Ruby: fix SensitiveNode detection relating to class/instance variables

2025-12-16 16:53:25 +01:00 · 2022-10-14 10:41:46 +01:00
parent 36a1b18f5b
commit 24dad5599a
1 changed files with 11 additions and 2 deletions
--- a/ruby/ql/lib/codeql/ruby/security/SensitiveActions.qll
+++ b/ruby/ql/lib/codeql/ruby/security/SensitiveActions.qll
@@ -84,6 +84,13 @@ private predicate writesProperty(DataFlow::Node node, string name) {
  node.(DataFlow::CallNode).getArgument(0).asExpr().getConstantValue().isStringlikeValue(name)
 }

+/**
+ * Instance and class variable names are reported with their respective `@`
+ * and `@@` prefixes. This predicate strips these prefixes.
+ */
+bindingset[name]
+private string unprefixedVariableName(string name) { result = name.regexpReplaceAll("^@*", "") }
+
 /** A write to a variable or property that might contain sensitive data. */
 private class BasicSensitiveWrite extends SensitiveWrite {
  SensitiveDataClassification classification;
@@ -104,7 +111,7 @@ private class BasicSensitiveWrite extends SensitiveWrite {
       */

      writesProperty(this, name) and
-      nameIndicatesSensitiveData(name, classification)
+      nameIndicatesSensitiveData(unprefixedVariableName(name), classification)
    )
  }

@@ -116,7 +123,9 @@ private class BasicSensitiveWrite extends SensitiveWrite {
 private class BasicSensitiveVariableAccess extends SensitiveVariableAccess {
  SensitiveDataClassification classification;

-  BasicSensitiveVariableAccess() { nameIndicatesSensitiveData(name, classification) }
+  BasicSensitiveVariableAccess() {
+    nameIndicatesSensitiveData(unprefixedVariableName(name), classification)
+  }

  override SensitiveDataClassification getClassification() { result = classification }
 }