Ruby: Add flow summaries for ActiveSupport::JSON

2026-04-28 10:15:14 +02:00 · 2022-11-07 12:29:14 +13:00
parent 375403fb9d
commit 0a98559fcb
3 changed files with 53 additions and 0 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll
@@ -374,4 +374,17 @@ module ActiveSupport {
        ]
    }
  }
+
+  /** `ActiveSupport::JSON` */
+  module Json {
+    private class JsonSummary extends ModelInput::SummaryModelCsv {
+      override predicate row(string row) {
+        row =
+          [
+            "activesupport;;Member[ActiveSupport].Member[JSON].Method[encode,dump];Argument[0];ReturnValue;taint",
+            "activesupport;;Member[ActiveSupport].Member[JSON].Method[decode,load];Argument[0];ReturnValue;taint",
+          ]
+      }
+    }
+  }
 }
--- a/ruby/ql/test/library-tests/frameworks/active_support/ActiveSupportDataFlow.expected
+++ b/ruby/ql/test/library-tests/frameworks/active_support/ActiveSupportDataFlow.expected
@@ -189,6 +189,14 @@ edges
 | active_support.rb:303:7:303:16 | call to source :  | active_support.rb:304:19:304:19 | a :  |
 | active_support.rb:304:7:304:19 | call to json_escape :  | active_support.rb:305:8:305:8 | b |
 | active_support.rb:304:19:304:19 | a :  | active_support.rb:304:7:304:19 | call to json_escape :  |
+| active_support.rb:309:9:309:18 | call to source :  | active_support.rb:310:37:310:37 | x :  |
+| active_support.rb:310:37:310:37 | x :  | active_support.rb:310:10:310:38 | call to encode |
+| active_support.rb:314:9:314:18 | call to source :  | active_support.rb:315:37:315:37 | x :  |
+| active_support.rb:315:37:315:37 | x :  | active_support.rb:315:10:315:38 | call to decode |
+| active_support.rb:319:9:319:18 | call to source :  | active_support.rb:320:35:320:35 | x :  |
+| active_support.rb:320:35:320:35 | x :  | active_support.rb:320:10:320:36 | call to dump |
+| active_support.rb:324:9:324:18 | call to source :  | active_support.rb:325:35:325:35 | x :  |
+| active_support.rb:325:35:325:35 | x :  | active_support.rb:325:10:325:36 | call to load |
 | hash_extensions.rb:2:14:2:24 | call to source :  | hash_extensions.rb:3:9:3:9 | h [element :a] :  |
 | hash_extensions.rb:2:14:2:24 | call to source :  | hash_extensions.rb:3:9:3:9 | h [element :a] :  |
 | hash_extensions.rb:3:9:3:9 | h [element :a] :  | hash_extensions.rb:3:9:3:24 | call to stringify_keys [element] :  |
@@ -539,6 +547,18 @@ nodes
 | active_support.rb:304:7:304:19 | call to json_escape :  | semmle.label | call to json_escape :  |
 | active_support.rb:304:19:304:19 | a :  | semmle.label | a :  |
 | active_support.rb:305:8:305:8 | b | semmle.label | b |
+| active_support.rb:309:9:309:18 | call to source :  | semmle.label | call to source :  |
+| active_support.rb:310:10:310:38 | call to encode | semmle.label | call to encode |
+| active_support.rb:310:37:310:37 | x :  | semmle.label | x :  |
+| active_support.rb:314:9:314:18 | call to source :  | semmle.label | call to source :  |
+| active_support.rb:315:10:315:38 | call to decode | semmle.label | call to decode |
+| active_support.rb:315:37:315:37 | x :  | semmle.label | x :  |
+| active_support.rb:319:9:319:18 | call to source :  | semmle.label | call to source :  |
+| active_support.rb:320:10:320:36 | call to dump | semmle.label | call to dump |
+| active_support.rb:320:35:320:35 | x :  | semmle.label | x :  |
+| active_support.rb:324:9:324:18 | call to source :  | semmle.label | call to source :  |
+| active_support.rb:325:10:325:36 | call to load | semmle.label | call to load |
+| active_support.rb:325:35:325:35 | x :  | semmle.label | x :  |
 | hash_extensions.rb:2:14:2:24 | call to source :  | semmle.label | call to source :  |
 | hash_extensions.rb:2:14:2:24 | call to source :  | semmle.label | call to source :  |
 | hash_extensions.rb:3:9:3:9 | h [element :a] :  | semmle.label | h [element :a] :  |
--- a/ruby/ql/test/library-tests/frameworks/active_support/active_support.rb
+++ b/ruby/ql/test/library-tests/frameworks/active_support/active_support.rb
@@ -304,3 +304,23 @@ def m_json_escape
  b = json_escape a
  sink b # $hasTaintFlow=a
 end
+
+def m_json_encode
+    x = source "a"
+    sink ActiveSupport::JSON.encode(x) # $hasTaintFlow=a
+end
+
+def m_json_decode
+    x = source "a"
+    sink ActiveSupport::JSON.decode(x) # $hasTaintFlow=a
+end
+
+def m_json_dump
+    x = source "a"
+    sink ActiveSupport::JSON.dump(x) # $hasTaintFlow=a
+end
+
+def m_json_load
+    x = source "a"
+    sink ActiveSupport::JSON.load(x) # $hasTaintFlow=a
+end