hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-26 17:25:19 +02:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'main' into experimental-decompression-api

Browse Source
This commit is contained in:
thiggy1342
2022-06-16 17:23:55 -04:00
committed by GitHub
parent 6416b8ddb9 e95194ce67
commit 01cb408393
38 changed files with 1153 additions and 123 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ruby/ql/lib/change-notes/released/0.2.3.md Normal file
View File

@@ -0,0 +1,5 @@
## 0.2.3
### Minor Analysis Improvements
- Calls to `Zip::File.open` and `Zip::File.new` have been added as `FileSystemAccess` sinks. As a result queries like `rb/path-injection` now flag up cases where users may access arbitrary archive files.

36
ruby/ql/lib/codeql/ruby/ApiGraphs.qll
View File

@@ -780,6 +780,24 @@ module API {
or
pos.isBlock() and
result = Label::blockParameter()
or
pos.isAny() and
(
result = Label::parameter(_)
or
result = Label::keywordParameter(_)
or
result = Label::blockParameter()
// NOTE: `self` should NOT be included, as described in the QLDoc for `isAny()`
)
or
pos.isAnyNamed() and
result = Label::keywordParameter(_)
//
// Note: there is currently no API graph label for `self`.
// It was omitted since in practice it means going back to where you came from.
// For example, `base.getMethod("foo").getSelf()` would just be `base`.
// However, it's possible we'll need it later, for identifying `self` parameters or post-update nodes.
}
/** Gets the API graph label corresponding to the given parameter position. */
@@ -796,6 +814,24 @@ module API {
or
pos.isBlock() and
result = Label::blockParameter()
or
pos.isAny() and
(
result = Label::parameter(_)
or
result = Label::keywordParameter(_)
or
result = Label::blockParameter()
// NOTE: `self` should NOT be included, as described in the QLDoc for `isAny()`
)
or
pos.isAnyNamed() and
result = Label::keywordParameter(_)
//
// Note: there is currently no API graph label for `self`.
// It was omitted since in practice it means going back to where you came from.
// For example, `base.getMethod("foo").getSelf()` would just be `base`.
// However, it's possible we'll need it later, for identifying `self` parameters or post-update nodes.
}
}
}

2
ruby/ql/lib/codeql/ruby/Frameworks.qll
View File

@@ -8,6 +8,7 @@ private import codeql.ruby.frameworks.ActiveRecord
private import codeql.ruby.frameworks.ActiveStorage
private import codeql.ruby.frameworks.ActionView
private import codeql.ruby.frameworks.ActiveSupport
private import codeql.ruby.frameworks.Archive
private import codeql.ruby.frameworks.GraphQL
private import codeql.ruby.frameworks.Rails
private import codeql.ruby.frameworks.Stdlib
@@ -15,3 +16,4 @@ private import codeql.ruby.frameworks.Files
private import codeql.ruby.frameworks.HttpClients
private import codeql.ruby.frameworks.XmlParsing
private import codeql.ruby.frameworks.ActionDispatch
private import codeql.ruby.frameworks.PosixSpawn

39
ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowDispatch.qll
View File

@@ -260,7 +260,9 @@ private module Cached {
or
FlowSummaryImplSpecific::ParsePositions::isParsedKeywordParameterPosition(_, name)
} or
THashSplatArgumentPosition()
THashSplatArgumentPosition() or
TAnyArgumentPosition() or
TAnyKeywordArgumentPosition()
cached
newtype TParameterPosition =
@@ -280,7 +282,8 @@ private module Cached {
FlowSummaryImplSpecific::ParsePositions::isParsedKeywordArgumentPosition(_, name)
} or
THashSplatParameterPosition() or
TAnyParameterPosition()
TAnyParameterPosition() or
TAnyKeywordParameterPosition()
}
import Cached
@@ -482,11 +485,14 @@ class ParameterPosition extends TParameterPosition {
predicate isHashSplat() { this = THashSplatParameterPosition() }
/**
* Holds if this position represents any parameter. This includes both positional
* and named parameters.
* Holds if this position represents any parameter, except `self` parameters. This
* includes both positional, named, and block parameters.
*/
predicate isAny() { this = TAnyParameterPosition() }
/** Holds if this position represents any positional parameter. */
predicate isAnyNamed() { this = TAnyKeywordParameterPosition() }
/** Gets a textual representation of this position. */
string toString() {
this.isSelf() and result = "self"
@@ -502,6 +508,8 @@ class ParameterPosition extends TParameterPosition {
this.isHashSplat() and result = "**"
or
this.isAny() and result = "any"
or
this.isAnyNamed() and result = "any-named"
}
}
@@ -519,6 +527,15 @@ class ArgumentPosition extends TArgumentPosition {
/** Holds if this position represents a keyword argument named `name`. */
predicate isKeyword(string name) { this = TKeywordArgumentPosition(name) }
/**
* Holds if this position represents any argument, except `self` arguments. This
* includes both positional, named, and block arguments.
*/
predicate isAny() { this = TAnyArgumentPosition() }
/** Holds if this position represents any positional parameter. */
predicate isAnyNamed() { this = TAnyKeywordArgumentPosition() }
/**
* Holds if this position represents a synthesized argument containing all keyword
* arguments wrapped in a hash.
@@ -535,12 +552,16 @@ class ArgumentPosition extends TArgumentPosition {
or
exists(string name | this.isKeyword(name) and result = "keyword " + name)
or
this.isAny() and result = "any"
or
this.isAnyNamed() and result = "any-named"
or
this.isHashSplat() and result = "**"
}
}
/** Holds if arguments at position `apos` match parameters at position `ppos`. */
pragma[inline]
pragma[nomagic]
predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
ppos.isSelf() and apos.isSelf()
or
@@ -556,5 +577,11 @@ predicate parameterMatch(ParameterPosition ppos, ArgumentPosition apos) {
or
ppos.isHashSplat() and apos.isHashSplat()
or
ppos.isAny() and exists(apos)
ppos.isAny() and not apos.isSelf()
or
apos.isAny() and not ppos.isSelf()
or
ppos.isAnyNamed() and apos.isKeyword(_)
or
apos.isAnyNamed() and ppos.isKeyword(_)
}

12
ruby/ql/lib/codeql/ruby/dataflow/internal/FlowSummaryImplSpecific.qll
View File

@@ -293,6 +293,12 @@ ArgumentPosition parseParamBody(string s) {
or
s = "block" and
result.isBlock()
or
s = "any" and
result.isAny()
or
s = "any-named" and
result.isAnyNamed()
}
/** Gets the parameter position obtained by parsing `X` in `Argument[X]`. */
@@ -317,4 +323,10 @@ ParameterPosition parseArgBody(string s) {
or
s = "block" and
result.isBlock()
or
s = "any" and
result.isAny()
or
s = "any-named" and
result.isAnyNamed()
}

105
ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll
View File

@@ -6,6 +6,10 @@
private import ruby
private import codeql.ruby.Concepts
private import codeql.ruby.DataFlow
private import codeql.ruby.dataflow.FlowSummary
private import codeql.ruby.Concepts
private import codeql.ruby.ApiGraphs
private import codeql.ruby.frameworks.stdlib.Logger::Logger as StdlibLogger
/**
* Modeling for `ActiveSupport`.
@@ -32,6 +36,107 @@ module ActiveSupport {
override DataFlow::Node getCode() { result = this.getReceiver() }
}
/**
* Flow summary for methods which transform the receiver in some way, possibly preserving taint.
*/
private class StringTransformSummary extends SummarizedCallable {
// We're modelling a lot of different methods, so we make up a name for this summary.
StringTransformSummary() { this = "ActiveSupportStringTransform" }
override MethodCall getACall() {
result.getMethodName() =
[
"camelize", "camelcase", "classify", "dasherize", "deconstantize", "demodulize",
"foreign_key", "humanize", "indent", "parameterize", "pluralize", "singularize",
"squish", "strip_heredoc", "tableize", "titlecase", "titleize", "underscore",
"upcase_first"
]
}
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
input = "Argument[self]" and output = "ReturnValue" and preservesValue = false
}
}
}
/**
* Extensions to the `Enumerable` module.
*/
module Enumerable {
private class ArrayIndex extends int {
ArrayIndex() { this = any(DataFlow::Content::KnownElementContent c).getIndex().getInt() }
}
private class CompactBlankSummary extends SimpleSummarizedCallable {
CompactBlankSummary() { this = "compact_blank" }
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
input = "Argument[self].Element[any]" and
output = "ReturnValue.Element[?]" and
preservesValue = true
}
}
private class ExcludingSummary extends SimpleSummarizedCallable {
ExcludingSummary() { this = ["excluding", "without"] }
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
input = "Argument[self].Element[any]" and
output = "ReturnValue.Element[?]" and
preservesValue = true
}
}
private class InOrderOfSummary extends SimpleSummarizedCallable {
InOrderOfSummary() { this = "in_order_of" }
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
input = "Argument[self].Element[any]" and
output = "ReturnValue.Element[?]" and
preservesValue = true
}
}
/**
* Like `Array#push` but doesn't update the receiver.
*/
private class IncludingSummary extends SimpleSummarizedCallable {
IncludingSummary() { this = "including" }
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
(
exists(ArrayIndex i |
input = "Argument[self].Element[" + i + "]" and
output = "ReturnValue.Element[" + i + "]"
)
or
input = "Argument[self].Element[?]" and
output = "ReturnValue.Element[?]"
or
exists(int i | i in [0 .. (mc.getNumberOfArguments() - 1)] |
input = "Argument[" + i + "]" and
output = "ReturnValue.Element[?]"
)
) and
preservesValue = true
}
}
// TODO: index_by, index_with, pick, pluck (they require Hash dataflow)
}
}
/**
* `ActiveSupport::Logger`
*/
module Logger {
private class ActiveSupportLoggerInstantiation extends StdlibLogger::LoggerInstantiation {
ActiveSupportLoggerInstantiation() {
this =
API::getTopLevelMember("ActiveSupport")
.getMember(["Logger", "TaggedLogging"])
.getAnInstantiation()
}
}
}
}

33
ruby/ql/lib/codeql/ruby/frameworks/Archive.qll Normal file
View File

@@ -0,0 +1,33 @@
/**
* Provides classes for working with archive libraries.
*/
private import ruby
private import codeql.ruby.Concepts
private import codeql.ruby.DataFlow
private import codeql.ruby.ApiGraphs
/**
* Classes and predicates for modeling the RubyZip library
*/
module RubyZip {
/**
* A call to `Zip::File.new`, considered as a `FileSystemAccess`
*/
class RubyZipFileNew extends DataFlow::CallNode, FileSystemAccess::Range {
RubyZipFileNew() { this = API::getTopLevelMember("Zip").getMember("File").getAnInstantiation() }
override DataFlow::Node getAPathArgument() { result = this.getArgument(0) }
}
/**
* A call to `Zip::File.open`, considered as a `FileSystemAccess`.
*/
class RubyZipFileOpen extends DataFlow::CallNode, FileSystemAccess::Range {
RubyZipFileOpen() {
this = API::getTopLevelMember("Zip").getMember("File").getAMethodCall("open")
}
override DataFlow::Node getAPathArgument() { result = this.getArgument(0) }
}
}

80
ruby/ql/lib/codeql/ruby/frameworks/PosixSpawn.qll Normal file
View File

@@ -0,0 +1,80 @@
/**
* Provides modeling for the `posix-spawn` gem.
* Version: 0.3.15
*/
private import codeql.ruby.Concepts
private import codeql.ruby.ApiGraphs
private import codeql.ruby.DataFlow
private import codeql.ruby.controlflow.CfgNodes
/**
* Provides modeling for the `posix-spawn` gem.
* Version: 0.3.15
*/
module PosixSpawn {
private API::Node posixSpawnModule() {
result = API::getTopLevelMember("POSIX").getMember("Spawn")
}
/**
* A call to `POSIX::Spawn::Child.new` or `POSIX::Spawn::Child.build`.
*/
class ChildCall extends SystemCommandExecution::Range, DataFlow::CallNode {
ChildCall() {
this =
[
posixSpawnModule().getMember("Child").getAMethodCall("build"),
posixSpawnModule().getMember("Child").getAnInstantiation()
]
}
override DataFlow::Node getAnArgument() {
result = this.getArgument(_) and not result.asExpr() instanceof ExprNodes::PairCfgNode
}
override predicate isShellInterpreted(DataFlow::Node arg) { none() }
}
/**
* A call to `POSIX::Spawn.spawn` or a related method.
*/
class SystemCall extends SystemCommandExecution::Range, DataFlow::CallNode {
SystemCall() {
this =
posixSpawnModule()
.getAMethodCall(["spawn", "fspawn", "popen4", "pspawn", "system", "_pspawn", "`"])
}
override DataFlow::Node getAnArgument() { this.argument(result) }
// From the docs:
// When only command is given and includes a space character, the command
// text is executed by the system shell interpreter.
// This means the following signatures are shell interpreted:
//
// spawn(cmd)
// spawn(cmd, opts)
// spawn(env, cmd)
// spawn(env, cmd, opts)
//
// env and opts will be hashes. We over-approximate by assuming the argument
// is shell interpreted unless there is another argument with a string
// constant value.
override predicate isShellInterpreted(DataFlow::Node arg) {
not exists(DataFlow::Node otherArg |
otherArg != arg and
this.argument(arg) and
this.argument(otherArg) and
otherArg.asExpr().getConstantValue().isString(_)
)
}
private predicate argument(DataFlow::Node arg) {
arg = this.getArgument(_) and
not arg.asExpr() instanceof ExprNodes::HashLiteralCfgNode and
not arg.asExpr() instanceof ExprNodes::ArrayLiteralCfgNode and
not arg.asExpr() instanceof ExprNodes::PairCfgNode
}
}
}

8
ruby/ql/lib/codeql/ruby/frameworks/core/Hash.qll
View File

@@ -378,10 +378,10 @@ private class MergeSummary extends SimpleSummarizedCallable {
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
(
input = "Argument[any].WithElement[any]" and
input = "Argument[self,any].WithElement[any]" and
output = "ReturnValue"
or
input = "Argument[any].Element[any]" and
input = "Argument[self,any].Element[any]" and
output = "Argument[block].Parameter[1,2]"
) and
preservesValue = true
@@ -393,10 +393,10 @@ private class MergeBangSummary extends SimpleSummarizedCallable {
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
(
input = "Argument[any].WithElement[any]" and
input = "Argument[self,any].WithElement[any]" and
output = ["ReturnValue", "Argument[self]"]
or
input = "Argument[any].Element[any]" and
input = "Argument[self,any].Element[any]" and
output = "Argument[block].Parameter[1,2]"
) and
preservesValue = true

6
ruby/ql/lib/codeql/ruby/frameworks/data/internal/ApiGraphModelsSpecific.qll
View File

@@ -115,7 +115,7 @@ API::Node getExtraSuccessorFromNode(API::Node node, AccessPathToken token) {
or
token.getName() = "Parameter" and
result =
node.getASuccessor(API::Label::getLabelFromArgumentPosition(FlowSummaryImplSpecific::parseParamBody(token
node.getASuccessor(API::Label::getLabelFromParameterPosition(FlowSummaryImplSpecific::parseArgBody(token
.getAnArgument())))
// Note: The "Element" token is not implemented yet, as it ultimately requires type-tracking and
// API graphs to be aware of the steps involving Element contributed by the standard library model.
@@ -129,7 +129,7 @@ bindingset[token]
API::Node getExtraSuccessorFromInvoke(InvokeNode node, AccessPathToken token) {
token.getName() = "Argument" and
result =
node.getASuccessor(API::Label::getLabelFromParameterPosition(FlowSummaryImplSpecific::parseArgBody(token
node.getASuccessor(API::Label::getLabelFromArgumentPosition(FlowSummaryImplSpecific::parseParamBody(token
.getAnArgument())))
}
@@ -181,7 +181,7 @@ predicate isExtraValidTokenArgumentInIdentifyingAccessPath(string name, string a
or
name = ["Argument", "Parameter"] and
(
argument = ["self", "block"]
argument = ["self", "block", "any", "any-named"]
or
argument.regexpMatch("\\w+:") // keyword argument
)

22
ruby/ql/lib/codeql/ruby/frameworks/stdlib/Logger.qll
View File

@@ -16,7 +16,7 @@ private import codeql.ruby.dataflow.internal.DataFlowDispatch
module Logger {
/** A reference to a `Logger` instance */
private DataFlow::Node loggerInstance() {
result = API::getTopLevelMember("Logger").getAnInstantiation()
result instanceof LoggerInstantiation
or
exists(DataFlow::Node inst |
inst = loggerInstance() and
@@ -33,11 +33,29 @@ module Logger {
)
}
/**
* An instantiation of a logger that responds to the std lib logging methods.
* This can be extended to recognize additional instances that conform to the
* same interface.
*/
abstract class LoggerInstantiation extends DataFlow::Node { }
/**
* An instantiation of the std lib `Logger` class.
*/
private class StdlibLoggerInstantiation extends LoggerInstantiation {
StdlibLoggerInstantiation() { this = API::getTopLevelMember("Logger").getAnInstantiation() }
}
private class LoggerInstance extends DataFlow::Node {
LoggerInstance() { this = loggerInstance() }
}
/**
* A call to a `Logger` instance method that causes a message to be logged.
*/
abstract class LoggerLoggingCall extends Logging::Range, DataFlow::CallNode {
LoggerLoggingCall() { this.getReceiver() = loggerInstance() }
LoggerLoggingCall() { this.getReceiver() instanceof LoggerInstance }
}
/**

4
ruby/ql/test/library-tests/dataflow/hash-flow/hash-flow.expected
View File

@@ -248,9 +248,7 @@ edges
| hash_flow.rb:414:11:414:14 | hash [element :f] : | hash_flow.rb:414:11:414:18 | ...[...] : |
| hash_flow.rb:414:11:414:18 | ...[...] : | hash_flow.rb:414:10:414:19 | ( ... ) |
| hash_flow.rb:421:15:421:25 | call to taint : | hash_flow.rb:430:12:430:16 | hash1 [element :a] : |
| hash_flow.rb:421:15:421:25 | call to taint : | hash_flow.rb:442:11:442:15 | hash1 [element :a] : |
| hash_flow.rb:423:15:423:25 | call to taint : | hash_flow.rb:430:12:430:16 | hash1 [element :c] : |
| hash_flow.rb:423:15:423:25 | call to taint : | hash_flow.rb:444:11:444:15 | hash1 [element :c] : |
| hash_flow.rb:426:15:426:25 | call to taint : | hash_flow.rb:430:25:430:29 | hash2 [element :d] : |
| hash_flow.rb:428:15:428:25 | call to taint : | hash_flow.rb:430:25:430:29 | hash2 [element :f] : |
| hash_flow.rb:430:12:430:16 | [post] hash1 [element :a] : | hash_flow.rb:442:11:442:15 | hash1 [element :a] : |
@@ -444,9 +442,7 @@ edges
| hash_flow.rb:663:11:663:14 | hash [element] : | hash_flow.rb:663:11:663:18 | ...[...] : |
| hash_flow.rb:663:11:663:18 | ...[...] : | hash_flow.rb:663:10:663:19 | ( ... ) |
| hash_flow.rb:670:15:670:25 | call to taint : | hash_flow.rb:679:12:679:16 | hash1 [element :a] : |
| hash_flow.rb:670:15:670:25 | call to taint : | hash_flow.rb:691:11:691:15 | hash1 [element :a] : |
| hash_flow.rb:672:15:672:25 | call to taint : | hash_flow.rb:679:12:679:16 | hash1 [element :c] : |
| hash_flow.rb:672:15:672:25 | call to taint : | hash_flow.rb:693:11:693:15 | hash1 [element :c] : |
| hash_flow.rb:675:15:675:25 | call to taint : | hash_flow.rb:679:25:679:29 | hash2 [element :d] : |
| hash_flow.rb:677:15:677:25 | call to taint : | hash_flow.rb:679:25:679:29 | hash2 [element :f] : |
| hash_flow.rb:679:12:679:16 | [post] hash1 [element :a] : | hash_flow.rb:691:11:691:15 | hash1 [element :a] : |

236
ruby/ql/test/library-tests/dataflow/summaries/Summaries.expected
View File

@@ -21,8 +21,17 @@ edges
| summaries.rb:1:11:1:36 | call to identity : | summaries.rb:51:24:51:30 | tainted : |
| summaries.rb:1:11:1:36 | call to identity : | summaries.rb:54:22:54:28 | tainted : |
| summaries.rb:1:11:1:36 | call to identity : | summaries.rb:55:17:55:23 | tainted : |
| summaries.rb:1:11:1:36 | call to identity : | summaries.rb:58:32:58:38 | tainted : |
| summaries.rb:1:11:1:36 | call to identity : | summaries.rb:60:23:60:29 | tainted : |
| summaries.rb:1:11:1:36 | call to identity : | summaries.rb:57:27:57:33 | tainted : |
| summaries.rb:1:11:1:36 | call to identity : | summaries.rb:61:32:61:38 | tainted : |
| summaries.rb:1:11:1:36 | call to identity : | summaries.rb:63:23:63:29 | tainted : |
| summaries.rb:1:11:1:36 | call to identity : | summaries.rb:102:16:102:22 | tainted : |
| summaries.rb:1:11:1:36 | call to identity : | summaries.rb:108:14:108:20 | tainted : |
| summaries.rb:1:11:1:36 | call to identity : | summaries.rb:111:16:111:22 | tainted |
| summaries.rb:1:11:1:36 | call to identity : | summaries.rb:111:16:111:22 | tainted |
| summaries.rb:1:11:1:36 | call to identity : | summaries.rb:112:21:112:27 | tainted |
| summaries.rb:1:11:1:36 | call to identity : | summaries.rb:112:21:112:27 | tainted |
| summaries.rb:1:11:1:36 | call to identity : | summaries.rb:115:26:115:32 | tainted |
| summaries.rb:1:11:1:36 | call to identity : | summaries.rb:115:26:115:32 | tainted |
| summaries.rb:1:20:1:36 | call to source : | summaries.rb:1:11:1:36 | call to identity : |
| summaries.rb:1:20:1:36 | call to source : | summaries.rb:1:11:1:36 | call to identity : |
| summaries.rb:4:12:7:3 | call to apply_block : | summaries.rb:9:6:9:13 | tainted2 |
@@ -57,41 +66,53 @@ edges
| summaries.rb:51:24:51:30 | tainted : | summaries.rb:51:6:51:31 | call to namedArg |
| summaries.rb:54:22:54:28 | tainted : | summaries.rb:54:6:54:29 | call to anyArg |
| summaries.rb:55:17:55:23 | tainted : | summaries.rb:55:6:55:24 | call to anyArg |
| summaries.rb:58:32:58:38 | tainted : | summaries.rb:58:6:58:39 | call to anyPositionFromOne |
| summaries.rb:60:23:60:29 | tainted : | summaries.rb:60:40:60:40 | x : |
| summaries.rb:60:40:60:40 | x : | summaries.rb:61:8:61:8 | x |
| summaries.rb:68:24:68:53 | call to source : | summaries.rb:68:8:68:54 | call to preserveTaint |
| summaries.rb:71:26:71:56 | call to source : | summaries.rb:71:8:71:57 | call to preserveTaint |
| summaries.rb:74:15:74:29 | call to source : | summaries.rb:76:6:76:6 | a [element 1] : |
| summaries.rb:74:15:74:29 | call to source : | summaries.rb:76:6:76:6 | a [element 1] : |
| summaries.rb:74:15:74:29 | call to source : | summaries.rb:78:5:78:5 | a [element 1] : |
| summaries.rb:74:15:74:29 | call to source : | summaries.rb:78:5:78:5 | a [element 1] : |
| summaries.rb:74:32:74:46 | call to source : | summaries.rb:77:6:77:6 | a [element 2] : |
| summaries.rb:74:32:74:46 | call to source : | summaries.rb:77:6:77:6 | a [element 2] : |
| summaries.rb:74:32:74:46 | call to source : | summaries.rb:82:1:82:1 | a [element 2] : |
| summaries.rb:74:32:74:46 | call to source : | summaries.rb:82:1:82:1 | a [element 2] : |
| summaries.rb:76:6:76:6 | a [element 1] : | summaries.rb:76:6:76:9 | ...[...] |
| summaries.rb:76:6:76:6 | a [element 1] : | summaries.rb:76:6:76:9 | ...[...] |
| summaries.rb:77:6:77:6 | a [element 2] : | summaries.rb:77:6:77:9 | ...[...] |
| summaries.rb:77:6:77:6 | a [element 2] : | summaries.rb:77:6:77:9 | ...[...] |
| summaries.rb:78:5:78:5 | a [element 1] : | summaries.rb:78:5:78:22 | call to withElementOne [element 1] : |
| summaries.rb:78:5:78:5 | a [element 1] : | summaries.rb:78:5:78:22 | call to withElementOne [element 1] : |
| summaries.rb:78:5:78:22 | call to withElementOne [element 1] : | summaries.rb:80:6:80:6 | b [element 1] : |
| summaries.rb:78:5:78:22 | call to withElementOne [element 1] : | summaries.rb:80:6:80:6 | b [element 1] : |
| summaries.rb:80:6:80:6 | b [element 1] : | summaries.rb:80:6:80:9 | ...[...] |
| summaries.rb:80:6:80:6 | b [element 1] : | summaries.rb:80:6:80:9 | ...[...] |
| summaries.rb:82:1:82:1 | [post] a [element 2] : | summaries.rb:85:6:85:6 | a [element 2] : |
| summaries.rb:82:1:82:1 | [post] a [element 2] : | summaries.rb:85:6:85:6 | a [element 2] : |
| summaries.rb:82:1:82:1 | a [element 2] : | summaries.rb:82:1:82:1 | [post] a [element 2] : |
| summaries.rb:82:1:82:1 | a [element 2] : | summaries.rb:82:1:82:1 | [post] a [element 2] : |
| summaries.rb:85:6:85:6 | a [element 2] : | summaries.rb:85:6:85:9 | ...[...] |
| summaries.rb:85:6:85:6 | a [element 2] : | summaries.rb:85:6:85:9 | ...[...] |
| summaries.rb:88:1:88:1 | [post] x [@value] : | summaries.rb:89:6:89:6 | x [@value] : |
| summaries.rb:88:1:88:1 | [post] x [@value] : | summaries.rb:89:6:89:6 | x [@value] : |
| summaries.rb:88:13:88:26 | call to source : | summaries.rb:88:1:88:1 | [post] x [@value] : |
| summaries.rb:88:13:88:26 | call to source : | summaries.rb:88:1:88:1 | [post] x [@value] : |
| summaries.rb:89:6:89:6 | x [@value] : | summaries.rb:89:6:89:16 | call to get_value |
| summaries.rb:89:6:89:6 | x [@value] : | summaries.rb:89:6:89:16 | call to get_value |
| summaries.rb:57:27:57:33 | tainted : | summaries.rb:57:6:57:34 | call to anyNamedArg |
| summaries.rb:61:32:61:38 | tainted : | summaries.rb:61:6:61:39 | call to anyPositionFromOne |
| summaries.rb:63:23:63:29 | tainted : | summaries.rb:63:40:63:40 | x : |
| summaries.rb:63:40:63:40 | x : | summaries.rb:64:8:64:8 | x |
| summaries.rb:71:24:71:53 | call to source : | summaries.rb:71:8:71:54 | call to preserveTaint |
| summaries.rb:74:26:74:56 | call to source : | summaries.rb:74:8:74:57 | call to preserveTaint |
| summaries.rb:77:15:77:29 | call to source : | summaries.rb:79:6:79:6 | a [element 1] : |
| summaries.rb:77:15:77:29 | call to source : | summaries.rb:79:6:79:6 | a [element 1] : |
| summaries.rb:77:15:77:29 | call to source : | summaries.rb:81:5:81:5 | a [element 1] : |
| summaries.rb:77:15:77:29 | call to source : | summaries.rb:81:5:81:5 | a [element 1] : |
| summaries.rb:77:32:77:46 | call to source : | summaries.rb:80:6:80:6 | a [element 2] : |
| summaries.rb:77:32:77:46 | call to source : | summaries.rb:80:6:80:6 | a [element 2] : |
| summaries.rb:77:32:77:46 | call to source : | summaries.rb:85:1:85:1 | a [element 2] : |
| summaries.rb:77:32:77:46 | call to source : | summaries.rb:85:1:85:1 | a [element 2] : |
| summaries.rb:79:6:79:6 | a [element 1] : | summaries.rb:79:6:79:9 | ...[...] |
| summaries.rb:79:6:79:6 | a [element 1] : | summaries.rb:79:6:79:9 | ...[...] |
| summaries.rb:80:6:80:6 | a [element 2] : | summaries.rb:80:6:80:9 | ...[...] |
| summaries.rb:80:6:80:6 | a [element 2] : | summaries.rb:80:6:80:9 | ...[...] |
| summaries.rb:81:5:81:5 | a [element 1] : | summaries.rb:81:5:81:22 | call to withElementOne [element 1] : |
| summaries.rb:81:5:81:5 | a [element 1] : | summaries.rb:81:5:81:22 | call to withElementOne [element 1] : |
| summaries.rb:81:5:81:22 | call to withElementOne [element 1] : | summaries.rb:83:6:83:6 | b [element 1] : |
| summaries.rb:81:5:81:22 | call to withElementOne [element 1] : | summaries.rb:83:6:83:6 | b [element 1] : |
| summaries.rb:83:6:83:6 | b [element 1] : | summaries.rb:83:6:83:9 | ...[...] |
| summaries.rb:83:6:83:6 | b [element 1] : | summaries.rb:83:6:83:9 | ...[...] |
| summaries.rb:85:1:85:1 | [post] a [element 2] : | summaries.rb:88:6:88:6 | a [element 2] : |
| summaries.rb:85:1:85:1 | [post] a [element 2] : | summaries.rb:88:6:88:6 | a [element 2] : |
| summaries.rb:85:1:85:1 | a [element 2] : | summaries.rb:85:1:85:1 | [post] a [element 2] : |
| summaries.rb:85:1:85:1 | a [element 2] : | summaries.rb:85:1:85:1 | [post] a [element 2] : |
| summaries.rb:88:6:88:6 | a [element 2] : | summaries.rb:88:6:88:9 | ...[...] |
| summaries.rb:88:6:88:6 | a [element 2] : | summaries.rb:88:6:88:9 | ...[...] |
| summaries.rb:91:1:91:1 | [post] x [@value] : | summaries.rb:92:6:92:6 | x [@value] : |
| summaries.rb:91:1:91:1 | [post] x [@value] : | summaries.rb:92:6:92:6 | x [@value] : |
| summaries.rb:91:13:91:26 | call to source : | summaries.rb:91:1:91:1 | [post] x [@value] : |
| summaries.rb:91:13:91:26 | call to source : | summaries.rb:91:1:91:1 | [post] x [@value] : |
| summaries.rb:92:6:92:6 | x [@value] : | summaries.rb:92:6:92:16 | call to get_value |
| summaries.rb:92:6:92:6 | x [@value] : | summaries.rb:92:6:92:16 | call to get_value |
| summaries.rb:102:16:102:22 | [post] tainted : | summaries.rb:108:14:108:20 | tainted : |
| summaries.rb:102:16:102:22 | [post] tainted : | summaries.rb:111:16:111:22 | tainted |
| summaries.rb:102:16:102:22 | [post] tainted : | summaries.rb:112:21:112:27 | tainted |
| summaries.rb:102:16:102:22 | [post] tainted : | summaries.rb:115:26:115:32 | tainted |
| summaries.rb:102:16:102:22 | tainted : | summaries.rb:102:16:102:22 | [post] tainted : |
| summaries.rb:102:16:102:22 | tainted : | summaries.rb:102:25:102:25 | [post] y : |
| summaries.rb:102:16:102:22 | tainted : | summaries.rb:102:33:102:33 | [post] z : |
| summaries.rb:102:25:102:25 | [post] y : | summaries.rb:104:6:104:6 | y |
| summaries.rb:102:33:102:33 | [post] z : | summaries.rb:105:6:105:6 | z |
| summaries.rb:108:1:108:1 | [post] x : | summaries.rb:109:6:109:6 | x |
| summaries.rb:108:14:108:20 | tainted : | summaries.rb:108:1:108:1 | [post] x : |
nodes
| summaries.rb:1:11:1:36 | call to identity : | semmle.label | call to identity : |
| summaries.rb:1:11:1:36 | call to identity : | semmle.label | call to identity : |
@@ -152,51 +173,68 @@ nodes
| summaries.rb:54:22:54:28 | tainted : | semmle.label | tainted : |
| summaries.rb:55:6:55:24 | call to anyArg | semmle.label | call to anyArg |
| summaries.rb:55:17:55:23 | tainted : | semmle.label | tainted : |
| summaries.rb:58:6:58:39 | call to anyPositionFromOne | semmle.label | call to anyPositionFromOne |
| summaries.rb:58:32:58:38 | tainted : | semmle.label | tainted : |
| summaries.rb:60:23:60:29 | tainted : | semmle.label | tainted : |
| summaries.rb:60:40:60:40 | x : | semmle.label | x : |
| summaries.rb:61:8:61:8 | x | semmle.label | x |
| summaries.rb:68:8:68:54 | call to preserveTaint | semmle.label | call to preserveTaint |
| summaries.rb:68:24:68:53 | call to source : | semmle.label | call to source : |
| summaries.rb:71:8:71:57 | call to preserveTaint | semmle.label | call to preserveTaint |
| summaries.rb:71:26:71:56 | call to source : | semmle.label | call to source : |
| summaries.rb:74:15:74:29 | call to source : | semmle.label | call to source : |
| summaries.rb:74:15:74:29 | call to source : | semmle.label | call to source : |
| summaries.rb:74:32:74:46 | call to source : | semmle.label | call to source : |
| summaries.rb:74:32:74:46 | call to source : | semmle.label | call to source : |
| summaries.rb:76:6:76:6 | a [element 1] : | semmle.label | a [element 1] : |
| summaries.rb:76:6:76:6 | a [element 1] : | semmle.label | a [element 1] : |
| summaries.rb:76:6:76:9 | ...[...] | semmle.label | ...[...] |
| summaries.rb:76:6:76:9 | ...[...] | semmle.label | ...[...] |
| summaries.rb:77:6:77:6 | a [element 2] : | semmle.label | a [element 2] : |
| summaries.rb:77:6:77:6 | a [element 2] : | semmle.label | a [element 2] : |
| summaries.rb:77:6:77:9 | ...[...] | semmle.label | ...[...] |
| summaries.rb:77:6:77:9 | ...[...] | semmle.label | ...[...] |
| summaries.rb:78:5:78:5 | a [element 1] : | semmle.label | a [element 1] : |
| summaries.rb:78:5:78:5 | a [element 1] : | semmle.label | a [element 1] : |
| summaries.rb:78:5:78:22 | call to withElementOne [element 1] : | semmle.label | call to withElementOne [element 1] : |
| summaries.rb:78:5:78:22 | call to withElementOne [element 1] : | semmle.label | call to withElementOne [element 1] : |
| summaries.rb:80:6:80:6 | b [element 1] : | semmle.label | b [element 1] : |
| summaries.rb:80:6:80:6 | b [element 1] : | semmle.label | b [element 1] : |
| summaries.rb:57:6:57:34 | call to anyNamedArg | semmle.label | call to anyNamedArg |
| summaries.rb:57:27:57:33 | tainted : | semmle.label | tainted : |
| summaries.rb:61:6:61:39 | call to anyPositionFromOne | semmle.label | call to anyPositionFromOne |
| summaries.rb:61:32:61:38 | tainted : | semmle.label | tainted : |
| summaries.rb:63:23:63:29 | tainted : | semmle.label | tainted : |
| summaries.rb:63:40:63:40 | x : | semmle.label | x : |
| summaries.rb:64:8:64:8 | x | semmle.label | x |
| summaries.rb:71:8:71:54 | call to preserveTaint | semmle.label | call to preserveTaint |
| summaries.rb:71:24:71:53 | call to source : | semmle.label | call to source : |
| summaries.rb:74:8:74:57 | call to preserveTaint | semmle.label | call to preserveTaint |
| summaries.rb:74:26:74:56 | call to source : | semmle.label | call to source : |
| summaries.rb:77:15:77:29 | call to source : | semmle.label | call to source : |
| summaries.rb:77:15:77:29 | call to source : | semmle.label | call to source : |
| summaries.rb:77:32:77:46 | call to source : | semmle.label | call to source : |
| summaries.rb:77:32:77:46 | call to source : | semmle.label | call to source : |
| summaries.rb:79:6:79:6 | a [element 1] : | semmle.label | a [element 1] : |
| summaries.rb:79:6:79:6 | a [element 1] : | semmle.label | a [element 1] : |
| summaries.rb:79:6:79:9 | ...[...] | semmle.label | ...[...] |
| summaries.rb:79:6:79:9 | ...[...] | semmle.label | ...[...] |
| summaries.rb:80:6:80:6 | a [element 2] : | semmle.label | a [element 2] : |
| summaries.rb:80:6:80:6 | a [element 2] : | semmle.label | a [element 2] : |
| summaries.rb:80:6:80:9 | ...[...] | semmle.label | ...[...] |
| summaries.rb:80:6:80:9 | ...[...] | semmle.label | ...[...] |
| summaries.rb:82:1:82:1 | [post] a [element 2] : | semmle.label | [post] a [element 2] : |
| summaries.rb:82:1:82:1 | [post] a [element 2] : | semmle.label | [post] a [element 2] : |
| summaries.rb:82:1:82:1 | a [element 2] : | semmle.label | a [element 2] : |
| summaries.rb:82:1:82:1 | a [element 2] : | semmle.label | a [element 2] : |
| summaries.rb:85:6:85:6 | a [element 2] : | semmle.label | a [element 2] : |
| summaries.rb:85:6:85:6 | a [element 2] : | semmle.label | a [element 2] : |
| summaries.rb:85:6:85:9 | ...[...] | semmle.label | ...[...] |
| summaries.rb:85:6:85:9 | ...[...] | semmle.label | ...[...] |
| summaries.rb:88:1:88:1 | [post] x [@value] : | semmle.label | [post] x [@value] : |
| summaries.rb:88:1:88:1 | [post] x [@value] : | semmle.label | [post] x [@value] : |
| summaries.rb:88:13:88:26 | call to source : | semmle.label | call to source : |
| summaries.rb:88:13:88:26 | call to source : | semmle.label | call to source : |
| summaries.rb:89:6:89:6 | x [@value] : | semmle.label | x [@value] : |
| summaries.rb:89:6:89:6 | x [@value] : | semmle.label | x [@value] : |
| summaries.rb:89:6:89:16 | call to get_value | semmle.label | call to get_value |
| summaries.rb:89:6:89:16 | call to get_value | semmle.label | call to get_value |
| summaries.rb:81:5:81:5 | a [element 1] : | semmle.label | a [element 1] : |
| summaries.rb:81:5:81:5 | a [element 1] : | semmle.label | a [element 1] : |
| summaries.rb:81:5:81:22 | call to withElementOne [element 1] : | semmle.label | call to withElementOne [element 1] : |
| summaries.rb:81:5:81:22 | call to withElementOne [element 1] : | semmle.label | call to withElementOne [element 1] : |
| summaries.rb:83:6:83:6 | b [element 1] : | semmle.label | b [element 1] : |
| summaries.rb:83:6:83:6 | b [element 1] : | semmle.label | b [element 1] : |
| summaries.rb:83:6:83:9 | ...[...] | semmle.label | ...[...] |
| summaries.rb:83:6:83:9 | ...[...] | semmle.label | ...[...] |
| summaries.rb:85:1:85:1 | [post] a [element 2] : | semmle.label | [post] a [element 2] : |
| summaries.rb:85:1:85:1 | [post] a [element 2] : | semmle.label | [post] a [element 2] : |
| summaries.rb:85:1:85:1 | a [element 2] : | semmle.label | a [element 2] : |
| summaries.rb:85:1:85:1 | a [element 2] : | semmle.label | a [element 2] : |
| summaries.rb:88:6:88:6 | a [element 2] : | semmle.label | a [element 2] : |
| summaries.rb:88:6:88:6 | a [element 2] : | semmle.label | a [element 2] : |
| summaries.rb:88:6:88:9 | ...[...] | semmle.label | ...[...] |
| summaries.rb:88:6:88:9 | ...[...] | semmle.label | ...[...] |
| summaries.rb:91:1:91:1 | [post] x [@value] : | semmle.label | [post] x [@value] : |
| summaries.rb:91:1:91:1 | [post] x [@value] : | semmle.label | [post] x [@value] : |
| summaries.rb:91:13:91:26 | call to source : | semmle.label | call to source : |
| summaries.rb:91:13:91:26 | call to source : | semmle.label | call to source : |
| summaries.rb:92:6:92:6 | x [@value] : | semmle.label | x [@value] : |
| summaries.rb:92:6:92:6 | x [@value] : | semmle.label | x [@value] : |
| summaries.rb:92:6:92:16 | call to get_value | semmle.label | call to get_value |
| summaries.rb:92:6:92:16 | call to get_value | semmle.label | call to get_value |
| summaries.rb:102:16:102:22 | [post] tainted : | semmle.label | [post] tainted : |
| summaries.rb:102:16:102:22 | tainted : | semmle.label | tainted : |
| summaries.rb:102:25:102:25 | [post] y : | semmle.label | [post] y : |
| summaries.rb:102:33:102:33 | [post] z : | semmle.label | [post] z : |
| summaries.rb:104:6:104:6 | y | semmle.label | y |
| summaries.rb:105:6:105:6 | z | semmle.label | z |
| summaries.rb:108:1:108:1 | [post] x : | semmle.label | [post] x : |
| summaries.rb:108:14:108:20 | tainted : | semmle.label | tainted : |
| summaries.rb:109:6:109:6 | x | semmle.label | x |
| summaries.rb:111:16:111:22 | tainted | semmle.label | tainted |
| summaries.rb:111:16:111:22 | tainted | semmle.label | tainted |
| summaries.rb:112:21:112:27 | tainted | semmle.label | tainted |
| summaries.rb:112:21:112:27 | tainted | semmle.label | tainted |
| summaries.rb:115:26:115:32 | tainted | semmle.label | tainted |
| summaries.rb:115:26:115:32 | tainted | semmle.label | tainted |
subpaths
invalidSpecComponent
#select
@@ -229,20 +267,30 @@ invalidSpecComponent
| summaries.rb:51:6:51:31 | call to namedArg | summaries.rb:1:20:1:36 | call to source : | summaries.rb:51:6:51:31 | call to namedArg | $@ | summaries.rb:1:20:1:36 | call to source : | call to source : |
| summaries.rb:54:6:54:29 | call to anyArg | summaries.rb:1:20:1:36 | call to source : | summaries.rb:54:6:54:29 | call to anyArg | $@ | summaries.rb:1:20:1:36 | call to source : | call to source : |
| summaries.rb:55:6:55:24 | call to anyArg | summaries.rb:1:20:1:36 | call to source : | summaries.rb:55:6:55:24 | call to anyArg | $@ | summaries.rb:1:20:1:36 | call to source : | call to source : |
| summaries.rb:58:6:58:39 | call to anyPositionFromOne | summaries.rb:1:20:1:36 | call to source : | summaries.rb:58:6:58:39 | call to anyPositionFromOne | $@ | summaries.rb:1:20:1:36 | call to source : | call to source : |
| summaries.rb:61:8:61:8 | x | summaries.rb:1:20:1:36 | call to source : | summaries.rb:61:8:61:8 | x | $@ | summaries.rb:1:20:1:36 | call to source : | call to source : |
| summaries.rb:68:8:68:54 | call to preserveTaint | summaries.rb:68:24:68:53 | call to source : | summaries.rb:68:8:68:54 | call to preserveTaint | $@ | summaries.rb:68:24:68:53 | call to source : | call to source : |
| summaries.rb:71:8:71:57 | call to preserveTaint | summaries.rb:71:26:71:56 | call to source : | summaries.rb:71:8:71:57 | call to preserveTaint | $@ | summaries.rb:71:26:71:56 | call to source : | call to source : |
| summaries.rb:76:6:76:9 | ...[...] | summaries.rb:74:15:74:29 | call to source : | summaries.rb:76:6:76:9 | ...[...] | $@ | summaries.rb:74:15:74:29 | call to source : | call to source : |
| summaries.rb:76:6:76:9 | ...[...] | summaries.rb:74:15:74:29 | call to source : | summaries.rb:76:6:76:9 | ...[...] | $@ | summaries.rb:74:15:74:29 | call to source : | call to source : |
| summaries.rb:77:6:77:9 | ...[...] | summaries.rb:74:32:74:46 | call to source : | summaries.rb:77:6:77:9 | ...[...] | $@ | summaries.rb:74:32:74:46 | call to source : | call to source : |
| summaries.rb:77:6:77:9 | ...[...] | summaries.rb:74:32:74:46 | call to source : | summaries.rb:77:6:77:9 | ...[...] | $@ | summaries.rb:74:32:74:46 | call to source : | call to source : |
| summaries.rb:80:6:80:9 | ...[...] | summaries.rb:74:15:74:29 | call to source : | summaries.rb:80:6:80:9 | ...[...] | $@ | summaries.rb:74:15:74:29 | call to source : | call to source : |
| summaries.rb:80:6:80:9 | ...[...] | summaries.rb:74:15:74:29 | call to source : | summaries.rb:80:6:80:9 | ...[...] | $@ | summaries.rb:74:15:74:29 | call to source : | call to source : |
| summaries.rb:85:6:85:9 | ...[...] | summaries.rb:74:32:74:46 | call to source : | summaries.rb:85:6:85:9 | ...[...] | $@ | summaries.rb:74:32:74:46 | call to source : | call to source : |
| summaries.rb:85:6:85:9 | ...[...] | summaries.rb:74:32:74:46 | call to source : | summaries.rb:85:6:85:9 | ...[...] | $@ | summaries.rb:74:32:74:46 | call to source : | call to source : |
| summaries.rb:89:6:89:16 | call to get_value | summaries.rb:88:13:88:26 | call to source : | summaries.rb:89:6:89:16 | call to get_value | $@ | summaries.rb:88:13:88:26 | call to source : | call to source : |
| summaries.rb:89:6:89:16 | call to get_value | summaries.rb:88:13:88:26 | call to source : | summaries.rb:89:6:89:16 | call to get_value | $@ | summaries.rb:88:13:88:26 | call to source : | call to source : |
| summaries.rb:57:6:57:34 | call to anyNamedArg | summaries.rb:1:20:1:36 | call to source : | summaries.rb:57:6:57:34 | call to anyNamedArg | $@ | summaries.rb:1:20:1:36 | call to source : | call to source : |
| summaries.rb:61:6:61:39 | call to anyPositionFromOne | summaries.rb:1:20:1:36 | call to source : | summaries.rb:61:6:61:39 | call to anyPositionFromOne | $@ | summaries.rb:1:20:1:36 | call to source : | call to source : |
| summaries.rb:64:8:64:8 | x | summaries.rb:1:20:1:36 | call to source : | summaries.rb:64:8:64:8 | x | $@ | summaries.rb:1:20:1:36 | call to source : | call to source : |
| summaries.rb:71:8:71:54 | call to preserveTaint | summaries.rb:71:24:71:53 | call to source : | summaries.rb:71:8:71:54 | call to preserveTaint | $@ | summaries.rb:71:24:71:53 | call to source : | call to source : |
| summaries.rb:74:8:74:57 | call to preserveTaint | summaries.rb:74:26:74:56 | call to source : | summaries.rb:74:8:74:57 | call to preserveTaint | $@ | summaries.rb:74:26:74:56 | call to source : | call to source : |
| summaries.rb:79:6:79:9 | ...[...] | summaries.rb:77:15:77:29 | call to source : | summaries.rb:79:6:79:9 | ...[...] | $@ | summaries.rb:77:15:77:29 | call to source : | call to source : |
| summaries.rb:79:6:79:9 | ...[...] | summaries.rb:77:15:77:29 | call to source : | summaries.rb:79:6:79:9 | ...[...] | $@ | summaries.rb:77:15:77:29 | call to source : | call to source : |
| summaries.rb:80:6:80:9 | ...[...] | summaries.rb:77:32:77:46 | call to source : | summaries.rb:80:6:80:9 | ...[...] | $@ | summaries.rb:77:32:77:46 | call to source : | call to source : |
| summaries.rb:80:6:80:9 | ...[...] | summaries.rb:77:32:77:46 | call to source : | summaries.rb:80:6:80:9 | ...[...] | $@ | summaries.rb:77:32:77:46 | call to source : | call to source : |
| summaries.rb:83:6:83:9 | ...[...] | summaries.rb:77:15:77:29 | call to source : | summaries.rb:83:6:83:9 | ...[...] | $@ | summaries.rb:77:15:77:29 | call to source : | call to source : |
| summaries.rb:83:6:83:9 | ...[...] | summaries.rb:77:15:77:29 | call to source : | summaries.rb:83:6:83:9 | ...[...] | $@ | summaries.rb:77:15:77:29 | call to source : | call to source : |
| summaries.rb:88:6:88:9 | ...[...] | summaries.rb:77:32:77:46 | call to source : | summaries.rb:88:6:88:9 | ...[...] | $@ | summaries.rb:77:32:77:46 | call to source : | call to source : |
| summaries.rb:88:6:88:9 | ...[...] | summaries.rb:77:32:77:46 | call to source : | summaries.rb:88:6:88:9 | ...[...] | $@ | summaries.rb:77:32:77:46 | call to source : | call to source : |
| summaries.rb:92:6:92:16 | call to get_value | summaries.rb:91:13:91:26 | call to source : | summaries.rb:92:6:92:16 | call to get_value | $@ | summaries.rb:91:13:91:26 | call to source : | call to source : |
| summaries.rb:92:6:92:16 | call to get_value | summaries.rb:91:13:91:26 | call to source : | summaries.rb:92:6:92:16 | call to get_value | $@ | summaries.rb:91:13:91:26 | call to source : | call to source : |
| summaries.rb:104:6:104:6 | y | summaries.rb:1:20:1:36 | call to source : | summaries.rb:104:6:104:6 | y | $@ | summaries.rb:1:20:1:36 | call to source : | call to source : |
| summaries.rb:105:6:105:6 | z | summaries.rb:1:20:1:36 | call to source : | summaries.rb:105:6:105:6 | z | $@ | summaries.rb:1:20:1:36 | call to source : | call to source : |
| summaries.rb:109:6:109:6 | x | summaries.rb:1:20:1:36 | call to source : | summaries.rb:109:6:109:6 | x | $@ | summaries.rb:1:20:1:36 | call to source : | call to source : |
| summaries.rb:111:16:111:22 | tainted | summaries.rb:1:20:1:36 | call to source : | summaries.rb:111:16:111:22 | tainted | $@ | summaries.rb:1:20:1:36 | call to source : | call to source : |
| summaries.rb:111:16:111:22 | tainted | summaries.rb:1:20:1:36 | call to source : | summaries.rb:111:16:111:22 | tainted | $@ | summaries.rb:1:20:1:36 | call to source : | call to source : |
| summaries.rb:112:21:112:27 | tainted | summaries.rb:1:20:1:36 | call to source : | summaries.rb:112:21:112:27 | tainted | $@ | summaries.rb:1:20:1:36 | call to source : | call to source : |
| summaries.rb:112:21:112:27 | tainted | summaries.rb:1:20:1:36 | call to source : | summaries.rb:112:21:112:27 | tainted | $@ | summaries.rb:1:20:1:36 | call to source : | call to source : |
| summaries.rb:115:26:115:32 | tainted | summaries.rb:1:20:1:36 | call to source : | summaries.rb:115:26:115:32 | tainted | $@ | summaries.rb:1:20:1:36 | call to source : | call to source : |
| summaries.rb:115:26:115:32 | tainted | summaries.rb:1:20:1:36 | call to source : | summaries.rb:115:26:115:32 | tainted | $@ | summaries.rb:1:20:1:36 | call to source : | call to source : |
warning
| CSV type row should have 5 columns but has 2: test;TooFewColumns |
| CSV type row should have 5 columns but has 8: test;TooManyColumns;;;Member[Foo].Instance;too;many;columns |

12
ruby/ql/test/library-tests/dataflow/summaries/Summaries.ql
View File

@@ -75,11 +75,14 @@ private class StepsFromModel extends ModelInput::SummaryModelCsv {
";;Member[Foo].Method[blockArg].Argument[block].Parameter[0].Method[preserveTaint];Argument[0];ReturnValue;taint",
";;Member[Foo].Method[namedArg];Argument[foo:];ReturnValue;taint",
";;Member[Foo].Method[anyArg];Argument[any];ReturnValue;taint",
";;Member[Foo].Method[anyNamedArg];Argument[any-named];ReturnValue;taint",
";;Member[Foo].Method[anyPositionFromOne];Argument[1..];ReturnValue;taint",
";;Member[Foo].Method[intoNamedCallback];Argument[0];Argument[foo:].Parameter[0];taint",
";;Member[Foo].Method[intoNamedParameter];Argument[0];Argument[0].Parameter[foo:];taint",
";;Member[Foo].Method[startInNamedCallback].Argument[foo:].Parameter[0].Method[preserveTaint];Argument[0];ReturnValue;taint",
";;Member[Foo].Method[startInNamedParameter].Argument[0].Parameter[foo:].Method[preserveTaint];Argument[0];ReturnValue;taint",
";;Member[Foo].Instance.Method[flowToAnyArg];Argument[0];Argument[any];taint",
";;Member[Foo].Instance.Method[flowToSelf];Argument[0];Argument[self];taint",
";any;Method[matchedByName];Argument[0];ReturnValue;taint",
";any;Method[matchedByNameRcv];Argument[self];ReturnValue;taint",
";any;Method[withElementOne];Argument[self].WithElement[1];ReturnValue;value",
@@ -115,7 +118,14 @@ private class InvalidTypeModel extends ModelInput::TypeModelCsv {
}
private class SinkFromModel extends ModelInput::SinkModelCsv {
override predicate row(string row) { row = "test;FooOrBar;Method[method].Argument[0];test-sink" }
override predicate row(string row) {
row =
[
"test;FooOrBar;Method[method].Argument[0];test-sink", //
";;Member[Foo].Method[sinkAnyArg].Argument[any];test-sink", //
";;Member[Foo].Method[sinkAnyNamedArg].Argument[any-named];test-sink", //
]
}
}
class CustomValueSink extends DefaultValueFlowConf {

28
ruby/ql/test/library-tests/dataflow/summaries/summaries.rb
View File

@@ -54,6 +54,9 @@ sink(Foo.namedArg(tainted))
sink(Foo.anyArg(foo: tainted)) # $ hasTaintFlow=tainted
sink(Foo.anyArg(tainted)) # $ hasTaintFlow=tainted
sink(Foo.anyNamedArg(foo: tainted)) # $ hasTaintFlow=tainted
sink(Foo.anyNamedArg(tainted))
sink(Foo.anyPositionFromOne(tainted))
sink(Foo.anyPositionFromOne(0, tainted)) # $ hasTaintFlow=tainted
@@ -86,4 +89,27 @@ sink(a[2]) # $ hasValueFlow=elem2
x = Foo.new
x.set_value(source("attr"))
sink(x.get_value) # $ hasValueFlow=attr
sink(x.get_value) # $ hasValueFlow=attr
x = Foo.new
y = []
z = []
# This just highlights that none of x,y,z was tainted before
sink(x)
sink(y)
sink(z)
x.flowToAnyArg(tainted, y, key: z)
sink(x)
sink(y) # $ hasTaintFlow=tainted
sink(z) # $ hasTaintFlow=tainted
x = Foo.new
x.flowToSelf(tainted)
sink(x) # $ hasTaintFlow=tainted
Foo.sinkAnyArg(tainted) # $ hasValueFlow=tainted
Foo.sinkAnyArg(key: tainted) # $ hasValueFlow=tainted
Foo.sinkAnyNamedArg(tainted)
Foo.sinkAnyNamedArg(key: tainted) # $ hasValueFlow=tainted

29
ruby/ql/test/library-tests/frameworks/PosixSpawn.expected Normal file
View File

@@ -0,0 +1,29 @@
systemCalls
| PosixSpawn.rb:1:1:1:32 | call to popen4 | PosixSpawn.rb:1:22:1:25 | "ls" | false |
| PosixSpawn.rb:1:1:1:32 | call to popen4 | PosixSpawn.rb:1:28:1:31 | "-l" | false |
| PosixSpawn.rb:2:1:2:31 | call to popen4 | PosixSpawn.rb:2:21:2:24 | "ls" | false |
| PosixSpawn.rb:2:1:2:31 | call to popen4 | PosixSpawn.rb:2:27:2:30 | "-l" | false |
| PosixSpawn.rb:7:1:7:40 | call to spawn | PosixSpawn.rb:7:20:7:39 | * ... | true |
| PosixSpawn.rb:8:1:8:30 | call to spawn | PosixSpawn.rb:8:21:8:29 | "sleep 5" | true |
| PosixSpawn.rb:9:1:9:23 | call to spawn | PosixSpawn.rb:9:20:9:22 | call to cmd | true |
| PosixSpawn.rb:10:1:10:29 | call to spawn | PosixSpawn.rb:10:20:10:22 | call to env | false |
| PosixSpawn.rb:10:1:10:29 | call to spawn | PosixSpawn.rb:10:25:10:28 | "ls" | true |
| PosixSpawn.rb:15:1:15:60 | call to system | PosixSpawn.rb:15:21:15:25 | "foo" | false |
| PosixSpawn.rb:15:1:15:60 | call to system | PosixSpawn.rb:15:28:15:32 | "bar" | false |
| PosixSpawn.rb:15:1:15:60 | call to system | PosixSpawn.rb:15:35:15:44 | "--a-flag" | false |
| PosixSpawn.rb:15:1:15:60 | call to system | PosixSpawn.rb:15:47:15:52 | call to before | false |
| PosixSpawn.rb:15:1:15:60 | call to system | PosixSpawn.rb:15:55:15:59 | call to after | false |
| PosixSpawn.rb:17:1:17:28 | call to fspawn | PosixSpawn.rb:17:21:17:27 | call to command | true |
| PosixSpawn.rb:18:1:18:28 | call to pspawn | PosixSpawn.rb:18:21:18:27 | call to command | true |
| PosixSpawn.rb:19:1:19:28 | call to popen4 | PosixSpawn.rb:19:21:19:27 | call to command | true |
| PosixSpawn.rb:21:1:21:28 | call to ` | PosixSpawn.rb:21:16:21:20 | "foo" | false |
| PosixSpawn.rb:21:1:21:28 | call to ` | PosixSpawn.rb:21:23:21:27 | "bar" | false |
childCalls
| PosixSpawn.rb:4:1:4:77 | call to new | PosixSpawn.rb:4:25:4:39 | call to [] | false |
| PosixSpawn.rb:4:1:4:77 | call to new | PosixSpawn.rb:4:42:4:51 | ... + ... | false |
| PosixSpawn.rb:4:1:4:77 | call to new | PosixSpawn.rb:4:54:4:58 | * ... | false |
| PosixSpawn.rb:5:1:5:80 | call to new | PosixSpawn.rb:5:25:5:32 | * ... | false |
| PosixSpawn.rb:12:1:12:35 | call to new | PosixSpawn.rb:12:25:12:28 | "ls" | false |
| PosixSpawn.rb:12:1:12:35 | call to new | PosixSpawn.rb:12:31:12:34 | "-l" | false |
| PosixSpawn.rb:13:1:13:38 | call to build | PosixSpawn.rb:13:27:13:32 | "echo" | false |
| PosixSpawn.rb:13:1:13:38 | call to build | PosixSpawn.rb:13:35:13:37 | call to msg | false |

15
ruby/ql/test/library-tests/frameworks/PosixSpawn.ql Normal file
View File

@@ -0,0 +1,15 @@
import ruby
import codeql.ruby.frameworks.PosixSpawn
import codeql.ruby.DataFlow
query predicate systemCalls(
PosixSpawn::SystemCall call, DataFlow::Node arg, boolean shellInterpreted
) {
arg = call.getAnArgument() and
if call.isShellInterpreted(arg) then shellInterpreted = true else shellInterpreted = false
}
query predicate childCalls(PosixSpawn::ChildCall call, DataFlow::Node arg, boolean shellInterpreted) {
arg = call.getAnArgument() and
if call.isShellInterpreted(arg) then shellInterpreted = true else shellInterpreted = false
}

21
ruby/ql/test/library-tests/frameworks/PosixSpawn.rb Normal file
View File

@@ -0,0 +1,21 @@
POSIX::Spawn::popen4("ls", "-l")
POSIX::Spawn.popen4("ls", "-l")
POSIX::Spawn::Child.new({'ENV' => @var}, "foo/"+cmd, *argv, :chdir=>root_dir)
POSIX::Spawn::Child.new(*command, input: options[:stdin].to_s, timeout: timeout)
POSIX::Spawn.spawn(*(argv+[{:in => f}]))
POSIX::Spawn::spawn('sleep 5')
POSIX::Spawn.spawn(cmd)
POSIX::Spawn.spawn(env, "ls")
POSIX::Spawn::Child.new("ls", "-l")
POSIX::Spawn::Child.build("echo", msg)
POSIX::Spawn.system("foo", "bar", "--a-flag", before, after)
POSIX::Spawn.fspawn(command)
POSIX::Spawn.pspawn(command)
POSIX::Spawn.popen4(command)
POSIX::Spawn.`("foo", "bar")

3
ruby/ql/test/library-tests/frameworks/active_support.rb
View File

@@ -1,3 +0,0 @@
"Foo::Bar".constantize
a.constantize

4
ruby/ql/test/library-tests/frameworks/ActiveSupport.expected → ruby/ql/test/library-tests/frameworks/active_support/ActiveSupport.expected
View File

@@ -1,2 +1,6 @@
constantizeCalls
| active_support.rb:1:1:1:22 | call to constantize | active_support.rb:1:1:1:10 | "Foo::Bar" |
| active_support.rb:3:1:3:13 | call to constantize | active_support.rb:3:1:3:1 | call to a |
loggerInstantiations
| active_support.rb:5:1:5:33 | call to new |
| active_support.rb:6:1:6:40 | call to new |

3
ruby/ql/test/library-tests/frameworks/ActiveSupport.ql → ruby/ql/test/library-tests/frameworks/active_support/ActiveSupport.ql
View File

@@ -1,6 +1,9 @@
import codeql.ruby.frameworks.ActiveSupport
import codeql.ruby.DataFlow
import codeql.ruby.frameworks.stdlib.Logger
query DataFlow::Node constantizeCalls(ActiveSupport::CoreExtensions::String::Constantize c) {
result = c.getCode()
}
query predicate loggerInstantiations(Logger::LoggerInstantiation l) { any() }

252
ruby/ql/test/library-tests/frameworks/active_support/ActiveSupportDataFlow.expected Normal file
View File

@@ -0,0 +1,252 @@
failures
edges
| active_support.rb:9:9:9:18 | call to source : | active_support.rb:10:10:10:10 | x : |
| active_support.rb:10:10:10:10 | x : | active_support.rb:10:10:10:19 | call to camelize |
| active_support.rb:14:9:14:18 | call to source : | active_support.rb:15:10:15:10 | x : |
| active_support.rb:15:10:15:10 | x : | active_support.rb:15:10:15:20 | call to camelcase |
| active_support.rb:19:9:19:18 | call to source : | active_support.rb:20:10:20:10 | x : |
| active_support.rb:20:10:20:10 | x : | active_support.rb:20:10:20:19 | call to classify |
| active_support.rb:24:9:24:18 | call to source : | active_support.rb:25:10:25:10 | x : |
| active_support.rb:25:10:25:10 | x : | active_support.rb:25:10:25:20 | call to dasherize |
| active_support.rb:29:9:29:18 | call to source : | active_support.rb:30:10:30:10 | x : |
| active_support.rb:30:10:30:10 | x : | active_support.rb:30:10:30:24 | call to deconstantize |
| active_support.rb:34:9:34:18 | call to source : | active_support.rb:35:10:35:10 | x : |
| active_support.rb:35:10:35:10 | x : | active_support.rb:35:10:35:21 | call to demodulize |
| active_support.rb:39:9:39:18 | call to source : | active_support.rb:40:10:40:10 | x : |
| active_support.rb:40:10:40:10 | x : | active_support.rb:40:10:40:22 | call to foreign_key |
| active_support.rb:44:9:44:18 | call to source : | active_support.rb:45:10:45:10 | x : |
| active_support.rb:45:10:45:10 | x : | active_support.rb:45:10:45:19 | call to humanize |
| active_support.rb:49:9:49:18 | call to source : | active_support.rb:50:10:50:10 | x : |
| active_support.rb:50:10:50:10 | x : | active_support.rb:50:10:50:20 | call to indent |
| active_support.rb:54:9:54:18 | call to source : | active_support.rb:55:10:55:10 | x : |
| active_support.rb:55:10:55:10 | x : | active_support.rb:55:10:55:23 | call to parameterize |
| active_support.rb:59:9:59:18 | call to source : | active_support.rb:60:10:60:10 | x : |
| active_support.rb:60:10:60:10 | x : | active_support.rb:60:10:60:20 | call to pluralize |
| active_support.rb:64:9:64:18 | call to source : | active_support.rb:65:10:65:10 | x : |
| active_support.rb:65:10:65:10 | x : | active_support.rb:65:10:65:22 | call to singularize |
| active_support.rb:69:9:69:18 | call to source : | active_support.rb:70:10:70:10 | x : |
| active_support.rb:70:10:70:10 | x : | active_support.rb:70:10:70:17 | call to squish |
| active_support.rb:74:9:74:18 | call to source : | active_support.rb:75:10:75:10 | x : |
| active_support.rb:75:10:75:10 | x : | active_support.rb:75:10:75:24 | call to strip_heredoc |
| active_support.rb:79:9:79:18 | call to source : | active_support.rb:80:10:80:10 | x : |
| active_support.rb:80:10:80:10 | x : | active_support.rb:80:10:80:19 | call to tableize |
| active_support.rb:84:9:84:18 | call to source : | active_support.rb:85:10:85:10 | x : |
| active_support.rb:85:10:85:10 | x : | active_support.rb:85:10:85:20 | call to titlecase |
| active_support.rb:89:9:89:18 | call to source : | active_support.rb:90:10:90:10 | x : |
| active_support.rb:90:10:90:10 | x : | active_support.rb:90:10:90:19 | call to titleize |
| active_support.rb:94:9:94:18 | call to source : | active_support.rb:95:10:95:10 | x : |
| active_support.rb:95:10:95:10 | x : | active_support.rb:95:10:95:21 | call to underscore |
| active_support.rb:99:9:99:18 | call to source : | active_support.rb:100:10:100:10 | x : |
| active_support.rb:100:10:100:10 | x : | active_support.rb:100:10:100:23 | call to upcase_first |
| active_support.rb:104:10:104:17 | call to source : | active_support.rb:105:9:105:9 | x [element 0] : |
| active_support.rb:104:10:104:17 | call to source : | active_support.rb:105:9:105:9 | x [element 0] : |
| active_support.rb:105:9:105:9 | x [element 0] : | active_support.rb:105:9:105:23 | call to compact_blank [element] : |
| active_support.rb:105:9:105:9 | x [element 0] : | active_support.rb:105:9:105:23 | call to compact_blank [element] : |
| active_support.rb:105:9:105:23 | call to compact_blank [element] : | active_support.rb:106:10:106:10 | y [element] : |
| active_support.rb:105:9:105:23 | call to compact_blank [element] : | active_support.rb:106:10:106:10 | y [element] : |
| active_support.rb:106:10:106:10 | y [element] : | active_support.rb:106:10:106:13 | ...[...] |
| active_support.rb:106:10:106:10 | y [element] : | active_support.rb:106:10:106:13 | ...[...] |
| active_support.rb:110:10:110:18 | call to source : | active_support.rb:111:9:111:9 | x [element 0] : |
| active_support.rb:110:10:110:18 | call to source : | active_support.rb:111:9:111:9 | x [element 0] : |
| active_support.rb:111:9:111:9 | x [element 0] : | active_support.rb:111:9:111:21 | call to excluding [element] : |
| active_support.rb:111:9:111:9 | x [element 0] : | active_support.rb:111:9:111:21 | call to excluding [element] : |
| active_support.rb:111:9:111:21 | call to excluding [element] : | active_support.rb:112:10:112:10 | y [element] : |
| active_support.rb:111:9:111:21 | call to excluding [element] : | active_support.rb:112:10:112:10 | y [element] : |
| active_support.rb:112:10:112:10 | y [element] : | active_support.rb:112:10:112:13 | ...[...] |
| active_support.rb:112:10:112:10 | y [element] : | active_support.rb:112:10:112:13 | ...[...] |
| active_support.rb:116:10:116:18 | call to source : | active_support.rb:117:9:117:9 | x [element 0] : |
| active_support.rb:116:10:116:18 | call to source : | active_support.rb:117:9:117:9 | x [element 0] : |
| active_support.rb:117:9:117:9 | x [element 0] : | active_support.rb:117:9:117:19 | call to without [element] : |
| active_support.rb:117:9:117:9 | x [element 0] : | active_support.rb:117:9:117:19 | call to without [element] : |
| active_support.rb:117:9:117:19 | call to without [element] : | active_support.rb:118:10:118:10 | y [element] : |
| active_support.rb:117:9:117:19 | call to without [element] : | active_support.rb:118:10:118:10 | y [element] : |
| active_support.rb:118:10:118:10 | y [element] : | active_support.rb:118:10:118:13 | ...[...] |
| active_support.rb:118:10:118:10 | y [element] : | active_support.rb:118:10:118:13 | ...[...] |
| active_support.rb:122:10:122:18 | call to source : | active_support.rb:123:9:123:9 | x [element 0] : |
| active_support.rb:122:10:122:18 | call to source : | active_support.rb:123:9:123:9 | x [element 0] : |
| active_support.rb:123:9:123:9 | x [element 0] : | active_support.rb:123:9:123:37 | call to in_order_of [element] : |
| active_support.rb:123:9:123:9 | x [element 0] : | active_support.rb:123:9:123:37 | call to in_order_of [element] : |
| active_support.rb:123:9:123:37 | call to in_order_of [element] : | active_support.rb:124:10:124:10 | y [element] : |
| active_support.rb:123:9:123:37 | call to in_order_of [element] : | active_support.rb:124:10:124:10 | y [element] : |
| active_support.rb:124:10:124:10 | y [element] : | active_support.rb:124:10:124:13 | ...[...] |
| active_support.rb:124:10:124:10 | y [element] : | active_support.rb:124:10:124:13 | ...[...] |
| active_support.rb:128:10:128:18 | call to source : | active_support.rb:129:9:129:9 | a [element 0] : |
| active_support.rb:128:10:128:18 | call to source : | active_support.rb:129:9:129:9 | a [element 0] : |
| active_support.rb:128:10:128:18 | call to source : | active_support.rb:130:10:130:10 | a [element 0] : |
| active_support.rb:128:10:128:18 | call to source : | active_support.rb:130:10:130:10 | a [element 0] : |
| active_support.rb:129:9:129:9 | a [element 0] : | active_support.rb:129:9:129:41 | call to including [element 0] : |
| active_support.rb:129:9:129:9 | a [element 0] : | active_support.rb:129:9:129:41 | call to including [element 0] : |
| active_support.rb:129:9:129:41 | call to including [element 0] : | active_support.rb:132:10:132:10 | b [element 0] : |
| active_support.rb:129:9:129:41 | call to including [element 0] : | active_support.rb:132:10:132:10 | b [element 0] : |
| active_support.rb:129:9:129:41 | call to including [element] : | active_support.rb:132:10:132:10 | b [element] : |
| active_support.rb:129:9:129:41 | call to including [element] : | active_support.rb:132:10:132:10 | b [element] : |
| active_support.rb:129:9:129:41 | call to including [element] : | active_support.rb:133:10:133:10 | b [element] : |
| active_support.rb:129:9:129:41 | call to including [element] : | active_support.rb:133:10:133:10 | b [element] : |
| active_support.rb:129:9:129:41 | call to including [element] : | active_support.rb:134:10:134:10 | b [element] : |
| active_support.rb:129:9:129:41 | call to including [element] : | active_support.rb:134:10:134:10 | b [element] : |
| active_support.rb:129:9:129:41 | call to including [element] : | active_support.rb:135:10:135:10 | b [element] : |
| active_support.rb:129:9:129:41 | call to including [element] : | active_support.rb:135:10:135:10 | b [element] : |
| active_support.rb:129:21:129:29 | call to source : | active_support.rb:129:9:129:41 | call to including [element] : |
| active_support.rb:129:21:129:29 | call to source : | active_support.rb:129:9:129:41 | call to including [element] : |
| active_support.rb:129:32:129:40 | call to source : | active_support.rb:129:9:129:41 | call to including [element] : |
| active_support.rb:129:32:129:40 | call to source : | active_support.rb:129:9:129:41 | call to including [element] : |
| active_support.rb:130:10:130:10 | a [element 0] : | active_support.rb:130:10:130:13 | ...[...] |
| active_support.rb:130:10:130:10 | a [element 0] : | active_support.rb:130:10:130:13 | ...[...] |
| active_support.rb:132:10:132:10 | b [element 0] : | active_support.rb:132:10:132:13 | ...[...] |
| active_support.rb:132:10:132:10 | b [element 0] : | active_support.rb:132:10:132:13 | ...[...] |
| active_support.rb:132:10:132:10 | b [element] : | active_support.rb:132:10:132:13 | ...[...] |
| active_support.rb:132:10:132:10 | b [element] : | active_support.rb:132:10:132:13 | ...[...] |
| active_support.rb:133:10:133:10 | b [element] : | active_support.rb:133:10:133:13 | ...[...] |
| active_support.rb:133:10:133:10 | b [element] : | active_support.rb:133:10:133:13 | ...[...] |
| active_support.rb:134:10:134:10 | b [element] : | active_support.rb:134:10:134:13 | ...[...] |
| active_support.rb:134:10:134:10 | b [element] : | active_support.rb:134:10:134:13 | ...[...] |
| active_support.rb:135:10:135:10 | b [element] : | active_support.rb:135:10:135:13 | ...[...] |
| active_support.rb:135:10:135:10 | b [element] : | active_support.rb:135:10:135:13 | ...[...] |
nodes
| active_support.rb:9:9:9:18 | call to source : | semmle.label | call to source : |
| active_support.rb:10:10:10:10 | x : | semmle.label | x : |
| active_support.rb:10:10:10:19 | call to camelize | semmle.label | call to camelize |
| active_support.rb:14:9:14:18 | call to source : | semmle.label | call to source : |
| active_support.rb:15:10:15:10 | x : | semmle.label | x : |
| active_support.rb:15:10:15:20 | call to camelcase | semmle.label | call to camelcase |
| active_support.rb:19:9:19:18 | call to source : | semmle.label | call to source : |
| active_support.rb:20:10:20:10 | x : | semmle.label | x : |
| active_support.rb:20:10:20:19 | call to classify | semmle.label | call to classify |
| active_support.rb:24:9:24:18 | call to source : | semmle.label | call to source : |
| active_support.rb:25:10:25:10 | x : | semmle.label | x : |
| active_support.rb:25:10:25:20 | call to dasherize | semmle.label | call to dasherize |
| active_support.rb:29:9:29:18 | call to source : | semmle.label | call to source : |
| active_support.rb:30:10:30:10 | x : | semmle.label | x : |
| active_support.rb:30:10:30:24 | call to deconstantize | semmle.label | call to deconstantize |
| active_support.rb:34:9:34:18 | call to source : | semmle.label | call to source : |
| active_support.rb:35:10:35:10 | x : | semmle.label | x : |
| active_support.rb:35:10:35:21 | call to demodulize | semmle.label | call to demodulize |
| active_support.rb:39:9:39:18 | call to source : | semmle.label | call to source : |
| active_support.rb:40:10:40:10 | x : | semmle.label | x : |
| active_support.rb:40:10:40:22 | call to foreign_key | semmle.label | call to foreign_key |
| active_support.rb:44:9:44:18 | call to source : | semmle.label | call to source : |
| active_support.rb:45:10:45:10 | x : | semmle.label | x : |
| active_support.rb:45:10:45:19 | call to humanize | semmle.label | call to humanize |
| active_support.rb:49:9:49:18 | call to source : | semmle.label | call to source : |
| active_support.rb:50:10:50:10 | x : | semmle.label | x : |
| active_support.rb:50:10:50:20 | call to indent | semmle.label | call to indent |
| active_support.rb:54:9:54:18 | call to source : | semmle.label | call to source : |
| active_support.rb:55:10:55:10 | x : | semmle.label | x : |
| active_support.rb:55:10:55:23 | call to parameterize | semmle.label | call to parameterize |
| active_support.rb:59:9:59:18 | call to source : | semmle.label | call to source : |
| active_support.rb:60:10:60:10 | x : | semmle.label | x : |
| active_support.rb:60:10:60:20 | call to pluralize | semmle.label | call to pluralize |
| active_support.rb:64:9:64:18 | call to source : | semmle.label | call to source : |
| active_support.rb:65:10:65:10 | x : | semmle.label | x : |
| active_support.rb:65:10:65:22 | call to singularize | semmle.label | call to singularize |
| active_support.rb:69:9:69:18 | call to source : | semmle.label | call to source : |
| active_support.rb:70:10:70:10 | x : | semmle.label | x : |
| active_support.rb:70:10:70:17 | call to squish | semmle.label | call to squish |
| active_support.rb:74:9:74:18 | call to source : | semmle.label | call to source : |
| active_support.rb:75:10:75:10 | x : | semmle.label | x : |
| active_support.rb:75:10:75:24 | call to strip_heredoc | semmle.label | call to strip_heredoc |
| active_support.rb:79:9:79:18 | call to source : | semmle.label | call to source : |
| active_support.rb:80:10:80:10 | x : | semmle.label | x : |
| active_support.rb:80:10:80:19 | call to tableize | semmle.label | call to tableize |
| active_support.rb:84:9:84:18 | call to source : | semmle.label | call to source : |
| active_support.rb:85:10:85:10 | x : | semmle.label | x : |
| active_support.rb:85:10:85:20 | call to titlecase | semmle.label | call to titlecase |
| active_support.rb:89:9:89:18 | call to source : | semmle.label | call to source : |
| active_support.rb:90:10:90:10 | x : | semmle.label | x : |
| active_support.rb:90:10:90:19 | call to titleize | semmle.label | call to titleize |
| active_support.rb:94:9:94:18 | call to source : | semmle.label | call to source : |
| active_support.rb:95:10:95:10 | x : | semmle.label | x : |
| active_support.rb:95:10:95:21 | call to underscore | semmle.label | call to underscore |
| active_support.rb:99:9:99:18 | call to source : | semmle.label | call to source : |
| active_support.rb:100:10:100:10 | x : | semmle.label | x : |
| active_support.rb:100:10:100:23 | call to upcase_first | semmle.label | call to upcase_first |
| active_support.rb:104:10:104:17 | call to source : | semmle.label | call to source : |
| active_support.rb:104:10:104:17 | call to source : | semmle.label | call to source : |
| active_support.rb:105:9:105:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:105:9:105:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:105:9:105:23 | call to compact_blank [element] : | semmle.label | call to compact_blank [element] : |
| active_support.rb:105:9:105:23 | call to compact_blank [element] : | semmle.label | call to compact_blank [element] : |
| active_support.rb:106:10:106:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:106:10:106:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:106:10:106:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:106:10:106:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:110:10:110:18 | call to source : | semmle.label | call to source : |
| active_support.rb:110:10:110:18 | call to source : | semmle.label | call to source : |
| active_support.rb:111:9:111:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:111:9:111:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:111:9:111:21 | call to excluding [element] : | semmle.label | call to excluding [element] : |
| active_support.rb:111:9:111:21 | call to excluding [element] : | semmle.label | call to excluding [element] : |
| active_support.rb:112:10:112:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:112:10:112:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:112:10:112:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:112:10:112:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:116:10:116:18 | call to source : | semmle.label | call to source : |
| active_support.rb:116:10:116:18 | call to source : | semmle.label | call to source : |
| active_support.rb:117:9:117:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:117:9:117:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:117:9:117:19 | call to without [element] : | semmle.label | call to without [element] : |
| active_support.rb:117:9:117:19 | call to without [element] : | semmle.label | call to without [element] : |
| active_support.rb:118:10:118:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:118:10:118:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:118:10:118:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:118:10:118:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:122:10:122:18 | call to source : | semmle.label | call to source : |
| active_support.rb:122:10:122:18 | call to source : | semmle.label | call to source : |
| active_support.rb:123:9:123:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:123:9:123:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:123:9:123:37 | call to in_order_of [element] : | semmle.label | call to in_order_of [element] : |
| active_support.rb:123:9:123:37 | call to in_order_of [element] : | semmle.label | call to in_order_of [element] : |
| active_support.rb:124:10:124:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:124:10:124:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:124:10:124:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:124:10:124:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:128:10:128:18 | call to source : | semmle.label | call to source : |
| active_support.rb:128:10:128:18 | call to source : | semmle.label | call to source : |
| active_support.rb:129:9:129:9 | a [element 0] : | semmle.label | a [element 0] : |
| active_support.rb:129:9:129:9 | a [element 0] : | semmle.label | a [element 0] : |
| active_support.rb:129:9:129:41 | call to including [element 0] : | semmle.label | call to including [element 0] : |
| active_support.rb:129:9:129:41 | call to including [element 0] : | semmle.label | call to including [element 0] : |
| active_support.rb:129:9:129:41 | call to including [element] : | semmle.label | call to including [element] : |
| active_support.rb:129:9:129:41 | call to including [element] : | semmle.label | call to including [element] : |
| active_support.rb:129:21:129:29 | call to source : | semmle.label | call to source : |
| active_support.rb:129:21:129:29 | call to source : | semmle.label | call to source : |
| active_support.rb:129:32:129:40 | call to source : | semmle.label | call to source : |
| active_support.rb:129:32:129:40 | call to source : | semmle.label | call to source : |
| active_support.rb:130:10:130:10 | a [element 0] : | semmle.label | a [element 0] : |
| active_support.rb:130:10:130:10 | a [element 0] : | semmle.label | a [element 0] : |
| active_support.rb:130:10:130:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:130:10:130:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:132:10:132:10 | b [element 0] : | semmle.label | b [element 0] : |
| active_support.rb:132:10:132:10 | b [element 0] : | semmle.label | b [element 0] : |
| active_support.rb:132:10:132:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:132:10:132:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:132:10:132:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:132:10:132:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:133:10:133:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:133:10:133:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:133:10:133:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:133:10:133:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:134:10:134:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:134:10:134:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:134:10:134:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:134:10:134:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:135:10:135:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:135:10:135:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:135:10:135:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:135:10:135:13 | ...[...] | semmle.label | ...[...] |
subpaths
#select
| active_support.rb:106:10:106:13 | ...[...] | active_support.rb:104:10:104:17 | call to source : | active_support.rb:106:10:106:13 | ...[...] | $@ | active_support.rb:104:10:104:17 | call to source : | call to source : |
| active_support.rb:112:10:112:13 | ...[...] | active_support.rb:110:10:110:18 | call to source : | active_support.rb:112:10:112:13 | ...[...] | $@ | active_support.rb:110:10:110:18 | call to source : | call to source : |
| active_support.rb:118:10:118:13 | ...[...] | active_support.rb:116:10:116:18 | call to source : | active_support.rb:118:10:118:13 | ...[...] | $@ | active_support.rb:116:10:116:18 | call to source : | call to source : |
| active_support.rb:124:10:124:13 | ...[...] | active_support.rb:122:10:122:18 | call to source : | active_support.rb:124:10:124:13 | ...[...] | $@ | active_support.rb:122:10:122:18 | call to source : | call to source : |
| active_support.rb:130:10:130:13 | ...[...] | active_support.rb:128:10:128:18 | call to source : | active_support.rb:130:10:130:13 | ...[...] | $@ | active_support.rb:128:10:128:18 | call to source : | call to source : |
| active_support.rb:132:10:132:13 | ...[...] | active_support.rb:128:10:128:18 | call to source : | active_support.rb:132:10:132:13 | ...[...] | $@ | active_support.rb:128:10:128:18 | call to source : | call to source : |
| active_support.rb:132:10:132:13 | ...[...] | active_support.rb:129:21:129:29 | call to source : | active_support.rb:132:10:132:13 | ...[...] | $@ | active_support.rb:129:21:129:29 | call to source : | call to source : |
| active_support.rb:132:10:132:13 | ...[...] | active_support.rb:129:32:129:40 | call to source : | active_support.rb:132:10:132:13 | ...[...] | $@ | active_support.rb:129:32:129:40 | call to source : | call to source : |
| active_support.rb:133:10:133:13 | ...[...] | active_support.rb:129:21:129:29 | call to source : | active_support.rb:133:10:133:13 | ...[...] | $@ | active_support.rb:129:21:129:29 | call to source : | call to source : |
| active_support.rb:133:10:133:13 | ...[...] | active_support.rb:129:32:129:40 | call to source : | active_support.rb:133:10:133:13 | ...[...] | $@ | active_support.rb:129:32:129:40 | call to source : | call to source : |
| active_support.rb:134:10:134:13 | ...[...] | active_support.rb:129:21:129:29 | call to source : | active_support.rb:134:10:134:13 | ...[...] | $@ | active_support.rb:129:21:129:29 | call to source : | call to source : |
| active_support.rb:134:10:134:13 | ...[...] | active_support.rb:129:32:129:40 | call to source : | active_support.rb:134:10:134:13 | ...[...] | $@ | active_support.rb:129:32:129:40 | call to source : | call to source : |
| active_support.rb:135:10:135:13 | ...[...] | active_support.rb:129:21:129:29 | call to source : | active_support.rb:135:10:135:13 | ...[...] | $@ | active_support.rb:129:21:129:29 | call to source : | call to source : |
| active_support.rb:135:10:135:13 | ...[...] | active_support.rb:129:32:129:40 | call to source : | active_support.rb:135:10:135:13 | ...[...] | $@ | active_support.rb:129:32:129:40 | call to source : | call to source : |

11
ruby/ql/test/library-tests/frameworks/active_support/ActiveSupportDataFlow.ql Normal file
View File

@@ -0,0 +1,11 @@
/**
* @kind path-problem
*/
import ruby
import TestUtilities.InlineFlowTest
import PathGraph
from DataFlow::PathNode source, DataFlow::PathNode sink, DefaultValueFlowConf conf
where conf.hasFlowPath(source, sink)
select sink, source, sink, "$@", source, source.toString()

136
ruby/ql/test/library-tests/frameworks/active_support/active_support.rb Normal file
View File

@@ -0,0 +1,136 @@
"Foo::Bar".constantize
a.constantize
ActiveSupport::Logger.new(STDOUT)
ActiveSupport::TaggedLogging.new(STDOUT)
def m_camelize
x = source "a"
sink x.camelize # $hasTaintFlow=a
end
def m_camelcase
x = source "a"
sink x.camelcase # $hasTaintFlow=a
end
def m_classify
x = source "a"
sink x.classify # $hasTaintFlow=a
end
def m_dasherize
x = source "a"
sink x.dasherize # $hasTaintFlow=a
end
def m_deconstantize
x = source "a"
sink x.deconstantize # $hasTaintFlow=a
end
def m_demodulize
x = source "a"
sink x.demodulize # $hasTaintFlow=a
end
def m_foreign_key
x = source "a"
sink x.foreign_key # $hasTaintFlow=a
end
def m_humanize
x = source "a"
sink x.humanize # $hasTaintFlow=a
end
def m_indent
x = source "a"
sink x.indent(1) # $hasTaintFlow=a
end
def m_parameterize
x = source "a"
sink x.parameterize # $hasTaintFlow=a
end
def m_pluralize
x = source "a"
sink x.pluralize # $hasTaintFlow=a
end
def m_singularize
x = source "a"
sink x.singularize # $hasTaintFlow=a
end
def m_squish
x = source "a"
sink x.squish # $hasTaintFlow=a
end
def m_strip_heredoc
x = source "a"
sink x.strip_heredoc # $hasTaintFlow=a
end
def m_tableize
x = source "a"
sink x.tableize # $hasTaintFlow=a
end
def m_titlecase
x = source "a"
sink x.titlecase # $hasTaintFlow=a
end
def m_titleize
x = source "a"
sink x.titleize # $hasTaintFlow=a
end
def m_underscore
x = source "a"
sink x.underscore # $hasTaintFlow=a
end
def m_upcase_first
x = source "a"
sink x.upcase_first # $hasTaintFlow=a
end
def m_compact_blank
x = [source 1]
y = x.compact_blank
sink y[0] # $hasValueFlow=1
end
def m_excluding
x = [source(1), 2]
y = x.excluding 2
sink y[0] # $hasValueFlow=1
end
def m_without
x = [source(1), 2]
y = x.without 2
sink y[0] # $hasValueFlow=1
end
def m_in_order_of
x = [source(1), 2]
y = x.in_order_of(:itself, [2,1])
sink y[0] # $hasValueFlow=1
end
def m_including
a = [source(1), 2]
b = a.including(source(3), source(4))
sink a[0] # $ hasValueFlow=1
sink a[1]
sink b[0] # $ hasValueFlow=1 $ hasValueFlow=3 $ hasValueFlow=4
sink b[1] # $ hasValueFlow=3 $ hasValueFlow=4
sink b[2] # $ hasValueFlow=3 $ hasValueFlow=4
sink b[3] # $ hasValueFlow=3 $ hasValueFlow=4
end

4
ruby/ql/test/library-tests/frameworks/archive/Archive.expected Normal file
View File

@@ -0,0 +1,4 @@
rubyZipFileOpens
| Archive.rb:2:12:2:35 | call to open |
rubyZipFileNew
| Archive.rb:5:12:5:34 | call to new |

6
ruby/ql/test/library-tests/frameworks/archive/Archive.ql Normal file
View File

@@ -0,0 +1,6 @@
private import ruby
private import codeql.ruby.frameworks.Archive
query predicate rubyZipFileOpens(RubyZip::RubyZipFileOpen f) { any() }
query predicate rubyZipFileNew(RubyZip::RubyZipFileNew f) { any() }

5
ruby/ql/test/library-tests/frameworks/archive/Archive.rb Normal file
View File

@@ -0,0 +1,5 @@
# `foo_file` is a RubyZip `Zip::File.open` instance
foo_file = Zip::File.open(filename)
# `new_file` is a RubyZip `Zip::File.new` instance
new_file = Zip::File.new(filename)

2
ruby/ql/test/library-tests/frameworks/stdlib/Logger.expected
View File

@@ -21,3 +21,5 @@
| Logging.rb:73:5:73:63 | call to log | Logging.rb:73:36:73:45 | "message1" |
| Logging.rb:74:5:74:76 | call to log | Logging.rb:74:36:74:45 | "message2" |
| Logging.rb:74:5:74:76 | call to log | Logging.rb:74:48:74:58 | "progname2" |
| Logging.rb:81:1:81:21 | call to debug | Logging.rb:81:16:81:20 | "msg" |
| Logging.rb:82:1:82:21 | call to debug | Logging.rb:82:16:82:20 | "msg" |

1
ruby/ql/test/library-tests/frameworks/stdlib/Logger.ql
View File

@@ -1,4 +1,5 @@
import codeql.ruby.frameworks.stdlib.Logger::Logger
import codeql.ruby.frameworks.ActiveSupport::ActiveSupport::Logger
import codeql.ruby.DataFlow
query DataFlow::Node loggerLoggingCallInputs(LoggerLoggingCall c) { result = c.getAnInput() }

6
ruby/ql/test/library-tests/frameworks/stdlib/Logging.rb
View File

@@ -74,3 +74,9 @@ class LoggerTest
@@cls_logger.log(Logger::WARN, "message2", "progname2") { "not logged" }
end
end
logger_1 = ActiveSupport::Logger.new(STDOUT)
logger_2 = ActiveSupport::TaggedLogging.new(ActiveSupport::Logger.new(STDOUT))
logger_1.debug("msg")
logger_2.debug("msg")

82
ruby/ql/test/query-tests/security/cwe-022/ArchiveApiPathTraversal.rb Normal file
View File

@@ -0,0 +1,82 @@
class TestContoller < ActionController::Base
# this is vulnerable
def upload
untar params[:file], params[:filename]
end
# this is vulnerable
def unpload_zip
unzip params[:file]
end
# this is vulnerable
def create_new_zip
zip params[:filename], files
end
# these are not vulnerable because of the string compare sanitizer
def safe_upload_string_compare
filename = params[:filename]
if filename == "safefile.tar"
untar params[:file], filename
end
end
def safe_upload_zip_string_compare
filename = params[:filename]
if filename == "safefile.zip"
unzip filename
end
end
# these are not vulnerable beacuse of the string array compare sanitizer
def safe_upload_string_array_compare
filename = params[:filename]
if ["safefile1.tar", "safefile2.tar"].include? filename
untar params[:file], filename
end
end
def safe_upload_zip_string_array_compare
filename = params[:filename]
if ["safefile1.zip", "safefile2.zip"].include? filename
unzip filename
end
end
# these are our two sinks
def untar(io, destination)
Gem::Package::TarReader.new io do |tar|
tar.each do |tarfile|
destination_file = File.join destination, tarfile.full_name
if tarfile.directory?
FileUtils.mkdir_p destination_file
else
destination_directory = File.dirname(destination_file)
FileUtils.mkdir_p destination_directory unless File.directory?(destination_directory)
File.open destination_file, "wb" do |f|
f.print tarfile.read
end
end
end
end
end
def unzip(file)
Zip::File.open(file) do |zip_file|
zip_file.each do |entry|
entry.extract
end
end
end
def zip(filename, files = [])
Zip::File.new(filename) do |zf|
files.each do |f|
zf.add f
end
end
end
end

28
ruby/ql/test/query-tests/security/cwe-022/PathInjection.expected
View File

@@ -1,4 +1,15 @@
edges
| ArchiveApiPathTraversal.rb:5:26:5:31 | call to params : | ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] : |
| ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] : | ArchiveApiPathTraversal.rb:49:17:49:27 | destination : |
| ArchiveApiPathTraversal.rb:10:11:10:16 | call to params : | ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] : |
| ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] : | ArchiveApiPathTraversal.rb:67:13:67:16 | file : |
| ArchiveApiPathTraversal.rb:15:9:15:14 | call to params : | ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] : |
| ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] : | ArchiveApiPathTraversal.rb:75:11:75:18 | filename : |
| ArchiveApiPathTraversal.rb:49:17:49:27 | destination : | ArchiveApiPathTraversal.rb:52:38:52:48 | destination : |
| ArchiveApiPathTraversal.rb:52:28:52:67 | call to join : | ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file |
| ArchiveApiPathTraversal.rb:52:38:52:48 | destination : | ArchiveApiPathTraversal.rb:52:28:52:67 | call to join : |
| ArchiveApiPathTraversal.rb:67:13:67:16 | file : | ArchiveApiPathTraversal.rb:68:20:68:23 | file |
| ArchiveApiPathTraversal.rb:75:11:75:18 | filename : | ArchiveApiPathTraversal.rb:76:19:76:26 | filename |
| tainted_path.rb:4:12:4:17 | call to params : | tainted_path.rb:4:12:4:24 | ...[...] : |
| tainted_path.rb:4:12:4:24 | ...[...] : | tainted_path.rb:5:26:5:29 | path |
| tainted_path.rb:10:12:10:43 | call to absolute_path : | tainted_path.rb:11:26:11:29 | path |
@@ -26,6 +37,20 @@ edges
| tainted_path.rb:59:40:59:45 | call to params : | tainted_path.rb:59:40:59:52 | ...[...] : |
| tainted_path.rb:59:40:59:52 | ...[...] : | tainted_path.rb:59:12:59:53 | call to new : |
nodes
| ArchiveApiPathTraversal.rb:5:26:5:31 | call to params : | semmle.label | call to params : |
| ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] : | semmle.label | ...[...] : |
| ArchiveApiPathTraversal.rb:10:11:10:16 | call to params : | semmle.label | call to params : |
| ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] : | semmle.label | ...[...] : |
| ArchiveApiPathTraversal.rb:15:9:15:14 | call to params : | semmle.label | call to params : |
| ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] : | semmle.label | ...[...] : |
| ArchiveApiPathTraversal.rb:49:17:49:27 | destination : | semmle.label | destination : |
| ArchiveApiPathTraversal.rb:52:28:52:67 | call to join : | semmle.label | call to join : |
| ArchiveApiPathTraversal.rb:52:38:52:48 | destination : | semmle.label | destination : |
| ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | semmle.label | destination_file |
| ArchiveApiPathTraversal.rb:67:13:67:16 | file : | semmle.label | file : |
| ArchiveApiPathTraversal.rb:68:20:68:23 | file | semmle.label | file |
| ArchiveApiPathTraversal.rb:75:11:75:18 | filename : | semmle.label | filename : |
| ArchiveApiPathTraversal.rb:76:19:76:26 | filename | semmle.label | filename |
| tainted_path.rb:4:12:4:17 | call to params : | semmle.label | call to params : |
| tainted_path.rb:4:12:4:24 | ...[...] : | semmle.label | ...[...] : |
| tainted_path.rb:5:26:5:29 | path | semmle.label | path |
@@ -63,6 +88,9 @@ nodes
| tainted_path.rb:60:26:60:29 | path | semmle.label | path |
subpaths
#select
| ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params : | ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | This path depends on $@. | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params | a user-provided value |
| ArchiveApiPathTraversal.rb:68:20:68:23 | file | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params : | ArchiveApiPathTraversal.rb:68:20:68:23 | file | This path depends on $@. | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params | a user-provided value |
| ArchiveApiPathTraversal.rb:76:19:76:26 | filename | ArchiveApiPathTraversal.rb:15:9:15:14 | call to params : | ArchiveApiPathTraversal.rb:76:19:76:26 | filename | This path depends on $@. | ArchiveApiPathTraversal.rb:15:9:15:14 | call to params | a user-provided value |
| tainted_path.rb:5:26:5:29 | path | tainted_path.rb:4:12:4:17 | call to params : | tainted_path.rb:5:26:5:29 | path | This path depends on $@. | tainted_path.rb:4:12:4:17 | call to params | a user-provided value |
| tainted_path.rb:11:26:11:29 | path | tainted_path.rb:10:31:10:36 | call to params : | tainted_path.rb:11:26:11:29 | path | This path depends on $@. | tainted_path.rb:10:31:10:36 | call to params | a user-provided value |
| tainted_path.rb:17:26:17:29 | path | tainted_path.rb:16:28:16:33 | call to params : | tainted_path.rb:17:26:17:29 | path | This path depends on $@. | tainted_path.rb:16:28:16:33 | call to params | a user-provided value |