add support for string-like-literals

2026-04-28 10:15:14 +02:00 · 2022-11-24 18:01:54 +01:00
parent 80c92dc3e6
commit 378cc1aed2
3 changed files with 12 additions and 1 deletions
--- a/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeCodeConstructionCustomizations.qll
@@ -84,7 +84,7 @@ module UnsafeCodeConstruction {
    Concepts::CodeExecution s;

    StringFormatAsSink() {
-      exists(Ast::StringLiteral lit |
+      exists(Ast::StringlikeLiteral lit |
        any(DataFlow::Node n | n.asExpr().getExpr() = lit) = getANodeExecutedAsCode(s) and
        this.asExpr().getExpr() = lit.getComponent(_)
      )
--- a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected
+++ b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/UnsafeCodeConstruction.expected
@@ -6,6 +6,7 @@ edges
 | impl/unsafeCode.rb:32:21:32:21 | x :  | impl/unsafeCode.rb:34:10:34:12 | arr |
 | impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:40:10:40:12 | arr |
 | impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:44:10:44:12 | arr |
+| impl/unsafeCode.rb:47:15:47:15 | x :  | impl/unsafeCode.rb:49:9:49:12 | #{...} |
 nodes
 | impl/unsafeCode.rb:2:12:2:17 | target :  | semmle.label | target :  |
 | impl/unsafeCode.rb:3:17:3:25 | #{...} | semmle.label | #{...} |
@@ -20,6 +21,8 @@ nodes
 | impl/unsafeCode.rb:37:15:37:15 | x :  | semmle.label | x :  |
 | impl/unsafeCode.rb:40:10:40:12 | arr | semmle.label | arr |
 | impl/unsafeCode.rb:44:10:44:12 | arr | semmle.label | arr |
+| impl/unsafeCode.rb:47:15:47:15 | x :  | semmle.label | x :  |
+| impl/unsafeCode.rb:49:9:49:12 | #{...} | semmle.label | #{...} |
 subpaths
 #select
 | impl/unsafeCode.rb:3:17:3:25 | #{...} | impl/unsafeCode.rb:2:12:2:17 | target :  | impl/unsafeCode.rb:3:17:3:25 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:2:12:2:17 | target | library input | impl/unsafeCode.rb:3:5:3:27 | call to eval | interpreted as code |
@@ -29,3 +32,4 @@ subpaths
 | impl/unsafeCode.rb:34:10:34:12 | arr | impl/unsafeCode.rb:32:21:32:21 | x :  | impl/unsafeCode.rb:34:10:34:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:32:21:32:21 | x | library input | impl/unsafeCode.rb:34:5:34:24 | call to eval | interpreted as code |
 | impl/unsafeCode.rb:40:10:40:12 | arr | impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:40:10:40:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:37:15:37:15 | x | library input | impl/unsafeCode.rb:40:5:40:24 | call to eval | interpreted as code |
 | impl/unsafeCode.rb:44:10:44:12 | arr | impl/unsafeCode.rb:37:15:37:15 | x :  | impl/unsafeCode.rb:44:10:44:12 | arr | This array which depends on $@ is later $@. | impl/unsafeCode.rb:37:15:37:15 | x | library input | impl/unsafeCode.rb:44:5:44:24 | call to eval | interpreted as code |
+| impl/unsafeCode.rb:49:9:49:12 | #{...} | impl/unsafeCode.rb:47:15:47:15 | x :  | impl/unsafeCode.rb:49:9:49:12 | #{...} | This string interpolation which depends on $@ is later $@. | impl/unsafeCode.rb:47:15:47:15 | x | library input | impl/unsafeCode.rb:51:5:51:13 | call to eval | interpreted as code |
--- a/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb
+++ b/ruby/ql/test/query-tests/security/cwe-094/UnsafeCodeConstruction/impl/unsafeCode.rb
@@ -43,4 +43,11 @@ class Foobar
    arr2 << y
    eval(arr.join("\n")) # NOT OK
  end
+
+  def hereDoc(x)
+    foo = <<~HERE
+        #{x}
+    HERE
+    eval(foo) # NOT OK
+  end
 end