Merge pull request #10316 from hmac/hmac/actionview

Ruby: Model ActionView
2026-05-05 05:35:13 +02:00 · 2022-10-04 08:16:16 +13:00
parent 98f4caf76f e48665ad9f
commit 42a97b26bb
12 changed files with 377 additions and 4 deletions
--- a/ruby/ql/test/library-tests/frameworks/ActionView.expected
+++ b/ruby/ql/test/library-tests/frameworks/ActionView.expected
@@ -30,3 +30,12 @@ httpResponses
 | app/controllers/foo/bars_controller.rb:36:12:36:67 | call to render_to_string | app/controllers/foo/bars_controller.rb:36:29:36:33 | @user | application/json |
 | app/controllers/foo/bars_controller.rb:38:5:38:50 | call to render | app/controllers/foo/bars_controller.rb:38:12:38:22 | call to backtrace | text/plain |
 | app/controllers/foo/bars_controller.rb:44:5:44:17 | call to render | app/controllers/foo/bars_controller.rb:44:12:44:17 | "show" | text/html |
+rawHelperCalls
+| action_view/helpers.erb:4:1:4:36 | call to simple_format | action_view/helpers.erb:4:15:4:15 | call to x |
+| action_view/helpers.erb:7:1:7:26 | call to truncate | action_view/helpers.erb:7:10:7:10 | call to x |
+| action_view/helpers.erb:10:1:10:29 | call to highlight | action_view/helpers.erb:10:11:10:11 | call to x |
+| action_view/helpers.erb:12:1:12:17 | call to javascript_tag | action_view/helpers.erb:12:16:12:16 | call to x |
+| action_view/helpers.erb:15:1:15:27 | call to content_tag | action_view/helpers.erb:15:16:15:16 | call to y |
+| action_view/helpers.erb:18:1:18:19 | call to tag | action_view/helpers.erb:18:5:18:5 | call to x |
+| action_view/helpers.erb:21:1:21:24 | call to h1 | action_view/helpers.erb:21:8:21:8 | call to x |
+| action_view/helpers.erb:24:1:24:23 | call to p | action_view/helpers.erb:24:7:24:7 | call to x |
--- a/ruby/ql/test/library-tests/frameworks/ActionView.ql
+++ b/ruby/ql/test/library-tests/frameworks/ActionView.ql
@@ -1,7 +1,8 @@
+private import ruby
+private import codeql.ruby.AST
 private import codeql.ruby.frameworks.ActionController
 private import codeql.ruby.frameworks.ActionView
 private import codeql.ruby.Concepts
-private import codeql.ruby.DataFlow

 query predicate htmlSafeCalls(HtmlSafeCall c) { any() }

@@ -16,3 +17,7 @@ query predicate linkToCalls(LinkToCall c) { any() }
 query predicate httpResponses(Http::Server::HttpResponse r, DataFlow::Node body, string mimeType) {
  r.getBody() = body and r.getMimetype() = mimeType
 }
+
+query predicate rawHelperCalls(ActionView::Helpers::RawHelperCall c, Expr arg) {
+  arg = c.getRawArgument()
+}
--- a/ruby/ql/test/library-tests/frameworks/action_view/helpers.erb
+++ b/ruby/ql/test/library-tests/frameworks/action_view/helpers.erb
@@ -0,0 +1,26 @@
+<%=
+
+simple_format(x, y, sanitize: true)
+simple_format(x, y, sanitize: false)
+
+truncate(x, escape: true)
+truncate(x, escape: false)
+
+highlight(x, sanitize: true)
+highlight(x, sanitize: false)
+
+javascript_tag(x)
+
+content_tag(x, y, z, true)
+content_tag(x, y, z, false)
+
+tag(x, y, z, true)
+tag(x, y, z, false)
+
+tag.h1(x, escape: true)
+tag.h1(x, escape: false)
+
+tag.p(x, escape: true)
+tag.p(x, escape: false)
+
+%>
--- a/ruby/ql/test/library-tests/frameworks/active_support/ActiveSupportDataFlow.expected
+++ b/ruby/ql/test/library-tests/frameworks/active_support/ActiveSupportDataFlow.expected
@@ -102,6 +102,40 @@ edges
 | active_support.rb:134:10:134:10 | b [element] :  | active_support.rb:134:10:134:13 | ...[...] |
 | active_support.rb:135:10:135:10 | b [element] :  | active_support.rb:135:10:135:13 | ...[...] |
 | active_support.rb:135:10:135:10 | b [element] :  | active_support.rb:135:10:135:13 | ...[...] |
+| active_support.rb:139:7:139:16 | call to source :  | active_support.rb:140:34:140:34 | x :  |
+| active_support.rb:140:7:140:35 | call to new :  | active_support.rb:141:8:141:8 | y |
+| active_support.rb:140:34:140:34 | x :  | active_support.rb:140:7:140:35 | call to new :  |
+| active_support.rb:146:7:146:16 | call to source :  | active_support.rb:147:21:147:21 | b :  |
+| active_support.rb:147:7:147:22 | call to safe_concat :  | active_support.rb:148:8:148:8 | y |
+| active_support.rb:147:21:147:21 | b :  | active_support.rb:147:7:147:22 | call to safe_concat :  |
+| active_support.rb:153:7:153:16 | call to source :  | active_support.rb:154:17:154:17 | b :  |
+| active_support.rb:154:3:154:3 | [post] x :  | active_support.rb:155:8:155:8 | x |
+| active_support.rb:154:17:154:17 | b :  | active_support.rb:154:3:154:3 | [post] x :  |
+| active_support.rb:159:7:159:16 | call to source :  | active_support.rb:161:34:161:34 | a :  |
+| active_support.rb:161:7:161:35 | call to new :  | active_support.rb:162:7:162:7 | x :  |
+| active_support.rb:161:34:161:34 | a :  | active_support.rb:161:7:161:35 | call to new :  |
+| active_support.rb:162:7:162:7 | x :  | active_support.rb:162:7:162:17 | call to concat :  |
+| active_support.rb:162:7:162:17 | call to concat :  | active_support.rb:163:8:163:8 | y |
+| active_support.rb:167:7:167:16 | call to source :  | active_support.rb:169:34:169:34 | a :  |
+| active_support.rb:169:7:169:35 | call to new :  | active_support.rb:170:7:170:7 | x :  |
+| active_support.rb:169:34:169:34 | a :  | active_support.rb:169:7:169:35 | call to new :  |
+| active_support.rb:170:7:170:7 | x :  | active_support.rb:170:7:170:20 | call to insert :  |
+| active_support.rb:170:7:170:20 | call to insert :  | active_support.rb:171:8:171:8 | y |
+| active_support.rb:175:7:175:16 | call to source :  | active_support.rb:177:34:177:34 | a :  |
+| active_support.rb:177:7:177:35 | call to new :  | active_support.rb:178:7:178:7 | x :  |
+| active_support.rb:177:34:177:34 | a :  | active_support.rb:177:7:177:35 | call to new :  |
+| active_support.rb:178:7:178:7 | x :  | active_support.rb:178:7:178:18 | call to prepend :  |
+| active_support.rb:178:7:178:18 | call to prepend :  | active_support.rb:179:8:179:8 | y |
+| active_support.rb:183:7:183:16 | call to source :  | active_support.rb:184:34:184:34 | a :  |
+| active_support.rb:184:7:184:35 | call to new :  | active_support.rb:185:7:185:7 | x :  |
+| active_support.rb:184:34:184:34 | a :  | active_support.rb:184:7:184:35 | call to new :  |
+| active_support.rb:185:7:185:7 | x :  | active_support.rb:185:7:185:12 | call to to_s :  |
+| active_support.rb:185:7:185:12 | call to to_s :  | active_support.rb:186:8:186:8 | y |
+| active_support.rb:190:7:190:16 | call to source :  | active_support.rb:191:34:191:34 | a :  |
+| active_support.rb:191:7:191:35 | call to new :  | active_support.rb:192:7:192:7 | x :  |
+| active_support.rb:191:34:191:34 | a :  | active_support.rb:191:7:191:35 | call to new :  |
+| active_support.rb:192:7:192:7 | x :  | active_support.rb:192:7:192:16 | call to to_param :  |
+| active_support.rb:192:7:192:16 | call to to_param :  | active_support.rb:193:8:193:8 | y |
 nodes
 | active_support.rb:9:9:9:18 | call to source :  | semmle.label | call to source :  |
 | active_support.rb:10:10:10:10 | x :  | semmle.label | x :  |
@@ -234,6 +268,48 @@ nodes
 | active_support.rb:135:10:135:10 | b [element] :  | semmle.label | b [element] :  |
 | active_support.rb:135:10:135:13 | ...[...] | semmle.label | ...[...] |
 | active_support.rb:135:10:135:13 | ...[...] | semmle.label | ...[...] |
+| active_support.rb:139:7:139:16 | call to source :  | semmle.label | call to source :  |
+| active_support.rb:140:7:140:35 | call to new :  | semmle.label | call to new :  |
+| active_support.rb:140:34:140:34 | x :  | semmle.label | x :  |
+| active_support.rb:141:8:141:8 | y | semmle.label | y |
+| active_support.rb:146:7:146:16 | call to source :  | semmle.label | call to source :  |
+| active_support.rb:147:7:147:22 | call to safe_concat :  | semmle.label | call to safe_concat :  |
+| active_support.rb:147:21:147:21 | b :  | semmle.label | b :  |
+| active_support.rb:148:8:148:8 | y | semmle.label | y |
+| active_support.rb:153:7:153:16 | call to source :  | semmle.label | call to source :  |
+| active_support.rb:154:3:154:3 | [post] x :  | semmle.label | [post] x :  |
+| active_support.rb:154:17:154:17 | b :  | semmle.label | b :  |
+| active_support.rb:155:8:155:8 | x | semmle.label | x |
+| active_support.rb:159:7:159:16 | call to source :  | semmle.label | call to source :  |
+| active_support.rb:161:7:161:35 | call to new :  | semmle.label | call to new :  |
+| active_support.rb:161:34:161:34 | a :  | semmle.label | a :  |
+| active_support.rb:162:7:162:7 | x :  | semmle.label | x :  |
+| active_support.rb:162:7:162:17 | call to concat :  | semmle.label | call to concat :  |
+| active_support.rb:163:8:163:8 | y | semmle.label | y |
+| active_support.rb:167:7:167:16 | call to source :  | semmle.label | call to source :  |
+| active_support.rb:169:7:169:35 | call to new :  | semmle.label | call to new :  |
+| active_support.rb:169:34:169:34 | a :  | semmle.label | a :  |
+| active_support.rb:170:7:170:7 | x :  | semmle.label | x :  |
+| active_support.rb:170:7:170:20 | call to insert :  | semmle.label | call to insert :  |
+| active_support.rb:171:8:171:8 | y | semmle.label | y |
+| active_support.rb:175:7:175:16 | call to source :  | semmle.label | call to source :  |
+| active_support.rb:177:7:177:35 | call to new :  | semmle.label | call to new :  |
+| active_support.rb:177:34:177:34 | a :  | semmle.label | a :  |
+| active_support.rb:178:7:178:7 | x :  | semmle.label | x :  |
+| active_support.rb:178:7:178:18 | call to prepend :  | semmle.label | call to prepend :  |
+| active_support.rb:179:8:179:8 | y | semmle.label | y |
+| active_support.rb:183:7:183:16 | call to source :  | semmle.label | call to source :  |
+| active_support.rb:184:7:184:35 | call to new :  | semmle.label | call to new :  |
+| active_support.rb:184:34:184:34 | a :  | semmle.label | a :  |
+| active_support.rb:185:7:185:7 | x :  | semmle.label | x :  |
+| active_support.rb:185:7:185:12 | call to to_s :  | semmle.label | call to to_s :  |
+| active_support.rb:186:8:186:8 | y | semmle.label | y |
+| active_support.rb:190:7:190:16 | call to source :  | semmle.label | call to source :  |
+| active_support.rb:191:7:191:35 | call to new :  | semmle.label | call to new :  |
+| active_support.rb:191:34:191:34 | a :  | semmle.label | a :  |
+| active_support.rb:192:7:192:7 | x :  | semmle.label | x :  |
+| active_support.rb:192:7:192:16 | call to to_param :  | semmle.label | call to to_param :  |
+| active_support.rb:193:8:193:8 | y | semmle.label | y |
 subpaths
 #select
 | active_support.rb:106:10:106:13 | ...[...] | active_support.rb:104:10:104:17 | call to source :  | active_support.rb:106:10:106:13 | ...[...] | $@ | active_support.rb:104:10:104:17 | call to source :  | call to source :  |
--- a/ruby/ql/test/library-tests/frameworks/active_support/active_support.rb
+++ b/ruby/ql/test/library-tests/frameworks/active_support/active_support.rb
@@ -133,4 +133,62 @@ def m_including
    sink b[1] # $ hasValueFlow=3 $ hasValueFlow=4
    sink b[2] # $ hasValueFlow=3 $ hasValueFlow=4
    sink b[3] # $ hasValueFlow=3 $ hasValueFlow=4
-end
+end
+
+def m_safe_buffer_new
+  x = source "a"
+  y = ActionView::SafeBuffer.new(x)
+  sink y # $hasTaintFlow=a
+end
+
+def m_safe_buffer_safe_concat_retval
+  x = ActionView::SafeBuffer.new("a")
+  b = source "b"
+  y = x.safe_concat(b)
+  sink y # $hasTaintFlow=b
+end
+
+def m_safe_buffer_safe_concat_self
+  x = ActionView::SafeBuffer.new("a")
+  b = source "b"
+  x.safe_concat(b)
+  sink x # $hasTaintFlow=b
+end
+
+def m_safe_buffer_concat
+  a = source "a"
+  b = source "b"
+  x = ActionView::SafeBuffer.new(a)
+  y = x.concat(b)
+  sink y # $hasTaintFlow=a
+end
+
+def m_safe_buffer_insert
+  a = source "a"
+  b = source "b"
+  x = ActionView::SafeBuffer.new(a)
+  y = x.insert(i, b)
+  sink y # $hasTaintFlow=a
+end
+
+def m_safe_buffer_prepend
+  a = source "a"
+  b = source "b"
+  x = ActionView::SafeBuffer.new(a)
+  y = x.prepend(b)
+  sink y # $hasTaintFlow=a
+end
+
+def m_safe_buffer_to_s
+  a = source "a"
+  x = ActionView::SafeBuffer.new(a)
+  y = x.to_s
+  sink y # $hasTaintFlow=a
+end
+
+def m_safe_buffer_to_param
+  a = source "a"
+  x = ActionView::SafeBuffer.new(a)
+  y = x.to_param
+  sink y # $hasTaintFlow=a
+end