Add mass assignment query

2026-04-24 16:25:15 +02:00 · 2024-03-20 10:24:23 +00:00
parent 1785086ccb
commit 0f45a53adc
2 changed files with 122 additions and 0 deletions
--- a/ruby/ql/src/queries/security/cwe-915/MassAssignment.ql
+++ b/ruby/ql/src/queries/security/cwe-915/MassAssignment.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Insecure Mass Assignment
+ * @description Using mass assignment with user-controlled keys allows unintended parameters to be set.
+ * @kind path-problem
+ * @problem.severity error
+ * @security-severity 7.5
+ * @precision high
+ * @id ruby/insecure-mass-assignment
+ * @tags security
+ *       external/cwe/cwe-915
+ */
+
+import codeql.ruby.security.MassAssignmentQuery
+import MassAssignmentFlow::PathGraph
+
+from MassAssignmentFlow::PathNode source, MassAssignmentFlow::PathNode sink
+where MassAssignmentFlow::flowPath(source, sink)
+select sink.getNode(), source, sink, "mass assignment"