Ruby: Handle unknown content in splat flow

Harry Maclean
2023-08-09 14:51:29 +01:00
parent 4239268efd
commit 142393b599
3 changed files with 22 additions and 3 deletions


@@ -812,7 +812,11 @@ private module ParameterNodes {
ParameterNode getAParameter(ContentSet c) {
exists(int n |
isParameterNode(result, callable, (any(ParameterPosition p | p.isPositional(n)))) and
c = getPositionalContent(n)
(
c = getPositionalContent(n)
or
c.isSingleton(TUnknownElementContent())
)
)
}
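Review bot: The new `or c.isSingleton(TUnknownElementContent())` disjunct in `getAParameter` carries no comment saying that it is a deliberate over-approximation. As written, an element stored at an unknown index of the splatted array matches every positional parameter `n`, which the updated expected output confirms (the single `taint(61)` source reaches both `p1` and `p2`). I would add a comment above the parenthesised disjunction such as `// An element at an unknown index of the splat argument may end up in any positional parameter, so it is matched against every n.`, so that maintainers of taint queries know why extra paths appear. From the hunk alone it is not clear whether the unknown-content branch also applies to parameters already bound by explicit arguments before the splat; if it does, restricting it to positions at or after the splat would reduce false positives. The enclosing class or module of this predicate starts outside the hunk.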


@@ -98,6 +98,11 @@ edges
| params_flow.rb:108:44:108:44 | c | params_flow.rb:111:10:111:10 | c |
| params_flow.rb:114:33:114:41 | call to taint | params_flow.rb:108:37:108:37 | a |
| params_flow.rb:114:58:114:66 | call to taint | params_flow.rb:108:44:108:44 | c |
| params_flow.rb:117:1:117:1 | [post] x [element] | params_flow.rb:118:13:118:13 | x [element] |
| params_flow.rb:117:19:117:27 | call to taint | params_flow.rb:117:1:117:1 | [post] x [element] |
| params_flow.rb:118:12:118:13 | * ... [element] | params_flow.rb:9:16:9:17 | p1 |
| params_flow.rb:118:12:118:13 | * ... [element] | params_flow.rb:9:20:9:21 | p2 |
| params_flow.rb:118:13:118:13 | x [element] | params_flow.rb:118:12:118:13 | * ... [element] |
nodes
| params_flow.rb:9:16:9:17 | p1 | semmle.label | p1 |
| params_flow.rb:9:20:9:21 | p2 | semmle.label | p2 |
@@ -217,13 +222,19 @@ nodes
| params_flow.rb:111:10:111:10 | c | semmle.label | c |
| params_flow.rb:114:33:114:41 | call to taint | semmle.label | call to taint |
| params_flow.rb:114:58:114:66 | call to taint | semmle.label | call to taint |
| params_flow.rb:117:1:117:1 | [post] x [element] | semmle.label | [post] x [element] |
| params_flow.rb:117:19:117:27 | call to taint | semmle.label | call to taint |
| params_flow.rb:118:12:118:13 | * ... [element] | semmle.label | * ... [element] |
| params_flow.rb:118:13:118:13 | x [element] | semmle.label | x [element] |
subpaths
#select
| params_flow.rb:10:10:10:11 | p1 | params_flow.rb:14:12:14:19 | call to taint | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:14:12:14:19 | call to taint | call to taint |
| params_flow.rb:10:10:10:11 | p1 | params_flow.rb:44:12:44:20 | call to taint | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:44:12:44:20 | call to taint | call to taint |
| params_flow.rb:10:10:10:11 | p1 | params_flow.rb:46:9:46:17 | call to taint | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:46:9:46:17 | call to taint | call to taint |
| params_flow.rb:10:10:10:11 | p1 | params_flow.rb:117:19:117:27 | call to taint | params_flow.rb:10:10:10:11 | p1 | $@ | params_flow.rb:117:19:117:27 | call to taint | call to taint |
| params_flow.rb:11:10:11:11 | p2 | params_flow.rb:14:22:14:29 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:14:22:14:29 | call to taint | call to taint |
| params_flow.rb:11:10:11:11 | p2 | params_flow.rb:46:20:46:28 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:46:20:46:28 | call to taint | call to taint |
| params_flow.rb:11:10:11:11 | p2 | params_flow.rb:117:19:117:27 | call to taint | params_flow.rb:11:10:11:11 | p2 | $@ | params_flow.rb:117:19:117:27 | call to taint | call to taint |
| params_flow.rb:17:10:17:11 | p1 | params_flow.rb:21:13:21:20 | call to taint | params_flow.rb:17:10:17:11 | p1 | $@ | params_flow.rb:21:13:21:20 | call to taint | call to taint |
| params_flow.rb:17:10:17:11 | p1 | params_flow.rb:22:27:22:34 | call to taint | params_flow.rb:17:10:17:11 | p1 | $@ | params_flow.rb:22:27:22:34 | call to taint | call to taint |
| params_flow.rb:17:10:17:11 | p1 | params_flow.rb:23:33:23:40 | call to taint | params_flow.rb:17:10:17:11 | p1 | $@ | params_flow.rb:23:33:23:40 | call to taint | call to taint |


@@ -7,8 +7,8 @@ def sink x
end
def positional(p1, p2)
sink p1 # $ hasValueFlow=1 $ hasValueFlow=16 $ hasValueFlow=18
sink p2 # $ hasValueFlow=2 $ hasValueFlow=19 $ MISSING: hasValueFlow=17
sink p1 # $ hasValueFlow=1 $ hasValueFlow=16 $ hasValueFlow=18 $ hasValueFlow=61
sink p2 # $ hasValueFlow=2 $ hasValueFlow=19 $ hasValueFlow=61 $ MISSING: hasValueFlow=17
end
positional(taint(1), taint(2))
@@ -112,3 +112,7 @@ def splat_followed_by_keyword_param(a, *b, c:)
end
splat_followed_by_keyword_param(taint(58), taint(59), c: taint(60))
x = []
x[some_index()] = taint(61)
positional(*x)
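Review bot: The added case at `positional(*x)` only exercises a splat that is the sole argument and whose array has a single write at an unknown index, so it pins down the recall gain but not the precision cost. The visible hunks contain no case where an explicit argument precedes the splat, for example `positional(taint(62), *x)` (value constructed here for illustration), which would show whether unknown-element content is also reported at `p1` even though `p1` is bound by the explicit argument. A second case that mixes a known index (`x[0] = ...`) with the unknown-index write would document how the two kinds of content interact. If either produces spurious flow, annotating it with `SPURIOUS:` in the same style as the existing `MISSING:` marker keeps the known imprecision visible to anyone triaging query results.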