CodeQL adds beta support for Ruby! #6922
Replies: 3 comments 6 replies
-
Hi! I'm getting a warning from Rule ID

```ruby
case params[:path]
when *%w[some safe redirection locations]
  path = params[:path]
  redirect_to(File.join(root_path, path))
end
```

CodeQL detects this as an issue because

Thanks!
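The allowlist-then-redirect pattern in the comment above, written so that the value handed to the redirect is the application's own allowlist entry rather than the user-supplied string. This is an added example, not code from the discussion or from CodeQL; `SAFE_REDIRECT_PATHS`, `safe_redirect_target` and `redirect_destination` are hypothetical names, and the allowlist contents are constructed.

```ruby
# Added example (not from the discussion). Redirect targets are chosen from
# a fixed allowlist; the value that reaches the redirect is the frozen
# allowlist literal, so user input never flows into the destination string.
SAFE_REDIRECT_PATHS = %w[dashboard settings profile].freeze   # constructed

# Returns the joined path for an allowed target, or nil for anything else
# (absolute URLs, traversal attempts, unknown names all fall through to nil).
def safe_redirect_target(root_path, user_path)
  return nil if user_path.nil?
  # Look the input up and keep the allowlist entry itself, not user_path.
  allowed = SAFE_REDIRECT_PATHS.find { |entry| entry == user_path }
  return nil unless allowed
  File.join(root_path, allowed)
end

# Controller-style helper: fall back to root_path when the input is not allowed.
def redirect_destination(root_path, params)
  safe_redirect_target(root_path, params[:path]) || root_path
end

if __FILE__ == $PROGRAM_NAME
  # constructed inputs
  [{ path: "dashboard" }, { path: "../../etc/passwd" }, { path: "https://example.invalid/" }, {}].each do |params|
    puts "#{params.inspect} -> #{redirect_destination('/app', params)}"
  end
end
```

Compared with the `case`/`when` splat in the comment, this version makes the barrier explicit in the data flow: `path` is never assigned from `params[:path]`, only from the allowlist.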
-
We're seeing a report for use of broken/weak cryptographic algorithm (MD5), used to auto-generate identicon avatars: The scanner is not just looking at the code we're modifying in the PR, and appears to be flagging hundreds of commits in the past half-day it's been running (based on the timeline from the link above). I dismissed it because it's not a cryptographically sensitive use and is longstanding code that is not being modified; I don't expect we'd want to alter everyone's identicon suddenly without warning by modifying the algorithm. I've dismissed the warning, perhaps that is enough to prevent it from retriggering on the next PR?
-
CodeQL support for Ruby is now generally available: https://github.blog/changelog/2022-11-09-codeql-code-scanning-launches-ruby-analysis-support-in-ga/
-
If you have been following the Universe 2021 announcement, you've already heard about it, but now it's official: We've launched beta Ruby support for CodeQL and GitHub code scanning 🚀!
What's in the box?
Ruby is the 10th most popular language within the open-source community. To help secure services and tools created with Ruby, this beta release spots many of the most common security issues including SQL injection, regular expression denial-of-service (ReDoS), multiple cross-site scripting attack vectors, command-line injection, and more.
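One of the issue classes listed above, command-line injection, shown as the vulnerable form next to a hardened one. This is an added example written for this page, not code from the announcement or from the CodeQL query suite; `ping_command_line_vulnerable`, `ping_argv`, `ping_shell_line_escaped` and `HOST_PATTERN` are hypothetical names, and the functions return the command rather than executing it so the example runs anywhere.

```ruby
# Added example (not from the announcement). Command-line injection in Ruby:
# user input spliced into a single shell command string versus an argv array.
require "shellwords"

# Strict allowlist pattern for a hostname (hypothetical; tighten for your case).
HOST_PATTERN = /\A[a-z0-9]([a-z0-9.-]{0,252}[a-z0-9])?\z/i

# Vulnerable: the attacker-controlled value becomes part of one shell command
# line (what system("ping -c 1 #{host}") would run), so shell metacharacters
# such as ';' or '|' in it change which commands execute.
def ping_command_line_vulnerable(host)
  "ping -c 1 #{host}"
end

# Hardened: validate the value against the allowlist pattern, then build an
# argv array. system(*argv) execs the program directly with no shell, so the
# host is always exactly one argument, whatever characters it contains.
def ping_argv(host)
  raise ArgumentError, "invalid host: #{host.inspect}" unless HOST_PATTERN.match?(host)
  ["ping", "-c", "1", host]
end

# If a shell really is required (pipes, redirects), escape each argument so
# metacharacters are passed literally.
def ping_shell_line_escaped(host)
  "ping -c 1 #{Shellwords.escape(host)}"
end

if __FILE__ == $PROGRAM_NAME
  hostile = "example.com; id"   # constructed input
  puts "vulnerable: #{ping_command_line_vulnerable(hostile)}"
  puts "escaped:    #{ping_shell_line_escaped(hostile)}"
  begin
    ping_argv(hostile)
  rescue ArgumentError => e
    puts "argv form rejected it: #{e.message}"
  end
  puts "argv form accepts: #{ping_argv('example.com').inspect}"
end
```

The argv form is the primary fix; the validation is defence in depth, and `Shellwords.escape` is only for the cases where a shell cannot be avoided.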
How do I enable it?
CodeQL for Ruby is available by default in GitHub.com code scanning, the CodeQL CLI, and the CodeQL extension for VS Code starting today. It will also be included in GitHub Enterprise Server 3.4. Ruby joins the list of supported CodeQL languages, which also includes C/C++, C#, Java, JavaScript/TypeScript, Python, and Go.
To start using the new Ruby analysis in code scanning, simply update your existing workflow file. Or if you’re new to code scanning, set up an analysis workflow from the Security tab in your repository.
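A minimal code scanning workflow that enables the Ruby analysis, added here as an example rather than taken from the announcement or from GitHub's generated template. The `github/codeql-action/init` and `analyze` actions and the `languages` input are the real ones; the `@v2`/`@v3` version tags, the branch name and the job name are assumptions to check against your own setup.

```yaml
# Added example workflow (.github/workflows/codeql.yml), not the page's own file.
name: "CodeQL"

on:
  push:
    branches: [main]        # assumed default branch
  pull_request:
    branches: [main]

jobs:
  analyze:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # needed to upload results to code scanning

    steps:
      - uses: actions/checkout@v3

      # Add "ruby" to the languages list; an existing workflow may already
      # list others, e.g. languages: javascript, ruby
      - uses: github/codeql-action/init@v2
        with:
          languages: ruby

      - uses: github/codeql-action/analyze@v2
```

For an existing workflow the only required change is adding `ruby` to the `languages` input of the `init` step.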
Want to contribute or write your own CodeQL queries for Ruby? This guide will help you get started.
How can I give feedback?
If you run into any problems or have a question about the Ruby/CodeQL beta (setup, alerts, etc.), please respond to this thread. Please supply as much detail as you can about the issue you encountered, as well as information to reproduce if available. If you don't feel comfortable posting in this public discussion, please open a support ticket.
We also encourage you to use the CodeQL Discussions forum for any questions related to running or writing CodeQL.