Merge pull request #15718 from joefarebrother/ruby-arel-sqlliteral

Ruby: Model Arel::Nodes::SqlLiteral.new
2026-04-29 10:45:15 +02:00 · 2024-02-27 12:43:47 +00:00
parent df5e753ee0 cb733dcf85
commit 3ab6f222d0
5 changed files with 39 additions and 0 deletions
--- a/ruby/ql/lib/change-notes/2024-02-26-arel-sqlliteral.md
+++ b/ruby/ql/lib/change-notes/2024-02-26-arel-sqlliteral.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+Calls to `Arel::Nodes::SqlLiteral.new` are now modeled as instances of the `SqlConstruction` concept, as well as propagating taint from their argument.
--- a/ruby/ql/lib/codeql/ruby/frameworks/Arel.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Arel.qll
@@ -39,4 +39,34 @@ module Arel {

    override DataFlow::Node getSql() { result = this.getArgument(0) }
  }
+
+  /**
+   * Flow summary for `Arel::Nodes::SqlLiteral.new`. This method wraps a SQL string, marking it as
+   * safe.
+   */
+  private class SqlLiteralNewSummary extends SummarizedCallable {
+    SqlLiteralNewSummary() { this = "Arel::Nodes::SqlLiteral.new" }
+
+    override MethodCall getACall() {
+      result = any(ArelSqlLiteralNewConstruction c).asExpr().getExpr()
+    }
+
+    override predicate propagatesFlow(string input, string output, boolean preservesValue) {
+      input = "Argument[0]" and output = "ReturnValue" and preservesValue = false
+    }
+  }
+
+  /** A call to `Arel::Nodes::SqlLiteral.new`, considered as a SQL construction. */
+  private class ArelSqlLiteralNewConstruction extends SqlConstruction::Range, DataFlow::CallNode {
+    ArelSqlLiteralNewConstruction() {
+      this.asExpr() =
+        API::getTopLevelMember("Arel")
+            .getMember("Nodes")
+            .getMember("SqlLiteral")
+            .getAMethodCall("new")
+            .asExpr()
+    }
+
+    override DataFlow::Node getSql() { result = this.getArgument(0) }
+  }
 }