: configsig rb/sensitive-get-query
df91735
@alexrford
Ruby: configsig rb/request-forgery
ba8ff07
@alexrford
Ruby: configsig rb/sql-injection
bf1cb33
@alexrford
Ruby: configsig rb/stack-trace-exposure
030aae5
@alexrford
Ruby: renames for rb/stored-xss
f5e4339
@alexrford
Ruby: configsig rb/tainted-format-string
0a73ebd
@alexrford
Ruby: configsig rb/server-side-template-injection
3e23a6e
@alexrford
Ruby: configsig rb/unsafe-code-construction
461bc0d
@alexrford
Ruby: configsig rb/unsafe-deserialization
8ad6c72
@alexrford
Ruby: configsig rb/html-constructed-from-input
f03f670
@alexrford
Ruby: configsig rb/shell-command-constructed-from-input
f79796a
@alexrford
Ruby: configsig rb/url-redirection
42cd586
@alexrford
Ruby: renames for rb/xpath-injection
77f3a70
@alexrford
Ruby: configsig rb/regex/badly-anchored-regexp
04d3d04
@alexrford
Ruby: configsig rb/polynomial-redos
494b7b3
@alexrford alexrford marked this pull request as ready for review September 5, 2023 14:04
@alexrford alexrford requested a review from a team as a code owner September 5, 2023 14:04
@alexrford
Copy link
Contributor Author

Worth noting - this increases cache sizes significantly. This seems to be expected and has also occurred in other languages that have made this change.

hvitved
hvitved requested changes Sep 6, 2023
View reviewed changes
Copy link
Contributor

@hvitved hvitved left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks a lot for doing this. Some minor comments.

ruby/ql/lib/codeql/ruby/experimental/UnicodeBypassValidationQuery.qll Outdated Show resolved Hide resolved
ruby/ql/lib/codeql/ruby/security/CodeInjectionQuery.qll Outdated Show resolved Hide resolved
ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll Outdated Show resolved Hide resolved
ruby/ql/lib/codeql/ruby/security/HardcodedDataInterpretedAsCodeQuery.qll Outdated Show resolved Hide resolved
ruby/ql/lib/codeql/ruby/security/InsecureDownloadQuery.qll Outdated Show resolved Hide resolved
ruby/ql/src/queries/security/cwe-094/CodeInjection.ql Outdated Show resolved Hide resolved
ruby/ql/src/queries/security/cwe-506/HardcodedDataInterpretedAsCode.ql Outdated Show resolved Hide resolved
ruby/ql/src/queries/security/cwe-611/Xxe.ql Outdated Show resolved Hide resolved
ruby/ql/src/queries/security/cwe-732/WeakFilePermissions.ql Outdated Show resolved Hide resolved
ruby/ql/src/queries/security/cwe-798/HardcodedCredentials.ql Outdated Show resolved Hide resolved
@alexrford
Copy link
Contributor Author

@hvitved thanks for the review - updated this branch.

hvitved
hvitved previously approved these changes Sep 13, 2023
View reviewed changes
@alexrford alexrford merged commit 79c305c into github:main Sep 13, 2023
19 of 21 checks passed
@alexrford alexrford deleted the rb/dataflow-query-refactor branch September 13, 2023 13:24
@alexrford alexrford mentioned this pull request Sep 20, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hvitved hvitved hvitved approved these changes

Assignees
No one assigned
Labels
documentation Ruby
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@alexrford @hvitved