hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-03 04:39:29 +02:00
Code Issues Packages Projects Releases Wiki Activity

Ruby: prevent bad join in ActionController.qll

Browse Source
This commit is contained in:
Harry Maclean
2022-02-08 12:10:23 +13:00
parent 61cd05cfc5
commit 3031b39dc1
1 changed files with 12 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
View File

@@ -92,12 +92,21 @@ class ActionControllerActionMethod extends Method, HTTP::Server::RequestHandler:
* May return multiple results.
*/
ActionDispatch::Route getARoute() {
result.getController() + "_controller" =
ActionDispatch::underscore(namespaceDeclaration(controllerClass)) and
isActionControllerMethod(this, result.getAction(), controllerClass)
exists(string name |
isRoute(result, name, controllerClass) and
isActionControllerMethod(this, name, controllerClass)
)
}
}
private predicate isRoute(
ActionDispatch::Route route, string name, ActionControllerControllerClass controllerClass
) {
route.getController() + "_controller" =
ActionDispatch::underscore(namespaceDeclaration(controllerClass)) and
name = route.getAction()
}
// A method call with a `self` receiver from within a controller class
private class ActionControllerContextCall extends MethodCall {
private ActionControllerControllerClass controllerClass;