mirror of
https://github.com/github/codeql.git
synced 2026-05-04 21:25:44 +02:00
Merge branch 'main' into expand-ruby-ssrf-sinks-faraday-connection-new
This commit is contained in:
thiggy1342
@@ -9,5 +9,5 @@ nodes
|
||||
| KernelOpen.rb:5:13:5:16 | file | semmle.label | file |
|
||||
subpaths
|
||||
#select
|
||||
| KernelOpen.rb:4:10:4:13 | file | KernelOpen.rb:3:12:3:17 | call to params : | KernelOpen.rb:4:10:4:13 | file | This call to Kernel.open depends on a $@. Replace it with File.open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:5:13:5:16 | file | KernelOpen.rb:3:12:3:17 | call to params : | KernelOpen.rb:5:13:5:16 | file | This call to IO.read depends on a $@. Replace it with File.read. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:4:10:4:13 | file | KernelOpen.rb:3:12:3:17 | call to params : | KernelOpen.rb:4:10:4:13 | file | This call to Kernel.open depends on a $@. Consider replacing it with File.open. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| KernelOpen.rb:5:13:5:16 | file | KernelOpen.rb:3:12:3:17 | call to params : | KernelOpen.rb:5:13:5:16 | file | This call to IO.read depends on a $@. Consider replacing it with File.read. | KernelOpen.rb:3:12:3:17 | call to params | user-provided value |
|
||||
@@ -0,0 +1,4 @@
|
||||
| NonConstantKernelOpen.rb:4:5:4:14 | call to open | Call to Kernel.open with a non-constant value. Consider replacing it with File.open. |
|
||||
| NonConstantKernelOpen.rb:5:5:5:17 | call to read | Call to IO.read with a non-constant value. Consider replacing it with File.read. |
|
||||
| NonConstantKernelOpen.rb:9:5:9:21 | call to open | Call to Kernel.open with a non-constant value. Consider replacing it with File.open. |
|
||||
| NonConstantKernelOpen.rb:19:5:19:33 | call to open | Call to Kernel.open with a non-constant value. Consider replacing it with File.open. |
|
||||
@@ -0,0 +1 @@
|
||||
queries/security/cwe-078/NonConstantKernelOpen.ql
|
||||
@@ -0,0 +1,23 @@
|
||||
class UsersController < ActionController::Base
|
||||
def create
|
||||
file = params[:file]
|
||||
open(file) # BAD
|
||||
IO.read(file) # BAD
|
||||
|
||||
File.open(file).read # GOOD
|
||||
|
||||
Kernel.open(file) # BAD
|
||||
|
||||
File.open(file, "r") # GOOD
|
||||
|
||||
Kernel.open("constant") # GOOD
|
||||
|
||||
IO.read("constant") # GOOD
|
||||
|
||||
Kernel.open("this is #{fine}") # GOOD
|
||||
|
||||
Kernel.open("#{this_is} bad") # BAD
|
||||
|
||||
open("| #{this_is_an_explicit_command} foo bar") # GOOD
|
||||
end
|
||||
end
|
||||
@@ -10,13 +10,17 @@ edges
|
||||
| app/controllers/foo/bars_controller.rb:17:21:17:36 | ...[...] : | app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website |
|
||||
| app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params : | app/controllers/foo/bars_controller.rb:18:10:18:22 | ...[...] : |
|
||||
| app/controllers/foo/bars_controller.rb:18:10:18:22 | ...[...] : | app/controllers/foo/bars_controller.rb:19:22:19:23 | dt : |
|
||||
| app/controllers/foo/bars_controller.rb:18:10:18:22 | ...[...] : | app/controllers/foo/bars_controller.rb:23:53:23:54 | dt : |
|
||||
| app/controllers/foo/bars_controller.rb:18:10:18:22 | ...[...] : | app/controllers/foo/bars_controller.rb:26:53:26:54 | dt : |
|
||||
| app/controllers/foo/bars_controller.rb:19:22:19:23 | dt : | app/views/foo/bars/show.html.erb:41:3:41:16 | @instance_text |
|
||||
| app/controllers/foo/bars_controller.rb:23:53:23:54 | dt : | app/views/foo/bars/show.html.erb:5:9:5:20 | call to display_text |
|
||||
| app/controllers/foo/bars_controller.rb:23:53:23:54 | dt : | app/views/foo/bars/show.html.erb:8:9:8:36 | ...[...] |
|
||||
| app/controllers/foo/bars_controller.rb:23:53:23:54 | dt : | app/views/foo/bars/show.html.erb:12:9:12:26 | ...[...] |
|
||||
| app/controllers/foo/bars_controller.rb:23:53:23:54 | dt : | app/views/foo/bars/show.html.erb:36:3:36:14 | call to display_text |
|
||||
| app/controllers/foo/bars_controller.rb:23:53:23:54 | dt : | app/views/foo/bars/show.html.erb:44:76:44:87 | call to display_text : |
|
||||
| app/controllers/foo/bars_controller.rb:24:39:24:44 | call to params : | app/controllers/foo/bars_controller.rb:24:39:24:59 | ...[...] : |
|
||||
| app/controllers/foo/bars_controller.rb:24:39:24:59 | ...[...] : | app/controllers/foo/bars_controller.rb:24:39:24:59 | ... = ... |
|
||||
| app/controllers/foo/bars_controller.rb:26:53:26:54 | dt : | app/views/foo/bars/show.html.erb:5:9:5:20 | call to display_text |
|
||||
| app/controllers/foo/bars_controller.rb:26:53:26:54 | dt : | app/views/foo/bars/show.html.erb:8:9:8:36 | ...[...] |
|
||||
| app/controllers/foo/bars_controller.rb:26:53:26:54 | dt : | app/views/foo/bars/show.html.erb:12:9:12:26 | ...[...] |
|
||||
| app/controllers/foo/bars_controller.rb:26:53:26:54 | dt : | app/views/foo/bars/show.html.erb:36:3:36:14 | call to display_text |
|
||||
| app/controllers/foo/bars_controller.rb:26:53:26:54 | dt : | app/views/foo/bars/show.html.erb:44:76:44:87 | call to display_text : |
|
||||
| app/controllers/foo/bars_controller.rb:30:11:30:16 | call to params : | app/controllers/foo/bars_controller.rb:30:11:30:28 | ...[...] : |
|
||||
| app/controllers/foo/bars_controller.rb:30:11:30:28 | ...[...] : | app/controllers/foo/bars_controller.rb:31:5:31:7 | str |
|
||||
| app/views/foo/bars/show.html.erb:44:64:44:87 | ... + ... : | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text |
|
||||
| app/views/foo/bars/show.html.erb:44:64:44:87 | ... + ... : | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] |
|
||||
| app/views/foo/bars/show.html.erb:44:76:44:87 | call to display_text : | app/views/foo/bars/show.html.erb:44:64:44:87 | ... + ... : |
|
||||
@@ -35,7 +39,13 @@ nodes
|
||||
| app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params : | semmle.label | call to params : |
|
||||
| app/controllers/foo/bars_controller.rb:18:10:18:22 | ...[...] : | semmle.label | ...[...] : |
|
||||
| app/controllers/foo/bars_controller.rb:19:22:19:23 | dt : | semmle.label | dt : |
|
||||
| app/controllers/foo/bars_controller.rb:23:53:23:54 | dt : | semmle.label | dt : |
|
||||
| app/controllers/foo/bars_controller.rb:24:39:24:44 | call to params : | semmle.label | call to params : |
|
||||
| app/controllers/foo/bars_controller.rb:24:39:24:59 | ... = ... | semmle.label | ... = ... |
|
||||
| app/controllers/foo/bars_controller.rb:24:39:24:59 | ...[...] : | semmle.label | ...[...] : |
|
||||
| app/controllers/foo/bars_controller.rb:26:53:26:54 | dt : | semmle.label | dt : |
|
||||
| app/controllers/foo/bars_controller.rb:30:11:30:16 | call to params : | semmle.label | call to params : |
|
||||
| app/controllers/foo/bars_controller.rb:30:11:30:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| app/controllers/foo/bars_controller.rb:31:5:31:7 | str | semmle.label | str |
|
||||
| app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | semmle.label | call to display_text |
|
||||
| app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] | semmle.label | ...[...] |
|
||||
| app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website | semmle.label | @user_website |
|
||||
@@ -58,6 +68,8 @@ nodes
|
||||
| app/views/foo/bars/show.html.erb:77:28:77:39 | ...[...] | semmle.label | ...[...] |
|
||||
subpaths
|
||||
#select
|
||||
| app/controllers/foo/bars_controller.rb:24:39:24:59 | ... = ... | app/controllers/foo/bars_controller.rb:24:39:24:44 | call to params : | app/controllers/foo/bars_controller.rb:24:39:24:59 | ... = ... | Cross-site scripting vulnerability due to a $@. | app/controllers/foo/bars_controller.rb:24:39:24:44 | call to params | user-provided value |
|
||||
| app/controllers/foo/bars_controller.rb:31:5:31:7 | str | app/controllers/foo/bars_controller.rb:30:11:30:16 | call to params : | app/controllers/foo/bars_controller.rb:31:5:31:7 | str | Cross-site scripting vulnerability due to a $@. | app/controllers/foo/bars_controller.rb:30:11:30:16 | call to params | user-provided value |
|
||||
| app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params : | app/views/foo/bars/_widget.html.erb:5:9:5:20 | call to display_text | Cross-site scripting vulnerability due to a $@. | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params | user-provided value |
|
||||
| app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params : | app/views/foo/bars/_widget.html.erb:8:9:8:36 | ...[...] | Cross-site scripting vulnerability due to a $@. | app/controllers/foo/bars_controller.rb:18:10:18:15 | call to params | user-provided value |
|
||||
| app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website | app/controllers/foo/bars_controller.rb:17:21:17:26 | call to params : | app/views/foo/bars/show.html.erb:2:18:2:30 | @user_website | Cross-site scripting vulnerability due to a $@. | app/controllers/foo/bars_controller.rb:17:21:17:26 | call to params | user-provided value |
|
||||
|
||||
@@ -20,6 +20,14 @@ class BarsController < ApplicationController
|
||||
@safe_foo = params[:text]
|
||||
@safe_foo = "safe_foo"
|
||||
@html_escaped = ERB::Util.html_escape(params[:text])
|
||||
@header_escaped = ERB::Util.html_escape(cookies[:foo]) # OK - cookies not controllable by 3rd party
|
||||
response.header["content-type"] = params[:content_type]
|
||||
response.header["x-customer-header"] = params[:bar] # OK - header not relevant to XSS
|
||||
render "foo/bars/show", locals: { display_text: dt, safe_text: "hello" }
|
||||
end
|
||||
|
||||
def make_safe_html
|
||||
str = params[:user_name]
|
||||
str.html_safe
|
||||
end
|
||||
end
|
||||
|
||||
@@ -81,3 +81,6 @@
|
||||
|
||||
<%# BAD: Indirect to a database value without escaping %>
|
||||
<%= @other_user_raw_name.html_safe %>
|
||||
|
||||
<%# GOOD: The `foo.bar.baz` is not recognized as a source %>
|
||||
<%= @other_user_raw_name.foo.bar.baz.html_safe %>
|
||||
@@ -1,29 +1,32 @@
|
||||
edges
|
||||
| CodeInjection.rb:3:12:3:17 | call to params : | CodeInjection.rb:3:12:3:24 | ...[...] : |
|
||||
| CodeInjection.rb:3:12:3:24 | ...[...] : | CodeInjection.rb:6:10:6:13 | code |
|
||||
| CodeInjection.rb:3:12:3:24 | ...[...] : | CodeInjection.rb:18:20:18:23 | code |
|
||||
| CodeInjection.rb:3:12:3:24 | ...[...] : | CodeInjection.rb:21:21:21:24 | code |
|
||||
| CodeInjection.rb:3:12:3:24 | ...[...] : | CodeInjection.rb:27:15:27:18 | code |
|
||||
| CodeInjection.rb:3:12:3:24 | ...[...] : | CodeInjection.rb:30:19:30:22 | code |
|
||||
| CodeInjection.rb:3:12:3:24 | ...[...] : | CodeInjection.rb:36:24:36:27 | code : |
|
||||
| CodeInjection.rb:36:24:36:27 | code : | CodeInjection.rb:36:10:36:28 | call to escape |
|
||||
| CodeInjection.rb:5:12:5:17 | call to params : | CodeInjection.rb:5:12:5:24 | ...[...] : |
|
||||
| CodeInjection.rb:5:12:5:24 | ...[...] : | CodeInjection.rb:8:10:8:13 | code |
|
||||
| CodeInjection.rb:5:12:5:24 | ...[...] : | CodeInjection.rb:20:20:20:23 | code |
|
||||
| CodeInjection.rb:5:12:5:24 | ...[...] : | CodeInjection.rb:23:21:23:24 | code |
|
||||
| CodeInjection.rb:5:12:5:24 | ...[...] : | CodeInjection.rb:29:15:29:18 | code |
|
||||
| CodeInjection.rb:5:12:5:24 | ...[...] : | CodeInjection.rb:32:19:32:22 | code |
|
||||
| CodeInjection.rb:5:12:5:24 | ...[...] : | CodeInjection.rb:38:24:38:27 | code : |
|
||||
| CodeInjection.rb:5:12:5:24 | ...[...] : | CodeInjection.rb:41:40:41:43 | code |
|
||||
| CodeInjection.rb:38:24:38:27 | code : | CodeInjection.rb:38:10:38:28 | call to escape |
|
||||
nodes
|
||||
| CodeInjection.rb:3:12:3:17 | call to params : | semmle.label | call to params : |
|
||||
| CodeInjection.rb:3:12:3:24 | ...[...] : | semmle.label | ...[...] : |
|
||||
| CodeInjection.rb:6:10:6:13 | code | semmle.label | code |
|
||||
| CodeInjection.rb:9:10:9:15 | call to params | semmle.label | call to params |
|
||||
| CodeInjection.rb:18:20:18:23 | code | semmle.label | code |
|
||||
| CodeInjection.rb:21:21:21:24 | code | semmle.label | code |
|
||||
| CodeInjection.rb:27:15:27:18 | code | semmle.label | code |
|
||||
| CodeInjection.rb:30:19:30:22 | code | semmle.label | code |
|
||||
| CodeInjection.rb:36:10:36:28 | call to escape | semmle.label | call to escape |
|
||||
| CodeInjection.rb:36:24:36:27 | code : | semmle.label | code : |
|
||||
| CodeInjection.rb:5:12:5:17 | call to params : | semmle.label | call to params : |
|
||||
| CodeInjection.rb:5:12:5:24 | ...[...] : | semmle.label | ...[...] : |
|
||||
| CodeInjection.rb:8:10:8:13 | code | semmle.label | code |
|
||||
| CodeInjection.rb:11:10:11:15 | call to params | semmle.label | call to params |
|
||||
| CodeInjection.rb:20:20:20:23 | code | semmle.label | code |
|
||||
| CodeInjection.rb:23:21:23:24 | code | semmle.label | code |
|
||||
| CodeInjection.rb:29:15:29:18 | code | semmle.label | code |
|
||||
| CodeInjection.rb:32:19:32:22 | code | semmle.label | code |
|
||||
| CodeInjection.rb:38:10:38:28 | call to escape | semmle.label | call to escape |
|
||||
| CodeInjection.rb:38:24:38:27 | code : | semmle.label | code : |
|
||||
| CodeInjection.rb:41:40:41:43 | code | semmle.label | code |
|
||||
subpaths
|
||||
#select
|
||||
| CodeInjection.rb:6:10:6:13 | code | CodeInjection.rb:3:12:3:17 | call to params : | CodeInjection.rb:6:10:6:13 | code | This code execution depends on a $@. | CodeInjection.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| CodeInjection.rb:9:10:9:15 | call to params | CodeInjection.rb:9:10:9:15 | call to params | CodeInjection.rb:9:10:9:15 | call to params | This code execution depends on a $@. | CodeInjection.rb:9:10:9:15 | call to params | user-provided value |
|
||||
| CodeInjection.rb:18:20:18:23 | code | CodeInjection.rb:3:12:3:17 | call to params : | CodeInjection.rb:18:20:18:23 | code | This code execution depends on a $@. | CodeInjection.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| CodeInjection.rb:21:21:21:24 | code | CodeInjection.rb:3:12:3:17 | call to params : | CodeInjection.rb:21:21:21:24 | code | This code execution depends on a $@. | CodeInjection.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| CodeInjection.rb:27:15:27:18 | code | CodeInjection.rb:3:12:3:17 | call to params : | CodeInjection.rb:27:15:27:18 | code | This code execution depends on a $@. | CodeInjection.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| CodeInjection.rb:30:19:30:22 | code | CodeInjection.rb:3:12:3:17 | call to params : | CodeInjection.rb:30:19:30:22 | code | This code execution depends on a $@. | CodeInjection.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| CodeInjection.rb:36:10:36:28 | call to escape | CodeInjection.rb:3:12:3:17 | call to params : | CodeInjection.rb:36:10:36:28 | call to escape | This code execution depends on a $@. | CodeInjection.rb:3:12:3:17 | call to params | user-provided value |
|
||||
| CodeInjection.rb:8:10:8:13 | code | CodeInjection.rb:5:12:5:17 | call to params : | CodeInjection.rb:8:10:8:13 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
|
||||
| CodeInjection.rb:11:10:11:15 | call to params | CodeInjection.rb:11:10:11:15 | call to params | CodeInjection.rb:11:10:11:15 | call to params | This code execution depends on a $@. | CodeInjection.rb:11:10:11:15 | call to params | user-provided value |
|
||||
| CodeInjection.rb:20:20:20:23 | code | CodeInjection.rb:5:12:5:17 | call to params : | CodeInjection.rb:20:20:20:23 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
|
||||
| CodeInjection.rb:23:21:23:24 | code | CodeInjection.rb:5:12:5:17 | call to params : | CodeInjection.rb:23:21:23:24 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
|
||||
| CodeInjection.rb:29:15:29:18 | code | CodeInjection.rb:5:12:5:17 | call to params : | CodeInjection.rb:29:15:29:18 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
|
||||
| CodeInjection.rb:32:19:32:22 | code | CodeInjection.rb:5:12:5:17 | call to params : | CodeInjection.rb:32:19:32:22 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
|
||||
| CodeInjection.rb:38:10:38:28 | call to escape | CodeInjection.rb:5:12:5:17 | call to params : | CodeInjection.rb:38:10:38:28 | call to escape | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
|
||||
| CodeInjection.rb:41:40:41:43 | code | CodeInjection.rb:5:12:5:17 | call to params : | CodeInjection.rb:41:40:41:43 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
|
||||
|
||||
@@ -1,3 +1,5 @@
|
||||
require 'active_job'
|
||||
|
||||
class UsersController < ActionController::Base
|
||||
def create
|
||||
code = params[:code]
|
||||
@@ -22,18 +24,21 @@ class UsersController < ActionController::Base
|
||||
|
||||
# GOOD
|
||||
Bar.class_eval(code)
|
||||
|
||||
|
||||
# BAD
|
||||
const_get(code)
|
||||
|
||||
|
||||
# BAD
|
||||
Foo.const_get(code)
|
||||
|
||||
|
||||
# GOOD
|
||||
Bar.const_get(code)
|
||||
|
||||
# BAD
|
||||
eval(Regexp.escape(code))
|
||||
|
||||
# BAD
|
||||
ActiveJob::Serializers.deserialize(code)
|
||||
end
|
||||
|
||||
def update
|
||||
@@ -62,8 +67,8 @@ class Bar
|
||||
def self.class_eval(x)
|
||||
true
|
||||
end
|
||||
|
||||
|
||||
def self.const_get(x)
|
||||
true
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@@ -15,6 +15,8 @@ edges
|
||||
| PolynomialReDoS.rb:4:12:4:24 | ...[...] : | PolynomialReDoS.rb:22:5:22:8 | name |
|
||||
| PolynomialReDoS.rb:4:12:4:24 | ...[...] : | PolynomialReDoS.rb:23:17:23:20 | name |
|
||||
| PolynomialReDoS.rb:4:12:4:24 | ...[...] : | PolynomialReDoS.rb:24:18:24:21 | name |
|
||||
| PolynomialReDoS.rb:4:12:4:24 | ...[...] : | PolynomialReDoS.rb:42:10:42:13 | name |
|
||||
| PolynomialReDoS.rb:4:12:4:24 | ...[...] : | PolynomialReDoS.rb:47:10:47:13 | name |
|
||||
| PolynomialReDoS.rb:27:9:27:14 | call to params : | PolynomialReDoS.rb:27:9:27:18 | ...[...] : |
|
||||
| PolynomialReDoS.rb:27:9:27:18 | ...[...] : | PolynomialReDoS.rb:28:5:28:5 | a |
|
||||
| PolynomialReDoS.rb:29:9:29:14 | call to params : | PolynomialReDoS.rb:29:9:29:18 | ...[...] : |
|
||||
@@ -48,6 +50,8 @@ nodes
|
||||
| PolynomialReDoS.rb:31:9:31:14 | call to params : | semmle.label | call to params : |
|
||||
| PolynomialReDoS.rb:31:9:31:18 | ...[...] : | semmle.label | ...[...] : |
|
||||
| PolynomialReDoS.rb:32:5:32:5 | c | semmle.label | c |
|
||||
| PolynomialReDoS.rb:42:10:42:13 | name | semmle.label | name |
|
||||
| PolynomialReDoS.rb:47:10:47:13 | name | semmle.label | name |
|
||||
subpaths
|
||||
#select
|
||||
| PolynomialReDoS.rb:10:5:10:17 | ... =~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:10:5:10:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
@@ -68,3 +72,5 @@ subpaths
|
||||
| PolynomialReDoS.rb:28:5:28:21 | call to gsub! | PolynomialReDoS.rb:27:9:27:14 | call to params : | PolynomialReDoS.rb:28:5:28:5 | a | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:27:9:27:14 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:30:5:30:18 | call to slice! | PolynomialReDoS.rb:29:9:29:14 | call to params : | PolynomialReDoS.rb:30:5:30:5 | b | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:29:9:29:14 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:32:5:32:20 | call to sub! | PolynomialReDoS.rb:31:9:31:14 | call to params : | PolynomialReDoS.rb:32:5:32:5 | c | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:31:9:31:14 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:42:5:45:7 | case ... | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:42:10:42:13 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
| PolynomialReDoS.rb:47:5:50:7 | case ... | PolynomialReDoS.rb:4:12:4:17 | call to params : | PolynomialReDoS.rb:47:10:47:13 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:48:14:48:16 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
|
||||
|
||||
@@ -38,5 +38,15 @@ class FooController < ActionController::Base
|
||||
|
||||
# GOOD - regex does not suffer from polynomial backtracking (regression test)
|
||||
params[:foo] =~ /\A[bc].*\Z/
|
||||
|
||||
case name # NOT GOOD
|
||||
when regex
|
||||
puts "foo"
|
||||
end
|
||||
|
||||
case name # NOT GOOD
|
||||
in /^\s+|\s+$/ then
|
||||
puts "foo"
|
||||
end
|
||||
end
|
||||
end
|
||||
|
||||
@@ -17,3 +17,13 @@
|
||||
| broken_crypto.rb:75:1:75:24 | call to new | The cryptographic algorithm RC4 is broken or weak, and should not be used. |
|
||||
| broken_crypto.rb:77:1:77:29 | call to new | The cryptographic algorithm RC4 is broken or weak, and should not be used. |
|
||||
| broken_crypto.rb:79:1:79:35 | call to new | The cryptographic algorithm RC4 is broken or weak, and should not be used. |
|
||||
| broken_crypto.rb:81:1:81:28 | call to hexdigest | The cryptographic algorithm MD5 is broken or weak, and should not be used. |
|
||||
| broken_crypto.rb:84:1:84:31 | call to base64digest | The cryptographic algorithm MD5 is broken or weak, and should not be used. |
|
||||
| broken_crypto.rb:87:1:87:20 | call to digest | The cryptographic algorithm MD5 is broken or weak, and should not be used. |
|
||||
| broken_crypto.rb:89:1:89:21 | call to update | The cryptographic algorithm MD5 is broken or weak, and should not be used. |
|
||||
| broken_crypto.rb:90:1:90:17 | ... << ... | The cryptographic algorithm MD5 is broken or weak, and should not be used. |
|
||||
| broken_crypto.rb:95:1:95:34 | call to bubblebabble | The cryptographic algorithm MD5 is broken or weak, and should not be used. |
|
||||
| broken_crypto.rb:97:11:97:37 | call to file | The cryptographic algorithm MD5 is broken or weak, and should not be used. |
|
||||
| broken_crypto.rb:103:1:103:21 | call to digest | The cryptographic algorithm SHA1 is broken or weak, and should not be used. |
|
||||
| broken_crypto.rb:104:1:104:17 | ... << ... | The cryptographic algorithm SHA1 is broken or weak, and should not be used. |
|
||||
| broken_crypto.rb:106:1:106:37 | call to digest | The cryptographic algorithm SHA1 is broken or weak, and should not be used. |
|
||||
|
||||
@@ -77,3 +77,31 @@ OpenSSL::Cipher::RC4.new
|
||||
OpenSSL::Cipher::RC4.new '40'
|
||||
# BAD: weak encryption algorithm
|
||||
OpenSSL::Cipher::RC4.new 'hmac-md5'
|
||||
|
||||
Digest::MD5.hexdigest('foo') # BAD: weak hash algorithm
|
||||
Digest::SHA256.hexdigest('foo') # GOOD: strong hash algorithm
|
||||
|
||||
Digest::MD5.base64digest('foo') # BAD: weak hash algorithm
|
||||
|
||||
md5 = Digest::MD5.new
|
||||
md5.digest 'message' # BAD: weak hash algorithm
|
||||
|
||||
md5.update 'message1' # BAD: weak hash algorithm
|
||||
md5 << 'message2' # << is an alias for update
|
||||
|
||||
sha256 = Digest::SHA256.new
|
||||
sha256.digest 'message' # GOOD: strong hash algorithm
|
||||
|
||||
Digest::MD5.bubblebabble 'message' # BAD: weak hash algorithm
|
||||
|
||||
filemd5 = Digest::MD5.file 'testfile'
|
||||
filemd5.hexdigest
|
||||
|
||||
Digest("MD5").hexdigest('foo') # BAD: weak hash algorithm
|
||||
|
||||
sha1 = OpenSSL::Digest.new('SHA1')
|
||||
sha1.digest 'message' # BAD: weak hash algorithm
|
||||
sha1 << 'message' # << is an alias for update
|
||||
|
||||
OpenSSL::Digest.digest('SHA1', "abc") # BAD: weak hash algorithm
|
||||
OpenSSL::Digest.digest('SHA3-512', "abc") # GOOD: strong hash algorithm
|
||||
@@ -1,61 +1,69 @@
|
||||
edges
|
||||
| UnsafeDeserialization.rb:9:39:9:44 | call to params : | UnsafeDeserialization.rb:9:39:9:50 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:9:39:9:50 | ...[...] : | UnsafeDeserialization.rb:10:27:10:41 | serialized_data |
|
||||
| UnsafeDeserialization.rb:15:39:15:44 | call to params : | UnsafeDeserialization.rb:15:39:15:50 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:15:39:15:50 | ...[...] : | UnsafeDeserialization.rb:16:30:16:44 | serialized_data |
|
||||
| UnsafeDeserialization.rb:21:17:21:22 | call to params : | UnsafeDeserialization.rb:21:17:21:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:21:17:21:28 | ...[...] : | UnsafeDeserialization.rb:22:24:22:32 | json_data |
|
||||
| UnsafeDeserialization.rb:27:17:27:22 | call to params : | UnsafeDeserialization.rb:27:17:27:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:27:17:27:28 | ...[...] : | UnsafeDeserialization.rb:28:27:28:35 | json_data |
|
||||
| UnsafeDeserialization.rb:39:17:39:22 | call to params : | UnsafeDeserialization.rb:39:17:39:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:39:17:39:28 | ...[...] : | UnsafeDeserialization.rb:40:24:40:32 | yaml_data |
|
||||
| UnsafeDeserialization.rb:51:17:51:22 | call to params : | UnsafeDeserialization.rb:51:17:51:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:51:17:51:28 | ...[...] : | UnsafeDeserialization.rb:52:22:52:30 | json_data |
|
||||
| UnsafeDeserialization.rb:51:17:51:28 | ...[...] : | UnsafeDeserialization.rb:53:22:53:30 | json_data |
|
||||
| UnsafeDeserialization.rb:58:17:58:22 | call to params : | UnsafeDeserialization.rb:58:17:58:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:58:17:58:28 | ...[...] : | UnsafeDeserialization.rb:68:23:68:31 | json_data |
|
||||
| UnsafeDeserialization.rb:80:11:80:16 | call to params : | UnsafeDeserialization.rb:80:11:80:22 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:80:11:80:22 | ...[...] : | UnsafeDeserialization.rb:81:34:81:36 | xml |
|
||||
| UnsafeDeserialization.rb:86:17:86:22 | call to params : | UnsafeDeserialization.rb:86:17:86:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:86:17:86:28 | ...[...] : | UnsafeDeserialization.rb:87:25:87:33 | yaml_data |
|
||||
| UnsafeDeserialization.rb:10:39:10:44 | call to params : | UnsafeDeserialization.rb:10:39:10:50 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:10:39:10:50 | ...[...] : | UnsafeDeserialization.rb:11:27:11:41 | serialized_data |
|
||||
| UnsafeDeserialization.rb:16:39:16:44 | call to params : | UnsafeDeserialization.rb:16:39:16:50 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:16:39:16:50 | ...[...] : | UnsafeDeserialization.rb:17:30:17:44 | serialized_data |
|
||||
| UnsafeDeserialization.rb:22:17:22:22 | call to params : | UnsafeDeserialization.rb:22:17:22:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:22:17:22:28 | ...[...] : | UnsafeDeserialization.rb:23:24:23:32 | json_data |
|
||||
| UnsafeDeserialization.rb:28:17:28:22 | call to params : | UnsafeDeserialization.rb:28:17:28:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:28:17:28:28 | ...[...] : | UnsafeDeserialization.rb:29:27:29:35 | json_data |
|
||||
| UnsafeDeserialization.rb:40:17:40:22 | call to params : | UnsafeDeserialization.rb:40:17:40:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:40:17:40:28 | ...[...] : | UnsafeDeserialization.rb:41:24:41:32 | yaml_data |
|
||||
| UnsafeDeserialization.rb:52:17:52:22 | call to params : | UnsafeDeserialization.rb:52:17:52:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:52:17:52:28 | ...[...] : | UnsafeDeserialization.rb:53:22:53:30 | json_data |
|
||||
| UnsafeDeserialization.rb:52:17:52:28 | ...[...] : | UnsafeDeserialization.rb:54:22:54:30 | json_data |
|
||||
| UnsafeDeserialization.rb:59:17:59:22 | call to params : | UnsafeDeserialization.rb:59:17:59:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:59:17:59:28 | ...[...] : | UnsafeDeserialization.rb:69:23:69:31 | json_data |
|
||||
| UnsafeDeserialization.rb:81:11:81:16 | call to params : | UnsafeDeserialization.rb:81:11:81:22 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:81:11:81:22 | ...[...] : | UnsafeDeserialization.rb:82:34:82:36 | xml |
|
||||
| UnsafeDeserialization.rb:87:17:87:22 | call to params : | UnsafeDeserialization.rb:87:17:87:28 | ...[...] : |
|
||||
| UnsafeDeserialization.rb:87:17:87:28 | ...[...] : | UnsafeDeserialization.rb:88:25:88:33 | yaml_data |
|
||||
| UnsafeDeserialization.rb:93:30:93:35 | call to params : | UnsafeDeserialization.rb:93:30:93:43 | ...[...] |
|
||||
| UnsafeDeserialization.rb:99:48:99:53 | call to params : | UnsafeDeserialization.rb:99:48:99:61 | ...[...] |
|
||||
nodes
|
||||
| UnsafeDeserialization.rb:9:39:9:44 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:9:39:9:50 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:10:27:10:41 | serialized_data | semmle.label | serialized_data |
|
||||
| UnsafeDeserialization.rb:15:39:15:44 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:15:39:15:50 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:16:30:16:44 | serialized_data | semmle.label | serialized_data |
|
||||
| UnsafeDeserialization.rb:21:17:21:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:21:17:21:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:22:24:22:32 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:27:17:27:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:27:17:27:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:28:27:28:35 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:39:17:39:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:39:17:39:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:40:24:40:32 | yaml_data | semmle.label | yaml_data |
|
||||
| UnsafeDeserialization.rb:51:17:51:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:51:17:51:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:52:22:52:30 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:10:39:10:44 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:10:39:10:50 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:11:27:11:41 | serialized_data | semmle.label | serialized_data |
|
||||
| UnsafeDeserialization.rb:16:39:16:44 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:16:39:16:50 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:17:30:17:44 | serialized_data | semmle.label | serialized_data |
|
||||
| UnsafeDeserialization.rb:22:17:22:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:22:17:22:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:23:24:23:32 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:28:17:28:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:28:17:28:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:29:27:29:35 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:40:17:40:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:40:17:40:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:41:24:41:32 | yaml_data | semmle.label | yaml_data |
|
||||
| UnsafeDeserialization.rb:52:17:52:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:52:17:52:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:53:22:53:30 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:58:17:58:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:58:17:58:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:68:23:68:31 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:80:11:80:16 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:80:11:80:22 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:81:34:81:36 | xml | semmle.label | xml |
|
||||
| UnsafeDeserialization.rb:86:17:86:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:86:17:86:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:87:25:87:33 | yaml_data | semmle.label | yaml_data |
|
||||
| UnsafeDeserialization.rb:54:22:54:30 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:59:17:59:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:59:17:59:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:69:23:69:31 | json_data | semmle.label | json_data |
|
||||
| UnsafeDeserialization.rb:81:11:81:16 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:81:11:81:22 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:82:34:82:36 | xml | semmle.label | xml |
|
||||
| UnsafeDeserialization.rb:87:17:87:22 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:87:17:87:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| UnsafeDeserialization.rb:88:25:88:33 | yaml_data | semmle.label | yaml_data |
|
||||
| UnsafeDeserialization.rb:93:30:93:35 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:93:30:93:43 | ...[...] | semmle.label | ...[...] |
|
||||
| UnsafeDeserialization.rb:99:48:99:53 | call to params : | semmle.label | call to params : |
|
||||
| UnsafeDeserialization.rb:99:48:99:61 | ...[...] | semmle.label | ...[...] |
|
||||
subpaths
|
||||
#select
|
||||
| UnsafeDeserialization.rb:10:27:10:41 | serialized_data | UnsafeDeserialization.rb:9:39:9:44 | call to params : | UnsafeDeserialization.rb:10:27:10:41 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:9:39:9:44 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:16:30:16:44 | serialized_data | UnsafeDeserialization.rb:15:39:15:44 | call to params : | UnsafeDeserialization.rb:16:30:16:44 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:15:39:15:44 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:22:24:22:32 | json_data | UnsafeDeserialization.rb:21:17:21:22 | call to params : | UnsafeDeserialization.rb:22:24:22:32 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:21:17:21:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:28:27:28:35 | json_data | UnsafeDeserialization.rb:27:17:27:22 | call to params : | UnsafeDeserialization.rb:28:27:28:35 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:27:17:27:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:40:24:40:32 | yaml_data | UnsafeDeserialization.rb:39:17:39:22 | call to params : | UnsafeDeserialization.rb:40:24:40:32 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:39:17:39:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:52:22:52:30 | json_data | UnsafeDeserialization.rb:51:17:51:22 | call to params : | UnsafeDeserialization.rb:52:22:52:30 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:51:17:51:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:53:22:53:30 | json_data | UnsafeDeserialization.rb:51:17:51:22 | call to params : | UnsafeDeserialization.rb:53:22:53:30 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:51:17:51:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:68:23:68:31 | json_data | UnsafeDeserialization.rb:58:17:58:22 | call to params : | UnsafeDeserialization.rb:68:23:68:31 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:58:17:58:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:81:34:81:36 | xml | UnsafeDeserialization.rb:80:11:80:16 | call to params : | UnsafeDeserialization.rb:81:34:81:36 | xml | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:80:11:80:16 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:87:25:87:33 | yaml_data | UnsafeDeserialization.rb:86:17:86:22 | call to params : | UnsafeDeserialization.rb:87:25:87:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:86:17:86:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:11:27:11:41 | serialized_data | UnsafeDeserialization.rb:10:39:10:44 | call to params : | UnsafeDeserialization.rb:11:27:11:41 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:10:39:10:44 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:17:30:17:44 | serialized_data | UnsafeDeserialization.rb:16:39:16:44 | call to params : | UnsafeDeserialization.rb:17:30:17:44 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:16:39:16:44 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:23:24:23:32 | json_data | UnsafeDeserialization.rb:22:17:22:22 | call to params : | UnsafeDeserialization.rb:23:24:23:32 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:22:17:22:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:29:27:29:35 | json_data | UnsafeDeserialization.rb:28:17:28:22 | call to params : | UnsafeDeserialization.rb:29:27:29:35 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:28:17:28:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:41:24:41:32 | yaml_data | UnsafeDeserialization.rb:40:17:40:22 | call to params : | UnsafeDeserialization.rb:41:24:41:32 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:40:17:40:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:53:22:53:30 | json_data | UnsafeDeserialization.rb:52:17:52:22 | call to params : | UnsafeDeserialization.rb:53:22:53:30 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:52:17:52:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:54:22:54:30 | json_data | UnsafeDeserialization.rb:52:17:52:22 | call to params : | UnsafeDeserialization.rb:54:22:54:30 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:52:17:52:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:69:23:69:31 | json_data | UnsafeDeserialization.rb:59:17:59:22 | call to params : | UnsafeDeserialization.rb:69:23:69:31 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:59:17:59:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:82:34:82:36 | xml | UnsafeDeserialization.rb:81:11:81:16 | call to params : | UnsafeDeserialization.rb:82:34:82:36 | xml | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:81:11:81:16 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:88:25:88:33 | yaml_data | UnsafeDeserialization.rb:87:17:87:22 | call to params : | UnsafeDeserialization.rb:88:25:88:33 | yaml_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:87:17:87:22 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:93:30:93:43 | ...[...] | UnsafeDeserialization.rb:93:30:93:35 | call to params : | UnsafeDeserialization.rb:93:30:93:43 | ...[...] | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:93:30:93:35 | call to params | user-provided value |
|
||||
| UnsafeDeserialization.rb:99:48:99:61 | ...[...] | UnsafeDeserialization.rb:99:48:99:53 | call to params : | UnsafeDeserialization.rb:99:48:99:61 | ...[...] | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:99:48:99:53 | call to params | user-provided value |
|
||||
|
||||
@@ -1,3 +1,4 @@
|
||||
require "active_job"
|
||||
require "base64"
|
||||
require "json"
|
||||
require "oj"
|
||||
@@ -86,4 +87,16 @@ class UsersController < ActionController::Base
|
||||
yaml_data = params[:key]
|
||||
object = Psych.load yaml_data
|
||||
end
|
||||
|
||||
# BAD - user input determines which class is instantiated
|
||||
def route12
|
||||
klass = Module.const_get(params[:class])
|
||||
object = klass.new
|
||||
end
|
||||
|
||||
# BAD - user input determines which class is instantiated
|
||||
def route13
|
||||
klass = ActiveJob::Serializers.deserialize(params[:class])
|
||||
object = klass.new
|
||||
end
|
||||
end
|
||||
|
||||
@@ -0,0 +1,24 @@
|
||||
edges
|
||||
| app/controllers/users_controller.rb:4:11:4:16 | call to params : | app/controllers/users_controller.rb:4:11:4:27 | ...[...] |
|
||||
| app/controllers/users_controller.rb:9:16:9:21 | call to params : | app/controllers/users_controller.rb:9:16:9:27 | ...[...] : |
|
||||
| app/controllers/users_controller.rb:9:16:9:27 | ...[...] : | app/controllers/users_controller.rb:10:42:10:49 | password |
|
||||
| app/controllers/users_controller.rb:14:5:14:13 | [post] self [@password] : | app/controllers/users_controller.rb:15:42:15:50 | self [@password] : |
|
||||
| app/controllers/users_controller.rb:14:17:14:22 | call to params : | app/controllers/users_controller.rb:14:17:14:28 | ...[...] : |
|
||||
| app/controllers/users_controller.rb:14:17:14:28 | ...[...] : | app/controllers/users_controller.rb:14:5:14:13 | [post] self [@password] : |
|
||||
| app/controllers/users_controller.rb:15:42:15:50 | self [@password] : | app/controllers/users_controller.rb:15:42:15:50 | @password |
|
||||
nodes
|
||||
| app/controllers/users_controller.rb:4:11:4:16 | call to params : | semmle.label | call to params : |
|
||||
| app/controllers/users_controller.rb:4:11:4:27 | ...[...] | semmle.label | ...[...] |
|
||||
| app/controllers/users_controller.rb:9:16:9:21 | call to params : | semmle.label | call to params : |
|
||||
| app/controllers/users_controller.rb:9:16:9:27 | ...[...] : | semmle.label | ...[...] : |
|
||||
| app/controllers/users_controller.rb:10:42:10:49 | password | semmle.label | password |
|
||||
| app/controllers/users_controller.rb:14:5:14:13 | [post] self [@password] : | semmle.label | [post] self [@password] : |
|
||||
| app/controllers/users_controller.rb:14:17:14:22 | call to params : | semmle.label | call to params : |
|
||||
| app/controllers/users_controller.rb:14:17:14:28 | ...[...] : | semmle.label | ...[...] : |
|
||||
| app/controllers/users_controller.rb:15:42:15:50 | @password | semmle.label | @password |
|
||||
| app/controllers/users_controller.rb:15:42:15:50 | self [@password] : | semmle.label | self [@password] : |
|
||||
subpaths
|
||||
#select
|
||||
| app/controllers/users_controller.rb:4:11:4:16 | call to params | app/controllers/users_controller.rb:4:11:4:16 | call to params : | app/controllers/users_controller.rb:4:11:4:27 | ...[...] | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:3:3:6:5 | login_get_1 | Route handler |
|
||||
| app/controllers/users_controller.rb:9:16:9:21 | call to params | app/controllers/users_controller.rb:9:16:9:21 | call to params : | app/controllers/users_controller.rb:10:42:10:49 | password | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:8:3:11:5 | login_get_2 | Route handler |
|
||||
| app/controllers/users_controller.rb:14:17:14:22 | call to params | app/controllers/users_controller.rb:14:17:14:22 | call to params : | app/controllers/users_controller.rb:15:42:15:50 | @password | $@ for GET requests uses query parameter as sensitive data. | app/controllers/users_controller.rb:13:3:16:5 | login_get_3 | Route handler |
|
||||
@@ -0,0 +1 @@
|
||||
queries/security/cwe-598/SensitiveGetQuery.ql
|
||||
@@ -0,0 +1,32 @@
|
||||
class UsersController < ApplicationController
|
||||
|
||||
def login_get_1
|
||||
foo = params[:password] # BAD: route handler uses GET query parameters to receive sensitive data
|
||||
authenticate_user(params[:username], foo)
|
||||
end
|
||||
|
||||
def login_get_2
|
||||
password = params[:foo] # BAD: route handler uses GET query parameters to receive sensitive data
|
||||
authenticate_user(params[:username], password)
|
||||
end
|
||||
|
||||
def login_get_3
|
||||
@password = params[:foo] # BAD: route handler uses GET query parameters to receive sensitive data
|
||||
authenticate_user(params[:username], @password)
|
||||
end
|
||||
|
||||
def login_post
|
||||
foo = params[:password] # GOOD: handler uses POST form parameters to receive sensitive data
|
||||
authenticate_user(params[:username], foo)
|
||||
end
|
||||
|
||||
def login_get_cookies
|
||||
foo = cookies[:password] # GOOD: data sourced from cookies rather than (plaintext) query params
|
||||
authenticate_user(params[:username], foo)
|
||||
end
|
||||
|
||||
private
|
||||
def authenticate_user(username, password)
|
||||
# ... authenticate the user here
|
||||
end
|
||||
end
|
||||
@@ -0,0 +1,7 @@
|
||||
Rails.application.routes.draw do
|
||||
match "users/login1", to: "users#login_get_1", via: :get
|
||||
get "users/login2", to: "users#login_get_2"
|
||||
get "users/login3", to: "users#login_get_3"
|
||||
post "users/login4", to: "users#login_post"
|
||||
get "users/login5", to: "users#login_get_cookies"
|
||||
end
|
||||
@@ -3,14 +3,14 @@ edges
|
||||
| UrlRedirect.rb:14:17:14:22 | call to params : | UrlRedirect.rb:14:17:14:43 | call to fetch |
|
||||
| UrlRedirect.rb:19:17:19:22 | call to params : | UrlRedirect.rb:19:17:19:37 | call to to_unsafe_hash |
|
||||
| UrlRedirect.rb:24:31:24:36 | call to params : | UrlRedirect.rb:24:17:24:37 | call to filter_params |
|
||||
| UrlRedirect.rb:24:31:24:36 | call to params : | UrlRedirect.rb:88:21:88:32 | input_params : |
|
||||
| UrlRedirect.rb:24:31:24:36 | call to params : | UrlRedirect.rb:93:21:93:32 | input_params : |
|
||||
| UrlRedirect.rb:34:20:34:25 | call to params : | UrlRedirect.rb:34:20:34:31 | ...[...] : |
|
||||
| UrlRedirect.rb:34:20:34:31 | ...[...] : | UrlRedirect.rb:34:17:34:37 | "#{...}/foo" |
|
||||
| UrlRedirect.rb:58:17:58:22 | call to params : | UrlRedirect.rb:58:17:58:28 | ...[...] |
|
||||
| UrlRedirect.rb:63:38:63:43 | call to params : | UrlRedirect.rb:63:38:63:49 | ...[...] |
|
||||
| UrlRedirect.rb:68:38:68:43 | call to params : | UrlRedirect.rb:68:38:68:49 | ...[...] |
|
||||
| UrlRedirect.rb:73:25:73:30 | call to params : | UrlRedirect.rb:73:25:73:36 | ...[...] |
|
||||
| UrlRedirect.rb:88:21:88:32 | input_params : | UrlRedirect.rb:89:5:89:29 | call to permit : |
|
||||
| UrlRedirect.rb:93:21:93:32 | input_params : | UrlRedirect.rb:94:5:94:29 | call to permit : |
|
||||
nodes
|
||||
| UrlRedirect.rb:4:17:4:22 | call to params | semmle.label | call to params |
|
||||
| UrlRedirect.rb:9:17:9:22 | call to params : | semmle.label | call to params : |
|
||||
@@ -32,10 +32,10 @@ nodes
|
||||
| UrlRedirect.rb:68:38:68:49 | ...[...] | semmle.label | ...[...] |
|
||||
| UrlRedirect.rb:73:25:73:30 | call to params : | semmle.label | call to params : |
|
||||
| UrlRedirect.rb:73:25:73:36 | ...[...] | semmle.label | ...[...] |
|
||||
| UrlRedirect.rb:88:21:88:32 | input_params : | semmle.label | input_params : |
|
||||
| UrlRedirect.rb:89:5:89:29 | call to permit : | semmle.label | call to permit : |
|
||||
| UrlRedirect.rb:93:21:93:32 | input_params : | semmle.label | input_params : |
|
||||
| UrlRedirect.rb:94:5:94:29 | call to permit : | semmle.label | call to permit : |
|
||||
subpaths
|
||||
| UrlRedirect.rb:24:31:24:36 | call to params : | UrlRedirect.rb:88:21:88:32 | input_params : | UrlRedirect.rb:89:5:89:29 | call to permit : | UrlRedirect.rb:24:17:24:37 | call to filter_params |
|
||||
| UrlRedirect.rb:24:31:24:36 | call to params : | UrlRedirect.rb:93:21:93:32 | input_params : | UrlRedirect.rb:94:5:94:29 | call to permit : | UrlRedirect.rb:24:17:24:37 | call to filter_params |
|
||||
#select
|
||||
| UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | UrlRedirect.rb:4:17:4:22 | call to params | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:4:17:4:22 | call to params | user-provided value |
|
||||
| UrlRedirect.rb:9:17:9:28 | ...[...] | UrlRedirect.rb:9:17:9:22 | call to params : | UrlRedirect.rb:9:17:9:28 | ...[...] | Untrusted URL redirection depends on a $@. | UrlRedirect.rb:9:17:9:22 | call to params | user-provided value |
|
||||
|
||||
@@ -83,6 +83,11 @@ class UsersController < ActionController::Base
|
||||
redirect_back_or_to params[:key], allow_other_host: false
|
||||
end
|
||||
|
||||
# GOOD
|
||||
def route15
|
||||
redirect_to cookies[:foo]
|
||||
end
|
||||
|
||||
private
|
||||
|
||||
def filter_params(input_params)
|
||||
|
||||
Reference in New Issue
Block a user