- CodeQL package management is now generally available, and all GitHub-produced CodeQL packages have had their version numbers increased to 1.0.0.
- Additional heuristics for a new sensitive data classification for private information (e.g. credit card numbers) have been added to the shared
SensitiveDataHeuristics.qlllibrary. This may result in additional results for queries that use sensitive data such asrb/sensitive-get-query.
No user-facing changes.
- Deleted the deprecated
RegExpPatternsmodule fromRegexp.qll. - Deleted the deprecated
security/cwe-020/HostnameRegexpShared.qllfile.
No user-facing changes.
- Data flow is now tracked through
ActiveRecordscopes. - Modeled instances of
ActionDispatch::Http::UploadedFilethat can be obtained from element reads ofActionController::Parameters, with calls tooriginal_filename,content_type, andreadnow propagating taint from their receiver. - The second argument,
subquery_name, of theActiveRecord::QueryMethods::frommethod, is now recognized as an sql injection sink. - Calls to
Typhoeus::Request.neware now considered as instances of theHttp::Client::Requestconcept, with the response body being treated as a remote flow source. - New command injection sinks have been added, including
Process.spawn,Process.exec,Terrapin::CommandLineand theopen4gem.
No user-facing changes.
No user-facing changes.
- Calls to
I18n.translateas well as Rails helper translate methods now propagate taint from their keyword arguments. The Rails translate methods are also recognized as XSS sanitizers when using keys marked as html safe. - Calls to
Arel::Nodes::SqlLiteral.neware now modeled as instances of theSqlConstructionconcept, as well as propagating taint from their argument. - Additional arguments beyond the first of calls to the
ActiveRecordmethodsselect,reselect,order,reorder,joins,group, andpluckare now recognized as sql injection sinks. - Calls to several methods of
ActiveRecord::Connection, such asActiveRecord::Connection#exec_query, are now recognized as SQL executions, including those via subclasses.
- Raw output ERB tags of the form
<%== ... %>are now recognised as cross-site scripting sinks. - The name "certification" is no longer seen as possibly being a certificate, and will therefore no longer be flagged in queries like "clear-text-logging" which look for sensitive data.
- Flow is now tracked through Rails
rendercalls, when the argument is aViewComponent. In this case, data flow is tracked into the accompanying.html.erbfile.
- Deleted many deprecated predicates and classes with uppercase
HTTP,CSRFetc. in their names. Use the PascalCased versions instead. - Deleted the deprecated
getAUseandgetARhspredicates fromAPI::Node, usegetASourceandgetASinkinstead. - Deleted the deprecated
disablesCertificateValidationpredicate from theHttpmodule. - Deleted the deprecated
ParamsCall,CookiesCall, andActionControllerControllerClassclasses fromActionController.qll, use the simarly named classes fromcodeql.ruby.frameworks.Rails::Railsinstead. - Deleted the deprecated
HtmlSafeCall,HtmlEscapeCall,RenderCall, andRenderToCallclasses fromActionView.qll, use the simarly named classes fromcodeql.ruby.frameworks.Rails::Railsinstead. - Deleted the deprecated
HtmlSafeCallclass fromRails.qll. - Deleted the deprecated
codeql/ruby/security/BadTagFilterQuery.qll,codeql/ruby/security/OverlyLargeRangeQuery.qll,codeql/ruby/security/regexp/ExponentialBackTracking.qll,codeql/ruby/security/regexp/NfaUtils.qll,codeql/ruby/security/regexp/RegexpMatching.qll, andcodeql/ruby/security/regexp/SuperlinearBackTracking.qllfiles. - Deleted the deprecated
localSourceStoreSteppredicate fromTypeTracker.qll, useflowsToStoreStepinstead. - The diagnostic query
rb/diagnostics/successfully-extracted-files, and therefore the Code Scanning UI measure of scanned Ruby files, now considers any Ruby file seen during extraction, even one with some errors, to be extracted / scanned.
- Parsing of division operators (
/) at the end of a line has been improved. Before they were wrongly interpreted as the start of a regular expression literal (/.../) leading to syntax errors. - Parsing of
casestatements that are formatted with the value expression on a different line than thecasekeyword has been improved and should no longer lead to syntax errors. - Ruby now makes use of the shared type tracking library, exposed as
codeql.ruby.typetracking.TypeTracking. The existing type tracking library,codeql.ruby.typetracking.TypeTracker, has consequently been deprecated.
No user-facing changes.
- Improved modeling for
ActiveRecordsupdate_allmethod
No user-facing changes.
No user-facing changes.
- Deleted the deprecated
isBarrierGuardpredicate from the dataflow library and its uses, useisBarrierand theBarrierGuardmodule instead. - Deleted the deprecated
isWeakpredicate from theCryptographicOperationclass. - Deleted the deprecated
getStringOrSymbolandisStringOrSymbolpredicates from theConstantValueclass. - Deleted the deprecated
getAPIfrom theIOOrFileMethodCallclass. - Deleted the deprecated
codeql.ruby.security.performancefolder, usecodeql.ruby.security.regexpinstead. - GraphQL enums are no longer considered remote flow sources.
- Improved support for flow through captured variables that properly adheres to inter-procedural control flow.
No user-facing changes.
No user-facing changes.
- Flow between positional arguments and splat parameters (
*args) is now tracked more precisely. - Flow between splat arguments (
*args) and positional parameters is now tracked more precisely.
No user-facing changes.
- The
DataFlow::StateConfigSigsignature module has gained default implementations forisBarrier/2andisAdditionalFlowStep/4. Hence it is no longer needed to providenone()implementations of these predicates if they are not needed.
- The API graph library (
codeql.ruby.ApiGraphs) has been significantly improved, with better support for inheritance, and data-flow nodes can now be converted to API nodes by calling.track()or.backtrack()on the node. API graphs allow for efficient modelling of how a given value is used by the code base, or how values produced by the code base are consumed by a library. See the documentation forAPI::Nodefor details and examples.
- Data flow configurations can now include a predicate
neverSkip(Node node)in order to ensure inclusion of certain nodes in the path explanations. The predicate defaults to the end-points of the additional flow steps provided in the configuration, which means that such steps now always are visible by default in path explanations. - The
'QUERY_STRING'field of a Rackenvparameter is now recognized as a source of remote user input. - Query parameters and cookies from
Rack::Responseobjects are recognized as potential sources of remote flow input. - Calls to
Rack::Utils.parse_querynow propagate taint.
- The
Configurationtaint flow configuration class fromcodeql.ruby.security.InsecureDownloadQueryhas been deprecated. Use theFlowmodule instead.
- More kinds of rack applications are now recognized.
- Rack::Response instances are now recognized as potential responses from rack applications.
- HTTP redirect responses from Rack applications are now recognized as a potential sink for open redirect alerts.
- Additional sinks for
rb/unsafe-deserializationhave been added. This includes various methods from theyamlandplistgems, which deserialize YAML and Property List data, respectively.
No user-facing changes.
- Deleted many deprecated predicates and classes with uppercase
URL,XSS, etc. in their names. Use the PascalCased versions instead. - Deleted the deprecated
getValueTextpredicate from theExpr,StringComponent, andExprCfgNodeclasses. UsegetConstantValueinstead. - Deleted the deprecated
VariableReferencePatternclass, useReferencePatterninstead. - Deleted all deprecated aliases in
StandardLibrary.qll, usecodeql.ruby.frameworks.Coreandcodeql.ruby.frameworks.Stdlibinstead. - Support for the
sequelgem has been added. Method calls that execute queries against a database that may be vulnerable to injection attacks will now be recognized. - Support for the
mysql2gem has been added. Method calls that execute queries against an MySQL database that may be vulnerable to injection attacks will now be recognized. - Support for the
pggem has been added. Method calls that execute queries against a PostgreSQL database that may be vulnerable to injection attacks will now be recognized.
- Support for the
sqlite3gem has been added. Method calls that execute queries against an SQLite3 database that may be vulnerable to injection attacks will now be recognized.
No user-facing changes.
- The recently introduced new data flow and taint tracking APIs have had a number of module and predicate renamings. The old APIs remain in place for now.
- Control flow graph: the evaluation order of scope expressions and receivers in multiple assignments has been adjusted to match the changes made in Ruby 3.1 and 3.2.
- The clear-text storage (
rb/clear-text-storage-sensitive-data) and logging (rb/clear-text-logging-sensitive-data) queries now use built-in flow through hashes, for improved precision. This may result in both new true positives and less false positives. - Accesses of
paramsin Sinatra applications are now recognized as HTTP input accesses. - Data flow is tracked from Sinatra route handlers to ERB files.
- Data flow is tracked between basic Sinatra filters (those without URL patterns) and their corresponding route handlers.
- Fixed some accidental predicate visibility in the backwards-compatible wrapper for data flow configurations. In particular
DataFlow::hasFlowPath,DataFlow::hasFlow,DataFlow::hasFlowTo, andDataFlow::hasFlowToExprwere accidentally exposed in a single version.
No user-facing changes.
- Added support for merging two
PathGraphs via disjoint union to allow results from multiple data flow computations in a singlepath-problemquery.
- The main data flow and taint tracking APIs have been changed. The old APIs remain in place for now and translate to the new through a backwards-compatible wrapper. If multiple configurations are in scope simultaneously, then this may affect results slightly. The new API is quite similar to the old, but makes use of a configuration module instead of a configuration class.
- Data flow through
initializemethods is now taken into account also when the receiver of anewcall is an (implicit or explicit)self. - The Active Record query methods
reorderandcount_by_sqlare now recognized as SQL executions. - Calls to
ActiveRecord::Connection#execute, including those via subclasses, are now recognized as SQL executions. - Data flow through
ActionController::Parameters#requireis now tracked properly. - The severity of parse errors was reduced to warning (previously error).
- Deleted the deprecated
getQualifiedNamepredicate from theConstantWriteAccessclass. - Deleted the deprecated
getWhenBranchandgetAWhenBranchpredicates from theCaseExprclass. - Deleted the deprecated
Self,PatternParameter,Pattern,VariablePattern,TuplePattern, andTuplePatternParameterclasses.
- Flow is now tracked between ActionController
before_filterandafter_filtercallbacks and their associated action methods. - Calls to
ApplicationController#renderandApplicationController::Renderer#renderare recognized as Rails rendering calls. - Support for Twirp framework.
- Ruby 3.1: one-line pattern matches are now supported. The AST nodes are named
TestPattern(expr in pattern) andMatchPattern(expr => pattern).
- Data flowing from the
localsargument of a Railsrendercall is now tracked to uses of that data in an associated view. - Access to headers stored in the
envof Rack requests is now recognized as a source of remote input. - Ruby 3.2: anonymous rest and keyword rest arguments can now be passed as arguments, instead of just used in method parameters.
No user-facing changes.
- Flow through
initializeconstructors is now taken into account. For example, inthere will be flow fromclass C def initialize(x) @field = x end end C.new(y)
yto the field@fieldon the constructedCobject.
- Calls to
Kernel.load,Kernel.require,Kernel.autoloadare now modeled as sinks for path injection. - Calls to
mailandinbound_mailinActionMailboxcontrollers are now considered sources of remote input. - Calls to
GlobalID::Locator.locateand its variants are now recognized as instances ofOrmInstantiation. - Data flow through the
ActiveSupportextensionsEnumerable#index_with,Enumerable#pick,Enumerable#pluckandEnumerable#soleare now modeled. - When resolving a method call, the analysis now also searches in sub-classes of the receiver's type.
- Taint flow is now tracked through many common JSON parsing and generation methods.
- The ReDoS libraries in
codeql.ruby.security.regexphas been moved to a shared pack inside theshared/folder, and the previous location has been deprecated. - String literals and arrays of string literals in case expression patterns are now recognised as barrier guards.
No user-facing changes.
No user-facing changes.
- Data flow through the
ActiveSupportextensionEnumerable#index_byis now modeled. - The
codeql.ruby.Conceptslibrary now has aSqlConstructionclass, in addition to the existingSqlExecutionclass. - Calls to
Arel.sqlare now modeled as instances of the newSqlConstructionconcept. - Arguments to RPC endpoints (public methods) on subclasses of
ActionCable::Channel::Baseare now recognized as sources of remote user input. - Taint flow through the
ActiveSupportextensionsHash#reverse_mergeandHash:reverse_merge!, and their aliases, is now modeled more generally, where previously it was only modeled in the context ofActionControllerparameters. - Calls to
loggerinActiveSupportactions are now recognised as logger instances. - Calls to
send_datainActiveSupportactions are recognised as HTTP responses. - Calls to
body_streaminActiveSupportactions are recognised as HTTP request accesses. - The
ActiveSupportextensionsObject#tryandObject#try!are now recognised as code executions.
- There was a bug in
TaintTracking::localTaintandTaintTracking::localTaintStepsuch that they only tracked non-value-preserving flow steps. They have been fixed and now also include value-preserving steps. - Instantiations using
Faraday::Connection.neware now recognized as part ofFaradayHttpRequests, meaning they will be considered as sinks for queries such asrb/request-forgery. - Taint flow is now tracked through extension methods on
Hash,StringandObjectprovided byActiveSupport.
- The hashing algorithms from
DigestandOpenSSL::Digestare now recognized and can be flagged by therb/weak-cryptographic-algorithmquery. - More sources of remote input arising from methods on
ActionDispatch::Requestare now recognized. - The response value returned by the
Faraday#run_requestmethod is now also considered a source of remote input. ActiveJob::Serializers.deserializeis considered to be a code execution sink.- Calls to
paramsinActionMailerclasses are now treated as sources of remote user input. - Taint flow through
ActionController::Parametersis tracked more accurately.
- The following classes have been moved from
codeql.ruby.frameworks.ActionControllertocodeql.ruby.frameworks.Rails:ParamsCall, now accessed asRails::ParamsCall.CookieCall, now accessed asRails::CookieCall.
- The following classes have been moved from
codeql.ruby.frameworks.ActionViewtocodeql.ruby.frameworks.Rails:HtmlSafeCall, now accessed asRails::HtmlSafeCall.HtmlEscapeCall, now accessed asRails::HtmlEscapeCall.RenderCall, now accessed asRails::RenderCall.RenderToCall, now accessed asRails::RenderToCall.
- Subclasses of
ActionController::Metalare now recognised as controllers. ActionController::DataStreaming::send_fileis now recognized as aFileSystemAccess.- Various XSS sinks in the ActionView library are now recognized.
- Calls to
ActiveRecord::Base.createare now recognized as model instantiations. - Various code executions, command executions and HTTP requests in the ActiveStorage library are now recognized.
MethodBasenow has two new predicates related to visibility:isPublicandisProtected. These hold, respectively, if the method is public or protected.
import rubyno longer brings the standard Ruby AST library into scope; it instead brings a moduleAstinto scope, which must be imported. Alternatively, it is also possible to importcodeql.ruby.AST.- Changed the
HTTP::Client::Requestconcept from usingMethodCallas base class, to usingDataFlow::Nodeas base class. Any class that extendsHTTP::Client::Request::Rangemust be changed, but if you only use the member predicates ofHTTP::Client::Request, no changes are required.
- Some classes/modules with upper-case acronyms in their name have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- Uses of
ActionView::FileSystemResolverare now recognized as filesystem accesses. - Accesses of ActiveResource models are now recognized as HTTP requests.
- Fixed an issue in the taint tracking analysis where implicit reads were not allowed by default in sinks or additional taint steps that used flow states.
- The utility files previously in the
codeql.ruby.security.performancepackage have been moved to thecodeql.ruby.security.regexppackage.
The previous files still exist as deprecated aliases.
- Most deprecated predicates/classes/modules that have been deprecated for over a year have been deleted.
- Calls to
renderin Rails controllers and views are now recognized as HTTP response bodies.
- Calls to methods generated by ActiveRecord associations are now recognised as
instantiations of ActiveRecord objects. This increases the sensitivity of
queries such as
rb/sql-injectionandrb/stored-xss. - Calls to
ActiveRecord::Base.createandActiveRecord::Base.updateare now recognised as write accesses. - Arguments to
Mime::Type#match?andMime::Type#=~are now recognised as regular expression sources.
- Calls to
Arel.sqlare now recognised as propagating taint from their argument. - Calls to
ActiveRecord::Relation#annotateare now recognized asSqlExecutions so that it will be considered as a sink for queries like rb/sql-injection.
- Fixed a bug causing every expression in the database to be considered a system-command execution sink when calls to any of the following methods exist:
- The
spawn,fspawn,popen4,pspawn,system,_pspawnmethods and the backtick operator from thePOSIX::spawngem. - The
execute_command,rake,rails_command, andgitmethods inRails::Generation::Actions.
- The
- Improved modeling of sensitive data sources, so common words like
certainandsecretaryare no longer considered a certificate and a secret (respectively).
- The
BarrierGuardclass has been deprecated. Such barriers and sanitizers can now instead be created using the newBarrierGuardparameterized module.
- Calls to
Zip::File.openandZip::File.newhave been added asFileSystemAccesssinks. As a result queries likerb/path-injectionnow flag up cases where users may access arbitrary archive files.
- Added data-flow support for hashes.
- Support for data flow through instance variables has been added.
- Support of the safe navigation operator (
&.) has been added; there is a new predicateMethodCall.isSafeNavigation().
- The Tree-sitter Ruby grammar has been updated; this fixes several issues where Ruby code was parsed incorrectly.
- The signature of
allowImplicitReadonDataFlow::ConfigurationandTaintTracking::Configurationhas changed fromallowImplicitRead(DataFlow::Node node, DataFlow::Content c)toallowImplicitRead(DataFlow::Node node, DataFlow::ContentSet c).
- The recently added flow-state versions of
isBarrierIn,isBarrierOut,isSanitizerIn, andisSanitizerOutin the data flow and taint tracking libraries have been removed. - The
getURLmember-predicates of theHTTP::Client::RequestandHTTP::Client::Request::Rangeclasses fromConcepts.qllhave been renamed togetAUrlPart.
ConstantValue::getStringOrSymbolandConstantValue::isStringOrSymbol, which return/hold for all string-like values (strings, symbols, and regular expressions), have been renamed toConstantValue::getStringlikeValueandConstantValue::isStringlikeValue, respectively. The old names have been marked asdeprecated.
- Whereas
ConstantValue::getString()previously returned both string and regular-expression values, it now returns only string values. The same applies toConstantValue::isString(value). - Regular-expression values can now be accessed with the new predicates
ConstantValue::getRegExp(),ConstantValue::isRegExp(value), andConstantValue::isRegExpWithFlags(value, flags). - The
ParseRegExpandRegExpTreeViewmodules are now "internal" modules. Users should usecodeql.ruby.Regexpinstead.
- The flow state variants of
isBarrierandisAdditionalFlowStepare no longer exposed in the taint tracking library. TheisSanitizerandisAdditionalTaintSteppredicates should be used instead.
- Many classes/predicates/modules that had upper-case acronyms have been renamed to follow our style-guide. The old name still exists as a deprecated alias.
- The data flow and taint tracking libraries have been extended with versions of
isBarrierIn,isBarrierOut, andisBarrierGuard, respectivelyisSanitizerIn,isSanitizerOut, andisSanitizerGuard, that support flow states.
getConstantValue()now returns the contents of strings and symbols after escape sequences have been interpreted. For example, for the Ruby string literal"\n",getConstantValue().getString()previously returned a QL string with two characters, a backslash followed byn; now it returns the single-character string "\n" (U+000A, known as newline).getConstantValue().getInt()previously returned incorrect values for integers larger than 231-1 (the largest value that can be represented by the QLinttype). It now returns no result in those cases.- Added
OrmWriteAccessconcept to model data written to a database using an object-relational mapping (ORM) library.
- The
Regexclass is now an abstract class that extendsStringlikeLiteralwith implementations forRegExpLiteraland string literals that 'flow' into functions that are known to interpret string arguments as regular expressions such asRegex.newandString.match. - The regular expression parser now groups sequences of normal characters. This reduces the number of instances of
RegExpNormalChar.
- Added
FileSystemWriteAccessconcept to model data written to the filesystem.
ConstantWriteAccess.getQualifiedName()has been deprecated in favor ofgetAQualifiedName()which can return multiple possible qualified names for a given constant write access.
- A new library,
Customizations.qll, has been added, which allows for global customizations that affect all queries.