- The query `rb/useless-assignment-to-local` now comes with query help and has been tweaked to produce fewer false positives.
- The query `rb/uninitialized-local-variable` now only produces alerts when the variable is the receiver of a method call and should produce very few false positives. It also now comes with a help file.
No user-facing changes.
- The `rb/diagnostics/extraction-errors` diagnostic query has been split into `rb/diagnostics/extraction-errors` and `rb/diagnostics/extraction-warnings`, counting extraction errors and warnings respectively.
No user-facing changes.
- Added a new query, `rb/weak-sensitive-data-hashing`, to detect cases where sensitive data is hashed using a weak cryptographic hashing algorithm.
No user-facing changes.
- CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
No user-facing changes.
- Added a new query, `rb/insecure-mass-assignment`, for finding instances of mass assignment operations accepting arbitrary parameters from remote user input.
- Added a new query, `rb/csrf-protection-not-enabled`, to detect cases where Cross-Site Request Forgery protection is not enabled in Ruby on Rails controllers.
No user-facing changes.
- Calls to `Object#method`, `Object#public_method` and `Object#singleton_method` with untrusted data are now recognised as sinks for code injection.
- Added additional request sources for Ruby on Rails.
No user-facing changes.
- Added a new experimental query, `rb/insecure-randomness`, to detect when an application uses random values that are not cryptographically secure.
- Added new unsafe deserialization sinks for the ox gem.
- Added an additional unsafe deserialization sink for the oj gem.
No user-facing changes.
- Added a new experimental query, `rb/jwt-empty-secret-or-algorithm`, to detect when an application uses an empty secret or a weak algorithm.
- Added a new experimental query, `rb/jwt-missing-verification`, to detect when the application does not verify a JWT payload.
- Built-in Ruby queries now use the new DataFlow API.
No user-facing changes.
- Added a new experimental query, `rb/improper-ldap-auth`, to detect cases where user input is used during LDAP authentication without proper validation or sanitization, potentially leading to authentication bypass.
No user-facing changes.
- Added a new experimental query, `rb/ldap-injection`, to detect cases where user input is incorporated into LDAP queries without proper validation or sanitization, potentially leading to LDAP injection vulnerabilities.
- Added a new experimental query, `rb/xpath-injection`, to detect cases where XPath statements are constructed from user input in an unsafe manner.
- Improved resolution of calls performed on an object created with `Proc.new`.
- Fixed a bug in how `map_filter` calls are analyzed. Previously, such calls would appear to return the receiver of the call, but now the return value of the callback is properly taken into account.
- The experimental query "Arbitrary file write during zipfile/tarfile extraction" (`ruby/zipslip`) has been renamed to "Arbitrary file access during archive extraction ("Zip Slip")."
No user-facing changes.
- Fixed a bug that would occur when an `initialize` method returns `self` or one of its parameters. In such cases, the corresponding calls to `new` would be associated with an incorrect return type. This could result in inaccurate call target resolution and cause false positive alerts.
- Fixed an issue where calls to `delete` or `assoc` with a constant-valued argument would be analyzed imprecisely, as if the argument value was not a known constant.
No user-facing changes.
- Added a new experimental query, `rb/server-side-template-injection`, to detect cases where user input may be embedded into a template's code in an unsafe manner.
- `rb/sensitive-get-query` no longer reports flow paths from input parameters to sensitive use nodes. This avoids generating an excessive number of flow paths for a single parameter.
- Added a new query, `rb/zip-slip`, to detect arbitrary file writes during extraction of zip/tar archives.
No user-facing changes.
- Added a new query, `rb/regex/badly-anchored-regexp`, to detect regular expression validators that use `^` and `$` as anchors and therefore might match only a single line of a multi-line string.
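The anchoring problem this query targets, shown as an added Ruby example (not code from the changelog or the CodeQL project): in Ruby `^` and `$` match at line boundaries, so a validator built from them accepts a value that smuggles extra content after a newline, while `\A` and `\z` anchor the whole string. The constants and helper names below are illustrative.

```ruby
# Added example: why ^ and $ are weak anchors for input validation in Ruby.
# In Ruby, ^ and $ ALWAYS match at line boundaries (there is no "multiline
# mode" switch), so a "whole-value" check written with them only inspects
# the first line of a multi-line string.

LINE_ANCHORED   = /^[a-z0-9]+$/    # the pattern rb/regex/badly-anchored-regexp flags
STRING_ANCHORED = /\A[a-z0-9]+\z/  # anchors start and absolute end of string
CAPITAL_Z       = /\A[a-z0-9]+\Z/  # \Z still permits one trailing newline

def valid_with_line_anchors?(value)
  !!(value =~ LINE_ANCHORED)
end

def valid_with_string_anchors?(value)
  !!(value =~ STRING_ANCHORED)
end

def valid_with_capital_z?(value)
  !!(value =~ CAPITAL_Z)
end

# Constructed inputs: a benign token and one that hides a second line.
BENIGN    = "abc123"
MULTILINE = "abc123\nnot-allowed!"

if __FILE__ == $PROGRAM_NAME
  puts "line-anchored accepts multi-line: #{valid_with_line_anchors?(MULTILINE)}"     # true (bypass)
  puts "string-anchored accepts multi-line: #{valid_with_string_anchors?(MULTILINE)}" # false
  puts "\\Z accepts trailing newline: #{valid_with_capital_z?("abc123\n")}"           # true
end
```

The `\Z` case is a second, subtler variant of the same mistake: prefer `\z` when a trailing newline must also be rejected.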
- The `rb/polynomial-redos` query now considers the entrypoints of the API of a gem as sources.
- Added a new query, `rb/html-constructed-from-input`, to detect libraries that unsafely construct HTML from their inputs.
- Added a new query, `rb/unsafe-code-construction`, to detect libraries that unsafely construct code from their inputs.
- The `rb/unsafe-deserialization` query now recognizes input from STDIN as a source.
- Added a new query, `rb/stack-trace-exposure`, to detect exposure of stack traces to users via HTTP responses.
- The `AlertSuppression.ql` query has been updated to support the new `# codeql[query-id]` suppression comments. These comments can be used to suppress an alert and must be placed on a blank line before the alert. In addition, the legacy `# lgtm` and `# lgtm[query-id]` comments can now also be placed on the line before an alert.
- Extended the `rb/kernel-open` query with the following sinks: `IO.write`, `IO.binread`, `IO.binwrite`, `IO.foreach`, `IO.readlines`, and `URI.open`.
No user-facing changes.
- Added a new query, `rb/shell-command-constructed-from-input`, to detect libraries that unsafely construct shell commands from their inputs.
- The `rb/sql-injection` query now considers SQL constructions, such as calls to `Arel.sql`, as sinks.
- The `rb/weak-cryptographic-algorithm` query has been updated to no longer report uses of hash functions such as `MD5` and `SHA1`, even though they are known to be weak. These hash algorithms are used very often in non-sensitive contexts, making the query too imprecise in practice.
- Added a new query, `rb/non-constant-kernel-open`, to detect uses of `Kernel.open` and related methods with non-constant values.
- Added a new query, `rb/sensitive-get-query`, to detect cases where sensitive data is read from the query parameters of an HTTP `GET` request.
- HTTP response header and body writes via `ActionDispatch::Response` are now recognized.
- The `rb/path-injection` query now treats the `file:` argument of the Rails `render` method as a sink.
- The alert messages of many queries were changed to better follow the style guide and make the messages consistent with other languages.
- The `rb/xxe` query has been updated to add the following sinks for XML external entity expansion:
  - Calls to parse XML using `LibXML` when its `default_substitute_entities` option is enabled.
  - Uses of the Rails methods `ActiveSupport::XmlMini.parse`, `Hash.from_xml`, and `Hash.from_trusted_xml` when `ActiveSupport::XmlMini` is configured to use `LibXML` as its backend, and its `default_substitute_entities` option is enabled.
- Added a new query, `rb/hardcoded-data-interpreted-as-code`, to detect cases where hardcoded data is executed as code, a technique associated with backdoors.
- The `rb/unsafe-deserialization` query now includes alerts for user-controlled data passed to `Hash.from_trusted_xml`, since that method can deserialize YAML embedded in the XML, which in turn can result in deserialization of arbitrary objects.
- The alert messages of many queries have been changed to make the messages consistent with other languages.
- Added a new query, `rb/log-injection`, to detect cases where a malicious user may be able to forge log entries.
- Added a new query, `rb/incomplete-multi-character-sanitization`. The query finds string transformations that do not replace all occurrences of a multi-character substring.
- Added a new query, `rb/suspicious-regexp-range`, to detect character ranges in regular expressions that seem to match too many characters.
- Added a new experimental query, `rb/manually-checking-http-verb`, to detect cases when the HTTP verb for an incoming request is checked and then used as part of control flow.
- Added a new experimental query, `rb/weak-params`, to detect cases when the Rails strong parameters pattern isn't followed and values flow into persistent store writes.
- Contextual queries and the query libraries they depend on have been moved to the `codeql/ruby-all` package.
- Added a new query, `rb/improper-memoization`. The query finds cases where the parameter of a memoization method is not used in the memoization key.
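The defect `rb/improper-memoization` looks for, as an added Ruby example (not code from the changelog or the CodeQL project): the first call's result is cached in an instance variable that ignores the parameter, so every later call with a different argument silently gets the stale value. The `RateTable` class and its currency table are constructed for illustration.

```ruby
# Added example: memoization that drops the method parameter from its key.

class RateTable
  attr_reader :lookups

  def initialize
    @lookups = 0
  end

  # Stand-in for an expensive lookup; counts how often it really runs.
  def compute(currency)
    @lookups += 1
    { "USD" => 1.0, "EUR" => 0.9, "GBP" => 0.8 }.fetch(currency)
  end

  # Improper: @rate is keyed by nothing, so the currency argument is ignored
  # after the first call. This is the shape rb/improper-memoization reports.
  def rate_buggy(currency)
    @rate ||= compute(currency)
  end

  # Fixed: the parameter is part of the cache key. Hash#fetch with a block
  # also caches correctly when the computed value is nil or false, which a
  # plain `@rates[currency] ||=` would recompute every time.
  def rate_fixed(currency)
    @rates ||= {}
    @rates.fetch(currency) { |c| @rates[c] = compute(c) }
  end
end

if __FILE__ == $PROGRAM_NAME
  t = RateTable.new
  puts "buggy: USD=#{t.rate_buggy('USD')} EUR=#{t.rate_buggy('EUR')} (lookups=#{t.lookups})"
  u = RateTable.new
  puts "fixed: USD=#{u.rate_fixed('USD')} EUR=#{u.rate_fixed('EUR')} (lookups=#{u.lookups})"
end
```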
- The query "Use of a broken or weak cryptographic algorithm" (`rb/weak-cryptographic-algorithm`) now reports if a cryptographic operation is potentially insecure due to use of a weak block mode.
- Added a new query, `rb/insecure-download`. The query finds cases where executables and other sensitive files are downloaded over an insecure connection, which may allow for man-in-the-middle attacks.
- Added a new query, `rb/regex/missing-regexp-anchor`, which finds regular expressions which are improperly anchored. Validations using such expressions are at risk of being bypassed.
- Added a new query, `rb/incomplete-sanitization`. The query finds string transformations that do not replace or escape all occurrences of a meta-character.
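The two incomplete-sanitization patterns described on this page, `rb/incomplete-sanitization` (a single meta-character handled with `sub`, which only touches the first occurrence) and `rb/incomplete-multi-character-sanitization` (a single `gsub` pass over a multi-character substring, whose removal can splice a fresh occurrence together from the leftovers), shown as one added Ruby example beside fixed versions. This is illustrative code, not the changelog's or the CodeQL project's; the helper names and sample inputs are constructed.

```ruby
# Added example: two ways a string "sanitizer" can leave occurrences behind.

# Single meta-character: String#sub replaces only the FIRST occurrence, so a
# second quote survives unescaped. rb/incomplete-sanitization flags this.
def escape_quotes_first_only(s)
  s.sub("'") { "\\'" }   # block form so the backslash is inserted literally
end

# Fixed: String#gsub replaces every occurrence.
def escape_quotes_all(s)
  s.gsub("'") { "\\'" }
end

# Multi-character substring: one pass removes each "../" once, but deleting an
# occurrence can join the characters around it into a new "../".
# rb/incomplete-multi-character-sanitization flags this.
def strip_dotdot_once(path)
  path.gsub("../", "")
end

# Fixed: repeat until the string stops changing (a fixed point), so nothing
# can be reassembled from what the previous pass left behind. Rejecting such
# input outright is the stricter alternative.
def strip_dotdot_fully(path)
  loop do
    stripped = path.gsub("../", "")
    return stripped if stripped == path
    path = stripped
  end
end

# Constructed sample inputs.
QUOTED  = "O'Brien's"
SPLICED = "..././config.yml"   # removing the middle "../" leaves "../config.yml"

if __FILE__ == $PROGRAM_NAME
  puts escape_quotes_first_only(QUOTED)   # O\'Brien's   (second quote missed)
  puts escape_quotes_all(QUOTED)          # O\'Brien\'s
  puts strip_dotdot_once(SPLICED)         # ../config.yml (still a traversal)
  puts strip_dotdot_fully(SPLICED)        # config.yml
end
```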
- Added a new query, `rb/insecure-dependency`. The query finds cases where Ruby gems may be downloaded over an insecure communication channel.
- Added a new query, `rb/weak-cryptographic-algorithm`. The query finds uses of cryptographic algorithms that are known to be weak, such as DES.
- Added a new query, `rb/http-tainted-format-string`. The query finds cases where data from remote user input is used in a string formatting method in a way that allows arbitrary format specifiers to be inserted.
- Added a new query, `rb/http-to-file-access`. The query finds cases where data from remote user input is written to a file.
- Added a new query, `rb/incomplete-url-substring-sanitization`. The query finds instances where a URL is incompletely sanitized due to insufficient checks.
- Added a new query, `rb/clear-text-storage-sensitive-data`. The query finds cases where sensitive information, such as user credentials, is stored as cleartext.
- Added a new query, `rb/incomplete-hostname-regexp`. The query finds instances where a hostname is incompletely sanitized due to an unescaped character in a regular expression.
- Added a new query, `rb/clear-text-logging-sensitive-data`. The query finds cases where sensitive information, such as user credentials, is logged as cleartext.
- Added a new query, `rb/weak-cookie-configuration`. The query finds cases where cookie configuration options are set to values that may make an application more vulnerable to certain attacks.
- The query `rb/csrf-protection-disabled` has been extended to find calls to the Rails method `protect_from_forgery` that may weaken CSRF protection.
- A new query (`rb/request-forgery`) has been added. The query finds HTTP requests made with user-controlled URLs.
- A new query (`rb/csrf-protection-disabled`) has been added. The query finds cases where cross-site request forgery protection is explicitly disabled.
- The precision of "Hard-coded credentials" (`rb/hardcoded-credentials`) has been decreased from "high" to "medium". This query will no longer be run and displayed by default on Code Scanning and LGTM.