remove parameters named "code" as source

2026-04-29 10:45:15 +02:00 · 2022-10-18 12:35:30 +02:00
parent e7c6571f52
commit 2033dd2dcc
2 changed files with 8 additions and 1 deletions
--- a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll
@@ -19,7 +19,10 @@ module UnsafeCodeConstruction {

  /** An input parameter to a gem seen as a source. */
  private class LibraryInputAsSource extends Source instanceof DataFlow::ParameterNode {
-    LibraryInputAsSource() { this = Gem::getALibraryInput() }
+    LibraryInputAsSource() {
+      this = Gem::getALibraryInput() and
+      not this.getName() = "code"
+    }
  }

  /** A sink for code constructed from library input vulnerabilities. */
--- a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb
+++ b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb
@@ -20,4 +20,8 @@ class Foobar
  def send_stuff(x)
    foo.send("foo_#{x}") # OK - attacker cannot control entire string.
  end
+
+  def named_code(code)
+    foo.send("def \n #{code} \n end") # OK - parameter is named code
+  end
 end