From 1d7a39a093a748276b454645ecd8be7703ed97d6 Mon Sep 17 00:00:00 2001 From: Owen Mansel-Chan Date: Tue, 17 Feb 2026 12:58:38 +0000 Subject: [PATCH] Change how sql-injection barriers are accepted --- ruby/ql/lib/codeql/ruby/Concepts.qll | 5 +++++ .../lib/codeql/ruby/security/SqlInjectionCustomizations.qll | 4 ---- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/ruby/ql/lib/codeql/ruby/Concepts.qll b/ruby/ql/lib/codeql/ruby/Concepts.qll index 2ddcb433e1b..642a2fd0b1b 100644 --- a/ruby/ql/lib/codeql/ruby/Concepts.qll +++ b/ruby/ql/lib/codeql/ruby/Concepts.qll @@ -9,6 +9,7 @@ private import codeql.ruby.CFG private import codeql.ruby.DataFlow private import codeql.ruby.dataflow.internal.DataFlowImplSpecific private import codeql.ruby.Frameworks +private import codeql.ruby.frameworks.data.internal.ApiGraphModels private import codeql.ruby.dataflow.RemoteFlowSources private import codeql.ruby.ApiGraphs private import codeql.ruby.Regexp as RE @@ -95,6 +96,10 @@ module SqlSanitization { abstract class Range extends DataFlow::Node { } } +private class ExternalSqlInjectionSanitizer extends SqlSanitization::Range { + ExternalSqlInjectionSanitizer() { ModelOutput::barrierNode(this, "sql-injection") } +} + /** * A data-flow node that executes a regular expression. * diff --git a/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll b/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll index 7d6f16731a5..1bf14dc3b28 100644 --- a/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll +++ b/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll @@ -61,8 +61,4 @@ module SqlInjection { private class ExternalSqlInjectionSink extends Sink { ExternalSqlInjectionSink() { ModelOutput::sinkNode(this, "sql-injection") } } - - private class ExternalSqlInjectionSanitizer extends Sanitizer { - ExternalSqlInjectionSanitizer() { ModelOutput::barrierNode(this, "sql-injection") } - } }