Ruby: rack - add tests for env['QUERY_STRING']

2025-12-18 18:10:39 +01:00 · 2023-07-05 15:46:31 +01:00
parent ec2c9f20f6
commit 08784d24b4
3 changed files with 18 additions and 4 deletions
--- a/ruby/ql/test/library-tests/frameworks/rack/Rack.expected
+++ b/ruby/ql/test/library-tests/frameworks/rack/Rack.expected
@@ -3,9 +3,10 @@ rackRequestHandlers
 | rack.rb:17:3:21:5 | call | rack.rb:17:12:17:18 | the_env | rack.rb:20:5:20:27 | call to [] |
 | rack.rb:30:3:36:5 | call | rack.rb:30:12:30:14 | env | rack.rb:35:5:35:26 | call to [] |
 | rack.rb:40:3:44:5 | call | rack.rb:40:12:40:14 | env | rack.rb:43:5:43:45 | call to [] |
-| rack.rb:60:3:62:5 | call | rack.rb:60:12:60:14 | env | rack.rb:66:7:66:22 | call to [] |
+| rack.rb:60:3:62:5 | call | rack.rb:60:12:60:14 | env | rack.rb:66:7:66:24 | call to [] |
-| rack.rb:60:3:62:5 | call | rack.rb:60:12:60:14 | env | rack.rb:73:5:73:21 | call to [] |
+| rack.rb:60:3:62:5 | call | rack.rb:60:12:60:14 | env | rack.rb:73:5:73:23 | call to [] |
 | rack.rb:79:3:81:5 | call | rack.rb:79:17:79:19 | env | rack.rb:93:5:93:78 | call to finish |
 | rack.rb:98:3:102:5 | call | rack.rb:98:12:98:14 | env | rack.rb:101:5:101:42 | call to [] |
 | rack_apps.rb:6:3:12:5 | call | rack_apps.rb:6:12:6:14 | env | rack_apps.rb:10:12:10:34 | call to [] |
 | rack_apps.rb:16:3:18:5 | call | rack_apps.rb:16:17:16:19 | env | rack_apps.rb:17:5:17:28 | call to [] |
 | rack_apps.rb:21:14:21:50 | -> { ... } | rack_apps.rb:21:17:21:19 | env | rack_apps.rb:21:24:21:48 | call to [] |
@@ -16,3 +17,5 @@ rackResponseContentTypes
 redirectResponses
 | rack.rb:43:5:43:45 | call to [] | rack.rb:42:30:42:40 | "/foo.html" |
 | rack.rb:93:5:93:78 | call to finish | rack.rb:93:60:93:70 | redirect_to |
 requestInputAccesses
 | rack.rb:99:14:99:32 | ...[...] |
--- a/ruby/ql/test/library-tests/frameworks/rack/Rack.ql
+++ b/ruby/ql/test/library-tests/frameworks/rack/Rack.ql
@@ -1,4 +1,5 @@
 private import codeql.ruby.AST
 private import codeql.ruby.Concepts
 private import codeql.ruby.frameworks.Rack
 private import codeql.ruby.DataFlow
@@ -17,3 +18,5 @@ query predicate rackResponseContentTypes(
 query predicate redirectResponses(Rack::Response::RedirectResponse resp, DataFlow::Node location) {
  location = resp.getRedirectLocation()
 }
 query predicate requestInputAccesses(Http::Server::RequestInputAccess ria) { any() }
--- a/ruby/ql/test/library-tests/frameworks/rack/rack.rb
+++ b/ruby/ql/test/library-tests/frameworks/rack/rack.rb
@@ -63,14 +63,14 @@ class Baz
  def run(env)
    if env[:foo] == "foo"
-      [200, {}, "foo"]
+      [200, {}, ["foo"]]
    else
      error
    end
  end
  def error
-    [400, {}, "nope"]
+    [400, {}, ["nope"]]
  end
 end
@@ -93,3 +93,11 @@ class Qux
    Rack::Response.new(['redirecting'], 302, 'Location' => redirect_to).finish
  end
 end
 class UsesEnvQueryParams
  def call(env)
    params = env['QUERY_STRING']
    user = Rack::Utils.parse_query(params)["user"]
    [200, {}, [lookup_user_profile(user)]]
  end
 end