Ruby: Make HttpToFileAccess more specific

Only consider sources from HTTP requests, rather than any remote flow source.
2026-04-30 11:15:13 +02:00 · 2022-02-25 11:36:46 +13:00
parent fac17384c3
commit 130d93dded
2 changed files with 24 additions and 3 deletions
--- a/ruby/ql/lib/codeql/ruby/Concepts.qll
+++ b/ruby/ql/lib/codeql/ruby/Concepts.qll
@@ -298,6 +298,11 @@ module HTTP {
     * extend `RequestInputAccess::Range` instead.
     */
    class RequestInputAccess extends DataFlow::Node instanceof RequestInputAccess::Range {
+      /**
+       * Gets a string that describes the type of this input.
+       *
+       *  This is typically the name of the method that gives rise to this input.
+       */
      string getSourceType() { result = super.getSourceType() }
    }

@@ -310,6 +315,11 @@ module HTTP {
       * extend `RequestInputAccess` instead.
       */
      abstract class Range extends DataFlow::Node {
+        /**
+         * Gets a string that describes the type of this input.
+         *
+         *  This is typically the name of the method that gives rise to this input.
+         */
        abstract string getSourceType();
      }
    }
--- a/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/HttpToFileAccessCustomizations.qll
@@ -9,6 +9,11 @@ import codeql.ruby.DataFlow
 import codeql.ruby.dataflow.RemoteFlowSources
 import codeql.ruby.Concepts

+/**
+ * Provides default sources, sinks and sanitizers for reasoning about
+ * writing user-controlled data to files, as well as extension points
+ * for adding your own.
+ */
 module HttpToFileAccess {
  /**
   * A data flow source for writing user-controlled data to files.
@@ -25,9 +30,15 @@ module HttpToFileAccess {
   */
  abstract class Sanitizer extends DataFlow::Node { }

-  /** A source of remote user input, considered as a flow source for writing user-controlled data to files. */
-  class RemoteFlowSourceAsSource extends Source {
-    RemoteFlowSourceAsSource() { this instanceof RemoteFlowSource }
+  /**
+   * An access to a user-controlled HTTP request input, considered as a flow source for writing user-controlled data to files
+   */
+  private class RequestInputAccessAsSource extends Source instanceof HTTP::Server::RequestInputAccess {
+  }
+
+  /** A response from an outgoing HTTP request, considered as a flow source for writing user-controlled data to files. */
+  private class HttpResponseAsSource extends Source {
+    HttpResponseAsSource() { this = any(HTTP::Client::Request r).getResponseBody() }
  }

  /** A sink that represents file access method (write, append) argument */