Ruby: Update more expected output.
@@ -1,39 +1,39 @@
|
||||
edges
|
||||
| ErbInjection.rb:5:5:5:8 | name : | ErbInjection.rb:8:5:8:12 | bad_text : |
|
||||
| ErbInjection.rb:5:5:5:8 | name : | ErbInjection.rb:11:11:11:14 | name : |
|
||||
| ErbInjection.rb:5:12:5:17 | call to params : | ErbInjection.rb:5:12:5:24 | ...[...] : |
|
||||
| ErbInjection.rb:5:12:5:24 | ...[...] : | ErbInjection.rb:5:5:5:8 | name : |
|
||||
| ErbInjection.rb:8:5:8:12 | bad_text : | ErbInjection.rb:15:24:15:31 | bad_text |
|
||||
| ErbInjection.rb:8:16:11:14 | ... % ... : | ErbInjection.rb:8:5:8:12 | bad_text : |
|
||||
| ErbInjection.rb:11:11:11:14 | name : | ErbInjection.rb:8:16:11:14 | ... % ... : |
|
||||
| SlimInjection.rb:5:5:5:8 | name : | SlimInjection.rb:8:5:8:12 | bad_text : |
|
||||
| SlimInjection.rb:5:5:5:8 | name : | SlimInjection.rb:11:11:11:14 | name : |
|
||||
| SlimInjection.rb:5:5:5:8 | name : | SlimInjection.rb:17:5:17:13 | bad2_text : |
|
||||
| SlimInjection.rb:5:12:5:17 | call to params : | SlimInjection.rb:5:12:5:24 | ...[...] : |
|
||||
| SlimInjection.rb:5:12:5:24 | ...[...] : | SlimInjection.rb:5:5:5:8 | name : |
|
||||
| SlimInjection.rb:8:5:8:12 | bad_text : | SlimInjection.rb:14:25:14:32 | bad_text |
|
||||
| SlimInjection.rb:8:16:11:14 | ... % ... : | SlimInjection.rb:8:5:8:12 | bad_text : |
|
||||
| SlimInjection.rb:11:11:11:14 | name : | SlimInjection.rb:8:16:11:14 | ... % ... : |
|
||||
| SlimInjection.rb:17:5:17:13 | bad2_text : | SlimInjection.rb:23:25:23:33 | bad2_text |
|
||||
| ErbInjection.rb:5:5:5:8 | name | ErbInjection.rb:8:5:8:12 | bad_text |
|
||||
| ErbInjection.rb:5:5:5:8 | name | ErbInjection.rb:11:11:11:14 | name |
|
||||
| ErbInjection.rb:5:12:5:17 | call to params | ErbInjection.rb:5:12:5:24 | ...[...] |
|
||||
| ErbInjection.rb:5:12:5:24 | ...[...] | ErbInjection.rb:5:5:5:8 | name |
|
||||
| ErbInjection.rb:8:5:8:12 | bad_text | ErbInjection.rb:15:24:15:31 | bad_text |
|
||||
| ErbInjection.rb:8:16:11:14 | ... % ... | ErbInjection.rb:8:5:8:12 | bad_text |
|
||||
| ErbInjection.rb:11:11:11:14 | name | ErbInjection.rb:8:16:11:14 | ... % ... |
|
||||
| SlimInjection.rb:5:5:5:8 | name | SlimInjection.rb:8:5:8:12 | bad_text |
|
||||
| SlimInjection.rb:5:5:5:8 | name | SlimInjection.rb:11:11:11:14 | name |
|
||||
| SlimInjection.rb:5:5:5:8 | name | SlimInjection.rb:17:5:17:13 | bad2_text |
|
||||
| SlimInjection.rb:5:12:5:17 | call to params | SlimInjection.rb:5:12:5:24 | ...[...] |
|
||||
| SlimInjection.rb:5:12:5:24 | ...[...] | SlimInjection.rb:5:5:5:8 | name |
|
||||
| SlimInjection.rb:8:5:8:12 | bad_text | SlimInjection.rb:14:25:14:32 | bad_text |
|
||||
| SlimInjection.rb:8:16:11:14 | ... % ... | SlimInjection.rb:8:5:8:12 | bad_text |
|
||||
| SlimInjection.rb:11:11:11:14 | name | SlimInjection.rb:8:16:11:14 | ... % ... |
|
||||
| SlimInjection.rb:17:5:17:13 | bad2_text | SlimInjection.rb:23:25:23:33 | bad2_text |
|
||||
nodes
|
||||
| ErbInjection.rb:5:5:5:8 | name : | semmle.label | name : |
|
||||
| ErbInjection.rb:5:12:5:17 | call to params : | semmle.label | call to params : |
|
||||
| ErbInjection.rb:5:12:5:24 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ErbInjection.rb:8:5:8:12 | bad_text : | semmle.label | bad_text : |
|
||||
| ErbInjection.rb:8:16:11:14 | ... % ... : | semmle.label | ... % ... : |
|
||||
| ErbInjection.rb:11:11:11:14 | name : | semmle.label | name : |
|
||||
| ErbInjection.rb:5:5:5:8 | name | semmle.label | name |
|
||||
| ErbInjection.rb:5:12:5:17 | call to params | semmle.label | call to params |
|
||||
| ErbInjection.rb:5:12:5:24 | ...[...] | semmle.label | ...[...] |
|
||||
| ErbInjection.rb:8:5:8:12 | bad_text | semmle.label | bad_text |
|
||||
| ErbInjection.rb:8:16:11:14 | ... % ... | semmle.label | ... % ... |
|
||||
| ErbInjection.rb:11:11:11:14 | name | semmle.label | name |
|
||||
| ErbInjection.rb:15:24:15:31 | bad_text | semmle.label | bad_text |
|
||||
| SlimInjection.rb:5:5:5:8 | name : | semmle.label | name : |
|
||||
| SlimInjection.rb:5:12:5:17 | call to params : | semmle.label | call to params : |
|
||||
| SlimInjection.rb:5:12:5:24 | ...[...] : | semmle.label | ...[...] : |
|
||||
| SlimInjection.rb:8:5:8:12 | bad_text : | semmle.label | bad_text : |
|
||||
| SlimInjection.rb:8:16:11:14 | ... % ... : | semmle.label | ... % ... : |
|
||||
| SlimInjection.rb:11:11:11:14 | name : | semmle.label | name : |
|
||||
| SlimInjection.rb:5:5:5:8 | name | semmle.label | name |
|
||||
| SlimInjection.rb:5:12:5:17 | call to params | semmle.label | call to params |
|
||||
| SlimInjection.rb:5:12:5:24 | ...[...] | semmle.label | ...[...] |
|
||||
| SlimInjection.rb:8:5:8:12 | bad_text | semmle.label | bad_text |
|
||||
| SlimInjection.rb:8:16:11:14 | ... % ... | semmle.label | ... % ... |
|
||||
| SlimInjection.rb:11:11:11:14 | name | semmle.label | name |
|
||||
| SlimInjection.rb:14:25:14:32 | bad_text | semmle.label | bad_text |
|
||||
| SlimInjection.rb:17:5:17:13 | bad2_text : | semmle.label | bad2_text : |
|
||||
| SlimInjection.rb:17:5:17:13 | bad2_text | semmle.label | bad2_text |
|
||||
| SlimInjection.rb:23:25:23:33 | bad2_text | semmle.label | bad2_text |
|
||||
subpaths
|
||||
#select
|
||||
| ErbInjection.rb:15:24:15:31 | bad_text | ErbInjection.rb:5:12:5:17 | call to params : | ErbInjection.rb:15:24:15:31 | bad_text | This template depends on a $@. | ErbInjection.rb:5:12:5:17 | call to params | user-provided value |
|
||||
| SlimInjection.rb:14:25:14:32 | bad_text | SlimInjection.rb:5:12:5:17 | call to params : | SlimInjection.rb:14:25:14:32 | bad_text | This template depends on a $@. | SlimInjection.rb:5:12:5:17 | call to params | user-provided value |
|
||||
| SlimInjection.rb:23:25:23:33 | bad2_text | SlimInjection.rb:5:12:5:17 | call to params : | SlimInjection.rb:23:25:23:33 | bad2_text | This template depends on a $@. | SlimInjection.rb:5:12:5:17 | call to params | user-provided value |
|
||||
| ErbInjection.rb:15:24:15:31 | bad_text | ErbInjection.rb:5:12:5:17 | call to params | ErbInjection.rb:15:24:15:31 | bad_text | This template depends on a $@. | ErbInjection.rb:5:12:5:17 | call to params | user-provided value |
|
||||
| SlimInjection.rb:14:25:14:32 | bad_text | SlimInjection.rb:5:12:5:17 | call to params | SlimInjection.rb:14:25:14:32 | bad_text | This template depends on a $@. | SlimInjection.rb:5:12:5:17 | call to params | user-provided value |
|
||||
| SlimInjection.rb:23:25:23:33 | bad2_text | SlimInjection.rb:5:12:5:17 | call to params | SlimInjection.rb:23:25:23:33 | bad2_text | This template depends on a $@. | SlimInjection.rb:5:12:5:17 | call to params | user-provided value |
|
||||
|
||||
@@ -1,64 +1,64 @@
|
||||
edges
|
||||
| zip_slip.rb:8:5:8:11 | tarfile : | zip_slip.rb:9:5:9:11 | tarfile : |
|
||||
| zip_slip.rb:8:15:8:54 | call to new : | zip_slip.rb:8:5:8:11 | tarfile : |
|
||||
| zip_slip.rb:9:5:9:11 | tarfile : | zip_slip.rb:9:22:9:26 | entry : |
|
||||
| zip_slip.rb:9:22:9:26 | entry : | zip_slip.rb:10:19:10:33 | call to full_name |
|
||||
| zip_slip.rb:20:50:20:56 | tarfile : | zip_slip.rb:21:7:21:13 | tarfile : |
|
||||
| zip_slip.rb:21:7:21:13 | tarfile : | zip_slip.rb:21:30:21:34 | entry : |
|
||||
| zip_slip.rb:21:30:21:34 | entry : | zip_slip.rb:22:21:22:35 | call to full_name |
|
||||
| zip_slip.rb:46:5:46:24 | call to open : | zip_slip.rb:46:35:46:39 | entry : |
|
||||
| zip_slip.rb:46:35:46:39 | entry : | zip_slip.rb:47:17:47:26 | call to name |
|
||||
| zip_slip.rb:56:30:56:37 | zip_file : | zip_slip.rb:57:7:57:14 | zip_file : |
|
||||
| zip_slip.rb:57:7:57:14 | zip_file : | zip_slip.rb:57:25:57:29 | entry : |
|
||||
| zip_slip.rb:57:25:57:29 | entry : | zip_slip.rb:58:19:58:28 | call to name |
|
||||
| zip_slip.rb:90:5:90:8 | gzip : | zip_slip.rb:91:11:91:14 | gzip : |
|
||||
| zip_slip.rb:90:12:90:54 | call to open : | zip_slip.rb:90:5:90:8 | gzip : |
|
||||
| zip_slip.rb:91:11:91:14 | gzip : | zip_slip.rb:97:42:97:56 | compressed_file : |
|
||||
| zip_slip.rb:97:42:97:56 | compressed_file : | zip_slip.rb:98:7:98:21 | compressed_file : |
|
||||
| zip_slip.rb:98:7:98:21 | compressed_file : | zip_slip.rb:98:32:98:36 | entry : |
|
||||
| zip_slip.rb:98:32:98:36 | entry : | zip_slip.rb:99:9:99:18 | entry_path : |
|
||||
| zip_slip.rb:99:9:99:18 | entry_path : | zip_slip.rb:100:21:100:30 | entry_path |
|
||||
| zip_slip.rb:123:7:123:8 | gz : | zip_slip.rb:124:7:124:8 | gz : |
|
||||
| zip_slip.rb:123:12:123:34 | call to new : | zip_slip.rb:123:7:123:8 | gz : |
|
||||
| zip_slip.rb:124:7:124:8 | gz : | zip_slip.rb:124:19:124:23 | entry : |
|
||||
| zip_slip.rb:124:19:124:23 | entry : | zip_slip.rb:125:9:125:18 | entry_path : |
|
||||
| zip_slip.rb:125:9:125:18 | entry_path : | zip_slip.rb:126:21:126:30 | entry_path |
|
||||
| zip_slip.rb:8:5:8:11 | tarfile | zip_slip.rb:9:5:9:11 | tarfile |
|
||||
| zip_slip.rb:8:15:8:54 | call to new | zip_slip.rb:8:5:8:11 | tarfile |
|
||||
| zip_slip.rb:9:5:9:11 | tarfile | zip_slip.rb:9:22:9:26 | entry |
|
||||
| zip_slip.rb:9:22:9:26 | entry | zip_slip.rb:10:19:10:33 | call to full_name |
|
||||
| zip_slip.rb:20:50:20:56 | tarfile | zip_slip.rb:21:7:21:13 | tarfile |
|
||||
| zip_slip.rb:21:7:21:13 | tarfile | zip_slip.rb:21:30:21:34 | entry |
|
||||
| zip_slip.rb:21:30:21:34 | entry | zip_slip.rb:22:21:22:35 | call to full_name |
|
||||
| zip_slip.rb:46:5:46:24 | call to open | zip_slip.rb:46:35:46:39 | entry |
|
||||
| zip_slip.rb:46:35:46:39 | entry | zip_slip.rb:47:17:47:26 | call to name |
|
||||
| zip_slip.rb:56:30:56:37 | zip_file | zip_slip.rb:57:7:57:14 | zip_file |
|
||||
| zip_slip.rb:57:7:57:14 | zip_file | zip_slip.rb:57:25:57:29 | entry |
|
||||
| zip_slip.rb:57:25:57:29 | entry | zip_slip.rb:58:19:58:28 | call to name |
|
||||
| zip_slip.rb:90:5:90:8 | gzip | zip_slip.rb:91:11:91:14 | gzip |
|
||||
| zip_slip.rb:90:12:90:54 | call to open | zip_slip.rb:90:5:90:8 | gzip |
|
||||
| zip_slip.rb:91:11:91:14 | gzip | zip_slip.rb:97:42:97:56 | compressed_file |
|
||||
| zip_slip.rb:97:42:97:56 | compressed_file | zip_slip.rb:98:7:98:21 | compressed_file |
|
||||
| zip_slip.rb:98:7:98:21 | compressed_file | zip_slip.rb:98:32:98:36 | entry |
|
||||
| zip_slip.rb:98:32:98:36 | entry | zip_slip.rb:99:9:99:18 | entry_path |
|
||||
| zip_slip.rb:99:9:99:18 | entry_path | zip_slip.rb:100:21:100:30 | entry_path |
|
||||
| zip_slip.rb:123:7:123:8 | gz | zip_slip.rb:124:7:124:8 | gz |
|
||||
| zip_slip.rb:123:12:123:34 | call to new | zip_slip.rb:123:7:123:8 | gz |
|
||||
| zip_slip.rb:124:7:124:8 | gz | zip_slip.rb:124:19:124:23 | entry |
|
||||
| zip_slip.rb:124:19:124:23 | entry | zip_slip.rb:125:9:125:18 | entry_path |
|
||||
| zip_slip.rb:125:9:125:18 | entry_path | zip_slip.rb:126:21:126:30 | entry_path |
|
||||
nodes
|
||||
| zip_slip.rb:8:5:8:11 | tarfile : | semmle.label | tarfile : |
|
||||
| zip_slip.rb:8:15:8:54 | call to new : | semmle.label | call to new : |
|
||||
| zip_slip.rb:9:5:9:11 | tarfile : | semmle.label | tarfile : |
|
||||
| zip_slip.rb:9:22:9:26 | entry : | semmle.label | entry : |
|
||||
| zip_slip.rb:8:5:8:11 | tarfile | semmle.label | tarfile |
|
||||
| zip_slip.rb:8:15:8:54 | call to new | semmle.label | call to new |
|
||||
| zip_slip.rb:9:5:9:11 | tarfile | semmle.label | tarfile |
|
||||
| zip_slip.rb:9:22:9:26 | entry | semmle.label | entry |
|
||||
| zip_slip.rb:10:19:10:33 | call to full_name | semmle.label | call to full_name |
|
||||
| zip_slip.rb:20:50:20:56 | tarfile : | semmle.label | tarfile : |
|
||||
| zip_slip.rb:21:7:21:13 | tarfile : | semmle.label | tarfile : |
|
||||
| zip_slip.rb:21:30:21:34 | entry : | semmle.label | entry : |
|
||||
| zip_slip.rb:20:50:20:56 | tarfile | semmle.label | tarfile |
|
||||
| zip_slip.rb:21:7:21:13 | tarfile | semmle.label | tarfile |
|
||||
| zip_slip.rb:21:30:21:34 | entry | semmle.label | entry |
|
||||
| zip_slip.rb:22:21:22:35 | call to full_name | semmle.label | call to full_name |
|
||||
| zip_slip.rb:46:5:46:24 | call to open : | semmle.label | call to open : |
|
||||
| zip_slip.rb:46:35:46:39 | entry : | semmle.label | entry : |
|
||||
| zip_slip.rb:46:5:46:24 | call to open | semmle.label | call to open |
|
||||
| zip_slip.rb:46:35:46:39 | entry | semmle.label | entry |
|
||||
| zip_slip.rb:47:17:47:26 | call to name | semmle.label | call to name |
|
||||
| zip_slip.rb:56:30:56:37 | zip_file : | semmle.label | zip_file : |
|
||||
| zip_slip.rb:57:7:57:14 | zip_file : | semmle.label | zip_file : |
|
||||
| zip_slip.rb:57:25:57:29 | entry : | semmle.label | entry : |
|
||||
| zip_slip.rb:56:30:56:37 | zip_file | semmle.label | zip_file |
|
||||
| zip_slip.rb:57:7:57:14 | zip_file | semmle.label | zip_file |
|
||||
| zip_slip.rb:57:25:57:29 | entry | semmle.label | entry |
|
||||
| zip_slip.rb:58:19:58:28 | call to name | semmle.label | call to name |
|
||||
| zip_slip.rb:90:5:90:8 | gzip : | semmle.label | gzip : |
|
||||
| zip_slip.rb:90:12:90:54 | call to open : | semmle.label | call to open : |
|
||||
| zip_slip.rb:91:11:91:14 | gzip : | semmle.label | gzip : |
|
||||
| zip_slip.rb:97:42:97:56 | compressed_file : | semmle.label | compressed_file : |
|
||||
| zip_slip.rb:98:7:98:21 | compressed_file : | semmle.label | compressed_file : |
|
||||
| zip_slip.rb:98:32:98:36 | entry : | semmle.label | entry : |
|
||||
| zip_slip.rb:99:9:99:18 | entry_path : | semmle.label | entry_path : |
|
||||
| zip_slip.rb:90:5:90:8 | gzip | semmle.label | gzip |
|
||||
| zip_slip.rb:90:12:90:54 | call to open | semmle.label | call to open |
|
||||
| zip_slip.rb:91:11:91:14 | gzip | semmle.label | gzip |
|
||||
| zip_slip.rb:97:42:97:56 | compressed_file | semmle.label | compressed_file |
|
||||
| zip_slip.rb:98:7:98:21 | compressed_file | semmle.label | compressed_file |
|
||||
| zip_slip.rb:98:32:98:36 | entry | semmle.label | entry |
|
||||
| zip_slip.rb:99:9:99:18 | entry_path | semmle.label | entry_path |
|
||||
| zip_slip.rb:100:21:100:30 | entry_path | semmle.label | entry_path |
|
||||
| zip_slip.rb:123:7:123:8 | gz : | semmle.label | gz : |
|
||||
| zip_slip.rb:123:12:123:34 | call to new : | semmle.label | call to new : |
|
||||
| zip_slip.rb:124:7:124:8 | gz : | semmle.label | gz : |
|
||||
| zip_slip.rb:124:19:124:23 | entry : | semmle.label | entry : |
|
||||
| zip_slip.rb:125:9:125:18 | entry_path : | semmle.label | entry_path : |
|
||||
| zip_slip.rb:123:7:123:8 | gz | semmle.label | gz |
|
||||
| zip_slip.rb:123:12:123:34 | call to new | semmle.label | call to new |
|
||||
| zip_slip.rb:124:7:124:8 | gz | semmle.label | gz |
|
||||
| zip_slip.rb:124:19:124:23 | entry | semmle.label | entry |
|
||||
| zip_slip.rb:125:9:125:18 | entry_path | semmle.label | entry_path |
|
||||
| zip_slip.rb:126:21:126:30 | entry_path | semmle.label | entry_path |
|
||||
subpaths
|
||||
#select
|
||||
| zip_slip.rb:10:19:10:33 | call to full_name | zip_slip.rb:8:15:8:54 | call to new : | zip_slip.rb:10:19:10:33 | call to full_name | This file extraction depends on a $@. | zip_slip.rb:8:15:8:54 | call to new | potentially untrusted source |
|
||||
| zip_slip.rb:22:21:22:35 | call to full_name | zip_slip.rb:20:50:20:56 | tarfile : | zip_slip.rb:22:21:22:35 | call to full_name | This file extraction depends on a $@. | zip_slip.rb:20:50:20:56 | tarfile | potentially untrusted source |
|
||||
| zip_slip.rb:47:17:47:26 | call to name | zip_slip.rb:46:5:46:24 | call to open : | zip_slip.rb:47:17:47:26 | call to name | This file extraction depends on a $@. | zip_slip.rb:46:5:46:24 | call to open | potentially untrusted source |
|
||||
| zip_slip.rb:58:19:58:28 | call to name | zip_slip.rb:56:30:56:37 | zip_file : | zip_slip.rb:58:19:58:28 | call to name | This file extraction depends on a $@. | zip_slip.rb:56:30:56:37 | zip_file | potentially untrusted source |
|
||||
| zip_slip.rb:100:21:100:30 | entry_path | zip_slip.rb:90:12:90:54 | call to open : | zip_slip.rb:100:21:100:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:90:12:90:54 | call to open | potentially untrusted source |
|
||||
| zip_slip.rb:126:21:126:30 | entry_path | zip_slip.rb:123:12:123:34 | call to new : | zip_slip.rb:126:21:126:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:123:12:123:34 | call to new | potentially untrusted source |
|
||||
| zip_slip.rb:10:19:10:33 | call to full_name | zip_slip.rb:8:15:8:54 | call to new | zip_slip.rb:10:19:10:33 | call to full_name | This file extraction depends on a $@. | zip_slip.rb:8:15:8:54 | call to new | potentially untrusted source |
|
||||
| zip_slip.rb:22:21:22:35 | call to full_name | zip_slip.rb:20:50:20:56 | tarfile | zip_slip.rb:22:21:22:35 | call to full_name | This file extraction depends on a $@. | zip_slip.rb:20:50:20:56 | tarfile | potentially untrusted source |
|
||||
| zip_slip.rb:47:17:47:26 | call to name | zip_slip.rb:46:5:46:24 | call to open | zip_slip.rb:47:17:47:26 | call to name | This file extraction depends on a $@. | zip_slip.rb:46:5:46:24 | call to open | potentially untrusted source |
|
||||
| zip_slip.rb:58:19:58:28 | call to name | zip_slip.rb:56:30:56:37 | zip_file | zip_slip.rb:58:19:58:28 | call to name | This file extraction depends on a $@. | zip_slip.rb:56:30:56:37 | zip_file | potentially untrusted source |
|
||||
| zip_slip.rb:100:21:100:30 | entry_path | zip_slip.rb:90:12:90:54 | call to open | zip_slip.rb:100:21:100:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:90:12:90:54 | call to open | potentially untrusted source |
|
||||
| zip_slip.rb:126:21:126:30 | entry_path | zip_slip.rb:123:12:123:34 | call to new | zip_slip.rb:126:21:126:30 | entry_path | This file extraction depends on a $@. | zip_slip.rb:123:12:123:34 | call to new | potentially untrusted source |
|
||||
|
||||
@@ -1,42 +1,42 @@
|
||||
edges
|
||||
| ManuallyCheckHttpVerb.rb:11:5:11:10 | method : | ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... |
|
||||
| ManuallyCheckHttpVerb.rb:11:14:11:24 | call to env : | ManuallyCheckHttpVerb.rb:11:14:11:42 | ...[...] : |
|
||||
| ManuallyCheckHttpVerb.rb:11:14:11:42 | ...[...] : | ManuallyCheckHttpVerb.rb:11:5:11:10 | method : |
|
||||
| ManuallyCheckHttpVerb.rb:19:5:19:10 | method : | ManuallyCheckHttpVerb.rb:20:8:20:22 | ... == ... |
|
||||
| ManuallyCheckHttpVerb.rb:19:14:19:35 | call to request_method : | ManuallyCheckHttpVerb.rb:19:5:19:10 | method : |
|
||||
| ManuallyCheckHttpVerb.rb:27:5:27:10 | method : | ManuallyCheckHttpVerb.rb:28:8:28:22 | ... == ... |
|
||||
| ManuallyCheckHttpVerb.rb:27:14:27:27 | call to method : | ManuallyCheckHttpVerb.rb:27:5:27:10 | method : |
|
||||
| ManuallyCheckHttpVerb.rb:35:5:35:10 | method : | ManuallyCheckHttpVerb.rb:36:8:36:22 | ... == ... |
|
||||
| ManuallyCheckHttpVerb.rb:35:14:35:39 | call to raw_request_method : | ManuallyCheckHttpVerb.rb:35:5:35:10 | method : |
|
||||
| ManuallyCheckHttpVerb.rb:51:7:51:12 | method : | ManuallyCheckHttpVerb.rb:52:10:52:23 | ... == ... |
|
||||
| ManuallyCheckHttpVerb.rb:51:16:51:44 | call to request_method_symbol : | ManuallyCheckHttpVerb.rb:51:7:51:12 | method : |
|
||||
| ManuallyCheckHttpVerb.rb:59:10:59:20 | call to env : | ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] |
|
||||
| ManuallyCheckHttpVerb.rb:11:5:11:10 | method | ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... |
|
||||
| ManuallyCheckHttpVerb.rb:11:14:11:24 | call to env | ManuallyCheckHttpVerb.rb:11:14:11:42 | ...[...] |
|
||||
| ManuallyCheckHttpVerb.rb:11:14:11:42 | ...[...] | ManuallyCheckHttpVerb.rb:11:5:11:10 | method |
|
||||
| ManuallyCheckHttpVerb.rb:19:5:19:10 | method | ManuallyCheckHttpVerb.rb:20:8:20:22 | ... == ... |
|
||||
| ManuallyCheckHttpVerb.rb:19:14:19:35 | call to request_method | ManuallyCheckHttpVerb.rb:19:5:19:10 | method |
|
||||
| ManuallyCheckHttpVerb.rb:27:5:27:10 | method | ManuallyCheckHttpVerb.rb:28:8:28:22 | ... == ... |
|
||||
| ManuallyCheckHttpVerb.rb:27:14:27:27 | call to method | ManuallyCheckHttpVerb.rb:27:5:27:10 | method |
|
||||
| ManuallyCheckHttpVerb.rb:35:5:35:10 | method | ManuallyCheckHttpVerb.rb:36:8:36:22 | ... == ... |
|
||||
| ManuallyCheckHttpVerb.rb:35:14:35:39 | call to raw_request_method | ManuallyCheckHttpVerb.rb:35:5:35:10 | method |
|
||||
| ManuallyCheckHttpVerb.rb:51:7:51:12 | method | ManuallyCheckHttpVerb.rb:52:10:52:23 | ... == ... |
|
||||
| ManuallyCheckHttpVerb.rb:51:16:51:44 | call to request_method_symbol | ManuallyCheckHttpVerb.rb:51:7:51:12 | method |
|
||||
| ManuallyCheckHttpVerb.rb:59:10:59:20 | call to env | ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] |
|
||||
nodes
|
||||
| ManuallyCheckHttpVerb.rb:4:8:4:19 | call to get? | semmle.label | call to get? |
|
||||
| ManuallyCheckHttpVerb.rb:11:5:11:10 | method : | semmle.label | method : |
|
||||
| ManuallyCheckHttpVerb.rb:11:14:11:24 | call to env : | semmle.label | call to env : |
|
||||
| ManuallyCheckHttpVerb.rb:11:14:11:42 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ManuallyCheckHttpVerb.rb:11:5:11:10 | method | semmle.label | method |
|
||||
| ManuallyCheckHttpVerb.rb:11:14:11:24 | call to env | semmle.label | call to env |
|
||||
| ManuallyCheckHttpVerb.rb:11:14:11:42 | ...[...] | semmle.label | ...[...] |
|
||||
| ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... | semmle.label | ... == ... |
|
||||
| ManuallyCheckHttpVerb.rb:19:5:19:10 | method : | semmle.label | method : |
|
||||
| ManuallyCheckHttpVerb.rb:19:14:19:35 | call to request_method : | semmle.label | call to request_method : |
|
||||
| ManuallyCheckHttpVerb.rb:19:5:19:10 | method | semmle.label | method |
|
||||
| ManuallyCheckHttpVerb.rb:19:14:19:35 | call to request_method | semmle.label | call to request_method |
|
||||
| ManuallyCheckHttpVerb.rb:20:8:20:22 | ... == ... | semmle.label | ... == ... |
|
||||
| ManuallyCheckHttpVerb.rb:27:5:27:10 | method : | semmle.label | method : |
|
||||
| ManuallyCheckHttpVerb.rb:27:14:27:27 | call to method : | semmle.label | call to method : |
|
||||
| ManuallyCheckHttpVerb.rb:27:5:27:10 | method | semmle.label | method |
|
||||
| ManuallyCheckHttpVerb.rb:27:14:27:27 | call to method | semmle.label | call to method |
|
||||
| ManuallyCheckHttpVerb.rb:28:8:28:22 | ... == ... | semmle.label | ... == ... |
|
||||
| ManuallyCheckHttpVerb.rb:35:5:35:10 | method : | semmle.label | method : |
|
||||
| ManuallyCheckHttpVerb.rb:35:14:35:39 | call to raw_request_method : | semmle.label | call to raw_request_method : |
|
||||
| ManuallyCheckHttpVerb.rb:35:5:35:10 | method | semmle.label | method |
|
||||
| ManuallyCheckHttpVerb.rb:35:14:35:39 | call to raw_request_method | semmle.label | call to raw_request_method |
|
||||
| ManuallyCheckHttpVerb.rb:36:8:36:22 | ... == ... | semmle.label | ... == ... |
|
||||
| ManuallyCheckHttpVerb.rb:51:7:51:12 | method : | semmle.label | method : |
|
||||
| ManuallyCheckHttpVerb.rb:51:16:51:44 | call to request_method_symbol : | semmle.label | call to request_method_symbol : |
|
||||
| ManuallyCheckHttpVerb.rb:51:7:51:12 | method | semmle.label | method |
|
||||
| ManuallyCheckHttpVerb.rb:51:16:51:44 | call to request_method_symbol | semmle.label | call to request_method_symbol |
|
||||
| ManuallyCheckHttpVerb.rb:52:10:52:23 | ... == ... | semmle.label | ... == ... |
|
||||
| ManuallyCheckHttpVerb.rb:59:10:59:20 | call to env : | semmle.label | call to env : |
|
||||
| ManuallyCheckHttpVerb.rb:59:10:59:20 | call to env | semmle.label | call to env |
|
||||
| ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] | semmle.label | ...[...] |
|
||||
subpaths
|
||||
#select
|
||||
| ManuallyCheckHttpVerb.rb:4:8:4:19 | call to get? | ManuallyCheckHttpVerb.rb:4:8:4:19 | call to get? | ManuallyCheckHttpVerb.rb:4:8:4:19 | call to get? | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. |
|
||||
| ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... | ManuallyCheckHttpVerb.rb:11:14:11:24 | call to env : | ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. |
|
||||
| ManuallyCheckHttpVerb.rb:20:8:20:22 | ... == ... | ManuallyCheckHttpVerb.rb:19:14:19:35 | call to request_method : | ManuallyCheckHttpVerb.rb:20:8:20:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. |
|
||||
| ManuallyCheckHttpVerb.rb:28:8:28:22 | ... == ... | ManuallyCheckHttpVerb.rb:27:14:27:27 | call to method : | ManuallyCheckHttpVerb.rb:28:8:28:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. |
|
||||
| ManuallyCheckHttpVerb.rb:36:8:36:22 | ... == ... | ManuallyCheckHttpVerb.rb:35:14:35:39 | call to raw_request_method : | ManuallyCheckHttpVerb.rb:36:8:36:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. |
|
||||
| ManuallyCheckHttpVerb.rb:52:10:52:23 | ... == ... | ManuallyCheckHttpVerb.rb:51:16:51:44 | call to request_method_symbol : | ManuallyCheckHttpVerb.rb:52:10:52:23 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. |
|
||||
| ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] | ManuallyCheckHttpVerb.rb:59:10:59:20 | call to env : | ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. |
|
||||
| ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... | ManuallyCheckHttpVerb.rb:11:14:11:24 | call to env | ManuallyCheckHttpVerb.rb:12:8:12:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. |
|
||||
| ManuallyCheckHttpVerb.rb:20:8:20:22 | ... == ... | ManuallyCheckHttpVerb.rb:19:14:19:35 | call to request_method | ManuallyCheckHttpVerb.rb:20:8:20:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. |
|
||||
| ManuallyCheckHttpVerb.rb:28:8:28:22 | ... == ... | ManuallyCheckHttpVerb.rb:27:14:27:27 | call to method | ManuallyCheckHttpVerb.rb:28:8:28:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. |
|
||||
| ManuallyCheckHttpVerb.rb:36:8:36:22 | ... == ... | ManuallyCheckHttpVerb.rb:35:14:35:39 | call to raw_request_method | ManuallyCheckHttpVerb.rb:36:8:36:22 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. |
|
||||
| ManuallyCheckHttpVerb.rb:52:10:52:23 | ... == ... | ManuallyCheckHttpVerb.rb:51:16:51:44 | call to request_method_symbol | ManuallyCheckHttpVerb.rb:52:10:52:23 | ... == ... | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. |
|
||||
| ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] | ManuallyCheckHttpVerb.rb:59:10:59:20 | call to env | ManuallyCheckHttpVerb.rb:59:10:59:38 | ...[...] | Manually checking HTTP verbs is an indication that multiple requests are routed to the same controller action. This could lead to bypassing necessary authorization methods and other protections, like CSRF protection. Prefer using different controller actions for each HTTP method and relying Rails routing to handle mapping resources and verbs to specific methods. |
|
||||
|
||||
@@ -1,20 +1,20 @@
|
||||
edges
|
||||
| WeakParams.rb:5:28:5:53 | call to request_parameters : | WeakParams.rb:5:28:5:59 | ...[...] |
|
||||
| WeakParams.rb:10:28:10:51 | call to query_parameters : | WeakParams.rb:10:28:10:57 | ...[...] |
|
||||
| WeakParams.rb:15:28:15:39 | call to POST : | WeakParams.rb:15:28:15:45 | ...[...] |
|
||||
| WeakParams.rb:20:28:20:38 | call to GET : | WeakParams.rb:20:28:20:44 | ...[...] |
|
||||
| WeakParams.rb:5:28:5:53 | call to request_parameters | WeakParams.rb:5:28:5:59 | ...[...] |
|
||||
| WeakParams.rb:10:28:10:51 | call to query_parameters | WeakParams.rb:10:28:10:57 | ...[...] |
|
||||
| WeakParams.rb:15:28:15:39 | call to POST | WeakParams.rb:15:28:15:45 | ...[...] |
|
||||
| WeakParams.rb:20:28:20:38 | call to GET | WeakParams.rb:20:28:20:44 | ...[...] |
|
||||
nodes
|
||||
| WeakParams.rb:5:28:5:53 | call to request_parameters : | semmle.label | call to request_parameters : |
|
||||
| WeakParams.rb:5:28:5:53 | call to request_parameters | semmle.label | call to request_parameters |
|
||||
| WeakParams.rb:5:28:5:59 | ...[...] | semmle.label | ...[...] |
|
||||
| WeakParams.rb:10:28:10:51 | call to query_parameters : | semmle.label | call to query_parameters : |
|
||||
| WeakParams.rb:10:28:10:51 | call to query_parameters | semmle.label | call to query_parameters |
|
||||
| WeakParams.rb:10:28:10:57 | ...[...] | semmle.label | ...[...] |
|
||||
| WeakParams.rb:15:28:15:39 | call to POST : | semmle.label | call to POST : |
|
||||
| WeakParams.rb:15:28:15:39 | call to POST | semmle.label | call to POST |
|
||||
| WeakParams.rb:15:28:15:45 | ...[...] | semmle.label | ...[...] |
|
||||
| WeakParams.rb:20:28:20:38 | call to GET : | semmle.label | call to GET : |
|
||||
| WeakParams.rb:20:28:20:38 | call to GET | semmle.label | call to GET |
|
||||
| WeakParams.rb:20:28:20:44 | ...[...] | semmle.label | ...[...] |
|
||||
subpaths
|
||||
#select
|
||||
| WeakParams.rb:5:28:5:59 | ...[...] | WeakParams.rb:5:28:5:53 | call to request_parameters : | WeakParams.rb:5:28:5:59 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html |
|
||||
| WeakParams.rb:10:28:10:57 | ...[...] | WeakParams.rb:10:28:10:51 | call to query_parameters : | WeakParams.rb:10:28:10:57 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html |
|
||||
| WeakParams.rb:15:28:15:45 | ...[...] | WeakParams.rb:15:28:15:39 | call to POST : | WeakParams.rb:15:28:15:45 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html |
|
||||
| WeakParams.rb:20:28:20:44 | ...[...] | WeakParams.rb:20:28:20:38 | call to GET : | WeakParams.rb:20:28:20:44 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html |
|
||||
| WeakParams.rb:5:28:5:59 | ...[...] | WeakParams.rb:5:28:5:53 | call to request_parameters | WeakParams.rb:5:28:5:59 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html |
|
||||
| WeakParams.rb:10:28:10:57 | ...[...] | WeakParams.rb:10:28:10:51 | call to query_parameters | WeakParams.rb:10:28:10:57 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html |
|
||||
| WeakParams.rb:15:28:15:45 | ...[...] | WeakParams.rb:15:28:15:39 | call to POST | WeakParams.rb:15:28:15:45 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html |
|
||||
| WeakParams.rb:20:28:20:44 | ...[...] | WeakParams.rb:20:28:20:38 | call to GET | WeakParams.rb:20:28:20:44 | ...[...] | By exposing all keys in request parameters or by blindy accessing them, unintended parameters could be used and lead to mass-assignment or have other unexpected side-effects. It is safer to follow the 'strong parameters' pattern in Rails, which is outlined here: https://api.rubyonrails.org/classes/ActionController/StrongParameters.html |
|
||||
|
||||
@@ -1,16 +1,16 @@
|
||||
edges
|
||||
| impl/miss-anchor.rb:2:12:2:15 | name : | impl/miss-anchor.rb:3:39:3:42 | name |
|
||||
| impl/miss-anchor.rb:6:12:6:15 | name : | impl/miss-anchor.rb:7:43:7:46 | name |
|
||||
| impl/miss-anchor.rb:14:12:14:15 | name : | impl/miss-anchor.rb:15:47:15:50 | name |
|
||||
| impl/miss-anchor.rb:2:12:2:15 | name | impl/miss-anchor.rb:3:39:3:42 | name |
|
||||
| impl/miss-anchor.rb:6:12:6:15 | name | impl/miss-anchor.rb:7:43:7:46 | name |
|
||||
| impl/miss-anchor.rb:14:12:14:15 | name | impl/miss-anchor.rb:15:47:15:50 | name |
|
||||
nodes
|
||||
| impl/miss-anchor.rb:2:12:2:15 | name : | semmle.label | name : |
|
||||
| impl/miss-anchor.rb:2:12:2:15 | name | semmle.label | name |
|
||||
| impl/miss-anchor.rb:3:39:3:42 | name | semmle.label | name |
|
||||
| impl/miss-anchor.rb:6:12:6:15 | name : | semmle.label | name : |
|
||||
| impl/miss-anchor.rb:6:12:6:15 | name | semmle.label | name |
|
||||
| impl/miss-anchor.rb:7:43:7:46 | name | semmle.label | name |
|
||||
| impl/miss-anchor.rb:14:12:14:15 | name : | semmle.label | name : |
|
||||
| impl/miss-anchor.rb:14:12:14:15 | name | semmle.label | name |
|
||||
| impl/miss-anchor.rb:15:47:15:50 | name | semmle.label | name |
|
||||
subpaths
|
||||
#select
|
||||
| impl/miss-anchor.rb:3:39:3:42 | name | impl/miss-anchor.rb:2:12:2:15 | name : | impl/miss-anchor.rb:3:39:3:42 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:2:12:2:15 | name | library input | impl/miss-anchor.rb:3:39:3:89 | ... !~ ... | checked | impl/miss-anchor.rb:3:48:3:88 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression |
|
||||
| impl/miss-anchor.rb:7:43:7:46 | name | impl/miss-anchor.rb:6:12:6:15 | name : | impl/miss-anchor.rb:7:43:7:46 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:6:12:6:15 | name | library input | impl/miss-anchor.rb:7:43:7:93 | ... !~ ... | checked | impl/miss-anchor.rb:7:52:7:92 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression |
|
||||
| impl/miss-anchor.rb:15:47:15:50 | name | impl/miss-anchor.rb:14:12:14:15 | name : | impl/miss-anchor.rb:15:47:15:50 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:14:12:14:15 | name | library input | impl/miss-anchor.rb:15:47:15:97 | ... !~ ... | checked | impl/miss-anchor.rb:15:56:15:96 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression |
|
||||
| impl/miss-anchor.rb:3:39:3:42 | name | impl/miss-anchor.rb:2:12:2:15 | name | impl/miss-anchor.rb:3:39:3:42 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:2:12:2:15 | name | library input | impl/miss-anchor.rb:3:39:3:89 | ... !~ ... | checked | impl/miss-anchor.rb:3:48:3:88 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression |
|
||||
| impl/miss-anchor.rb:7:43:7:46 | name | impl/miss-anchor.rb:6:12:6:15 | name | impl/miss-anchor.rb:7:43:7:46 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:6:12:6:15 | name | library input | impl/miss-anchor.rb:7:43:7:93 | ... !~ ... | checked | impl/miss-anchor.rb:7:52:7:92 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression |
|
||||
| impl/miss-anchor.rb:15:47:15:50 | name | impl/miss-anchor.rb:14:12:14:15 | name | impl/miss-anchor.rb:15:47:15:50 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:14:12:14:15 | name | library input | impl/miss-anchor.rb:15:47:15:97 | ... !~ ... | checked | impl/miss-anchor.rb:15:56:15:96 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression |
|
||||
|
||||
@@ -1,168 +1,168 @@
|
||||
edges
|
||||
| ArchiveApiPathTraversal.rb:5:26:5:31 | call to params : | ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] : |
|
||||
| ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] : | ArchiveApiPathTraversal.rb:49:17:49:27 | destination : |
|
||||
| ArchiveApiPathTraversal.rb:10:11:10:16 | call to params : | ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] : |
|
||||
| ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] : | ArchiveApiPathTraversal.rb:67:13:67:16 | file : |
|
||||
| ArchiveApiPathTraversal.rb:15:9:15:14 | call to params : | ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] : |
|
||||
| ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] : | ArchiveApiPathTraversal.rb:75:11:75:18 | filename : |
|
||||
| ArchiveApiPathTraversal.rb:49:17:49:27 | destination : | ArchiveApiPathTraversal.rb:52:38:52:48 | destination : |
|
||||
| ArchiveApiPathTraversal.rb:52:9:52:24 | destination_file : | ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file |
|
||||
| ArchiveApiPathTraversal.rb:52:28:52:67 | call to join : | ArchiveApiPathTraversal.rb:52:9:52:24 | destination_file : |
|
||||
| ArchiveApiPathTraversal.rb:52:38:52:48 | destination : | ArchiveApiPathTraversal.rb:52:28:52:67 | call to join : |
|
||||
| ArchiveApiPathTraversal.rb:67:13:67:16 | file : | ArchiveApiPathTraversal.rb:68:20:68:23 | file |
|
||||
| ArchiveApiPathTraversal.rb:75:11:75:18 | filename : | ArchiveApiPathTraversal.rb:76:19:76:26 | filename |
|
||||
| tainted_path.rb:4:5:4:8 | path : | tainted_path.rb:5:26:5:29 | path |
|
||||
| tainted_path.rb:4:12:4:17 | call to params : | tainted_path.rb:4:12:4:24 | ...[...] : |
|
||||
| tainted_path.rb:4:12:4:24 | ...[...] : | tainted_path.rb:4:5:4:8 | path : |
|
||||
| tainted_path.rb:10:5:10:8 | path : | tainted_path.rb:11:26:11:29 | path |
|
||||
| tainted_path.rb:10:12:10:43 | call to absolute_path : | tainted_path.rb:10:5:10:8 | path : |
|
||||
| tainted_path.rb:10:31:10:36 | call to params : | tainted_path.rb:10:31:10:43 | ...[...] : |
|
||||
| tainted_path.rb:10:31:10:43 | ...[...] : | tainted_path.rb:10:12:10:43 | call to absolute_path : |
|
||||
| tainted_path.rb:16:5:16:8 | path : | tainted_path.rb:17:26:17:29 | path |
|
||||
| tainted_path.rb:16:15:16:41 | call to dirname : | tainted_path.rb:16:5:16:8 | path : |
|
||||
| tainted_path.rb:16:28:16:33 | call to params : | tainted_path.rb:16:28:16:40 | ...[...] : |
|
||||
| tainted_path.rb:16:28:16:40 | ...[...] : | tainted_path.rb:16:15:16:41 | call to dirname : |
|
||||
| tainted_path.rb:22:5:22:8 | path : | tainted_path.rb:23:26:23:29 | path |
|
||||
| tainted_path.rb:22:12:22:41 | call to expand_path : | tainted_path.rb:22:5:22:8 | path : |
|
||||
| tainted_path.rb:22:29:22:34 | call to params : | tainted_path.rb:22:29:22:41 | ...[...] : |
|
||||
| tainted_path.rb:22:29:22:41 | ...[...] : | tainted_path.rb:22:12:22:41 | call to expand_path : |
|
||||
| tainted_path.rb:28:5:28:8 | path : | tainted_path.rb:29:26:29:29 | path |
|
||||
| tainted_path.rb:28:12:28:34 | call to path : | tainted_path.rb:28:5:28:8 | path : |
|
||||
| tainted_path.rb:28:22:28:27 | call to params : | tainted_path.rb:28:22:28:34 | ...[...] : |
|
||||
| tainted_path.rb:28:22:28:34 | ...[...] : | tainted_path.rb:28:12:28:34 | call to path : |
|
||||
| tainted_path.rb:34:5:34:8 | path : | tainted_path.rb:35:26:35:29 | path |
|
||||
| tainted_path.rb:34:12:34:41 | call to realdirpath : | tainted_path.rb:34:5:34:8 | path : |
|
||||
| tainted_path.rb:34:29:34:34 | call to params : | tainted_path.rb:34:29:34:41 | ...[...] : |
|
||||
| tainted_path.rb:34:29:34:41 | ...[...] : | tainted_path.rb:34:12:34:41 | call to realdirpath : |
|
||||
| tainted_path.rb:40:5:40:8 | path : | tainted_path.rb:41:26:41:29 | path |
|
||||
| tainted_path.rb:40:12:40:38 | call to realpath : | tainted_path.rb:40:5:40:8 | path : |
|
||||
| tainted_path.rb:40:26:40:31 | call to params : | tainted_path.rb:40:26:40:38 | ...[...] : |
|
||||
| tainted_path.rb:40:26:40:38 | ...[...] : | tainted_path.rb:40:12:40:38 | call to realpath : |
|
||||
| tainted_path.rb:47:5:47:8 | path : | tainted_path.rb:48:26:48:29 | path |
|
||||
| tainted_path.rb:47:12:47:63 | call to join : | tainted_path.rb:47:5:47:8 | path : |
|
||||
| tainted_path.rb:47:43:47:48 | call to params : | tainted_path.rb:47:43:47:55 | ...[...] : |
|
||||
| tainted_path.rb:47:43:47:55 | ...[...] : | tainted_path.rb:47:12:47:63 | call to join : |
|
||||
| tainted_path.rb:59:5:59:8 | path : | tainted_path.rb:60:26:60:29 | path |
|
||||
| tainted_path.rb:59:12:59:53 | call to new : | tainted_path.rb:59:5:59:8 | path : |
|
||||
| tainted_path.rb:59:40:59:45 | call to params : | tainted_path.rb:59:40:59:52 | ...[...] : |
|
||||
| tainted_path.rb:59:40:59:52 | ...[...] : | tainted_path.rb:59:12:59:53 | call to new : |
|
||||
| tainted_path.rb:71:5:71:8 | path : | tainted_path.rb:72:15:72:18 | path |
|
||||
| tainted_path.rb:71:12:71:53 | call to new : | tainted_path.rb:71:5:71:8 | path : |
|
||||
| tainted_path.rb:71:40:71:45 | call to params : | tainted_path.rb:71:40:71:52 | ...[...] : |
|
||||
| tainted_path.rb:71:40:71:52 | ...[...] : | tainted_path.rb:71:12:71:53 | call to new : |
|
||||
| tainted_path.rb:77:5:77:8 | path : | tainted_path.rb:78:19:78:22 | path |
|
||||
| tainted_path.rb:77:5:77:8 | path : | tainted_path.rb:79:14:79:17 | path |
|
||||
| tainted_path.rb:77:12:77:53 | call to new : | tainted_path.rb:77:5:77:8 | path : |
|
||||
| tainted_path.rb:77:40:77:45 | call to params : | tainted_path.rb:77:40:77:52 | ...[...] : |
|
||||
| tainted_path.rb:77:40:77:52 | ...[...] : | tainted_path.rb:77:12:77:53 | call to new : |
|
||||
| tainted_path.rb:84:5:84:8 | path : | tainted_path.rb:85:10:85:13 | path |
|
||||
| tainted_path.rb:84:5:84:8 | path : | tainted_path.rb:86:25:86:28 | path |
|
||||
| tainted_path.rb:84:12:84:53 | call to new : | tainted_path.rb:84:5:84:8 | path : |
|
||||
| tainted_path.rb:84:40:84:45 | call to params : | tainted_path.rb:84:40:84:52 | ...[...] : |
|
||||
| tainted_path.rb:84:40:84:52 | ...[...] : | tainted_path.rb:84:12:84:53 | call to new : |
|
||||
| tainted_path.rb:90:5:90:8 | path : | tainted_path.rb:92:11:92:14 | path |
|
||||
| tainted_path.rb:90:12:90:53 | call to new : | tainted_path.rb:90:5:90:8 | path : |
|
||||
| tainted_path.rb:90:40:90:45 | call to params : | tainted_path.rb:90:40:90:52 | ...[...] : |
|
||||
| tainted_path.rb:90:40:90:52 | ...[...] : | tainted_path.rb:90:12:90:53 | call to new : |
|
||||
| ArchiveApiPathTraversal.rb:5:26:5:31 | call to params | ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] |
|
||||
| ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] | ArchiveApiPathTraversal.rb:49:17:49:27 | destination |
|
||||
| ArchiveApiPathTraversal.rb:10:11:10:16 | call to params | ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] |
|
||||
| ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] | ArchiveApiPathTraversal.rb:67:13:67:16 | file |
|
||||
| ArchiveApiPathTraversal.rb:15:9:15:14 | call to params | ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] |
|
||||
| ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] | ArchiveApiPathTraversal.rb:75:11:75:18 | filename |
|
||||
| ArchiveApiPathTraversal.rb:49:17:49:27 | destination | ArchiveApiPathTraversal.rb:52:38:52:48 | destination |
|
||||
| ArchiveApiPathTraversal.rb:52:9:52:24 | destination_file | ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file |
|
||||
| ArchiveApiPathTraversal.rb:52:28:52:67 | call to join | ArchiveApiPathTraversal.rb:52:9:52:24 | destination_file |
|
||||
| ArchiveApiPathTraversal.rb:52:38:52:48 | destination | ArchiveApiPathTraversal.rb:52:28:52:67 | call to join |
|
||||
| ArchiveApiPathTraversal.rb:67:13:67:16 | file | ArchiveApiPathTraversal.rb:68:20:68:23 | file |
|
||||
| ArchiveApiPathTraversal.rb:75:11:75:18 | filename | ArchiveApiPathTraversal.rb:76:19:76:26 | filename |
|
||||
| tainted_path.rb:4:5:4:8 | path | tainted_path.rb:5:26:5:29 | path |
|
||||
| tainted_path.rb:4:12:4:17 | call to params | tainted_path.rb:4:12:4:24 | ...[...] |
|
||||
| tainted_path.rb:4:12:4:24 | ...[...] | tainted_path.rb:4:5:4:8 | path |
|
||||
| tainted_path.rb:10:5:10:8 | path | tainted_path.rb:11:26:11:29 | path |
|
||||
| tainted_path.rb:10:12:10:43 | call to absolute_path | tainted_path.rb:10:5:10:8 | path |
|
||||
| tainted_path.rb:10:31:10:36 | call to params | tainted_path.rb:10:31:10:43 | ...[...] |
|
||||
| tainted_path.rb:10:31:10:43 | ...[...] | tainted_path.rb:10:12:10:43 | call to absolute_path |
|
||||
| tainted_path.rb:16:5:16:8 | path | tainted_path.rb:17:26:17:29 | path |
|
||||
| tainted_path.rb:16:15:16:41 | call to dirname | tainted_path.rb:16:5:16:8 | path |
|
||||
| tainted_path.rb:16:28:16:33 | call to params | tainted_path.rb:16:28:16:40 | ...[...] |
|
||||
| tainted_path.rb:16:28:16:40 | ...[...] | tainted_path.rb:16:15:16:41 | call to dirname |
|
||||
| tainted_path.rb:22:5:22:8 | path | tainted_path.rb:23:26:23:29 | path |
|
||||
| tainted_path.rb:22:12:22:41 | call to expand_path | tainted_path.rb:22:5:22:8 | path |
|
||||
| tainted_path.rb:22:29:22:34 | call to params | tainted_path.rb:22:29:22:41 | ...[...] |
|
||||
| tainted_path.rb:22:29:22:41 | ...[...] | tainted_path.rb:22:12:22:41 | call to expand_path |
|
||||
| tainted_path.rb:28:5:28:8 | path | tainted_path.rb:29:26:29:29 | path |
|
||||
| tainted_path.rb:28:12:28:34 | call to path | tainted_path.rb:28:5:28:8 | path |
|
||||
| tainted_path.rb:28:22:28:27 | call to params | tainted_path.rb:28:22:28:34 | ...[...] |
|
||||
| tainted_path.rb:28:22:28:34 | ...[...] | tainted_path.rb:28:12:28:34 | call to path |
|
||||
| tainted_path.rb:34:5:34:8 | path | tainted_path.rb:35:26:35:29 | path |
|
||||
| tainted_path.rb:34:12:34:41 | call to realdirpath | tainted_path.rb:34:5:34:8 | path |
|
||||
| tainted_path.rb:34:29:34:34 | call to params | tainted_path.rb:34:29:34:41 | ...[...] |
|
||||
| tainted_path.rb:34:29:34:41 | ...[...] | tainted_path.rb:34:12:34:41 | call to realdirpath |
|
||||
| tainted_path.rb:40:5:40:8 | path | tainted_path.rb:41:26:41:29 | path |
|
||||
| tainted_path.rb:40:12:40:38 | call to realpath | tainted_path.rb:40:5:40:8 | path |
|
||||
| tainted_path.rb:40:26:40:31 | call to params | tainted_path.rb:40:26:40:38 | ...[...] |
|
||||
| tainted_path.rb:40:26:40:38 | ...[...] | tainted_path.rb:40:12:40:38 | call to realpath |
|
||||
| tainted_path.rb:47:5:47:8 | path | tainted_path.rb:48:26:48:29 | path |
|
||||
| tainted_path.rb:47:12:47:63 | call to join | tainted_path.rb:47:5:47:8 | path |
|
||||
| tainted_path.rb:47:43:47:48 | call to params | tainted_path.rb:47:43:47:55 | ...[...] |
|
||||
| tainted_path.rb:47:43:47:55 | ...[...] | tainted_path.rb:47:12:47:63 | call to join |
|
||||
| tainted_path.rb:59:5:59:8 | path | tainted_path.rb:60:26:60:29 | path |
|
||||
| tainted_path.rb:59:12:59:53 | call to new | tainted_path.rb:59:5:59:8 | path |
|
||||
| tainted_path.rb:59:40:59:45 | call to params | tainted_path.rb:59:40:59:52 | ...[...] |
|
||||
| tainted_path.rb:59:40:59:52 | ...[...] | tainted_path.rb:59:12:59:53 | call to new |
|
||||
| tainted_path.rb:71:5:71:8 | path | tainted_path.rb:72:15:72:18 | path |
|
||||
| tainted_path.rb:71:12:71:53 | call to new | tainted_path.rb:71:5:71:8 | path |
|
||||
| tainted_path.rb:71:40:71:45 | call to params | tainted_path.rb:71:40:71:52 | ...[...] |
|
||||
| tainted_path.rb:71:40:71:52 | ...[...] | tainted_path.rb:71:12:71:53 | call to new |
|
||||
| tainted_path.rb:77:5:77:8 | path | tainted_path.rb:78:19:78:22 | path |
|
||||
| tainted_path.rb:77:5:77:8 | path | tainted_path.rb:79:14:79:17 | path |
|
||||
| tainted_path.rb:77:12:77:53 | call to new | tainted_path.rb:77:5:77:8 | path |
|
||||
| tainted_path.rb:77:40:77:45 | call to params | tainted_path.rb:77:40:77:52 | ...[...] |
|
||||
| tainted_path.rb:77:40:77:52 | ...[...] | tainted_path.rb:77:12:77:53 | call to new |
|
||||
| tainted_path.rb:84:5:84:8 | path | tainted_path.rb:85:10:85:13 | path |
|
||||
| tainted_path.rb:84:5:84:8 | path | tainted_path.rb:86:25:86:28 | path |
|
||||
| tainted_path.rb:84:12:84:53 | call to new | tainted_path.rb:84:5:84:8 | path |
|
||||
| tainted_path.rb:84:40:84:45 | call to params | tainted_path.rb:84:40:84:52 | ...[...] |
|
||||
| tainted_path.rb:84:40:84:52 | ...[...] | tainted_path.rb:84:12:84:53 | call to new |
|
||||
| tainted_path.rb:90:5:90:8 | path | tainted_path.rb:92:11:92:14 | path |
|
||||
| tainted_path.rb:90:12:90:53 | call to new | tainted_path.rb:90:5:90:8 | path |
|
||||
| tainted_path.rb:90:40:90:45 | call to params | tainted_path.rb:90:40:90:52 | ...[...] |
|
||||
| tainted_path.rb:90:40:90:52 | ...[...] | tainted_path.rb:90:12:90:53 | call to new |
|
||||
nodes
|
||||
| ArchiveApiPathTraversal.rb:5:26:5:31 | call to params : | semmle.label | call to params : |
|
||||
| ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ArchiveApiPathTraversal.rb:10:11:10:16 | call to params : | semmle.label | call to params : |
|
||||
| ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ArchiveApiPathTraversal.rb:15:9:15:14 | call to params : | semmle.label | call to params : |
|
||||
| ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ArchiveApiPathTraversal.rb:49:17:49:27 | destination : | semmle.label | destination : |
|
||||
| ArchiveApiPathTraversal.rb:52:9:52:24 | destination_file : | semmle.label | destination_file : |
|
||||
| ArchiveApiPathTraversal.rb:52:28:52:67 | call to join : | semmle.label | call to join : |
|
||||
| ArchiveApiPathTraversal.rb:52:38:52:48 | destination : | semmle.label | destination : |
|
||||
| ArchiveApiPathTraversal.rb:5:26:5:31 | call to params | semmle.label | call to params |
|
||||
| ArchiveApiPathTraversal.rb:5:26:5:42 | ...[...] | semmle.label | ...[...] |
|
||||
| ArchiveApiPathTraversal.rb:10:11:10:16 | call to params | semmle.label | call to params |
|
||||
| ArchiveApiPathTraversal.rb:10:11:10:23 | ...[...] | semmle.label | ...[...] |
|
||||
| ArchiveApiPathTraversal.rb:15:9:15:14 | call to params | semmle.label | call to params |
|
||||
| ArchiveApiPathTraversal.rb:15:9:15:25 | ...[...] | semmle.label | ...[...] |
|
||||
| ArchiveApiPathTraversal.rb:49:17:49:27 | destination | semmle.label | destination |
|
||||
| ArchiveApiPathTraversal.rb:52:9:52:24 | destination_file | semmle.label | destination_file |
|
||||
| ArchiveApiPathTraversal.rb:52:28:52:67 | call to join | semmle.label | call to join |
|
||||
| ArchiveApiPathTraversal.rb:52:38:52:48 | destination | semmle.label | destination |
|
||||
| ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | semmle.label | destination_file |
|
||||
| ArchiveApiPathTraversal.rb:67:13:67:16 | file : | semmle.label | file : |
|
||||
| ArchiveApiPathTraversal.rb:67:13:67:16 | file | semmle.label | file |
|
||||
| ArchiveApiPathTraversal.rb:68:20:68:23 | file | semmle.label | file |
|
||||
| ArchiveApiPathTraversal.rb:75:11:75:18 | filename : | semmle.label | filename : |
|
||||
| ArchiveApiPathTraversal.rb:75:11:75:18 | filename | semmle.label | filename |
|
||||
| ArchiveApiPathTraversal.rb:76:19:76:26 | filename | semmle.label | filename |
|
||||
| tainted_path.rb:4:5:4:8 | path : | semmle.label | path : |
|
||||
| tainted_path.rb:4:12:4:17 | call to params : | semmle.label | call to params : |
|
||||
| tainted_path.rb:4:12:4:24 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_path.rb:4:5:4:8 | path | semmle.label | path |
|
||||
| tainted_path.rb:4:12:4:17 | call to params | semmle.label | call to params |
|
||||
| tainted_path.rb:4:12:4:24 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_path.rb:5:26:5:29 | path | semmle.label | path |
|
||||
| tainted_path.rb:10:5:10:8 | path : | semmle.label | path : |
|
||||
| tainted_path.rb:10:12:10:43 | call to absolute_path : | semmle.label | call to absolute_path : |
|
||||
| tainted_path.rb:10:31:10:36 | call to params : | semmle.label | call to params : |
|
||||
| tainted_path.rb:10:31:10:43 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_path.rb:10:5:10:8 | path | semmle.label | path |
|
||||
| tainted_path.rb:10:12:10:43 | call to absolute_path | semmle.label | call to absolute_path |
|
||||
| tainted_path.rb:10:31:10:36 | call to params | semmle.label | call to params |
|
||||
| tainted_path.rb:10:31:10:43 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_path.rb:11:26:11:29 | path | semmle.label | path |
|
||||
| tainted_path.rb:16:5:16:8 | path : | semmle.label | path : |
|
||||
| tainted_path.rb:16:15:16:41 | call to dirname : | semmle.label | call to dirname : |
|
||||
| tainted_path.rb:16:28:16:33 | call to params : | semmle.label | call to params : |
|
||||
| tainted_path.rb:16:28:16:40 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_path.rb:16:5:16:8 | path | semmle.label | path |
|
||||
| tainted_path.rb:16:15:16:41 | call to dirname | semmle.label | call to dirname |
|
||||
| tainted_path.rb:16:28:16:33 | call to params | semmle.label | call to params |
|
||||
| tainted_path.rb:16:28:16:40 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_path.rb:17:26:17:29 | path | semmle.label | path |
|
||||
| tainted_path.rb:22:5:22:8 | path : | semmle.label | path : |
|
||||
| tainted_path.rb:22:12:22:41 | call to expand_path : | semmle.label | call to expand_path : |
|
||||
| tainted_path.rb:22:29:22:34 | call to params : | semmle.label | call to params : |
|
||||
| tainted_path.rb:22:29:22:41 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_path.rb:22:5:22:8 | path | semmle.label | path |
|
||||
| tainted_path.rb:22:12:22:41 | call to expand_path | semmle.label | call to expand_path |
|
||||
| tainted_path.rb:22:29:22:34 | call to params | semmle.label | call to params |
|
||||
| tainted_path.rb:22:29:22:41 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_path.rb:23:26:23:29 | path | semmle.label | path |
|
||||
| tainted_path.rb:28:5:28:8 | path : | semmle.label | path : |
|
||||
| tainted_path.rb:28:12:28:34 | call to path : | semmle.label | call to path : |
|
||||
| tainted_path.rb:28:22:28:27 | call to params : | semmle.label | call to params : |
|
||||
| tainted_path.rb:28:22:28:34 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_path.rb:28:5:28:8 | path | semmle.label | path |
|
||||
| tainted_path.rb:28:12:28:34 | call to path | semmle.label | call to path |
|
||||
| tainted_path.rb:28:22:28:27 | call to params | semmle.label | call to params |
|
||||
| tainted_path.rb:28:22:28:34 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_path.rb:29:26:29:29 | path | semmle.label | path |
|
||||
| tainted_path.rb:34:5:34:8 | path : | semmle.label | path : |
|
||||
| tainted_path.rb:34:12:34:41 | call to realdirpath : | semmle.label | call to realdirpath : |
|
||||
| tainted_path.rb:34:29:34:34 | call to params : | semmle.label | call to params : |
|
||||
| tainted_path.rb:34:29:34:41 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_path.rb:34:5:34:8 | path | semmle.label | path |
|
||||
| tainted_path.rb:34:12:34:41 | call to realdirpath | semmle.label | call to realdirpath |
|
||||
| tainted_path.rb:34:29:34:34 | call to params | semmle.label | call to params |
|
||||
| tainted_path.rb:34:29:34:41 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_path.rb:35:26:35:29 | path | semmle.label | path |
|
||||
| tainted_path.rb:40:5:40:8 | path : | semmle.label | path : |
|
||||
| tainted_path.rb:40:12:40:38 | call to realpath : | semmle.label | call to realpath : |
|
||||
| tainted_path.rb:40:26:40:31 | call to params : | semmle.label | call to params : |
|
||||
| tainted_path.rb:40:26:40:38 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_path.rb:40:5:40:8 | path | semmle.label | path |
|
||||
| tainted_path.rb:40:12:40:38 | call to realpath | semmle.label | call to realpath |
|
||||
| tainted_path.rb:40:26:40:31 | call to params | semmle.label | call to params |
|
||||
| tainted_path.rb:40:26:40:38 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_path.rb:41:26:41:29 | path | semmle.label | path |
|
||||
| tainted_path.rb:47:5:47:8 | path : | semmle.label | path : |
|
||||
| tainted_path.rb:47:12:47:63 | call to join : | semmle.label | call to join : |
|
||||
| tainted_path.rb:47:43:47:48 | call to params : | semmle.label | call to params : |
|
||||
| tainted_path.rb:47:43:47:55 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_path.rb:47:5:47:8 | path | semmle.label | path |
|
||||
| tainted_path.rb:47:12:47:63 | call to join | semmle.label | call to join |
|
||||
| tainted_path.rb:47:43:47:48 | call to params | semmle.label | call to params |
|
||||
| tainted_path.rb:47:43:47:55 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_path.rb:48:26:48:29 | path | semmle.label | path |
|
||||
| tainted_path.rb:59:5:59:8 | path : | semmle.label | path : |
|
||||
| tainted_path.rb:59:12:59:53 | call to new : | semmle.label | call to new : |
|
||||
| tainted_path.rb:59:40:59:45 | call to params : | semmle.label | call to params : |
|
||||
| tainted_path.rb:59:40:59:52 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_path.rb:59:5:59:8 | path | semmle.label | path |
|
||||
| tainted_path.rb:59:12:59:53 | call to new | semmle.label | call to new |
|
||||
| tainted_path.rb:59:40:59:45 | call to params | semmle.label | call to params |
|
||||
| tainted_path.rb:59:40:59:52 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_path.rb:60:26:60:29 | path | semmle.label | path |
|
||||
| tainted_path.rb:71:5:71:8 | path : | semmle.label | path : |
|
||||
| tainted_path.rb:71:12:71:53 | call to new : | semmle.label | call to new : |
|
||||
| tainted_path.rb:71:40:71:45 | call to params : | semmle.label | call to params : |
|
||||
| tainted_path.rb:71:40:71:52 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_path.rb:71:5:71:8 | path | semmle.label | path |
|
||||
| tainted_path.rb:71:12:71:53 | call to new | semmle.label | call to new |
|
||||
| tainted_path.rb:71:40:71:45 | call to params | semmle.label | call to params |
|
||||
| tainted_path.rb:71:40:71:52 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_path.rb:72:15:72:18 | path | semmle.label | path |
|
||||
| tainted_path.rb:77:5:77:8 | path : | semmle.label | path : |
|
||||
| tainted_path.rb:77:12:77:53 | call to new : | semmle.label | call to new : |
|
||||
| tainted_path.rb:77:40:77:45 | call to params : | semmle.label | call to params : |
|
||||
| tainted_path.rb:77:40:77:52 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_path.rb:77:5:77:8 | path | semmle.label | path |
|
||||
| tainted_path.rb:77:12:77:53 | call to new | semmle.label | call to new |
|
||||
| tainted_path.rb:77:40:77:45 | call to params | semmle.label | call to params |
|
||||
| tainted_path.rb:77:40:77:52 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_path.rb:78:19:78:22 | path | semmle.label | path |
|
||||
| tainted_path.rb:79:14:79:17 | path | semmle.label | path |
|
||||
| tainted_path.rb:84:5:84:8 | path : | semmle.label | path : |
|
||||
| tainted_path.rb:84:12:84:53 | call to new : | semmle.label | call to new : |
|
||||
| tainted_path.rb:84:40:84:45 | call to params : | semmle.label | call to params : |
|
||||
| tainted_path.rb:84:40:84:52 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_path.rb:84:5:84:8 | path | semmle.label | path |
|
||||
| tainted_path.rb:84:12:84:53 | call to new | semmle.label | call to new |
|
||||
| tainted_path.rb:84:40:84:45 | call to params | semmle.label | call to params |
|
||||
| tainted_path.rb:84:40:84:52 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_path.rb:85:10:85:13 | path | semmle.label | path |
|
||||
| tainted_path.rb:86:25:86:28 | path | semmle.label | path |
|
||||
| tainted_path.rb:90:5:90:8 | path : | semmle.label | path : |
|
||||
| tainted_path.rb:90:12:90:53 | call to new : | semmle.label | call to new : |
|
||||
| tainted_path.rb:90:40:90:45 | call to params : | semmle.label | call to params : |
|
||||
| tainted_path.rb:90:40:90:52 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_path.rb:90:5:90:8 | path | semmle.label | path |
|
||||
| tainted_path.rb:90:12:90:53 | call to new | semmle.label | call to new |
|
||||
| tainted_path.rb:90:40:90:45 | call to params | semmle.label | call to params |
|
||||
| tainted_path.rb:90:40:90:52 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_path.rb:92:11:92:14 | path | semmle.label | path |
|
||||
subpaths
|
||||
#select
|
||||
| ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params : | ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | This path depends on a $@. | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params | user-provided value |
|
||||
| ArchiveApiPathTraversal.rb:68:20:68:23 | file | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params : | ArchiveApiPathTraversal.rb:68:20:68:23 | file | This path depends on a $@. | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params | user-provided value |
|
||||
| ArchiveApiPathTraversal.rb:76:19:76:26 | filename | ArchiveApiPathTraversal.rb:15:9:15:14 | call to params : | ArchiveApiPathTraversal.rb:76:19:76:26 | filename | This path depends on a $@. | ArchiveApiPathTraversal.rb:15:9:15:14 | call to params | user-provided value |
|
||||
| tainted_path.rb:5:26:5:29 | path | tainted_path.rb:4:12:4:17 | call to params : | tainted_path.rb:5:26:5:29 | path | This path depends on a $@. | tainted_path.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| tainted_path.rb:11:26:11:29 | path | tainted_path.rb:10:31:10:36 | call to params : | tainted_path.rb:11:26:11:29 | path | This path depends on a $@. | tainted_path.rb:10:31:10:36 | call to params | user-provided value |
|
||||
| tainted_path.rb:17:26:17:29 | path | tainted_path.rb:16:28:16:33 | call to params : | tainted_path.rb:17:26:17:29 | path | This path depends on a $@. | tainted_path.rb:16:28:16:33 | call to params | user-provided value |
|
||||
| tainted_path.rb:23:26:23:29 | path | tainted_path.rb:22:29:22:34 | call to params : | tainted_path.rb:23:26:23:29 | path | This path depends on a $@. | tainted_path.rb:22:29:22:34 | call to params | user-provided value |
|
||||
| tainted_path.rb:29:26:29:29 | path | tainted_path.rb:28:22:28:27 | call to params : | tainted_path.rb:29:26:29:29 | path | This path depends on a $@. | tainted_path.rb:28:22:28:27 | call to params | user-provided value |
|
||||
| tainted_path.rb:35:26:35:29 | path | tainted_path.rb:34:29:34:34 | call to params : | tainted_path.rb:35:26:35:29 | path | This path depends on a $@. | tainted_path.rb:34:29:34:34 | call to params | user-provided value |
|
||||
| tainted_path.rb:41:26:41:29 | path | tainted_path.rb:40:26:40:31 | call to params : | tainted_path.rb:41:26:41:29 | path | This path depends on a $@. | tainted_path.rb:40:26:40:31 | call to params | user-provided value |
|
||||
| tainted_path.rb:48:26:48:29 | path | tainted_path.rb:47:43:47:48 | call to params : | tainted_path.rb:48:26:48:29 | path | This path depends on a $@. | tainted_path.rb:47:43:47:48 | call to params | user-provided value |
|
||||
| tainted_path.rb:60:26:60:29 | path | tainted_path.rb:59:40:59:45 | call to params : | tainted_path.rb:60:26:60:29 | path | This path depends on a $@. | tainted_path.rb:59:40:59:45 | call to params | user-provided value |
|
||||
| tainted_path.rb:72:15:72:18 | path | tainted_path.rb:71:40:71:45 | call to params : | tainted_path.rb:72:15:72:18 | path | This path depends on a $@. | tainted_path.rb:71:40:71:45 | call to params | user-provided value |
|
||||
| tainted_path.rb:78:19:78:22 | path | tainted_path.rb:77:40:77:45 | call to params : | tainted_path.rb:78:19:78:22 | path | This path depends on a $@. | tainted_path.rb:77:40:77:45 | call to params | user-provided value |
|
||||
| tainted_path.rb:79:14:79:17 | path | tainted_path.rb:77:40:77:45 | call to params : | tainted_path.rb:79:14:79:17 | path | This path depends on a $@. | tainted_path.rb:77:40:77:45 | call to params | user-provided value |
|
||||
| tainted_path.rb:85:10:85:13 | path | tainted_path.rb:84:40:84:45 | call to params : | tainted_path.rb:85:10:85:13 | path | This path depends on a $@. | tainted_path.rb:84:40:84:45 | call to params | user-provided value |
|
||||
| tainted_path.rb:86:25:86:28 | path | tainted_path.rb:84:40:84:45 | call to params : | tainted_path.rb:86:25:86:28 | path | This path depends on a $@. | tainted_path.rb:84:40:84:45 | call to params | user-provided value |
|
||||
| tainted_path.rb:92:11:92:14 | path | tainted_path.rb:90:40:90:45 | call to params : | tainted_path.rb:92:11:92:14 | path | This path depends on a $@. | tainted_path.rb:90:40:90:45 | call to params | user-provided value |
|
||||
| ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params | ArchiveApiPathTraversal.rb:59:21:59:36 | destination_file | This path depends on a $@. | ArchiveApiPathTraversal.rb:5:26:5:31 | call to params | user-provided value |
|
||||
| ArchiveApiPathTraversal.rb:68:20:68:23 | file | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params | ArchiveApiPathTraversal.rb:68:20:68:23 | file | This path depends on a $@. | ArchiveApiPathTraversal.rb:10:11:10:16 | call to params | user-provided value |
|
||||
| ArchiveApiPathTraversal.rb:76:19:76:26 | filename | ArchiveApiPathTraversal.rb:15:9:15:14 | call to params | ArchiveApiPathTraversal.rb:76:19:76:26 | filename | This path depends on a $@. | ArchiveApiPathTraversal.rb:15:9:15:14 | call to params | user-provided value |
|
||||
| tainted_path.rb:5:26:5:29 | path | tainted_path.rb:4:12:4:17 | call to params | tainted_path.rb:5:26:5:29 | path | This path depends on a $@. | tainted_path.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| tainted_path.rb:11:26:11:29 | path | tainted_path.rb:10:31:10:36 | call to params | tainted_path.rb:11:26:11:29 | path | This path depends on a $@. | tainted_path.rb:10:31:10:36 | call to params | user-provided value |
|
||||
| tainted_path.rb:17:26:17:29 | path | tainted_path.rb:16:28:16:33 | call to params | tainted_path.rb:17:26:17:29 | path | This path depends on a $@. | tainted_path.rb:16:28:16:33 | call to params | user-provided value |
|
||||
| tainted_path.rb:23:26:23:29 | path | tainted_path.rb:22:29:22:34 | call to params | tainted_path.rb:23:26:23:29 | path | This path depends on a $@. | tainted_path.rb:22:29:22:34 | call to params | user-provided value |
|
||||
| tainted_path.rb:29:26:29:29 | path | tainted_path.rb:28:22:28:27 | call to params | tainted_path.rb:29:26:29:29 | path | This path depends on a $@. | tainted_path.rb:28:22:28:27 | call to params | user-provided value |
|
||||
| tainted_path.rb:35:26:35:29 | path | tainted_path.rb:34:29:34:34 | call to params | tainted_path.rb:35:26:35:29 | path | This path depends on a $@. | tainted_path.rb:34:29:34:34 | call to params | user-provided value |
|
||||
| tainted_path.rb:41:26:41:29 | path | tainted_path.rb:40:26:40:31 | call to params | tainted_path.rb:41:26:41:29 | path | This path depends on a $@. | tainted_path.rb:40:26:40:31 | call to params | user-provided value |
|
||||
| tainted_path.rb:48:26:48:29 | path | tainted_path.rb:47:43:47:48 | call to params | tainted_path.rb:48:26:48:29 | path | This path depends on a $@. | tainted_path.rb:47:43:47:48 | call to params | user-provided value |
|
||||
| tainted_path.rb:60:26:60:29 | path | tainted_path.rb:59:40:59:45 | call to params | tainted_path.rb:60:26:60:29 | path | This path depends on a $@. | tainted_path.rb:59:40:59:45 | call to params | user-provided value |
|
||||
| tainted_path.rb:72:15:72:18 | path | tainted_path.rb:71:40:71:45 | call to params | tainted_path.rb:72:15:72:18 | path | This path depends on a $@. | tainted_path.rb:71:40:71:45 | call to params | user-provided value |
|
||||
| tainted_path.rb:78:19:78:22 | path | tainted_path.rb:77:40:77:45 | call to params | tainted_path.rb:78:19:78:22 | path | This path depends on a $@. | tainted_path.rb:77:40:77:45 | call to params | user-provided value |
|
||||
| tainted_path.rb:79:14:79:17 | path | tainted_path.rb:77:40:77:45 | call to params | tainted_path.rb:79:14:79:17 | path | This path depends on a $@. | tainted_path.rb:77:40:77:45 | call to params | user-provided value |
|
||||
| tainted_path.rb:85:10:85:13 | path | tainted_path.rb:84:40:84:45 | call to params | tainted_path.rb:85:10:85:13 | path | This path depends on a $@. | tainted_path.rb:84:40:84:45 | call to params | user-provided value |
|
||||
| tainted_path.rb:86:25:86:28 | path | tainted_path.rb:84:40:84:45 | call to params | tainted_path.rb:86:25:86:28 | path | This path depends on a $@. | tainted_path.rb:84:40:84:45 | call to params | user-provided value |
|
||||
| tainted_path.rb:92:11:92:14 | path | tainted_path.rb:90:40:90:45 | call to params | tainted_path.rb:92:11:92:14 | path | This path depends on a $@. | tainted_path.rb:90:40:90:45 | call to params | user-provided value |
|
||||
|
||||
@@ -1,32 +1,32 @@
|
||||
edges
|
||||
| CommandInjection.rb:6:9:6:11 | cmd : | CommandInjection.rb:7:10:7:15 | #{...} |
|
||||
| CommandInjection.rb:6:9:6:11 | cmd : | CommandInjection.rb:8:16:8:18 | cmd |
|
||||
| CommandInjection.rb:6:9:6:11 | cmd : | CommandInjection.rb:10:14:10:16 | cmd |
|
||||
| CommandInjection.rb:6:9:6:11 | cmd : | CommandInjection.rb:11:17:11:22 | #{...} |
|
||||
| CommandInjection.rb:6:9:6:11 | cmd : | CommandInjection.rb:13:9:13:14 | #{...} |
|
||||
| CommandInjection.rb:6:9:6:11 | cmd : | CommandInjection.rb:29:19:29:24 | #{...} |
|
||||
| CommandInjection.rb:6:9:6:11 | cmd : | CommandInjection.rb:33:24:33:36 | "echo #{...}" |
|
||||
| CommandInjection.rb:6:9:6:11 | cmd : | CommandInjection.rb:34:39:34:51 | "grep #{...}" |
|
||||
| CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:6:15:6:26 | ...[...] : |
|
||||
| CommandInjection.rb:6:15:6:26 | ...[...] : | CommandInjection.rb:6:9:6:11 | cmd : |
|
||||
| CommandInjection.rb:46:9:46:11 | cmd : | CommandInjection.rb:50:24:50:36 | "echo #{...}" |
|
||||
| CommandInjection.rb:46:15:46:20 | call to params : | CommandInjection.rb:46:15:46:26 | ...[...] : |
|
||||
| CommandInjection.rb:46:15:46:26 | ...[...] : | CommandInjection.rb:46:9:46:11 | cmd : |
|
||||
| CommandInjection.rb:54:7:54:9 | cmd : | CommandInjection.rb:59:14:59:16 | cmd |
|
||||
| CommandInjection.rb:54:13:54:18 | call to params : | CommandInjection.rb:54:13:54:24 | ...[...] : |
|
||||
| CommandInjection.rb:54:13:54:24 | ...[...] : | CommandInjection.rb:54:7:54:9 | cmd : |
|
||||
| CommandInjection.rb:73:18:73:23 | number : | CommandInjection.rb:74:14:74:29 | "echo #{...}" |
|
||||
| CommandInjection.rb:81:23:81:33 | blah_number : | CommandInjection.rb:82:14:82:34 | "echo #{...}" |
|
||||
| CommandInjection.rb:90:20:90:25 | **args : | CommandInjection.rb:91:22:91:25 | args : |
|
||||
| CommandInjection.rb:91:22:91:25 | args : | CommandInjection.rb:91:22:91:37 | ...[...] : |
|
||||
| CommandInjection.rb:91:22:91:37 | ...[...] : | CommandInjection.rb:91:14:91:39 | "echo #{...}" |
|
||||
| CommandInjection.rb:103:9:103:12 | file : | CommandInjection.rb:104:16:104:28 | "cat #{...}" |
|
||||
| CommandInjection.rb:103:16:103:21 | call to params : | CommandInjection.rb:103:16:103:28 | ...[...] : |
|
||||
| CommandInjection.rb:103:16:103:28 | ...[...] : | CommandInjection.rb:103:9:103:12 | file : |
|
||||
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:7:10:7:15 | #{...} |
|
||||
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:8:16:8:18 | cmd |
|
||||
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:10:14:10:16 | cmd |
|
||||
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:11:17:11:22 | #{...} |
|
||||
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:13:9:13:14 | #{...} |
|
||||
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:29:19:29:24 | #{...} |
|
||||
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:33:24:33:36 | "echo #{...}" |
|
||||
| CommandInjection.rb:6:9:6:11 | cmd | CommandInjection.rb:34:39:34:51 | "grep #{...}" |
|
||||
| CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:6:15:6:26 | ...[...] |
|
||||
| CommandInjection.rb:6:15:6:26 | ...[...] | CommandInjection.rb:6:9:6:11 | cmd |
|
||||
| CommandInjection.rb:46:9:46:11 | cmd | CommandInjection.rb:50:24:50:36 | "echo #{...}" |
|
||||
| CommandInjection.rb:46:15:46:20 | call to params | CommandInjection.rb:46:15:46:26 | ...[...] |
|
||||
| CommandInjection.rb:46:15:46:26 | ...[...] | CommandInjection.rb:46:9:46:11 | cmd |
|
||||
| CommandInjection.rb:54:7:54:9 | cmd | CommandInjection.rb:59:14:59:16 | cmd |
|
||||
| CommandInjection.rb:54:13:54:18 | call to params | CommandInjection.rb:54:13:54:24 | ...[...] |
|
||||
| CommandInjection.rb:54:13:54:24 | ...[...] | CommandInjection.rb:54:7:54:9 | cmd |
|
||||
| CommandInjection.rb:73:18:73:23 | number | CommandInjection.rb:74:14:74:29 | "echo #{...}" |
|
||||
| CommandInjection.rb:81:23:81:33 | blah_number | CommandInjection.rb:82:14:82:34 | "echo #{...}" |
|
||||
| CommandInjection.rb:90:20:90:25 | **args | CommandInjection.rb:91:22:91:25 | args |
|
||||
| CommandInjection.rb:91:22:91:25 | args | CommandInjection.rb:91:22:91:37 | ...[...] |
|
||||
| CommandInjection.rb:91:22:91:37 | ...[...] | CommandInjection.rb:91:14:91:39 | "echo #{...}" |
|
||||
| CommandInjection.rb:103:9:103:12 | file | CommandInjection.rb:104:16:104:28 | "cat #{...}" |
|
||||
| CommandInjection.rb:103:16:103:21 | call to params | CommandInjection.rb:103:16:103:28 | ...[...] |
|
||||
| CommandInjection.rb:103:16:103:28 | ...[...] | CommandInjection.rb:103:9:103:12 | file |
|
||||
nodes
|
||||
| CommandInjection.rb:6:9:6:11 | cmd : | semmle.label | cmd : |
|
||||
| CommandInjection.rb:6:15:6:20 | call to params : | semmle.label | call to params : |
|
||||
| CommandInjection.rb:6:15:6:26 | ...[...] : | semmle.label | ...[...] : |
|
||||
| CommandInjection.rb:6:9:6:11 | cmd | semmle.label | cmd |
|
||||
| CommandInjection.rb:6:15:6:20 | call to params | semmle.label | call to params |
|
||||
| CommandInjection.rb:6:15:6:26 | ...[...] | semmle.label | ...[...] |
|
||||
| CommandInjection.rb:7:10:7:15 | #{...} | semmle.label | #{...} |
|
||||
| CommandInjection.rb:8:16:8:18 | cmd | semmle.label | cmd |
|
||||
| CommandInjection.rb:10:14:10:16 | cmd | semmle.label | cmd |
|
||||
@@ -35,39 +35,39 @@ nodes
|
||||
| CommandInjection.rb:29:19:29:24 | #{...} | semmle.label | #{...} |
|
||||
| CommandInjection.rb:33:24:33:36 | "echo #{...}" | semmle.label | "echo #{...}" |
|
||||
| CommandInjection.rb:34:39:34:51 | "grep #{...}" | semmle.label | "grep #{...}" |
|
||||
| CommandInjection.rb:46:9:46:11 | cmd : | semmle.label | cmd : |
|
||||
| CommandInjection.rb:46:15:46:20 | call to params : | semmle.label | call to params : |
|
||||
| CommandInjection.rb:46:15:46:26 | ...[...] : | semmle.label | ...[...] : |
|
||||
| CommandInjection.rb:46:9:46:11 | cmd | semmle.label | cmd |
|
||||
| CommandInjection.rb:46:15:46:20 | call to params | semmle.label | call to params |
|
||||
| CommandInjection.rb:46:15:46:26 | ...[...] | semmle.label | ...[...] |
|
||||
| CommandInjection.rb:50:24:50:36 | "echo #{...}" | semmle.label | "echo #{...}" |
|
||||
| CommandInjection.rb:54:7:54:9 | cmd : | semmle.label | cmd : |
|
||||
| CommandInjection.rb:54:13:54:18 | call to params : | semmle.label | call to params : |
|
||||
| CommandInjection.rb:54:13:54:24 | ...[...] : | semmle.label | ...[...] : |
|
||||
| CommandInjection.rb:54:7:54:9 | cmd | semmle.label | cmd |
|
||||
| CommandInjection.rb:54:13:54:18 | call to params | semmle.label | call to params |
|
||||
| CommandInjection.rb:54:13:54:24 | ...[...] | semmle.label | ...[...] |
|
||||
| CommandInjection.rb:59:14:59:16 | cmd | semmle.label | cmd |
|
||||
| CommandInjection.rb:73:18:73:23 | number : | semmle.label | number : |
|
||||
| CommandInjection.rb:73:18:73:23 | number | semmle.label | number |
|
||||
| CommandInjection.rb:74:14:74:29 | "echo #{...}" | semmle.label | "echo #{...}" |
|
||||
| CommandInjection.rb:81:23:81:33 | blah_number : | semmle.label | blah_number : |
|
||||
| CommandInjection.rb:81:23:81:33 | blah_number | semmle.label | blah_number |
|
||||
| CommandInjection.rb:82:14:82:34 | "echo #{...}" | semmle.label | "echo #{...}" |
|
||||
| CommandInjection.rb:90:20:90:25 | **args : | semmle.label | **args : |
|
||||
| CommandInjection.rb:90:20:90:25 | **args | semmle.label | **args |
|
||||
| CommandInjection.rb:91:14:91:39 | "echo #{...}" | semmle.label | "echo #{...}" |
|
||||
| CommandInjection.rb:91:22:91:25 | args : | semmle.label | args : |
|
||||
| CommandInjection.rb:91:22:91:37 | ...[...] : | semmle.label | ...[...] : |
|
||||
| CommandInjection.rb:103:9:103:12 | file : | semmle.label | file : |
|
||||
| CommandInjection.rb:103:16:103:21 | call to params : | semmle.label | call to params : |
|
||||
| CommandInjection.rb:103:16:103:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| CommandInjection.rb:91:22:91:25 | args | semmle.label | args |
|
||||
| CommandInjection.rb:91:22:91:37 | ...[...] | semmle.label | ...[...] |
|
||||
| CommandInjection.rb:103:9:103:12 | file | semmle.label | file |
|
||||
| CommandInjection.rb:103:16:103:21 | call to params | semmle.label | call to params |
|
||||
| CommandInjection.rb:103:16:103:28 | ...[...] | semmle.label | ...[...] |
|
||||
| CommandInjection.rb:104:16:104:28 | "cat #{...}" | semmle.label | "cat #{...}" |
|
||||
subpaths
|
||||
#select
|
||||
| CommandInjection.rb:7:10:7:15 | #{...} | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:7:10:7:15 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:8:16:8:18 | cmd | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:8:16:8:18 | cmd | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:10:14:10:16 | cmd | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:10:14:10:16 | cmd | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:11:17:11:22 | #{...} | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:11:17:11:22 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:13:9:13:14 | #{...} | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:13:9:13:14 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:29:19:29:24 | #{...} | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:29:19:29:24 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:33:24:33:36 | "echo #{...}" | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:33:24:33:36 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:34:39:34:51 | "grep #{...}" | CommandInjection.rb:6:15:6:20 | call to params : | CommandInjection.rb:34:39:34:51 | "grep #{...}" | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:50:24:50:36 | "echo #{...}" | CommandInjection.rb:46:15:46:20 | call to params : | CommandInjection.rb:50:24:50:36 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:46:15:46:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:59:14:59:16 | cmd | CommandInjection.rb:54:13:54:18 | call to params : | CommandInjection.rb:59:14:59:16 | cmd | This command depends on a $@. | CommandInjection.rb:54:13:54:18 | call to params | user-provided value |
|
||||
| CommandInjection.rb:74:14:74:29 | "echo #{...}" | CommandInjection.rb:73:18:73:23 | number : | CommandInjection.rb:74:14:74:29 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:73:18:73:23 | number | user-provided value |
|
||||
| CommandInjection.rb:82:14:82:34 | "echo #{...}" | CommandInjection.rb:81:23:81:33 | blah_number : | CommandInjection.rb:82:14:82:34 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:81:23:81:33 | blah_number | user-provided value |
|
||||
| CommandInjection.rb:91:14:91:39 | "echo #{...}" | CommandInjection.rb:90:20:90:25 | **args : | CommandInjection.rb:91:14:91:39 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:90:20:90:25 | **args | user-provided value |
|
||||
| CommandInjection.rb:104:16:104:28 | "cat #{...}" | CommandInjection.rb:103:16:103:21 | call to params : | CommandInjection.rb:104:16:104:28 | "cat #{...}" | This command depends on a $@. | CommandInjection.rb:103:16:103:21 | call to params | user-provided value |
|
||||
| CommandInjection.rb:7:10:7:15 | #{...} | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:7:10:7:15 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:8:16:8:18 | cmd | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:8:16:8:18 | cmd | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:10:14:10:16 | cmd | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:10:14:10:16 | cmd | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:11:17:11:22 | #{...} | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:11:17:11:22 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:13:9:13:14 | #{...} | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:13:9:13:14 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:29:19:29:24 | #{...} | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:29:19:29:24 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:33:24:33:36 | "echo #{...}" | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:33:24:33:36 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:34:39:34:51 | "grep #{...}" | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:34:39:34:51 | "grep #{...}" | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:50:24:50:36 | "echo #{...}" | CommandInjection.rb:46:15:46:20 | call to params | CommandInjection.rb:50:24:50:36 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:46:15:46:20 | call to params | user-provided value |
|
||||
| CommandInjection.rb:59:14:59:16 | cmd | CommandInjection.rb:54:13:54:18 | call to params | CommandInjection.rb:59:14:59:16 | cmd | This command depends on a $@. | CommandInjection.rb:54:13:54:18 | call to params | user-provided value |
|
||||
| CommandInjection.rb:74:14:74:29 | "echo #{...}" | CommandInjection.rb:73:18:73:23 | number | CommandInjection.rb:74:14:74:29 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:73:18:73:23 | number | user-provided value |
|
||||
| CommandInjection.rb:82:14:82:34 | "echo #{...}" | CommandInjection.rb:81:23:81:33 | blah_number | CommandInjection.rb:82:14:82:34 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:81:23:81:33 | blah_number | user-provided value |
|
||||
| CommandInjection.rb:91:14:91:39 | "echo #{...}" | CommandInjection.rb:90:20:90:25 | **args | CommandInjection.rb:91:14:91:39 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:90:20:90:25 | **args | user-provided value |
|
||||
| CommandInjection.rb:104:16:104:28 | "cat #{...}" | CommandInjection.rb:103:16:103:21 | call to params | CommandInjection.rb:104:16:104:28 | "cat #{...}" | This command depends on a $@. | CommandInjection.rb:103:16:103:21 | call to params | user-provided value |
|
||||
|
||||
@@ -1,21 +1,21 @@
|
||||
edges
|
||||
| KernelOpen.rb:3:5:3:8 | file : | KernelOpen.rb:4:10:4:13 | file |
|
||||
| KernelOpen.rb:3:5:3:8 | file : | KernelOpen.rb:5:13:5:16 | file |
|
||||
| KernelOpen.rb:3:5:3:8 | file : | KernelOpen.rb:6:14:6:17 | file |
|
||||
| KernelOpen.rb:3:5:3:8 | file : | KernelOpen.rb:7:16:7:19 | file |
|
||||
| KernelOpen.rb:3:5:3:8 | file : | KernelOpen.rb:8:17:8:20 | file |
|
||||
| KernelOpen.rb:3:5:3:8 | file : | KernelOpen.rb:9:16:9:19 | file |
|
||||
| KernelOpen.rb:3:5:3:8 | file : | KernelOpen.rb:10:18:10:21 | file |
|
||||
| KernelOpen.rb:3:5:3:8 | file : | KernelOpen.rb:11:14:11:17 | file |
|
||||
| KernelOpen.rb:3:5:3:8 | file : | KernelOpen.rb:13:23:13:26 | file : |
|
||||
| KernelOpen.rb:3:5:3:8 | file : | KernelOpen.rb:26:10:26:13 | file |
|
||||
| KernelOpen.rb:3:12:3:17 | call to params : | KernelOpen.rb:3:12:3:24 | ...[...] : |
|
||||
| KernelOpen.rb:3:12:3:24 | ...[...] : | KernelOpen.rb:3:5:3:8 | file : |
|
||||
| KernelOpen.rb:13:23:13:26 | file : | KernelOpen.rb:13:13:13:31 | call to join |
|
||||
| KernelOpen.rb:3:5:3:8 | file | KernelOpen.rb:4:10:4:13 | file |
|
||||
| KernelOpen.rb:3:5:3:8 | file | KernelOpen.rb:5:13:5:16 | file |
|
||||
| KernelOpen.rb:3:5:3:8 | file | KernelOpen.rb:6:14:6:17 | file |
|
||||
| KernelOpen.rb:3:5:3:8 | file | KernelOpen.rb:7:16:7:19 | file |
|
||||
| KernelOpen.rb:3:5:3:8 | file | KernelOpen.rb:8:17:8:20 | file |
|
||||
| KernelOpen.rb:3:5:3:8 | file | KernelOpen.rb:9:16:9:19 | file |
|
||||
| KernelOpen.rb:3:5:3:8 | file | KernelOpen.rb:10:18:10:21 | file |
|
||||
| KernelOpen.rb:3:5:3:8 | file | KernelOpen.rb:11:14:11:17 | file |
|
||||
| KernelOpen.rb:3:5:3:8 | file | KernelOpen.rb:13:23:13:26 | file |
|
||||
| KernelOpen.rb:3:5:3:8 | file | KernelOpen.rb:26:10:26:13 | file |
|
||||
| KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:3:12:3:24 | ...[...] |
|
||||
| KernelOpen.rb:3:12:3:24 | ...[...] | KernelOpen.rb:3:5:3:8 | file |
|
||||
| KernelOpen.rb:13:23:13:26 | file | KernelOpen.rb:13:13:13:31 | call to join |
|
||||
nodes
|
||||
| KernelOpen.rb:3:5:3:8 | file : | semmle.label | file : |
|
||||
| KernelOpen.rb:3:12:3:17 | call to params : | semmle.label | call to params : |
|
||||
| KernelOpen.rb:3:12:3:24 | ...[...] : | semmle.label | ...[...] : |
|
||||
| KernelOpen.rb:3:5:3:8 | file | semmle.label | file |
|
||||
| KernelOpen.rb:3:12:3:17 | call to params | semmle.label | call to params |
|
||||
| KernelOpen.rb:3:12:3:24 | ...[...] | semmle.label | ...[...] |
|
||||
| KernelOpen.rb:4:10:4:13 | file | semmle.label | file |
|
||||
| KernelOpen.rb:5:13:5:16 | file | semmle.label | file |
|
||||
| KernelOpen.rb:6:14:6:17 | file | semmle.label | file |
|
||||
@@ -25,17 +25,17 @@ nodes
|
||||
| KernelOpen.rb:10:18:10:21 | file | semmle.label | file |
|
||||
| KernelOpen.rb:11:14:11:17 | file | semmle.label | file |
|
||||
| KernelOpen.rb:13:13:13:31 | call to join | semmle.label | call to join |
|
||||
| KernelOpen.rb:13:23:13:26 | file : | semmle.label | file : |
|
||||
| KernelOpen.rb:13:23:13:26 | file | semmle.label | file |
|
||||
| KernelOpen.rb:26:10:26:13 | file | semmle.label | file |
|
||||
subpaths
|
||||
#select
|
||||
| KernelOpen.rb:4:10:4:13 | file | KernelOpen.rb:3:12:3:17 | call to params : | KernelOpen.rb:4:10:4:13 | file | This call to Kernel.open depends on a $@. Consider replacing it with File.open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:5:13:5:16 | file | KernelOpen.rb:3:12:3:17 | call to params : | KernelOpen.rb:5:13:5:16 | file | This call to IO.read depends on a $@. Consider replacing it with File.read. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:6:14:6:17 | file | KernelOpen.rb:3:12:3:17 | call to params : | KernelOpen.rb:6:14:6:17 | file | This call to IO.write depends on a $@. Consider replacing it with File.write. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:7:16:7:19 | file | KernelOpen.rb:3:12:3:17 | call to params : | KernelOpen.rb:7:16:7:19 | file | This call to IO.binread depends on a $@. Consider replacing it with File.binread. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:8:17:8:20 | file | KernelOpen.rb:3:12:3:17 | call to params : | KernelOpen.rb:8:17:8:20 | file | This call to IO.binwrite depends on a $@. Consider replacing it with File.binwrite. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:9:16:9:19 | file | KernelOpen.rb:3:12:3:17 | call to params : | KernelOpen.rb:9:16:9:19 | file | This call to IO.foreach depends on a $@. Consider replacing it with File.foreach. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:10:18:10:21 | file | KernelOpen.rb:3:12:3:17 | call to params : | KernelOpen.rb:10:18:10:21 | file | This call to IO.readlines depends on a $@. Consider replacing it with File.readlines. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:11:14:11:17 | file | KernelOpen.rb:3:12:3:17 | call to params : | KernelOpen.rb:11:14:11:17 | file | This call to URI.open depends on a $@. Consider replacing it with URI(<uri>).open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:13:13:13:31 | call to join | KernelOpen.rb:3:12:3:17 | call to params : | KernelOpen.rb:13:13:13:31 | call to join | This call to IO.read depends on a $@. Consider replacing it with File.read. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:26:10:26:13 | file | KernelOpen.rb:3:12:3:17 | call to params : | KernelOpen.rb:26:10:26:13 | file | This call to Kernel.open depends on a $@. Consider replacing it with File.open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:4:10:4:13 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:4:10:4:13 | file | This call to Kernel.open depends on a $@. Consider replacing it with File.open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:5:13:5:16 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:5:13:5:16 | file | This call to IO.read depends on a $@. Consider replacing it with File.read. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:6:14:6:17 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:6:14:6:17 | file | This call to IO.write depends on a $@. Consider replacing it with File.write. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:7:16:7:19 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:7:16:7:19 | file | This call to IO.binread depends on a $@. Consider replacing it with File.binread. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:8:17:8:20 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:8:17:8:20 | file | This call to IO.binwrite depends on a $@. Consider replacing it with File.binwrite. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:9:16:9:19 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:9:16:9:19 | file | This call to IO.foreach depends on a $@. Consider replacing it with File.foreach. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:10:18:10:21 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:10:18:10:21 | file | This call to IO.readlines depends on a $@. Consider replacing it with File.readlines. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:11:14:11:17 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:11:14:11:17 | file | This call to URI.open depends on a $@. Consider replacing it with URI(<uri>).open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:13:13:13:31 | call to join | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:13:13:13:31 | call to join | This call to IO.read depends on a $@. Consider replacing it with File.read. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:26:10:26:13 | file | KernelOpen.rb:3:12:3:17 | call to params | KernelOpen.rb:26:10:26:13 | file | This call to Kernel.open depends on a $@. Consider replacing it with File.open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
|
||||
@@ -1,16 +1,16 @@
|
||||
edges
|
||||
| lib/unsafeHtml.rb:2:31:2:34 | name : | lib/unsafeHtml.rb:3:10:3:16 | #{...} |
|
||||
| lib/unsafeHtml.rb:9:27:9:30 | name : | lib/unsafeHtml.rb:11:13:11:19 | #{...} |
|
||||
| lib/unsafeHtml.rb:16:19:16:22 | name : | lib/unsafeHtml.rb:17:28:17:31 | name |
|
||||
| lib/unsafeHtml.rb:2:31:2:34 | name | lib/unsafeHtml.rb:3:10:3:16 | #{...} |
|
||||
| lib/unsafeHtml.rb:9:27:9:30 | name | lib/unsafeHtml.rb:11:13:11:19 | #{...} |
|
||||
| lib/unsafeHtml.rb:16:19:16:22 | name | lib/unsafeHtml.rb:17:28:17:31 | name |
|
||||
nodes
|
||||
| lib/unsafeHtml.rb:2:31:2:34 | name : | semmle.label | name : |
|
||||
| lib/unsafeHtml.rb:2:31:2:34 | name | semmle.label | name |
|
||||
| lib/unsafeHtml.rb:3:10:3:16 | #{...} | semmle.label | #{...} |
|
||||
| lib/unsafeHtml.rb:9:27:9:30 | name : | semmle.label | name : |
|
||||
| lib/unsafeHtml.rb:9:27:9:30 | name | semmle.label | name |
|
||||
| lib/unsafeHtml.rb:11:13:11:19 | #{...} | semmle.label | #{...} |
|
||||
| lib/unsafeHtml.rb:16:19:16:22 | name : | semmle.label | name : |
|
||||
| lib/unsafeHtml.rb:16:19:16:22 | name | semmle.label | name |
|
||||
| lib/unsafeHtml.rb:17:28:17:31 | name | semmle.label | name |
|
||||
subpaths
|
||||
#select
|
||||
| lib/unsafeHtml.rb:3:10:3:16 | #{...} | lib/unsafeHtml.rb:2:31:2:34 | name : | lib/unsafeHtml.rb:3:10:3:16 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:2:31:2:34 | name | library input | lib/unsafeHtml.rb:3:5:3:22 | "<h2>#{...}</h2>" | cross-site scripting |
|
||||
| lib/unsafeHtml.rb:11:13:11:19 | #{...} | lib/unsafeHtml.rb:9:27:9:30 | name : | lib/unsafeHtml.rb:11:13:11:19 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:9:27:9:30 | name | library input | lib/unsafeHtml.rb:13:5:13:5 | h | cross-site scripting |
|
||||
| lib/unsafeHtml.rb:17:28:17:31 | name | lib/unsafeHtml.rb:16:19:16:22 | name : | lib/unsafeHtml.rb:17:28:17:31 | name | This string format which depends on $@ might later allow $@. | lib/unsafeHtml.rb:16:19:16:22 | name | library input | lib/unsafeHtml.rb:17:5:17:32 | call to sprintf | cross-site scripting |
|
||||
| lib/unsafeHtml.rb:3:10:3:16 | #{...} | lib/unsafeHtml.rb:2:31:2:34 | name | lib/unsafeHtml.rb:3:10:3:16 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:2:31:2:34 | name | library input | lib/unsafeHtml.rb:3:5:3:22 | "<h2>#{...}</h2>" | cross-site scripting |
|
||||
| lib/unsafeHtml.rb:11:13:11:19 | #{...} | lib/unsafeHtml.rb:9:27:9:30 | name | lib/unsafeHtml.rb:11:13:11:19 | #{...} | This string interpolation which depends on $@ might later allow $@. | lib/unsafeHtml.rb:9:27:9:30 | name | library input | lib/unsafeHtml.rb:13:5:13:5 | h | cross-site scripting |
|
||||
| lib/unsafeHtml.rb:17:28:17:31 | name | lib/unsafeHtml.rb:16:19:16:22 | name | lib/unsafeHtml.rb:17:28:17:31 | name | This string format which depends on $@ might later allow $@. | lib/unsafeHtml.rb:16:19:16:22 | name | library input | lib/unsafeHtml.rb:17:5:17:32 | call to sprintf | cross-site scripting |
|
||||
|
||||
@@ -1,161 +1,161 @@
|
||||
edges
|
||||
| ActiveRecordInjection.rb:8:25:8:28 | name : | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" |
|
||||
| ActiveRecordInjection.rb:8:31:8:34 | pass : | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" |
|
||||
| ActiveRecordInjection.rb:20:22:20:30 | condition : | ActiveRecordInjection.rb:23:16:23:24 | condition |
|
||||
| ActiveRecordInjection.rb:35:30:35:35 | call to params : | ActiveRecordInjection.rb:35:30:35:44 | ...[...] |
|
||||
| ActiveRecordInjection.rb:39:18:39:23 | call to params : | ActiveRecordInjection.rb:39:18:39:32 | ...[...] |
|
||||
| ActiveRecordInjection.rb:43:29:43:34 | call to params : | ActiveRecordInjection.rb:43:29:43:39 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:43:29:43:39 | ...[...] : | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:48:30:48:35 | call to params : | ActiveRecordInjection.rb:48:30:48:40 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:48:30:48:40 | ...[...] : | ActiveRecordInjection.rb:48:21:48:43 | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:52:31:52:36 | call to params : | ActiveRecordInjection.rb:52:31:52:41 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:52:31:52:41 | ...[...] : | ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:57:32:57:37 | call to params : | ActiveRecordInjection.rb:57:32:57:42 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:57:32:57:42 | ...[...] : | ActiveRecordInjection.rb:57:23:57:45 | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:62:21:62:26 | call to params : | ActiveRecordInjection.rb:62:21:62:35 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:62:21:62:35 | ...[...] : | ActiveRecordInjection.rb:61:16:61:21 | <<-SQL |
|
||||
| ActiveRecordInjection.rb:68:34:68:39 | call to params : | ActiveRecordInjection.rb:68:34:68:44 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:68:34:68:44 | ...[...] : | ActiveRecordInjection.rb:68:20:68:47 | "user.id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:70:23:70:28 | call to params : | ActiveRecordInjection.rb:70:23:70:35 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:70:23:70:35 | ...[...] : | ActiveRecordInjection.rb:8:25:8:28 | name : |
|
||||
| ActiveRecordInjection.rb:70:38:70:43 | call to params : | ActiveRecordInjection.rb:70:38:70:50 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:70:38:70:50 | ...[...] : | ActiveRecordInjection.rb:8:31:8:34 | pass : |
|
||||
| ActiveRecordInjection.rb:74:41:74:46 | call to params : | ActiveRecordInjection.rb:74:41:74:51 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:74:41:74:51 | ...[...] : | ActiveRecordInjection.rb:74:32:74:54 | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:83:17:83:22 | call to params : | ActiveRecordInjection.rb:83:17:83:31 | ...[...] |
|
||||
| ActiveRecordInjection.rb:84:19:84:24 | call to params : | ActiveRecordInjection.rb:84:19:84:33 | ...[...] |
|
||||
| ActiveRecordInjection.rb:88:18:88:23 | call to params : | ActiveRecordInjection.rb:88:18:88:35 | ...[...] |
|
||||
| ActiveRecordInjection.rb:92:21:92:26 | call to params : | ActiveRecordInjection.rb:92:21:92:35 | ...[...] |
|
||||
| ActiveRecordInjection.rb:94:18:94:23 | call to params : | ActiveRecordInjection.rb:94:18:94:35 | ...[...] |
|
||||
| ActiveRecordInjection.rb:96:23:96:28 | call to params : | ActiveRecordInjection.rb:96:23:96:47 | ...[...] |
|
||||
| ActiveRecordInjection.rb:102:5:102:6 | ps : | ActiveRecordInjection.rb:103:11:103:12 | ps : |
|
||||
| ActiveRecordInjection.rb:102:10:102:15 | call to params : | ActiveRecordInjection.rb:102:5:102:6 | ps : |
|
||||
| ActiveRecordInjection.rb:103:5:103:7 | uid : | ActiveRecordInjection.rb:104:5:104:9 | uidEq : |
|
||||
| ActiveRecordInjection.rb:103:11:103:12 | ps : | ActiveRecordInjection.rb:103:11:103:17 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:103:11:103:17 | ...[...] : | ActiveRecordInjection.rb:103:5:103:7 | uid : |
|
||||
| ActiveRecordInjection.rb:104:5:104:9 | uidEq : | ActiveRecordInjection.rb:108:20:108:32 | ... + ... |
|
||||
| ActiveRecordInjection.rb:141:21:141:26 | call to params : | ActiveRecordInjection.rb:141:21:141:44 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:141:21:141:44 | ...[...] : | ActiveRecordInjection.rb:20:22:20:30 | condition : |
|
||||
| ActiveRecordInjection.rb:155:59:155:64 | call to params : | ActiveRecordInjection.rb:155:59:155:74 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:155:59:155:74 | ...[...] : | ActiveRecordInjection.rb:155:27:155:76 | "this is an unsafe annotation:..." |
|
||||
| ActiveRecordInjection.rb:166:5:166:13 | my_params : | ActiveRecordInjection.rb:167:47:167:55 | my_params : |
|
||||
| ActiveRecordInjection.rb:166:17:166:32 | call to permitted_params : | ActiveRecordInjection.rb:166:5:166:13 | my_params : |
|
||||
| ActiveRecordInjection.rb:167:5:167:9 | query : | ActiveRecordInjection.rb:168:37:168:41 | query |
|
||||
| ActiveRecordInjection.rb:167:47:167:55 | my_params : | ActiveRecordInjection.rb:167:47:167:65 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:167:47:167:65 | ...[...] : | ActiveRecordInjection.rb:167:5:167:9 | query : |
|
||||
| ActiveRecordInjection.rb:173:5:173:10 | call to params : | ActiveRecordInjection.rb:173:5:173:27 | call to require : |
|
||||
| ActiveRecordInjection.rb:173:5:173:27 | call to require : | ActiveRecordInjection.rb:173:5:173:59 | call to permit : |
|
||||
| ActiveRecordInjection.rb:173:5:173:59 | call to permit : | ActiveRecordInjection.rb:166:17:166:32 | call to permitted_params : |
|
||||
| ActiveRecordInjection.rb:173:5:173:59 | call to permit : | ActiveRecordInjection.rb:177:77:177:92 | call to permitted_params : |
|
||||
| ActiveRecordInjection.rb:173:5:173:59 | call to permit : | ActiveRecordInjection.rb:178:69:178:84 | call to permitted_params : |
|
||||
| ActiveRecordInjection.rb:177:77:177:92 | call to permitted_params : | ActiveRecordInjection.rb:177:77:177:102 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:177:77:177:102 | ...[...] : | ActiveRecordInjection.rb:177:43:177:104 | "SELECT * FROM users WHERE id ..." |
|
||||
| ActiveRecordInjection.rb:178:69:178:84 | call to permitted_params : | ActiveRecordInjection.rb:178:69:178:94 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:178:69:178:94 | ...[...] : | ActiveRecordInjection.rb:178:35:178:96 | "SELECT * FROM users WHERE id ..." |
|
||||
| ArelInjection.rb:4:5:4:8 | name : | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." |
|
||||
| ArelInjection.rb:4:12:4:17 | call to params : | ArelInjection.rb:4:12:4:29 | ...[...] : |
|
||||
| ArelInjection.rb:4:12:4:29 | ...[...] : | ArelInjection.rb:4:5:4:8 | name : |
|
||||
| ActiveRecordInjection.rb:8:25:8:28 | name | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" |
|
||||
| ActiveRecordInjection.rb:8:31:8:34 | pass | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" |
|
||||
| ActiveRecordInjection.rb:20:22:20:30 | condition | ActiveRecordInjection.rb:23:16:23:24 | condition |
|
||||
| ActiveRecordInjection.rb:35:30:35:35 | call to params | ActiveRecordInjection.rb:35:30:35:44 | ...[...] |
|
||||
| ActiveRecordInjection.rb:39:18:39:23 | call to params | ActiveRecordInjection.rb:39:18:39:32 | ...[...] |
|
||||
| ActiveRecordInjection.rb:43:29:43:34 | call to params | ActiveRecordInjection.rb:43:29:43:39 | ...[...] |
|
||||
| ActiveRecordInjection.rb:43:29:43:39 | ...[...] | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:48:30:48:35 | call to params | ActiveRecordInjection.rb:48:30:48:40 | ...[...] |
|
||||
| ActiveRecordInjection.rb:48:30:48:40 | ...[...] | ActiveRecordInjection.rb:48:21:48:43 | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:52:31:52:36 | call to params | ActiveRecordInjection.rb:52:31:52:41 | ...[...] |
|
||||
| ActiveRecordInjection.rb:52:31:52:41 | ...[...] | ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:57:32:57:37 | call to params | ActiveRecordInjection.rb:57:32:57:42 | ...[...] |
|
||||
| ActiveRecordInjection.rb:57:32:57:42 | ...[...] | ActiveRecordInjection.rb:57:23:57:45 | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:62:21:62:26 | call to params | ActiveRecordInjection.rb:62:21:62:35 | ...[...] |
|
||||
| ActiveRecordInjection.rb:62:21:62:35 | ...[...] | ActiveRecordInjection.rb:61:16:61:21 | <<-SQL |
|
||||
| ActiveRecordInjection.rb:68:34:68:39 | call to params | ActiveRecordInjection.rb:68:34:68:44 | ...[...] |
|
||||
| ActiveRecordInjection.rb:68:34:68:44 | ...[...] | ActiveRecordInjection.rb:68:20:68:47 | "user.id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:70:23:70:28 | call to params | ActiveRecordInjection.rb:70:23:70:35 | ...[...] |
|
||||
| ActiveRecordInjection.rb:70:23:70:35 | ...[...] | ActiveRecordInjection.rb:8:25:8:28 | name |
|
||||
| ActiveRecordInjection.rb:70:38:70:43 | call to params | ActiveRecordInjection.rb:70:38:70:50 | ...[...] |
|
||||
| ActiveRecordInjection.rb:70:38:70:50 | ...[...] | ActiveRecordInjection.rb:8:31:8:34 | pass |
|
||||
| ActiveRecordInjection.rb:74:41:74:46 | call to params | ActiveRecordInjection.rb:74:41:74:51 | ...[...] |
|
||||
| ActiveRecordInjection.rb:74:41:74:51 | ...[...] | ActiveRecordInjection.rb:74:32:74:54 | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:83:17:83:22 | call to params | ActiveRecordInjection.rb:83:17:83:31 | ...[...] |
|
||||
| ActiveRecordInjection.rb:84:19:84:24 | call to params | ActiveRecordInjection.rb:84:19:84:33 | ...[...] |
|
||||
| ActiveRecordInjection.rb:88:18:88:23 | call to params | ActiveRecordInjection.rb:88:18:88:35 | ...[...] |
|
||||
| ActiveRecordInjection.rb:92:21:92:26 | call to params | ActiveRecordInjection.rb:92:21:92:35 | ...[...] |
|
||||
| ActiveRecordInjection.rb:94:18:94:23 | call to params | ActiveRecordInjection.rb:94:18:94:35 | ...[...] |
|
||||
| ActiveRecordInjection.rb:96:23:96:28 | call to params | ActiveRecordInjection.rb:96:23:96:47 | ...[...] |
|
||||
| ActiveRecordInjection.rb:102:5:102:6 | ps | ActiveRecordInjection.rb:103:11:103:12 | ps |
|
||||
| ActiveRecordInjection.rb:102:10:102:15 | call to params | ActiveRecordInjection.rb:102:5:102:6 | ps |
|
||||
| ActiveRecordInjection.rb:103:5:103:7 | uid | ActiveRecordInjection.rb:104:5:104:9 | uidEq |
|
||||
| ActiveRecordInjection.rb:103:11:103:12 | ps | ActiveRecordInjection.rb:103:11:103:17 | ...[...] |
|
||||
| ActiveRecordInjection.rb:103:11:103:17 | ...[...] | ActiveRecordInjection.rb:103:5:103:7 | uid |
|
||||
| ActiveRecordInjection.rb:104:5:104:9 | uidEq | ActiveRecordInjection.rb:108:20:108:32 | ... + ... |
|
||||
| ActiveRecordInjection.rb:141:21:141:26 | call to params | ActiveRecordInjection.rb:141:21:141:44 | ...[...] |
|
||||
| ActiveRecordInjection.rb:141:21:141:44 | ...[...] | ActiveRecordInjection.rb:20:22:20:30 | condition |
|
||||
| ActiveRecordInjection.rb:155:59:155:64 | call to params | ActiveRecordInjection.rb:155:59:155:74 | ...[...] |
|
||||
| ActiveRecordInjection.rb:155:59:155:74 | ...[...] | ActiveRecordInjection.rb:155:27:155:76 | "this is an unsafe annotation:..." |
|
||||
| ActiveRecordInjection.rb:166:5:166:13 | my_params | ActiveRecordInjection.rb:167:47:167:55 | my_params |
|
||||
| ActiveRecordInjection.rb:166:17:166:32 | call to permitted_params | ActiveRecordInjection.rb:166:5:166:13 | my_params |
|
||||
| ActiveRecordInjection.rb:167:5:167:9 | query | ActiveRecordInjection.rb:168:37:168:41 | query |
|
||||
| ActiveRecordInjection.rb:167:47:167:55 | my_params | ActiveRecordInjection.rb:167:47:167:65 | ...[...] |
|
||||
| ActiveRecordInjection.rb:167:47:167:65 | ...[...] | ActiveRecordInjection.rb:167:5:167:9 | query |
|
||||
| ActiveRecordInjection.rb:173:5:173:10 | call to params | ActiveRecordInjection.rb:173:5:173:27 | call to require |
|
||||
| ActiveRecordInjection.rb:173:5:173:27 | call to require | ActiveRecordInjection.rb:173:5:173:59 | call to permit |
|
||||
| ActiveRecordInjection.rb:173:5:173:59 | call to permit | ActiveRecordInjection.rb:166:17:166:32 | call to permitted_params |
|
||||
| ActiveRecordInjection.rb:173:5:173:59 | call to permit | ActiveRecordInjection.rb:177:77:177:92 | call to permitted_params |
|
||||
| ActiveRecordInjection.rb:173:5:173:59 | call to permit | ActiveRecordInjection.rb:178:69:178:84 | call to permitted_params |
|
||||
| ActiveRecordInjection.rb:177:77:177:92 | call to permitted_params | ActiveRecordInjection.rb:177:77:177:102 | ...[...] |
|
||||
| ActiveRecordInjection.rb:177:77:177:102 | ...[...] | ActiveRecordInjection.rb:177:43:177:104 | "SELECT * FROM users WHERE id ..." |
|
||||
| ActiveRecordInjection.rb:178:69:178:84 | call to permitted_params | ActiveRecordInjection.rb:178:69:178:94 | ...[...] |
|
||||
| ActiveRecordInjection.rb:178:69:178:94 | ...[...] | ActiveRecordInjection.rb:178:35:178:96 | "SELECT * FROM users WHERE id ..." |
|
||||
| ArelInjection.rb:4:5:4:8 | name | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." |
|
||||
| ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:4:12:4:29 | ...[...] |
|
||||
| ArelInjection.rb:4:12:4:29 | ...[...] | ArelInjection.rb:4:5:4:8 | name |
|
||||
nodes
|
||||
| ActiveRecordInjection.rb:8:25:8:28 | name : | semmle.label | name : |
|
||||
| ActiveRecordInjection.rb:8:31:8:34 | pass : | semmle.label | pass : |
|
||||
| ActiveRecordInjection.rb:8:25:8:28 | name | semmle.label | name |
|
||||
| ActiveRecordInjection.rb:8:31:8:34 | pass | semmle.label | pass |
|
||||
| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | semmle.label | "name='#{...}' and pass='#{...}'" |
|
||||
| ActiveRecordInjection.rb:20:22:20:30 | condition : | semmle.label | condition : |
|
||||
| ActiveRecordInjection.rb:20:22:20:30 | condition | semmle.label | condition |
|
||||
| ActiveRecordInjection.rb:23:16:23:24 | condition | semmle.label | condition |
|
||||
| ActiveRecordInjection.rb:35:30:35:35 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:35:30:35:35 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:35:30:35:44 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:39:18:39:23 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:39:18:39:23 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:39:18:39:32 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:43:29:43:34 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:43:29:43:39 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:43:29:43:34 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:43:29:43:39 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:48:21:48:43 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:48:30:48:35 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:48:30:48:40 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:48:30:48:35 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:48:30:48:40 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:52:31:52:36 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:52:31:52:41 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:52:31:52:36 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:52:31:52:41 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:57:23:57:45 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:57:32:57:37 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:57:32:57:42 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:57:32:57:37 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:57:32:57:42 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:61:16:61:21 | <<-SQL | semmle.label | <<-SQL |
|
||||
| ActiveRecordInjection.rb:62:21:62:26 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:62:21:62:35 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:62:21:62:26 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:62:21:62:35 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:68:20:68:47 | "user.id = '#{...}'" | semmle.label | "user.id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:68:34:68:39 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:68:34:68:44 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:70:23:70:28 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:70:23:70:35 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:70:38:70:43 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:70:38:70:50 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:68:34:68:39 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:68:34:68:44 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:70:23:70:28 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:70:23:70:35 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:70:38:70:43 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:70:38:70:50 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:74:32:74:54 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:74:41:74:46 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:74:41:74:51 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:83:17:83:22 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:74:41:74:46 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:74:41:74:51 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:83:17:83:22 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:83:17:83:31 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:84:19:84:24 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:84:19:84:24 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:84:19:84:33 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:88:18:88:23 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:88:18:88:23 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:88:18:88:35 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:92:21:92:26 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:92:21:92:26 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:92:21:92:35 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:94:18:94:23 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:94:18:94:23 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:94:18:94:35 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:96:23:96:28 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:96:23:96:28 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:96:23:96:47 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:102:5:102:6 | ps : | semmle.label | ps : |
|
||||
| ActiveRecordInjection.rb:102:10:102:15 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:103:5:103:7 | uid : | semmle.label | uid : |
|
||||
| ActiveRecordInjection.rb:103:11:103:12 | ps : | semmle.label | ps : |
|
||||
| ActiveRecordInjection.rb:103:11:103:17 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:104:5:104:9 | uidEq : | semmle.label | uidEq : |
|
||||
| ActiveRecordInjection.rb:102:5:102:6 | ps | semmle.label | ps |
|
||||
| ActiveRecordInjection.rb:102:10:102:15 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:103:5:103:7 | uid | semmle.label | uid |
|
||||
| ActiveRecordInjection.rb:103:11:103:12 | ps | semmle.label | ps |
|
||||
| ActiveRecordInjection.rb:103:11:103:17 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:104:5:104:9 | uidEq | semmle.label | uidEq |
|
||||
| ActiveRecordInjection.rb:108:20:108:32 | ... + ... | semmle.label | ... + ... |
|
||||
| ActiveRecordInjection.rb:141:21:141:26 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:141:21:141:44 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:141:21:141:26 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:141:21:141:44 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:155:27:155:76 | "this is an unsafe annotation:..." | semmle.label | "this is an unsafe annotation:..." |
|
||||
| ActiveRecordInjection.rb:155:59:155:64 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:155:59:155:74 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:166:5:166:13 | my_params : | semmle.label | my_params : |
|
||||
| ActiveRecordInjection.rb:166:17:166:32 | call to permitted_params : | semmle.label | call to permitted_params : |
|
||||
| ActiveRecordInjection.rb:167:5:167:9 | query : | semmle.label | query : |
|
||||
| ActiveRecordInjection.rb:167:47:167:55 | my_params : | semmle.label | my_params : |
|
||||
| ActiveRecordInjection.rb:167:47:167:65 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:155:59:155:64 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:155:59:155:74 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:166:5:166:13 | my_params | semmle.label | my_params |
|
||||
| ActiveRecordInjection.rb:166:17:166:32 | call to permitted_params | semmle.label | call to permitted_params |
|
||||
| ActiveRecordInjection.rb:167:5:167:9 | query | semmle.label | query |
|
||||
| ActiveRecordInjection.rb:167:47:167:55 | my_params | semmle.label | my_params |
|
||||
| ActiveRecordInjection.rb:167:47:167:65 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:168:37:168:41 | query | semmle.label | query |
|
||||
| ActiveRecordInjection.rb:173:5:173:10 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:173:5:173:27 | call to require : | semmle.label | call to require : |
|
||||
| ActiveRecordInjection.rb:173:5:173:59 | call to permit : | semmle.label | call to permit : |
|
||||
| ActiveRecordInjection.rb:173:5:173:10 | call to params | semmle.label | call to params |
|
||||
| ActiveRecordInjection.rb:173:5:173:27 | call to require | semmle.label | call to require |
|
||||
| ActiveRecordInjection.rb:173:5:173:59 | call to permit | semmle.label | call to permit |
|
||||
| ActiveRecordInjection.rb:177:43:177:104 | "SELECT * FROM users WHERE id ..." | semmle.label | "SELECT * FROM users WHERE id ..." |
|
||||
| ActiveRecordInjection.rb:177:77:177:92 | call to permitted_params : | semmle.label | call to permitted_params : |
|
||||
| ActiveRecordInjection.rb:177:77:177:102 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:177:77:177:92 | call to permitted_params | semmle.label | call to permitted_params |
|
||||
| ActiveRecordInjection.rb:177:77:177:102 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:178:35:178:96 | "SELECT * FROM users WHERE id ..." | semmle.label | "SELECT * FROM users WHERE id ..." |
|
||||
| ActiveRecordInjection.rb:178:69:178:84 | call to permitted_params : | semmle.label | call to permitted_params : |
|
||||
| ActiveRecordInjection.rb:178:69:178:94 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ArelInjection.rb:4:5:4:8 | name : | semmle.label | name : |
|
||||
| ArelInjection.rb:4:12:4:17 | call to params : | semmle.label | call to params : |
|
||||
| ArelInjection.rb:4:12:4:29 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:178:69:178:84 | call to permitted_params | semmle.label | call to permitted_params |
|
||||
| ActiveRecordInjection.rb:178:69:178:94 | ...[...] | semmle.label | ...[...] |
|
||||
| ArelInjection.rb:4:5:4:8 | name | semmle.label | name |
|
||||
| ArelInjection.rb:4:12:4:17 | call to params | semmle.label | call to params |
|
||||
| ArelInjection.rb:4:12:4:29 | ...[...] | semmle.label | ...[...] |
|
||||
| ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | semmle.label | "SELECT * FROM users WHERE nam..." |
|
||||
subpaths
|
||||
#select
|
||||
| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:70:23:70:28 | call to params : | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:70:23:70:28 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:70:38:70:43 | call to params : | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:70:38:70:43 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:23:16:23:24 | condition | ActiveRecordInjection.rb:141:21:141:26 | call to params : | ActiveRecordInjection.rb:23:16:23:24 | condition | This SQL query depends on a $@. | ActiveRecordInjection.rb:141:21:141:26 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:35:30:35:44 | ...[...] | ActiveRecordInjection.rb:35:30:35:35 | call to params : | ActiveRecordInjection.rb:35:30:35:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:35:30:35:35 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:39:18:39:32 | ...[...] | ActiveRecordInjection.rb:39:18:39:23 | call to params : | ActiveRecordInjection.rb:39:18:39:32 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:39:18:39:23 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | ActiveRecordInjection.rb:43:29:43:34 | call to params : | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:43:29:43:34 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:48:21:48:43 | "id = '#{...}'" | ActiveRecordInjection.rb:48:30:48:35 | call to params : | ActiveRecordInjection.rb:48:21:48:43 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:48:30:48:35 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" | ActiveRecordInjection.rb:52:31:52:36 | call to params : | ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:52:31:52:36 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:57:23:57:45 | "id = '#{...}'" | ActiveRecordInjection.rb:57:32:57:37 | call to params : | ActiveRecordInjection.rb:57:23:57:45 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:57:32:57:37 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:61:16:61:21 | <<-SQL | ActiveRecordInjection.rb:62:21:62:26 | call to params : | ActiveRecordInjection.rb:61:16:61:21 | <<-SQL | This SQL query depends on a $@. | ActiveRecordInjection.rb:62:21:62:26 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:68:20:68:47 | "user.id = '#{...}'" | ActiveRecordInjection.rb:68:34:68:39 | call to params : | ActiveRecordInjection.rb:68:20:68:47 | "user.id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:68:34:68:39 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:74:32:74:54 | "id = '#{...}'" | ActiveRecordInjection.rb:74:41:74:46 | call to params : | ActiveRecordInjection.rb:74:32:74:54 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:74:41:74:46 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:83:17:83:31 | ...[...] | ActiveRecordInjection.rb:83:17:83:22 | call to params : | ActiveRecordInjection.rb:83:17:83:31 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:83:17:83:22 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:84:19:84:33 | ...[...] | ActiveRecordInjection.rb:84:19:84:24 | call to params : | ActiveRecordInjection.rb:84:19:84:33 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:84:19:84:24 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:88:18:88:35 | ...[...] | ActiveRecordInjection.rb:88:18:88:23 | call to params : | ActiveRecordInjection.rb:88:18:88:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:88:18:88:23 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:92:21:92:35 | ...[...] | ActiveRecordInjection.rb:92:21:92:26 | call to params : | ActiveRecordInjection.rb:92:21:92:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:92:21:92:26 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:94:18:94:35 | ...[...] | ActiveRecordInjection.rb:94:18:94:23 | call to params : | ActiveRecordInjection.rb:94:18:94:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:94:18:94:23 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:96:23:96:47 | ...[...] | ActiveRecordInjection.rb:96:23:96:28 | call to params : | ActiveRecordInjection.rb:96:23:96:47 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:96:23:96:28 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:108:20:108:32 | ... + ... | ActiveRecordInjection.rb:102:10:102:15 | call to params : | ActiveRecordInjection.rb:108:20:108:32 | ... + ... | This SQL query depends on a $@. | ActiveRecordInjection.rb:102:10:102:15 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:155:27:155:76 | "this is an unsafe annotation:..." | ActiveRecordInjection.rb:155:59:155:64 | call to params : | ActiveRecordInjection.rb:155:27:155:76 | "this is an unsafe annotation:..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:155:59:155:64 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:168:37:168:41 | query | ActiveRecordInjection.rb:173:5:173:10 | call to params : | ActiveRecordInjection.rb:168:37:168:41 | query | This SQL query depends on a $@. | ActiveRecordInjection.rb:173:5:173:10 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:177:43:177:104 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:173:5:173:10 | call to params : | ActiveRecordInjection.rb:177:43:177:104 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:173:5:173:10 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:178:35:178:96 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:173:5:173:10 | call to params : | ActiveRecordInjection.rb:178:35:178:96 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:173:5:173:10 | call to params | user-provided value |
|
||||
| ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | ArelInjection.rb:4:12:4:17 | call to params : | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:70:23:70:28 | call to params | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:70:23:70:28 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:70:38:70:43 | call to params | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:70:38:70:43 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:23:16:23:24 | condition | ActiveRecordInjection.rb:141:21:141:26 | call to params | ActiveRecordInjection.rb:23:16:23:24 | condition | This SQL query depends on a $@. | ActiveRecordInjection.rb:141:21:141:26 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:35:30:35:44 | ...[...] | ActiveRecordInjection.rb:35:30:35:35 | call to params | ActiveRecordInjection.rb:35:30:35:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:35:30:35:35 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:39:18:39:32 | ...[...] | ActiveRecordInjection.rb:39:18:39:23 | call to params | ActiveRecordInjection.rb:39:18:39:32 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:39:18:39:23 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | ActiveRecordInjection.rb:43:29:43:34 | call to params | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:43:29:43:34 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:48:21:48:43 | "id = '#{...}'" | ActiveRecordInjection.rb:48:30:48:35 | call to params | ActiveRecordInjection.rb:48:21:48:43 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:48:30:48:35 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" | ActiveRecordInjection.rb:52:31:52:36 | call to params | ActiveRecordInjection.rb:52:22:52:44 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:52:31:52:36 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:57:23:57:45 | "id = '#{...}'" | ActiveRecordInjection.rb:57:32:57:37 | call to params | ActiveRecordInjection.rb:57:23:57:45 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:57:32:57:37 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:61:16:61:21 | <<-SQL | ActiveRecordInjection.rb:62:21:62:26 | call to params | ActiveRecordInjection.rb:61:16:61:21 | <<-SQL | This SQL query depends on a $@. | ActiveRecordInjection.rb:62:21:62:26 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:68:20:68:47 | "user.id = '#{...}'" | ActiveRecordInjection.rb:68:34:68:39 | call to params | ActiveRecordInjection.rb:68:20:68:47 | "user.id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:68:34:68:39 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:74:32:74:54 | "id = '#{...}'" | ActiveRecordInjection.rb:74:41:74:46 | call to params | ActiveRecordInjection.rb:74:32:74:54 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:74:41:74:46 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:83:17:83:31 | ...[...] | ActiveRecordInjection.rb:83:17:83:22 | call to params | ActiveRecordInjection.rb:83:17:83:31 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:83:17:83:22 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:84:19:84:33 | ...[...] | ActiveRecordInjection.rb:84:19:84:24 | call to params | ActiveRecordInjection.rb:84:19:84:33 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:84:19:84:24 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:88:18:88:35 | ...[...] | ActiveRecordInjection.rb:88:18:88:23 | call to params | ActiveRecordInjection.rb:88:18:88:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:88:18:88:23 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:92:21:92:35 | ...[...] | ActiveRecordInjection.rb:92:21:92:26 | call to params | ActiveRecordInjection.rb:92:21:92:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:92:21:92:26 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:94:18:94:35 | ...[...] | ActiveRecordInjection.rb:94:18:94:23 | call to params | ActiveRecordInjection.rb:94:18:94:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:94:18:94:23 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:96:23:96:47 | ...[...] | ActiveRecordInjection.rb:96:23:96:28 | call to params | ActiveRecordInjection.rb:96:23:96:47 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:96:23:96:28 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:108:20:108:32 | ... + ... | ActiveRecordInjection.rb:102:10:102:15 | call to params | ActiveRecordInjection.rb:108:20:108:32 | ... + ... | This SQL query depends on a $@. | ActiveRecordInjection.rb:102:10:102:15 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:155:27:155:76 | "this is an unsafe annotation:..." | ActiveRecordInjection.rb:155:59:155:64 | call to params | ActiveRecordInjection.rb:155:27:155:76 | "this is an unsafe annotation:..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:155:59:155:64 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:168:37:168:41 | query | ActiveRecordInjection.rb:173:5:173:10 | call to params | ActiveRecordInjection.rb:168:37:168:41 | query | This SQL query depends on a $@. | ActiveRecordInjection.rb:173:5:173:10 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:177:43:177:104 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:173:5:173:10 | call to params | ActiveRecordInjection.rb:177:43:177:104 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:173:5:173:10 | call to params | user-provided value |
|
||||
| ActiveRecordInjection.rb:178:35:178:96 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:173:5:173:10 | call to params | ActiveRecordInjection.rb:178:35:178:96 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:173:5:173:10 | call to params | user-provided value |
|
||||
| ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value |
|
||||
|
||||
@@ -1,42 +1,42 @@
|
||||
edges
|
||||
| app/controllers/users_controller.rb:15:5:15:15 | unsanitized : | app/controllers/users_controller.rb:16:19:16:29 | unsanitized |
|
||||
| app/controllers/users_controller.rb:15:5:15:15 | unsanitized : | app/controllers/users_controller.rb:17:19:17:41 | ... + ... |
|
||||
| app/controllers/users_controller.rb:15:5:15:15 | unsanitized : | app/controllers/users_controller.rb:23:20:23:30 | unsanitized : |
|
||||
| app/controllers/users_controller.rb:15:19:15:24 | call to params : | app/controllers/users_controller.rb:15:19:15:30 | ...[...] : |
|
||||
| app/controllers/users_controller.rb:15:19:15:30 | ...[...] : | app/controllers/users_controller.rb:15:5:15:15 | unsanitized : |
|
||||
| app/controllers/users_controller.rb:23:5:23:16 | unsanitized2 : | app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 |
|
||||
| app/controllers/users_controller.rb:23:5:23:16 | unsanitized2 : | app/controllers/users_controller.rb:27:16:27:39 | ... + ... |
|
||||
| app/controllers/users_controller.rb:23:20:23:30 | unsanitized : | app/controllers/users_controller.rb:23:20:23:44 | call to sub : |
|
||||
| app/controllers/users_controller.rb:23:20:23:44 | call to sub : | app/controllers/users_controller.rb:23:5:23:16 | unsanitized2 : |
|
||||
| app/controllers/users_controller.rb:33:5:33:15 | unsanitized : | app/controllers/users_controller.rb:34:33:34:43 | unsanitized |
|
||||
| app/controllers/users_controller.rb:33:5:33:15 | unsanitized : | app/controllers/users_controller.rb:35:33:35:55 | ... + ... |
|
||||
| app/controllers/users_controller.rb:33:19:33:25 | call to cookies : | app/controllers/users_controller.rb:33:19:33:31 | ...[...] : |
|
||||
| app/controllers/users_controller.rb:33:19:33:31 | ...[...] : | app/controllers/users_controller.rb:33:5:33:15 | unsanitized : |
|
||||
| app/controllers/users_controller.rb:49:19:49:24 | call to params : | app/controllers/users_controller.rb:49:19:49:30 | ...[...] |
|
||||
| app/controllers/users_controller.rb:15:5:15:15 | unsanitized | app/controllers/users_controller.rb:16:19:16:29 | unsanitized |
|
||||
| app/controllers/users_controller.rb:15:5:15:15 | unsanitized | app/controllers/users_controller.rb:17:19:17:41 | ... + ... |
|
||||
| app/controllers/users_controller.rb:15:5:15:15 | unsanitized | app/controllers/users_controller.rb:23:20:23:30 | unsanitized |
|
||||
| app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:15:19:15:30 | ...[...] |
|
||||
| app/controllers/users_controller.rb:15:19:15:30 | ...[...] | app/controllers/users_controller.rb:15:5:15:15 | unsanitized |
|
||||
| app/controllers/users_controller.rb:23:5:23:16 | unsanitized2 | app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 |
|
||||
| app/controllers/users_controller.rb:23:5:23:16 | unsanitized2 | app/controllers/users_controller.rb:27:16:27:39 | ... + ... |
|
||||
| app/controllers/users_controller.rb:23:20:23:30 | unsanitized | app/controllers/users_controller.rb:23:20:23:44 | call to sub |
|
||||
| app/controllers/users_controller.rb:23:20:23:44 | call to sub | app/controllers/users_controller.rb:23:5:23:16 | unsanitized2 |
|
||||
| app/controllers/users_controller.rb:33:5:33:15 | unsanitized | app/controllers/users_controller.rb:34:33:34:43 | unsanitized |
|
||||
| app/controllers/users_controller.rb:33:5:33:15 | unsanitized | app/controllers/users_controller.rb:35:33:35:55 | ... + ... |
|
||||
| app/controllers/users_controller.rb:33:19:33:25 | call to cookies | app/controllers/users_controller.rb:33:19:33:31 | ...[...] |
|
||||
| app/controllers/users_controller.rb:33:19:33:31 | ...[...] | app/controllers/users_controller.rb:33:5:33:15 | unsanitized |
|
||||
| app/controllers/users_controller.rb:49:19:49:24 | call to params | app/controllers/users_controller.rb:49:19:49:30 | ...[...] |
|
||||
nodes
|
||||
| app/controllers/users_controller.rb:15:5:15:15 | unsanitized : | semmle.label | unsanitized : |
|
||||
| app/controllers/users_controller.rb:15:19:15:24 | call to params : | semmle.label | call to params : |
|
||||
| app/controllers/users_controller.rb:15:19:15:30 | ...[...] : | semmle.label | ...[...] : |
|
||||
| app/controllers/users_controller.rb:15:5:15:15 | unsanitized | semmle.label | unsanitized |
|
||||
| app/controllers/users_controller.rb:15:19:15:24 | call to params | semmle.label | call to params |
|
||||
| app/controllers/users_controller.rb:15:19:15:30 | ...[...] | semmle.label | ...[...] |
|
||||
| app/controllers/users_controller.rb:16:19:16:29 | unsanitized | semmle.label | unsanitized |
|
||||
| app/controllers/users_controller.rb:17:19:17:41 | ... + ... | semmle.label | ... + ... |
|
||||
| app/controllers/users_controller.rb:23:5:23:16 | unsanitized2 : | semmle.label | unsanitized2 : |
|
||||
| app/controllers/users_controller.rb:23:20:23:30 | unsanitized : | semmle.label | unsanitized : |
|
||||
| app/controllers/users_controller.rb:23:20:23:44 | call to sub : | semmle.label | call to sub : |
|
||||
| app/controllers/users_controller.rb:23:5:23:16 | unsanitized2 | semmle.label | unsanitized2 |
|
||||
| app/controllers/users_controller.rb:23:20:23:30 | unsanitized | semmle.label | unsanitized |
|
||||
| app/controllers/users_controller.rb:23:20:23:44 | call to sub | semmle.label | call to sub |
|
||||
| app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | semmle.label | unsanitized2 |
|
||||
| app/controllers/users_controller.rb:27:16:27:39 | ... + ... | semmle.label | ... + ... |
|
||||
| app/controllers/users_controller.rb:33:5:33:15 | unsanitized : | semmle.label | unsanitized : |
|
||||
| app/controllers/users_controller.rb:33:19:33:25 | call to cookies : | semmle.label | call to cookies : |
|
||||
| app/controllers/users_controller.rb:33:19:33:31 | ...[...] : | semmle.label | ...[...] : |
|
||||
| app/controllers/users_controller.rb:33:5:33:15 | unsanitized | semmle.label | unsanitized |
|
||||
| app/controllers/users_controller.rb:33:19:33:25 | call to cookies | semmle.label | call to cookies |
|
||||
| app/controllers/users_controller.rb:33:19:33:31 | ...[...] | semmle.label | ...[...] |
|
||||
| app/controllers/users_controller.rb:34:33:34:43 | unsanitized | semmle.label | unsanitized |
|
||||
| app/controllers/users_controller.rb:35:33:35:55 | ... + ... | semmle.label | ... + ... |
|
||||
| app/controllers/users_controller.rb:49:19:49:24 | call to params : | semmle.label | call to params : |
|
||||
| app/controllers/users_controller.rb:49:19:49:24 | call to params | semmle.label | call to params |
|
||||
| app/controllers/users_controller.rb:49:19:49:30 | ...[...] | semmle.label | ...[...] |
|
||||
subpaths
|
||||
#select
|
||||
| app/controllers/users_controller.rb:16:19:16:29 | unsanitized | app/controllers/users_controller.rb:15:19:15:24 | call to params : | app/controllers/users_controller.rb:16:19:16:29 | unsanitized | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value |
|
||||
| app/controllers/users_controller.rb:17:19:17:41 | ... + ... | app/controllers/users_controller.rb:15:19:15:24 | call to params : | app/controllers/users_controller.rb:17:19:17:41 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value |
|
||||
| app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | app/controllers/users_controller.rb:15:19:15:24 | call to params : | app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value |
|
||||
| app/controllers/users_controller.rb:27:16:27:39 | ... + ... | app/controllers/users_controller.rb:15:19:15:24 | call to params : | app/controllers/users_controller.rb:27:16:27:39 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value |
|
||||
| app/controllers/users_controller.rb:34:33:34:43 | unsanitized | app/controllers/users_controller.rb:33:19:33:25 | call to cookies : | app/controllers/users_controller.rb:34:33:34:43 | unsanitized | Log entry depends on a $@. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | user-provided value |
|
||||
| app/controllers/users_controller.rb:35:33:35:55 | ... + ... | app/controllers/users_controller.rb:33:19:33:25 | call to cookies : | app/controllers/users_controller.rb:35:33:35:55 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | user-provided value |
|
||||
| app/controllers/users_controller.rb:49:19:49:30 | ...[...] | app/controllers/users_controller.rb:49:19:49:24 | call to params : | app/controllers/users_controller.rb:49:19:49:30 | ...[...] | Log entry depends on a $@. | app/controllers/users_controller.rb:49:19:49:24 | call to params | user-provided value |
|
||||
| app/controllers/users_controller.rb:16:19:16:29 | unsanitized | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:16:19:16:29 | unsanitized | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value |
|
||||
| app/controllers/users_controller.rb:17:19:17:41 | ... + ... | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:17:19:17:41 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value |
|
||||
| app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:25:7:25:18 | unsanitized2 | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value |
|
||||
| app/controllers/users_controller.rb:27:16:27:39 | ... + ... | app/controllers/users_controller.rb:15:19:15:24 | call to params | app/controllers/users_controller.rb:27:16:27:39 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:15:19:15:24 | call to params | user-provided value |
|
||||
| app/controllers/users_controller.rb:34:33:34:43 | unsanitized | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | app/controllers/users_controller.rb:34:33:34:43 | unsanitized | Log entry depends on a $@. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | user-provided value |
|
||||
| app/controllers/users_controller.rb:35:33:35:55 | ... + ... | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | app/controllers/users_controller.rb:35:33:35:55 | ... + ... | Log entry depends on a $@. | app/controllers/users_controller.rb:33:19:33:25 | call to cookies | user-provided value |
|
||||
| app/controllers/users_controller.rb:49:19:49:30 | ...[...] | app/controllers/users_controller.rb:49:19:49:24 | call to params | app/controllers/users_controller.rb:49:19:49:30 | ...[...] | Log entry depends on a $@. | app/controllers/users_controller.rb:49:19:49:24 | call to params | user-provided value |
|
||||
|
||||
@@ -1,52 +1,52 @@
|
||||
edges
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | PolynomialReDoS.rb:10:5:10:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | PolynomialReDoS.rb:11:5:11:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | PolynomialReDoS.rb:12:5:12:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | PolynomialReDoS.rb:13:5:13:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | PolynomialReDoS.rb:14:5:14:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | PolynomialReDoS.rb:15:5:15:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | PolynomialReDoS.rb:16:5:16:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | PolynomialReDoS.rb:17:5:17:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | PolynomialReDoS.rb:18:5:18:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | PolynomialReDoS.rb:19:5:19:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | PolynomialReDoS.rb:20:5:20:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | PolynomialReDoS.rb:21:5:21:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | PolynomialReDoS.rb:22:5:22:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | PolynomialReDoS.rb:23:17:23:20 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | PolynomialReDoS.rb:24:18:24:21 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | PolynomialReDoS.rb:42:10:42:13 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | PolynomialReDoS.rb:47:10:47:13 | name |
|
||||
| PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:4:12:4:24 | ...[...] : |
|
||||
| PolynomialReDoS.rb:4:12:4:24 | ...[...] : | PolynomialReDoS.rb:4:5:4:8 | name : |
|
||||
| PolynomialReDoS.rb:27:5:27:5 | a : | PolynomialReDoS.rb:28:5:28:5 | a |
|
||||
| PolynomialReDoS.rb:27:9:27:14 | call to params : | PolynomialReDoS.rb:27:9:27:18 | ...[...] : |
|
||||
| PolynomialReDoS.rb:27:9:27:18 | ...[...] : | PolynomialReDoS.rb:27:5:27:5 | a : |
|
||||
| PolynomialReDoS.rb:29:5:29:5 | b : | PolynomialReDoS.rb:30:5:30:5 | b |
|
||||
| PolynomialReDoS.rb:29:9:29:14 | call to params : | PolynomialReDoS.rb:29:9:29:18 | ...[...] : |
|
||||
| PolynomialReDoS.rb:29:9:29:18 | ...[...] : | PolynomialReDoS.rb:29:5:29:5 | b : |
|
||||
| PolynomialReDoS.rb:31:5:31:5 | c : | PolynomialReDoS.rb:32:5:32:5 | c |
|
||||
| PolynomialReDoS.rb:31:9:31:14 | call to params : | PolynomialReDoS.rb:31:9:31:18 | ...[...] : |
|
||||
| PolynomialReDoS.rb:31:9:31:18 | ...[...] : | PolynomialReDoS.rb:31:5:31:5 | c : |
|
||||
| PolynomialReDoS.rb:54:5:54:8 | name : | PolynomialReDoS.rb:56:38:56:41 | name : |
|
||||
| PolynomialReDoS.rb:54:5:54:8 | name : | PolynomialReDoS.rb:58:37:58:40 | name : |
|
||||
| PolynomialReDoS.rb:54:12:54:17 | call to params : | PolynomialReDoS.rb:54:12:54:24 | ...[...] : |
|
||||
| PolynomialReDoS.rb:54:12:54:24 | ...[...] : | PolynomialReDoS.rb:54:5:54:8 | name : |
|
||||
| PolynomialReDoS.rb:56:38:56:41 | name : | PolynomialReDoS.rb:61:33:61:37 | input : |
|
||||
| PolynomialReDoS.rb:58:37:58:40 | name : | PolynomialReDoS.rb:65:42:65:46 | input : |
|
||||
| PolynomialReDoS.rb:61:33:61:37 | input : | PolynomialReDoS.rb:62:5:62:9 | input |
|
||||
| PolynomialReDoS.rb:65:42:65:46 | input : | PolynomialReDoS.rb:66:5:66:9 | input |
|
||||
| PolynomialReDoS.rb:70:5:70:8 | name : | PolynomialReDoS.rb:73:32:73:35 | name : |
|
||||
| PolynomialReDoS.rb:70:12:70:17 | call to params : | PolynomialReDoS.rb:70:12:70:24 | ...[...] : |
|
||||
| PolynomialReDoS.rb:70:12:70:24 | ...[...] : | PolynomialReDoS.rb:70:5:70:8 | name : |
|
||||
| PolynomialReDoS.rb:73:32:73:35 | name : | PolynomialReDoS.rb:76:35:76:39 | input : |
|
||||
| PolynomialReDoS.rb:76:35:76:39 | input : | PolynomialReDoS.rb:77:5:77:9 | input |
|
||||
| lib/index.rb:2:11:2:11 | x : | lib/index.rb:4:13:4:13 | x |
|
||||
| lib/index.rb:8:13:8:13 | x : | lib/index.rb:9:15:9:15 | x |
|
||||
| lib/index.rb:8:13:8:13 | x : | lib/index.rb:11:16:11:16 | x |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:10:5:10:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:11:5:11:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:12:5:12:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:13:5:13:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:14:5:14:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:15:5:15:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:16:5:16:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:17:5:17:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:18:5:18:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:19:5:19:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:20:5:20:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:21:5:21:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:22:5:22:8 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:23:17:23:20 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:24:18:24:21 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:42:10:42:13 | name |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | PolynomialReDoS.rb:47:10:47:13 | name |
|
||||
| PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:4:12:4:24 | ...[...] |
|
||||
| PolynomialReDoS.rb:4:12:4:24 | ...[...] | PolynomialReDoS.rb:4:5:4:8 | name |
|
||||
| PolynomialReDoS.rb:27:5:27:5 | a | PolynomialReDoS.rb:28:5:28:5 | a |
|
||||
| PolynomialReDoS.rb:27:9:27:14 | call to params | PolynomialReDoS.rb:27:9:27:18 | ...[...] |
|
||||
| PolynomialReDoS.rb:27:9:27:18 | ...[...] | PolynomialReDoS.rb:27:5:27:5 | a |
|
||||
| PolynomialReDoS.rb:29:5:29:5 | b | PolynomialReDoS.rb:30:5:30:5 | b |
|
||||
| PolynomialReDoS.rb:29:9:29:14 | call to params | PolynomialReDoS.rb:29:9:29:18 | ...[...] |
|
||||
| PolynomialReDoS.rb:29:9:29:18 | ...[...] | PolynomialReDoS.rb:29:5:29:5 | b |
|
||||
| PolynomialReDoS.rb:31:5:31:5 | c | PolynomialReDoS.rb:32:5:32:5 | c |
|
||||
| PolynomialReDoS.rb:31:9:31:14 | call to params | PolynomialReDoS.rb:31:9:31:18 | ...[...] |
|
||||
| PolynomialReDoS.rb:31:9:31:18 | ...[...] | PolynomialReDoS.rb:31:5:31:5 | c |
|
||||
| PolynomialReDoS.rb:54:5:54:8 | name | PolynomialReDoS.rb:56:38:56:41 | name |
|
||||
| PolynomialReDoS.rb:54:5:54:8 | name | PolynomialReDoS.rb:58:37:58:40 | name |
|
||||
| PolynomialReDoS.rb:54:12:54:17 | call to params | PolynomialReDoS.rb:54:12:54:24 | ...[...] |
|
||||
| PolynomialReDoS.rb:54:12:54:24 | ...[...] | PolynomialReDoS.rb:54:5:54:8 | name |
|
||||
| PolynomialReDoS.rb:56:38:56:41 | name | PolynomialReDoS.rb:61:33:61:37 | input |
|
||||
| PolynomialReDoS.rb:58:37:58:40 | name | PolynomialReDoS.rb:65:42:65:46 | input |
|
||||
| PolynomialReDoS.rb:61:33:61:37 | input | PolynomialReDoS.rb:62:5:62:9 | input |
|
||||
| PolynomialReDoS.rb:65:42:65:46 | input | PolynomialReDoS.rb:66:5:66:9 | input |
|
||||
| PolynomialReDoS.rb:70:5:70:8 | name | PolynomialReDoS.rb:73:32:73:35 | name |
|
||||
| PolynomialReDoS.rb:70:12:70:17 | call to params | PolynomialReDoS.rb:70:12:70:24 | ...[...] |
|
||||
| PolynomialReDoS.rb:70:12:70:24 | ...[...] | PolynomialReDoS.rb:70:5:70:8 | name |
|
||||
| PolynomialReDoS.rb:73:32:73:35 | name | PolynomialReDoS.rb:76:35:76:39 | input |
|
||||
| PolynomialReDoS.rb:76:35:76:39 | input | PolynomialReDoS.rb:77:5:77:9 | input |
|
||||
| lib/index.rb:2:11:2:11 | x | lib/index.rb:4:13:4:13 | x |
|
||||
| lib/index.rb:8:13:8:13 | x | lib/index.rb:9:15:9:15 | x |
|
||||
| lib/index.rb:8:13:8:13 | x | lib/index.rb:11:16:11:16 | x |
|
||||
nodes
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name : | semmle.label | name : |
|
||||
| PolynomialReDoS.rb:4:12:4:17 | call to params : | semmle.label | call to params : |
|
||||
| PolynomialReDoS.rb:4:12:4:24 | ...[...] : | semmle.label | ...[...] : |
|
||||
| PolynomialReDoS.rb:4:5:4:8 | name | semmle.label | name |
|
||||
| PolynomialReDoS.rb:4:12:4:17 | call to params | semmle.label | call to params |
|
||||
| PolynomialReDoS.rb:4:12:4:24 | ...[...] | semmle.label | ...[...] |
|
||||
| PolynomialReDoS.rb:10:5:10:8 | name | semmle.label | name |
|
||||
| PolynomialReDoS.rb:11:5:11:8 | name | semmle.label | name |
|
||||
| PolynomialReDoS.rb:12:5:12:8 | name | semmle.label | name |
|
||||
@@ -62,65 +62,65 @@ nodes
|
||||
| PolynomialReDoS.rb:22:5:22:8 | name | semmle.label | name |
|
||||
| PolynomialReDoS.rb:23:17:23:20 | name | semmle.label | name |
|
||||
| PolynomialReDoS.rb:24:18:24:21 | name | semmle.label | name |
|
||||
| PolynomialReDoS.rb:27:5:27:5 | a : | semmle.label | a : |
|
||||
| PolynomialReDoS.rb:27:9:27:14 | call to params : | semmle.label | call to params : |
|
||||
| PolynomialReDoS.rb:27:9:27:18 | ...[...] : | semmle.label | ...[...] : |
|
||||
| PolynomialReDoS.rb:27:5:27:5 | a | semmle.label | a |
|
||||
| PolynomialReDoS.rb:27:9:27:14 | call to params | semmle.label | call to params |
|
||||
| PolynomialReDoS.rb:27:9:27:18 | ...[...] | semmle.label | ...[...] |
|
||||
| PolynomialReDoS.rb:28:5:28:5 | a | semmle.label | a |
|
||||
| PolynomialReDoS.rb:29:5:29:5 | b : | semmle.label | b : |
|
||||
| PolynomialReDoS.rb:29:9:29:14 | call to params : | semmle.label | call to params : |
|
||||
| PolynomialReDoS.rb:29:9:29:18 | ...[...] : | semmle.label | ...[...] : |
|
||||
| PolynomialReDoS.rb:29:5:29:5 | b | semmle.label | b |
|
||||
| PolynomialReDoS.rb:29:9:29:14 | call to params | semmle.label | call to params |
|
||||
| PolynomialReDoS.rb:29:9:29:18 | ...[...] | semmle.label | ...[...] |
|
||||
| PolynomialReDoS.rb:30:5:30:5 | b | semmle.label | b |
|
||||
| PolynomialReDoS.rb:31:5:31:5 | c : | semmle.label | c : |
|
||||
| PolynomialReDoS.rb:31:9:31:14 | call to params : | semmle.label | call to params : |
|
||||
| PolynomialReDoS.rb:31:9:31:18 | ...[...] : | semmle.label | ...[...] : |
|
||||
| PolynomialReDoS.rb:31:5:31:5 | c | semmle.label | c |
|
||||
| PolynomialReDoS.rb:31:9:31:14 | call to params | semmle.label | call to params |
|
||||
| PolynomialReDoS.rb:31:9:31:18 | ...[...] | semmle.label | ...[...] |
|
||||
| PolynomialReDoS.rb:32:5:32:5 | c | semmle.label | c |
|
||||
| PolynomialReDoS.rb:42:10:42:13 | name | semmle.label | name |
|
||||
| PolynomialReDoS.rb:47:10:47:13 | name | semmle.label | name |
|
||||
| PolynomialReDoS.rb:54:5:54:8 | name : | semmle.label | name : |
|
||||
| PolynomialReDoS.rb:54:12:54:17 | call to params : | semmle.label | call to params : |
|
||||
| PolynomialReDoS.rb:54:12:54:24 | ...[...] : | semmle.label | ...[...] : |
|
||||
| PolynomialReDoS.rb:56:38:56:41 | name : | semmle.label | name : |
|
||||
| PolynomialReDoS.rb:58:37:58:40 | name : | semmle.label | name : |
|
||||
| PolynomialReDoS.rb:61:33:61:37 | input : | semmle.label | input : |
|
||||
| PolynomialReDoS.rb:54:5:54:8 | name | semmle.label | name |
|
||||
| PolynomialReDoS.rb:54:12:54:17 | call to params | semmle.label | call to params |
|
||||
| PolynomialReDoS.rb:54:12:54:24 | ...[...] | semmle.label | ...[...] |
|
||||
| PolynomialReDoS.rb:56:38:56:41 | name | semmle.label | name |
|
||||
| PolynomialReDoS.rb:58:37:58:40 | name | semmle.label | name |
|
||||
| PolynomialReDoS.rb:61:33:61:37 | input | semmle.label | input |
|
||||
| PolynomialReDoS.rb:62:5:62:9 | input | semmle.label | input |
|
||||
| PolynomialReDoS.rb:65:42:65:46 | input : | semmle.label | input : |
|
||||
| PolynomialReDoS.rb:65:42:65:46 | input | semmle.label | input |
|
||||
| PolynomialReDoS.rb:66:5:66:9 | input | semmle.label | input |
|
||||
| PolynomialReDoS.rb:70:5:70:8 | name : | semmle.label | name : |
|
||||
| PolynomialReDoS.rb:70:12:70:17 | call to params : | semmle.label | call to params : |
|
||||
| PolynomialReDoS.rb:70:12:70:24 | ...[...] : | semmle.label | ...[...] : |
|
||||
| PolynomialReDoS.rb:73:32:73:35 | name : | semmle.label | name : |
|
||||
| PolynomialReDoS.rb:76:35:76:39 | input : | semmle.label | input : |
|
||||
| PolynomialReDoS.rb:70:5:70:8 | name | semmle.label | name |
|
||||
| PolynomialReDoS.rb:70:12:70:17 | call to params | semmle.label | call to params |
|
||||
| PolynomialReDoS.rb:70:12:70:24 | ...[...] | semmle.label | ...[...] |
|
||||
| PolynomialReDoS.rb:73:32:73:35 | name | semmle.label | name |
|
||||
| PolynomialReDoS.rb:76:35:76:39 | input | semmle.label | input |
|
||||
| PolynomialReDoS.rb:77:5:77:9 | input | semmle.label | input |
|
||||
| lib/index.rb:2:11:2:11 | x : | semmle.label | x : |
|
||||
| lib/index.rb:2:11:2:11 | x | semmle.label | x |
|
||||
| lib/index.rb:4:13:4:13 | x | semmle.label | x |
|
||||
| lib/index.rb:8:13:8:13 | x : | semmle.label | x : |
|
||||
| lib/index.rb:8:13:8:13 | x | semmle.label | x |
|
||||
| lib/index.rb:9:15:9:15 | x | semmle.label | x |
|
||||
| lib/index.rb:11:16:11:16 | x | semmle.label | x |
|
||||
subpaths
|
||||
#select
|
||||
| PolynomialReDoS.rb:10:5:10:17 | ... =~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:10:5:10:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:11:5:11:17 | ... !~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:11:5:11:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:12:5:12:15 | ...[...] | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:12:5:12:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:13:5:13:23 | call to gsub | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:13:5:13:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:14:5:14:20 | call to index | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:14:5:14:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:15:5:15:20 | call to match | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:15:5:15:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:16:5:16:21 | call to match? | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:16:5:16:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:17:5:17:24 | call to partition | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:17:5:17:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:18:5:18:21 | call to rindex | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:18:5:18:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:19:5:19:25 | call to rpartition | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:19:5:19:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:20:5:20:19 | call to scan | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:20:5:20:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:21:5:21:20 | call to split | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:21:5:21:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:22:5:22:22 | call to sub | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:22:5:22:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:23:5:23:20 | call to match | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:23:17:23:20 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:24:5:24:21 | call to match? | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:24:18:24:21 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:28:5:28:21 | call to gsub! | PolynomialReDoS.rb:27:9:27:14 | call to params : | PolynomialReDoS.rb:28:5:28:5 | a | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:27:9:27:14 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:30:5:30:18 | call to slice! | PolynomialReDoS.rb:29:9:29:14 | call to params : | PolynomialReDoS.rb:30:5:30:5 | b | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:29:9:29:14 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:32:5:32:20 | call to sub! | PolynomialReDoS.rb:31:9:31:14 | call to params : | PolynomialReDoS.rb:32:5:32:5 | c | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:31:9:31:14 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:42:5:45:7 | case ... | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:42:10:42:13 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:47:5:50:7 | case ... | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:47:10:47:13 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:48:14:48:16 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:62:5:62:22 | call to gsub | PolynomialReDoS.rb:54:12:54:17 | call to params : | PolynomialReDoS.rb:62:5:62:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:56:31:56:33 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:66:5:66:34 | call to match? | PolynomialReDoS.rb:54:12:54:17 | call to params : | PolynomialReDoS.rb:66:5:66:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:58:30:58:32 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:77:5:77:22 | call to gsub | PolynomialReDoS.rb:70:12:70:17 | call to params : | PolynomialReDoS.rb:77:5:77:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:72:28:72:30 | \\s+ | regular expression | PolynomialReDoS.rb:70:12:70:17 | call to params | user-provided value |
|
||||
| lib/index.rb:4:13:4:26 | call to match | lib/index.rb:2:11:2:11 | x : | lib/index.rb:4:13:4:13 | x | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | lib/index.rb:4:22:4:23 | a+ | regular expression | lib/index.rb:2:11:2:11 | x | library input |
|
||||
| lib/index.rb:9:15:9:28 | call to match | lib/index.rb:8:13:8:13 | x : | lib/index.rb:9:15:9:15 | x | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | lib/index.rb:9:24:9:25 | a+ | regular expression | lib/index.rb:8:13:8:13 | x | library input |
|
||||
| lib/index.rb:11:16:11:276 | call to match | lib/index.rb:8:13:8:13 | x : | lib/index.rb:11:16:11:16 | x | This $@ that depends on a $@ may run slow on strings starting with 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC'. | lib/index.rb:11:271:11:272 | .* | regular expression | lib/index.rb:8:13:8:13 | x | library input |
|
||||
| PolynomialReDoS.rb:10:5:10:17 | ... =~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:10:5:10:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:11:5:11:17 | ... !~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:11:5:11:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:12:5:12:15 | ...[...] | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:12:5:12:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:13:5:13:23 | call to gsub | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:13:5:13:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:14:5:14:20 | call to index | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:14:5:14:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:15:5:15:20 | call to match | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:15:5:15:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:16:5:16:21 | call to match? | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:16:5:16:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:17:5:17:24 | call to partition | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:17:5:17:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:18:5:18:21 | call to rindex | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:18:5:18:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:19:5:19:25 | call to rpartition | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:19:5:19:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:20:5:20:19 | call to scan | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:20:5:20:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:21:5:21:20 | call to split | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:21:5:21:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:22:5:22:22 | call to sub | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:22:5:22:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:23:5:23:20 | call to match | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:23:17:23:20 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:24:5:24:21 | call to match? | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:24:18:24:21 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:28:5:28:21 | call to gsub! | PolynomialReDoS.rb:27:9:27:14 | call to params | PolynomialReDoS.rb:28:5:28:5 | a | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:27:9:27:14 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:30:5:30:18 | call to slice! | PolynomialReDoS.rb:29:9:29:14 | call to params | PolynomialReDoS.rb:30:5:30:5 | b | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:29:9:29:14 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:32:5:32:20 | call to sub! | PolynomialReDoS.rb:31:9:31:14 | call to params | PolynomialReDoS.rb:32:5:32:5 | c | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:31:9:31:14 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:42:5:45:7 | case ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:42:10:42:13 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:47:5:50:7 | case ... | PolynomialReDoS.rb:4:12:4:17 | call to params | PolynomialReDoS.rb:47:10:47:13 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:48:14:48:16 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:62:5:62:22 | call to gsub | PolynomialReDoS.rb:54:12:54:17 | call to params | PolynomialReDoS.rb:62:5:62:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:56:31:56:33 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:66:5:66:34 | call to match? | PolynomialReDoS.rb:54:12:54:17 | call to params | PolynomialReDoS.rb:66:5:66:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:58:30:58:32 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:77:5:77:22 | call to gsub | PolynomialReDoS.rb:70:12:70:17 | call to params | PolynomialReDoS.rb:77:5:77:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:72:28:72:30 | \\s+ | regular expression | PolynomialReDoS.rb:70:12:70:17 | call to params | user-provided value |
|
||||
| lib/index.rb:4:13:4:26 | call to match | lib/index.rb:2:11:2:11 | x | lib/index.rb:4:13:4:13 | x | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | lib/index.rb:4:22:4:23 | a+ | regular expression | lib/index.rb:2:11:2:11 | x | library input |
|
||||
| lib/index.rb:9:15:9:28 | call to match | lib/index.rb:8:13:8:13 | x | lib/index.rb:9:15:9:15 | x | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | lib/index.rb:9:24:9:25 | a+ | regular expression | lib/index.rb:8:13:8:13 | x | library input |
|
||||
| lib/index.rb:11:16:11:276 | call to match | lib/index.rb:8:13:8:13 | x | lib/index.rb:11:16:11:16 | x | This $@ that depends on a $@ may run slow on strings starting with 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC' and with many repetitions of 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC'. | lib/index.rb:11:271:11:272 | .* | regular expression | lib/index.rb:8:13:8:13 | x | library input |
|
||||
|
||||
@@ -1,44 +1,44 @@
|
||||
edges
|
||||
| RegExpInjection.rb:4:5:4:8 | name : | RegExpInjection.rb:5:13:5:21 | /#{...}/ |
|
||||
| RegExpInjection.rb:4:12:4:17 | call to params : | RegExpInjection.rb:4:12:4:24 | ...[...] : |
|
||||
| RegExpInjection.rb:4:12:4:24 | ...[...] : | RegExpInjection.rb:4:5:4:8 | name : |
|
||||
| RegExpInjection.rb:10:5:10:8 | name : | RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ |
|
||||
| RegExpInjection.rb:10:12:10:17 | call to params : | RegExpInjection.rb:10:12:10:24 | ...[...] : |
|
||||
| RegExpInjection.rb:10:12:10:24 | ...[...] : | RegExpInjection.rb:10:5:10:8 | name : |
|
||||
| RegExpInjection.rb:16:5:16:8 | name : | RegExpInjection.rb:17:24:17:27 | name |
|
||||
| RegExpInjection.rb:16:12:16:17 | call to params : | RegExpInjection.rb:16:12:16:24 | ...[...] : |
|
||||
| RegExpInjection.rb:16:12:16:24 | ...[...] : | RegExpInjection.rb:16:5:16:8 | name : |
|
||||
| RegExpInjection.rb:22:5:22:8 | name : | RegExpInjection.rb:23:24:23:33 | ... + ... |
|
||||
| RegExpInjection.rb:22:12:22:17 | call to params : | RegExpInjection.rb:22:12:22:24 | ...[...] : |
|
||||
| RegExpInjection.rb:22:12:22:24 | ...[...] : | RegExpInjection.rb:22:5:22:8 | name : |
|
||||
| RegExpInjection.rb:54:5:54:8 | name : | RegExpInjection.rb:55:28:55:37 | ... + ... |
|
||||
| RegExpInjection.rb:54:12:54:17 | call to params : | RegExpInjection.rb:54:12:54:24 | ...[...] : |
|
||||
| RegExpInjection.rb:54:12:54:24 | ...[...] : | RegExpInjection.rb:54:5:54:8 | name : |
|
||||
| RegExpInjection.rb:4:5:4:8 | name | RegExpInjection.rb:5:13:5:21 | /#{...}/ |
|
||||
| RegExpInjection.rb:4:12:4:17 | call to params | RegExpInjection.rb:4:12:4:24 | ...[...] |
|
||||
| RegExpInjection.rb:4:12:4:24 | ...[...] | RegExpInjection.rb:4:5:4:8 | name |
|
||||
| RegExpInjection.rb:10:5:10:8 | name | RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ |
|
||||
| RegExpInjection.rb:10:12:10:17 | call to params | RegExpInjection.rb:10:12:10:24 | ...[...] |
|
||||
| RegExpInjection.rb:10:12:10:24 | ...[...] | RegExpInjection.rb:10:5:10:8 | name |
|
||||
| RegExpInjection.rb:16:5:16:8 | name | RegExpInjection.rb:17:24:17:27 | name |
|
||||
| RegExpInjection.rb:16:12:16:17 | call to params | RegExpInjection.rb:16:12:16:24 | ...[...] |
|
||||
| RegExpInjection.rb:16:12:16:24 | ...[...] | RegExpInjection.rb:16:5:16:8 | name |
|
||||
| RegExpInjection.rb:22:5:22:8 | name | RegExpInjection.rb:23:24:23:33 | ... + ... |
|
||||
| RegExpInjection.rb:22:12:22:17 | call to params | RegExpInjection.rb:22:12:22:24 | ...[...] |
|
||||
| RegExpInjection.rb:22:12:22:24 | ...[...] | RegExpInjection.rb:22:5:22:8 | name |
|
||||
| RegExpInjection.rb:54:5:54:8 | name | RegExpInjection.rb:55:28:55:37 | ... + ... |
|
||||
| RegExpInjection.rb:54:12:54:17 | call to params | RegExpInjection.rb:54:12:54:24 | ...[...] |
|
||||
| RegExpInjection.rb:54:12:54:24 | ...[...] | RegExpInjection.rb:54:5:54:8 | name |
|
||||
nodes
|
||||
| RegExpInjection.rb:4:5:4:8 | name : | semmle.label | name : |
|
||||
| RegExpInjection.rb:4:12:4:17 | call to params : | semmle.label | call to params : |
|
||||
| RegExpInjection.rb:4:12:4:24 | ...[...] : | semmle.label | ...[...] : |
|
||||
| RegExpInjection.rb:4:5:4:8 | name | semmle.label | name |
|
||||
| RegExpInjection.rb:4:12:4:17 | call to params | semmle.label | call to params |
|
||||
| RegExpInjection.rb:4:12:4:24 | ...[...] | semmle.label | ...[...] |
|
||||
| RegExpInjection.rb:5:13:5:21 | /#{...}/ | semmle.label | /#{...}/ |
|
||||
| RegExpInjection.rb:10:5:10:8 | name : | semmle.label | name : |
|
||||
| RegExpInjection.rb:10:12:10:17 | call to params : | semmle.label | call to params : |
|
||||
| RegExpInjection.rb:10:12:10:24 | ...[...] : | semmle.label | ...[...] : |
|
||||
| RegExpInjection.rb:10:5:10:8 | name | semmle.label | name |
|
||||
| RegExpInjection.rb:10:12:10:17 | call to params | semmle.label | call to params |
|
||||
| RegExpInjection.rb:10:12:10:24 | ...[...] | semmle.label | ...[...] |
|
||||
| RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | semmle.label | /foo#{...}bar/ |
|
||||
| RegExpInjection.rb:16:5:16:8 | name : | semmle.label | name : |
|
||||
| RegExpInjection.rb:16:12:16:17 | call to params : | semmle.label | call to params : |
|
||||
| RegExpInjection.rb:16:12:16:24 | ...[...] : | semmle.label | ...[...] : |
|
||||
| RegExpInjection.rb:16:5:16:8 | name | semmle.label | name |
|
||||
| RegExpInjection.rb:16:12:16:17 | call to params | semmle.label | call to params |
|
||||
| RegExpInjection.rb:16:12:16:24 | ...[...] | semmle.label | ...[...] |
|
||||
| RegExpInjection.rb:17:24:17:27 | name | semmle.label | name |
|
||||
| RegExpInjection.rb:22:5:22:8 | name : | semmle.label | name : |
|
||||
| RegExpInjection.rb:22:12:22:17 | call to params : | semmle.label | call to params : |
|
||||
| RegExpInjection.rb:22:12:22:24 | ...[...] : | semmle.label | ...[...] : |
|
||||
| RegExpInjection.rb:22:5:22:8 | name | semmle.label | name |
|
||||
| RegExpInjection.rb:22:12:22:17 | call to params | semmle.label | call to params |
|
||||
| RegExpInjection.rb:22:12:22:24 | ...[...] | semmle.label | ...[...] |
|
||||
| RegExpInjection.rb:23:24:23:33 | ... + ... | semmle.label | ... + ... |
|
||||
| RegExpInjection.rb:54:5:54:8 | name : | semmle.label | name : |
|
||||
| RegExpInjection.rb:54:12:54:17 | call to params : | semmle.label | call to params : |
|
||||
| RegExpInjection.rb:54:12:54:24 | ...[...] : | semmle.label | ...[...] : |
|
||||
| RegExpInjection.rb:54:5:54:8 | name | semmle.label | name |
|
||||
| RegExpInjection.rb:54:12:54:17 | call to params | semmle.label | call to params |
|
||||
| RegExpInjection.rb:54:12:54:24 | ...[...] | semmle.label | ...[...] |
|
||||
| RegExpInjection.rb:55:28:55:37 | ... + ... | semmle.label | ... + ... |
|
||||
subpaths
|
||||
#select
|
||||
| RegExpInjection.rb:5:13:5:21 | /#{...}/ | RegExpInjection.rb:4:12:4:17 | call to params : | RegExpInjection.rb:5:13:5:21 | /#{...}/ | This regular expression depends on a $@. | RegExpInjection.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | RegExpInjection.rb:10:12:10:17 | call to params : | RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | This regular expression depends on a $@. | RegExpInjection.rb:10:12:10:17 | call to params | user-provided value |
|
||||
| RegExpInjection.rb:17:24:17:27 | name | RegExpInjection.rb:16:12:16:17 | call to params : | RegExpInjection.rb:17:24:17:27 | name | This regular expression depends on a $@. | RegExpInjection.rb:16:12:16:17 | call to params | user-provided value |
|
||||
| RegExpInjection.rb:23:24:23:33 | ... + ... | RegExpInjection.rb:22:12:22:17 | call to params : | RegExpInjection.rb:23:24:23:33 | ... + ... | This regular expression depends on a $@. | RegExpInjection.rb:22:12:22:17 | call to params | user-provided value |
|
||||
| RegExpInjection.rb:55:28:55:37 | ... + ... | RegExpInjection.rb:54:12:54:17 | call to params : | RegExpInjection.rb:55:28:55:37 | ... + ... | This regular expression depends on a $@. | RegExpInjection.rb:54:12:54:17 | call to params | user-provided value |
|
||||
| RegExpInjection.rb:5:13:5:21 | /#{...}/ | RegExpInjection.rb:4:12:4:17 | call to params | RegExpInjection.rb:5:13:5:21 | /#{...}/ | This regular expression depends on a $@. | RegExpInjection.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | RegExpInjection.rb:10:12:10:17 | call to params | RegExpInjection.rb:11:13:11:27 | /foo#{...}bar/ | This regular expression depends on a $@. | RegExpInjection.rb:10:12:10:17 | call to params | user-provided value |
|
||||
| RegExpInjection.rb:17:24:17:27 | name | RegExpInjection.rb:16:12:16:17 | call to params | RegExpInjection.rb:17:24:17:27 | name | This regular expression depends on a $@. | RegExpInjection.rb:16:12:16:17 | call to params | user-provided value |
|
||||
| RegExpInjection.rb:23:24:23:33 | ... + ... | RegExpInjection.rb:22:12:22:17 | call to params | RegExpInjection.rb:23:24:23:33 | ... + ... | This regular expression depends on a $@. | RegExpInjection.rb:22:12:22:17 | call to params | user-provided value |
|
||||
| RegExpInjection.rb:55:28:55:37 | ... + ... | RegExpInjection.rb:54:12:54:17 | call to params | RegExpInjection.rb:55:28:55:37 | ... + ... | This regular expression depends on a $@. | RegExpInjection.rb:54:12:54:17 | call to params | user-provided value |
|
||||
|
||||
@@ -1,64 +1,64 @@
|
||||
edges
|
||||
| tainted_format_string.rb:4:12:4:17 | call to params : | tainted_format_string.rb:4:12:4:26 | ...[...] |
|
||||
| tainted_format_string.rb:5:19:5:24 | call to params : | tainted_format_string.rb:5:19:5:33 | ...[...] |
|
||||
| tainted_format_string.rb:10:23:10:28 | call to params : | tainted_format_string.rb:10:23:10:37 | ...[...] |
|
||||
| tainted_format_string.rb:11:30:11:35 | call to params : | tainted_format_string.rb:11:30:11:44 | ...[...] |
|
||||
| tainted_format_string.rb:18:23:18:28 | call to params : | tainted_format_string.rb:18:23:18:37 | ...[...] |
|
||||
| tainted_format_string.rb:19:30:19:35 | call to params : | tainted_format_string.rb:19:30:19:44 | ...[...] |
|
||||
| tainted_format_string.rb:21:27:21:32 | call to params : | tainted_format_string.rb:21:27:21:41 | ...[...] |
|
||||
| tainted_format_string.rb:22:20:22:25 | call to params : | tainted_format_string.rb:22:20:22:34 | ...[...] |
|
||||
| tainted_format_string.rb:28:19:28:24 | call to params : | tainted_format_string.rb:28:19:28:33 | ...[...] |
|
||||
| tainted_format_string.rb:33:32:33:37 | call to params : | tainted_format_string.rb:33:32:33:46 | ...[...] : |
|
||||
| tainted_format_string.rb:33:32:33:46 | ...[...] : | tainted_format_string.rb:33:12:33:46 | ... + ... |
|
||||
| tainted_format_string.rb:36:30:36:35 | call to params : | tainted_format_string.rb:36:30:36:44 | ...[...] : |
|
||||
| tainted_format_string.rb:36:30:36:44 | ...[...] : | tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" |
|
||||
| tainted_format_string.rb:39:22:39:27 | call to params : | tainted_format_string.rb:39:22:39:36 | ...[...] : |
|
||||
| tainted_format_string.rb:39:22:39:36 | ...[...] : | tainted_format_string.rb:39:5:39:45 | "A log message #{...} %{foo}" |
|
||||
| tainted_format_string.rb:42:22:42:27 | call to params : | tainted_format_string.rb:42:22:42:36 | ...[...] : |
|
||||
| tainted_format_string.rb:42:22:42:36 | ...[...] : | tainted_format_string.rb:42:5:42:43 | "A log message #{...} %08x" |
|
||||
| tainted_format_string.rb:4:12:4:17 | call to params | tainted_format_string.rb:4:12:4:26 | ...[...] |
|
||||
| tainted_format_string.rb:5:19:5:24 | call to params | tainted_format_string.rb:5:19:5:33 | ...[...] |
|
||||
| tainted_format_string.rb:10:23:10:28 | call to params | tainted_format_string.rb:10:23:10:37 | ...[...] |
|
||||
| tainted_format_string.rb:11:30:11:35 | call to params | tainted_format_string.rb:11:30:11:44 | ...[...] |
|
||||
| tainted_format_string.rb:18:23:18:28 | call to params | tainted_format_string.rb:18:23:18:37 | ...[...] |
|
||||
| tainted_format_string.rb:19:30:19:35 | call to params | tainted_format_string.rb:19:30:19:44 | ...[...] |
|
||||
| tainted_format_string.rb:21:27:21:32 | call to params | tainted_format_string.rb:21:27:21:41 | ...[...] |
|
||||
| tainted_format_string.rb:22:20:22:25 | call to params | tainted_format_string.rb:22:20:22:34 | ...[...] |
|
||||
| tainted_format_string.rb:28:19:28:24 | call to params | tainted_format_string.rb:28:19:28:33 | ...[...] |
|
||||
| tainted_format_string.rb:33:32:33:37 | call to params | tainted_format_string.rb:33:32:33:46 | ...[...] |
|
||||
| tainted_format_string.rb:33:32:33:46 | ...[...] | tainted_format_string.rb:33:12:33:46 | ... + ... |
|
||||
| tainted_format_string.rb:36:30:36:35 | call to params | tainted_format_string.rb:36:30:36:44 | ...[...] |
|
||||
| tainted_format_string.rb:36:30:36:44 | ...[...] | tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" |
|
||||
| tainted_format_string.rb:39:22:39:27 | call to params | tainted_format_string.rb:39:22:39:36 | ...[...] |
|
||||
| tainted_format_string.rb:39:22:39:36 | ...[...] | tainted_format_string.rb:39:5:39:45 | "A log message #{...} %{foo}" |
|
||||
| tainted_format_string.rb:42:22:42:27 | call to params | tainted_format_string.rb:42:22:42:36 | ...[...] |
|
||||
| tainted_format_string.rb:42:22:42:36 | ...[...] | tainted_format_string.rb:42:5:42:43 | "A log message #{...} %08x" |
|
||||
nodes
|
||||
| tainted_format_string.rb:4:12:4:17 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:4:12:4:17 | call to params | semmle.label | call to params |
|
||||
| tainted_format_string.rb:4:12:4:26 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:5:19:5:24 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:5:19:5:24 | call to params | semmle.label | call to params |
|
||||
| tainted_format_string.rb:5:19:5:33 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:10:23:10:28 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:10:23:10:28 | call to params | semmle.label | call to params |
|
||||
| tainted_format_string.rb:10:23:10:37 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:11:30:11:35 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:11:30:11:35 | call to params | semmle.label | call to params |
|
||||
| tainted_format_string.rb:11:30:11:44 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:18:23:18:28 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:18:23:18:28 | call to params | semmle.label | call to params |
|
||||
| tainted_format_string.rb:18:23:18:37 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:19:30:19:35 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:19:30:19:35 | call to params | semmle.label | call to params |
|
||||
| tainted_format_string.rb:19:30:19:44 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:21:27:21:32 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:21:27:21:32 | call to params | semmle.label | call to params |
|
||||
| tainted_format_string.rb:21:27:21:41 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:22:20:22:25 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:22:20:22:25 | call to params | semmle.label | call to params |
|
||||
| tainted_format_string.rb:22:20:22:34 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:28:19:28:24 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:28:19:28:24 | call to params | semmle.label | call to params |
|
||||
| tainted_format_string.rb:28:19:28:33 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:33:12:33:46 | ... + ... | semmle.label | ... + ... |
|
||||
| tainted_format_string.rb:33:32:33:37 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:33:32:33:46 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_format_string.rb:33:32:33:37 | call to params | semmle.label | call to params |
|
||||
| tainted_format_string.rb:33:32:33:46 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" | semmle.label | "A log message: #{...}" |
|
||||
| tainted_format_string.rb:36:30:36:35 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:36:30:36:44 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_format_string.rb:36:30:36:35 | call to params | semmle.label | call to params |
|
||||
| tainted_format_string.rb:36:30:36:44 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:39:5:39:45 | "A log message #{...} %{foo}" | semmle.label | "A log message #{...} %{foo}" |
|
||||
| tainted_format_string.rb:39:22:39:27 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:39:22:39:36 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_format_string.rb:39:22:39:27 | call to params | semmle.label | call to params |
|
||||
| tainted_format_string.rb:39:22:39:36 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:42:5:42:43 | "A log message #{...} %08x" | semmle.label | "A log message #{...} %08x" |
|
||||
| tainted_format_string.rb:42:22:42:27 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:42:22:42:36 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_format_string.rb:42:22:42:27 | call to params | semmle.label | call to params |
|
||||
| tainted_format_string.rb:42:22:42:36 | ...[...] | semmle.label | ...[...] |
|
||||
subpaths
|
||||
#select
|
||||
| tainted_format_string.rb:4:12:4:26 | ...[...] | tainted_format_string.rb:4:12:4:17 | call to params : | tainted_format_string.rb:4:12:4:26 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:5:19:5:33 | ...[...] | tainted_format_string.rb:5:19:5:24 | call to params : | tainted_format_string.rb:5:19:5:33 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:5:19:5:24 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:10:23:10:37 | ...[...] | tainted_format_string.rb:10:23:10:28 | call to params : | tainted_format_string.rb:10:23:10:37 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:10:23:10:28 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:11:30:11:44 | ...[...] | tainted_format_string.rb:11:30:11:35 | call to params : | tainted_format_string.rb:11:30:11:44 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:11:30:11:35 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:18:23:18:37 | ...[...] | tainted_format_string.rb:18:23:18:28 | call to params : | tainted_format_string.rb:18:23:18:37 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:18:23:18:28 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:19:30:19:44 | ...[...] | tainted_format_string.rb:19:30:19:35 | call to params : | tainted_format_string.rb:19:30:19:44 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:19:30:19:35 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:21:27:21:41 | ...[...] | tainted_format_string.rb:21:27:21:32 | call to params : | tainted_format_string.rb:21:27:21:41 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:21:27:21:32 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:22:20:22:34 | ...[...] | tainted_format_string.rb:22:20:22:25 | call to params : | tainted_format_string.rb:22:20:22:34 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:22:20:22:25 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:28:19:28:33 | ...[...] | tainted_format_string.rb:28:19:28:24 | call to params : | tainted_format_string.rb:28:19:28:33 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:28:19:28:24 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:33:12:33:46 | ... + ... | tainted_format_string.rb:33:32:33:37 | call to params : | tainted_format_string.rb:33:12:33:46 | ... + ... | Format string depends on a $@. | tainted_format_string.rb:33:32:33:37 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" | tainted_format_string.rb:36:30:36:35 | call to params : | tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" | Format string depends on a $@. | tainted_format_string.rb:36:30:36:35 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:39:5:39:45 | "A log message #{...} %{foo}" | tainted_format_string.rb:39:22:39:27 | call to params : | tainted_format_string.rb:39:5:39:45 | "A log message #{...} %{foo}" | Format string depends on a $@. | tainted_format_string.rb:39:22:39:27 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:42:5:42:43 | "A log message #{...} %08x" | tainted_format_string.rb:42:22:42:27 | call to params : | tainted_format_string.rb:42:5:42:43 | "A log message #{...} %08x" | Format string depends on a $@. | tainted_format_string.rb:42:22:42:27 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:4:12:4:26 | ...[...] | tainted_format_string.rb:4:12:4:17 | call to params | tainted_format_string.rb:4:12:4:26 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:5:19:5:33 | ...[...] | tainted_format_string.rb:5:19:5:24 | call to params | tainted_format_string.rb:5:19:5:33 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:5:19:5:24 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:10:23:10:37 | ...[...] | tainted_format_string.rb:10:23:10:28 | call to params | tainted_format_string.rb:10:23:10:37 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:10:23:10:28 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:11:30:11:44 | ...[...] | tainted_format_string.rb:11:30:11:35 | call to params | tainted_format_string.rb:11:30:11:44 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:11:30:11:35 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:18:23:18:37 | ...[...] | tainted_format_string.rb:18:23:18:28 | call to params | tainted_format_string.rb:18:23:18:37 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:18:23:18:28 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:19:30:19:44 | ...[...] | tainted_format_string.rb:19:30:19:35 | call to params | tainted_format_string.rb:19:30:19:44 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:19:30:19:35 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:21:27:21:41 | ...[...] | tainted_format_string.rb:21:27:21:32 | call to params | tainted_format_string.rb:21:27:21:41 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:21:27:21:32 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:22:20:22:34 | ...[...] | tainted_format_string.rb:22:20:22:25 | call to params | tainted_format_string.rb:22:20:22:34 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:22:20:22:25 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:28:19:28:33 | ...[...] | tainted_format_string.rb:28:19:28:24 | call to params | tainted_format_string.rb:28:19:28:33 | ...[...] | Format string depends on a $@. | tainted_format_string.rb:28:19:28:24 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:33:12:33:46 | ... + ... | tainted_format_string.rb:33:32:33:37 | call to params | tainted_format_string.rb:33:12:33:46 | ... + ... | Format string depends on a $@. | tainted_format_string.rb:33:32:33:37 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" | tainted_format_string.rb:36:30:36:35 | call to params | tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" | Format string depends on a $@. | tainted_format_string.rb:36:30:36:35 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:39:5:39:45 | "A log message #{...} %{foo}" | tainted_format_string.rb:39:22:39:27 | call to params | tainted_format_string.rb:39:5:39:45 | "A log message #{...} %{foo}" | Format string depends on a $@. | tainted_format_string.rb:39:22:39:27 | call to params | user-provided value |
|
||||
| tainted_format_string.rb:42:5:42:43 | "A log message #{...} %08x" | tainted_format_string.rb:42:22:42:27 | call to params | tainted_format_string.rb:42:5:42:43 | "A log message #{...} %08x" | Format string depends on a $@. | tainted_format_string.rb:42:22:42:27 | call to params | user-provided value |
|
||||
|
||||
@@ -1,14 +1,14 @@
|
||||
edges
|
||||
| StackTraceExposure.rb:11:5:11:6 | bt : | StackTraceExposure.rb:12:18:12:19 | bt |
|
||||
| StackTraceExposure.rb:11:10:11:17 | call to caller : | StackTraceExposure.rb:11:5:11:6 | bt : |
|
||||
| StackTraceExposure.rb:11:5:11:6 | bt | StackTraceExposure.rb:12:18:12:19 | bt |
|
||||
| StackTraceExposure.rb:11:10:11:17 | call to caller | StackTraceExposure.rb:11:5:11:6 | bt |
|
||||
nodes
|
||||
| StackTraceExposure.rb:6:18:6:28 | call to backtrace | semmle.label | call to backtrace |
|
||||
| StackTraceExposure.rb:11:5:11:6 | bt : | semmle.label | bt : |
|
||||
| StackTraceExposure.rb:11:10:11:17 | call to caller : | semmle.label | call to caller : |
|
||||
| StackTraceExposure.rb:11:5:11:6 | bt | semmle.label | bt |
|
||||
| StackTraceExposure.rb:11:10:11:17 | call to caller | semmle.label | call to caller |
|
||||
| StackTraceExposure.rb:12:18:12:19 | bt | semmle.label | bt |
|
||||
| StackTraceExposure.rb:18:18:18:28 | call to backtrace | semmle.label | call to backtrace |
|
||||
subpaths
|
||||
#select
|
||||
| StackTraceExposure.rb:6:18:6:28 | call to backtrace | StackTraceExposure.rb:6:18:6:28 | call to backtrace | StackTraceExposure.rb:6:18:6:28 | call to backtrace | $@ can be exposed to an external user. | StackTraceExposure.rb:6:18:6:28 | call to backtrace | Error information |
|
||||
| StackTraceExposure.rb:12:18:12:19 | bt | StackTraceExposure.rb:11:10:11:17 | call to caller : | StackTraceExposure.rb:12:18:12:19 | bt | $@ can be exposed to an external user. | StackTraceExposure.rb:11:10:11:17 | call to caller | Error information |
|
||||
| StackTraceExposure.rb:12:18:12:19 | bt | StackTraceExposure.rb:11:10:11:17 | call to caller | StackTraceExposure.rb:12:18:12:19 | bt | $@ can be exposed to an external user. | StackTraceExposure.rb:11:10:11:17 | call to caller | Error information |
|
||||
| StackTraceExposure.rb:18:18:18:28 | call to backtrace | StackTraceExposure.rb:18:18:18:28 | call to backtrace | StackTraceExposure.rb:18:18:18:28 | call to backtrace | $@ can be exposed to an external user. | StackTraceExposure.rb:18:18:18:28 | call to backtrace | Error information |
|
||||
|
||||
@@ -1,96 +1,96 @@
|
||||
edges
|
||||
| app/controllers/users_controller.rb:3:5:3:16 | new_password : | app/controllers/users_controller.rb:5:39:5:50 | new_password |
|
||||
| app/controllers/users_controller.rb:3:5:3:16 | new_password : | app/controllers/users_controller.rb:7:41:7:52 | new_password |
|
||||
| app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : | app/controllers/users_controller.rb:3:5:3:16 | new_password : |
|
||||
| app/controllers/users_controller.rb:11:5:11:16 | new_password : | app/controllers/users_controller.rb:13:42:13:53 | new_password |
|
||||
| app/controllers/users_controller.rb:11:5:11:16 | new_password : | app/controllers/users_controller.rb:15:49:15:60 | new_password |
|
||||
| app/controllers/users_controller.rb:11:5:11:16 | new_password : | app/controllers/users_controller.rb:15:49:15:60 | new_password : |
|
||||
| app/controllers/users_controller.rb:11:5:11:16 | new_password : | app/controllers/users_controller.rb:15:87:15:98 | new_password |
|
||||
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | app/controllers/users_controller.rb:11:5:11:16 | new_password : |
|
||||
| app/controllers/users_controller.rb:15:49:15:60 | new_password : | app/controllers/users_controller.rb:15:87:15:98 | new_password |
|
||||
| app/controllers/users_controller.rb:19:5:19:16 | new_password : | app/controllers/users_controller.rb:21:45:21:56 | new_password |
|
||||
| app/controllers/users_controller.rb:19:5:19:16 | new_password : | app/controllers/users_controller.rb:21:45:21:56 | new_password : |
|
||||
| app/controllers/users_controller.rb:19:5:19:16 | new_password : | app/controllers/users_controller.rb:21:83:21:94 | new_password |
|
||||
| app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : | app/controllers/users_controller.rb:19:5:19:16 | new_password : |
|
||||
| app/controllers/users_controller.rb:21:45:21:56 | new_password : | app/controllers/users_controller.rb:21:83:21:94 | new_password |
|
||||
| app/controllers/users_controller.rb:26:5:26:16 | new_password : | app/controllers/users_controller.rb:28:27:28:38 | new_password |
|
||||
| app/controllers/users_controller.rb:26:5:26:16 | new_password : | app/controllers/users_controller.rb:30:28:30:39 | new_password |
|
||||
| app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : | app/controllers/users_controller.rb:26:5:26:16 | new_password : |
|
||||
| app/controllers/users_controller.rb:35:5:35:16 | new_password : | app/controllers/users_controller.rb:37:39:37:50 | new_password |
|
||||
| app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" : | app/controllers/users_controller.rb:35:5:35:16 | new_password : |
|
||||
| app/controllers/users_controller.rb:42:5:42:16 | new_password : | app/controllers/users_controller.rb:44:21:44:32 | new_password |
|
||||
| app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" : | app/controllers/users_controller.rb:42:5:42:16 | new_password : |
|
||||
| app/controllers/users_controller.rb:58:5:58:16 | new_password : | app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" |
|
||||
| app/controllers/users_controller.rb:58:5:58:16 | new_password : | app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" |
|
||||
| app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : | app/controllers/users_controller.rb:58:5:58:16 | new_password : |
|
||||
| app/models/user.rb:3:5:3:16 | new_password : | app/models/user.rb:5:27:5:38 | new_password |
|
||||
| app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" : | app/models/user.rb:3:5:3:16 | new_password : |
|
||||
| app/models/user.rb:9:5:9:16 | new_password : | app/models/user.rb:11:22:11:33 | new_password |
|
||||
| app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" : | app/models/user.rb:9:5:9:16 | new_password : |
|
||||
| app/models/user.rb:15:5:15:16 | new_password : | app/models/user.rb:17:21:17:32 | new_password |
|
||||
| app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" : | app/models/user.rb:15:5:15:16 | new_password : |
|
||||
| app/controllers/users_controller.rb:3:5:3:16 | new_password | app/controllers/users_controller.rb:5:39:5:50 | new_password |
|
||||
| app/controllers/users_controller.rb:3:5:3:16 | new_password | app/controllers/users_controller.rb:7:41:7:52 | new_password |
|
||||
| app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | app/controllers/users_controller.rb:3:5:3:16 | new_password |
|
||||
| app/controllers/users_controller.rb:11:5:11:16 | new_password | app/controllers/users_controller.rb:13:42:13:53 | new_password |
|
||||
| app/controllers/users_controller.rb:11:5:11:16 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password |
|
||||
| app/controllers/users_controller.rb:11:5:11:16 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password |
|
||||
| app/controllers/users_controller.rb:11:5:11:16 | new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password |
|
||||
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | app/controllers/users_controller.rb:11:5:11:16 | new_password |
|
||||
| app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password |
|
||||
| app/controllers/users_controller.rb:19:5:19:16 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password |
|
||||
| app/controllers/users_controller.rb:19:5:19:16 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password |
|
||||
| app/controllers/users_controller.rb:19:5:19:16 | new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password |
|
||||
| app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | app/controllers/users_controller.rb:19:5:19:16 | new_password |
|
||||
| app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password |
|
||||
| app/controllers/users_controller.rb:26:5:26:16 | new_password | app/controllers/users_controller.rb:28:27:28:38 | new_password |
|
||||
| app/controllers/users_controller.rb:26:5:26:16 | new_password | app/controllers/users_controller.rb:30:28:30:39 | new_password |
|
||||
| app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | app/controllers/users_controller.rb:26:5:26:16 | new_password |
|
||||
| app/controllers/users_controller.rb:35:5:35:16 | new_password | app/controllers/users_controller.rb:37:39:37:50 | new_password |
|
||||
| app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" | app/controllers/users_controller.rb:35:5:35:16 | new_password |
|
||||
| app/controllers/users_controller.rb:42:5:42:16 | new_password | app/controllers/users_controller.rb:44:21:44:32 | new_password |
|
||||
| app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" | app/controllers/users_controller.rb:42:5:42:16 | new_password |
|
||||
| app/controllers/users_controller.rb:58:5:58:16 | new_password | app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" |
|
||||
| app/controllers/users_controller.rb:58:5:58:16 | new_password | app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" |
|
||||
| app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | app/controllers/users_controller.rb:58:5:58:16 | new_password |
|
||||
| app/models/user.rb:3:5:3:16 | new_password | app/models/user.rb:5:27:5:38 | new_password |
|
||||
| app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" | app/models/user.rb:3:5:3:16 | new_password |
|
||||
| app/models/user.rb:9:5:9:16 | new_password | app/models/user.rb:11:22:11:33 | new_password |
|
||||
| app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" | app/models/user.rb:9:5:9:16 | new_password |
|
||||
| app/models/user.rb:15:5:15:16 | new_password | app/models/user.rb:17:21:17:32 | new_password |
|
||||
| app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" | app/models/user.rb:15:5:15:16 | new_password |
|
||||
nodes
|
||||
| app/controllers/users_controller.rb:3:5:3:16 | new_password : | semmle.label | new_password : |
|
||||
| app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : | semmle.label | "043697b96909e03ca907599d6420555f" : |
|
||||
| app/controllers/users_controller.rb:3:5:3:16 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | semmle.label | "043697b96909e03ca907599d6420555f" |
|
||||
| app/controllers/users_controller.rb:5:39:5:50 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:7:41:7:52 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:11:5:11:16 | new_password : | semmle.label | new_password : |
|
||||
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | semmle.label | "083c9e1da4cc0c2f5480bb4dbe6ff141" : |
|
||||
| app/controllers/users_controller.rb:11:5:11:16 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | semmle.label | "083c9e1da4cc0c2f5480bb4dbe6ff141" |
|
||||
| app/controllers/users_controller.rb:13:42:13:53 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:15:49:15:60 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:15:49:15:60 | new_password : | semmle.label | new_password : |
|
||||
| app/controllers/users_controller.rb:15:49:15:60 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:15:87:15:98 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:19:5:19:16 | new_password : | semmle.label | new_password : |
|
||||
| app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : | semmle.label | "504d224a806cf8073cd14ef08242d422" : |
|
||||
| app/controllers/users_controller.rb:19:5:19:16 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | semmle.label | "504d224a806cf8073cd14ef08242d422" |
|
||||
| app/controllers/users_controller.rb:21:45:21:56 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:21:45:21:56 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:21:45:21:56 | new_password : | semmle.label | new_password : |
|
||||
| app/controllers/users_controller.rb:21:83:21:94 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:26:5:26:16 | new_password : | semmle.label | new_password : |
|
||||
| app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : | semmle.label | "7d6ae08394c3f284506dca70f05995f6" : |
|
||||
| app/controllers/users_controller.rb:26:5:26:16 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | semmle.label | "7d6ae08394c3f284506dca70f05995f6" |
|
||||
| app/controllers/users_controller.rb:28:27:28:38 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:30:28:30:39 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:35:5:35:16 | new_password : | semmle.label | new_password : |
|
||||
| app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" : | semmle.label | "ff295f8648a406c37fbe378377320e4c" : |
|
||||
| app/controllers/users_controller.rb:35:5:35:16 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" | semmle.label | "ff295f8648a406c37fbe378377320e4c" |
|
||||
| app/controllers/users_controller.rb:37:39:37:50 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:42:5:42:16 | new_password : | semmle.label | new_password : |
|
||||
| app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" : | semmle.label | "78ffbec583b546bd073efd898f833184" : |
|
||||
| app/controllers/users_controller.rb:42:5:42:16 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" | semmle.label | "78ffbec583b546bd073efd898f833184" |
|
||||
| app/controllers/users_controller.rb:44:21:44:32 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:58:5:58:16 | new_password : | semmle.label | new_password : |
|
||||
| app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : | semmle.label | "0157af7c38cbdd24f1616de4e5321861" : |
|
||||
| app/controllers/users_controller.rb:58:5:58:16 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | semmle.label | "0157af7c38cbdd24f1616de4e5321861" |
|
||||
| app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | semmle.label | "password: #{...}\\n" |
|
||||
| app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | semmle.label | "password: #{...}" |
|
||||
| app/models/user.rb:3:5:3:16 | new_password : | semmle.label | new_password : |
|
||||
| app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" : | semmle.label | "06c38c6a8a9c11a9d3b209a3193047b4" : |
|
||||
| app/models/user.rb:3:5:3:16 | new_password | semmle.label | new_password |
|
||||
| app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" | semmle.label | "06c38c6a8a9c11a9d3b209a3193047b4" |
|
||||
| app/models/user.rb:5:27:5:38 | new_password | semmle.label | new_password |
|
||||
| app/models/user.rb:9:5:9:16 | new_password : | semmle.label | new_password : |
|
||||
| app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" : | semmle.label | "52652fb5c709fb6b9b5a0194af7c6067" : |
|
||||
| app/models/user.rb:9:5:9:16 | new_password | semmle.label | new_password |
|
||||
| app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" | semmle.label | "52652fb5c709fb6b9b5a0194af7c6067" |
|
||||
| app/models/user.rb:11:22:11:33 | new_password | semmle.label | new_password |
|
||||
| app/models/user.rb:15:5:15:16 | new_password : | semmle.label | new_password : |
|
||||
| app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" : | semmle.label | "f982bf2531c149a8a1444a951b12e830" : |
|
||||
| app/models/user.rb:15:5:15:16 | new_password | semmle.label | new_password |
|
||||
| app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" | semmle.label | "f982bf2531c149a8a1444a951b12e830" |
|
||||
| app/models/user.rb:17:21:17:32 | new_password | semmle.label | new_password |
|
||||
subpaths
|
||||
#select
|
||||
| app/controllers/users_controller.rb:5:39:5:50 | new_password | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : | app/controllers/users_controller.rb:5:39:5:50 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : | app/controllers/users_controller.rb:7:41:7:52 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:5:39:5:50 | new_password | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | app/controllers/users_controller.rb:5:39:5:50 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | app/controllers/users_controller.rb:7:41:7:52 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:7:41:7:52 | new_password | app/controllers/users_controller.rb:7:41:7:52 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:7:41:7:52 | new_password | a write to password |
|
||||
| app/controllers/users_controller.rb:13:42:13:53 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | app/controllers/users_controller.rb:13:42:13:53 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | app/controllers/users_controller.rb:15:49:15:60 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:13:42:13:53 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | app/controllers/users_controller.rb:13:42:13:53 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | app/controllers/users_controller.rb:15:49:15:60 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:15:49:15:60 | new_password | a write to password |
|
||||
| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | app/controllers/users_controller.rb:15:87:15:98 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password : | app/controllers/users_controller.rb:15:87:15:98 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:15:49:15:60 | new_password | a write to password |
|
||||
| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | app/controllers/users_controller.rb:15:87:15:98 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:15:49:15:60 | new_password | a write to password |
|
||||
| app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:15:87:15:98 | new_password | a write to password |
|
||||
| app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : | app/controllers/users_controller.rb:21:45:21:56 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | app/controllers/users_controller.rb:21:45:21:56 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:21:45:21:56 | new_password | a write to password |
|
||||
| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : | app/controllers/users_controller.rb:21:83:21:94 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password : | app/controllers/users_controller.rb:21:83:21:94 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:21:45:21:56 | new_password | a write to password |
|
||||
| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | app/controllers/users_controller.rb:21:83:21:94 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:21:45:21:56 | new_password | a write to password |
|
||||
| app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:21:83:21:94 | new_password | a write to password |
|
||||
| app/controllers/users_controller.rb:28:27:28:38 | new_password | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : | app/controllers/users_controller.rb:28:27:28:38 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:30:28:30:39 | new_password | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : | app/controllers/users_controller.rb:30:28:30:39 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:28:27:28:38 | new_password | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | app/controllers/users_controller.rb:28:27:28:38 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:30:28:30:39 | new_password | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | app/controllers/users_controller.rb:30:28:30:39 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:30:28:30:39 | new_password | app/controllers/users_controller.rb:30:28:30:39 | new_password | app/controllers/users_controller.rb:30:28:30:39 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:30:28:30:39 | new_password | a write to password |
|
||||
| app/controllers/users_controller.rb:37:39:37:50 | new_password | app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" : | app/controllers/users_controller.rb:37:39:37:50 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:44:21:44:32 | new_password | app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" : | app/controllers/users_controller.rb:44:21:44:32 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : | app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : | app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | an assignment to new_password |
|
||||
| app/models/user.rb:5:27:5:38 | new_password | app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" : | app/models/user.rb:5:27:5:38 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" | an assignment to new_password |
|
||||
| app/models/user.rb:11:22:11:33 | new_password | app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" : | app/models/user.rb:11:22:11:33 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" | an assignment to new_password |
|
||||
| app/models/user.rb:17:21:17:32 | new_password | app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" : | app/models/user.rb:17:21:17:32 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:37:39:37:50 | new_password | app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" | app/controllers/users_controller.rb:37:39:37:50 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:44:21:44:32 | new_password | app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" | app/controllers/users_controller.rb:44:21:44:32 | new_password | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | an assignment to new_password |
|
||||
| app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | This stores sensitive data returned by $@ as clear text. | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | an assignment to new_password |
|
||||
| app/models/user.rb:5:27:5:38 | new_password | app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" | app/models/user.rb:5:27:5:38 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" | an assignment to new_password |
|
||||
| app/models/user.rb:11:22:11:33 | new_password | app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" | app/models/user.rb:11:22:11:33 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" | an assignment to new_password |
|
||||
| app/models/user.rb:17:21:17:32 | new_password | app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" | app/models/user.rb:17:21:17:32 | new_password | This stores sensitive data returned by $@ as clear text. | app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" | an assignment to new_password |
|
||||
|
||||
@@ -1,12 +1,12 @@
|
||||
edges
|
||||
| OjGlobalOptions.rb:13:5:13:13 | json_data : | OjGlobalOptions.rb:14:22:14:30 | json_data |
|
||||
| OjGlobalOptions.rb:13:17:13:22 | call to params : | OjGlobalOptions.rb:13:17:13:28 | ...[...] : |
|
||||
| OjGlobalOptions.rb:13:17:13:28 | ...[...] : | OjGlobalOptions.rb:13:5:13:13 | json_data : |
|
||||
| OjGlobalOptions.rb:13:5:13:13 | json_data | OjGlobalOptions.rb:14:22:14:30 | json_data |
|
||||
| OjGlobalOptions.rb:13:17:13:22 | call to params | OjGlobalOptions.rb:13:17:13:28 | ...[...] |
|
||||
| OjGlobalOptions.rb:13:17:13:28 | ...[...] | OjGlobalOptions.rb:13:5:13:13 | json_data |
|
||||
nodes
|
||||
| OjGlobalOptions.rb:13:5:13:13 | json_data : | semmle.label | json_data : |
|
||||
| OjGlobalOptions.rb:13:17:13:22 | call to params : | semmle.label | call to params : |
|
||||
| OjGlobalOptions.rb:13:17:13:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| OjGlobalOptions.rb:13:5:13:13 | json_data | semmle.label | json_data |
|
||||
| OjGlobalOptions.rb:13:17:13:22 | call to params | semmle.label | call to params |
|
||||
| OjGlobalOptions.rb:13:17:13:28 | ...[...] | semmle.label | ...[...] |
|
||||
| OjGlobalOptions.rb:14:22:14:30 | json_data | semmle.label | json_data |
|
||||
subpaths
|
||||
#select
|
||||
| OjGlobalOptions.rb:14:22:14:30 | json_data | OjGlobalOptions.rb:13:17:13:22 | call to params : | OjGlobalOptions.rb:14:22:14:30 | json_data | Unsafe deserialization depends on a $@. | OjGlobalOptions.rb:13:17:13:22 | call to params | user-provided value |
|
||||
| OjGlobalOptions.rb:14:22:14:30 | json_data | OjGlobalOptions.rb:13:17:13:22 | call to params | OjGlobalOptions.rb:14:22:14:30 | json_data | Unsafe deserialization depends on a $@. | OjGlobalOptions.rb:13:17:13:22 | call to params | user-provided value |
|
||||
|
||||
@@ -1,73 +1,73 @@
|
||||
edges
|
||||
| UnsafeDeserialization.rb:10:5:10:19 | serialized_data : | UnsafeDeserialization.rb:11:27:11:41 | serialized_data |
|
||||
| UnsafeDeserialization.rb:10:23:10:50 | call to decode64 : | UnsafeDeserialization.rb:10:5:10:19 | serialized_data : |
|
||||
| UnsafeDeserialization.rb:10:39:10:44 | call to params : | UnsafeDeserialization.rb:10:39:10:50 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:10:39:10:50 | ...[...] : | UnsafeDeserialization.rb:10:23:10:50 | call to decode64 : |
|
||||
| UnsafeDeserialization.rb:16:5:16:19 | serialized_data : | UnsafeDeserialization.rb:17:30:17:44 | serialized_data |
|
||||
| UnsafeDeserialization.rb:16:23:16:50 | call to decode64 : | UnsafeDeserialization.rb:16:5:16:19 | serialized_data : |
|
||||
| UnsafeDeserialization.rb:16:39:16:44 | call to params : | UnsafeDeserialization.rb:16:39:16:50 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:16:39:16:50 | ...[...] : | UnsafeDeserialization.rb:16:23:16:50 | call to decode64 : |
|
||||
| UnsafeDeserialization.rb:22:5:22:13 | json_data : | UnsafeDeserialization.rb:23:24:23:32 | json_data |
|
||||
| UnsafeDeserialization.rb:22:17:22:22 | call to params : | UnsafeDeserialization.rb:22:17:22:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:22:17:22:28 | ...[...] : | UnsafeDeserialization.rb:22:5:22:13 | json_data : |
|
||||
| UnsafeDeserialization.rb:28:5:28:13 | json_data : | UnsafeDeserialization.rb:29:27:29:35 | json_data |
|
||||
| UnsafeDeserialization.rb:28:17:28:22 | call to params : | UnsafeDeserialization.rb:28:17:28:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:28:17:28:28 | ...[...] : | UnsafeDeserialization.rb:28:5:28:13 | json_data : |
|
||||
| UnsafeDeserialization.rb:40:5:40:13 | yaml_data : | UnsafeDeserialization.rb:41:24:41:32 | yaml_data |
|
||||
| UnsafeDeserialization.rb:40:17:40:22 | call to params : | UnsafeDeserialization.rb:40:17:40:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:40:17:40:28 | ...[...] : | UnsafeDeserialization.rb:40:5:40:13 | yaml_data : |
|
||||
| UnsafeDeserialization.rb:52:5:52:13 | json_data : | UnsafeDeserialization.rb:53:22:53:30 | json_data |
|
||||
| UnsafeDeserialization.rb:52:5:52:13 | json_data : | UnsafeDeserialization.rb:54:22:54:30 | json_data |
|
||||
| UnsafeDeserialization.rb:52:17:52:22 | call to params : | UnsafeDeserialization.rb:52:17:52:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:52:17:52:28 | ...[...] : | UnsafeDeserialization.rb:52:5:52:13 | json_data : |
|
||||
| UnsafeDeserialization.rb:59:5:59:13 | json_data : | UnsafeDeserialization.rb:69:23:69:31 | json_data |
|
||||
| UnsafeDeserialization.rb:59:17:59:22 | call to params : | UnsafeDeserialization.rb:59:17:59:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:59:17:59:28 | ...[...] : | UnsafeDeserialization.rb:59:5:59:13 | json_data : |
|
||||
| UnsafeDeserialization.rb:81:5:81:7 | xml : | UnsafeDeserialization.rb:82:34:82:36 | xml |
|
||||
| UnsafeDeserialization.rb:81:11:81:16 | call to params : | UnsafeDeserialization.rb:81:11:81:22 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:81:11:81:22 | ...[...] : | UnsafeDeserialization.rb:81:5:81:7 | xml : |
|
||||
| UnsafeDeserialization.rb:87:5:87:13 | yaml_data : | UnsafeDeserialization.rb:88:25:88:33 | yaml_data |
|
||||
| UnsafeDeserialization.rb:87:17:87:22 | call to params : | UnsafeDeserialization.rb:87:17:87:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:87:17:87:28 | ...[...] : | UnsafeDeserialization.rb:87:5:87:13 | yaml_data : |
|
||||
| UnsafeDeserialization.rb:10:5:10:19 | serialized_data | UnsafeDeserialization.rb:11:27:11:41 | serialized_data |
|
||||
| UnsafeDeserialization.rb:10:23:10:50 | call to decode64 | UnsafeDeserialization.rb:10:5:10:19 | serialized_data |
|
||||
| UnsafeDeserialization.rb:10:39:10:44 | call to params | UnsafeDeserialization.rb:10:39:10:50 | ...[...] |
|
||||
| UnsafeDeserialization.rb:10:39:10:50 | ...[...] | UnsafeDeserialization.rb:10:23:10:50 | call to decode64 |
|
||||
| UnsafeDeserialization.rb:16:5:16:19 | serialized_data | UnsafeDeserialization.rb:17:30:17:44 | serialized_data |
|
||||
| UnsafeDeserialization.rb:16:23:16:50 | call to decode64 | UnsafeDeserialization.rb:16:5:16:19 | serialized_data |
|
||||
| UnsafeDeserialization.rb:16:39:16:44 | call to params | UnsafeDeserialization.rb:16:39:16:50 | ...[...] |
|
||||
| UnsafeDeserialization.rb:16:39:16:50 | ...[...] | UnsafeDeserialization.rb:16:23:16:50 | call to decode64 |
|
||||
| UnsafeDeserialization.rb:22:5:22:13 | json_data | UnsafeDeserialization.rb:23:24:23:32 | json_data |
|
||||
| UnsafeDeserialization.rb:22:17:22:22 | call to params | UnsafeDeserialization.rb:22:17:22:28 | ...[...] |
|
||||
| UnsafeDeserialization.rb:22:17:22:28 | ...[...] | UnsafeDeserialization.rb:22:5:22:13 | json_data |
|
||||
| UnsafeDeserialization.rb:28:5:28:13 | json_data | UnsafeDeserialization.rb:29:27:29:35 | json_data |
|
||||
| UnsafeDeserialization.rb:28:17:28:22 | call to params | UnsafeDeserialization.rb:28:17:28:28 | ...[...] |
|
||||
| UnsafeDeserialization.rb:28:17:28:28 | ...[...] | UnsafeDeserialization.rb:28:5:28:13 | json_data |
|
||||
| UnsafeDeserialization.rb:40:5:40:13 | yaml_data | UnsafeDeserialization.rb:41:24:41:32 | yaml_data |
|
||||
| UnsafeDeserialization.rb:40:17:40:22 | call to params | UnsafeDeserialization.rb:40:17:40:28 | ...[...] |
|
||||
| UnsafeDeserialization.rb:40:17:40:28 | ...[...] | UnsafeDeserialization.rb:40:5:40:13 | yaml_data |
|
||||
| UnsafeDeserialization.rb:52:5:52:13 | json_data | UnsafeDeserialization.rb:53:22:53:30 | json_data |
|
||||
| UnsafeDeserialization.rb:52:5:52:13 | json_data | UnsafeDeserialization.rb:54:22:54:30 | json_data |
|
||||
| UnsafeDeserialization.rb:52:17:52:22 | call to params | UnsafeDeserialization.rb:52:17:52:28 | ...[...] |
|
||||
| UnsafeDeserialization.rb:52:17:52:28 | ...[...] | UnsafeDeserialization.rb:52:5:52:13 | json_data |
|
||||
| UnsafeDeserialization.rb:59:5:59:13 | json_data | UnsafeDeserialization.rb:69:23:69:31 | json_data |
|
||||
| UnsafeDeserialization.rb:59:17:59:22 | call to params | UnsafeDeserialization.rb:59:17:59:28 | ...[...] |
|
||||
| UnsafeDeserialization.rb:59:17:59:28 | ...[...] | UnsafeDeserialization.rb:59:5:59:13 | json_data |
|
||||
| UnsafeDeserialization.rb:81:5:81:7 | xml | UnsafeDeserialization.rb:82:34:82:36 | xml |
|
||||
| UnsafeDeserialization.rb:81:11:81:16 | call to params | UnsafeDeserialization.rb:81:11:81:22 | ...[...] |
|
||||
| UnsafeDeserialization.rb:81:11:81:22 | ...[...] | UnsafeDeserialization.rb:81:5:81:7 | xml |
|
||||
| UnsafeDeserialization.rb:87:5:87:13 | yaml_data | UnsafeDeserialization.rb:88:25:88:33 | yaml_data |
|
||||
| UnsafeDeserialization.rb:87:17:87:22 | call to params | UnsafeDeserialization.rb:87:17:87:28 | ...[...] |
|
||||
| UnsafeDeserialization.rb:87:17:87:28 | ...[...] | UnsafeDeserialization.rb:87:5:87:13 | yaml_data |
|
||||
nodes
|
||||
| UnsafeDeserialization.rb:10:5:10:19 | serialized_data : | semmle.label | serialized_data : |
|
||||
| UnsafeDeserialization.rb:10:23:10:50 | call to decode64 : | semmle.label | call to decode64 : |
|
||||
| UnsafeDeserialization.rb:10:39:10:44 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:10:39:10:50 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:10:5:10:19 | serialized_data | semmle.label | serialized_data |
|
||||
| UnsafeDeserialization.rb:10:23:10:50 | call to decode64 | semmle.label | call to decode64 |
|
||||
| UnsafeDeserialization.rb:10:39:10:44 | call to params | semmle.label | call to params |
|
||||
| UnsafeDeserialization.rb:10:39:10:50 | ...[...] | semmle.label | ...[...] |
|
||||
| UnsafeDeserialization.rb:11:27:11:41 | serialized_data | semmle.label | serialized_data |
|
||||
| UnsafeDeserialization.rb:16:5:16:19 | serialized_data : | semmle.label | serialized_data : |
|
||||
| UnsafeDeserialization.rb:16:23:16:50 | call to decode64 : | semmle.label | call to decode64 : |
|
||||
| UnsafeDeserialization.rb:16:39:16:44 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:16:39:16:50 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:16:5:16:19 | serialized_data | semmle.label | serialized_data |
|
||||
| UnsafeDeserialization.rb:16:23:16:50 | call to decode64 | semmle.label | call to decode64 |
|
||||
| UnsafeDeserialization.rb:16:39:16:44 | call to params | semmle.label | call to params |
|
||||
| UnsafeDeserialization.rb:16:39:16:50 | ...[...] | semmle.label | ...[...] |
|
||||
| UnsafeDeserialization.rb:17:30:17:44 | serialized_data | semmle.label | serialized_data |
|
||||
| UnsafeDeserialization.rb:22:5:22:13 | json_data : | semmle.label | json_data : |
|
||||
| UnsafeDeserialization.rb:22:17:22:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:22:17:22:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:22:5:22:13 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:22:17:22:22 | call to params | semmle.label | call to params |
|
||||
| UnsafeDeserialization.rb:22:17:22:28 | ...[...] | semmle.label | ...[...] |
|
||||
| UnsafeDeserialization.rb:23:24:23:32 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:28:5:28:13 | json_data : | semmle.label | json_data : |
|
||||
| UnsafeDeserialization.rb:28:17:28:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:28:17:28:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:28:5:28:13 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:28:17:28:22 | call to params | semmle.label | call to params |
|
||||
| UnsafeDeserialization.rb:28:17:28:28 | ...[...] | semmle.label | ...[...] |
|
||||
| UnsafeDeserialization.rb:29:27:29:35 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:40:5:40:13 | yaml_data : | semmle.label | yaml_data : |
|
||||
| UnsafeDeserialization.rb:40:17:40:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:40:17:40:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:40:5:40:13 | yaml_data | semmle.label | yaml_data |
|
||||
| UnsafeDeserialization.rb:40:17:40:22 | call to params | semmle.label | call to params |
|
||||
| UnsafeDeserialization.rb:40:17:40:28 | ...[...] | semmle.label | ...[...] |
|
||||
| UnsafeDeserialization.rb:41:24:41:32 | yaml_data | semmle.label | yaml_data |
|
||||
| UnsafeDeserialization.rb:52:5:52:13 | json_data : | semmle.label | json_data : |
|
||||
| UnsafeDeserialization.rb:52:17:52:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:52:17:52:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:52:5:52:13 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:52:17:52:22 | call to params | semmle.label | call to params |
|
||||
| UnsafeDeserialization.rb:52:17:52:28 | ...[...] | semmle.label | ...[...] |
|
||||
| UnsafeDeserialization.rb:53:22:53:30 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:54:22:54:30 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:59:5:59:13 | json_data : | semmle.label | json_data : |
|
||||
| UnsafeDeserialization.rb:59:17:59:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:59:17:59:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:59:5:59:13 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:59:17:59:22 | call to params | semmle.label | call to params |
|
||||
| UnsafeDeserialization.rb:59:17:59:28 | ...[...] | semmle.label | ...[...] |
|
||||
| UnsafeDeserialization.rb:69:23:69:31 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:81:5:81:7 | xml : | semmle.label | xml : |
|
||||
| UnsafeDeserialization.rb:81:11:81:16 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:81:11:81:22 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:81:5:81:7 | xml | semmle.label | xml |
|
||||
| UnsafeDeserialization.rb:81:11:81:16 | call to params | semmle.label | call to params |
|
||||
| UnsafeDeserialization.rb:81:11:81:22 | ...[...] | semmle.label | ...[...] |
|
||||
| UnsafeDeserialization.rb:82:34:82:36 | xml | semmle.label | xml |
|
||||
| UnsafeDeserialization.rb:87:5:87:13 | yaml_data : | semmle.label | yaml_data : |
|
||||
| UnsafeDeserialization.rb:87:17:87:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:87:17:87:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:87:5:87:13 | yaml_data | semmle.label | yaml_data |
|
||||
| UnsafeDeserialization.rb:87:17:87:22 | call to params | semmle.label | call to params |
|
||||
| UnsafeDeserialization.rb:87:17:87:28 | ...[...] | semmle.label | ...[...] |
|
||||
| UnsafeDeserialization.rb:88:25:88:33 | yaml_data | semmle.label | yaml_data |
|
||||
| UnsafeDeserialization.rb:92:24:92:34 | call to read | semmle.label | call to read |
|
||||
| UnsafeDeserialization.rb:95:24:95:33 | call to gets | semmle.label | call to gets |
|
||||
@@ -76,16 +76,16 @@ nodes
|
||||
| UnsafeDeserialization.rb:104:24:104:32 | call to readlines | semmle.label | call to readlines |
|
||||
subpaths
|
||||
#select
|
||||
| UnsafeDeserialization.rb:11:27:11:41 | serialized_data | UnsafeDeserialization.rb:10:39:10:44 | call to params : | UnsafeDeserialization.rb:11:27:11:41 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:10:39:10:44 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:17:30:17:44 | serialized_data | UnsafeDeserialization.rb:16:39:16:44 | call to params : | UnsafeDeserialization.rb:17:30:17:44 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:16:39:16:44 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:23:24:23:32 | json_data | UnsafeDeserialization.rb:22:17:22:22 | call to params : | UnsafeDeserialization.rb:23:24:23:32 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:22:17:22:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:29:27:29:35 | json_data | UnsafeDeserialization.rb:28:17:28:22 | call to params : | UnsafeDeserialization.rb:29:27:29:35 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:28:17:28:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:41:24:41:32 | yaml_data | UnsafeDeserialization.rb:40:17:40:22 | call to params : | UnsafeDeserialization.rb:41:24:41:32 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:40:17:40:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:53:22:53:30 | json_data | UnsafeDeserialization.rb:52:17:52:22 | call to params : | UnsafeDeserialization.rb:53:22:53:30 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:52:17:52:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:54:22:54:30 | json_data | UnsafeDeserialization.rb:52:17:52:22 | call to params : | UnsafeDeserialization.rb:54:22:54:30 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:52:17:52:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:69:23:69:31 | json_data | UnsafeDeserialization.rb:59:17:59:22 | call to params : | UnsafeDeserialization.rb:69:23:69:31 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:59:17:59:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:82:34:82:36 | xml | UnsafeDeserialization.rb:81:11:81:16 | call to params : | UnsafeDeserialization.rb:82:34:82:36 | xml | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:81:11:81:16 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:88:25:88:33 | yaml_data | UnsafeDeserialization.rb:87:17:87:22 | call to params : | UnsafeDeserialization.rb:88:25:88:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:87:17:87:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:11:27:11:41 | serialized_data | UnsafeDeserialization.rb:10:39:10:44 | call to params | UnsafeDeserialization.rb:11:27:11:41 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:10:39:10:44 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:17:30:17:44 | serialized_data | UnsafeDeserialization.rb:16:39:16:44 | call to params | UnsafeDeserialization.rb:17:30:17:44 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:16:39:16:44 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:23:24:23:32 | json_data | UnsafeDeserialization.rb:22:17:22:22 | call to params | UnsafeDeserialization.rb:23:24:23:32 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:22:17:22:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:29:27:29:35 | json_data | UnsafeDeserialization.rb:28:17:28:22 | call to params | UnsafeDeserialization.rb:29:27:29:35 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:28:17:28:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:41:24:41:32 | yaml_data | UnsafeDeserialization.rb:40:17:40:22 | call to params | UnsafeDeserialization.rb:41:24:41:32 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:40:17:40:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:53:22:53:30 | json_data | UnsafeDeserialization.rb:52:17:52:22 | call to params | UnsafeDeserialization.rb:53:22:53:30 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:52:17:52:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:54:22:54:30 | json_data | UnsafeDeserialization.rb:52:17:52:22 | call to params | UnsafeDeserialization.rb:54:22:54:30 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:52:17:52:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:69:23:69:31 | json_data | UnsafeDeserialization.rb:59:17:59:22 | call to params | UnsafeDeserialization.rb:69:23:69:31 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:59:17:59:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:82:34:82:36 | xml | UnsafeDeserialization.rb:81:11:81:16 | call to params | UnsafeDeserialization.rb:82:34:82:36 | xml | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:81:11:81:16 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:88:25:88:33 | yaml_data | UnsafeDeserialization.rb:87:17:87:22 | call to params | UnsafeDeserialization.rb:88:25:88:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:87:17:87:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:92:24:92:34 | call to read | UnsafeDeserialization.rb:92:24:92:34 | call to read | UnsafeDeserialization.rb:92:24:92:34 | call to read | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:92:24:92:34 | call to read | value from stdin |
|
||||
| UnsafeDeserialization.rb:95:24:95:33 | call to gets | UnsafeDeserialization.rb:95:24:95:33 | call to gets | UnsafeDeserialization.rb:95:24:95:33 | call to gets | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:95:24:95:33 | call to gets | value from stdin |
|
||||
| UnsafeDeserialization.rb:98:24:98:32 | call to read | UnsafeDeserialization.rb:98:24:98:32 | call to read | UnsafeDeserialization.rb:98:24:98:32 | call to read | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:98:24:98:32 | call to read | value from stdin |
|
||||
|
||||
@@ -1,33 +1,33 @@
|
||||
edges
|
||||
| tst.rb:1:7:1:7 | r : | tst.rb:2:4:2:4 | r : |
|
||||
| tst.rb:2:4:2:4 | r : | tst.rb:2:3:2:15 | call to pack : |
|
||||
| tst.rb:5:1:5:23 | totally_harmless_string : | tst.rb:7:8:7:30 | totally_harmless_string : |
|
||||
| tst.rb:5:27:5:72 | "707574732822636f646520696e6a6..." : | tst.rb:5:1:5:23 | totally_harmless_string : |
|
||||
| tst.rb:7:8:7:30 | totally_harmless_string : | tst.rb:1:7:1:7 | r : |
|
||||
| tst.rb:7:8:7:30 | totally_harmless_string : | tst.rb:7:6:7:31 | call to e |
|
||||
| tst.rb:10:11:10:24 | "666f6f626172" : | tst.rb:1:7:1:7 | r : |
|
||||
| tst.rb:10:11:10:24 | "666f6f626172" : | tst.rb:10:9:10:25 | call to e |
|
||||
| tst.rb:16:1:16:27 | another_questionable_string : | tst.rb:17:6:17:32 | another_questionable_string : |
|
||||
| tst.rb:16:31:16:84 | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." : | tst.rb:16:1:16:27 | another_questionable_string : |
|
||||
| tst.rb:17:6:17:32 | another_questionable_string : | tst.rb:17:6:17:38 | call to strip |
|
||||
| tst.rb:1:7:1:7 | r | tst.rb:2:4:2:4 | r |
|
||||
| tst.rb:2:4:2:4 | r | tst.rb:2:3:2:15 | call to pack |
|
||||
| tst.rb:5:1:5:23 | totally_harmless_string | tst.rb:7:8:7:30 | totally_harmless_string |
|
||||
| tst.rb:5:27:5:72 | "707574732822636f646520696e6a6..." | tst.rb:5:1:5:23 | totally_harmless_string |
|
||||
| tst.rb:7:8:7:30 | totally_harmless_string | tst.rb:1:7:1:7 | r |
|
||||
| tst.rb:7:8:7:30 | totally_harmless_string | tst.rb:7:6:7:31 | call to e |
|
||||
| tst.rb:10:11:10:24 | "666f6f626172" | tst.rb:1:7:1:7 | r |
|
||||
| tst.rb:10:11:10:24 | "666f6f626172" | tst.rb:10:9:10:25 | call to e |
|
||||
| tst.rb:16:1:16:27 | another_questionable_string | tst.rb:17:6:17:32 | another_questionable_string |
|
||||
| tst.rb:16:31:16:84 | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." | tst.rb:16:1:16:27 | another_questionable_string |
|
||||
| tst.rb:17:6:17:32 | another_questionable_string | tst.rb:17:6:17:38 | call to strip |
|
||||
nodes
|
||||
| tst.rb:1:7:1:7 | r : | semmle.label | r : |
|
||||
| tst.rb:2:3:2:15 | call to pack : | semmle.label | call to pack : |
|
||||
| tst.rb:2:4:2:4 | r : | semmle.label | r : |
|
||||
| tst.rb:5:1:5:23 | totally_harmless_string : | semmle.label | totally_harmless_string : |
|
||||
| tst.rb:5:27:5:72 | "707574732822636f646520696e6a6..." : | semmle.label | "707574732822636f646520696e6a6..." : |
|
||||
| tst.rb:1:7:1:7 | r | semmle.label | r |
|
||||
| tst.rb:2:3:2:15 | call to pack | semmle.label | call to pack |
|
||||
| tst.rb:2:4:2:4 | r | semmle.label | r |
|
||||
| tst.rb:5:1:5:23 | totally_harmless_string | semmle.label | totally_harmless_string |
|
||||
| tst.rb:5:27:5:72 | "707574732822636f646520696e6a6..." | semmle.label | "707574732822636f646520696e6a6..." |
|
||||
| tst.rb:7:6:7:31 | call to e | semmle.label | call to e |
|
||||
| tst.rb:7:8:7:30 | totally_harmless_string : | semmle.label | totally_harmless_string : |
|
||||
| tst.rb:7:8:7:30 | totally_harmless_string | semmle.label | totally_harmless_string |
|
||||
| tst.rb:10:9:10:25 | call to e | semmle.label | call to e |
|
||||
| tst.rb:10:11:10:24 | "666f6f626172" : | semmle.label | "666f6f626172" : |
|
||||
| tst.rb:16:1:16:27 | another_questionable_string : | semmle.label | another_questionable_string : |
|
||||
| tst.rb:16:31:16:84 | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." : | semmle.label | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." : |
|
||||
| tst.rb:17:6:17:32 | another_questionable_string : | semmle.label | another_questionable_string : |
|
||||
| tst.rb:10:11:10:24 | "666f6f626172" | semmle.label | "666f6f626172" |
|
||||
| tst.rb:16:1:16:27 | another_questionable_string | semmle.label | another_questionable_string |
|
||||
| tst.rb:16:31:16:84 | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." | semmle.label | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." |
|
||||
| tst.rb:17:6:17:32 | another_questionable_string | semmle.label | another_questionable_string |
|
||||
| tst.rb:17:6:17:38 | call to strip | semmle.label | call to strip |
|
||||
subpaths
|
||||
| tst.rb:7:8:7:30 | totally_harmless_string : | tst.rb:1:7:1:7 | r : | tst.rb:2:3:2:15 | call to pack : | tst.rb:7:6:7:31 | call to e |
|
||||
| tst.rb:10:11:10:24 | "666f6f626172" : | tst.rb:1:7:1:7 | r : | tst.rb:2:3:2:15 | call to pack : | tst.rb:10:9:10:25 | call to e |
|
||||
| tst.rb:7:8:7:30 | totally_harmless_string | tst.rb:1:7:1:7 | r | tst.rb:2:3:2:15 | call to pack | tst.rb:7:6:7:31 | call to e |
|
||||
| tst.rb:10:11:10:24 | "666f6f626172" | tst.rb:1:7:1:7 | r | tst.rb:2:3:2:15 | call to pack | tst.rb:10:9:10:25 | call to e |
|
||||
#select
|
||||
| tst.rb:7:6:7:31 | call to e | tst.rb:5:27:5:72 | "707574732822636f646520696e6a6..." : | tst.rb:7:6:7:31 | call to e | $@ is interpreted as code. | tst.rb:5:27:5:72 | "707574732822636f646520696e6a6..." | Hard-coded data |
|
||||
| tst.rb:10:9:10:25 | call to e | tst.rb:10:11:10:24 | "666f6f626172" : | tst.rb:10:9:10:25 | call to e | $@ is interpreted as an import path. | tst.rb:10:11:10:24 | "666f6f626172" | Hard-coded data |
|
||||
| tst.rb:17:6:17:38 | call to strip | tst.rb:16:31:16:84 | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." : | tst.rb:17:6:17:38 | call to strip | $@ is interpreted as code. | tst.rb:16:31:16:84 | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." | Hard-coded data |
|
||||
| tst.rb:7:6:7:31 | call to e | tst.rb:5:27:5:72 | "707574732822636f646520696e6a6..." | tst.rb:7:6:7:31 | call to e | $@ is interpreted as code. | tst.rb:5:27:5:72 | "707574732822636f646520696e6a6..." | Hard-coded data |
|
||||
| tst.rb:10:9:10:25 | call to e | tst.rb:10:11:10:24 | "666f6f626172" | tst.rb:10:9:10:25 | call to e | $@ is interpreted as an import path. | tst.rb:10:11:10:24 | "666f6f626172" | Hard-coded data |
|
||||
| tst.rb:17:6:17:38 | call to strip | tst.rb:16:31:16:84 | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." | tst.rb:17:6:17:38 | call to strip | $@ is interpreted as code. | tst.rb:16:31:16:84 | "\\x70\\x75\\x74\\x73\\x28\\x27\\x68\\..." | Hard-coded data |
|
||||
|
||||
@@ -1,49 +1,49 @@
|
||||
edges
|
||||
| UrlRedirect.rb:9:17:9:22 | call to params : | UrlRedirect.rb:9:17:9:28 | ...[...] |
|
||||
| UrlRedirect.rb:14:17:14:22 | call to params : | UrlRedirect.rb:14:17:14:43 | call to fetch |
|
||||
| UrlRedirect.rb:19:17:19:22 | call to params : | UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash |
|
||||
| UrlRedirect.rb:24:31:24:36 | call to params : | UrlRedirect.rb:24:17:24:37 | call to filter_params |
|
||||
| UrlRedirect.rb:24:31:24:36 | call to params : | UrlRedirect.rb:93:21:93:32 | input_params : |
|
||||
| UrlRedirect.rb:34:20:34:25 | call to params : | UrlRedirect.rb:34:20:34:31 | ...[...] : |
|
||||
| UrlRedirect.rb:34:20:34:31 | ...[...] : | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" |
|
||||
| UrlRedirect.rb:58:17:58:22 | call to params : | UrlRedirect.rb:58:17:58:28 | ...[...] |
|
||||
| UrlRedirect.rb:63:38:63:43 | call to params : | UrlRedirect.rb:63:38:63:49 | ...[...] |
|
||||
| UrlRedirect.rb:68:38:68:43 | call to params : | UrlRedirect.rb:68:38:68:49 | ...[...] |
|
||||
| UrlRedirect.rb:73:25:73:30 | call to params : | UrlRedirect.rb:73:25:73:36 | ...[...] |
|
||||
| UrlRedirect.rb:93:21:93:32 | input_params : | UrlRedirect.rb:94:5:94:29 | call to permit : |
|
||||
| UrlRedirect.rb:9:17:9:22 | call to params | UrlRedirect.rb:9:17:9:28 | ...[...] |
|
||||
| UrlRedirect.rb:14:17:14:22 | call to params | UrlRedirect.rb:14:17:14:43 | call to fetch |
|
||||
| UrlRedirect.rb:19:17:19:22 | call to params | UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash |
|
||||
| UrlRedirect.rb:24:31:24:36 | call to params | UrlRedirect.rb:24:17:24:37 | call to filter_params |
|
||||
| UrlRedirect.rb:24:31:24:36 | call to params | UrlRedirect.rb:93:21:93:32 | input_params |
|
||||
| UrlRedirect.rb:34:20:34:25 | call to params | UrlRedirect.rb:34:20:34:31 | ...[...] |
|
||||
| UrlRedirect.rb:34:20:34:31 | ...[...] | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" |
|
||||
| UrlRedirect.rb:58:17:58:22 | call to params | UrlRedirect.rb:58:17:58:28 | ...[...] |
|
||||
| UrlRedirect.rb:63:38:63:43 | call to params | UrlRedirect.rb:63:38:63:49 | ...[...] |
|
||||
| UrlRedirect.rb:68:38:68:43 | call to params | UrlRedirect.rb:68:38:68:49 | ...[...] |
|
||||
| UrlRedirect.rb:73:25:73:30 | call to params | UrlRedirect.rb:73:25:73:36 | ...[...] |
|
||||
| UrlRedirect.rb:93:21:93:32 | input_params | UrlRedirect.rb:94:5:94:29 | call to permit |
|
||||
nodes
|
||||
| UrlRedirect.rb:4:17:4:22 | call to params | semmle.label | call to params |
|
||||
| UrlRedirect.rb:9:17:9:22 | call to params : | semmle.label | call to params : |
|
||||
| UrlRedirect.rb:9:17:9:22 | call to params | semmle.label | call to params |
|
||||
| UrlRedirect.rb:9:17:9:28 | ...[...] | semmle.label | ...[...] |
|
||||
| UrlRedirect.rb:14:17:14:22 | call to params : | semmle.label | call to params : |
|
||||
| UrlRedirect.rb:14:17:14:22 | call to params | semmle.label | call to params |
|
||||
| UrlRedirect.rb:14:17:14:43 | call to fetch | semmle.label | call to fetch |
|
||||
| UrlRedirect.rb:19:17:19:22 | call to params : | semmle.label | call to params : |
|
||||
| UrlRedirect.rb:19:17:19:22 | call to params | semmle.label | call to params |
|
||||
| UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | semmle.label | call to to_unsafe_hash |
|
||||
| UrlRedirect.rb:24:17:24:37 | call to filter_params | semmle.label | call to filter_params |
|
||||
| UrlRedirect.rb:24:31:24:36 | call to params : | semmle.label | call to params : |
|
||||
| UrlRedirect.rb:24:31:24:36 | call to params | semmle.label | call to params |
|
||||
| UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | semmle.label | "#{...}/foo" |
|
||||
| UrlRedirect.rb:34:20:34:25 | call to params : | semmle.label | call to params : |
|
||||
| UrlRedirect.rb:34:20:34:31 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UrlRedirect.rb:58:17:58:22 | call to params : | semmle.label | call to params : |
|
||||
| UrlRedirect.rb:34:20:34:25 | call to params | semmle.label | call to params |
|
||||
| UrlRedirect.rb:34:20:34:31 | ...[...] | semmle.label | ...[...] |
|
||||
| UrlRedirect.rb:58:17:58:22 | call to params | semmle.label | call to params |
|
||||
| UrlRedirect.rb:58:17:58:28 | ...[...] | semmle.label | ...[...] |
|
||||
| UrlRedirect.rb:63:38:63:43 | call to params : | semmle.label | call to params : |
|
||||
| UrlRedirect.rb:63:38:63:43 | call to params | semmle.label | call to params |
|
||||
| UrlRedirect.rb:63:38:63:49 | ...[...] | semmle.label | ...[...] |
|
||||
| UrlRedirect.rb:68:38:68:43 | call to params : | semmle.label | call to params : |
|
||||
| UrlRedirect.rb:68:38:68:43 | call to params | semmle.label | call to params |
|
||||
| UrlRedirect.rb:68:38:68:49 | ...[...] | semmle.label | ...[...] |
|
||||
| UrlRedirect.rb:73:25:73:30 | call to params : | semmle.label | call to params : |
|
||||
| UrlRedirect.rb:73:25:73:30 | call to params | semmle.label | call to params |
|
||||
| UrlRedirect.rb:73:25:73:36 | ...[...] | semmle.label | ...[...] |
|
||||
| UrlRedirect.rb:93:21:93:32 | input_params : | semmle.label | input_params : |
|
||||
| UrlRedirect.rb:94:5:94:29 | call to permit : | semmle.label | call to permit : |
|
||||
| UrlRedirect.rb:93:21:93:32 | input_params | semmle.label | input_params |
|
||||
| UrlRedirect.rb:94:5:94:29 | call to permit | semmle.label | call to permit |
|
||||
subpaths
|
||||
| UrlRedirect.rb:24:31:24:36 | call to params : | UrlRedirect.rb:93:21:93:32 | input_params : | UrlRedirect.rb:94:5:94:29 | call to permit : | UrlRedirect.rb:24:17:24:37 | call to filter_params |
|
||||
| UrlRedirect.rb:24:31:24:36 | call to params | UrlRedirect.rb:93:21:93:32 | input_params | UrlRedirect.rb:94:5:94:29 | call to permit | UrlRedirect.rb:24:17:24:37 | call to filter_params |
|
||||
#select
|
||||
| UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:4:17:4:22 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:9:17:9:28 | ...[...] | UrlRedirect.rb:9:17:9:22 | call to params : | UrlRedirect.rb:9:17:9:28 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:9:17:9:22 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:14:17:14:43 | call to fetch | UrlRedirect.rb:14:17:14:22 | call to params : | UrlRedirect.rb:14:17:14:43 | call to fetch | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:14:17:14:22 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | UrlRedirect.rb:19:17:19:22 | call to params : | UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:19:17:19:22 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:24:17:24:37 | call to filter_params | UrlRedirect.rb:24:31:24:36 | call to params : | UrlRedirect.rb:24:17:24:37 | call to filter_params | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:24:31:24:36 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | UrlRedirect.rb:34:20:34:25 | call to params : | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:34:20:34:25 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:58:17:58:28 | ...[...] | UrlRedirect.rb:58:17:58:22 | call to params : | UrlRedirect.rb:58:17:58:28 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:58:17:58:22 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:63:38:63:49 | ...[...] | UrlRedirect.rb:63:38:63:43 | call to params : | UrlRedirect.rb:63:38:63:49 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:63:38:63:43 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:68:38:68:49 | ...[...] | UrlRedirect.rb:68:38:68:43 | call to params : | UrlRedirect.rb:68:38:68:49 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:68:38:68:43 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:73:25:73:36 | ...[...] | UrlRedirect.rb:73:25:73:30 | call to params : | UrlRedirect.rb:73:25:73:36 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:73:25:73:30 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:9:17:9:28 | ...[...] | UrlRedirect.rb:9:17:9:22 | call to params | UrlRedirect.rb:9:17:9:28 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:9:17:9:22 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:14:17:14:43 | call to fetch | UrlRedirect.rb:14:17:14:22 | call to params | UrlRedirect.rb:14:17:14:43 | call to fetch | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:14:17:14:22 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | UrlRedirect.rb:19:17:19:22 | call to params | UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:19:17:19:22 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:24:17:24:37 | call to filter_params | UrlRedirect.rb:24:31:24:36 | call to params | UrlRedirect.rb:24:17:24:37 | call to filter_params | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:24:31:24:36 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | UrlRedirect.rb:34:20:34:25 | call to params | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:34:20:34:25 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:58:17:58:28 | ...[...] | UrlRedirect.rb:58:17:58:22 | call to params | UrlRedirect.rb:58:17:58:28 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:58:17:58:22 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:63:38:63:49 | ...[...] | UrlRedirect.rb:63:38:63:43 | call to params | UrlRedirect.rb:63:38:63:49 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:63:38:63:43 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:68:38:68:49 | ...[...] | UrlRedirect.rb:68:38:68:43 | call to params | UrlRedirect.rb:68:38:68:49 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:68:38:68:43 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:73:25:73:36 | ...[...] | UrlRedirect.rb:73:25:73:30 | call to params | UrlRedirect.rb:73:25:73:36 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:73:25:73:30 | call to params | user-provided value |
|
||||
|
||||
@@ -1,21 +1,21 @@
|
||||
edges
|
||||
| LibXmlBackend.rb:16:5:16:11 | content : | LibXmlBackend.rb:18:30:18:36 | content |
|
||||
| LibXmlBackend.rb:16:5:16:11 | content : | LibXmlBackend.rb:19:19:19:25 | content |
|
||||
| LibXmlBackend.rb:16:5:16:11 | content : | LibXmlBackend.rb:20:27:20:33 | content |
|
||||
| LibXmlBackend.rb:16:5:16:11 | content : | LibXmlBackend.rb:21:34:21:40 | content |
|
||||
| LibXmlBackend.rb:16:15:16:20 | call to params : | LibXmlBackend.rb:16:15:16:26 | ...[...] : |
|
||||
| LibXmlBackend.rb:16:15:16:26 | ...[...] : | LibXmlBackend.rb:16:5:16:11 | content : |
|
||||
| LibXmlBackend.rb:16:5:16:11 | content | LibXmlBackend.rb:18:30:18:36 | content |
|
||||
| LibXmlBackend.rb:16:5:16:11 | content | LibXmlBackend.rb:19:19:19:25 | content |
|
||||
| LibXmlBackend.rb:16:5:16:11 | content | LibXmlBackend.rb:20:27:20:33 | content |
|
||||
| LibXmlBackend.rb:16:5:16:11 | content | LibXmlBackend.rb:21:34:21:40 | content |
|
||||
| LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:16:15:16:26 | ...[...] |
|
||||
| LibXmlBackend.rb:16:15:16:26 | ...[...] | LibXmlBackend.rb:16:5:16:11 | content |
|
||||
nodes
|
||||
| LibXmlBackend.rb:16:5:16:11 | content : | semmle.label | content : |
|
||||
| LibXmlBackend.rb:16:15:16:20 | call to params : | semmle.label | call to params : |
|
||||
| LibXmlBackend.rb:16:15:16:26 | ...[...] : | semmle.label | ...[...] : |
|
||||
| LibXmlBackend.rb:16:5:16:11 | content | semmle.label | content |
|
||||
| LibXmlBackend.rb:16:15:16:20 | call to params | semmle.label | call to params |
|
||||
| LibXmlBackend.rb:16:15:16:26 | ...[...] | semmle.label | ...[...] |
|
||||
| LibXmlBackend.rb:18:30:18:36 | content | semmle.label | content |
|
||||
| LibXmlBackend.rb:19:19:19:25 | content | semmle.label | content |
|
||||
| LibXmlBackend.rb:20:27:20:33 | content | semmle.label | content |
|
||||
| LibXmlBackend.rb:21:34:21:40 | content | semmle.label | content |
|
||||
subpaths
|
||||
#select
|
||||
| LibXmlBackend.rb:18:30:18:36 | content | LibXmlBackend.rb:16:15:16:20 | call to params : | LibXmlBackend.rb:18:30:18:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value |
|
||||
| LibXmlBackend.rb:19:19:19:25 | content | LibXmlBackend.rb:16:15:16:20 | call to params : | LibXmlBackend.rb:19:19:19:25 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value |
|
||||
| LibXmlBackend.rb:20:27:20:33 | content | LibXmlBackend.rb:16:15:16:20 | call to params : | LibXmlBackend.rb:20:27:20:33 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value |
|
||||
| LibXmlBackend.rb:21:34:21:40 | content | LibXmlBackend.rb:16:15:16:20 | call to params : | LibXmlBackend.rb:21:34:21:40 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value |
|
||||
| LibXmlBackend.rb:18:30:18:36 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:18:30:18:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value |
|
||||
| LibXmlBackend.rb:19:19:19:25 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:19:19:19:25 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value |
|
||||
| LibXmlBackend.rb:20:27:20:33 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:20:27:20:33 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value |
|
||||
| LibXmlBackend.rb:21:34:21:40 | content | LibXmlBackend.rb:16:15:16:20 | call to params | LibXmlBackend.rb:21:34:21:40 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlBackend.rb:16:15:16:20 | call to params | user-provided value |
|
||||
|
||||
@@ -1,35 +1,35 @@
|
||||
edges
|
||||
| LibXmlRuby.rb:3:5:3:11 | content : | LibXmlRuby.rb:4:34:4:40 | content |
|
||||
| LibXmlRuby.rb:3:5:3:11 | content : | LibXmlRuby.rb:5:32:5:38 | content |
|
||||
| LibXmlRuby.rb:3:5:3:11 | content : | LibXmlRuby.rb:6:30:6:36 | content |
|
||||
| LibXmlRuby.rb:3:5:3:11 | content : | LibXmlRuby.rb:7:32:7:38 | content |
|
||||
| LibXmlRuby.rb:3:5:3:11 | content : | LibXmlRuby.rb:8:30:8:36 | content |
|
||||
| LibXmlRuby.rb:3:5:3:11 | content : | LibXmlRuby.rb:9:28:9:34 | content |
|
||||
| LibXmlRuby.rb:3:5:3:11 | content : | LibXmlRuby.rb:11:26:11:32 | content |
|
||||
| LibXmlRuby.rb:3:5:3:11 | content : | LibXmlRuby.rb:12:24:12:30 | content |
|
||||
| LibXmlRuby.rb:3:15:3:20 | call to params : | LibXmlRuby.rb:3:15:3:26 | ...[...] : |
|
||||
| LibXmlRuby.rb:3:15:3:26 | ...[...] : | LibXmlRuby.rb:3:5:3:11 | content : |
|
||||
| Nokogiri.rb:3:5:3:11 | content : | Nokogiri.rb:5:26:5:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content : | Nokogiri.rb:6:26:6:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content : | Nokogiri.rb:7:26:7:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content : | Nokogiri.rb:8:26:8:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content : | Nokogiri.rb:9:26:9:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content : | Nokogiri.rb:11:26:11:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content : | Nokogiri.rb:12:26:12:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content : | Nokogiri.rb:15:26:15:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content : | Nokogiri.rb:16:26:16:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content : | Nokogiri.rb:18:26:18:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content : | Nokogiri.rb:19:26:19:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content : | Nokogiri.rb:22:26:22:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content : | Nokogiri.rb:25:26:25:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content : | Nokogiri.rb:27:26:27:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content : | Nokogiri.rb:28:26:28:32 | content |
|
||||
| Nokogiri.rb:3:15:3:20 | call to params : | Nokogiri.rb:3:15:3:26 | ...[...] : |
|
||||
| Nokogiri.rb:3:15:3:26 | ...[...] : | Nokogiri.rb:3:5:3:11 | content : |
|
||||
| LibXmlRuby.rb:3:5:3:11 | content | LibXmlRuby.rb:4:34:4:40 | content |
|
||||
| LibXmlRuby.rb:3:5:3:11 | content | LibXmlRuby.rb:5:32:5:38 | content |
|
||||
| LibXmlRuby.rb:3:5:3:11 | content | LibXmlRuby.rb:6:30:6:36 | content |
|
||||
| LibXmlRuby.rb:3:5:3:11 | content | LibXmlRuby.rb:7:32:7:38 | content |
|
||||
| LibXmlRuby.rb:3:5:3:11 | content | LibXmlRuby.rb:8:30:8:36 | content |
|
||||
| LibXmlRuby.rb:3:5:3:11 | content | LibXmlRuby.rb:9:28:9:34 | content |
|
||||
| LibXmlRuby.rb:3:5:3:11 | content | LibXmlRuby.rb:11:26:11:32 | content |
|
||||
| LibXmlRuby.rb:3:5:3:11 | content | LibXmlRuby.rb:12:24:12:30 | content |
|
||||
| LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:3:15:3:26 | ...[...] |
|
||||
| LibXmlRuby.rb:3:15:3:26 | ...[...] | LibXmlRuby.rb:3:5:3:11 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content | Nokogiri.rb:5:26:5:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content | Nokogiri.rb:6:26:6:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content | Nokogiri.rb:7:26:7:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content | Nokogiri.rb:8:26:8:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content | Nokogiri.rb:9:26:9:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content | Nokogiri.rb:11:26:11:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content | Nokogiri.rb:12:26:12:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content | Nokogiri.rb:15:26:15:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content | Nokogiri.rb:16:26:16:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content | Nokogiri.rb:18:26:18:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content | Nokogiri.rb:19:26:19:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content | Nokogiri.rb:22:26:22:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content | Nokogiri.rb:25:26:25:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content | Nokogiri.rb:27:26:27:32 | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content | Nokogiri.rb:28:26:28:32 | content |
|
||||
| Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:3:15:3:26 | ...[...] |
|
||||
| Nokogiri.rb:3:15:3:26 | ...[...] | Nokogiri.rb:3:5:3:11 | content |
|
||||
nodes
|
||||
| LibXmlRuby.rb:3:5:3:11 | content : | semmle.label | content : |
|
||||
| LibXmlRuby.rb:3:15:3:20 | call to params : | semmle.label | call to params : |
|
||||
| LibXmlRuby.rb:3:15:3:26 | ...[...] : | semmle.label | ...[...] : |
|
||||
| LibXmlRuby.rb:3:5:3:11 | content | semmle.label | content |
|
||||
| LibXmlRuby.rb:3:15:3:20 | call to params | semmle.label | call to params |
|
||||
| LibXmlRuby.rb:3:15:3:26 | ...[...] | semmle.label | ...[...] |
|
||||
| LibXmlRuby.rb:4:34:4:40 | content | semmle.label | content |
|
||||
| LibXmlRuby.rb:5:32:5:38 | content | semmle.label | content |
|
||||
| LibXmlRuby.rb:6:30:6:36 | content | semmle.label | content |
|
||||
@@ -38,9 +38,9 @@ nodes
|
||||
| LibXmlRuby.rb:9:28:9:34 | content | semmle.label | content |
|
||||
| LibXmlRuby.rb:11:26:11:32 | content | semmle.label | content |
|
||||
| LibXmlRuby.rb:12:24:12:30 | content | semmle.label | content |
|
||||
| Nokogiri.rb:3:5:3:11 | content : | semmle.label | content : |
|
||||
| Nokogiri.rb:3:15:3:20 | call to params : | semmle.label | call to params : |
|
||||
| Nokogiri.rb:3:15:3:26 | ...[...] : | semmle.label | ...[...] : |
|
||||
| Nokogiri.rb:3:5:3:11 | content | semmle.label | content |
|
||||
| Nokogiri.rb:3:15:3:20 | call to params | semmle.label | call to params |
|
||||
| Nokogiri.rb:3:15:3:26 | ...[...] | semmle.label | ...[...] |
|
||||
| Nokogiri.rb:5:26:5:32 | content | semmle.label | content |
|
||||
| Nokogiri.rb:6:26:6:32 | content | semmle.label | content |
|
||||
| Nokogiri.rb:7:26:7:32 | content | semmle.label | content |
|
||||
@@ -58,26 +58,26 @@ nodes
|
||||
| Nokogiri.rb:28:26:28:32 | content | semmle.label | content |
|
||||
subpaths
|
||||
#select
|
||||
| LibXmlRuby.rb:4:34:4:40 | content | LibXmlRuby.rb:3:15:3:20 | call to params : | LibXmlRuby.rb:4:34:4:40 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| LibXmlRuby.rb:5:32:5:38 | content | LibXmlRuby.rb:3:15:3:20 | call to params : | LibXmlRuby.rb:5:32:5:38 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| LibXmlRuby.rb:6:30:6:36 | content | LibXmlRuby.rb:3:15:3:20 | call to params : | LibXmlRuby.rb:6:30:6:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| LibXmlRuby.rb:7:32:7:38 | content | LibXmlRuby.rb:3:15:3:20 | call to params : | LibXmlRuby.rb:7:32:7:38 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| LibXmlRuby.rb:8:30:8:36 | content | LibXmlRuby.rb:3:15:3:20 | call to params : | LibXmlRuby.rb:8:30:8:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| LibXmlRuby.rb:9:28:9:34 | content | LibXmlRuby.rb:3:15:3:20 | call to params : | LibXmlRuby.rb:9:28:9:34 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| LibXmlRuby.rb:11:26:11:32 | content | LibXmlRuby.rb:3:15:3:20 | call to params : | LibXmlRuby.rb:11:26:11:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| LibXmlRuby.rb:12:24:12:30 | content | LibXmlRuby.rb:3:15:3:20 | call to params : | LibXmlRuby.rb:12:24:12:30 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:5:26:5:32 | content | Nokogiri.rb:3:15:3:20 | call to params : | Nokogiri.rb:5:26:5:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:6:26:6:32 | content | Nokogiri.rb:3:15:3:20 | call to params : | Nokogiri.rb:6:26:6:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:7:26:7:32 | content | Nokogiri.rb:3:15:3:20 | call to params : | Nokogiri.rb:7:26:7:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:8:26:8:32 | content | Nokogiri.rb:3:15:3:20 | call to params : | Nokogiri.rb:8:26:8:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:9:26:9:32 | content | Nokogiri.rb:3:15:3:20 | call to params : | Nokogiri.rb:9:26:9:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:11:26:11:32 | content | Nokogiri.rb:3:15:3:20 | call to params : | Nokogiri.rb:11:26:11:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:12:26:12:32 | content | Nokogiri.rb:3:15:3:20 | call to params : | Nokogiri.rb:12:26:12:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:15:26:15:32 | content | Nokogiri.rb:3:15:3:20 | call to params : | Nokogiri.rb:15:26:15:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:16:26:16:32 | content | Nokogiri.rb:3:15:3:20 | call to params : | Nokogiri.rb:16:26:16:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:18:26:18:32 | content | Nokogiri.rb:3:15:3:20 | call to params : | Nokogiri.rb:18:26:18:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:19:26:19:32 | content | Nokogiri.rb:3:15:3:20 | call to params : | Nokogiri.rb:19:26:19:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:22:26:22:32 | content | Nokogiri.rb:3:15:3:20 | call to params : | Nokogiri.rb:22:26:22:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:25:26:25:32 | content | Nokogiri.rb:3:15:3:20 | call to params : | Nokogiri.rb:25:26:25:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:27:26:27:32 | content | Nokogiri.rb:3:15:3:20 | call to params : | Nokogiri.rb:27:26:27:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:28:26:28:32 | content | Nokogiri.rb:3:15:3:20 | call to params : | Nokogiri.rb:28:26:28:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| LibXmlRuby.rb:4:34:4:40 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:4:34:4:40 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| LibXmlRuby.rb:5:32:5:38 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:5:32:5:38 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| LibXmlRuby.rb:6:30:6:36 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:6:30:6:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| LibXmlRuby.rb:7:32:7:38 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:7:32:7:38 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| LibXmlRuby.rb:8:30:8:36 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:8:30:8:36 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| LibXmlRuby.rb:9:28:9:34 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:9:28:9:34 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| LibXmlRuby.rb:11:26:11:32 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:11:26:11:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| LibXmlRuby.rb:12:24:12:30 | content | LibXmlRuby.rb:3:15:3:20 | call to params | LibXmlRuby.rb:12:24:12:30 | content | XML parsing depends on a $@ without guarding against external entity expansion. | LibXmlRuby.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:5:26:5:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:5:26:5:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:6:26:6:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:6:26:6:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:7:26:7:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:7:26:7:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:8:26:8:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:8:26:8:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:9:26:9:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:9:26:9:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:11:26:11:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:11:26:11:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:12:26:12:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:12:26:12:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:15:26:15:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:15:26:15:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:16:26:16:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:16:26:16:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:18:26:18:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:18:26:18:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:19:26:19:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:19:26:19:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:22:26:22:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:22:26:22:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:25:26:25:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:25:26:25:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:27:26:27:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:27:26:27:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
| Nokogiri.rb:28:26:28:32 | content | Nokogiri.rb:3:15:3:20 | call to params | Nokogiri.rb:28:26:28:32 | content | XML parsing depends on a $@ without guarding against external entity expansion. | Nokogiri.rb:3:15:3:20 | call to params | user-provided value |
|
||||
|
||||
@@ -1,25 +1,25 @@
|
||||
edges
|
||||
| FilePermissions.rb:51:3:51:6 | perm : | FilePermissions.rb:53:19:53:22 | perm |
|
||||
| FilePermissions.rb:51:3:51:6 | perm : | FilePermissions.rb:54:3:54:7 | perm2 : |
|
||||
| FilePermissions.rb:51:10:51:13 | 0777 : | FilePermissions.rb:51:3:51:6 | perm : |
|
||||
| FilePermissions.rb:54:3:54:7 | perm2 : | FilePermissions.rb:56:19:56:23 | perm2 |
|
||||
| FilePermissions.rb:58:3:58:6 | perm : | FilePermissions.rb:59:3:59:7 | perm2 : |
|
||||
| FilePermissions.rb:58:10:58:26 | "u=wrx,g=rwx,o=x" : | FilePermissions.rb:58:3:58:6 | perm : |
|
||||
| FilePermissions.rb:59:3:59:7 | perm2 : | FilePermissions.rb:61:19:61:23 | perm2 |
|
||||
| FilePermissions.rb:51:3:51:6 | perm | FilePermissions.rb:53:19:53:22 | perm |
|
||||
| FilePermissions.rb:51:3:51:6 | perm | FilePermissions.rb:54:3:54:7 | perm2 |
|
||||
| FilePermissions.rb:51:10:51:13 | 0777 | FilePermissions.rb:51:3:51:6 | perm |
|
||||
| FilePermissions.rb:54:3:54:7 | perm2 | FilePermissions.rb:56:19:56:23 | perm2 |
|
||||
| FilePermissions.rb:58:3:58:6 | perm | FilePermissions.rb:59:3:59:7 | perm2 |
|
||||
| FilePermissions.rb:58:10:58:26 | "u=wrx,g=rwx,o=x" | FilePermissions.rb:58:3:58:6 | perm |
|
||||
| FilePermissions.rb:59:3:59:7 | perm2 | FilePermissions.rb:61:19:61:23 | perm2 |
|
||||
nodes
|
||||
| FilePermissions.rb:5:19:5:22 | 0222 | semmle.label | 0222 |
|
||||
| FilePermissions.rb:7:19:7:22 | 0622 | semmle.label | 0622 |
|
||||
| FilePermissions.rb:9:19:9:22 | 0755 | semmle.label | 0755 |
|
||||
| FilePermissions.rb:11:19:11:22 | 0777 | semmle.label | 0777 |
|
||||
| FilePermissions.rb:28:13:28:16 | 0755 | semmle.label | 0755 |
|
||||
| FilePermissions.rb:51:3:51:6 | perm : | semmle.label | perm : |
|
||||
| FilePermissions.rb:51:10:51:13 | 0777 : | semmle.label | 0777 : |
|
||||
| FilePermissions.rb:51:3:51:6 | perm | semmle.label | perm |
|
||||
| FilePermissions.rb:51:10:51:13 | 0777 | semmle.label | 0777 |
|
||||
| FilePermissions.rb:53:19:53:22 | perm | semmle.label | perm |
|
||||
| FilePermissions.rb:54:3:54:7 | perm2 : | semmle.label | perm2 : |
|
||||
| FilePermissions.rb:54:3:54:7 | perm2 | semmle.label | perm2 |
|
||||
| FilePermissions.rb:56:19:56:23 | perm2 | semmle.label | perm2 |
|
||||
| FilePermissions.rb:58:3:58:6 | perm : | semmle.label | perm : |
|
||||
| FilePermissions.rb:58:10:58:26 | "u=wrx,g=rwx,o=x" : | semmle.label | "u=wrx,g=rwx,o=x" : |
|
||||
| FilePermissions.rb:59:3:59:7 | perm2 : | semmle.label | perm2 : |
|
||||
| FilePermissions.rb:58:3:58:6 | perm | semmle.label | perm |
|
||||
| FilePermissions.rb:58:10:58:26 | "u=wrx,g=rwx,o=x" | semmle.label | "u=wrx,g=rwx,o=x" |
|
||||
| FilePermissions.rb:59:3:59:7 | perm2 | semmle.label | perm2 |
|
||||
| FilePermissions.rb:61:19:61:23 | perm2 | semmle.label | perm2 |
|
||||
| FilePermissions.rb:63:19:63:29 | "u=rwx,o+r" | semmle.label | "u=rwx,o+r" |
|
||||
| FilePermissions.rb:67:19:67:24 | "a+rw" | semmle.label | "a+rw" |
|
||||
@@ -31,9 +31,9 @@ subpaths
|
||||
| FilePermissions.rb:9:19:9:22 | 0755 | FilePermissions.rb:9:19:9:22 | 0755 | FilePermissions.rb:9:19:9:22 | 0755 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:9:3:9:32 | call to chmod | call to chmod |
|
||||
| FilePermissions.rb:11:19:11:22 | 0777 | FilePermissions.rb:11:19:11:22 | 0777 | FilePermissions.rb:11:19:11:22 | 0777 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:11:3:11:32 | call to chmod | call to chmod |
|
||||
| FilePermissions.rb:28:13:28:16 | 0755 | FilePermissions.rb:28:13:28:16 | 0755 | FilePermissions.rb:28:13:28:16 | 0755 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:28:3:28:26 | call to chmod | call to chmod |
|
||||
| FilePermissions.rb:51:10:51:13 | 0777 | FilePermissions.rb:51:10:51:13 | 0777 : | FilePermissions.rb:53:19:53:22 | perm | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:53:3:53:32 | call to chmod | call to chmod |
|
||||
| FilePermissions.rb:51:10:51:13 | 0777 | FilePermissions.rb:51:10:51:13 | 0777 : | FilePermissions.rb:56:19:56:23 | perm2 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:56:3:56:33 | call to chmod | call to chmod |
|
||||
| FilePermissions.rb:58:10:58:26 | "u=wrx,g=rwx,o=x" | FilePermissions.rb:58:10:58:26 | "u=wrx,g=rwx,o=x" : | FilePermissions.rb:61:19:61:23 | perm2 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:61:3:61:33 | call to chmod | call to chmod |
|
||||
| FilePermissions.rb:51:10:51:13 | 0777 | FilePermissions.rb:51:10:51:13 | 0777 | FilePermissions.rb:53:19:53:22 | perm | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:53:3:53:32 | call to chmod | call to chmod |
|
||||
| FilePermissions.rb:51:10:51:13 | 0777 | FilePermissions.rb:51:10:51:13 | 0777 | FilePermissions.rb:56:19:56:23 | perm2 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:56:3:56:33 | call to chmod | call to chmod |
|
||||
| FilePermissions.rb:58:10:58:26 | "u=wrx,g=rwx,o=x" | FilePermissions.rb:58:10:58:26 | "u=wrx,g=rwx,o=x" | FilePermissions.rb:61:19:61:23 | perm2 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:61:3:61:33 | call to chmod | call to chmod |
|
||||
| FilePermissions.rb:63:19:63:29 | "u=rwx,o+r" | FilePermissions.rb:63:19:63:29 | "u=rwx,o+r" | FilePermissions.rb:63:19:63:29 | "u=rwx,o+r" | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:63:3:63:39 | call to chmod | call to chmod |
|
||||
| FilePermissions.rb:67:19:67:24 | "a+rw" | FilePermissions.rb:67:19:67:24 | "a+rw" | FilePermissions.rb:67:19:67:24 | "a+rw" | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:67:3:67:34 | call to chmod | call to chmod |
|
||||
| FilePermissions.rb:72:21:72:24 | 0755 | FilePermissions.rb:72:21:72:24 | 0755 | FilePermissions.rb:72:21:72:24 | 0755 | This overly permissive mask used in $@ allows read or write access to others. | FilePermissions.rb:72:3:72:34 | call to chmod_R | call to chmod_R |
|
||||
|
||||
@@ -1,49 +1,49 @@
|
||||
edges
|
||||
| HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." : | HardcodedCredentials.rb:1:23:1:30 | password |
|
||||
| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." : | HardcodedCredentials.rb:1:33:1:36 | cert |
|
||||
| HardcodedCredentials.rb:18:19:18:72 | ... + ... : | HardcodedCredentials.rb:1:23:1:30 | password |
|
||||
| HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." : | HardcodedCredentials.rb:18:19:18:72 | ... + ... : |
|
||||
| HardcodedCredentials.rb:20:1:20:7 | pw_left : | HardcodedCredentials.rb:22:1:22:2 | pw : |
|
||||
| HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." : | HardcodedCredentials.rb:20:1:20:7 | pw_left : |
|
||||
| HardcodedCredentials.rb:21:1:21:8 | pw_right : | HardcodedCredentials.rb:22:1:22:2 | pw : |
|
||||
| HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" : | HardcodedCredentials.rb:21:1:21:8 | pw_right : |
|
||||
| HardcodedCredentials.rb:22:1:22:2 | pw : | HardcodedCredentials.rb:23:19:23:20 | pw : |
|
||||
| HardcodedCredentials.rb:23:19:23:20 | pw : | HardcodedCredentials.rb:1:23:1:30 | password |
|
||||
| HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." : | HardcodedCredentials.rb:31:18:31:23 | passwd |
|
||||
| HardcodedCredentials.rb:43:29:43:43 | "user@test.com" : | HardcodedCredentials.rb:43:18:43:25 | username |
|
||||
| HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" : | HardcodedCredentials.rb:43:46:43:53 | password |
|
||||
| HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." | HardcodedCredentials.rb:1:23:1:30 | password |
|
||||
| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:1:33:1:36 | cert |
|
||||
| HardcodedCredentials.rb:18:19:18:72 | ... + ... | HardcodedCredentials.rb:1:23:1:30 | password |
|
||||
| HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." | HardcodedCredentials.rb:18:19:18:72 | ... + ... |
|
||||
| HardcodedCredentials.rb:20:1:20:7 | pw_left | HardcodedCredentials.rb:22:1:22:2 | pw |
|
||||
| HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." | HardcodedCredentials.rb:20:1:20:7 | pw_left |
|
||||
| HardcodedCredentials.rb:21:1:21:8 | pw_right | HardcodedCredentials.rb:22:1:22:2 | pw |
|
||||
| HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" | HardcodedCredentials.rb:21:1:21:8 | pw_right |
|
||||
| HardcodedCredentials.rb:22:1:22:2 | pw | HardcodedCredentials.rb:23:19:23:20 | pw |
|
||||
| HardcodedCredentials.rb:23:19:23:20 | pw | HardcodedCredentials.rb:1:23:1:30 | password |
|
||||
| HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." | HardcodedCredentials.rb:31:18:31:23 | passwd |
|
||||
| HardcodedCredentials.rb:43:29:43:43 | "user@test.com" | HardcodedCredentials.rb:43:18:43:25 | username |
|
||||
| HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" | HardcodedCredentials.rb:43:46:43:53 | password |
|
||||
nodes
|
||||
| HardcodedCredentials.rb:1:23:1:30 | password | semmle.label | password |
|
||||
| HardcodedCredentials.rb:1:33:1:36 | cert | semmle.label | cert |
|
||||
| HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | semmle.label | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." |
|
||||
| HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | semmle.label | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." |
|
||||
| HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." : | semmle.label | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." : |
|
||||
| HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." | semmle.label | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." |
|
||||
| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | semmle.label | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." |
|
||||
| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." : | semmle.label | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." : |
|
||||
| HardcodedCredentials.rb:18:19:18:72 | ... + ... : | semmle.label | ... + ... : |
|
||||
| HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." : | semmle.label | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." : |
|
||||
| HardcodedCredentials.rb:20:1:20:7 | pw_left : | semmle.label | pw_left : |
|
||||
| HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." : | semmle.label | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." : |
|
||||
| HardcodedCredentials.rb:21:1:21:8 | pw_right : | semmle.label | pw_right : |
|
||||
| HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" : | semmle.label | "4fQuzXef4f2yow8KWvIJTA==" : |
|
||||
| HardcodedCredentials.rb:22:1:22:2 | pw : | semmle.label | pw : |
|
||||
| HardcodedCredentials.rb:23:19:23:20 | pw : | semmle.label | pw : |
|
||||
| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | semmle.label | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." |
|
||||
| HardcodedCredentials.rb:18:19:18:72 | ... + ... | semmle.label | ... + ... |
|
||||
| HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." | semmle.label | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." |
|
||||
| HardcodedCredentials.rb:20:1:20:7 | pw_left | semmle.label | pw_left |
|
||||
| HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." | semmle.label | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." |
|
||||
| HardcodedCredentials.rb:21:1:21:8 | pw_right | semmle.label | pw_right |
|
||||
| HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" | semmle.label | "4fQuzXef4f2yow8KWvIJTA==" |
|
||||
| HardcodedCredentials.rb:22:1:22:2 | pw | semmle.label | pw |
|
||||
| HardcodedCredentials.rb:23:19:23:20 | pw | semmle.label | pw |
|
||||
| HardcodedCredentials.rb:31:18:31:23 | passwd | semmle.label | passwd |
|
||||
| HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." : | semmle.label | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." : |
|
||||
| HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." | semmle.label | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." |
|
||||
| HardcodedCredentials.rb:43:18:43:25 | username | semmle.label | username |
|
||||
| HardcodedCredentials.rb:43:29:43:43 | "user@test.com" : | semmle.label | "user@test.com" : |
|
||||
| HardcodedCredentials.rb:43:29:43:43 | "user@test.com" | semmle.label | "user@test.com" |
|
||||
| HardcodedCredentials.rb:43:46:43:53 | password | semmle.label | password |
|
||||
| HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" : | semmle.label | "abcdef123456" : |
|
||||
| HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" | semmle.label | "abcdef123456" |
|
||||
subpaths
|
||||
#select
|
||||
| HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | This hardcoded value is $@. | HardcodedCredentials.rb:4:20:4:65 | "xwjVWdfzfRlbcgKkbSfG/xSrUeHYq..." | used as credentials |
|
||||
| HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | This hardcoded value is $@. | HardcodedCredentials.rb:8:30:8:75 | "X6BLgRWSAtAWG/GaHS+WGGW2K7zZF..." | used as credentials |
|
||||
| HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." | HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." : | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials |
|
||||
| HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." | HardcodedCredentials.rb:12:19:12:64 | "4NQX/CqB5Ae98zFUmwj1DMpF7azsh..." | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials |
|
||||
| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:1:33:1:36 | cert | This hardcoded value is $@. | HardcodedCredentials.rb:1:33:1:36 | cert | used as credentials |
|
||||
| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | This hardcoded value is $@. | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | used as credentials |
|
||||
| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." : | HardcodedCredentials.rb:1:33:1:36 | cert | This hardcoded value is $@. | HardcodedCredentials.rb:1:33:1:36 | cert | used as credentials |
|
||||
| HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." | HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." : | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials |
|
||||
| HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." | HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." : | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials |
|
||||
| HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" | HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" : | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials |
|
||||
| HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." | HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." : | HardcodedCredentials.rb:31:18:31:23 | passwd | This hardcoded value is $@. | HardcodedCredentials.rb:31:18:31:23 | passwd | used as credentials |
|
||||
| HardcodedCredentials.rb:43:29:43:43 | "user@test.com" | HardcodedCredentials.rb:43:29:43:43 | "user@test.com" : | HardcodedCredentials.rb:43:18:43:25 | username | This hardcoded value is $@. | HardcodedCredentials.rb:43:18:43:25 | username | used as credentials |
|
||||
| HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" | HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" : | HardcodedCredentials.rb:43:46:43:53 | password | This hardcoded value is $@. | HardcodedCredentials.rb:43:46:43:53 | password | used as credentials |
|
||||
| HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." | HardcodedCredentials.rb:18:27:18:72 | "ogH6qSYWGdbR/2WOGYa7eZ/tObL+G..." | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials |
|
||||
| HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." | HardcodedCredentials.rb:20:11:20:76 | "3jOe7sXKX6Tx52qHWUVqh2t9LNsE+..." | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials |
|
||||
| HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" | HardcodedCredentials.rb:21:12:21:37 | "4fQuzXef4f2yow8KWvIJTA==" | HardcodedCredentials.rb:1:23:1:30 | password | This hardcoded value is $@. | HardcodedCredentials.rb:1:23:1:30 | password | used as credentials |
|
||||
| HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." | HardcodedCredentials.rb:38:40:38:85 | "kdW/xVhiv6y1fQQNevDpUaq+2rfPK..." | HardcodedCredentials.rb:31:18:31:23 | passwd | This hardcoded value is $@. | HardcodedCredentials.rb:31:18:31:23 | passwd | used as credentials |
|
||||
| HardcodedCredentials.rb:43:29:43:43 | "user@test.com" | HardcodedCredentials.rb:43:29:43:43 | "user@test.com" | HardcodedCredentials.rb:43:18:43:25 | username | This hardcoded value is $@. | HardcodedCredentials.rb:43:18:43:25 | username | used as credentials |
|
||||
| HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" | HardcodedCredentials.rb:43:57:43:70 | "abcdef123456" | HardcodedCredentials.rb:43:46:43:53 | password | This hardcoded value is $@. | HardcodedCredentials.rb:43:46:43:53 | password | used as credentials |
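Review bot: In the `nodes` relation of this section, the literal at `HardcodedCredentials.rb:15:30:15:75` appears to end up as two textually identical rows on the new side, `| HardcodedCredentials.rb:15:30:15:75 | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." | semmle.label | "WLC17dLQ9P8YlQvqm77qplOMm5pd1..." |`. One row was already unsuffixed and the other only lost its ` : ` suffix; the +/- markers are not preserved on this page, so the sides are inferred from that suffix. Before the change, the two rows distinguished the literal reported as its own sink from the literal as the start of the path to `cert`. It is worth confirming that the repeated row is intended, and that the expected-output comparison would still notice if one of the two path nodes stopped being reported.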
|
||||
|
||||
@@ -1,26 +1,26 @@
|
||||
edges
|
||||
| ConditionalBypass.rb:3:5:3:9 | check : | ConditionalBypass.rb:6:8:6:12 | check |
|
||||
| ConditionalBypass.rb:3:13:3:18 | call to params : | ConditionalBypass.rb:3:13:3:26 | ...[...] : |
|
||||
| ConditionalBypass.rb:3:13:3:26 | ...[...] : | ConditionalBypass.rb:3:5:3:9 | check : |
|
||||
| ConditionalBypass.rb:14:14:14:19 | call to params : | ConditionalBypass.rb:14:14:14:27 | ...[...] |
|
||||
| ConditionalBypass.rb:25:5:25:5 | p : | ConditionalBypass.rb:27:8:27:8 | p |
|
||||
| ConditionalBypass.rb:25:10:25:15 | call to params : | ConditionalBypass.rb:25:10:25:22 | ...[...] |
|
||||
| ConditionalBypass.rb:25:10:25:15 | call to params : | ConditionalBypass.rb:25:10:25:22 | ...[...] : |
|
||||
| ConditionalBypass.rb:25:10:25:22 | ...[...] : | ConditionalBypass.rb:25:5:25:5 | p : |
|
||||
| ConditionalBypass.rb:3:5:3:9 | check | ConditionalBypass.rb:6:8:6:12 | check |
|
||||
| ConditionalBypass.rb:3:13:3:18 | call to params | ConditionalBypass.rb:3:13:3:26 | ...[...] |
|
||||
| ConditionalBypass.rb:3:13:3:26 | ...[...] | ConditionalBypass.rb:3:5:3:9 | check |
|
||||
| ConditionalBypass.rb:14:14:14:19 | call to params | ConditionalBypass.rb:14:14:14:27 | ...[...] |
|
||||
| ConditionalBypass.rb:25:5:25:5 | p | ConditionalBypass.rb:27:8:27:8 | p |
|
||||
| ConditionalBypass.rb:25:10:25:15 | call to params | ConditionalBypass.rb:25:10:25:22 | ...[...] |
|
||||
| ConditionalBypass.rb:25:10:25:15 | call to params | ConditionalBypass.rb:25:10:25:22 | ...[...] |
|
||||
| ConditionalBypass.rb:25:10:25:22 | ...[...] | ConditionalBypass.rb:25:5:25:5 | p |
|
||||
nodes
|
||||
| ConditionalBypass.rb:3:5:3:9 | check : | semmle.label | check : |
|
||||
| ConditionalBypass.rb:3:13:3:18 | call to params : | semmle.label | call to params : |
|
||||
| ConditionalBypass.rb:3:13:3:26 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ConditionalBypass.rb:3:5:3:9 | check | semmle.label | check |
|
||||
| ConditionalBypass.rb:3:13:3:18 | call to params | semmle.label | call to params |
|
||||
| ConditionalBypass.rb:3:13:3:26 | ...[...] | semmle.label | ...[...] |
|
||||
| ConditionalBypass.rb:6:8:6:12 | check | semmle.label | check |
|
||||
| ConditionalBypass.rb:14:14:14:19 | call to params : | semmle.label | call to params : |
|
||||
| ConditionalBypass.rb:14:14:14:19 | call to params | semmle.label | call to params |
|
||||
| ConditionalBypass.rb:14:14:14:27 | ...[...] | semmle.label | ...[...] |
|
||||
| ConditionalBypass.rb:25:5:25:5 | p : | semmle.label | p : |
|
||||
| ConditionalBypass.rb:25:10:25:15 | call to params : | semmle.label | call to params : |
|
||||
| ConditionalBypass.rb:25:5:25:5 | p | semmle.label | p |
|
||||
| ConditionalBypass.rb:25:10:25:15 | call to params | semmle.label | call to params |
|
||||
| ConditionalBypass.rb:25:10:25:22 | ...[...] | semmle.label | ...[...] |
|
||||
| ConditionalBypass.rb:25:10:25:22 | ...[...] | semmle.label | ...[...] |
|
||||
| ConditionalBypass.rb:25:10:25:22 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ConditionalBypass.rb:27:8:27:8 | p | semmle.label | p |
|
||||
subpaths
|
||||
#select
|
||||
| ConditionalBypass.rb:6:8:6:12 | check | ConditionalBypass.rb:3:13:3:18 | call to params : | ConditionalBypass.rb:6:8:6:12 | check | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:8:7:8:29 | call to authenticate_user! | action | ConditionalBypass.rb:3:13:3:18 | call to params | user-provided value |
|
||||
| ConditionalBypass.rb:14:14:14:27 | ...[...] | ConditionalBypass.rb:14:14:14:19 | call to params : | ConditionalBypass.rb:14:14:14:27 | ...[...] | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:14:5:14:9 | call to login | action | ConditionalBypass.rb:14:14:14:19 | call to params | user-provided value |
|
||||
| ConditionalBypass.rb:27:8:27:8 | p | ConditionalBypass.rb:25:10:25:15 | call to params : | ConditionalBypass.rb:27:8:27:8 | p | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:28:7:28:13 | call to verify! | action | ConditionalBypass.rb:25:10:25:15 | call to params | user-provided value |
|
||||
| ConditionalBypass.rb:6:8:6:12 | check | ConditionalBypass.rb:3:13:3:18 | call to params | ConditionalBypass.rb:6:8:6:12 | check | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:8:7:8:29 | call to authenticate_user! | action | ConditionalBypass.rb:3:13:3:18 | call to params | user-provided value |
|
||||
| ConditionalBypass.rb:14:14:14:27 | ...[...] | ConditionalBypass.rb:14:14:14:19 | call to params | ConditionalBypass.rb:14:14:14:27 | ...[...] | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:14:5:14:9 | call to login | action | ConditionalBypass.rb:14:14:14:19 | call to params | user-provided value |
|
||||
| ConditionalBypass.rb:27:8:27:8 | p | ConditionalBypass.rb:25:10:25:15 | call to params | ConditionalBypass.rb:27:8:27:8 | p | This condition guards a sensitive $@, but a $@ controls it. | ConditionalBypass.rb:28:7:28:13 | call to verify! | action | ConditionalBypass.rb:25:10:25:15 | call to params | user-provided value |
|
||||
|
||||
@@ -1,16 +1,16 @@
|
||||
failures
|
||||
edges
|
||||
| insecure_download.rb:31:5:31:7 | url : | insecure_download.rb:33:15:33:17 | url |
|
||||
| insecure_download.rb:31:5:31:7 | url : | insecure_download.rb:33:15:33:17 | url |
|
||||
| insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" : | insecure_download.rb:31:5:31:7 | url : |
|
||||
| insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" : | insecure_download.rb:31:5:31:7 | url : |
|
||||
| insecure_download.rb:31:5:31:7 | url | insecure_download.rb:33:15:33:17 | url |
|
||||
| insecure_download.rb:31:5:31:7 | url | insecure_download.rb:33:15:33:17 | url |
|
||||
| insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" | insecure_download.rb:31:5:31:7 | url |
|
||||
| insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" | insecure_download.rb:31:5:31:7 | url |
|
||||
nodes
|
||||
| insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | semmle.label | "http://example.org/unsafe.APK" |
|
||||
| insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | semmle.label | "http://example.org/unsafe.APK" |
|
||||
| insecure_download.rb:31:5:31:7 | url : | semmle.label | url : |
|
||||
| insecure_download.rb:31:5:31:7 | url : | semmle.label | url : |
|
||||
| insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" : | semmle.label | "http://example.org/unsafe.APK" : |
|
||||
| insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" : | semmle.label | "http://example.org/unsafe.APK" : |
|
||||
| insecure_download.rb:31:5:31:7 | url | semmle.label | url |
|
||||
| insecure_download.rb:31:5:31:7 | url | semmle.label | url |
|
||||
| insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" | semmle.label | "http://example.org/unsafe.APK" |
|
||||
| insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" | semmle.label | "http://example.org/unsafe.APK" |
|
||||
| insecure_download.rb:33:15:33:17 | url | semmle.label | url |
|
||||
| insecure_download.rb:33:15:33:17 | url | semmle.label | url |
|
||||
| insecure_download.rb:37:42:37:68 | "http://example.org/unsafe" | semmle.label | "http://example.org/unsafe" |
|
||||
@@ -21,8 +21,8 @@ subpaths
|
||||
#select
|
||||
| insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | $@ | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | "http://example.org/unsafe.APK" |
|
||||
| insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | $@ | insecure_download.rb:27:15:27:45 | "http://example.org/unsafe.APK" | "http://example.org/unsafe.APK" |
|
||||
| insecure_download.rb:33:15:33:17 | url | insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" : | insecure_download.rb:33:15:33:17 | url | $@ | insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" : | "http://example.org/unsafe.APK" : |
|
||||
| insecure_download.rb:33:15:33:17 | url | insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" : | insecure_download.rb:33:15:33:17 | url | $@ | insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" : | "http://example.org/unsafe.APK" : |
|
||||
| insecure_download.rb:33:15:33:17 | url | insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" | insecure_download.rb:33:15:33:17 | url | $@ | insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" | "http://example.org/unsafe.APK" |
|
||||
| insecure_download.rb:33:15:33:17 | url | insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" | insecure_download.rb:33:15:33:17 | url | $@ | insecure_download.rb:31:11:31:41 | "http://example.org/unsafe.APK" | "http://example.org/unsafe.APK" |
|
||||
| insecure_download.rb:33:15:33:17 | url | insecure_download.rb:33:15:33:17 | url | insecure_download.rb:33:15:33:17 | url | $@ | insecure_download.rb:33:15:33:17 | url | url |
|
||||
| insecure_download.rb:33:15:33:17 | url | insecure_download.rb:33:15:33:17 | url | insecure_download.rb:33:15:33:17 | url | $@ | insecure_download.rb:33:15:33:17 | url | url |
|
||||
| insecure_download.rb:37:42:37:68 | "http://example.org/unsafe" | insecure_download.rb:37:42:37:68 | "http://example.org/unsafe" | insecure_download.rb:37:42:37:68 | "http://example.org/unsafe" | $@ | insecure_download.rb:37:42:37:68 | "http://example.org/unsafe" | "http://example.org/unsafe" |
|
||||
|
||||
@@ -1,18 +1,18 @@
|
||||
edges
|
||||
| http_to_file_access.rb:3:1:3:4 | resp : | http_to_file_access.rb:5:12:5:15 | resp |
|
||||
| http_to_file_access.rb:3:8:3:52 | call to body : | http_to_file_access.rb:3:1:3:4 | resp : |
|
||||
| http_to_file_access.rb:9:7:9:12 | script : | http_to_file_access.rb:11:18:11:23 | script |
|
||||
| http_to_file_access.rb:9:16:9:21 | call to params : | http_to_file_access.rb:9:16:9:30 | ...[...] : |
|
||||
| http_to_file_access.rb:9:16:9:30 | ...[...] : | http_to_file_access.rb:9:7:9:12 | script : |
|
||||
| http_to_file_access.rb:3:1:3:4 | resp | http_to_file_access.rb:5:12:5:15 | resp |
|
||||
| http_to_file_access.rb:3:8:3:52 | call to body | http_to_file_access.rb:3:1:3:4 | resp |
|
||||
| http_to_file_access.rb:9:7:9:12 | script | http_to_file_access.rb:11:18:11:23 | script |
|
||||
| http_to_file_access.rb:9:16:9:21 | call to params | http_to_file_access.rb:9:16:9:30 | ...[...] |
|
||||
| http_to_file_access.rb:9:16:9:30 | ...[...] | http_to_file_access.rb:9:7:9:12 | script |
|
||||
nodes
|
||||
| http_to_file_access.rb:3:1:3:4 | resp : | semmle.label | resp : |
|
||||
| http_to_file_access.rb:3:8:3:52 | call to body : | semmle.label | call to body : |
|
||||
| http_to_file_access.rb:3:1:3:4 | resp | semmle.label | resp |
|
||||
| http_to_file_access.rb:3:8:3:52 | call to body | semmle.label | call to body |
|
||||
| http_to_file_access.rb:5:12:5:15 | resp | semmle.label | resp |
|
||||
| http_to_file_access.rb:9:7:9:12 | script : | semmle.label | script : |
|
||||
| http_to_file_access.rb:9:16:9:21 | call to params : | semmle.label | call to params : |
|
||||
| http_to_file_access.rb:9:16:9:30 | ...[...] : | semmle.label | ...[...] : |
|
||||
| http_to_file_access.rb:9:7:9:12 | script | semmle.label | script |
|
||||
| http_to_file_access.rb:9:16:9:21 | call to params | semmle.label | call to params |
|
||||
| http_to_file_access.rb:9:16:9:30 | ...[...] | semmle.label | ...[...] |
|
||||
| http_to_file_access.rb:11:18:11:23 | script | semmle.label | script |
|
||||
subpaths
|
||||
#select
|
||||
| http_to_file_access.rb:5:12:5:15 | resp | http_to_file_access.rb:3:8:3:52 | call to body : | http_to_file_access.rb:5:12:5:15 | resp | Write to file system depends on $@. | http_to_file_access.rb:3:8:3:52 | call to body | untrusted data |
|
||||
| http_to_file_access.rb:11:18:11:23 | script | http_to_file_access.rb:9:16:9:21 | call to params : | http_to_file_access.rb:11:18:11:23 | script | Write to file system depends on $@. | http_to_file_access.rb:9:16:9:21 | call to params | untrusted data |
|
||||
| http_to_file_access.rb:5:12:5:15 | resp | http_to_file_access.rb:3:8:3:52 | call to body | http_to_file_access.rb:5:12:5:15 | resp | Write to file system depends on $@. | http_to_file_access.rb:3:8:3:52 | call to body | untrusted data |
|
||||
| http_to_file_access.rb:11:18:11:23 | script | http_to_file_access.rb:9:16:9:21 | call to params | http_to_file_access.rb:11:18:11:23 | script | Write to file system depends on $@. | http_to_file_access.rb:9:16:9:21 | call to params | untrusted data |
|
||||
|
||||
@@ -1,20 +1,20 @@
|
||||
edges
|
||||
| ServerSideRequestForgery.rb:10:9:10:28 | users_service_domain : | ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" |
|
||||
| ServerSideRequestForgery.rb:10:32:10:37 | call to params : | ServerSideRequestForgery.rb:10:32:10:60 | ...[...] : |
|
||||
| ServerSideRequestForgery.rb:10:32:10:60 | ...[...] : | ServerSideRequestForgery.rb:10:9:10:28 | users_service_domain : |
|
||||
| ServerSideRequestForgery.rb:15:33:15:38 | call to params : | ServerSideRequestForgery.rb:15:33:15:44 | ...[...] |
|
||||
| ServerSideRequestForgery.rb:20:45:20:50 | call to params : | ServerSideRequestForgery.rb:20:45:20:56 | ...[...] |
|
||||
| ServerSideRequestForgery.rb:10:9:10:28 | users_service_domain | ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" |
|
||||
| ServerSideRequestForgery.rb:10:32:10:37 | call to params | ServerSideRequestForgery.rb:10:32:10:60 | ...[...] |
|
||||
| ServerSideRequestForgery.rb:10:32:10:60 | ...[...] | ServerSideRequestForgery.rb:10:9:10:28 | users_service_domain |
|
||||
| ServerSideRequestForgery.rb:15:33:15:38 | call to params | ServerSideRequestForgery.rb:15:33:15:44 | ...[...] |
|
||||
| ServerSideRequestForgery.rb:20:45:20:50 | call to params | ServerSideRequestForgery.rb:20:45:20:56 | ...[...] |
|
||||
nodes
|
||||
| ServerSideRequestForgery.rb:10:9:10:28 | users_service_domain : | semmle.label | users_service_domain : |
|
||||
| ServerSideRequestForgery.rb:10:32:10:37 | call to params : | semmle.label | call to params : |
|
||||
| ServerSideRequestForgery.rb:10:32:10:60 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ServerSideRequestForgery.rb:10:9:10:28 | users_service_domain | semmle.label | users_service_domain |
|
||||
| ServerSideRequestForgery.rb:10:32:10:37 | call to params | semmle.label | call to params |
|
||||
| ServerSideRequestForgery.rb:10:32:10:60 | ...[...] | semmle.label | ...[...] |
|
||||
| ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | semmle.label | "#{...}/logins" |
|
||||
| ServerSideRequestForgery.rb:15:33:15:38 | call to params : | semmle.label | call to params : |
|
||||
| ServerSideRequestForgery.rb:15:33:15:38 | call to params | semmle.label | call to params |
|
||||
| ServerSideRequestForgery.rb:15:33:15:44 | ...[...] | semmle.label | ...[...] |
|
||||
| ServerSideRequestForgery.rb:20:45:20:50 | call to params : | semmle.label | call to params : |
|
||||
| ServerSideRequestForgery.rb:20:45:20:50 | call to params | semmle.label | call to params |
|
||||
| ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | semmle.label | ...[...] |
|
||||
subpaths
|
||||
#select
|
||||
| ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | ServerSideRequestForgery.rb:10:32:10:37 | call to params : | ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:10:32:10:37 | call to params | user-provided value |
|
||||
| ServerSideRequestForgery.rb:15:33:15:44 | ...[...] | ServerSideRequestForgery.rb:15:33:15:38 | call to params : | ServerSideRequestForgery.rb:15:33:15:44 | ...[...] | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:15:33:15:38 | call to params | user-provided value |
|
||||
| ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | ServerSideRequestForgery.rb:20:45:20:50 | call to params : | ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:20:45:20:50 | call to params | user-provided value |
|
||||
| ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | ServerSideRequestForgery.rb:10:32:10:37 | call to params | ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:10:32:10:37 | call to params | user-provided value |
|
||||
| ServerSideRequestForgery.rb:15:33:15:44 | ...[...] | ServerSideRequestForgery.rb:15:33:15:38 | call to params | ServerSideRequestForgery.rb:15:33:15:44 | ...[...] | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:15:33:15:38 | call to params | user-provided value |
|
||||
| ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | ServerSideRequestForgery.rb:20:45:20:50 | call to params | ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:20:45:20:50 | call to params | user-provided value |
|
||||
|
||||
@@ -1,16 +1,16 @@
|
||||
edges
|
||||
| decompression_api.rb:4:9:4:12 | path : | decompression_api.rb:5:31:5:34 | path |
|
||||
| decompression_api.rb:4:16:4:21 | call to params : | decompression_api.rb:4:16:4:28 | ...[...] : |
|
||||
| decompression_api.rb:4:16:4:28 | ...[...] : | decompression_api.rb:4:9:4:12 | path : |
|
||||
| decompression_api.rb:15:31:15:36 | call to params : | decompression_api.rb:15:31:15:43 | ...[...] |
|
||||
| decompression_api.rb:4:9:4:12 | path | decompression_api.rb:5:31:5:34 | path |
|
||||
| decompression_api.rb:4:16:4:21 | call to params | decompression_api.rb:4:16:4:28 | ...[...] |
|
||||
| decompression_api.rb:4:16:4:28 | ...[...] | decompression_api.rb:4:9:4:12 | path |
|
||||
| decompression_api.rb:15:31:15:36 | call to params | decompression_api.rb:15:31:15:43 | ...[...] |
|
||||
nodes
|
||||
| decompression_api.rb:4:9:4:12 | path : | semmle.label | path : |
|
||||
| decompression_api.rb:4:16:4:21 | call to params : | semmle.label | call to params : |
|
||||
| decompression_api.rb:4:16:4:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| decompression_api.rb:4:9:4:12 | path | semmle.label | path |
|
||||
| decompression_api.rb:4:16:4:21 | call to params | semmle.label | call to params |
|
||||
| decompression_api.rb:4:16:4:28 | ...[...] | semmle.label | ...[...] |
|
||||
| decompression_api.rb:5:31:5:34 | path | semmle.label | path |
|
||||
| decompression_api.rb:15:31:15:36 | call to params : | semmle.label | call to params : |
|
||||
| decompression_api.rb:15:31:15:36 | call to params | semmle.label | call to params |
|
||||
| decompression_api.rb:15:31:15:43 | ...[...] | semmle.label | ...[...] |
|
||||
subpaths
|
||||
#select
|
||||
| decompression_api.rb:5:31:5:34 | path | decompression_api.rb:4:16:4:21 | call to params : | decompression_api.rb:5:31:5:34 | path | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | decompression_api.rb:5:9:5:35 | call to inflate | inflate |
|
||||
| decompression_api.rb:15:31:15:43 | ...[...] | decompression_api.rb:15:31:15:36 | call to params : | decompression_api.rb:15:31:15:43 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | decompression_api.rb:15:9:15:44 | call to open_buffer | open_buffer |
|
||||
| decompression_api.rb:5:31:5:34 | path | decompression_api.rb:4:16:4:21 | call to params | decompression_api.rb:5:31:5:34 | path | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | decompression_api.rb:5:9:5:35 | call to inflate | inflate |
|
||||
| decompression_api.rb:15:31:15:43 | ...[...] | decompression_api.rb:15:31:15:36 | call to params | decompression_api.rb:15:31:15:43 | ...[...] | This call to $@ is unsafe because user-controlled data is used to set the object being decompressed, which could lead to a denial of service attack or malicious code extracted from an unknown source. | decompression_api.rb:15:9:15:44 | call to open_buffer | open_buffer |
|
||||
|
||||