Tidy up PotentiallyUnsafeSqlExecutingMethodCall characteristic predicate

Co-authored-by: Nick Rolfe <nickrolfe@github.com>
2026-04-27 09:45:15 +02:00 · 2021-06-17 14:39:40 +01:00
parent bf43a77df5
commit 12a0af1d28
1 changed files with 6 additions and 8 deletions
--- a/ql/src/codeql_ruby/frameworks/ActiveRecord.qll
+++ b/ql/src/codeql_ruby/frameworks/ActiveRecord.qll
@@ -53,12 +53,15 @@ class ActiveRecordModelClassMethodCall extends MethodCall {
  }
 }

-private predicate methodCanTakeSqlFragmentAsFirstArg(string methodName) {
+private predicate methodWithSqlFragmentArg(string methodName, int argIndex) {
  methodName =
    [
      "delete_all", "destroy_all", "exists?", "find_by", "find_by_sql", "from", "group", "having",
      "joins", "lock", "not", "order", "pluck", "where"
-    ]
+    ] and
+  argIndex = 0
+  or
+  methodName = "calculate" and argIndex = 1
 }

 class PotentiallyUnsafeSqlExecutingMethodCall extends ActiveRecordModelClassMethodCall {
@@ -73,12 +76,7 @@ class PotentiallyUnsafeSqlExecutingMethodCall extends ActiveRecordModelClassMeth
  PotentiallyUnsafeSqlExecutingMethodCall() {
    methodName = this.getMethodName() and
    sqlFragmentExpr = this.getArgument(sqlFragmentArgumentIndex) and
-    (
-      methodName = "calculate" and sqlFragmentArgumentIndex = 1
-      or
-      sqlFragmentArgumentIndex = 0 and
-      methodCanTakeSqlFragmentAsFirstArg(methodName)
-    ) and
+    methodWithSqlFragmentArg(methodName, sqlFragmentArgumentIndex) and
    (
      // select only literals containing an interpolated value...
      exists(StringInterpolationComponent interpolated |