make rb/overly-permissive-file a proper path-problem

2026-04-21 15:05:56 +02:00 · 2021-04-29 19:11:39 +01:00
parent 4375452866
commit 2c8a4f833f
2 changed files with 21 additions and 1 deletions
--- a/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
+++ b/ql/src/queries/security/cwe-732/WeakFilePermissions.ql
@@ -10,6 +10,7 @@
 */

 import ruby
+import codeql_ruby.dataflow.internal.DataFlowImpl::PathGraph
 private import codeql_ruby.dataflow.SSA
 private import codeql_ruby.dataflow.internal.DataFlowImpl as DataFlow

@@ -94,5 +95,5 @@ class PermissivePermissionsConfig extends DataFlow::Configuration {

 from DataFlow::PathNode source, DataFlow::PathNode sink, PermissivePermissionsConfig conf
 where conf.hasFlowPath(source, sink)
-select sink, source, sink, "Overly permissive mask sets file to $@.", source.getNode(),
+select sink.getNode(), source, sink, "Overly permissive mask sets file to $@.", source.getNode(),
  source.getNode().toString()
--- a/ql/test/query-tests/security/cwe-732/WeakFilePermissions.expected
+++ b/ql/test/query-tests/security/cwe-732/WeakFilePermissions.expected
@@ -1,3 +1,22 @@
+edges
+| FilePermissions.rb:43:10:43:13 | 0777 :  | FilePermissions.rb:44:19:44:22 | perm |
+| FilePermissions.rb:43:10:43:13 | 0777 :  | FilePermissions.rb:46:19:46:23 | perm2 |
+| FilePermissions.rb:48:10:48:26 | "u=wrx,g=rwx,o=x" :  | FilePermissions.rb:50:19:50:23 | perm2 |
+nodes
+| FilePermissions.rb:4:19:4:22 | 0222 | semmle.label | 0222 |
+| FilePermissions.rb:5:19:5:22 | 0622 | semmle.label | 0622 |
+| FilePermissions.rb:6:19:6:22 | 0755 | semmle.label | 0755 |
+| FilePermissions.rb:7:19:7:22 | 0777 | semmle.label | 0777 |
+| FilePermissions.rb:24:13:24:16 | 0755 | semmle.label | 0755 |
+| FilePermissions.rb:43:10:43:13 | 0777 :  | semmle.label | 0777 :  |
+| FilePermissions.rb:44:19:44:22 | perm | semmle.label | perm |
+| FilePermissions.rb:46:19:46:23 | perm2 | semmle.label | perm2 |
+| FilePermissions.rb:48:10:48:26 | "u=wrx,g=rwx,o=x" :  | semmle.label | "u=wrx,g=rwx,o=x" :  |
+| FilePermissions.rb:50:19:50:23 | perm2 | semmle.label | perm2 |
+| FilePermissions.rb:51:19:51:29 | "u=rwx,o+r" | semmle.label | "u=rwx,o+r" |
+| FilePermissions.rb:53:19:53:24 | "a+rw" | semmle.label | "a+rw" |
+| FilePermissions.rb:57:16:57:19 | 0755 | semmle.label | 0755 |
+#select
 | FilePermissions.rb:4:19:4:22 | 0222 | FilePermissions.rb:4:19:4:22 | 0222 | FilePermissions.rb:4:19:4:22 | 0222 | Overly permissive mask sets file to $@. | FilePermissions.rb:4:19:4:22 | 0222 | 0222 |
 | FilePermissions.rb:5:19:5:22 | 0622 | FilePermissions.rb:5:19:5:22 | 0622 | FilePermissions.rb:5:19:5:22 | 0622 | Overly permissive mask sets file to $@. | FilePermissions.rb:5:19:5:22 | 0622 | 0622 |
 | FilePermissions.rb:6:19:6:22 | 0755 | FilePermissions.rb:6:19:6:22 | 0755 | FilePermissions.rb:6:19:6:22 | 0755 | Overly permissive mask sets file to $@. | FilePermissions.rb:6:19:6:22 | 0755 | 0755 |