Merge from main to resolve conflicts

This commit is contained in:
Dave Bartolomeo
2024-03-19 10:41:31 -04:00
1361 changed files with 222127 additions and 93308 deletions


@@ -5,7 +5,7 @@ private import codeql.ruby.dataflow.internal.DataFlowImplSpecific
private import codeql.ruby.dataflow.internal.TaintTrackingImplSpecific
private import codeql.dataflow.internal.DataFlowImplConsistency
private module Input implements InputSig<RubyDataFlow> {
private module Input implements InputSig<Location, RubyDataFlow> {
private import RubyDataFlow
predicate postWithInFlowExclude(Node n) { n instanceof FlowSummaryNode }
@@ -46,4 +46,4 @@ private module Input implements InputSig<RubyDataFlow> {
}
}
import MakeConsistency<RubyDataFlow, RubyTaintTracking, Input>
import MakeConsistency<Location, RubyDataFlow, RubyTaintTracking, Input>


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* New command injection sinks have been added, including `Process.spawn`, `Process.exec`, `Terrapin::CommandLine` and the `open4` gem.


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Calls to `Typhoeus::Request.new` are now considered as instances of the `Http::Client::Request` concept, with the response body being treated as a remote flow source.


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The second argument, `subquery_name`, of the `ActiveRecord::QueryMethods::from` method, is now recognized as an sql injection sink.


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Modeled instances of `ActionDispatch::Http::UploadedFile` that can be obtained from element reads of `ActionController::Parameters`, with calls to `original_filename`, `content_type`, and `read` now propagating taint from their receiver.


@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* Data flow is now tracked through `ActiveRecord` scopes.


@@ -12,6 +12,6 @@ import codeql.Locations
module DataFlow {
private import codeql.ruby.dataflow.internal.DataFlowImplSpecific
private import codeql.dataflow.DataFlow
import DataFlowMake<RubyDataFlow>
import DataFlowMake<Location, RubyDataFlow>
import codeql.ruby.dataflow.internal.DataFlowImpl1
}


@@ -7,6 +7,7 @@ module TaintTracking {
private import codeql.ruby.dataflow.internal.DataFlowImplSpecific
private import codeql.ruby.dataflow.internal.TaintTrackingImplSpecific
private import codeql.dataflow.TaintTracking
import TaintFlowMake<RubyDataFlow, RubyTaintTracking>
private import codeql.Locations
import TaintFlowMake<Location, RubyDataFlow, RubyTaintTracking>
import codeql.ruby.dataflow.internal.tainttracking1.TaintTrackingImpl
}


@@ -423,7 +423,7 @@ private module Cached {
or
s = any(StringComponentImpl c).getValue()
} or
TSymbol(string s) { isString(_, s) or isSymbolExpr(_, s) } or
TSymbol(string s) { isSymbolExpr(_, s) } or
TRegExp(string s, string flags) {
isRegExp(_, s, flags)
or


@@ -429,7 +429,20 @@ private Callable viableSourceCallableInit(RelevantCall call) { result = getIniti
/** Holds if `call` may resolve to the returned source-code method. */
private DataFlowCallable viableSourceCallable(DataFlowCall call) {
result = viableSourceCallableNonInit(call) or
result.asCfgScope() = viableSourceCallableInit(call.asCall())
result.asCfgScope() = viableSourceCallableInit(call.asCall()) or
result = any(AdditionalCallTarget t).viableTarget(call.asCall())
}
/**
* A unit class for adding additional call steps.
*
* Extend this class to add additional call steps to the data flow graph.
*/
class AdditionalCallTarget extends Unit {
/**
* Gets a viable target for `call`.
*/
abstract DataFlowCallable viableTarget(CfgNodes::ExprNodes::CallCfgNode call);
}
/** Holds if `call` may resolve to the returned summarized library method. */
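Review bot: The QLDoc on `AdditionalCallTarget.viableTarget` (`Gets a viable target for `call`.`) does not state the contract an implementation has to meet, even though every result becomes a call edge consumed by `viableSourceCallable` and therefore by every data-flow and taint query built on this library. Since `viableSourceCallable` is documented as resolving to a source-code method, implementations presumably have to return a callable with an `asCfgScope()`, and one that matches on method name alone would add spurious edges between unrelated classes. Suggest `Gets a viable target for `call`. Each result adds a call edge used by all data-flow analyses, so implementations should be precise about which calls they match (for example by receiver) to avoid spurious flow.` `viableSourceCallableNonInit` and the rest of the dispatch logic are outside the hunk.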


@@ -1,3 +1,4 @@
private import codeql.Locations
private import DataFlowImplSpecific
private import codeql.dataflow.internal.DataFlowImpl
import MakeImpl<RubyDataFlow>
import MakeImpl<Location, RubyDataFlow>


@@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig {
int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
int accessPathLimit() { result = 5 }
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate sourceGrouping(Node source, string sourceGroup) {


@@ -285,6 +285,8 @@ deprecated private module Config implements FullStateConfigSig {
int fieldFlowBranchLimit() { result = min(any(Configuration config).fieldFlowBranchLimit()) }
int accessPathLimit() { result = 5 }
FlowFeature getAFeature() { result = any(Configuration config).getAFeature() }
predicate sourceGrouping(Node source, string sourceGroup) {


@@ -1,3 +1,4 @@
private import codeql.Locations
private import DataFlowImplSpecific
private import codeql.dataflow.internal.DataFlowImplCommon
import MakeImplCommon<RubyDataFlow>
import MakeImplCommon<Location, RubyDataFlow>


@@ -2,6 +2,7 @@
* Provides Ruby-specific definitions for use in the data flow library.
*/
private import codeql.Locations
private import codeql.dataflow.DataFlow
module Private {
@@ -13,7 +14,7 @@ module Public {
import DataFlowPublic
}
module RubyDataFlow implements InputSig {
module RubyDataFlow implements InputSig<Location> {
import Private
import Public


@@ -322,7 +322,11 @@ private class Argument extends CfgNodes::ExprCfgNode {
/** Holds if `n` is not a constant expression. */
predicate isNonConstantExpr(CfgNodes::ExprCfgNode n) {
not exists(n.getConstantValue()) and
not exists(ConstantValue cv |
cv = n.getConstantValue() and
// strings are mutable in Ruby
not cv.isString(_)
) and
not n.getExpr() instanceof ConstantAccess
}
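Review bot: The comment `// strings are mutable in Ruby` on the new `not cv.isString(_)` conjunct should say what trade-off is being made, because a reader will wonder why a literal such as `"foo"` is now classed as non-constant. Strings are mutable unless frozen (`# frozen_string_literal: true` or an explicit `.freeze`), and the predicate does not distinguish those cases, so it conservatively treats every string constant as non-constant. Suggest `// strings are mutable in Ruby (unless frozen, which is not tracked here), so treat them conservatively as non-constant`. The enclosing `Argument` class starts outside the hunk.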


@@ -35,7 +35,7 @@ class Node extends TNode {
* For more information, see
* [Locations](https://codeql.github.com/docs/writing-codeql-queries/providing-locations-in-codeql-queries/).
*/
predicate hasLocationInfo(
deprecated predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
) {
this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
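Review bot: `hasLocationInfo` is now marked `deprecated`, but the visible tail of its QLDoc (`For more information, see ...`) does not name the replacement; unless the lines above the hunk already do, the comment should begin with `DEPRECATED: use `getLocation()` instead.` so the deprecation warning that downstream query authors will see points them at the right API. The start of the QLDoc and the `Node` class itself are outside the hunk.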


@@ -9,7 +9,7 @@ private import codeql.ruby.dataflow.internal.DataFlowImplSpecific as DataFlowImp
private import DataFlowImplSpecific::Private
private import DataFlowImplSpecific::Public
module Input implements InputSig<DataFlowImplSpecific::RubyDataFlow> {
module Input implements InputSig<Location, DataFlowImplSpecific::RubyDataFlow> {
class SummarizedCallableBase = string;
ArgumentPosition callbackSelfParameterPosition() { result.isLambdaSelf() }
@@ -146,7 +146,7 @@ module Input implements InputSig<DataFlowImplSpecific::RubyDataFlow> {
}
}
private import Make<DataFlowImplSpecific::RubyDataFlow, Input> as Impl
private import Make<Location, DataFlowImplSpecific::RubyDataFlow, Input> as Impl
private module StepsInput implements Impl::Private::StepsInputSig {
DataFlowCall getACall(Public::SummarizedCallable sc) {


@@ -2,9 +2,10 @@
* Provides Ruby-specific definitions for use in the taint tracking library.
*/
private import codeql.Locations
private import codeql.dataflow.TaintTracking
private import DataFlowImplSpecific
module RubyTaintTracking implements InputSig<RubyDataFlow> {
module RubyTaintTracking implements InputSig<Location, RubyDataFlow> {
import TaintTrackingPrivate
}


@@ -8,6 +8,7 @@ private import codeql.ruby.controlflow.CfgNodes
private import codeql.ruby.DataFlow
private import codeql.ruby.dataflow.RemoteFlowSources
private import codeql.ruby.ApiGraphs
private import codeql.ruby.typetracking.TypeTracking
private import codeql.ruby.frameworks.ActionDispatch
private import codeql.ruby.frameworks.ActionView
private import codeql.ruby.frameworks.Rails
@@ -505,6 +506,27 @@ private module ParamsSummaries {
]
}
/** Gets a node that may be tainted from an `ActionController::Parameters` instance, through field accesses and hash/array element reads. */
private DataFlow::LocalSourceNode taintFromParamsBase() {
result =
[
paramsInstance(),
paramsInstance().getAMethodCall(methodReturnsTaintFromSelf()).getAnElementRead*()
]
}
private DataFlow::LocalSourceNode taintFromParamsType(TypeTracker t) {
t.start() and
result = taintFromParamsBase()
or
exists(TypeTracker t2 | result = taintFromParamsType(t2).track(t2, t))
}
/** Gets a node with a type that may be tainted from an `ActionController::Parameters` instance. */
private DataFlow::LocalSourceNode taintFromParamsType() {
taintFromParamsType(TypeTracker::end()).flowsTo(result)
}
/**
* A flow summary for methods on `ActionController::Parameters` which
* propagate taint from receiver to return value.
@@ -569,6 +591,48 @@ private module ParamsSummaries {
preservesValue = false
}
}
/** Flow summaries for `ActiveDispatch::Http::UploadedFile`, which can be an field of `ActionController::Parameters`. */
module UploadedFileSummaries {
/** Flow summary for various string attributes of `UploadedFile`, including `original_filename`, `content_type`, and `headers`. */
private class UploadedFileStringAttributeSummary extends SummarizedCallable {
UploadedFileStringAttributeSummary() {
this = "ActionDispatch::Http::UploadedFile#[original_filename,content_type,headers]"
}
override MethodCall getACall() {
result =
taintFromParamsType()
.getAMethodCall(["original_filename", "content_type", "headers"])
.asExpr()
.getExpr() and
result.getNumberOfArguments() = 0
}
override predicate propagatesFlow(string input, string output, boolean preservesValue) {
input = "Argument[self]" and output = "ReturnValue" and preservesValue = false
}
}
/**
* Flow summary for `ActiveDispatch::Http::UploadedFile#read`,
* which propagates taint from the receiver to the return value or to the second (out string) argument
*/
private class UploadedFileReadSummary extends SummarizedCallable {
UploadedFileReadSummary() { this = "ActionDispatch::Http::UploadedFile#read" }
override MethodCall getACall() {
result = taintFromParamsType().getAMethodCall("read").asExpr().getExpr() and
result.getNumberOfArguments() in [0 .. 2]
}
override predicate propagatesFlow(string input, string output, boolean preservesValue) {
input = "Argument[self]" and
output = ["ReturnValue", "Argument[1]"] and
preservesValue = false
}
}
}
}
/**
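Review bot: The QLDoc on `UploadedFileSummaries` and on `UploadedFileReadSummary` names the class `ActiveDispatch::Http::UploadedFile`, while the summary ids on the `this = ...` lines use `ActionDispatch::Http::UploadedFile`; the Rails constant is `ActionDispatch`, so both comments should be corrected, and `which can be an field of` should read `which can be a field of`. The modeling itself is the right call: `original_filename` and `content_type` are taken verbatim from the client's multipart headers, so propagating taint from the params receiver is exactly what a path-traversal or header-injection query needs. `taintFromParamsType(TypeTracker t)` is the only new predicate without a QLDoc; a one-liner such as `/** Gets a node tracked from `taintFromParamsBase()` with type tracker `t`. */` would keep the module consistent. `ParamsSummaries` starts and ends outside the hunk.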


@@ -175,14 +175,14 @@ private predicate sqlFragmentArgumentInner(DataFlow::CallNode call, DataFlow::No
call =
activeRecordQueryBuilderCall([
"delete_all", "delete_by", "destroy_all", "destroy_by", "exists?", "find_by", "find_by!",
"find_or_create_by", "find_or_create_by!", "find_or_initialize_by", "find_by_sql", "from",
"having", "lock", "not", "where", "rewhere"
"find_or_create_by", "find_or_create_by!", "find_or_initialize_by", "find_by_sql", "having",
"lock", "not", "where", "rewhere"
]) and
sink = call.getArgument(0)
or
call =
activeRecordQueryBuilderCall([
"group", "joins", "order", "reorder", "pluck", "select", "reselect"
"from", "group", "joins", "order", "reorder", "pluck", "select", "reselect"
]) and
sink = call.getArgument(_)
or
@@ -765,3 +765,30 @@ private class ActiveRecordCollectionProxyModelInstantiation extends ActiveRecord
result = this.(ActiveRecordCollectionProxyMethodCall).getAssociation().getTargetClass()
}
}
/**
* An additional call step for calls to ActiveRecord scopes. For example, in the following code:
*
* ```rb
* class User < ActiveRecord::Base
* scope :with_role, ->(role) { where(role: role) }
* end
*
* User.with_role(r)
* ```
*
* the call to `with_role` targets the lambda, and argument `r` flows to the parameter `role`.
*/
class ActiveRecordScopeCallTarget extends AdditionalCallTarget {
override DataFlowCallable viableTarget(ExprNodes::CallCfgNode scopeCall) {
exists(DataFlow::ModuleNode model, string scopeName |
model = activeRecordBaseClass().getADescendentModule() and
exists(DataFlow::CallNode scope |
scope = model.getAModuleLevelCall("scope") and
scope.getArgument(0).getConstantValue().isStringlikeValue(scopeName) and
scope.getArgument(1).asCallable().asCallableAstNode() = result.asCfgScope()
) and
scopeCall = model.getAnImmediateReference().getAMethodCall(scopeName).asExpr()
)
}
}
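Review bot: `ActiveRecordScopeCallTarget.viableTarget` matches the scope call only as `model.getAnImmediateReference().getAMethodCall(scopeName)`, so presumably only `User.with_role(r)` resolves to the lambda, while the same scope chained on a relation (`User.where(...).with_role(r)`) or reached through an association does not. That is a reasonable first version, but the limitation should be visible in the QLDoc, e.g. a final line ` * Only calls made directly on the model class are resolved; scopes invoked on relations or associations are not (yet).` Since a scope body typically contains `where` calls, the new edge can carry `r` into the SQL-injection sinks modeled earlier in this file, which is the intended benefit and worth one sentence in the comment. `ActiveRecordCollectionProxyModelInstantiation` at the top of the hunk starts outside it.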


@@ -5,3 +5,4 @@
import stdlib.Open3
import stdlib.Logger
import stdlib.Pathname
import stdlib.Process


@@ -1855,7 +1855,8 @@ module Enumerable {
override predicate propagatesFlow(string input, string output, boolean preservesValue) {
input = "Argument[self].Element[any]" and
output = "Argument[block].Parameter[0]" and
// For `Hash#map`, the value flows to parameter 1
output = "Argument[block].Parameter[0, 1]" and
preservesValue = true
or
input = "Argument[block].ReturnValue" and


@@ -523,3 +523,15 @@ private class ValuesSummary extends SimpleSummarizedCallable {
preservesValue = true
}
}
// We don't (yet) track data flow through hash keys, but this is still useful in cases where a
// whole hash(like) object is tainted, such as `ActionController#params`.
private class KeysSummary extends SimpleSummarizedCallable {
KeysSummary() { this = "keys" }
override predicate propagatesFlow(string input, string output, boolean preservesValue) {
input = "Argument[self]" and
output = "ReturnValue.Element[?]" and
preservesValue = false
}
}


@@ -16,17 +16,30 @@ private import codeql.ruby.DataFlow
*/
class TyphoeusHttpRequest extends Http::Client::Request::Range, DataFlow::CallNode {
API::Node requestNode;
boolean directResponse;
TyphoeusHttpRequest() {
this = requestNode.asSource() and
requestNode =
API::getTopLevelMember("Typhoeus")
.getReturn(["get", "head", "delete", "options", "post", "put", "patch"])
(
directResponse = true and
requestNode =
API::getTopLevelMember("Typhoeus")
.getReturn(["get", "head", "delete", "options", "post", "put", "patch"])
or
directResponse = false and
requestNode = API::getTopLevelMember("Typhoeus").getMember("Request").getInstance()
)
}
override DataFlow::Node getAUrlPart() { result = this.getArgument(0) }
override DataFlow::Node getResponseBody() { result = requestNode.getAMethodCall("body") }
override DataFlow::Node getResponseBody() {
directResponse = true and
result = getBodyFromResponse(requestNode)
or
directResponse = false and
result = getResponseBodyFromRequest(requestNode)
}
/** Gets the value that controls certificate validation, if any. */
DataFlow::Node getCertificateValidationControllingValue() {
@@ -55,3 +68,36 @@ private module TyphoeusDisablesCertificateValidationConfig implements DataFlow::
private module TyphoeusDisablesCertificateValidationFlow =
DataFlow::Global<TyphoeusDisablesCertificateValidationConfig>;
/** Gets the response body from the given `requestNode` representing a Typhoeus request */
bindingset[requestNode]
pragma[inline_late]
private DataFlow::Node getResponseBodyFromRequest(API::Node requestNode) {
result =
[
getBodyFromResponse(getResponseFromRequest(requestNode)),
requestNode.getMethod("on_body").getBlock().getParameter(0).asSource()
]
}
/** Gets the response from the given `requestNode` representing a Typhoeus request */
bindingset[requestNode]
pragma[inline_late]
private API::Node getResponseFromRequest(API::Node requestNode) {
result =
[
requestNode.getReturn(["run", "response"]),
requestNode
// on_headers does not carry a response body
.getMethod(["on_complete", "on_success", "on_failure", "on_progress"])
.getBlock()
.getParameter(0)
]
}
/** Gets the response body from the given `responseNode` representing a Typhoeus response */
bindingset[responseNode]
pragma[inline_late]
private DataFlow::Node getBodyFromResponse(API::Node responseNode) {
result = responseNode.getAMethodCall(["body", "response_body"])
}
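Review bot: The new `boolean directResponse` field has no comment, and its meaning is only recoverable by reading the constructor's disjunction, which a reader of `getResponseBody` should not have to do. Suggest `// `true` when the call itself yields the response (`Typhoeus.get` etc.); `false` for `Typhoeus::Request.new`, whose response is obtained via `run`/`response` or a completion callback`. In `getResponseFromRequest`, the `on_progress` entry is worth a second look: to my recollection that callback receives transfer counters rather than the response object, in which case the list over-approximates; confirm against the gem's callback signatures. The rest of `TyphoeusHttpRequest` (`getCertificateValidationControllingValue` onward) is outside the hunk.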


@@ -7,7 +7,7 @@ private import codeql.ruby.ApiGraphs
private import codeql.ruby.Concepts
/**
* Provides modeling for the `Open3` library.
* Provides modeling for the `Open3` and `Open4` libraries.
*/
module Open3 {
/**
@@ -31,6 +31,36 @@ module Open3 {
}
}
/**
* A system command executed via one of the `Open4` methods.
* These methods take the same argument forms as `Kernel.system`.
* See `KernelSystemCall` for details.
*/
class Open4Call extends SystemCommandExecution::Range instanceof DataFlow::CallNode {
Open4Call() {
this =
API::getTopLevelMember("Open4").getAMethodCall(["open4", "popen4", "spawn", "popen4ext"])
}
override DataFlow::Node getAnArgument() {
// `popen4ext` takes an optional boolean as its first argument, but it is unlikely that we will be
// tracking flow into a boolean value so it doesn't seem worth modeling that special case here.
result = super.getArgument(_)
}
override predicate isShellInterpreted(DataFlow::Node arg) {
super.getNumberOfArguments() = 1 and
arg = this.getAnArgument()
or
// ```rb
// Open4.popen4ext(true, "some cmd")
// ```
super.getNumberOfArguments() = 2 and
super.getArgument(0).getConstantValue().isBoolean(_) and
arg = super.getArgument(1)
}
}
/**
* A pipeline of system commands constructed via one of the `Open3` methods.
* These methods accept a variable argument list of commands.
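Review bot: `Open4Call.isShellInterpreted` recognises only the one-argument form and `popen4ext(true, "cmd")`, so a single command string followed by an options hash, which `Open4.spawn` accepts (`Open4.spawn("cmd", :stdin => io)` — please confirm against the gem), is presumably treated as an argv list and the shell-interpretation flag is lost; `getAnArgument()` also reports those option pairs as sinks. Suggest excluding `ExprNodes::PairCfgNode` arguments in `getAnArgument()`, as `Process::SpawnCall` does in this same commit (importing `codeql.ruby.controlflow.CfgNodes` if the file does not already), and counting only the remaining arguments in the first disjunct, e.g. `strictcount(this.getAnArgument()) = 1 and arg = this.getAnArgument()`. The `Open3` module continues outside the hunk.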


@@ -0,0 +1,49 @@
/**
* Provides modeling for the `Process` library.
*/
private import codeql.ruby.Concepts
private import codeql.ruby.DataFlow
private import codeql.ruby.controlflow.CfgNodes
private import codeql.ruby.frameworks.core.Kernel
/**
* Provides modeling for the `Process` library.
*/
module Process {
/**
* A call to `Process.spawn`.
* ```rb
* Process.spawn("tar xf ruby-2.0.0-p195.tar.bz2")
* Process.spawn({"ENV" => "VAR"}, "echo", "hi")
* ```
*/
class SpawnCall extends SystemCommandExecution::Range instanceof DataFlow::CallNode {
SpawnCall() { this = DataFlow::getConstant(["Process", "PTY"]).getAMethodCall("spawn") }
// The command can be argument 0 or 1
// Options can be specified after the command, and we want to exclude those.
override DataFlow::Node getAnArgument() {
result = super.getArgument([0, 1]) and not result.asExpr() instanceof ExprNodes::PairCfgNode
}
override predicate isShellInterpreted(DataFlow::Node arg) {
// Process.spawn invokes a subshell if you provide a single string as argument
super.getNumberOfArguments() = 1 and arg = this.getAnArgument()
}
}
/**
* A system command executed via the `Process.exec` method.
*/
class ExecCall extends SystemCommandExecution::Range instanceof DataFlow::CallNode {
ExecCall() { this = DataFlow::getConstant("Process").getAMethodCall("exec") }
override DataFlow::Node getAnArgument() { result = super.getArgument(_) }
override predicate isShellInterpreted(DataFlow::Node arg) {
// Process.exec invokes a subshell if you provide a single string as argument
super.getNumberOfArguments() = 1 and arg = this.getAnArgument()
}
}
}
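Review bot: `SpawnCall.isShellInterpreted` keys on `super.getNumberOfArguments() = 1`, so the documented forms with a leading environment hash (`Process.spawn({"ENV" => "VAR"}, "echo hi")`) or trailing options (`Process.spawn("echo hi", chdir: "/tmp")`) are never marked shell-interpreted even though the command is still a single string; `ExecCall` has the same gap. Suggest counting only command-position arguments across all positions, e.g. `strictcount(DataFlow::Node a | a = super.getArgument(_) and not a.asExpr() instanceof ExprNodes::PairCfgNode and not a.asExpr() instanceof ExprNodes::HashLiteralCfgNode) = 1 and arg = this.getAnArgument()`, which keeps the three-argument example in the QLDoc non-shell (`"echo"`, `"hi"` are two results) while catching the env-hash and options cases. The comment `// Process.spawn invokes a subshell if you provide a single string as argument` is slightly stronger than Ruby's rule (the string goes through the shell only when it contains shell metacharacters); as a conservative sink model that is fine, but `// ... (Ruby only does so when the string contains shell metacharacters, which is the dangerous case anyway)` would make the intent explicit.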


@@ -0,0 +1,41 @@
extensions:
- addsTo:
pack: codeql/ruby-all
extensible: sourceModel
data: []
- addsTo:
pack: codeql/ruby-all
extensible: sinkModel
data:
- ["Terrapin::CommandLine!","Method[new].Argument[0]","command-injection"]
- ["Terrapin::CommandLine!","Method[new].Argument[1]","command-injection"]
- addsTo:
pack: codeql/ruby-all
extensible: summaryModel
data:
- ["Terrapin::CommandLine::Output!","Method[new]","Argument[1]","ReturnValue","value"]
- ["Terrapin::CommandLine!","Method[path=]","Argument[0]","ReturnValue","taint"]
- ["Terrapin::CommandLine!","Method[new]","Argument[2]","ReturnValue","taint"]
- addsTo:
pack: codeql/ruby-all
extensible: neutralModel
data: []
- addsTo:
pack: codeql/ruby-all
extensible: typeModel
data:
- ["Terrapin::CommandLine::Output","Terrapin::CommandLine::MultiPipe","Method[output].ReturnValue"]
- ["Terrapin::CommandLine::Output","Terrapin::CommandLine::FakeRunner","Method[call].ReturnValue"]
- ["Terrapin::CommandLine::Output","Terrapin::CommandLine::ProcessRunner","Method[call].ReturnValue"]
- ["Terrapin::CommandLine::Output","Terrapin::CommandLine!","Method[runner].ReturnValue.ReturnValue"]
- ["Terrapin::CommandLine::FakeRunner","Terrapin::CommandLine!","Method[runner].ReturnValue"]
- ["Terrapin::CommandLine::Output","Terrapin::CommandLine!","Method[fake!].ReturnValue.ReturnValue"]
- ["Terrapin::CommandLine::FakeRunner","Terrapin::CommandLine!","Method[fake!].ReturnValue"]
- ["Terrapin::CommandLine::Output","Terrapin::CommandLine","Method[output].ReturnValue"]
- ["Terrapin::CommandLineError","Terrapin::CommandNotFoundError",""]
- ["Terrapin::CommandLineError","Terrapin::ExitStatusError",""]
- ["Terrapin::CommandLineError","Terrapin::InterpolationError",""]


@@ -10,6 +10,7 @@ private import codeql.ruby.DataFlow
private import codeql.ruby.dataflow.RemoteFlowSources
private import codeql.ruby.Concepts
private import codeql.ruby.dataflow.Sanitizers
private import codeql.ruby.frameworks.data.internal.ApiGraphModels
/**
* Provides default sources, sinks and sanitizers for reasoning about
@@ -41,4 +42,8 @@ module ServerSideRequestForgery {
/** A string interpolation with a fixed prefix, considered as a flow sanitizer. */
class StringInterpolationAsSanitizer extends PrefixedStringInterpolation, Sanitizer { }
private class ExternalRequestForgerySink extends Sink {
ExternalRequestForgerySink() { this = ModelOutput::getASinkNode("request-forgery").asSink() }
}
}


@@ -299,6 +299,8 @@ private module OrmTracking {
}
predicate isBarrierIn(DataFlow::Node node) { node instanceof DataFlow::SelfParameterNode }
int accessPathLimit() { result = 1 }
}
import DataFlow::Global<Config>
@@ -324,7 +326,9 @@ module StoredXss {
OrmFieldAsSource() {
exists(DataFlow::CallNode subSrc |
OrmTracking::flow(subSrc, this.getReceiver()) and
subSrc.(OrmInstantiation).methodCallMayAccessField(this.getMethodName())
subSrc.(OrmInstantiation).methodCallMayAccessField(this.getMethodName()) and
this.getNumberOfArguments() = 0 and
not exists(this.getBlock())
)
}
}
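Review bot: The two new restrictions in `OrmFieldAsSource` — `this.getNumberOfArguments() = 0` and `not exists(this.getBlock())` — and the new `int accessPathLimit() { result = 1 }` in `OrmTracking::Config` are precision and performance choices with no comment explaining them, and both will look arbitrary to the next maintainer. Suggest `// Only attribute-style reads (`record.name`); calls taking arguments or a block are query/association methods, not field accesses` on the former, and, if that is the reason, `// Field reads are one level deep, so a short access path keeps the ORM tracking cheap` on the latter. `OrmFieldAsSource` and the `Config` module both start outside the hunk.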


@@ -4,12 +4,13 @@
*/
import ruby
private import codeql.Locations
private import codeql.dataflow.test.InlineFlowTest
private import codeql.ruby.dataflow.internal.DataFlowImplSpecific
private import codeql.ruby.dataflow.internal.TaintTrackingImplSpecific
private import internal.InlineExpectationsTestImpl
private module FlowTestImpl implements InputSig<RubyDataFlow> {
private module FlowTestImpl implements InputSig<Location, RubyDataFlow> {
import TestUtilities.InlineFlowTestUtil
bindingset[src, sink]
@@ -19,4 +20,4 @@ private module FlowTestImpl implements InputSig<RubyDataFlow> {
}
}
import InlineFlowTestMake<RubyDataFlow, RubyTaintTracking, Impl, FlowTestImpl>
import InlineFlowTestMake<Location, RubyDataFlow, RubyTaintTracking, Impl, FlowTestImpl>


@@ -298,7 +298,9 @@ edges
| array_flow.rb:251:9:251:9 | a [element 2] | array_flow.rb:251:30:251:30 | x | provenance | |
| array_flow.rb:251:9:254:7 | call to collect_concat [element] | array_flow.rb:251:5:251:5 | b [element] | provenance | |
| array_flow.rb:251:30:251:30 | x | array_flow.rb:252:14:252:14 | x | provenance | |
| array_flow.rb:251:30:251:30 | x | array_flow.rb:253:10:253:10 | x | provenance | |
| array_flow.rb:253:9:253:25 | call to [] [element 1] | array_flow.rb:251:9:254:7 | call to collect_concat [element] | provenance | |
| array_flow.rb:253:10:253:10 | x | array_flow.rb:253:9:253:25 | call to [] [element 0] | provenance | |
| array_flow.rb:253:13:253:24 | call to source | array_flow.rb:253:9:253:25 | call to [] [element 1] | provenance | |
| array_flow.rb:255:10:255:10 | b [element] | array_flow.rb:255:10:255:13 | ...[...] | provenance | |
| array_flow.rb:256:5:256:5 | b [element] | array_flow.rb:260:10:260:10 | b [element] | provenance | |
@@ -631,6 +633,7 @@ edges
| array_flow.rb:507:9:507:9 | a [element 3] | array_flow.rb:507:26:507:26 | x | provenance | |
| array_flow.rb:507:9:510:7 | call to filter_map [element] | array_flow.rb:507:5:507:5 | b [element] | provenance | |
| array_flow.rb:507:26:507:26 | x | array_flow.rb:508:14:508:14 | x | provenance | |
| array_flow.rb:507:26:507:26 | x | array_flow.rb:509:9:509:9 | x | provenance | |
| array_flow.rb:511:10:511:10 | b [element] | array_flow.rb:511:10:511:13 | ...[...] | provenance | |
| array_flow.rb:518:5:518:5 | d [element] | array_flow.rb:521:10:521:10 | d [element] | provenance | |
| array_flow.rb:518:9:520:7 | call to filter_map [element] | array_flow.rb:518:5:518:5 | d [element] | provenance | |
@@ -718,7 +721,9 @@ edges
| array_flow.rb:571:9:571:9 | a [element 2] | array_flow.rb:571:24:571:24 | x | provenance | |
| array_flow.rb:571:9:574:7 | call to flat_map [element] | array_flow.rb:571:5:571:5 | b [element] | provenance | |
| array_flow.rb:571:24:571:24 | x | array_flow.rb:572:14:572:14 | x | provenance | |
| array_flow.rb:571:24:571:24 | x | array_flow.rb:573:10:573:10 | x | provenance | |
| array_flow.rb:573:9:573:25 | call to [] [element 1] | array_flow.rb:571:9:574:7 | call to flat_map [element] | provenance | |
| array_flow.rb:573:10:573:10 | x | array_flow.rb:573:9:573:25 | call to [] [element 0] | provenance | |
| array_flow.rb:573:13:573:24 | call to source | array_flow.rb:573:9:573:25 | call to [] [element 1] | provenance | |
| array_flow.rb:575:10:575:10 | b [element] | array_flow.rb:575:10:575:13 | ...[...] | provenance | |
| array_flow.rb:576:5:576:5 | b [element] | array_flow.rb:580:10:580:10 | b [element] | provenance | |
@@ -2337,7 +2342,9 @@ edges
| array_flow.rb:1677:16:1677:28 | call to source | array_flow.rb:1677:9:1677:29 | call to [] [element 2] | provenance | |
| array_flow.rb:1678:5:1678:5 | b [element] | array_flow.rb:1681:10:1681:10 | b [element] | provenance | |
| array_flow.rb:1678:9:1678:9 | a [element 2] | array_flow.rb:1678:9:1680:7 | call to map [element] | provenance | |
| array_flow.rb:1678:9:1678:9 | a [element 2] | array_flow.rb:1678:19:1678:19 | x | provenance | |
| array_flow.rb:1678:9:1680:7 | call to map [element] | array_flow.rb:1678:5:1678:5 | b [element] | provenance | |
| array_flow.rb:1678:19:1678:19 | x | array_flow.rb:1679:9:1679:9 | x | provenance | |
| array_flow.rb:1681:10:1681:10 | b [element] | array_flow.rb:1681:10:1681:13 | ...[...] | provenance | |
| array_flow.rb:1685:5:1685:5 | a [element 2] | array_flow.rb:1686:18:1686:18 | a [element 2] | provenance | |
| array_flow.rb:1685:5:1685:5 | a [element 3] | array_flow.rb:1686:18:1686:18 | a [element 3] | provenance | |
@@ -2674,7 +2681,9 @@ nodes
| array_flow.rb:251:9:254:7 | call to collect_concat [element] | semmle.label | call to collect_concat [element] |
| array_flow.rb:251:30:251:30 | x | semmle.label | x |
| array_flow.rb:252:14:252:14 | x | semmle.label | x |
| array_flow.rb:253:9:253:25 | call to [] [element 0] | semmle.label | call to [] [element 0] |
| array_flow.rb:253:9:253:25 | call to [] [element 1] | semmle.label | call to [] [element 1] |
| array_flow.rb:253:10:253:10 | x | semmle.label | x |
| array_flow.rb:253:13:253:24 | call to source | semmle.label | call to source |
| array_flow.rb:255:10:255:10 | b [element] | semmle.label | b [element] |
| array_flow.rb:255:10:255:13 | ...[...] | semmle.label | ...[...] |
@@ -3041,6 +3050,7 @@ nodes
| array_flow.rb:507:9:510:7 | call to filter_map [element] | semmle.label | call to filter_map [element] |
| array_flow.rb:507:26:507:26 | x | semmle.label | x |
| array_flow.rb:508:14:508:14 | x | semmle.label | x |
| array_flow.rb:509:9:509:9 | x | semmle.label | x |
| array_flow.rb:511:10:511:10 | b [element] | semmle.label | b [element] |
| array_flow.rb:511:10:511:13 | ...[...] | semmle.label | ...[...] |
| array_flow.rb:518:5:518:5 | d [element] | semmle.label | d [element] |
@@ -3132,7 +3142,9 @@ nodes
| array_flow.rb:571:9:574:7 | call to flat_map [element] | semmle.label | call to flat_map [element] |
| array_flow.rb:571:24:571:24 | x | semmle.label | x |
| array_flow.rb:572:14:572:14 | x | semmle.label | x |
| array_flow.rb:573:9:573:25 | call to [] [element 0] | semmle.label | call to [] [element 0] |
| array_flow.rb:573:9:573:25 | call to [] [element 1] | semmle.label | call to [] [element 1] |
| array_flow.rb:573:10:573:10 | x | semmle.label | x |
| array_flow.rb:573:13:573:24 | call to source | semmle.label | call to source |
| array_flow.rb:575:10:575:10 | b [element] | semmle.label | b [element] |
| array_flow.rb:575:10:575:13 | ...[...] | semmle.label | ...[...] |
@@ -4821,6 +4833,8 @@ nodes
| array_flow.rb:1678:5:1678:5 | b [element] | semmle.label | b [element] |
| array_flow.rb:1678:9:1678:9 | a [element 2] | semmle.label | a [element 2] |
| array_flow.rb:1678:9:1680:7 | call to map [element] | semmle.label | call to map [element] |
| array_flow.rb:1678:19:1678:19 | x | semmle.label | x |
| array_flow.rb:1679:9:1679:9 | x | semmle.label | x |
| array_flow.rb:1681:10:1681:10 | b [element] | semmle.label | b [element] |
| array_flow.rb:1681:10:1681:13 | ...[...] | semmle.label | ...[...] |
| array_flow.rb:1685:5:1685:5 | a [element 2] | semmle.label | a [element 2] |
@@ -4836,6 +4850,10 @@ nodes
| array_flow.rb:1689:10:1689:10 | z | semmle.label | z |
| array_flow.rb:1690:10:1690:10 | w | semmle.label | w |
subpaths
| array_flow.rb:251:9:251:9 | a [element 2] | array_flow.rb:251:30:251:30 | x | array_flow.rb:253:9:253:25 | call to [] [element 0] | array_flow.rb:251:9:254:7 | call to collect_concat [element] |
| array_flow.rb:507:9:507:9 | a [element 3] | array_flow.rb:507:26:507:26 | x | array_flow.rb:509:9:509:9 | x | array_flow.rb:507:9:510:7 | call to filter_map [element] |
| array_flow.rb:571:9:571:9 | a [element 2] | array_flow.rb:571:24:571:24 | x | array_flow.rb:573:9:573:25 | call to [] [element 0] | array_flow.rb:571:9:574:7 | call to flat_map [element] |
| array_flow.rb:1678:9:1678:9 | a [element 2] | array_flow.rb:1678:19:1678:19 | x | array_flow.rb:1679:9:1679:9 | x | array_flow.rb:1678:9:1680:7 | call to map [element] |
arrayLiteral
| array_flow.rb:9:9:9:25 | call to [] |
| array_flow.rb:33:9:33:22 | call to [] |


@@ -20,14 +20,10 @@ edges
| call_sensitivity.rb:44:26:44:33 | call to taint | call_sensitivity.rb:21:27:21:27 | x | provenance | |
| call_sensitivity.rb:50:15:50:15 | x | call_sensitivity.rb:51:10:51:10 | x | provenance | |
| call_sensitivity.rb:54:15:54:15 | x | call_sensitivity.rb:55:13:55:13 | x | provenance | |
| call_sensitivity.rb:54:15:54:15 | x | call_sensitivity.rb:55:13:55:13 | x | provenance | |
| call_sensitivity.rb:55:13:55:13 | x | call_sensitivity.rb:50:15:50:15 | x | provenance | |
| call_sensitivity.rb:55:13:55:13 | x | call_sensitivity.rb:50:15:50:15 | x | provenance | |
| call_sensitivity.rb:58:20:58:20 | x | call_sensitivity.rb:59:18:59:18 | x | provenance | |
| call_sensitivity.rb:59:18:59:18 | x | call_sensitivity.rb:54:15:54:15 | x | provenance | |
| call_sensitivity.rb:62:18:62:18 | y | call_sensitivity.rb:63:15:63:15 | y | provenance | |
| call_sensitivity.rb:62:18:62:18 | y | call_sensitivity.rb:63:15:63:15 | y | provenance | |
| call_sensitivity.rb:63:15:63:15 | y | call_sensitivity.rb:50:15:50:15 | x | provenance | |
| call_sensitivity.rb:63:15:63:15 | y | call_sensitivity.rb:50:15:50:15 | x | provenance | |
| call_sensitivity.rb:66:20:66:20 | x | call_sensitivity.rb:67:24:67:24 | x | provenance | |
| call_sensitivity.rb:67:24:67:24 | x | call_sensitivity.rb:62:18:62:18 | y | provenance | |
@@ -40,26 +36,16 @@ edges
| call_sensitivity.rb:85:18:85:27 | ( ... ) | call_sensitivity.rb:80:15:80:15 | x | provenance | |
| call_sensitivity.rb:85:19:85:26 | call to taint | call_sensitivity.rb:85:18:85:27 | ( ... ) | provenance | |
| call_sensitivity.rb:88:30:88:30 | x | call_sensitivity.rb:89:23:89:23 | x | provenance | |
| call_sensitivity.rb:88:30:88:30 | x | call_sensitivity.rb:89:23:89:23 | x | provenance | |
| call_sensitivity.rb:89:23:89:23 | x | call_sensitivity.rb:70:30:70:30 | x | provenance | |
| call_sensitivity.rb:89:23:89:23 | x | call_sensitivity.rb:70:30:70:30 | x | provenance | |
| call_sensitivity.rb:92:35:92:35 | x | call_sensitivity.rb:93:28:93:28 | x | provenance | |
| call_sensitivity.rb:93:28:93:28 | x | call_sensitivity.rb:88:30:88:30 | x | provenance | |
| call_sensitivity.rb:96:33:96:33 | y | call_sensitivity.rb:97:25:97:25 | y | provenance | |
| call_sensitivity.rb:96:33:96:33 | y | call_sensitivity.rb:97:25:97:25 | y | provenance | |
| call_sensitivity.rb:97:25:97:25 | y | call_sensitivity.rb:70:30:70:30 | x | provenance | |
| call_sensitivity.rb:97:25:97:25 | y | call_sensitivity.rb:70:30:70:30 | x | provenance | |
| call_sensitivity.rb:100:35:100:35 | x | call_sensitivity.rb:101:34:101:34 | x | provenance | |
| call_sensitivity.rb:101:34:101:34 | x | call_sensitivity.rb:96:33:96:33 | y | provenance | |
| call_sensitivity.rb:104:18:104:18 | x | call_sensitivity.rb:105:10:105:10 | x | provenance | |
| call_sensitivity.rb:104:18:104:18 | x | call_sensitivity.rb:105:10:105:10 | x | provenance | |
| call_sensitivity.rb:104:18:104:18 | x | call_sensitivity.rb:105:10:105:10 | x | provenance | |
| call_sensitivity.rb:104:18:104:18 | x | call_sensitivity.rb:105:10:105:10 | x | provenance | |
| call_sensitivity.rb:104:18:104:18 | x | call_sensitivity.rb:106:13:106:13 | x | provenance | |
| call_sensitivity.rb:104:18:104:18 | x | call_sensitivity.rb:106:13:106:13 | x | provenance | |
| call_sensitivity.rb:104:18:104:18 | x | call_sensitivity.rb:106:13:106:13 | x | provenance | |
| call_sensitivity.rb:106:13:106:13 | x | call_sensitivity.rb:50:15:50:15 | x | provenance | |
| call_sensitivity.rb:106:13:106:13 | x | call_sensitivity.rb:50:15:50:15 | x | provenance | |
| call_sensitivity.rb:106:13:106:13 | x | call_sensitivity.rb:50:15:50:15 | x | provenance | |
| call_sensitivity.rb:109:21:109:21 | x | call_sensitivity.rb:110:9:110:9 | x | provenance | |
| call_sensitivity.rb:110:9:110:9 | x | call_sensitivity.rb:104:18:104:18 | x | provenance | |
@@ -124,14 +110,10 @@ nodes
| call_sensitivity.rb:50:15:50:15 | x | semmle.label | x |
| call_sensitivity.rb:51:10:51:10 | x | semmle.label | x |
| call_sensitivity.rb:54:15:54:15 | x | semmle.label | x |
| call_sensitivity.rb:54:15:54:15 | x | semmle.label | x |
| call_sensitivity.rb:55:13:55:13 | x | semmle.label | x |
| call_sensitivity.rb:55:13:55:13 | x | semmle.label | x |
| call_sensitivity.rb:58:20:58:20 | x | semmle.label | x |
| call_sensitivity.rb:59:18:59:18 | x | semmle.label | x |
| call_sensitivity.rb:62:18:62:18 | y | semmle.label | y |
| call_sensitivity.rb:62:18:62:18 | y | semmle.label | y |
| call_sensitivity.rb:63:15:63:15 | y | semmle.label | y |
| call_sensitivity.rb:63:15:63:15 | y | semmle.label | y |
| call_sensitivity.rb:66:20:66:20 | x | semmle.label | x |
| call_sensitivity.rb:67:24:67:24 | x | semmle.label | x |
@@ -145,25 +127,17 @@ nodes
| call_sensitivity.rb:85:18:85:27 | ( ... ) | semmle.label | ( ... ) |
| call_sensitivity.rb:85:19:85:26 | call to taint | semmle.label | call to taint |
| call_sensitivity.rb:88:30:88:30 | x | semmle.label | x |
| call_sensitivity.rb:88:30:88:30 | x | semmle.label | x |
| call_sensitivity.rb:89:23:89:23 | x | semmle.label | x |
| call_sensitivity.rb:89:23:89:23 | x | semmle.label | x |
| call_sensitivity.rb:92:35:92:35 | x | semmle.label | x |
| call_sensitivity.rb:93:28:93:28 | x | semmle.label | x |
| call_sensitivity.rb:96:33:96:33 | y | semmle.label | y |
| call_sensitivity.rb:96:33:96:33 | y | semmle.label | y |
| call_sensitivity.rb:97:25:97:25 | y | semmle.label | y |
| call_sensitivity.rb:97:25:97:25 | y | semmle.label | y |
| call_sensitivity.rb:100:35:100:35 | x | semmle.label | x |
| call_sensitivity.rb:101:34:101:34 | x | semmle.label | x |
| call_sensitivity.rb:104:18:104:18 | x | semmle.label | x |
| call_sensitivity.rb:104:18:104:18 | x | semmle.label | x |
| call_sensitivity.rb:104:18:104:18 | x | semmle.label | x |
| call_sensitivity.rb:104:18:104:18 | x | semmle.label | x |
| call_sensitivity.rb:105:10:105:10 | x | semmle.label | x |
| call_sensitivity.rb:106:13:106:13 | x | semmle.label | x |
| call_sensitivity.rb:106:13:106:13 | x | semmle.label | x |
| call_sensitivity.rb:106:13:106:13 | x | semmle.label | x |
| call_sensitivity.rb:109:21:109:21 | x | semmle.label | x |
| call_sensitivity.rb:110:9:110:9 | x | semmle.label | x |
| call_sensitivity.rb:114:11:114:20 | ( ... ) | semmle.label | ( ... ) |


@@ -1,10 +1,7 @@
testFailures
edges
| blocks.rb:14:12:14:20 | call to source | blocks.rb:8:10:8:14 | yield ... | provenance | |
| captured_variables.rb:9:24:9:24 | x | captured_variables.rb:10:10:10:23 | -> { ... } [captured x] | provenance | |
| captured_variables.rb:9:24:9:24 | x | captured_variables.rb:11:5:11:6 | fn [captured x] | provenance | |
| captured_variables.rb:10:5:10:6 | fn [captured x] | captured_variables.rb:11:5:11:6 | fn [captured x] | provenance | |
| captured_variables.rb:10:10:10:23 | -> { ... } [captured x] | captured_variables.rb:10:5:10:6 | fn [captured x] | provenance | |
| captured_variables.rb:11:5:11:6 | fn [captured x] | captured_variables.rb:10:20:10:20 | x | provenance | |
| captured_variables.rb:13:20:13:29 | call to taint | captured_variables.rb:9:24:9:24 | x | provenance | |
| captured_variables.rb:15:28:15:28 | x | captured_variables.rb:16:5:18:5 | -> { ... } [captured x] | provenance | |
@@ -16,18 +13,12 @@ edges
| captured_variables.rb:27:25:27:57 | call to capture_escape_return2 [captured x] | captured_variables.rb:24:14:24:14 | x | provenance | |
| captured_variables.rb:27:48:27:57 | call to taint | captured_variables.rb:22:28:22:28 | x | provenance | |
| captured_variables.rb:27:48:27:57 | call to taint | captured_variables.rb:27:25:27:57 | call to capture_escape_return2 [captured x] | provenance | |
| captured_variables.rb:29:33:29:33 | x | captured_variables.rb:30:10:32:5 | -> { ... } [captured x] | provenance | |
| captured_variables.rb:29:33:29:33 | x | captured_variables.rb:33:29:33:30 | fn [captured x] | provenance | |
| captured_variables.rb:30:5:30:6 | fn [captured x] | captured_variables.rb:33:29:33:30 | fn [captured x] | provenance | |
| captured_variables.rb:30:10:32:5 | -> { ... } [captured x] | captured_variables.rb:30:5:30:6 | fn [captured x] | provenance | |
| captured_variables.rb:33:29:33:30 | fn [captured x] | captured_variables.rb:31:14:31:14 | x | provenance | |
| captured_variables.rb:35:29:35:38 | call to taint | captured_variables.rb:29:33:29:33 | x | provenance | |
| captured_variables.rb:37:13:37:14 | fn [captured x] | captured_variables.rb:38:5:38:6 | fn [captured x] | provenance | |
| captured_variables.rb:38:5:38:6 | fn [captured x] | captured_variables.rb:42:14:42:14 | x | provenance | |
| captured_variables.rb:40:31:40:31 | x | captured_variables.rb:41:10:43:5 | -> { ... } [captured x] | provenance | |
| captured_variables.rb:40:31:40:31 | x | captured_variables.rb:44:13:44:14 | fn [captured x] | provenance | |
| captured_variables.rb:41:5:41:6 | fn [captured x] | captured_variables.rb:44:13:44:14 | fn [captured x] | provenance | |
| captured_variables.rb:41:10:43:5 | -> { ... } [captured x] | captured_variables.rb:41:5:41:6 | fn [captured x] | provenance | |
| captured_variables.rb:44:13:44:14 | fn [captured x] | captured_variables.rb:37:13:37:14 | fn [captured x] | provenance | |
| captured_variables.rb:46:27:46:36 | call to taint | captured_variables.rb:40:31:40:31 | x | provenance | |
| captured_variables.rb:48:5:48:12 | call to taint | captured_variables.rb:49:16:52:3 | do ... end [captured x] | provenance | |
@@ -65,11 +56,8 @@ edges
| captured_variables.rb:83:6:83:8 | foo [@field] | captured_variables.rb:60:5:62:7 | self in get_field [@field] | provenance | |
| captured_variables.rb:83:6:83:8 | foo [@field] | captured_variables.rb:83:6:83:18 | call to get_field | provenance | |
| captured_variables.rb:83:6:83:8 | foo [@field] | instance_variables.rb:13:5:15:7 | self in get_field [@field] | provenance | |
| captured_variables.rb:85:5:85:12 | call to taint | captured_variables.rb:86:6:89:1 | -> { ... } [captured y] | provenance | |
| captured_variables.rb:85:5:85:12 | call to taint | captured_variables.rb:90:1:90:2 | fn [captured y] | provenance | |
| captured_variables.rb:85:5:85:12 | call to taint | captured_variables.rb:91:6:91:6 | y | provenance | |
| captured_variables.rb:86:1:86:2 | fn [captured y] | captured_variables.rb:90:1:90:2 | fn [captured y] | provenance | |
| captured_variables.rb:86:6:89:1 | -> { ... } [captured y] | captured_variables.rb:86:1:86:2 | fn [captured y] | provenance | |
| captured_variables.rb:88:9:88:16 | call to taint | captured_variables.rb:90:1:90:2 | [post] fn [captured y] | provenance | |
| captured_variables.rb:90:1:90:2 | [post] fn [captured y] | captured_variables.rb:91:6:91:6 | y | provenance | |
| captured_variables.rb:90:1:90:2 | fn [captured y] | captured_variables.rb:87:10:87:10 | y | provenance | |
@@ -81,18 +69,12 @@ edges
| captured_variables.rb:101:11:101:11 | x | captured_variables.rb:104:31:104:31 | x | provenance | |
| captured_variables.rb:104:17:104:24 | call to taint | captured_variables.rb:100:21:100:21 | x | provenance | |
| captured_variables.rb:104:31:104:31 | x | captured_variables.rb:105:10:105:10 | x | provenance | |
| captured_variables.rb:109:9:109:17 | call to taint | captured_variables.rb:110:14:116:5 | -> { ... } [captured x] | provenance | |
| captured_variables.rb:109:9:109:17 | call to taint | captured_variables.rb:117:5:117:10 | middle [captured x] | provenance | |
| captured_variables.rb:109:9:109:17 | call to taint | captured_variables.rb:118:10:118:10 | x | provenance | |
| captured_variables.rb:110:5:110:10 | middle [captured x] | captured_variables.rb:117:5:117:10 | middle [captured x] | provenance | |
| captured_variables.rb:110:14:116:5 | -> { ... } [captured x] | captured_variables.rb:110:5:110:10 | middle [captured x] | provenance | |
| captured_variables.rb:111:9:111:13 | inner [captured x] | captured_variables.rb:115:9:115:13 | inner [captured x] | provenance | |
| captured_variables.rb:111:17:114:9 | -> { ... } [captured x] | captured_variables.rb:111:9:111:13 | inner [captured x] | provenance | |
| captured_variables.rb:113:17:113:25 | call to taint | captured_variables.rb:115:9:115:13 | [post] inner [captured x] | provenance | |
| captured_variables.rb:115:9:115:13 | [post] inner [captured x] | captured_variables.rb:117:5:117:10 | [post] middle [captured x] | provenance | |
| captured_variables.rb:115:9:115:13 | inner [captured x] | captured_variables.rb:112:18:112:18 | x | provenance | |
| captured_variables.rb:117:5:117:10 | [post] middle [captured x] | captured_variables.rb:118:10:118:10 | x | provenance | |
| captured_variables.rb:117:5:117:10 | middle [captured x] | captured_variables.rb:111:17:114:9 | -> { ... } [captured x] | provenance | |
| captured_variables.rb:117:5:117:10 | middle [captured x] | captured_variables.rb:115:9:115:13 | inner [captured x] | provenance | |
| captured_variables.rb:147:5:147:6 | [post] self [@x] | captured_variables.rb:153:14:155:7 | do ... end [captured self, @x] | provenance | |
| captured_variables.rb:147:10:147:18 | call to taint | captured_variables.rb:147:5:147:6 | [post] self [@x] | provenance | |
@@ -116,11 +98,9 @@ edges
| captured_variables.rb:194:1:194:1 | c [@x] | captured_variables.rb:185:5:189:7 | self in baz [@x] | provenance | |
| captured_variables.rb:197:9:197:17 | call to taint | captured_variables.rb:199:10:199:10 | x | provenance | |
| captured_variables.rb:206:13:206:21 | call to taint | captured_variables.rb:208:14:208:14 | x | provenance | |
| captured_variables.rb:219:9:219:17 | call to taint | captured_variables.rb:222:11:224:5 | -> { ... } [captured x] | provenance | |
| captured_variables.rb:219:9:219:17 | call to taint | captured_variables.rb:226:5:226:7 | fn1 [captured x] | provenance | |
| captured_variables.rb:222:5:222:7 | fn1 [captured x] | captured_variables.rb:226:5:226:7 | fn1 [captured x] | provenance | |
| captured_variables.rb:222:11:224:5 | -> { ... } [captured x] | captured_variables.rb:222:5:222:7 | fn1 [captured x] | provenance | |
| captured_variables.rb:226:5:226:7 | [post] fn1 [captured y] | captured_variables.rb:227:10:227:10 | y | provenance | |
| captured_variables.rb:226:5:226:7 | fn1 [captured x] | captured_variables.rb:223:13:223:13 | x | provenance | |
| captured_variables.rb:226:5:226:7 | fn1 [captured x] | captured_variables.rb:226:5:226:7 | [post] fn1 [captured y] | provenance | |
| instance_variables.rb:10:19:10:19 | x | instance_variables.rb:11:18:11:18 | x | provenance | |
| instance_variables.rb:11:18:11:18 | x | instance_variables.rb:11:9:11:14 | [post] self [@field] | provenance | |
@@ -140,7 +120,6 @@ edges
| instance_variables.rb:28:20:28:24 | field | instance_variables.rb:22:20:22:24 | field | provenance | |
| instance_variables.rb:28:20:28:24 | field | instance_variables.rb:28:9:28:25 | [post] self [@field] | provenance | |
| instance_variables.rb:31:18:31:18 | x | instance_variables.rb:33:13:33:13 | x | provenance | |
| instance_variables.rb:32:13:32:21 | call to taint | instance_variables.rb:22:20:22:24 | field | provenance | |
| instance_variables.rb:32:13:32:21 | call to taint | instance_variables.rb:48:20:48:20 | x | provenance | |
| instance_variables.rb:33:13:33:13 | x | instance_variables.rb:22:20:22:24 | field | provenance | |
| instance_variables.rb:33:13:33:13 | x | instance_variables.rb:33:9:33:14 | call to new [@field] | provenance | |
@@ -265,8 +244,6 @@ nodes
| blocks.rb:8:10:8:14 | yield ... | semmle.label | yield ... |
| blocks.rb:14:12:14:20 | call to source | semmle.label | call to source |
| captured_variables.rb:9:24:9:24 | x | semmle.label | x |
| captured_variables.rb:10:5:10:6 | fn [captured x] | semmle.label | fn [captured x] |
| captured_variables.rb:10:10:10:23 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
| captured_variables.rb:10:20:10:20 | x | semmle.label | x |
| captured_variables.rb:11:5:11:6 | fn [captured x] | semmle.label | fn [captured x] |
| captured_variables.rb:13:20:13:29 | call to taint | semmle.label | call to taint |
@@ -282,16 +259,12 @@ nodes
| captured_variables.rb:27:25:27:57 | call to capture_escape_return2 [captured x] | semmle.label | call to capture_escape_return2 [captured x] |
| captured_variables.rb:27:48:27:57 | call to taint | semmle.label | call to taint |
| captured_variables.rb:29:33:29:33 | x | semmle.label | x |
| captured_variables.rb:30:5:30:6 | fn [captured x] | semmle.label | fn [captured x] |
| captured_variables.rb:30:10:32:5 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
| captured_variables.rb:31:14:31:14 | x | semmle.label | x |
| captured_variables.rb:33:29:33:30 | fn [captured x] | semmle.label | fn [captured x] |
| captured_variables.rb:35:29:35:38 | call to taint | semmle.label | call to taint |
| captured_variables.rb:37:13:37:14 | fn [captured x] | semmle.label | fn [captured x] |
| captured_variables.rb:38:5:38:6 | fn [captured x] | semmle.label | fn [captured x] |
| captured_variables.rb:40:31:40:31 | x | semmle.label | x |
| captured_variables.rb:41:5:41:6 | fn [captured x] | semmle.label | fn [captured x] |
| captured_variables.rb:41:10:43:5 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
| captured_variables.rb:42:14:42:14 | x | semmle.label | x |
| captured_variables.rb:44:13:44:14 | fn [captured x] | semmle.label | fn [captured x] |
| captured_variables.rb:46:27:46:36 | call to taint | semmle.label | call to taint |
@@ -324,8 +297,6 @@ nodes
| captured_variables.rb:83:6:83:8 | foo [@field] | semmle.label | foo [@field] |
| captured_variables.rb:83:6:83:18 | call to get_field | semmle.label | call to get_field |
| captured_variables.rb:85:5:85:12 | call to taint | semmle.label | call to taint |
| captured_variables.rb:86:1:86:2 | fn [captured y] | semmle.label | fn [captured y] |
| captured_variables.rb:86:6:89:1 | -> { ... } [captured y] | semmle.label | -> { ... } [captured y] |
| captured_variables.rb:87:10:87:10 | y | semmle.label | y |
| captured_variables.rb:88:9:88:16 | call to taint | semmle.label | call to taint |
| captured_variables.rb:90:1:90:2 | [post] fn [captured y] | semmle.label | [post] fn [captured y] |
@@ -342,10 +313,6 @@ nodes
| captured_variables.rb:104:31:104:31 | x | semmle.label | x |
| captured_variables.rb:105:10:105:10 | x | semmle.label | x |
| captured_variables.rb:109:9:109:17 | call to taint | semmle.label | call to taint |
| captured_variables.rb:110:5:110:10 | middle [captured x] | semmle.label | middle [captured x] |
| captured_variables.rb:110:14:116:5 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
| captured_variables.rb:111:9:111:13 | inner [captured x] | semmle.label | inner [captured x] |
| captured_variables.rb:111:17:114:9 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
| captured_variables.rb:112:18:112:18 | x | semmle.label | x |
| captured_variables.rb:113:17:113:25 | call to taint | semmle.label | call to taint |
| captured_variables.rb:115:9:115:13 | [post] inner [captured x] | semmle.label | [post] inner [captured x] |
@@ -381,8 +348,7 @@ nodes
| captured_variables.rb:206:13:206:21 | call to taint | semmle.label | call to taint |
| captured_variables.rb:208:14:208:14 | x | semmle.label | x |
| captured_variables.rb:219:9:219:17 | call to taint | semmle.label | call to taint |
| captured_variables.rb:222:5:222:7 | fn1 [captured x] | semmle.label | fn1 [captured x] |
| captured_variables.rb:222:11:224:5 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
| captured_variables.rb:223:13:223:13 | x | semmle.label | x |
| captured_variables.rb:226:5:226:7 | [post] fn1 [captured y] | semmle.label | [post] fn1 [captured y] |
| captured_variables.rb:226:5:226:7 | fn1 [captured x] | semmle.label | fn1 [captured x] |
| captured_variables.rb:227:10:227:10 | y | semmle.label | y |
@@ -506,6 +472,7 @@ subpaths
| captured_variables.rb:83:6:83:8 | foo [@field] | captured_variables.rb:60:5:62:7 | self in get_field [@field] | captured_variables.rb:61:9:61:21 | return | captured_variables.rb:83:6:83:18 | call to get_field |
| captured_variables.rb:83:6:83:8 | foo [@field] | instance_variables.rb:13:5:15:7 | self in get_field [@field] | instance_variables.rb:14:9:14:21 | return | captured_variables.rb:83:6:83:18 | call to get_field |
| captured_variables.rb:98:13:98:20 | call to taint | captured_variables.rb:93:17:93:17 | x | captured_variables.rb:94:5:96:5 | -> { ... } [captured x] | captured_variables.rb:98:1:98:21 | call to capture_arg [captured x] |
| captured_variables.rb:226:5:226:7 | fn1 [captured x] | captured_variables.rb:223:13:223:13 | x | captured_variables.rb:223:13:223:13 | x | captured_variables.rb:226:5:226:7 | [post] fn1 [captured y] |
| instance_variables.rb:28:20:28:24 | field | instance_variables.rb:22:20:22:24 | field | instance_variables.rb:23:9:23:14 | [post] self [@field] | instance_variables.rb:28:9:28:25 | [post] self [@field] |
| instance_variables.rb:33:13:33:13 | x | instance_variables.rb:22:20:22:24 | field | instance_variables.rb:23:9:23:14 | [post] self [@field] | instance_variables.rb:33:9:33:14 | call to new [@field] |
| instance_variables.rb:36:10:36:23 | call to new [@field] | captured_variables.rb:60:5:62:7 | self in get_field [@field] | captured_variables.rb:61:9:61:21 | return | instance_variables.rb:36:10:36:33 | call to get_field |


@@ -228,3 +228,17 @@ def multi_capture
end
multi_capture
def m1
x = taint(19)
fn1 = -> {
sink x
}
x = nil
fn1.call()
end
m1
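Review bot: The `sink x` inside the `fn1` lambda in the new `m1` carries no inline expectation, so a reader cannot tell whether the absence of a `hasValueFlow=19` result is intended (because `x` is reassigned to `nil` before `fn1.call()`) or an analysis gap; the sibling test files touched by this commit annotate each `sink` with a `# $ …` marker. I would write `sink x # no flow: x is reassigned to nil before the lambda runs`, or `sink x # $ MISSING: hasValueFlow=19` if flow is expected but not yet found. Blank lines appear to be dropped in this rendering, so the hunk's line count cannot be checked from here.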


@@ -70,7 +70,7 @@ foo3 = Foo.new
foo3.set_field(taint(22))
sink(foo3.field) # $ hasValueFlow=22
foo4 = "hello"
foo4 = 4
foo4.other = taint(23)
sink(foo4.other) # no field flow for constants
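Review bot: The `foo4 =` line appears to swap the string literal `"hello"` for the integer `4`, but the unchanged trailing comment `# no field flow for constants` on `sink(foo4.other)` no longer explains why a string literal had to go. If string literals now carry field flow (which the swap suggests but the hunk does not show), record that so the test is not "fixed" back later, e.g. `# no field flow for integer literals (string literals are tracked)`. The enclosing test body continues outside the hunk.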


@@ -1089,6 +1089,13 @@ edges
| hash_flow.rb:994:30:994:40 | call to taint | hash_flow.rb:994:14:994:47 | ...[...] [element :b] | provenance | |
| hash_flow.rb:996:14:996:15 | h2 [element :b] | hash_flow.rb:996:14:996:19 | ...[...] | provenance | |
| hash_flow.rb:998:14:998:15 | h2 [element :b] | hash_flow.rb:998:14:998:18 | ...[...] | provenance | |
| hash_flow.rb:1011:5:1011:5 | h [element :a] | hash_flow.rb:1012:5:1012:5 | h [element :a] | provenance | |
| hash_flow.rb:1011:9:1011:45 | call to [] [element :a] | hash_flow.rb:1011:5:1011:5 | h [element :a] | provenance | |
| hash_flow.rb:1011:14:1011:24 | call to taint | hash_flow.rb:1011:9:1011:45 | call to [] [element :a] | provenance | |
| hash_flow.rb:1012:5:1012:5 | h [element :a] | hash_flow.rb:1012:15:1012:15 | k | provenance | |
| hash_flow.rb:1012:5:1012:5 | h [element :a] | hash_flow.rb:1012:18:1012:18 | v | provenance | |
| hash_flow.rb:1012:15:1012:15 | k | hash_flow.rb:1014:14:1014:14 | k | provenance | |
| hash_flow.rb:1012:18:1012:18 | v | hash_flow.rb:1013:14:1013:14 | v | provenance | |
nodes
| hash_flow.rb:10:5:10:8 | hash [element 0] | semmle.label | hash [element 0] |
| hash_flow.rb:10:5:10:8 | hash [element :a] | semmle.label | hash [element :a] |
@@ -2251,6 +2258,14 @@ nodes
| hash_flow.rb:996:14:996:19 | ...[...] | semmle.label | ...[...] |
| hash_flow.rb:998:14:998:15 | h2 [element :b] | semmle.label | h2 [element :b] |
| hash_flow.rb:998:14:998:18 | ...[...] | semmle.label | ...[...] |
| hash_flow.rb:1011:5:1011:5 | h [element :a] | semmle.label | h [element :a] |
| hash_flow.rb:1011:9:1011:45 | call to [] [element :a] | semmle.label | call to [] [element :a] |
| hash_flow.rb:1011:14:1011:24 | call to taint | semmle.label | call to taint |
| hash_flow.rb:1012:5:1012:5 | h [element :a] | semmle.label | h [element :a] |
| hash_flow.rb:1012:15:1012:15 | k | semmle.label | k |
| hash_flow.rb:1012:18:1012:18 | v | semmle.label | v |
| hash_flow.rb:1013:14:1013:14 | v | semmle.label | v |
| hash_flow.rb:1014:14:1014:14 | k | semmle.label | k |
subpaths
hashLiteral
| hash_flow.rb:10:12:21:5 | call to [] |
@@ -2324,6 +2339,7 @@ hashLiteral
| hash_flow.rb:946:13:950:5 | call to [] |
| hash_flow.rb:971:9:971:38 | ...[...] |
| hash_flow.rb:994:14:994:47 | ...[...] |
| hash_flow.rb:1011:9:1011:45 | call to [] |
#select
| hash_flow.rb:22:10:22:17 | ...[...] | hash_flow.rb:11:15:11:24 | call to taint | hash_flow.rb:22:10:22:17 | ...[...] | $@ | hash_flow.rb:11:15:11:24 | call to taint | call to taint |
| hash_flow.rb:24:10:24:17 | ...[...] | hash_flow.rb:13:12:13:21 | call to taint | hash_flow.rb:24:10:24:17 | ...[...] | $@ | hash_flow.rb:13:12:13:21 | call to taint | call to taint |
@@ -2569,3 +2585,5 @@ hashLiteral
| hash_flow.rb:975:10:975:13 | ...[...] | hash_flow.rb:971:23:971:31 | call to taint | hash_flow.rb:975:10:975:13 | ...[...] | $@ | hash_flow.rb:971:23:971:31 | call to taint | call to taint |
| hash_flow.rb:996:14:996:19 | ...[...] | hash_flow.rb:994:30:994:40 | call to taint | hash_flow.rb:996:14:996:19 | ...[...] | $@ | hash_flow.rb:994:30:994:40 | call to taint | call to taint |
| hash_flow.rb:998:14:998:18 | ...[...] | hash_flow.rb:994:30:994:40 | call to taint | hash_flow.rb:998:14:998:18 | ...[...] | $@ | hash_flow.rb:994:30:994:40 | call to taint | call to taint |
| hash_flow.rb:1013:14:1013:14 | v | hash_flow.rb:1011:14:1011:24 | call to taint | hash_flow.rb:1013:14:1013:14 | v | $@ | hash_flow.rb:1011:14:1011:24 | call to taint | call to taint |
| hash_flow.rb:1014:14:1014:14 | k | hash_flow.rb:1011:14:1011:24 | call to taint | hash_flow.rb:1014:14:1014:14 | k | $@ | hash_flow.rb:1011:14:1011:24 | call to taint | call to taint |


@@ -5,7 +5,7 @@
import codeql.ruby.AST
import codeql.ruby.CFG
import TestUtilities.InlineFlowTest
import ValueFlowTest<DefaultFlowConfig>
import DefaultFlowTest
import ValueFlow::PathGraph
query predicate hashLiteral(CfgNodes::ExprNodes::HashLiteralCfgNode n) { any() }


@@ -59,7 +59,7 @@ def m3()
x = {a: taint(3.2), b: 1}
hash2 = Hash[x]
sink(hash2[:a]) # $ hasValueFlow=3.2
sink(hash2[:b])
sink(hash2[:b]) # $ hasTaintFlow=3.2
hash3 = Hash[[[:a, taint(3.3)], [:b, 1]]]
sink(hash3[:a]) # $ hasValueFlow=3.3
@@ -75,7 +75,7 @@ def m3()
hash6 = Hash[{"a" => taint(3.6), "b" => 1}]
sink(hash6["a"]) # $ hasValueFlow=3.6
sink(hash6["b"])
sink(hash6["b"]) # $ hasTaintFlow=3.6
end
m3()
@@ -1000,3 +1000,17 @@ class M54
end
M54.new.m54(:b)
def m55
h = taint(55.1)
keys = h.keys
sink(keys[f()]) # $ hasTaintFlow=55.1
end
def m56
h = { a: taint(56.1), taint(56.2) => :b }
h.map do |k, v|
sink(v) # $ hasValueFlow=56.1
sink(k) # $ MISSING: hasValueFlow=56.2 SPURIOUS: hasValueFlow=56.1
end
end
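Review bot: The `sink(hash2[:b])` and `sink(hash6["b"])` lines now assert `hasTaintFlow=3.2` / `hasTaintFlow=3.6` although only the `:a` / `"a"` entries are tainted, which pins an over-approximation into the test without saying so; a comment on its own line above each, such as `# taint (not value) flow to :b is an over-approximation of Hash[]`, would stop a later maintainer from adjusting the expectation in the wrong direction. In `m56` the `MISSING`/`SPURIOUS` markers on `sink(k)` already document that the block's key parameter receives the value's flow rather than the key's — consistent with the expected-output hunk in this commit reporting `k` from `taint(56.1)` — and naming the cause there would help if it is known. `m55` calls `f()`, which is not defined in the hunk; presumably it exists elsewhere in the file.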


@@ -2676,6 +2676,7 @@
| local_dataflow.rb:131:7:131:8 | "" | local_dataflow.rb:131:3:131:8 | ... = ... |
| local_dataflow.rb:132:6:132:11 | [post] self | local_dataflow.rb:133:8:133:13 | self |
| local_dataflow.rb:132:6:132:11 | self | local_dataflow.rb:133:8:133:13 | self |
| local_dataflow.rb:132:10:132:10 | [post] x | local_dataflow.rb:133:12:133:12 | x |
| local_dataflow.rb:132:10:132:10 | x | local_dataflow.rb:133:12:133:12 | x |
| local_dataflow.rb:132:12:148:10 | then ... | local_dataflow.rb:132:3:149:5 | if ... |
| local_dataflow.rb:133:5:139:7 | SSA phi read(self) | local_dataflow.rb:141:9:141:14 | self |
@@ -2686,17 +2687,20 @@
| local_dataflow.rb:133:8:133:13 | self | local_dataflow.rb:133:18:133:23 | self |
| local_dataflow.rb:133:8:133:23 | SSA phi read(self) | local_dataflow.rb:134:7:134:12 | self |
| local_dataflow.rb:133:8:133:23 | SSA phi read(x) | local_dataflow.rb:134:11:134:11 | x |
| local_dataflow.rb:133:12:133:12 | [post] x | local_dataflow.rb:133:22:133:22 | x |
| local_dataflow.rb:133:12:133:12 | x | local_dataflow.rb:133:22:133:22 | x |
| local_dataflow.rb:133:18:133:23 | [post] self | local_dataflow.rb:136:7:136:12 | self |
| local_dataflow.rb:133:18:133:23 | call to use | local_dataflow.rb:133:8:133:23 | [false] ... \|\| ... |
| local_dataflow.rb:133:18:133:23 | call to use | local_dataflow.rb:133:8:133:23 | [true] ... \|\| ... |
| local_dataflow.rb:133:18:133:23 | self | local_dataflow.rb:136:7:136:12 | self |
| local_dataflow.rb:133:22:133:22 | [post] x | local_dataflow.rb:136:11:136:11 | x |
| local_dataflow.rb:133:22:133:22 | x | local_dataflow.rb:136:11:136:11 | x |
| local_dataflow.rb:133:24:134:12 | then ... | local_dataflow.rb:133:5:139:7 | if ... |
| local_dataflow.rb:134:7:134:12 | call to use | local_dataflow.rb:133:24:134:12 | then ... |
| local_dataflow.rb:135:5:138:9 | else ... | local_dataflow.rb:133:5:139:7 | if ... |
| local_dataflow.rb:136:7:136:12 | [post] self | local_dataflow.rb:137:10:137:15 | self |
| local_dataflow.rb:136:7:136:12 | self | local_dataflow.rb:137:10:137:15 | self |
| local_dataflow.rb:136:11:136:11 | [post] x | local_dataflow.rb:137:14:137:14 | x |
| local_dataflow.rb:136:11:136:11 | x | local_dataflow.rb:137:14:137:14 | x |
| local_dataflow.rb:137:7:138:9 | SSA phi read(self) | local_dataflow.rb:133:5:139:7 | SSA phi read(self) |
| local_dataflow.rb:137:7:138:9 | SSA phi read(x) | local_dataflow.rb:133:5:139:7 | SSA phi read(x) |
@@ -2705,6 +2709,7 @@
| local_dataflow.rb:137:10:137:15 | self | local_dataflow.rb:137:21:137:26 | self |
| local_dataflow.rb:137:10:137:26 | SSA phi read(self) | local_dataflow.rb:137:7:138:9 | SSA phi read(self) |
| local_dataflow.rb:137:10:137:26 | SSA phi read(x) | local_dataflow.rb:137:7:138:9 | SSA phi read(x) |
| local_dataflow.rb:137:14:137:14 | [post] x | local_dataflow.rb:137:25:137:25 | x |
| local_dataflow.rb:137:14:137:14 | x | local_dataflow.rb:137:25:137:25 | x |
| local_dataflow.rb:137:20:137:26 | [false] ! ... | local_dataflow.rb:137:10:137:26 | [false] ... && ... |
| local_dataflow.rb:137:20:137:26 | [true] ! ... | local_dataflow.rb:137:10:137:26 | [true] ... && ... |
@@ -2717,6 +2722,7 @@
| local_dataflow.rb:141:8:141:37 | SSA phi read(x) | local_dataflow.rb:141:5:145:7 | SSA phi read(x) |
| local_dataflow.rb:141:9:141:14 | [post] self | local_dataflow.rb:141:20:141:25 | self |
| local_dataflow.rb:141:9:141:14 | self | local_dataflow.rb:141:20:141:25 | self |
| local_dataflow.rb:141:13:141:13 | [post] x | local_dataflow.rb:141:24:141:24 | x |
| local_dataflow.rb:141:13:141:13 | x | local_dataflow.rb:141:24:141:24 | x |
| local_dataflow.rb:141:19:141:37 | [false] ( ... ) | local_dataflow.rb:141:8:141:37 | [false] ... \|\| ... |
| local_dataflow.rb:141:19:141:37 | [true] ( ... ) | local_dataflow.rb:141:8:141:37 | [true] ... \|\| ... |
@@ -2726,6 +2732,7 @@
| local_dataflow.rb:141:20:141:36 | SSA phi read(x) | local_dataflow.rb:143:15:143:15 | x |
| local_dataflow.rb:141:20:141:36 | [false] ... && ... | local_dataflow.rb:141:19:141:37 | [false] ( ... ) |
| local_dataflow.rb:141:20:141:36 | [true] ... && ... | local_dataflow.rb:141:19:141:37 | [true] ( ... ) |
| local_dataflow.rb:141:24:141:24 | [post] x | local_dataflow.rb:141:35:141:35 | x |
| local_dataflow.rb:141:24:141:24 | x | local_dataflow.rb:141:35:141:35 | x |
| local_dataflow.rb:141:30:141:36 | [false] ! ... | local_dataflow.rb:141:20:141:36 | [false] ... && ... |
| local_dataflow.rb:141:30:141:36 | [true] ! ... | local_dataflow.rb:141:20:141:36 | [true] ... && ... |
@@ -2740,6 +2747,7 @@
| local_dataflow.rb:143:11:143:16 | self | local_dataflow.rb:143:21:143:26 | self |
| local_dataflow.rb:143:11:143:26 | SSA phi read(self) | local_dataflow.rb:144:11:144:16 | self |
| local_dataflow.rb:143:11:143:26 | SSA phi read(x) | local_dataflow.rb:144:15:144:15 | x |
| local_dataflow.rb:143:15:143:15 | [post] x | local_dataflow.rb:143:25:143:25 | x |
| local_dataflow.rb:143:15:143:15 | x | local_dataflow.rb:143:25:143:25 | x |
| local_dataflow.rb:143:21:143:26 | call to use | local_dataflow.rb:143:11:143:26 | [false] ... \|\| ... |
| local_dataflow.rb:143:21:143:26 | call to use | local_dataflow.rb:143:11:143:26 | [true] ... \|\| ... |
@@ -2747,5 +2755,6 @@
| local_dataflow.rb:144:11:144:16 | call to use | local_dataflow.rb:143:27:144:16 | then ... |
| local_dataflow.rb:147:5:147:10 | [post] self | local_dataflow.rb:148:5:148:10 | self |
| local_dataflow.rb:147:5:147:10 | self | local_dataflow.rb:148:5:148:10 | self |
| local_dataflow.rb:147:9:147:9 | [post] x | local_dataflow.rb:148:9:148:9 | x |
| local_dataflow.rb:147:9:147:9 | x | local_dataflow.rb:148:9:148:9 | x |
| local_dataflow.rb:148:5:148:10 | call to use | local_dataflow.rb:132:12:148:10 | then ... |


@@ -2835,6 +2835,9 @@
| file://:0:0:0:0 | [summary param] self in ActionController::Parameters#merge | file://:0:0:0:0 | [summary] to write: ReturnValue in ActionController::Parameters#merge |
| file://:0:0:0:0 | [summary param] self in ActionController::Parameters#merge! | file://:0:0:0:0 | [summary] to write: Argument[self] in ActionController::Parameters#merge! |
| file://:0:0:0:0 | [summary param] self in ActionController::Parameters#merge! | file://:0:0:0:0 | [summary] to write: ReturnValue in ActionController::Parameters#merge! |
| file://:0:0:0:0 | [summary param] self in ActionDispatch::Http::UploadedFile#[original_filename,content_type,headers] | file://:0:0:0:0 | [summary] to write: ReturnValue in ActionDispatch::Http::UploadedFile#[original_filename,content_type,headers] |
| file://:0:0:0:0 | [summary param] self in ActionDispatch::Http::UploadedFile#read | file://:0:0:0:0 | [summary] to write: Argument[1] in ActionDispatch::Http::UploadedFile#read |
| file://:0:0:0:0 | [summary param] self in ActionDispatch::Http::UploadedFile#read | file://:0:0:0:0 | [summary] to write: ReturnValue in ActionDispatch::Http::UploadedFile#read |
| file://:0:0:0:0 | [summary param] self in ActiveSupportStringTransform | file://:0:0:0:0 | [summary] to write: ReturnValue in ActiveSupportStringTransform |
| file://:0:0:0:0 | [summary param] self in [] | file://:0:0:0:0 | [summary] to write: ReturnValue in [] |
| file://:0:0:0:0 | [summary param] self in \| | file://:0:0:0:0 | [summary] read: Argument[self].Element[any] in \| |
@@ -3164,6 +3167,7 @@
| local_dataflow.rb:131:7:131:8 | "" | local_dataflow.rb:131:3:131:8 | ... = ... |
| local_dataflow.rb:132:6:132:11 | [post] self | local_dataflow.rb:133:8:133:13 | self |
| local_dataflow.rb:132:6:132:11 | self | local_dataflow.rb:133:8:133:13 | self |
| local_dataflow.rb:132:10:132:10 | [post] x | local_dataflow.rb:133:12:133:12 | x |
| local_dataflow.rb:132:10:132:10 | x | local_dataflow.rb:133:12:133:12 | x |
| local_dataflow.rb:132:12:148:10 | then ... | local_dataflow.rb:132:3:149:5 | if ... |
| local_dataflow.rb:133:5:139:7 | SSA phi read(self) | local_dataflow.rb:141:9:141:14 | self |
@@ -3174,17 +3178,20 @@
| local_dataflow.rb:133:8:133:13 | self | local_dataflow.rb:133:18:133:23 | self |
| local_dataflow.rb:133:8:133:23 | SSA phi read(self) | local_dataflow.rb:134:7:134:12 | self |
| local_dataflow.rb:133:8:133:23 | SSA phi read(x) | local_dataflow.rb:134:11:134:11 | x |
| local_dataflow.rb:133:12:133:12 | [post] x | local_dataflow.rb:133:22:133:22 | x |
| local_dataflow.rb:133:12:133:12 | x | local_dataflow.rb:133:22:133:22 | x |
| local_dataflow.rb:133:18:133:23 | [post] self | local_dataflow.rb:136:7:136:12 | self |
| local_dataflow.rb:133:18:133:23 | call to use | local_dataflow.rb:133:8:133:23 | [false] ... \|\| ... |
| local_dataflow.rb:133:18:133:23 | call to use | local_dataflow.rb:133:8:133:23 | [true] ... \|\| ... |
| local_dataflow.rb:133:18:133:23 | self | local_dataflow.rb:136:7:136:12 | self |
| local_dataflow.rb:133:22:133:22 | [post] x | local_dataflow.rb:136:11:136:11 | x |
| local_dataflow.rb:133:22:133:22 | x | local_dataflow.rb:136:11:136:11 | x |
| local_dataflow.rb:133:24:134:12 | then ... | local_dataflow.rb:133:5:139:7 | if ... |
| local_dataflow.rb:134:7:134:12 | call to use | local_dataflow.rb:133:24:134:12 | then ... |
| local_dataflow.rb:135:5:138:9 | else ... | local_dataflow.rb:133:5:139:7 | if ... |
| local_dataflow.rb:136:7:136:12 | [post] self | local_dataflow.rb:137:10:137:15 | self |
| local_dataflow.rb:136:7:136:12 | self | local_dataflow.rb:137:10:137:15 | self |
| local_dataflow.rb:136:11:136:11 | [post] x | local_dataflow.rb:137:14:137:14 | x |
| local_dataflow.rb:136:11:136:11 | x | local_dataflow.rb:137:14:137:14 | x |
| local_dataflow.rb:137:7:138:9 | SSA phi read(self) | local_dataflow.rb:133:5:139:7 | SSA phi read(self) |
| local_dataflow.rb:137:7:138:9 | SSA phi read(x) | local_dataflow.rb:133:5:139:7 | SSA phi read(x) |
@@ -3193,6 +3200,7 @@
| local_dataflow.rb:137:10:137:15 | self | local_dataflow.rb:137:21:137:26 | self |
| local_dataflow.rb:137:10:137:26 | SSA phi read(self) | local_dataflow.rb:137:7:138:9 | SSA phi read(self) |
| local_dataflow.rb:137:10:137:26 | SSA phi read(x) | local_dataflow.rb:137:7:138:9 | SSA phi read(x) |
| local_dataflow.rb:137:14:137:14 | [post] x | local_dataflow.rb:137:25:137:25 | x |
| local_dataflow.rb:137:14:137:14 | x | local_dataflow.rb:137:25:137:25 | x |
| local_dataflow.rb:137:20:137:26 | [false] ! ... | local_dataflow.rb:137:10:137:26 | [false] ... && ... |
| local_dataflow.rb:137:20:137:26 | [true] ! ... | local_dataflow.rb:137:10:137:26 | [true] ... && ... |
@@ -3209,6 +3217,7 @@
| local_dataflow.rb:141:9:141:14 | call to use | local_dataflow.rb:141:8:141:14 | [false] ! ... |
| local_dataflow.rb:141:9:141:14 | call to use | local_dataflow.rb:141:8:141:14 | [true] ! ... |
| local_dataflow.rb:141:9:141:14 | self | local_dataflow.rb:141:20:141:25 | self |
| local_dataflow.rb:141:13:141:13 | [post] x | local_dataflow.rb:141:24:141:24 | x |
| local_dataflow.rb:141:13:141:13 | x | local_dataflow.rb:141:24:141:24 | x |
| local_dataflow.rb:141:19:141:37 | [false] ( ... ) | local_dataflow.rb:141:8:141:37 | [false] ... \|\| ... |
| local_dataflow.rb:141:19:141:37 | [true] ( ... ) | local_dataflow.rb:141:8:141:37 | [true] ... \|\| ... |
@@ -3218,6 +3227,7 @@
| local_dataflow.rb:141:20:141:36 | SSA phi read(x) | local_dataflow.rb:143:15:143:15 | x |
| local_dataflow.rb:141:20:141:36 | [false] ... && ... | local_dataflow.rb:141:19:141:37 | [false] ( ... ) |
| local_dataflow.rb:141:20:141:36 | [true] ... && ... | local_dataflow.rb:141:19:141:37 | [true] ( ... ) |
| local_dataflow.rb:141:24:141:24 | [post] x | local_dataflow.rb:141:35:141:35 | x |
| local_dataflow.rb:141:24:141:24 | x | local_dataflow.rb:141:35:141:35 | x |
| local_dataflow.rb:141:30:141:36 | [false] ! ... | local_dataflow.rb:141:20:141:36 | [false] ... && ... |
| local_dataflow.rb:141:30:141:36 | [true] ! ... | local_dataflow.rb:141:20:141:36 | [true] ... && ... |
@@ -3234,6 +3244,7 @@
| local_dataflow.rb:143:11:143:16 | self | local_dataflow.rb:143:21:143:26 | self |
| local_dataflow.rb:143:11:143:26 | SSA phi read(self) | local_dataflow.rb:144:11:144:16 | self |
| local_dataflow.rb:143:11:143:26 | SSA phi read(x) | local_dataflow.rb:144:15:144:15 | x |
| local_dataflow.rb:143:15:143:15 | [post] x | local_dataflow.rb:143:25:143:25 | x |
| local_dataflow.rb:143:15:143:15 | x | local_dataflow.rb:143:25:143:25 | x |
| local_dataflow.rb:143:21:143:26 | call to use | local_dataflow.rb:143:11:143:26 | [false] ... \|\| ... |
| local_dataflow.rb:143:21:143:26 | call to use | local_dataflow.rb:143:11:143:26 | [true] ... \|\| ... |
@@ -3241,5 +3252,6 @@
| local_dataflow.rb:144:11:144:16 | call to use | local_dataflow.rb:143:27:144:16 | then ... |
| local_dataflow.rb:147:5:147:10 | [post] self | local_dataflow.rb:148:5:148:10 | self |
| local_dataflow.rb:147:5:147:10 | self | local_dataflow.rb:148:5:148:10 | self |
| local_dataflow.rb:147:9:147:9 | [post] x | local_dataflow.rb:148:9:148:9 | x |
| local_dataflow.rb:147:9:147:9 | x | local_dataflow.rb:148:9:148:9 | x |
| local_dataflow.rb:148:5:148:10 | call to use | local_dataflow.rb:132:12:148:10 | then ... |


@@ -65,8 +65,12 @@ edges
| summaries.rb:4:24:4:30 | tainted | summaries.rb:4:36:4:36 | x | provenance | |
| summaries.rb:4:36:4:36 | x | summaries.rb:5:8:5:8 | x | provenance | |
| summaries.rb:4:36:4:36 | x | summaries.rb:5:8:5:8 | x | provenance | |
| summaries.rb:4:36:4:36 | x | summaries.rb:6:3:6:3 | x | provenance | |
| summaries.rb:4:36:4:36 | x | summaries.rb:6:3:6:3 | x | provenance | |
| summaries.rb:11:17:11:17 | x | summaries.rb:12:8:12:8 | x | provenance | |
| summaries.rb:11:17:11:17 | x | summaries.rb:12:8:12:8 | x | provenance | |
| summaries.rb:11:17:11:17 | x | summaries.rb:13:3:13:3 | x | provenance | |
| summaries.rb:11:17:11:17 | x | summaries.rb:13:3:13:3 | x | provenance | |
| summaries.rb:16:1:16:8 | tainted3 | summaries.rb:18:6:18:13 | tainted3 | provenance | |
| summaries.rb:16:1:16:8 | tainted3 | summaries.rb:18:6:18:13 | tainted3 | provenance | |
| summaries.rb:16:12:16:43 | call to apply_lambda | summaries.rb:16:1:16:8 | tainted3 | provenance | |
@@ -275,12 +279,16 @@ nodes
| summaries.rb:4:36:4:36 | x | semmle.label | x |
| summaries.rb:5:8:5:8 | x | semmle.label | x |
| summaries.rb:5:8:5:8 | x | semmle.label | x |
| summaries.rb:6:3:6:3 | x | semmle.label | x |
| summaries.rb:6:3:6:3 | x | semmle.label | x |
| summaries.rb:9:6:9:13 | tainted2 | semmle.label | tainted2 |
| summaries.rb:9:6:9:13 | tainted2 | semmle.label | tainted2 |
| summaries.rb:11:17:11:17 | x | semmle.label | x |
| summaries.rb:11:17:11:17 | x | semmle.label | x |
| summaries.rb:12:8:12:8 | x | semmle.label | x |
| summaries.rb:12:8:12:8 | x | semmle.label | x |
| summaries.rb:13:3:13:3 | x | semmle.label | x |
| summaries.rb:13:3:13:3 | x | semmle.label | x |
| summaries.rb:16:1:16:8 | tainted3 | semmle.label | tainted3 |
| summaries.rb:16:1:16:8 | tainted3 | semmle.label | tainted3 |
| summaries.rb:16:12:16:43 | call to apply_lambda | semmle.label | call to apply_lambda |
@@ -514,6 +522,10 @@ nodes
| summaries.rb:166:20:166:36 | call to source | semmle.label | call to source |
| summaries.rb:166:20:166:36 | call to source | semmle.label | call to source |
subpaths
| summaries.rb:4:24:4:30 | tainted | summaries.rb:4:36:4:36 | x | summaries.rb:6:3:6:3 | x | summaries.rb:4:12:7:3 | call to apply_block |
| summaries.rb:4:24:4:30 | tainted | summaries.rb:4:36:4:36 | x | summaries.rb:6:3:6:3 | x | summaries.rb:4:12:7:3 | call to apply_block |
| summaries.rb:16:36:16:42 | tainted | summaries.rb:11:17:11:17 | x | summaries.rb:13:3:13:3 | x | summaries.rb:16:12:16:43 | call to apply_lambda |
| summaries.rb:16:36:16:42 | tainted | summaries.rb:11:17:11:17 | x | summaries.rb:13:3:13:3 | x | summaries.rb:16:12:16:43 | call to apply_lambda |
invalidSpecComponent
#select
| summaries.rb:2:6:2:12 | tainted | summaries.rb:1:20:1:36 | call to source | summaries.rb:2:6:2:12 | tainted | $@ | summaries.rb:1:20:1:36 | call to source | call to source |


@@ -14,6 +14,7 @@ actionControllerControllerClasses
| input_access.rb:1:1:58:3 | UsersController |
| params_flow.rb:1:1:162:3 | MyController |
| params_flow.rb:170:1:178:3 | Subclass |
| params_flow.rb:180:1:207:3 | UploadedFileTests |
actionControllerActionMethods
| app/controllers/comments_controller.rb:17:3:51:5 | index |
| app/controllers/comments_controller.rb:53:3:54:5 | create |
@@ -86,6 +87,12 @@ actionControllerActionMethods
| params_flow.rb:152:3:159:5 | m33 |
| params_flow.rb:165:3:167:5 | m34 |
| params_flow.rb:171:3:173:5 | m35 |
| params_flow.rb:181:3:183:5 | m36 |
| params_flow.rb:185:3:187:5 | m37 |
| params_flow.rb:189:3:191:5 | m38 |
| params_flow.rb:193:3:195:5 | m39 |
| params_flow.rb:197:3:200:5 | m40 |
| params_flow.rb:202:3:206:5 | m41 |
paramsCalls
| app/controllers/comments_controller.rb:80:36:80:41 | call to params |
| app/controllers/foo/bars_controller.rb:13:21:13:26 | call to params |
@@ -146,6 +153,12 @@ paramsCalls
| params_flow.rb:166:10:166:15 | call to params |
| params_flow.rb:172:10:172:15 | call to params |
| params_flow.rb:176:10:176:15 | call to params |
| params_flow.rb:182:10:182:15 | call to params |
| params_flow.rb:186:10:186:15 | call to params |
| params_flow.rb:190:10:190:15 | call to params |
| params_flow.rb:194:10:194:15 | call to params |
| params_flow.rb:198:5:198:10 | call to params |
| params_flow.rb:204:5:204:10 | call to params |
paramsSources
| app/controllers/comments_controller.rb:80:36:80:41 | call to params |
| app/controllers/foo/bars_controller.rb:13:21:13:26 | call to params |
@@ -206,6 +219,12 @@ paramsSources
| params_flow.rb:166:10:166:15 | call to params |
| params_flow.rb:172:10:172:15 | call to params |
| params_flow.rb:176:10:176:15 | call to params |
| params_flow.rb:182:10:182:15 | call to params |
| params_flow.rb:186:10:186:15 | call to params |
| params_flow.rb:190:10:190:15 | call to params |
| params_flow.rb:194:10:194:15 | call to params |
| params_flow.rb:198:5:198:10 | call to params |
| params_flow.rb:204:5:204:10 | call to params |
httpInputAccesses
| app/controllers/application_controller.rb:11:53:11:64 | call to path | ActionDispatch::Request#path |
| app/controllers/comments_controller.rb:18:5:18:18 | call to params | ActionDispatch::Request#params |
@@ -324,6 +343,12 @@ httpInputAccesses
| params_flow.rb:166:10:166:15 | call to params | ActionController::Metal#params |
| params_flow.rb:172:10:172:15 | call to params | ActionController::Metal#params |
| params_flow.rb:176:10:176:15 | call to params | ActionController::Metal#params |
| params_flow.rb:182:10:182:15 | call to params | ActionController::Metal#params |
| params_flow.rb:186:10:186:15 | call to params | ActionController::Metal#params |
| params_flow.rb:190:10:190:15 | call to params | ActionController::Metal#params |
| params_flow.rb:194:10:194:15 | call to params | ActionController::Metal#params |
| params_flow.rb:198:5:198:10 | call to params | ActionController::Metal#params |
| params_flow.rb:204:5:204:10 | call to params | ActionController::Metal#params |
cookiesCalls
| app/controllers/foo/bars_controller.rb:10:27:10:33 | call to cookies |
cookiesSources


@@ -101,6 +101,24 @@ edges
| params_flow.rb:166:10:166:15 | call to params | params_flow.rb:166:10:166:19 | ...[...] | provenance | |
| params_flow.rb:172:10:172:15 | call to params | params_flow.rb:172:10:172:19 | ...[...] | provenance | |
| params_flow.rb:176:10:176:15 | call to params | params_flow.rb:176:10:176:19 | ...[...] | provenance | |
| params_flow.rb:182:10:182:15 | call to params | params_flow.rb:182:10:182:22 | ...[...] | provenance | |
| params_flow.rb:182:10:182:22 | ...[...] | params_flow.rb:182:10:182:40 | call to original_filename | provenance | |
| params_flow.rb:186:10:186:15 | call to params | params_flow.rb:186:10:186:30 | call to require | provenance | |
| params_flow.rb:186:10:186:30 | call to require | params_flow.rb:186:10:186:43 | call to content_type | provenance | |
| params_flow.rb:190:10:190:15 | call to params | params_flow.rb:190:10:190:29 | call to permit | provenance | |
| params_flow.rb:190:10:190:29 | call to permit | params_flow.rb:190:10:190:36 | ...[...] | provenance | |
| params_flow.rb:190:10:190:36 | ...[...] | params_flow.rb:190:10:190:44 | call to headers | provenance | |
| params_flow.rb:194:10:194:15 | call to params | params_flow.rb:194:10:194:19 | ...[...] | provenance | |
| params_flow.rb:194:10:194:19 | ...[...] | params_flow.rb:194:10:194:31 | call to to_unsafe_h | provenance | |
| params_flow.rb:194:10:194:31 | call to to_unsafe_h | params_flow.rb:194:10:194:35 | ...[...] | provenance | |
| params_flow.rb:194:10:194:35 | ...[...] | params_flow.rb:194:10:194:42 | ...[...] | provenance | |
| params_flow.rb:194:10:194:42 | ...[...] | params_flow.rb:194:10:194:47 | call to read | provenance | |
| params_flow.rb:198:5:198:10 | call to params | params_flow.rb:198:5:198:17 | ...[...] | provenance | |
| params_flow.rb:198:5:198:17 | ...[...] | params_flow.rb:198:28:198:28 | [post] a | provenance | |
| params_flow.rb:198:28:198:28 | [post] a | params_flow.rb:199:10:199:10 | a | provenance | |
| params_flow.rb:204:5:204:10 | call to params | params_flow.rb:204:5:204:17 | ...[...] | provenance | |
| params_flow.rb:204:5:204:17 | ...[...] | params_flow.rb:204:28:204:28 | [post] a | provenance | |
| params_flow.rb:204:28:204:28 | [post] a | params_flow.rb:205:10:205:10 | a | provenance | |
nodes
| filter_flow.rb:14:5:14:8 | [post] self [@foo] | semmle.label | [post] self [@foo] |
| filter_flow.rb:14:12:14:17 | call to params | semmle.label | call to params |
@@ -244,6 +262,30 @@ nodes
| params_flow.rb:172:10:172:19 | ...[...] | semmle.label | ...[...] |
| params_flow.rb:176:10:176:15 | call to params | semmle.label | call to params |
| params_flow.rb:176:10:176:19 | ...[...] | semmle.label | ...[...] |
| params_flow.rb:182:10:182:15 | call to params | semmle.label | call to params |
| params_flow.rb:182:10:182:22 | ...[...] | semmle.label | ...[...] |
| params_flow.rb:182:10:182:40 | call to original_filename | semmle.label | call to original_filename |
| params_flow.rb:186:10:186:15 | call to params | semmle.label | call to params |
| params_flow.rb:186:10:186:30 | call to require | semmle.label | call to require |
| params_flow.rb:186:10:186:43 | call to content_type | semmle.label | call to content_type |
| params_flow.rb:190:10:190:15 | call to params | semmle.label | call to params |
| params_flow.rb:190:10:190:29 | call to permit | semmle.label | call to permit |
| params_flow.rb:190:10:190:36 | ...[...] | semmle.label | ...[...] |
| params_flow.rb:190:10:190:44 | call to headers | semmle.label | call to headers |
| params_flow.rb:194:10:194:15 | call to params | semmle.label | call to params |
| params_flow.rb:194:10:194:19 | ...[...] | semmle.label | ...[...] |
| params_flow.rb:194:10:194:31 | call to to_unsafe_h | semmle.label | call to to_unsafe_h |
| params_flow.rb:194:10:194:35 | ...[...] | semmle.label | ...[...] |
| params_flow.rb:194:10:194:42 | ...[...] | semmle.label | ...[...] |
| params_flow.rb:194:10:194:47 | call to read | semmle.label | call to read |
| params_flow.rb:198:5:198:10 | call to params | semmle.label | call to params |
| params_flow.rb:198:5:198:17 | ...[...] | semmle.label | ...[...] |
| params_flow.rb:198:28:198:28 | [post] a | semmle.label | [post] a |
| params_flow.rb:199:10:199:10 | a | semmle.label | a |
| params_flow.rb:204:5:204:10 | call to params | semmle.label | call to params |
| params_flow.rb:204:5:204:17 | ...[...] | semmle.label | ...[...] |
| params_flow.rb:204:28:204:28 | [post] a | semmle.label | [post] a |
| params_flow.rb:205:10:205:10 | a | semmle.label | a |
subpaths
#select
| filter_flow.rb:21:10:21:13 | @foo | filter_flow.rb:14:12:14:17 | call to params | filter_flow.rb:21:10:21:13 | @foo | $@ | filter_flow.rb:14:12:14:17 | call to params | call to params |
@@ -298,3 +340,9 @@ subpaths
| params_flow.rb:166:10:166:19 | ...[...] | params_flow.rb:166:10:166:15 | call to params | params_flow.rb:166:10:166:19 | ...[...] | $@ | params_flow.rb:166:10:166:15 | call to params | call to params |
| params_flow.rb:172:10:172:19 | ...[...] | params_flow.rb:172:10:172:15 | call to params | params_flow.rb:172:10:172:19 | ...[...] | $@ | params_flow.rb:172:10:172:15 | call to params | call to params |
| params_flow.rb:176:10:176:19 | ...[...] | params_flow.rb:176:10:176:15 | call to params | params_flow.rb:176:10:176:19 | ...[...] | $@ | params_flow.rb:176:10:176:15 | call to params | call to params |
| params_flow.rb:182:10:182:40 | call to original_filename | params_flow.rb:182:10:182:15 | call to params | params_flow.rb:182:10:182:40 | call to original_filename | $@ | params_flow.rb:182:10:182:15 | call to params | call to params |
| params_flow.rb:186:10:186:43 | call to content_type | params_flow.rb:186:10:186:15 | call to params | params_flow.rb:186:10:186:43 | call to content_type | $@ | params_flow.rb:186:10:186:15 | call to params | call to params |
| params_flow.rb:190:10:190:44 | call to headers | params_flow.rb:190:10:190:15 | call to params | params_flow.rb:190:10:190:44 | call to headers | $@ | params_flow.rb:190:10:190:15 | call to params | call to params |
| params_flow.rb:194:10:194:47 | call to read | params_flow.rb:194:10:194:15 | call to params | params_flow.rb:194:10:194:47 | call to read | $@ | params_flow.rb:194:10:194:15 | call to params | call to params |
| params_flow.rb:199:10:199:10 | a | params_flow.rb:198:5:198:10 | call to params | params_flow.rb:199:10:199:10 | a | $@ | params_flow.rb:198:5:198:10 | call to params | call to params |
| params_flow.rb:205:10:205:10 | a | params_flow.rb:204:5:204:10 | call to params | params_flow.rb:205:10:205:10 | a | $@ | params_flow.rb:204:5:204:10 | call to params | call to params |


@@ -176,3 +176,32 @@ class Subclass < MyController
sink params[:x] # $hasTaintFlow
end
end
class UploadedFileTests < MyController
def m36
sink params[:file].original_filename # $hasTaintFlow
end
def m37
sink params.require(:file).content_type # $hasTaintFlow
end
def m38
sink params.permit(:file)[:file].headers # $hasTaintFlow
end
def m39
sink params[:a].to_unsafe_h[:b][:file].read # $hasTaintFlow
end
def m40(a)
params[:file].read(nil,a)
sink a # $ hasTaintFlow
end
def m41
a = ""
params[:file].read(nil,a)
sink a # $ hasTaintFlow
end
end


@@ -67,6 +67,14 @@ httpRequests
| Typhoeus.rb:15:9:15:46 | call to delete |
| Typhoeus.rb:18:9:18:44 | call to head |
| Typhoeus.rb:21:9:21:47 | call to options |
| Typhoeus.rb:24:8:24:50 | call to new |
| Typhoeus.rb:27:8:27:50 | call to new |
| Typhoeus.rb:31:9:31:51 | call to new |
| Typhoeus.rb:34:9:34:51 | call to new |
| Typhoeus.rb:39:9:39:51 | call to new |
| Typhoeus.rb:44:9:44:51 | call to new |
| Typhoeus.rb:49:9:49:51 | call to new |
| Typhoeus.rb:54:9:54:51 | call to new |
getFramework
| Excon.rb:3:9:3:40 | call to get | Excon |
| Excon.rb:6:9:6:60 | call to post | Excon |
@@ -136,6 +144,14 @@ getFramework
| Typhoeus.rb:15:9:15:46 | call to delete | Typhoeus |
| Typhoeus.rb:18:9:18:44 | call to head | Typhoeus |
| Typhoeus.rb:21:9:21:47 | call to options | Typhoeus |
| Typhoeus.rb:24:8:24:50 | call to new | Typhoeus |
| Typhoeus.rb:27:8:27:50 | call to new | Typhoeus |
| Typhoeus.rb:31:9:31:51 | call to new | Typhoeus |
| Typhoeus.rb:34:9:34:51 | call to new | Typhoeus |
| Typhoeus.rb:39:9:39:51 | call to new | Typhoeus |
| Typhoeus.rb:44:9:44:51 | call to new | Typhoeus |
| Typhoeus.rb:49:9:49:51 | call to new | Typhoeus |
| Typhoeus.rb:54:9:54:51 | call to new | Typhoeus |
getResponseBody
| Excon.rb:3:9:3:40 | call to get | Excon.rb:4:1:4:10 | call to body |
| Excon.rb:6:9:6:60 | call to post | Excon.rb:7:1:7:10 | call to body |
@@ -205,6 +221,14 @@ getResponseBody
| Typhoeus.rb:15:9:15:46 | call to delete | Typhoeus.rb:16:1:16:10 | call to body |
| Typhoeus.rb:18:9:18:44 | call to head | Typhoeus.rb:19:1:19:10 | call to body |
| Typhoeus.rb:21:9:21:47 | call to options | Typhoeus.rb:22:1:22:10 | call to body |
| Typhoeus.rb:24:8:24:50 | call to new | Typhoeus.rb:25:1:25:13 | call to body |
| Typhoeus.rb:27:8:27:50 | call to new | Typhoeus.rb:29:1:29:18 | call to body |
| Typhoeus.rb:31:9:31:51 | call to new | Typhoeus.rb:32:1:32:23 | call to response_body |
| Typhoeus.rb:34:9:34:51 | call to new | Typhoeus.rb:36:5:36:15 | call to body |
| Typhoeus.rb:39:9:39:51 | call to new | Typhoeus.rb:41:5:41:15 | call to body |
| Typhoeus.rb:44:9:44:51 | call to new | Typhoeus.rb:46:5:46:15 | call to body |
| Typhoeus.rb:49:9:49:51 | call to new | Typhoeus.rb:51:5:51:15 | call to body |
| Typhoeus.rb:54:9:54:51 | call to new | Typhoeus.rb:55:19:55:24 | body15 |
getAUrlPart
| Excon.rb:3:9:3:40 | call to get | Excon.rb:3:19:3:39 | "http://example.com/" |
| Excon.rb:6:9:6:60 | call to post | Excon.rb:6:20:6:40 | "http://example.com/" |
@@ -287,3 +311,11 @@ getAUrlPart
| Typhoeus.rb:15:9:15:46 | call to delete | Typhoeus.rb:15:25:15:45 | "http://example.com/" |
| Typhoeus.rb:18:9:18:44 | call to head | Typhoeus.rb:18:23:18:43 | "http://example.com/" |
| Typhoeus.rb:21:9:21:47 | call to options | Typhoeus.rb:21:26:21:46 | "http://example.com/" |
| Typhoeus.rb:24:8:24:50 | call to new | Typhoeus.rb:24:30:24:49 | "http://example.com" |
| Typhoeus.rb:27:8:27:50 | call to new | Typhoeus.rb:27:30:27:49 | "http://example.com" |
| Typhoeus.rb:31:9:31:51 | call to new | Typhoeus.rb:31:31:31:50 | "http://example.com" |
| Typhoeus.rb:34:9:34:51 | call to new | Typhoeus.rb:34:31:34:50 | "http://example.com" |
| Typhoeus.rb:39:9:39:51 | call to new | Typhoeus.rb:39:31:39:50 | "http://example.com" |
| Typhoeus.rb:44:9:44:51 | call to new | Typhoeus.rb:44:31:44:50 | "http://example.com" |
| Typhoeus.rb:49:9:49:51 | call to new | Typhoeus.rb:49:31:49:50 | "http://example.com" |
| Typhoeus.rb:54:9:54:51 | call to new | Typhoeus.rb:54:31:54:50 | "http://example.com" |


@@ -19,4 +19,39 @@ resp6 = Typhoeus.head("http://example.com/")
resp6.body
resp7 = Typhoeus.options("http://example.com/")
resp7.body
resp7.body
req8 = Typhoeus::Request.new("http://example.com")
req8.run.body
req9 = Typhoeus::Request.new("http://example.com")
req9.run
req9.response.body
req10 = Typhoeus::Request.new("http://example.com")
req10.run.response_body
req11 = Typhoeus::Request.new("http://example.com")
req11.on_complete do |resp11|
resp11.body
end
req12 = Typhoeus::Request.new("http://example.com")
req12.on_success do |resp12|
resp12.body
end
req13 = Typhoeus::Request.new("http://example.com")
req13.on_failure do |resp13|
resp13.body
end
req14 = Typhoeus::Request.new("http://example.com")
req14.on_progress do |resp14|
resp14.body
end
req15 = Typhoeus::Request.new("http://example.com")
req15.on_body do |body15|
# ...
end


@@ -0,0 +1,32 @@
| Open3.rb:1:1:1:24 | call to popen3 | Open3.rb:1:14:1:23 | "echo foo" | true |
| Open3.rb:2:1:2:24 | call to popen2 | Open3.rb:2:14:2:23 | "echo foo" | true |
| Open3.rb:3:1:3:25 | call to popen2e | Open3.rb:3:15:3:24 | "echo foo" | true |
| Open3.rb:4:1:4:26 | call to capture3 | Open3.rb:4:16:4:25 | "echo foo" | true |
| Open3.rb:5:1:5:26 | call to capture2 | Open3.rb:5:16:5:25 | "echo foo" | true |
| Open3.rb:6:1:6:27 | call to capture2e | Open3.rb:6:17:6:26 | "echo foo" | true |
| Open3.rb:7:1:7:41 | call to pipeline_rw | Open3.rb:7:19:7:28 | "echo foo" | true |
| Open3.rb:7:1:7:41 | call to pipeline_rw | Open3.rb:7:31:7:40 | "grep bar" | true |
| Open3.rb:8:1:8:40 | call to pipeline_r | Open3.rb:8:18:8:27 | "echo foo" | true |
| Open3.rb:8:1:8:40 | call to pipeline_r | Open3.rb:8:30:8:39 | "grep bar" | true |
| Open3.rb:9:1:9:40 | call to pipeline_w | Open3.rb:9:18:9:27 | "echo foo" | true |
| Open3.rb:9:1:9:40 | call to pipeline_w | Open3.rb:9:30:9:39 | "grep bar" | true |
| Open3.rb:10:1:10:44 | call to pipeline_start | Open3.rb:10:22:10:31 | "echo foo" | true |
| Open3.rb:10:1:10:44 | call to pipeline_start | Open3.rb:10:34:10:43 | "grep bar" | true |
| Open3.rb:11:1:11:38 | call to pipeline | Open3.rb:11:16:11:25 | "echo foo" | true |
| Open3.rb:11:1:11:38 | call to pipeline | Open3.rb:11:28:11:37 | "grep bar" | true |
| Open3.rb:13:1:13:24 | call to open4 | Open3.rb:13:14:13:23 | "echo foo" | true |
| Open3.rb:14:1:14:25 | call to popen4 | Open3.rb:14:15:14:24 | "echo foo" | true |
| Open3.rb:15:1:15:23 | call to spawn | Open3.rb:15:13:15:22 | "echo bar" | true |
| Open3.rb:16:1:16:27 | call to popen4ext | Open3.rb:16:17:16:26 | "echo foo" | true |
| Open3.rb:17:1:17:30 | call to popen4ext | Open3.rb:17:17:17:22 | "echo" | false |
| Open3.rb:17:1:17:30 | call to popen4ext | Open3.rb:17:25:17:29 | "foo" | false |
| Open3.rb:18:1:18:33 | call to popen4ext | Open3.rb:18:17:18:20 | true | false |
| Open3.rb:18:1:18:33 | call to popen4ext | Open3.rb:18:23:18:32 | "echo foo" | true |
| Open3.rb:19:1:19:36 | call to popen4ext | Open3.rb:19:17:19:20 | true | false |
| Open3.rb:19:1:19:36 | call to popen4ext | Open3.rb:19:23:19:28 | "echo" | false |
| Open3.rb:19:1:19:36 | call to popen4ext | Open3.rb:19:31:19:35 | "foo" | false |
| process.rb:1:1:1:25 | call to spawn | process.rb:1:15:1:24 | "echo foo" | true |
| process.rb:2:1:2:30 | call to spawn | process.rb:2:15:2:29 | call to [] | true |
| process.rb:3:1:3:24 | call to exec | process.rb:3:14:3:23 | "echo foo" | true |
| process.rb:4:1:4:29 | call to exec | process.rb:4:14:4:28 | call to [] | true |
| process.rb:5:1:5:21 | call to spawn | process.rb:5:11:5:20 | "echo foo" | true |


@@ -0,0 +1,12 @@
import codeql.ruby.Frameworks
import codeql.ruby.Concepts
import codeql.ruby.DataFlow
query predicate commandExecutions(
SystemCommandExecution execution, DataFlow::Node arg, boolean isShellInterpreted
) {
arg = execution.getAnArgument() and
if execution.isShellInterpreted(arg)
then isShellInterpreted = true
else isShellInterpreted = false
}


@@ -11,3 +11,11 @@ open3PipelineCallExecutions
| Open3.rb:9:1:9:40 | call to pipeline_w |
| Open3.rb:10:1:10:44 | call to pipeline_start |
| Open3.rb:11:1:11:38 | call to pipeline |
open4CallExecutions
| Open3.rb:13:1:13:24 | call to open4 |
| Open3.rb:14:1:14:25 | call to popen4 |
| Open3.rb:15:1:15:23 | call to spawn |
| Open3.rb:16:1:16:27 | call to popen4ext |
| Open3.rb:17:1:17:30 | call to popen4ext |
| Open3.rb:18:1:18:33 | call to popen4ext |
| Open3.rb:19:1:19:36 | call to popen4ext |


@@ -4,3 +4,5 @@ import codeql.ruby.DataFlow
query predicate open3CallExecutions(Open3Call c) { any() }
query predicate open3PipelineCallExecutions(Open3PipelineCall c) { any() }
query predicate open4CallExecutions(Open4Call c) { any() }


@@ -8,4 +8,12 @@ Open3.pipeline_rw("echo foo", "grep bar")
Open3.pipeline_r("echo foo", "grep bar")
Open3.pipeline_w("echo foo", "grep bar")
Open3.pipeline_start("echo foo", "grep bar")
Open3.pipeline("echo foo", "grep bar")
Open3.pipeline("echo foo", "grep bar")
Open4::open4("echo foo")
Open4::popen4("echo foo")
Open4.spawn("echo bar")
Open4.popen4ext("echo foo")
Open4.popen4ext("echo", "foo")
Open4.popen4ext(true, "echo foo")
Open4.popen4ext(true, "echo", "foo")
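Review bot: The two `Open4.popen4ext(true, ...)` cases added at the end of this hunk have their leading boolean reported as a command argument in the accompanying expected output (`| Open3.rb:18:1:18:33 | call to popen4ext | Open3.rb:18:17:18:20 | true | false |`), so `getAnArgument()` of the new `Open4Call` appears to include the close-fds flag alongside the command. If that is not intended, the model should skip a leading boolean before treating the remaining positional arguments as the command; if it is intended, a comment on these lines such as `# first argument is the close-fds flag, not part of the command` would stop the next reader from reading the expectation as a bug. Either way, a case with a tainted value in the flag position would pin down which behaviour is wanted.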


@@ -0,0 +1,5 @@
Process.spawn("echo foo")
Process.spawn(["echo", "foo"])
Process.exec("echo foo")
Process.exec(["echo", "foo"])
PTY.spawn("echo foo")
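Review bot: `Process.spawn(["echo", "foo"])` and `Process.exec(["echo", "foo"])` are classified as shell-interpreted in the accompanying expected output (`| process.rb:2:1:2:30 | call to spawn | process.rb:2:15:2:29 | call to [] | true |`), but in Ruby the array form `[cmdname, argv0]` — like the multi-argument form `spawn("echo", "foo")` — is executed without a shell; only a single command-line string goes through the shell. Marking the array as shell-interpreted overstates the injection risk of code that deliberately uses the safe form, so the new `Process.spawn`/`Process.exec` model should presumably mirror the single-string-only rule used for `Kernel#system`-style calls (worth confirming against that existing model). It would also help to add `Process.spawn("echo", "foo")` and `Process.exec("echo", "foo")` here so the multi-argument case is pinned by the test as well.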


@@ -21,6 +21,9 @@ edges
| CommandInjection.rb:103:9:103:12 | file | CommandInjection.rb:104:16:104:28 | "cat #{...}" | provenance | |
| CommandInjection.rb:103:16:103:21 | call to params | CommandInjection.rb:103:16:103:28 | ...[...] | provenance | |
| CommandInjection.rb:103:16:103:28 | ...[...] | CommandInjection.rb:103:9:103:12 | file | provenance | |
| CommandInjection.rb:111:33:111:38 | call to params | CommandInjection.rb:111:33:111:44 | ...[...] | provenance | |
| CommandInjection.rb:113:44:113:49 | call to params | CommandInjection.rb:113:44:113:54 | ...[...] | provenance | |
| CommandInjection.rb:113:44:113:54 | ...[...] | CommandInjection.rb:113:41:113:56 | "#{...}" | provenance | |
nodes
| CommandInjection.rb:6:9:6:11 | cmd | semmle.label | cmd |
| CommandInjection.rb:6:15:6:20 | call to params | semmle.label | call to params |
@@ -51,6 +54,11 @@ nodes
| CommandInjection.rb:103:16:103:21 | call to params | semmle.label | call to params |
| CommandInjection.rb:103:16:103:28 | ...[...] | semmle.label | ...[...] |
| CommandInjection.rb:104:16:104:28 | "cat #{...}" | semmle.label | "cat #{...}" |
| CommandInjection.rb:111:33:111:38 | call to params | semmle.label | call to params |
| CommandInjection.rb:111:33:111:44 | ...[...] | semmle.label | ...[...] |
| CommandInjection.rb:113:41:113:56 | "#{...}" | semmle.label | "#{...}" |
| CommandInjection.rb:113:44:113:49 | call to params | semmle.label | call to params |
| CommandInjection.rb:113:44:113:54 | ...[...] | semmle.label | ...[...] |
subpaths
#select
| CommandInjection.rb:7:10:7:15 | #{...} | CommandInjection.rb:6:15:6:20 | call to params | CommandInjection.rb:7:10:7:15 | #{...} | This command depends on a $@. | CommandInjection.rb:6:15:6:20 | call to params | user-provided value |
@@ -67,3 +75,5 @@ subpaths
| CommandInjection.rb:82:14:82:34 | "echo #{...}" | CommandInjection.rb:81:23:81:33 | blah_number | CommandInjection.rb:82:14:82:34 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:81:23:81:33 | blah_number | user-provided value |
| CommandInjection.rb:91:14:91:39 | "echo #{...}" | CommandInjection.rb:91:22:91:37 | ...[...] | CommandInjection.rb:91:14:91:39 | "echo #{...}" | This command depends on a $@. | CommandInjection.rb:91:22:91:37 | ...[...] | user-provided value |
| CommandInjection.rb:104:16:104:28 | "cat #{...}" | CommandInjection.rb:103:16:103:21 | call to params | CommandInjection.rb:104:16:104:28 | "cat #{...}" | This command depends on a $@. | CommandInjection.rb:103:16:103:21 | call to params | user-provided value |
| CommandInjection.rb:111:33:111:44 | ...[...] | CommandInjection.rb:111:33:111:38 | call to params | CommandInjection.rb:111:33:111:44 | ...[...] | This command depends on a $@. | CommandInjection.rb:111:33:111:38 | call to params | user-provided value |
| CommandInjection.rb:113:41:113:56 | "#{...}" | CommandInjection.rb:113:44:113:49 | call to params | CommandInjection.rb:113:41:113:56 | "#{...}" | This command depends on a $@. | CommandInjection.rb:113:44:113:49 | call to params | user-provided value |


@@ -106,4 +106,13 @@ class Foo < ActionController::Base
system("cat #{file.shellescape}") # OK, because file is shell escaped
end
end
def index
Terrapin::CommandLine.new(params[:foo], "bar") # BAD
Terrapin::CommandLine.new("echo", "#{params[foo]}") # BAD
cmd = Terrapin::CommandLine.new("echo", ":msg")
cmd.run(msg: params[:foo]) # GOOD
end
end
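Review bot: The second `# BAD` case indexes `params` with a bare identifier, `Terrapin::CommandLine.new("echo", "#{params[foo]}")`; `foo` is not defined in `index`, so this line would raise `NameError` if run, and it no longer mirrors the `params[:foo]` access used on the line above. Suggest `Terrapin::CommandLine.new("echo", "#{params[:foo]}") # BAD` so the test reads as the intended symbol lookup. The `# GOOD` case rests on Terrapin escaping values interpolated at `run` time rather than at construction; a comment stating that assumption, e.g. `# GOOD: Terrapin escapes runtime interpolations passed to run`, would make the expectation self-explanatory for the next reader. The enclosing `Foo` class starts before this hunk.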


@@ -114,6 +114,12 @@ class FooController < ActionController::Base
User.joins(:a, params[:column])
User.count_by_sql(params[:custom_sql_query])
# BAD: executes `SELECT users.* FROM #{params[:tab]}`
# where `params[:tab]` is unsanitized
User.all.from(params[:tab])
# BAD: executes `SELECT "users".* FROM (SELECT "users".* FROM "users") #{params[:sq]}
User.all.from(User.all, params[:sq])
end
end
@@ -198,3 +204,14 @@ class RegressionController < ActionController::Base
Regression.connection.execute("SELECT * FROM users WHERE id = #{permitted_params[:user_id]}")
end
end
class User
scope :with_role, ->(role) { where("role = #{role}") }
end
class UsersController < ActionController::Base
def index
# BAD: user input passed to scope which uses it without sanitization.
@users = User.with_role(params[:role])
end
end
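Review bot: The new `with_role` scope fixture only has a BAD case, so nothing checks that the scope data-flow step does not also flag the safe, parameterized form of the same scope. Adding a sibling `scope :with_role_safe, ->(role) { where(role: role) } # GOOD` to `User` and a call `@users = User.with_role_safe(params[:role]) # GOOD` in `UsersController#index` would guard the new flow against false positives. Earlier hunks in this file already query `User` (`User.joins`, `User.all`), so if a `User` class is defined elsewhere in the fixture this `class User` reopens it rather than defining a new model; that looks intended but deserves a one-line comment such as `# Reopened to add a scope for the scope-flow test.`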


@@ -46,34 +46,39 @@ edges
| ActiveRecordInjection.rb:113:21:113:26 | call to params | ActiveRecordInjection.rb:113:21:113:35 | ...[...] | provenance | |
| ActiveRecordInjection.rb:114:20:114:25 | call to params | ActiveRecordInjection.rb:114:20:114:34 | ...[...] | provenance | |
| ActiveRecordInjection.rb:116:23:116:28 | call to params | ActiveRecordInjection.rb:116:23:116:47 | ...[...] | provenance | |
| ActiveRecordInjection.rb:122:5:122:6 | ps | ActiveRecordInjection.rb:123:11:123:12 | ps | provenance | |
| ActiveRecordInjection.rb:122:10:122:15 | call to params | ActiveRecordInjection.rb:122:5:122:6 | ps | provenance | |
| ActiveRecordInjection.rb:123:5:123:7 | uid | ActiveRecordInjection.rb:124:5:124:9 | uidEq | provenance | |
| ActiveRecordInjection.rb:123:11:123:12 | ps | ActiveRecordInjection.rb:123:11:123:17 | ...[...] | provenance | |
| ActiveRecordInjection.rb:123:11:123:17 | ...[...] | ActiveRecordInjection.rb:123:5:123:7 | uid | provenance | |
| ActiveRecordInjection.rb:124:5:124:9 | uidEq | ActiveRecordInjection.rb:128:20:128:32 | ... + ... | provenance | |
| ActiveRecordInjection.rb:124:5:124:9 | uidEq | ActiveRecordInjection.rb:128:28:128:32 | uidEq | provenance | |
| ActiveRecordInjection.rb:128:20:128:32 | ... + ... [element] | ActiveRecordInjection.rb:128:20:128:32 | ... + ... | provenance | |
| ActiveRecordInjection.rb:128:28:128:32 | uidEq | ActiveRecordInjection.rb:128:20:128:32 | ... + ... [element] | provenance | |
| ActiveRecordInjection.rb:161:21:161:26 | call to params | ActiveRecordInjection.rb:161:21:161:44 | ...[...] | provenance | |
| ActiveRecordInjection.rb:161:21:161:26 | call to params | ActiveRecordInjection.rb:161:21:161:44 | ...[...] | provenance | |
| ActiveRecordInjection.rb:161:21:161:44 | ...[...] | ActiveRecordInjection.rb:20:22:20:30 | condition | provenance | |
| ActiveRecordInjection.rb:175:59:175:64 | call to params | ActiveRecordInjection.rb:175:59:175:74 | ...[...] | provenance | |
| ActiveRecordInjection.rb:175:59:175:74 | ...[...] | ActiveRecordInjection.rb:175:27:175:76 | "this is an unsafe annotation:..." | provenance | |
| ActiveRecordInjection.rb:186:5:186:13 | my_params | ActiveRecordInjection.rb:187:47:187:55 | my_params | provenance | |
| ActiveRecordInjection.rb:186:17:186:32 | call to permitted_params | ActiveRecordInjection.rb:186:5:186:13 | my_params | provenance | |
| ActiveRecordInjection.rb:187:5:187:9 | query | ActiveRecordInjection.rb:188:37:188:41 | query | provenance | |
| ActiveRecordInjection.rb:187:47:187:55 | my_params | ActiveRecordInjection.rb:187:47:187:65 | ...[...] | provenance | |
| ActiveRecordInjection.rb:187:47:187:65 | ...[...] | ActiveRecordInjection.rb:187:5:187:9 | query | provenance | |
| ActiveRecordInjection.rb:193:5:193:10 | call to params | ActiveRecordInjection.rb:193:5:193:27 | call to require | provenance | |
| ActiveRecordInjection.rb:193:5:193:27 | call to require | ActiveRecordInjection.rb:193:5:193:59 | call to permit | provenance | |
| ActiveRecordInjection.rb:193:5:193:59 | call to permit | ActiveRecordInjection.rb:186:17:186:32 | call to permitted_params | provenance | |
| ActiveRecordInjection.rb:193:5:193:59 | call to permit | ActiveRecordInjection.rb:197:77:197:92 | call to permitted_params | provenance | |
| ActiveRecordInjection.rb:193:5:193:59 | call to permit | ActiveRecordInjection.rb:198:69:198:84 | call to permitted_params | provenance | |
| ActiveRecordInjection.rb:197:77:197:92 | call to permitted_params | ActiveRecordInjection.rb:197:77:197:102 | ...[...] | provenance | |
| ActiveRecordInjection.rb:197:77:197:102 | ...[...] | ActiveRecordInjection.rb:197:43:197:104 | "SELECT * FROM users WHERE id ..." | provenance | |
| ActiveRecordInjection.rb:198:69:198:84 | call to permitted_params | ActiveRecordInjection.rb:198:69:198:94 | ...[...] | provenance | |
| ActiveRecordInjection.rb:198:69:198:94 | ...[...] | ActiveRecordInjection.rb:198:35:198:96 | "SELECT * FROM users WHERE id ..." | provenance | |
| ActiveRecordInjection.rb:120:19:120:24 | call to params | ActiveRecordInjection.rb:120:19:120:30 | ...[...] | provenance | |
| ActiveRecordInjection.rb:122:29:122:34 | call to params | ActiveRecordInjection.rb:122:29:122:39 | ...[...] | provenance | |
| ActiveRecordInjection.rb:128:5:128:6 | ps | ActiveRecordInjection.rb:129:11:129:12 | ps | provenance | |
| ActiveRecordInjection.rb:128:10:128:15 | call to params | ActiveRecordInjection.rb:128:5:128:6 | ps | provenance | |
| ActiveRecordInjection.rb:129:5:129:7 | uid | ActiveRecordInjection.rb:130:5:130:9 | uidEq | provenance | |
| ActiveRecordInjection.rb:129:11:129:12 | ps | ActiveRecordInjection.rb:129:11:129:17 | ...[...] | provenance | |
| ActiveRecordInjection.rb:129:11:129:17 | ...[...] | ActiveRecordInjection.rb:129:5:129:7 | uid | provenance | |
| ActiveRecordInjection.rb:130:5:130:9 | uidEq | ActiveRecordInjection.rb:134:20:134:32 | ... + ... | provenance | |
| ActiveRecordInjection.rb:130:5:130:9 | uidEq | ActiveRecordInjection.rb:134:28:134:32 | uidEq | provenance | |
| ActiveRecordInjection.rb:134:20:134:32 | ... + ... [element] | ActiveRecordInjection.rb:134:20:134:32 | ... + ... | provenance | |
| ActiveRecordInjection.rb:134:28:134:32 | uidEq | ActiveRecordInjection.rb:134:20:134:32 | ... + ... [element] | provenance | |
| ActiveRecordInjection.rb:167:21:167:26 | call to params | ActiveRecordInjection.rb:167:21:167:44 | ...[...] | provenance | |
| ActiveRecordInjection.rb:167:21:167:26 | call to params | ActiveRecordInjection.rb:167:21:167:44 | ...[...] | provenance | |
| ActiveRecordInjection.rb:167:21:167:44 | ...[...] | ActiveRecordInjection.rb:20:22:20:30 | condition | provenance | |
| ActiveRecordInjection.rb:181:59:181:64 | call to params | ActiveRecordInjection.rb:181:59:181:74 | ...[...] | provenance | |
| ActiveRecordInjection.rb:181:59:181:74 | ...[...] | ActiveRecordInjection.rb:181:27:181:76 | "this is an unsafe annotation:..." | provenance | |
| ActiveRecordInjection.rb:192:5:192:13 | my_params | ActiveRecordInjection.rb:193:47:193:55 | my_params | provenance | |
| ActiveRecordInjection.rb:192:17:192:32 | call to permitted_params | ActiveRecordInjection.rb:192:5:192:13 | my_params | provenance | |
| ActiveRecordInjection.rb:193:5:193:9 | query | ActiveRecordInjection.rb:194:37:194:41 | query | provenance | |
| ActiveRecordInjection.rb:193:47:193:55 | my_params | ActiveRecordInjection.rb:193:47:193:65 | ...[...] | provenance | |
| ActiveRecordInjection.rb:193:47:193:65 | ...[...] | ActiveRecordInjection.rb:193:5:193:9 | query | provenance | |
| ActiveRecordInjection.rb:199:5:199:10 | call to params | ActiveRecordInjection.rb:199:5:199:27 | call to require | provenance | |
| ActiveRecordInjection.rb:199:5:199:27 | call to require | ActiveRecordInjection.rb:199:5:199:59 | call to permit | provenance | |
| ActiveRecordInjection.rb:199:5:199:59 | call to permit | ActiveRecordInjection.rb:192:17:192:32 | call to permitted_params | provenance | |
| ActiveRecordInjection.rb:199:5:199:59 | call to permit | ActiveRecordInjection.rb:203:77:203:92 | call to permitted_params | provenance | |
| ActiveRecordInjection.rb:199:5:199:59 | call to permit | ActiveRecordInjection.rb:204:69:204:84 | call to permitted_params | provenance | |
| ActiveRecordInjection.rb:203:77:203:92 | call to permitted_params | ActiveRecordInjection.rb:203:77:203:102 | ...[...] | provenance | |
| ActiveRecordInjection.rb:203:77:203:102 | ...[...] | ActiveRecordInjection.rb:203:43:203:104 | "SELECT * FROM users WHERE id ..." | provenance | |
| ActiveRecordInjection.rb:204:69:204:84 | call to permitted_params | ActiveRecordInjection.rb:204:69:204:94 | ...[...] | provenance | |
| ActiveRecordInjection.rb:204:69:204:94 | ...[...] | ActiveRecordInjection.rb:204:35:204:96 | "SELECT * FROM users WHERE id ..." | provenance | |
| ActiveRecordInjection.rb:209:24:209:27 | role | ActiveRecordInjection.rb:209:38:209:53 | "role = #{...}" | provenance | |
| ActiveRecordInjection.rb:215:29:215:34 | call to params | ActiveRecordInjection.rb:215:29:215:41 | ...[...] | provenance | |
| ActiveRecordInjection.rb:215:29:215:41 | ...[...] | ActiveRecordInjection.rb:209:24:209:27 | role | provenance | |
| ArelInjection.rb:4:5:4:8 | name | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | provenance | |
| ArelInjection.rb:4:5:4:8 | name | ArelInjection.rb:7:39:7:80 | "SELECT * FROM users WHERE nam..." | provenance | |
| ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:4:12:4:29 | ...[...] | provenance | |
@@ -165,36 +170,44 @@ nodes
| ActiveRecordInjection.rb:114:20:114:34 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:116:23:116:28 | call to params | semmle.label | call to params |
| ActiveRecordInjection.rb:116:23:116:47 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:122:5:122:6 | ps | semmle.label | ps |
| ActiveRecordInjection.rb:122:10:122:15 | call to params | semmle.label | call to params |
| ActiveRecordInjection.rb:123:5:123:7 | uid | semmle.label | uid |
| ActiveRecordInjection.rb:123:11:123:12 | ps | semmle.label | ps |
| ActiveRecordInjection.rb:123:11:123:17 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:124:5:124:9 | uidEq | semmle.label | uidEq |
| ActiveRecordInjection.rb:128:20:128:32 | ... + ... | semmle.label | ... + ... |
| ActiveRecordInjection.rb:128:20:128:32 | ... + ... [element] | semmle.label | ... + ... [element] |
| ActiveRecordInjection.rb:128:28:128:32 | uidEq | semmle.label | uidEq |
| ActiveRecordInjection.rb:161:21:161:26 | call to params | semmle.label | call to params |
| ActiveRecordInjection.rb:161:21:161:44 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:161:21:161:44 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:175:27:175:76 | "this is an unsafe annotation:..." | semmle.label | "this is an unsafe annotation:..." |
| ActiveRecordInjection.rb:175:59:175:64 | call to params | semmle.label | call to params |
| ActiveRecordInjection.rb:175:59:175:74 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:186:5:186:13 | my_params | semmle.label | my_params |
| ActiveRecordInjection.rb:186:17:186:32 | call to permitted_params | semmle.label | call to permitted_params |
| ActiveRecordInjection.rb:187:5:187:9 | query | semmle.label | query |
| ActiveRecordInjection.rb:187:47:187:55 | my_params | semmle.label | my_params |
| ActiveRecordInjection.rb:187:47:187:65 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:188:37:188:41 | query | semmle.label | query |
| ActiveRecordInjection.rb:193:5:193:10 | call to params | semmle.label | call to params |
| ActiveRecordInjection.rb:193:5:193:27 | call to require | semmle.label | call to require |
| ActiveRecordInjection.rb:193:5:193:59 | call to permit | semmle.label | call to permit |
| ActiveRecordInjection.rb:197:43:197:104 | "SELECT * FROM users WHERE id ..." | semmle.label | "SELECT * FROM users WHERE id ..." |
| ActiveRecordInjection.rb:197:77:197:92 | call to permitted_params | semmle.label | call to permitted_params |
| ActiveRecordInjection.rb:197:77:197:102 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:198:35:198:96 | "SELECT * FROM users WHERE id ..." | semmle.label | "SELECT * FROM users WHERE id ..." |
| ActiveRecordInjection.rb:198:69:198:84 | call to permitted_params | semmle.label | call to permitted_params |
| ActiveRecordInjection.rb:198:69:198:94 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:120:19:120:24 | call to params | semmle.label | call to params |
| ActiveRecordInjection.rb:120:19:120:30 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:122:29:122:34 | call to params | semmle.label | call to params |
| ActiveRecordInjection.rb:122:29:122:39 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:128:5:128:6 | ps | semmle.label | ps |
| ActiveRecordInjection.rb:128:10:128:15 | call to params | semmle.label | call to params |
| ActiveRecordInjection.rb:129:5:129:7 | uid | semmle.label | uid |
| ActiveRecordInjection.rb:129:11:129:12 | ps | semmle.label | ps |
| ActiveRecordInjection.rb:129:11:129:17 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:130:5:130:9 | uidEq | semmle.label | uidEq |
| ActiveRecordInjection.rb:134:20:134:32 | ... + ... | semmle.label | ... + ... |
| ActiveRecordInjection.rb:134:20:134:32 | ... + ... [element] | semmle.label | ... + ... [element] |
| ActiveRecordInjection.rb:134:28:134:32 | uidEq | semmle.label | uidEq |
| ActiveRecordInjection.rb:167:21:167:26 | call to params | semmle.label | call to params |
| ActiveRecordInjection.rb:167:21:167:44 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:167:21:167:44 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:181:27:181:76 | "this is an unsafe annotation:..." | semmle.label | "this is an unsafe annotation:..." |
| ActiveRecordInjection.rb:181:59:181:64 | call to params | semmle.label | call to params |
| ActiveRecordInjection.rb:181:59:181:74 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:192:5:192:13 | my_params | semmle.label | my_params |
| ActiveRecordInjection.rb:192:17:192:32 | call to permitted_params | semmle.label | call to permitted_params |
| ActiveRecordInjection.rb:193:5:193:9 | query | semmle.label | query |
| ActiveRecordInjection.rb:193:47:193:55 | my_params | semmle.label | my_params |
| ActiveRecordInjection.rb:193:47:193:65 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:194:37:194:41 | query | semmle.label | query |
| ActiveRecordInjection.rb:199:5:199:10 | call to params | semmle.label | call to params |
| ActiveRecordInjection.rb:199:5:199:27 | call to require | semmle.label | call to require |
| ActiveRecordInjection.rb:199:5:199:59 | call to permit | semmle.label | call to permit |
| ActiveRecordInjection.rb:203:43:203:104 | "SELECT * FROM users WHERE id ..." | semmle.label | "SELECT * FROM users WHERE id ..." |
| ActiveRecordInjection.rb:203:77:203:92 | call to permitted_params | semmle.label | call to permitted_params |
| ActiveRecordInjection.rb:203:77:203:102 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:204:35:204:96 | "SELECT * FROM users WHERE id ..." | semmle.label | "SELECT * FROM users WHERE id ..." |
| ActiveRecordInjection.rb:204:69:204:84 | call to permitted_params | semmle.label | call to permitted_params |
| ActiveRecordInjection.rb:204:69:204:94 | ...[...] | semmle.label | ...[...] |
| ActiveRecordInjection.rb:209:24:209:27 | role | semmle.label | role |
| ActiveRecordInjection.rb:209:38:209:53 | "role = #{...}" | semmle.label | "role = #{...}" |
| ActiveRecordInjection.rb:215:29:215:34 | call to params | semmle.label | call to params |
| ActiveRecordInjection.rb:215:29:215:41 | ...[...] | semmle.label | ...[...] |
| ArelInjection.rb:4:5:4:8 | name | semmle.label | name |
| ArelInjection.rb:4:12:4:17 | call to params | semmle.label | call to params |
| ArelInjection.rb:4:12:4:29 | ...[...] | semmle.label | ...[...] |
@@ -217,7 +230,7 @@ subpaths
#select
| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:70:23:70:28 | call to params | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:70:23:70:28 | call to params | user-provided value |
| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:70:38:70:43 | call to params | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:70:38:70:43 | call to params | user-provided value |
| ActiveRecordInjection.rb:23:16:23:24 | condition | ActiveRecordInjection.rb:161:21:161:26 | call to params | ActiveRecordInjection.rb:23:16:23:24 | condition | This SQL query depends on a $@. | ActiveRecordInjection.rb:161:21:161:26 | call to params | user-provided value |
| ActiveRecordInjection.rb:23:16:23:24 | condition | ActiveRecordInjection.rb:167:21:167:26 | call to params | ActiveRecordInjection.rb:23:16:23:24 | condition | This SQL query depends on a $@. | ActiveRecordInjection.rb:167:21:167:26 | call to params | user-provided value |
| ActiveRecordInjection.rb:35:30:35:44 | ...[...] | ActiveRecordInjection.rb:35:30:35:35 | call to params | ActiveRecordInjection.rb:35:30:35:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:35:30:35:35 | call to params | user-provided value |
| ActiveRecordInjection.rb:39:18:39:32 | ...[...] | ActiveRecordInjection.rb:39:18:39:23 | call to params | ActiveRecordInjection.rb:39:18:39:32 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:39:18:39:23 | call to params | user-provided value |
| ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | ActiveRecordInjection.rb:43:29:43:34 | call to params | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:43:29:43:34 | call to params | user-provided value |
@@ -243,12 +256,15 @@ subpaths
| ActiveRecordInjection.rb:113:21:113:35 | ...[...] | ActiveRecordInjection.rb:113:21:113:26 | call to params | ActiveRecordInjection.rb:113:21:113:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:113:21:113:26 | call to params | user-provided value |
| ActiveRecordInjection.rb:114:20:114:34 | ...[...] | ActiveRecordInjection.rb:114:20:114:25 | call to params | ActiveRecordInjection.rb:114:20:114:34 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:114:20:114:25 | call to params | user-provided value |
| ActiveRecordInjection.rb:116:23:116:47 | ...[...] | ActiveRecordInjection.rb:116:23:116:28 | call to params | ActiveRecordInjection.rb:116:23:116:47 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:116:23:116:28 | call to params | user-provided value |
| ActiveRecordInjection.rb:128:20:128:32 | ... + ... | ActiveRecordInjection.rb:122:10:122:15 | call to params | ActiveRecordInjection.rb:128:20:128:32 | ... + ... | This SQL query depends on a $@. | ActiveRecordInjection.rb:122:10:122:15 | call to params | user-provided value |
| ActiveRecordInjection.rb:161:21:161:44 | ...[...] | ActiveRecordInjection.rb:161:21:161:26 | call to params | ActiveRecordInjection.rb:161:21:161:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:161:21:161:26 | call to params | user-provided value |
| ActiveRecordInjection.rb:175:27:175:76 | "this is an unsafe annotation:..." | ActiveRecordInjection.rb:175:59:175:64 | call to params | ActiveRecordInjection.rb:175:27:175:76 | "this is an unsafe annotation:..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:175:59:175:64 | call to params | user-provided value |
| ActiveRecordInjection.rb:188:37:188:41 | query | ActiveRecordInjection.rb:193:5:193:10 | call to params | ActiveRecordInjection.rb:188:37:188:41 | query | This SQL query depends on a $@. | ActiveRecordInjection.rb:193:5:193:10 | call to params | user-provided value |
| ActiveRecordInjection.rb:197:43:197:104 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:193:5:193:10 | call to params | ActiveRecordInjection.rb:197:43:197:104 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:193:5:193:10 | call to params | user-provided value |
| ActiveRecordInjection.rb:198:35:198:96 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:193:5:193:10 | call to params | ActiveRecordInjection.rb:198:35:198:96 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:193:5:193:10 | call to params | user-provided value |
| ActiveRecordInjection.rb:120:19:120:30 | ...[...] | ActiveRecordInjection.rb:120:19:120:24 | call to params | ActiveRecordInjection.rb:120:19:120:30 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:120:19:120:24 | call to params | user-provided value |
| ActiveRecordInjection.rb:122:29:122:39 | ...[...] | ActiveRecordInjection.rb:122:29:122:34 | call to params | ActiveRecordInjection.rb:122:29:122:39 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:122:29:122:34 | call to params | user-provided value |
| ActiveRecordInjection.rb:134:20:134:32 | ... + ... | ActiveRecordInjection.rb:128:10:128:15 | call to params | ActiveRecordInjection.rb:134:20:134:32 | ... + ... | This SQL query depends on a $@. | ActiveRecordInjection.rb:128:10:128:15 | call to params | user-provided value |
| ActiveRecordInjection.rb:167:21:167:44 | ...[...] | ActiveRecordInjection.rb:167:21:167:26 | call to params | ActiveRecordInjection.rb:167:21:167:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:167:21:167:26 | call to params | user-provided value |
| ActiveRecordInjection.rb:181:27:181:76 | "this is an unsafe annotation:..." | ActiveRecordInjection.rb:181:59:181:64 | call to params | ActiveRecordInjection.rb:181:27:181:76 | "this is an unsafe annotation:..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:181:59:181:64 | call to params | user-provided value |
| ActiveRecordInjection.rb:194:37:194:41 | query | ActiveRecordInjection.rb:199:5:199:10 | call to params | ActiveRecordInjection.rb:194:37:194:41 | query | This SQL query depends on a $@. | ActiveRecordInjection.rb:199:5:199:10 | call to params | user-provided value |
| ActiveRecordInjection.rb:203:43:203:104 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:199:5:199:10 | call to params | ActiveRecordInjection.rb:203:43:203:104 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:199:5:199:10 | call to params | user-provided value |
| ActiveRecordInjection.rb:204:35:204:96 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:199:5:199:10 | call to params | ActiveRecordInjection.rb:204:35:204:96 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:199:5:199:10 | call to params | user-provided value |
| ActiveRecordInjection.rb:209:38:209:53 | "role = #{...}" | ActiveRecordInjection.rb:215:29:215:34 | call to params | ActiveRecordInjection.rb:209:38:209:53 | "role = #{...}" | This SQL query depends on a $@. | ActiveRecordInjection.rb:215:29:215:34 | call to params | user-provided value |
| ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value |
| ArelInjection.rb:7:39:7:80 | "SELECT * FROM users WHERE nam..." | ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:7:39:7:80 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value |
| PgInjection.rb:14:15:14:18 | qry1 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:14:15:14:18 | qry1 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value |