Ruby: some improvements #10559
Merged
Ruby: some improvements #10559
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
aibaars
force-pushed
the
cve-2019-3881
branch
2 times, most recently
from
d34d30f to
fffa052
Compare
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
aibaars
force-pushed
the
cve-2019-3881
branch
from
fffa052 to
ecbf48f
Compare
aibaars
force-pushed
the
cve-2019-3881
branch
4 times, most recently
from
9648d1a to
34fc1cb
Compare
hvitved
reviewed
Sep 30, 2022
hvitved
reviewed
Oct 3, 2022
hvitved
force-pushed
the
cve-2019-3881
branch
2 times, most recently
from
940e48e to
2d9fa98
Compare
aibaars
commented
Oct 4, 2022
aibaars
commented
Oct 4, 2022
…'extend' calls This avoids non-linear recursion at the cost of losing some results.
There are two flavours of `match?`. If the receiver of `match?` has type String then the argument to `match?` is a regular expression. However, if the receiver of `match?` has type Regexp then the argument is the text. The role of receiver and argument flips depending on the type of the receiver, this caused a lot of false positives when looking for string-like literals that are used as a regular expression. This commit attempts to improve things by trying to determine whether the type of the receiver is known to be of type Regexp. In such cases we know that the argument is unlikely to be regular expression.
hvitved
approved these changes
Oct 4, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
I investigated a case where we didn't flag up a result for the rb/overly-permissive-file query .
This pull request implements the improvements needed to flag up that result, and makes the following changes:
The dataflow improvements caused a fairly large number of false positives on our test suite for the missing regex anchor and incomplete hostname regex queries. This was caused by misclassifying some string literals as regular expression due to confusing
Regexp#matchandString#match. Commit f93bc90 improves this and remove the false positive results.