Fix bad join

2026-04-26 09:15:12 +02:00 · 2024-04-03 19:41:37 +02:00
parent fb19288981
commit 3c96bf6b22
1 changed files with 21 additions and 21 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
@@ -797,30 +797,30 @@ class ActiveRecordScopeCallTarget extends AdditionalCallTarget {
 private module MassAssignmentSinks {
  private import codeql.ruby.security.MassAssignmentCustomizations

+  pragma[nomagic]
+  private predicate massAssignmentCall(DataFlow::CallNode call, string name) {
+    call = activeRecordBaseClass().getAMethodCall(name)
+    or
+    call instanceof ActiveRecordInstanceMethodCall and
+    call.getMethodName() = name
+  }
+
  /** A call to a method that sets attributes of an database record using a hash. */
  private class MassAssignmentCall extends MassAssignment::Sink {
    MassAssignmentCall() {
-      exists(DataFlow::CallNode call, string name |
-        (
-          call = activeRecordBaseClass().getAMethodCall(name)
-          or
-          call instanceof ActiveRecordInstanceMethodCall and
-          call.getMethodName() = name
-        ) and
-        (
-          name =
-            [
-              "build", "create", "create!", "create_with", "create_or_find_by",
-              "create_or_find_by!", "find_or_create_by", "find_or_create_by!",
-              "find_or_initialize_by", "insert", "insert!", "insert_all", "insert_all!",
-              "instantiate", "new", "update", "update!", "upsert", "upsert_all"
-            ] and
-          this = call.getArgument(0)
-          or
-          // These methods have an optional first id parameter.
-          name = ["update", "update!"] and
-          this = call.getArgument(1)
-        )
+      exists(DataFlow::CallNode call, string name | massAssignmentCall(call, name) |
+        name =
+          [
+            "build", "create", "create!", "create_with", "create_or_find_by", "create_or_find_by!",
+            "find_or_create_by", "find_or_create_by!", "find_or_initialize_by", "insert", "insert!",
+            "insert_all", "insert_all!", "instantiate", "new", "update", "update!", "upsert",
+            "upsert_all"
+          ] and
+        this = call.getArgument(0)
+        or
+        // These methods have an optional first id parameter.
+        name = ["update", "update!"] and
+        this = call.getArgument(1)
      )
    }
  }