Ruby: address QL4QL alerts for rb/sensitive-get-query

Alex Ford
2022-09-12 08:52:44 +01:00
parent f84035a65c
commit 0da367f6e5
3 changed files with 7 additions and 7 deletions


@@ -86,7 +86,7 @@ private class GraphqlSchemaResolverClass extends ClassDeclaration {
}
/** Gets an HTTP method that is supported for querying a GraphQL server. */
private string getASupportedHTTPMethod() { result = ["get", "post"] }
private string getASupportedHttpMethod() { result = ["get", "post"] }
/**
* A `ClassDeclaration` for a class that extends `GraphQL::Schema::Object`.
@@ -176,7 +176,7 @@ class GraphqlResolveMethod extends Method, HTTP::Server::RequestHandler::Range {
override string getFramework() { result = "GraphQL" }
override string getAnHttpMethod() { result = getASupportedHTTPMethod() }
override string getAnHttpMethod() { result = getASupportedHttpMethod() }
/** Gets the mutation class containing this method. */
GraphqlResolvableClass getMutationClass() { result = resolvableClass }
@@ -225,7 +225,7 @@ class GraphqlLoadMethod extends Method, HTTP::Server::RequestHandler::Range {
override string getFramework() { result = "GraphQL" }
override string getAnHttpMethod() { result = getASupportedHTTPMethod() }
override string getAnHttpMethod() { result = getASupportedHttpMethod() }
/** Gets the mutation class containing this method. */
GraphqlResolvableClass getMutationClass() { result = resolvableClass }
@@ -396,7 +396,7 @@ class GraphqlFieldResolutionMethod extends Method, HTTP::Server::RequestHandler:
override string getFramework() { result = "GraphQL" }
override string getAnHttpMethod() { result = getASupportedHTTPMethod() }
override string getAnHttpMethod() { result = getASupportedHttpMethod() }
/** Gets the class containing this method. */
GraphqlSchemaObjectClass getGraphqlClass() { result = schemaObjectClass }


@@ -41,4 +41,4 @@ where
sensitive.asExpr().getExpr() instanceof SensitiveExpr and
localFlowWithElementReference(input, sensitive)
select input, "$@ for GET requests uses query parameter as sensitive data.", handler,
"Request handler"
"Route handler"
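Review bot: The link text `"Route handler"` at the end of the select may mislabel results whose handler is not a route; I am reading the second of the two printed lines as the new side, since the +/- markers are lost on this page. The GraphQL model in this same commit declares its resolve, load and field-resolution methods as `HTTP::Server::RequestHandler::Range` with `"get"` as a supported method, so if `handler` ranges over request handlers in general, a resolver method would be reported as a route. If the wording is fixed by an alert-message convention, a comment above the select such as `// link text follows the shared alert wording; handler may also be a GraphQL resolver` would record that for whoever triages the alert. The from and where clauses start outside the hunk, so the type of `handler` is not visible here.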


@@ -1,2 +1,2 @@
| app/controllers/users_controller.rb:4:16:4:21 | call to params | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:3:3:6:5 | login_get | Request handler |
| app/controllers/users_controller.rb:5:23:5:28 | call to params | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:3:3:6:5 | login_get | Request handler |
| app/controllers/users_controller.rb:4:16:4:21 | call to params | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:3:3:6:5 | login_get | Route handler |
| app/controllers/users_controller.rb:5:23:5:28 | call to params | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:3:3:6:5 | login_get | Route handler |