Merge from main

Dave Bartolomeo
2022-11-01 13:22:40 -04:00
486 changed files with 6866 additions and 2473 deletions


@@ -1,18 +1,10 @@
import codeql.ruby.dataflow.SSA
import codeql.ruby.dataflow.internal.SsaImpl::Consistency as Consistency
import codeql.ruby.dataflow.internal.SsaImpl::Consistency
class MyRelevantDefinition extends Consistency::RelevantDefinition, Ssa::Definition {
class MyRelevantDefinition extends RelevantDefinition, Ssa::Definition {
override predicate hasLocationInfo(
string filepath, int startline, int startcolumn, int endline, int endcolumn
) {
this.getLocation().hasLocationInfo(filepath, startline, startcolumn, endline, endcolumn)
}
}
query predicate nonUniqueDef = Consistency::nonUniqueDef/4;
query predicate readWithoutDef = Consistency::readWithoutDef/3;
query predicate deadDef = Consistency::deadDef/2;
query predicate notDominatedByDef = Consistency::notDominatedByDef/4;


@@ -0,0 +1,5 @@
---
category: minorAnalysis
---
* Taint flow is now tracked through extension methods on `Hash`, `String` and
`Object` provided by `ActiveSupport`.


@@ -0,0 +1,5 @@
---
category: minorAnalysis
---
- Instantiations using `Faraday::Connection.new` are now recognized as part of `FaradayHttpRequest`s, meaning they will be considered as sinks for queries such as `rb/request-forgery`.


@@ -615,9 +615,9 @@ private predicate isInstance(DataFlow::Node n, Module tp, boolean exact) {
exact = true
or
// `self.new` inside a singleton method
exists(MethodBase target |
selfInMethod(sourceNode.(SsaSelfDefinitionNode).getVariable(), target, tp) and
singletonMethod(target, _, _) and
exists(MethodBase caller |
selfInMethod(sourceNode.(SsaSelfDefinitionNode).getVariable(), caller, tp) and
singletonMethod(caller, _, _) and
exact = false
)
)
@@ -991,14 +991,13 @@ private predicate isInstanceLocalMustFlow(DataFlow::Node n, Module tp, boolean e
* `name` is the name of the method being called by `call`.
*/
pragma[nomagic]
private predicate mayBenefitFromCallContext0(
private predicate argFlowsToReceiver(
RelevantCall ctx, ArgumentNode arg, RelevantCall call, Callable encl, string name
) {
exists(
ParameterNodeImpl p, SsaDefinitionNode ssaNode, ParameterPosition ppos, ArgumentPosition apos
|
// the receiver of `call` references `p`
ssaNode = trackInstance(_, _) and
LocalFlow::localFlowSsaParamInput(p, ssaNode) and
flowsToMethodCallReceiver(pragma[only_bind_into](call), pragma[only_bind_into](ssaNode),
pragma[only_bind_into](name)) and
@@ -1016,24 +1015,66 @@ private predicate mayBenefitFromCallContext0(
/**
* Holds if `ctx` targets `encl`, which is the enclosing callable of `call`, and
* the receiver of `call` is a parameter access, where the corresponding argument
* of `ctx` has type `tp`.
* `arg` of `ctx` has type `tp`.
*
* `name` is the name of the method being called by `call`, and `exact` is pertaining
* to the type of the argument.
*/
pragma[nomagic]
private predicate mayBenefitFromCallContext1(
RelevantCall ctx, RelevantCall call, Callable encl, Module tp, boolean exact, string name
private predicate mayBenefitFromCallContextInstance(
RelevantCall ctx, RelevantCall call, ArgumentNode arg, Callable encl, Module tp, boolean exact,
string name
) {
exists(ArgumentNode arg |
mayBenefitFromCallContext0(ctx, pragma[only_bind_into](arg), call, encl,
pragma[only_bind_into](name)) and
// `arg` has a relevant instance type
isInstanceLocalMustFlow(arg, tp, exact) and
exists(lookupMethod(tp, pragma[only_bind_into](name)))
argFlowsToReceiver(ctx, pragma[only_bind_into](arg), call, encl, pragma[only_bind_into](name)) and
// `arg` has a relevant instance type
isInstanceLocalMustFlow(arg, tp, exact) and
exists(lookupMethod(tp, pragma[only_bind_into](name)))
}
/** Same as `resolveConstantReadAccess`, but includes local must-flow through SSA definitions. */
private predicate resolveConstantReadAccessMustFlow(DataFlow::Node n, Module tp) {
tp = resolveConstantReadAccess(n.asExpr().getExpr())
or
exists(DataFlow::Node mid | resolveConstantReadAccessMustFlow(mid, tp) |
n.asExpr() = mid.(SsaDefinitionNode).getDefinition().getARead()
or
n.(SsaDefinitionNode).getDefinition().(Ssa::WriteDefinition).assigns(mid.asExpr())
)
}
/**
* Holds if `ctx` targets `encl`, which is the enclosing callable of `call`, and
* the receiver of `call` is a parameter access, where the corresponding argument
* `arg` of `ctx` is a module access targeting a module of type `tp`.
*
* `name` is the name of the method being called by `call`, and `exact` is pertaining
* to the type of the argument.
*/
pragma[nomagic]
private predicate mayBenefitFromCallContextSingleton(
RelevantCall ctx, RelevantCall call, ArgumentNode arg, Callable encl, Module tp, boolean exact,
string name
) {
argFlowsToReceiver(ctx, pragma[only_bind_into](arg), call, encl, pragma[only_bind_into](name)) and
// `arg` has a relevant module type
(
resolveConstantReadAccessMustFlow(arg, tp) and
exact = true
or
exists(SelfVariable self | arg.asExpr().getExpr() = self.getAnAccess() |
selfInModule(self, tp) and
exact = true
or
exists(MethodBase caller |
selfInMethod(self, caller, tp) and
singletonMethod(caller, _, _) and
exact = false
)
)
) and
exists(lookupSingletonMethod(tp, pragma[only_bind_into](name), exact))
}
/**
* Holds if the set of viable implementations that can be called by `call`
* might be improved by knowing the call context. This is the case if the
@@ -1041,7 +1082,9 @@ private predicate mayBenefitFromCallContext1(
* the implicit `self` parameter).
*/
predicate mayBenefitFromCallContext(DataFlowCall call, DataFlowCallable c) {
mayBenefitFromCallContext1(_, call.asCall(), c.asCallable(), _, _, _)
mayBenefitFromCallContextInstance(_, call.asCall(), _, c.asCallable(), _, _, _)
or
mayBenefitFromCallContextSingleton(_, call.asCall(), _, c.asCallable(), _, _, _)
}
/**
@@ -1050,28 +1093,38 @@ predicate mayBenefitFromCallContext(DataFlowCall call, DataFlowCallable c) {
*/
pragma[nomagic]
DataFlowCallable viableImplInCallContext(DataFlowCall call, DataFlowCall ctx) {
// `ctx` can provide a potentially better type bound
exists(RelevantCall call0, Callable res |
call0 = call.asCall() and
res = result.asCallable() and
res = getTarget(call0) and // make sure to not include e.g. private methods
exists(Module m, boolean exact, string name |
res = lookupMethod(m, name, exact) and
mayBenefitFromCallContext1(ctx.asCall(), pragma[only_bind_into](call0), _,
pragma[only_bind_into](m), exact, pragma[only_bind_into](name))
mayBenefitFromCallContext(call, _) and
(
// `ctx` can provide a potentially better type bound
exists(RelevantCall call0, Callable res |
call0 = call.asCall() and
res = result.asCallable() and
res = getTarget(call0) and // make sure to not include e.g. private methods
exists(Module m, boolean exact, string name |
mayBenefitFromCallContextInstance(ctx.asCall(), pragma[only_bind_into](call0), _, _,
pragma[only_bind_into](m), exact, pragma[only_bind_into](name)) and
res = lookupMethod(m, name, exact)
or
mayBenefitFromCallContextSingleton(ctx.asCall(), pragma[only_bind_into](call0), _, _,
pragma[only_bind_into](m), exact, pragma[only_bind_into](name)) and
res = lookupSingletonMethod(m, name, exact)
)
)
or
// `ctx` cannot provide a type bound
exists(RelevantCall call0, RelevantCall ctx0, ArgumentNode arg, string name |
call0 = call.asCall() and
ctx0 = ctx.asCall() and
argFlowsToReceiver(ctx0, arg, call0, _, name) and
not mayBenefitFromCallContextInstance(ctx0, call0, arg, _, _, _, name) and
not mayBenefitFromCallContextSingleton(ctx0, call0, arg, _, _, _, name) and
result = viableSourceCallable(call)
)
or
// library calls should always be able to resolve
argFlowsToReceiver(ctx.asCall(), _, call.asCall(), _, _) and
result = viableLibraryCallable(call)
)
or
// `ctx` cannot provide a type bound
exists(ArgumentNode arg |
mayBenefitFromCallContext0(ctx.asCall(), arg, call.asCall(), _, _) and
not isInstanceLocalMustFlow(arg, _, _) and
result = viableSourceCallable(call)
)
or
// library calls should always be able to resolve
mayBenefitFromCallContext0(ctx.asCall(), _, call.asCall(), _, _) and
result = viableLibraryCallable(call)
}
predicate exprNodeReturnedFrom = exprNodeReturnedFromCached/2;
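Review bot: The "`ctx` cannot provide a type bound" branch of `viableImplInCallContext` now negates `mayBenefitFromCallContextInstance` and `mayBenefitFromCallContextSingleton`, both of which also require a successful `lookupMethod`/`lookupSingletonMethod`, whereas the earlier form negated only `isInstanceLocalMustFlow(arg, _, _)`. As far as the visible lines show, an argument whose type is known but on which `name` does not resolve now falls back to `viableSourceCallable(call)`, where before this branch produced no source target for it. If that widening is intended, a comment on the branch would record it, for example `// also taken when arg has a known type but name does not resolve on it`. The self-handling disjunct in `mayBenefitFromCallContextSingleton` also repeats the `selfInMethod`/`singletonMethod` pattern used in `isInstance`, so a shared helper predicate would keep the two in step.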


@@ -24,14 +24,17 @@ module ActiveSupport {
*/
module String {
/**
* A call to `String#constantize`, which tries to find a declared constant with the given name.
* Passing user input to this method may result in instantiation of arbitrary Ruby classes.
* A call to `String#constantize` or `String#safe_constantize`, which
* tries to find a declared constant with the given name.
* Passing user input to this method may result in instantiation of
* arbitrary Ruby classes.
*/
class Constantize extends CodeExecution::Range, DataFlow::CallNode {
// We treat this an `UnknownMethodCall` in order to match every call to `constantize` that isn't overridden.
// We can't (yet) rely on API Graphs or dataflow to tell us that the receiver is a String.
Constantize() {
this.asExpr().getExpr().(UnknownMethodCall).getMethodName() = "constantize"
this.asExpr().getExpr().(UnknownMethodCall).getMethodName() =
["constantize", "safe_constantize"]
}
override DataFlow::Node getCode() { result = this.getReceiver() }
@@ -49,9 +52,11 @@ module ActiveSupport {
override MethodCall getACall() {
result.getMethodName() =
[
"camelize", "camelcase", "classify", "dasherize", "deconstantize", "demodulize",
"foreign_key", "humanize", "indent", "parameterize", "pluralize", "singularize",
"squish", "strip_heredoc", "tableize", "titlecase", "titleize", "underscore",
"at", "camelize", "camelcase", "classify", "dasherize", "deconstantize", "demodulize",
"first", "foreign_key", "from", "html_safe", "humanize", "indent", "indent!",
"inquiry", "last", "mb_chars", "parameterize", "pluralize", "remove", "remove!",
"singularize", "squish", "squish!", "strip_heredoc", "tableize", "titlecase",
"titleize", "to", "truncate", "truncate_bytes", "truncate_words", "underscore",
"upcase_first"
]
}
@@ -62,6 +67,112 @@ module ActiveSupport {
}
}
/**
* Extensions to the `Object` class.
*/
module Object {
/** Flow summary for methods which can return the receiver. */
private class IdentitySummary extends SimpleSummarizedCallable {
IdentitySummary() { this = ["presence", "deep_dup"] }
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
input = "Argument[self]" and
output = "ReturnValue" and
preservesValue = true
}
}
}
/**
* Extensions to the `Hash` class.
*/
module Hash {
private class WithIndifferentAccessSummary extends SimpleSummarizedCallable {
WithIndifferentAccessSummary() { this = "with_indifferent_access" }
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
input = "Argument[self].Element[any]" and
output = "ReturnValue.Element[any]" and
preservesValue = true
}
}
private class TransformSummary extends SimpleSummarizedCallable {
TransformSummary() {
this =
[
"stringify_keys", "to_options", "symbolize_keys", "deep_stringify_keys",
"deep_symbolize_keys", "with_indifferent_access"
]
}
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
input = "Argument[self].Element[any]" and
output = "ReturnValue.Element[?]" and
preservesValue = true
}
}
private string getExtractComponent(MethodCall mc, int i) {
mc.getMethodName() = "extract!" and
result = DataFlow::Content::getKnownElementIndex(mc.getArgument(i)).serialize()
}
/**
* A flow summary for `Hash#extract!`. This method removes the key/value pairs
* matching the given keys from the receiver and returns them (as a Hash).
*
* Example:
*
* ```rb
* hash = { a: 1, b: 2, c: 3, d: 4 }
* hash.extract!(:a, :b) # => {:a=>1, :b=>2}
* hash # => {:c=>3, :d=>4}
* ```
*
* There is value flow from elements corresponding to keys in the
* arguments (`:a` and `:b` in the example) to elements in
* the return value.
* There is also value flow from any element corresponding to a key _not_
* mentioned in the arguments to an element in `self`, including elements
* at unknown keys.
*/
private class ExtractSummary extends SummarizedCallable {
MethodCall mc;
ExtractSummary() {
mc.getMethodName() = "extract!" and
this =
"extract!(" +
concat(int i, string s | s = getExtractComponent(mc, i) | s, "," order by i) + ")"
}
final override MethodCall getACall() { result = mc }
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
(
exists(string s | s = getExtractComponent(mc, _) |
input = "Argument[self].Element[" + s + "!]" and
output = "ReturnValue.Element[" + s + "!]"
)
or
// Argument[self].WithoutElement[:a!, :b!].WithElement[any] means
// "an element of self whose key is not :a or :b, including elements
// with unknown keys"
input =
"Argument[self]" +
concat(int i, string s |
s = getExtractComponent(mc, i)
|
".WithoutElement[" + s + "!]" order by i
) + ".WithElement[any]" and
output = "Argument[self]"
) and
preservesValue = true
}
}
}
/**
* Extensions to the `Enumerable` module.
*/
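Review bot: `"with_indifferent_access"` is matched by both `WithIndifferentAccessSummary` (output `ReturnValue.Element[any]`) and `TransformSummary` (output `ReturnValue.Element[?]`), so the same call appears to receive both summaries, and the unknown-key summary would blur whatever key precision the dedicated class is meant to keep. Dropping the name from the `TransformSummary` list, or removing the dedicated class, would make the intent explicit. Neither class has a QLDoc comment, unlike `IdentitySummary` and `ExtractSummary`; a line such as `/** Flow summary for methods that rewrite hash keys, so element keys are not preserved. */` on `TransformSummary` would help, and `getExtractComponent` would benefit from a one-line description of what `i` indexes.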


@@ -244,7 +244,7 @@ module Hash {
}
private string getExceptComponent(MethodCall mc, int i) {
mc.getMethodName() = "except" and
mc.getMethodName() = ["except", "except!"] and
result = DataFlow::Content::getKnownElementIndex(mc.getArgument(i)).serialize()
}
@@ -252,10 +252,12 @@ module Hash {
MethodCall mc;
ExceptSummary() {
mc.getMethodName() = "except" and
// except! is an ActiveSupport extension
// https://api.rubyonrails.org/classes/Hash.html#method-i-except-21
mc.getMethodName() = ["except", "except!"] and
this =
"except(" + concat(int i, string s | s = getExceptComponent(mc, i) | s, "," order by i) +
")"
mc.getMethodName() + "(" +
concat(int i, string s | s = getExceptComponent(mc, i) | s, "," order by i) + ")"
}
final override MethodCall getACallSimple() { result = mc }
@@ -268,7 +270,11 @@ module Hash {
|
".WithoutElement[" + s + "!]" order by i
) + ".WithElement[any]" and
output = "ReturnValue" and
(
if mc.getMethodName() = "except!"
then output = ["ReturnValue", "Argument[self]"]
else output = "ReturnValue"
) and
preservesValue = true
}
}
@@ -331,7 +337,11 @@ private class FetchValuesUnknownSummary extends FetchValuesSummary {
}
private class MergeSummary extends SimpleSummarizedCallable {
MergeSummary() { this = "merge" }
MergeSummary() {
// deep_merge is an ActiveSupport extension
// https://api.rubyonrails.org/classes/Hash.html#method-i-deep_merge
this = ["merge", "deep_merge"]
}
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
(
@@ -346,7 +356,11 @@ private class MergeSummary extends SimpleSummarizedCallable {
}
private class MergeBangSummary extends SimpleSummarizedCallable {
MergeBangSummary() { this = ["merge!", "update"] }
MergeBangSummary() {
// deep_merge! is an ActiveSupport extension
// https://api.rubyonrails.org/classes/Hash.html#method-i-deep_merge-21
this = ["merge!", "deep_merge!", "update"]
}
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
(
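Review bot: `deep_merge` and `deep_merge!` are added to `MergeSummary` and `MergeBangSummary`, whose `propagatesFlowExt` bodies lie mostly outside these hunks and were presumably written for the shallow `merge`. Because a deep merge recurses into nested hashes, values stored under nested keys may not be tracked with the same precision as top-level elements, which matters for taint queries that rely on these summaries. If the shallow model is a deliberate approximation, the new comments should say so, for example `// deep_merge is modeled like merge; flow through nested hash elements is approximated`. The class-level documentation for `ExceptSummary` (outside the hunk) should likewise mention that `except!` also writes back to `Argument[self]`.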


@@ -34,7 +34,9 @@ class FaradayHttpRequest extends Http::Client::Request::Range, DataFlow::CallNod
// one-off requests
API::getTopLevelMember("Faraday"),
// connection re-use
API::getTopLevelMember("Faraday").getInstance()
API::getTopLevelMember("Faraday").getInstance(),
// connection re-use with Faraday::Connection.new instantiation
API::getTopLevelMember("Faraday").getMember("Connection").getInstance()
] and
requestNode =
connectionNode


@@ -70,7 +70,7 @@ module CodeInjection {
/** Gets a flow state for which this is a sink. */
override DataFlow::FlowState getAFlowState() {
if c.runsArbitraryCode()
then result = [FlowState::substring(), FlowState::full()] // If it runs immediately, then it's always vulnerable.
then result = [FlowState::substring(), FlowState::full()] // If it runs arbitrary code then it's always vulnerable.
else result = FlowState::full() // If it "just" loads something, then it's only vulnerable if the attacker controls the entire string.
}
}


@@ -1,6 +1,4 @@
---
dependencies:
codeql/suite-helpers:
version: 0.0.2
dependencies: {}
compiled: false
lockVersion: 1.0.0


@@ -25,9 +25,10 @@ where
// removing duplications of the same path, but different flow-labels.
sink =
min(DataFlow::PathNode otherSink |
config.hasFlowPath(any(DataFlow::PathNode s | s.getNode() = source.getNode()), otherSink)
config.hasFlowPath(any(DataFlow::PathNode s | s.getNode() = sourceNode), otherSink) and
otherSink.getNode() = sink.getNode()
|
otherSink order by otherSink.getState()
)
select sink.getNode(), source, sink, "This code execution depends on a $@.", source.getNode(),
select sink.getNode(), source, sink, "This code execution depends on a $@.", sourceNode,
"user-provided value"


@@ -137,6 +137,7 @@ abstract class InlineExpectationsTest extends string {
final predicate hasFailureMessage(FailureLocatable element, string message) {
exists(ActualResult actualResult |
actualResult.getTest() = this and
actualResult.getTag() = this.getARelevantTag() and
element = actualResult and
(
exists(FalseNegativeExpectation falseNegative |
@@ -150,9 +151,18 @@ abstract class InlineExpectationsTest extends string {
)
)
or
exists(ActualResult actualResult |
actualResult.getTest() = this and
not actualResult.getTag() = this.getARelevantTag() and
element = actualResult and
message =
"Tag mismatch: Actual result with tag '" + actualResult.getTag() +
"' that is not part of getARelevantTag()"
)
or
exists(ValidExpectation expectation |
not exists(ActualResult actualResult | expectation.matchesActualResult(actualResult)) and
expectation.getTag() = getARelevantTag() and
expectation.getTag() = this.getARelevantTag() and
element = expectation and
(
expectation instanceof GoodExpectation and


@@ -20,7 +20,7 @@ class CustomEntryPointUse extends API::EntryPoint {
class ApiUseTest extends InlineExpectationsTest {
ApiUseTest() { this = "ApiUseTest" }
override string getARelevantTag() { result = ["use", "def"] }
override string getARelevantTag() { result = ["use", "def", "call"] }
private predicate relevantNode(API::Node a, DataFlow::Node n, Location l, string tag) {
l = n.getLocation() and


@@ -1 +1,6 @@
// This test flags any difference in flow between the type-tracking and dataflow
// libraries. New results in this query do not necessarily indicate a problem,
// only that type-tracking cannot follow the flow in your test. If the dataflow
// test (`array-flow.ql`) shows no failures, then that may be sufficient
// (depending on your use case).
import TestUtilities.InlineTypeTrackingFlowTest


@@ -40,16 +40,70 @@ edges
| call_sensitivity.rb:50:15:50:15 | x : | call_sensitivity.rb:51:10:51:10 | x |
| call_sensitivity.rb:54:15:54:15 | x : | call_sensitivity.rb:55:13:55:13 | x : |
| call_sensitivity.rb:54:15:54:15 | x : | call_sensitivity.rb:55:13:55:13 | x : |
| call_sensitivity.rb:54:15:54:15 | x : | call_sensitivity.rb:55:13:55:13 | x : |
| call_sensitivity.rb:54:15:54:15 | x : | call_sensitivity.rb:55:13:55:13 | x : |
| call_sensitivity.rb:55:13:55:13 | x : | call_sensitivity.rb:50:15:50:15 | x : |
| call_sensitivity.rb:55:13:55:13 | x : | call_sensitivity.rb:50:15:50:15 | x : |
| call_sensitivity.rb:58:18:58:18 | y : | call_sensitivity.rb:59:15:59:15 | y : |
| call_sensitivity.rb:58:18:58:18 | y : | call_sensitivity.rb:59:15:59:15 | y : |
| call_sensitivity.rb:59:15:59:15 | y : | call_sensitivity.rb:50:15:50:15 | x : |
| call_sensitivity.rb:59:15:59:15 | y : | call_sensitivity.rb:50:15:50:15 | x : |
| call_sensitivity.rb:64:11:64:18 | call to taint : | call_sensitivity.rb:54:15:54:15 | x : |
| call_sensitivity.rb:64:11:64:18 | call to taint : | call_sensitivity.rb:54:15:54:15 | x : |
| call_sensitivity.rb:65:14:65:22 | call to taint : | call_sensitivity.rb:58:18:58:18 | y : |
| call_sensitivity.rb:65:14:65:22 | call to taint : | call_sensitivity.rb:58:18:58:18 | y : |
| call_sensitivity.rb:55:13:55:13 | x : | call_sensitivity.rb:50:15:50:15 | x : |
| call_sensitivity.rb:55:13:55:13 | x : | call_sensitivity.rb:50:15:50:15 | x : |
| call_sensitivity.rb:58:20:58:20 | x : | call_sensitivity.rb:59:18:59:18 | x : |
| call_sensitivity.rb:58:20:58:20 | x : | call_sensitivity.rb:59:18:59:18 | x : |
| call_sensitivity.rb:59:18:59:18 | x : | call_sensitivity.rb:54:15:54:15 | x : |
| call_sensitivity.rb:59:18:59:18 | x : | call_sensitivity.rb:54:15:54:15 | x : |
| call_sensitivity.rb:62:18:62:18 | y : | call_sensitivity.rb:63:15:63:15 | y : |
| call_sensitivity.rb:62:18:62:18 | y : | call_sensitivity.rb:63:15:63:15 | y : |
| call_sensitivity.rb:62:18:62:18 | y : | call_sensitivity.rb:63:15:63:15 | y : |
| call_sensitivity.rb:62:18:62:18 | y : | call_sensitivity.rb:63:15:63:15 | y : |
| call_sensitivity.rb:63:15:63:15 | y : | call_sensitivity.rb:50:15:50:15 | x : |
| call_sensitivity.rb:63:15:63:15 | y : | call_sensitivity.rb:50:15:50:15 | x : |
| call_sensitivity.rb:63:15:63:15 | y : | call_sensitivity.rb:50:15:50:15 | x : |
| call_sensitivity.rb:63:15:63:15 | y : | call_sensitivity.rb:50:15:50:15 | x : |
| call_sensitivity.rb:66:20:66:20 | x : | call_sensitivity.rb:67:24:67:24 | x : |
| call_sensitivity.rb:66:20:66:20 | x : | call_sensitivity.rb:67:24:67:24 | x : |
| call_sensitivity.rb:67:24:67:24 | x : | call_sensitivity.rb:62:18:62:18 | y : |
| call_sensitivity.rb:67:24:67:24 | x : | call_sensitivity.rb:62:18:62:18 | y : |
| call_sensitivity.rb:70:30:70:30 | x : | call_sensitivity.rb:71:10:71:10 | x |
| call_sensitivity.rb:70:30:70:30 | x : | call_sensitivity.rb:71:10:71:10 | x |
| call_sensitivity.rb:74:30:74:30 | x : | call_sensitivity.rb:75:23:75:23 | x : |
| call_sensitivity.rb:74:30:74:30 | x : | call_sensitivity.rb:75:23:75:23 | x : |
| call_sensitivity.rb:74:30:74:30 | x : | call_sensitivity.rb:75:23:75:23 | x : |
| call_sensitivity.rb:74:30:74:30 | x : | call_sensitivity.rb:75:23:75:23 | x : |
| call_sensitivity.rb:75:23:75:23 | x : | call_sensitivity.rb:70:30:70:30 | x : |
| call_sensitivity.rb:75:23:75:23 | x : | call_sensitivity.rb:70:30:70:30 | x : |
| call_sensitivity.rb:75:23:75:23 | x : | call_sensitivity.rb:70:30:70:30 | x : |
| call_sensitivity.rb:75:23:75:23 | x : | call_sensitivity.rb:70:30:70:30 | x : |
| call_sensitivity.rb:78:35:78:35 | x : | call_sensitivity.rb:79:28:79:28 | x : |
| call_sensitivity.rb:78:35:78:35 | x : | call_sensitivity.rb:79:28:79:28 | x : |
| call_sensitivity.rb:79:28:79:28 | x : | call_sensitivity.rb:74:30:74:30 | x : |
| call_sensitivity.rb:79:28:79:28 | x : | call_sensitivity.rb:74:30:74:30 | x : |
| call_sensitivity.rb:82:33:82:33 | y : | call_sensitivity.rb:83:25:83:25 | y : |
| call_sensitivity.rb:82:33:82:33 | y : | call_sensitivity.rb:83:25:83:25 | y : |
| call_sensitivity.rb:82:33:82:33 | y : | call_sensitivity.rb:83:25:83:25 | y : |
| call_sensitivity.rb:82:33:82:33 | y : | call_sensitivity.rb:83:25:83:25 | y : |
| call_sensitivity.rb:83:25:83:25 | y : | call_sensitivity.rb:70:30:70:30 | x : |
| call_sensitivity.rb:83:25:83:25 | y : | call_sensitivity.rb:70:30:70:30 | x : |
| call_sensitivity.rb:83:25:83:25 | y : | call_sensitivity.rb:70:30:70:30 | x : |
| call_sensitivity.rb:83:25:83:25 | y : | call_sensitivity.rb:70:30:70:30 | x : |
| call_sensitivity.rb:86:35:86:35 | x : | call_sensitivity.rb:87:34:87:34 | x : |
| call_sensitivity.rb:86:35:86:35 | x : | call_sensitivity.rb:87:34:87:34 | x : |
| call_sensitivity.rb:87:34:87:34 | x : | call_sensitivity.rb:82:33:82:33 | y : |
| call_sensitivity.rb:87:34:87:34 | x : | call_sensitivity.rb:82:33:82:33 | y : |
| call_sensitivity.rb:92:11:92:18 | call to taint : | call_sensitivity.rb:54:15:54:15 | x : |
| call_sensitivity.rb:92:11:92:18 | call to taint : | call_sensitivity.rb:54:15:54:15 | x : |
| call_sensitivity.rb:93:16:93:23 | call to taint : | call_sensitivity.rb:58:20:58:20 | x : |
| call_sensitivity.rb:93:16:93:23 | call to taint : | call_sensitivity.rb:58:20:58:20 | x : |
| call_sensitivity.rb:94:14:94:22 | call to taint : | call_sensitivity.rb:62:18:62:18 | y : |
| call_sensitivity.rb:94:14:94:22 | call to taint : | call_sensitivity.rb:62:18:62:18 | y : |
| call_sensitivity.rb:95:16:95:24 | call to taint : | call_sensitivity.rb:66:20:66:20 | x : |
| call_sensitivity.rb:95:16:95:24 | call to taint : | call_sensitivity.rb:66:20:66:20 | x : |
| call_sensitivity.rb:97:21:97:28 | call to taint : | call_sensitivity.rb:74:30:74:30 | x : |
| call_sensitivity.rb:97:21:97:28 | call to taint : | call_sensitivity.rb:74:30:74:30 | x : |
| call_sensitivity.rb:98:26:98:33 | call to taint : | call_sensitivity.rb:78:35:78:35 | x : |
| call_sensitivity.rb:98:26:98:33 | call to taint : | call_sensitivity.rb:78:35:78:35 | x : |
| call_sensitivity.rb:99:24:99:32 | call to taint : | call_sensitivity.rb:82:33:82:33 | y : |
| call_sensitivity.rb:99:24:99:32 | call to taint : | call_sensitivity.rb:82:33:82:33 | y : |
| call_sensitivity.rb:100:26:100:33 | call to taint : | call_sensitivity.rb:86:35:86:35 | x : |
| call_sensitivity.rb:100:26:100:33 | call to taint : | call_sensitivity.rb:86:35:86:35 | x : |
nodes
| call_sensitivity.rb:9:6:9:14 | ( ... ) | semmle.label | ( ... ) |
| call_sensitivity.rb:9:6:9:14 | ( ... ) | semmle.label | ( ... ) |
@@ -103,16 +157,72 @@ nodes
| call_sensitivity.rb:51:10:51:10 | x | semmle.label | x |
| call_sensitivity.rb:54:15:54:15 | x : | semmle.label | x : |
| call_sensitivity.rb:54:15:54:15 | x : | semmle.label | x : |
| call_sensitivity.rb:54:15:54:15 | x : | semmle.label | x : |
| call_sensitivity.rb:54:15:54:15 | x : | semmle.label | x : |
| call_sensitivity.rb:55:13:55:13 | x : | semmle.label | x : |
| call_sensitivity.rb:55:13:55:13 | x : | semmle.label | x : |
| call_sensitivity.rb:58:18:58:18 | y : | semmle.label | y : |
| call_sensitivity.rb:58:18:58:18 | y : | semmle.label | y : |
| call_sensitivity.rb:59:15:59:15 | y : | semmle.label | y : |
| call_sensitivity.rb:59:15:59:15 | y : | semmle.label | y : |
| call_sensitivity.rb:64:11:64:18 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:64:11:64:18 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:65:14:65:22 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:65:14:65:22 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:55:13:55:13 | x : | semmle.label | x : |
| call_sensitivity.rb:55:13:55:13 | x : | semmle.label | x : |
| call_sensitivity.rb:58:20:58:20 | x : | semmle.label | x : |
| call_sensitivity.rb:58:20:58:20 | x : | semmle.label | x : |
| call_sensitivity.rb:59:18:59:18 | x : | semmle.label | x : |
| call_sensitivity.rb:59:18:59:18 | x : | semmle.label | x : |
| call_sensitivity.rb:62:18:62:18 | y : | semmle.label | y : |
| call_sensitivity.rb:62:18:62:18 | y : | semmle.label | y : |
| call_sensitivity.rb:62:18:62:18 | y : | semmle.label | y : |
| call_sensitivity.rb:62:18:62:18 | y : | semmle.label | y : |
| call_sensitivity.rb:63:15:63:15 | y : | semmle.label | y : |
| call_sensitivity.rb:63:15:63:15 | y : | semmle.label | y : |
| call_sensitivity.rb:63:15:63:15 | y : | semmle.label | y : |
| call_sensitivity.rb:63:15:63:15 | y : | semmle.label | y : |
| call_sensitivity.rb:66:20:66:20 | x : | semmle.label | x : |
| call_sensitivity.rb:66:20:66:20 | x : | semmle.label | x : |
| call_sensitivity.rb:67:24:67:24 | x : | semmle.label | x : |
| call_sensitivity.rb:67:24:67:24 | x : | semmle.label | x : |
| call_sensitivity.rb:70:30:70:30 | x : | semmle.label | x : |
| call_sensitivity.rb:70:30:70:30 | x : | semmle.label | x : |
| call_sensitivity.rb:71:10:71:10 | x | semmle.label | x |
| call_sensitivity.rb:71:10:71:10 | x | semmle.label | x |
| call_sensitivity.rb:74:30:74:30 | x : | semmle.label | x : |
| call_sensitivity.rb:74:30:74:30 | x : | semmle.label | x : |
| call_sensitivity.rb:74:30:74:30 | x : | semmle.label | x : |
| call_sensitivity.rb:74:30:74:30 | x : | semmle.label | x : |
| call_sensitivity.rb:75:23:75:23 | x : | semmle.label | x : |
| call_sensitivity.rb:75:23:75:23 | x : | semmle.label | x : |
| call_sensitivity.rb:75:23:75:23 | x : | semmle.label | x : |
| call_sensitivity.rb:75:23:75:23 | x : | semmle.label | x : |
| call_sensitivity.rb:78:35:78:35 | x : | semmle.label | x : |
| call_sensitivity.rb:78:35:78:35 | x : | semmle.label | x : |
| call_sensitivity.rb:79:28:79:28 | x : | semmle.label | x : |
| call_sensitivity.rb:79:28:79:28 | x : | semmle.label | x : |
| call_sensitivity.rb:82:33:82:33 | y : | semmle.label | y : |
| call_sensitivity.rb:82:33:82:33 | y : | semmle.label | y : |
| call_sensitivity.rb:82:33:82:33 | y : | semmle.label | y : |
| call_sensitivity.rb:82:33:82:33 | y : | semmle.label | y : |
| call_sensitivity.rb:83:25:83:25 | y : | semmle.label | y : |
| call_sensitivity.rb:83:25:83:25 | y : | semmle.label | y : |
| call_sensitivity.rb:83:25:83:25 | y : | semmle.label | y : |
| call_sensitivity.rb:83:25:83:25 | y : | semmle.label | y : |
| call_sensitivity.rb:86:35:86:35 | x : | semmle.label | x : |
| call_sensitivity.rb:86:35:86:35 | x : | semmle.label | x : |
| call_sensitivity.rb:87:34:87:34 | x : | semmle.label | x : |
| call_sensitivity.rb:87:34:87:34 | x : | semmle.label | x : |
| call_sensitivity.rb:92:11:92:18 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:92:11:92:18 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:93:16:93:23 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:93:16:93:23 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:94:14:94:22 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:94:14:94:22 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:95:16:95:24 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:95:16:95:24 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:97:21:97:28 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:97:21:97:28 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:98:26:98:33 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:98:26:98:33 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:99:24:99:32 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:99:24:99:32 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:100:26:100:33 | call to taint : | semmle.label | call to taint : |
| call_sensitivity.rb:100:26:100:33 | call to taint : | semmle.label | call to taint : |
subpaths
#select
| call_sensitivity.rb:9:6:9:14 | ( ... ) | call_sensitivity.rb:9:7:9:13 | call to taint : | call_sensitivity.rb:9:6:9:14 | ( ... ) | $@ | call_sensitivity.rb:9:7:9:13 | call to taint : | call to taint : |
@@ -120,16 +230,56 @@ subpaths
| call_sensitivity.rb:31:27:31:27 | x | call_sensitivity.rb:32:25:32:32 | call to taint : | call_sensitivity.rb:31:27:31:27 | x | $@ | call_sensitivity.rb:32:25:32:32 | call to taint : | call to taint : |
| call_sensitivity.rb:40:31:40:31 | x | call_sensitivity.rb:41:25:41:32 | call to taint : | call_sensitivity.rb:40:31:40:31 | x | $@ | call_sensitivity.rb:41:25:41:32 | call to taint : | call to taint : |
| call_sensitivity.rb:43:32:43:32 | x | call_sensitivity.rb:44:26:44:33 | call to taint : | call_sensitivity.rb:43:32:43:32 | x | $@ | call_sensitivity.rb:44:26:44:33 | call to taint : | call to taint : |
| call_sensitivity.rb:51:10:51:10 | x | call_sensitivity.rb:64:11:64:18 | call to taint : | call_sensitivity.rb:51:10:51:10 | x | $@ | call_sensitivity.rb:64:11:64:18 | call to taint : | call to taint : |
| call_sensitivity.rb:51:10:51:10 | x | call_sensitivity.rb:65:14:65:22 | call to taint : | call_sensitivity.rb:51:10:51:10 | x | $@ | call_sensitivity.rb:65:14:65:22 | call to taint : | call to taint : |
| call_sensitivity.rb:51:10:51:10 | x | call_sensitivity.rb:92:11:92:18 | call to taint : | call_sensitivity.rb:51:10:51:10 | x | $@ | call_sensitivity.rb:92:11:92:18 | call to taint : | call to taint : |
| call_sensitivity.rb:51:10:51:10 | x | call_sensitivity.rb:93:16:93:23 | call to taint : | call_sensitivity.rb:51:10:51:10 | x | $@ | call_sensitivity.rb:93:16:93:23 | call to taint : | call to taint : |
| call_sensitivity.rb:51:10:51:10 | x | call_sensitivity.rb:94:14:94:22 | call to taint : | call_sensitivity.rb:51:10:51:10 | x | $@ | call_sensitivity.rb:94:14:94:22 | call to taint : | call to taint : |
| call_sensitivity.rb:51:10:51:10 | x | call_sensitivity.rb:95:16:95:24 | call to taint : | call_sensitivity.rb:51:10:51:10 | x | $@ | call_sensitivity.rb:95:16:95:24 | call to taint : | call to taint : |
| call_sensitivity.rb:71:10:71:10 | x | call_sensitivity.rb:97:21:97:28 | call to taint : | call_sensitivity.rb:71:10:71:10 | x | $@ | call_sensitivity.rb:97:21:97:28 | call to taint : | call to taint : |
| call_sensitivity.rb:71:10:71:10 | x | call_sensitivity.rb:98:26:98:33 | call to taint : | call_sensitivity.rb:71:10:71:10 | x | $@ | call_sensitivity.rb:98:26:98:33 | call to taint : | call to taint : |
| call_sensitivity.rb:71:10:71:10 | x | call_sensitivity.rb:99:24:99:32 | call to taint : | call_sensitivity.rb:71:10:71:10 | x | $@ | call_sensitivity.rb:99:24:99:32 | call to taint : | call to taint : |
| call_sensitivity.rb:71:10:71:10 | x | call_sensitivity.rb:100:26:100:33 | call to taint : | call_sensitivity.rb:71:10:71:10 | x | $@ | call_sensitivity.rb:100:26:100:33 | call to taint : | call to taint : |
mayBenefitFromCallContext
| call_sensitivity.rb:51:5:51:10 | call to sink | call_sensitivity.rb:50:3:52:5 | method1 |
| call_sensitivity.rb:55:5:55:13 | call to method1 | call_sensitivity.rb:54:3:56:5 | method2 |
| call_sensitivity.rb:59:5:59:16 | call to method1 | call_sensitivity.rb:58:3:60:5 | method3 |
| call_sensitivity.rb:59:5:59:18 | call to method2 | call_sensitivity.rb:58:3:60:5 | call_method2 |
| call_sensitivity.rb:63:5:63:16 | call to method1 | call_sensitivity.rb:62:3:64:5 | method3 |
| call_sensitivity.rb:67:5:67:25 | call to method3 | call_sensitivity.rb:66:3:68:5 | call_method3 |
| call_sensitivity.rb:75:5:75:23 | call to singleton_method1 | call_sensitivity.rb:74:3:76:5 | singleton_method2 |
| call_sensitivity.rb:79:5:79:28 | call to singleton_method2 | call_sensitivity.rb:78:3:80:5 | call_singleton_method2 |
| call_sensitivity.rb:83:5:83:26 | call to singleton_method1 | call_sensitivity.rb:82:3:84:5 | singleton_method3 |
| call_sensitivity.rb:87:5:87:35 | call to singleton_method3 | call_sensitivity.rb:86:3:88:5 | call_singleton_method3 |
| call_sensitivity.rb:112:5:112:18 | call to method2 | call_sensitivity.rb:111:3:113:5 | call_method2 |
| call_sensitivity.rb:116:5:116:25 | call to method3 | call_sensitivity.rb:115:3:117:5 | call_method3 |
| call_sensitivity.rb:120:5:120:28 | call to singleton_method2 | call_sensitivity.rb:119:3:121:5 | call_singleton_method2 |
| call_sensitivity.rb:124:5:124:35 | call to singleton_method3 | call_sensitivity.rb:123:3:125:5 | call_singleton_method3 |
viableImplInCallContext
| call_sensitivity.rb:51:5:51:10 | call to sink | call_sensitivity.rb:55:5:55:13 | call to method1 | call_sensitivity.rb:5:1:7:3 | sink |
| call_sensitivity.rb:51:5:51:10 | call to sink | call_sensitivity.rb:59:5:59:16 | call to method1 | call_sensitivity.rb:5:1:7:3 | sink |
| call_sensitivity.rb:55:5:55:13 | call to method1 | call_sensitivity.rb:64:1:64:19 | call to method2 | call_sensitivity.rb:50:3:52:5 | method1 |
| call_sensitivity.rb:55:5:55:13 | call to method1 | call_sensitivity.rb:74:1:74:19 | call to method2 | call_sensitivity.rb:68:3:70:5 | method1 |
| call_sensitivity.rb:59:5:59:16 | call to method1 | call_sensitivity.rb:65:1:65:23 | call to method3 | call_sensitivity.rb:50:3:52:5 | method1 |
| call_sensitivity.rb:59:5:59:16 | call to method1 | call_sensitivity.rb:75:1:75:23 | call to method3 | call_sensitivity.rb:68:3:70:5 | method1 |
| call_sensitivity.rb:51:5:51:10 | call to sink | call_sensitivity.rb:63:5:63:16 | call to method1 | call_sensitivity.rb:5:1:7:3 | sink |
| call_sensitivity.rb:55:5:55:13 | call to method1 | call_sensitivity.rb:59:5:59:18 | call to method2 | call_sensitivity.rb:50:3:52:5 | method1 |
| call_sensitivity.rb:55:5:55:13 | call to method1 | call_sensitivity.rb:59:5:59:18 | call to method2 | call_sensitivity.rb:103:3:105:5 | method1 |
| call_sensitivity.rb:55:5:55:13 | call to method1 | call_sensitivity.rb:92:1:92:19 | call to method2 | call_sensitivity.rb:50:3:52:5 | method1 |
| call_sensitivity.rb:55:5:55:13 | call to method1 | call_sensitivity.rb:112:5:112:18 | call to method2 | call_sensitivity.rb:103:3:105:5 | method1 |
| call_sensitivity.rb:55:5:55:13 | call to method1 | call_sensitivity.rb:129:1:129:19 | call to method2 | call_sensitivity.rb:103:3:105:5 | method1 |
| call_sensitivity.rb:59:5:59:18 | call to method2 | call_sensitivity.rb:93:1:93:24 | call to call_method2 | call_sensitivity.rb:54:3:56:5 | method2 |
| call_sensitivity.rb:63:5:63:16 | call to method1 | call_sensitivity.rb:67:5:67:25 | call to method3 | call_sensitivity.rb:50:3:52:5 | method1 |
| call_sensitivity.rb:63:5:63:16 | call to method1 | call_sensitivity.rb:67:5:67:25 | call to method3 | call_sensitivity.rb:103:3:105:5 | method1 |
| call_sensitivity.rb:63:5:63:16 | call to method1 | call_sensitivity.rb:94:1:94:23 | call to method3 | call_sensitivity.rb:50:3:52:5 | method1 |
| call_sensitivity.rb:63:5:63:16 | call to method1 | call_sensitivity.rb:116:5:116:25 | call to method3 | call_sensitivity.rb:103:3:105:5 | method1 |
| call_sensitivity.rb:63:5:63:16 | call to method1 | call_sensitivity.rb:131:1:131:23 | call to method3 | call_sensitivity.rb:103:3:105:5 | method1 |
| call_sensitivity.rb:67:5:67:25 | call to method3 | call_sensitivity.rb:95:1:95:25 | call to call_method3 | call_sensitivity.rb:62:3:64:5 | method3 |
| call_sensitivity.rb:75:5:75:23 | call to singleton_method1 | call_sensitivity.rb:79:5:79:28 | call to singleton_method2 | call_sensitivity.rb:70:3:72:5 | singleton_method1 |
| call_sensitivity.rb:75:5:75:23 | call to singleton_method1 | call_sensitivity.rb:79:5:79:28 | call to singleton_method2 | call_sensitivity.rb:107:3:109:5 | singleton_method1 |
| call_sensitivity.rb:75:5:75:23 | call to singleton_method1 | call_sensitivity.rb:97:1:97:29 | call to singleton_method2 | call_sensitivity.rb:70:3:72:5 | singleton_method1 |
| call_sensitivity.rb:75:5:75:23 | call to singleton_method1 | call_sensitivity.rb:120:5:120:28 | call to singleton_method2 | call_sensitivity.rb:107:3:109:5 | singleton_method1 |
| call_sensitivity.rb:75:5:75:23 | call to singleton_method1 | call_sensitivity.rb:134:1:134:29 | call to singleton_method2 | call_sensitivity.rb:107:3:109:5 | singleton_method1 |
| call_sensitivity.rb:79:5:79:28 | call to singleton_method2 | call_sensitivity.rb:98:1:98:34 | call to call_singleton_method2 | call_sensitivity.rb:74:3:76:5 | singleton_method2 |
| call_sensitivity.rb:83:5:83:26 | call to singleton_method1 | call_sensitivity.rb:87:5:87:35 | call to singleton_method3 | call_sensitivity.rb:70:3:72:5 | singleton_method1 |
| call_sensitivity.rb:83:5:83:26 | call to singleton_method1 | call_sensitivity.rb:87:5:87:35 | call to singleton_method3 | call_sensitivity.rb:107:3:109:5 | singleton_method1 |
| call_sensitivity.rb:83:5:83:26 | call to singleton_method1 | call_sensitivity.rb:99:1:99:33 | call to singleton_method3 | call_sensitivity.rb:70:3:72:5 | singleton_method1 |
| call_sensitivity.rb:83:5:83:26 | call to singleton_method1 | call_sensitivity.rb:124:5:124:35 | call to singleton_method3 | call_sensitivity.rb:107:3:109:5 | singleton_method1 |
| call_sensitivity.rb:83:5:83:26 | call to singleton_method1 | call_sensitivity.rb:136:1:136:33 | call to singleton_method3 | call_sensitivity.rb:107:3:109:5 | singleton_method1 |
| call_sensitivity.rb:87:5:87:35 | call to singleton_method3 | call_sensitivity.rb:100:1:100:34 | call to call_singleton_method3 | call_sensitivity.rb:82:3:84:5 | singleton_method3 |
| call_sensitivity.rb:112:5:112:18 | call to method2 | call_sensitivity.rb:130:1:130:24 | call to call_method2 | call_sensitivity.rb:54:3:56:5 | method2 |
| call_sensitivity.rb:116:5:116:25 | call to method3 | call_sensitivity.rb:132:1:132:25 | call to call_method3 | call_sensitivity.rb:62:3:64:5 | method3 |
| call_sensitivity.rb:120:5:120:28 | call to singleton_method2 | call_sensitivity.rb:135:1:135:34 | call to call_singleton_method2 | call_sensitivity.rb:74:3:76:5 | singleton_method2 |
| call_sensitivity.rb:124:5:124:35 | call to singleton_method3 | call_sensitivity.rb:137:1:137:34 | call to call_singleton_method3 | call_sensitivity.rb:82:3:84:5 | singleton_method3 |


@@ -48,28 +48,90 @@ apply_lambda(MY_LAMBDA2, taint(9))
class A
def method1 x
sink x # $ hasValueFlow=10 $ hasValueFlow=11
sink x # $ hasValueFlow=10 $ hasValueFlow=11 $ hasValueFlow=12 $ hasValueFlow=13
end
def method2 x
method1 x
end
def call_method2 x
self.method2 x
end
def method3(x, y)
x.method1(y)
end
def call_method3 x
self.method3(self, x)
end
def self.singleton_method1 x
sink x # $ hasValueFlow=14 $ hasValueFlow=15 # $ hasValueFlow=16 $ hasValueFlow=17
end
def self.singleton_method2 x
singleton_method1 x
end
def self.call_singleton_method2 x
self.singleton_method2 x
end
def self.singleton_method3(x, y)
x.singleton_method1(y)
end
def self.call_singleton_method3 x
self.singleton_method3(self, x)
end
end
a = A.new
a.method2(taint 10)
a.method3(a, taint(11))
a.call_method2(taint 11)
a.method3(a, taint(12))
a.call_method3(taint(13))
A.singleton_method2(taint 14)
A.call_singleton_method2(taint 15)
A.singleton_method3(A, taint(16))
A.call_singleton_method3(taint 17)
class B < A
def method1 x
puts x
puts "NON SINK: #{x}"
end
def self.singleton_method1 x
puts "NON SINK: #{x}"
end
def call_method2 x
self.method2 x
end
def call_method3 x
self.method3(self, x)
end
def self.call_singleton_method2 x
self.singleton_method2 x
end
def self.call_singleton_method3 x
self.singleton_method3(self, x)
end
end
b = B.new
b.method2(taint 12)
b.method3(b, taint(13))
b.method2(taint 18)
b.call_method2(taint 19)
b.method3(b, taint(20))
b.call_method3(taint(21))
B.singleton_method2(taint 22)
B.call_singleton_method2(taint 23)
B.singleton_method3(B, taint(24))
B.call_singleton_method3(taint 25)
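Review bot: The inline expectation on `self.singleton_method1` in class A has a second `#` in the middle (`# $ hasValueFlow=14 $ hasValueFlow=15 # $ hasValueFlow=16 $ hasValueFlow=17`), unlike the one on `method1` just above, which lists all its values after a single `# $`. This page does not show whether the inline-expectations parser reads tags after the second `#`; if it stops there, flows 16 and 17 are not asserted inline. I would write `sink x # $ hasValueFlow=14 $ hasValueFlow=15 $ hasValueFlow=16 $ hasValueFlow=17`. A comment above the `b = B.new` call sites would also help, for example `# B overrides method1 and singleton_method1 with non-sinks; taint 18-25 should not reach a sink`. The absence of those flows appears to be what the test checks for call-context precision, and a regression there would surface as false-positive taint alerts.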


@@ -523,6 +523,95 @@ edges
| hash_flow.rb:750:10:750:13 | hash [element :d] : | hash_flow.rb:750:10:750:17 | ...[...] |
| hash_flow.rb:752:10:752:13 | hash [element :f] : | hash_flow.rb:752:10:752:17 | ...[...] |
| hash_flow.rb:753:10:753:13 | hash [element :g] : | hash_flow.rb:753:10:753:17 | ...[...] |
| hash_flow.rb:761:15:761:25 | call to taint : | hash_flow.rb:767:10:767:13 | hash [element :a] : |
| hash_flow.rb:763:15:763:25 | call to taint : | hash_flow.rb:769:10:769:13 | hash [element :c] : |
| hash_flow.rb:763:15:763:25 | call to taint : | hash_flow.rb:772:9:772:12 | hash [element :c] : |
| hash_flow.rb:764:15:764:25 | call to taint : | hash_flow.rb:770:10:770:13 | hash [element :d] : |
| hash_flow.rb:767:10:767:13 | hash [element :a] : | hash_flow.rb:767:10:767:17 | ...[...] |
| hash_flow.rb:769:10:769:13 | hash [element :c] : | hash_flow.rb:769:10:769:17 | ...[...] |
| hash_flow.rb:770:10:770:13 | hash [element :d] : | hash_flow.rb:770:10:770:17 | ...[...] |
| hash_flow.rb:772:9:772:12 | [post] hash [element :c] : | hash_flow.rb:781:10:781:13 | hash [element :c] : |
| hash_flow.rb:772:9:772:12 | hash [element :c] : | hash_flow.rb:772:9:772:12 | [post] hash [element :c] : |
| hash_flow.rb:772:9:772:12 | hash [element :c] : | hash_flow.rb:772:9:772:31 | call to except! [element :c] : |
| hash_flow.rb:772:9:772:31 | call to except! [element :c] : | hash_flow.rb:776:10:776:10 | x [element :c] : |
| hash_flow.rb:776:10:776:10 | x [element :c] : | hash_flow.rb:776:10:776:14 | ...[...] |
| hash_flow.rb:781:10:781:13 | hash [element :c] : | hash_flow.rb:781:10:781:17 | ...[...] |
| hash_flow.rb:789:15:789:25 | call to taint : | hash_flow.rb:798:12:798:16 | hash1 [element :a] : |
| hash_flow.rb:791:15:791:25 | call to taint : | hash_flow.rb:798:12:798:16 | hash1 [element :c] : |
| hash_flow.rb:794:15:794:25 | call to taint : | hash_flow.rb:798:29:798:33 | hash2 [element :d] : |
| hash_flow.rb:796:15:796:25 | call to taint : | hash_flow.rb:798:29:798:33 | hash2 [element :f] : |
| hash_flow.rb:798:12:798:16 | hash1 [element :a] : | hash_flow.rb:798:12:802:7 | call to deep_merge [element :a] : |
| hash_flow.rb:798:12:798:16 | hash1 [element :a] : | hash_flow.rb:798:45:798:53 | old_value : |
| hash_flow.rb:798:12:798:16 | hash1 [element :a] : | hash_flow.rb:798:56:798:64 | new_value : |
| hash_flow.rb:798:12:798:16 | hash1 [element :c] : | hash_flow.rb:798:12:802:7 | call to deep_merge [element :c] : |
| hash_flow.rb:798:12:798:16 | hash1 [element :c] : | hash_flow.rb:798:45:798:53 | old_value : |
| hash_flow.rb:798:12:798:16 | hash1 [element :c] : | hash_flow.rb:798:56:798:64 | new_value : |
| hash_flow.rb:798:12:802:7 | call to deep_merge [element :a] : | hash_flow.rb:803:11:803:14 | hash [element :a] : |
| hash_flow.rb:798:12:802:7 | call to deep_merge [element :c] : | hash_flow.rb:805:11:805:14 | hash [element :c] : |
| hash_flow.rb:798:12:802:7 | call to deep_merge [element :d] : | hash_flow.rb:806:11:806:14 | hash [element :d] : |
| hash_flow.rb:798:12:802:7 | call to deep_merge [element :f] : | hash_flow.rb:808:11:808:14 | hash [element :f] : |
| hash_flow.rb:798:29:798:33 | hash2 [element :d] : | hash_flow.rb:798:12:802:7 | call to deep_merge [element :d] : |
| hash_flow.rb:798:29:798:33 | hash2 [element :d] : | hash_flow.rb:798:45:798:53 | old_value : |
| hash_flow.rb:798:29:798:33 | hash2 [element :d] : | hash_flow.rb:798:56:798:64 | new_value : |
| hash_flow.rb:798:29:798:33 | hash2 [element :f] : | hash_flow.rb:798:12:802:7 | call to deep_merge [element :f] : |
| hash_flow.rb:798:29:798:33 | hash2 [element :f] : | hash_flow.rb:798:45:798:53 | old_value : |
| hash_flow.rb:798:29:798:33 | hash2 [element :f] : | hash_flow.rb:798:56:798:64 | new_value : |
| hash_flow.rb:798:45:798:53 | old_value : | hash_flow.rb:800:14:800:22 | old_value |
| hash_flow.rb:798:56:798:64 | new_value : | hash_flow.rb:801:14:801:22 | new_value |
| hash_flow.rb:803:11:803:14 | hash [element :a] : | hash_flow.rb:803:11:803:18 | ...[...] : |
| hash_flow.rb:803:11:803:18 | ...[...] : | hash_flow.rb:803:10:803:19 | ( ... ) |
| hash_flow.rb:805:11:805:14 | hash [element :c] : | hash_flow.rb:805:11:805:18 | ...[...] : |
| hash_flow.rb:805:11:805:18 | ...[...] : | hash_flow.rb:805:10:805:19 | ( ... ) |
| hash_flow.rb:806:11:806:14 | hash [element :d] : | hash_flow.rb:806:11:806:18 | ...[...] : |
| hash_flow.rb:806:11:806:18 | ...[...] : | hash_flow.rb:806:10:806:19 | ( ... ) |
| hash_flow.rb:808:11:808:14 | hash [element :f] : | hash_flow.rb:808:11:808:18 | ...[...] : |
| hash_flow.rb:808:11:808:18 | ...[...] : | hash_flow.rb:808:10:808:19 | ( ... ) |
| hash_flow.rb:815:15:815:25 | call to taint : | hash_flow.rb:824:12:824:16 | hash1 [element :a] : |
| hash_flow.rb:817:15:817:25 | call to taint : | hash_flow.rb:824:12:824:16 | hash1 [element :c] : |
| hash_flow.rb:820:15:820:25 | call to taint : | hash_flow.rb:824:30:824:34 | hash2 [element :d] : |
| hash_flow.rb:822:15:822:25 | call to taint : | hash_flow.rb:824:30:824:34 | hash2 [element :f] : |
| hash_flow.rb:824:12:824:16 | [post] hash1 [element :a] : | hash_flow.rb:836:11:836:15 | hash1 [element :a] : |
| hash_flow.rb:824:12:824:16 | [post] hash1 [element :c] : | hash_flow.rb:838:11:838:15 | hash1 [element :c] : |
| hash_flow.rb:824:12:824:16 | [post] hash1 [element :d] : | hash_flow.rb:839:11:839:15 | hash1 [element :d] : |
| hash_flow.rb:824:12:824:16 | [post] hash1 [element :f] : | hash_flow.rb:841:11:841:15 | hash1 [element :f] : |
| hash_flow.rb:824:12:824:16 | hash1 [element :a] : | hash_flow.rb:824:12:824:16 | [post] hash1 [element :a] : |
| hash_flow.rb:824:12:824:16 | hash1 [element :a] : | hash_flow.rb:824:12:828:7 | call to deep_merge! [element :a] : |
| hash_flow.rb:824:12:824:16 | hash1 [element :a] : | hash_flow.rb:824:46:824:54 | old_value : |
| hash_flow.rb:824:12:824:16 | hash1 [element :a] : | hash_flow.rb:824:57:824:65 | new_value : |
| hash_flow.rb:824:12:824:16 | hash1 [element :c] : | hash_flow.rb:824:12:824:16 | [post] hash1 [element :c] : |
| hash_flow.rb:824:12:824:16 | hash1 [element :c] : | hash_flow.rb:824:12:828:7 | call to deep_merge! [element :c] : |
| hash_flow.rb:824:12:824:16 | hash1 [element :c] : | hash_flow.rb:824:46:824:54 | old_value : |
| hash_flow.rb:824:12:824:16 | hash1 [element :c] : | hash_flow.rb:824:57:824:65 | new_value : |
| hash_flow.rb:824:12:828:7 | call to deep_merge! [element :a] : | hash_flow.rb:829:11:829:14 | hash [element :a] : |
| hash_flow.rb:824:12:828:7 | call to deep_merge! [element :c] : | hash_flow.rb:831:11:831:14 | hash [element :c] : |
| hash_flow.rb:824:12:828:7 | call to deep_merge! [element :d] : | hash_flow.rb:832:11:832:14 | hash [element :d] : |
| hash_flow.rb:824:12:828:7 | call to deep_merge! [element :f] : | hash_flow.rb:834:11:834:14 | hash [element :f] : |
| hash_flow.rb:824:30:824:34 | hash2 [element :d] : | hash_flow.rb:824:12:824:16 | [post] hash1 [element :d] : |
| hash_flow.rb:824:30:824:34 | hash2 [element :d] : | hash_flow.rb:824:12:828:7 | call to deep_merge! [element :d] : |
| hash_flow.rb:824:30:824:34 | hash2 [element :d] : | hash_flow.rb:824:46:824:54 | old_value : |
| hash_flow.rb:824:30:824:34 | hash2 [element :d] : | hash_flow.rb:824:57:824:65 | new_value : |
| hash_flow.rb:824:30:824:34 | hash2 [element :f] : | hash_flow.rb:824:12:824:16 | [post] hash1 [element :f] : |
| hash_flow.rb:824:30:824:34 | hash2 [element :f] : | hash_flow.rb:824:12:828:7 | call to deep_merge! [element :f] : |
| hash_flow.rb:824:30:824:34 | hash2 [element :f] : | hash_flow.rb:824:46:824:54 | old_value : |
| hash_flow.rb:824:30:824:34 | hash2 [element :f] : | hash_flow.rb:824:57:824:65 | new_value : |
| hash_flow.rb:824:46:824:54 | old_value : | hash_flow.rb:826:14:826:22 | old_value |
| hash_flow.rb:824:57:824:65 | new_value : | hash_flow.rb:827:14:827:22 | new_value |
| hash_flow.rb:829:11:829:14 | hash [element :a] : | hash_flow.rb:829:11:829:18 | ...[...] : |
| hash_flow.rb:829:11:829:18 | ...[...] : | hash_flow.rb:829:10:829:19 | ( ... ) |
| hash_flow.rb:831:11:831:14 | hash [element :c] : | hash_flow.rb:831:11:831:18 | ...[...] : |
| hash_flow.rb:831:11:831:18 | ...[...] : | hash_flow.rb:831:10:831:19 | ( ... ) |
| hash_flow.rb:832:11:832:14 | hash [element :d] : | hash_flow.rb:832:11:832:18 | ...[...] : |
| hash_flow.rb:832:11:832:18 | ...[...] : | hash_flow.rb:832:10:832:19 | ( ... ) |
| hash_flow.rb:834:11:834:14 | hash [element :f] : | hash_flow.rb:834:11:834:18 | ...[...] : |
| hash_flow.rb:834:11:834:18 | ...[...] : | hash_flow.rb:834:10:834:19 | ( ... ) |
| hash_flow.rb:836:11:836:15 | hash1 [element :a] : | hash_flow.rb:836:11:836:19 | ...[...] : |
| hash_flow.rb:836:11:836:19 | ...[...] : | hash_flow.rb:836:10:836:20 | ( ... ) |
| hash_flow.rb:838:11:838:15 | hash1 [element :c] : | hash_flow.rb:838:11:838:19 | ...[...] : |
| hash_flow.rb:838:11:838:19 | ...[...] : | hash_flow.rb:838:10:838:20 | ( ... ) |
| hash_flow.rb:839:11:839:15 | hash1 [element :d] : | hash_flow.rb:839:11:839:19 | ...[...] : |
| hash_flow.rb:839:11:839:19 | ...[...] : | hash_flow.rb:839:10:839:20 | ( ... ) |
| hash_flow.rb:841:11:841:15 | hash1 [element :f] : | hash_flow.rb:841:11:841:19 | ...[...] : |
| hash_flow.rb:841:11:841:19 | ...[...] : | hash_flow.rb:841:10:841:20 | ( ... ) |
nodes
| hash_flow.rb:11:15:11:24 | call to taint : | semmle.label | call to taint : |
| hash_flow.rb:13:12:13:21 | call to taint : | semmle.label | call to taint : |
@@ -1105,6 +1194,94 @@ nodes
| hash_flow.rb:752:10:752:17 | ...[...] | semmle.label | ...[...] |
| hash_flow.rb:753:10:753:13 | hash [element :g] : | semmle.label | hash [element :g] : |
| hash_flow.rb:753:10:753:17 | ...[...] | semmle.label | ...[...] |
| hash_flow.rb:761:15:761:25 | call to taint : | semmle.label | call to taint : |
| hash_flow.rb:763:15:763:25 | call to taint : | semmle.label | call to taint : |
| hash_flow.rb:764:15:764:25 | call to taint : | semmle.label | call to taint : |
| hash_flow.rb:767:10:767:13 | hash [element :a] : | semmle.label | hash [element :a] : |
| hash_flow.rb:767:10:767:17 | ...[...] | semmle.label | ...[...] |
| hash_flow.rb:769:10:769:13 | hash [element :c] : | semmle.label | hash [element :c] : |
| hash_flow.rb:769:10:769:17 | ...[...] | semmle.label | ...[...] |
| hash_flow.rb:770:10:770:13 | hash [element :d] : | semmle.label | hash [element :d] : |
| hash_flow.rb:770:10:770:17 | ...[...] | semmle.label | ...[...] |
| hash_flow.rb:772:9:772:12 | [post] hash [element :c] : | semmle.label | [post] hash [element :c] : |
| hash_flow.rb:772:9:772:12 | hash [element :c] : | semmle.label | hash [element :c] : |
| hash_flow.rb:772:9:772:31 | call to except! [element :c] : | semmle.label | call to except! [element :c] : |
| hash_flow.rb:776:10:776:10 | x [element :c] : | semmle.label | x [element :c] : |
| hash_flow.rb:776:10:776:14 | ...[...] | semmle.label | ...[...] |
| hash_flow.rb:781:10:781:13 | hash [element :c] : | semmle.label | hash [element :c] : |
| hash_flow.rb:781:10:781:17 | ...[...] | semmle.label | ...[...] |
| hash_flow.rb:789:15:789:25 | call to taint : | semmle.label | call to taint : |
| hash_flow.rb:791:15:791:25 | call to taint : | semmle.label | call to taint : |
| hash_flow.rb:794:15:794:25 | call to taint : | semmle.label | call to taint : |
| hash_flow.rb:796:15:796:25 | call to taint : | semmle.label | call to taint : |
| hash_flow.rb:798:12:798:16 | hash1 [element :a] : | semmle.label | hash1 [element :a] : |
| hash_flow.rb:798:12:798:16 | hash1 [element :c] : | semmle.label | hash1 [element :c] : |
| hash_flow.rb:798:12:802:7 | call to deep_merge [element :a] : | semmle.label | call to deep_merge [element :a] : |
| hash_flow.rb:798:12:802:7 | call to deep_merge [element :c] : | semmle.label | call to deep_merge [element :c] : |
| hash_flow.rb:798:12:802:7 | call to deep_merge [element :d] : | semmle.label | call to deep_merge [element :d] : |
| hash_flow.rb:798:12:802:7 | call to deep_merge [element :f] : | semmle.label | call to deep_merge [element :f] : |
| hash_flow.rb:798:29:798:33 | hash2 [element :d] : | semmle.label | hash2 [element :d] : |
| hash_flow.rb:798:29:798:33 | hash2 [element :f] : | semmle.label | hash2 [element :f] : |
| hash_flow.rb:798:45:798:53 | old_value : | semmle.label | old_value : |
| hash_flow.rb:798:56:798:64 | new_value : | semmle.label | new_value : |
| hash_flow.rb:800:14:800:22 | old_value | semmle.label | old_value |
| hash_flow.rb:801:14:801:22 | new_value | semmle.label | new_value |
| hash_flow.rb:803:10:803:19 | ( ... ) | semmle.label | ( ... ) |
| hash_flow.rb:803:11:803:14 | hash [element :a] : | semmle.label | hash [element :a] : |
| hash_flow.rb:803:11:803:18 | ...[...] : | semmle.label | ...[...] : |
| hash_flow.rb:805:10:805:19 | ( ... ) | semmle.label | ( ... ) |
| hash_flow.rb:805:11:805:14 | hash [element :c] : | semmle.label | hash [element :c] : |
| hash_flow.rb:805:11:805:18 | ...[...] : | semmle.label | ...[...] : |
| hash_flow.rb:806:10:806:19 | ( ... ) | semmle.label | ( ... ) |
| hash_flow.rb:806:11:806:14 | hash [element :d] : | semmle.label | hash [element :d] : |
| hash_flow.rb:806:11:806:18 | ...[...] : | semmle.label | ...[...] : |
| hash_flow.rb:808:10:808:19 | ( ... ) | semmle.label | ( ... ) |
| hash_flow.rb:808:11:808:14 | hash [element :f] : | semmle.label | hash [element :f] : |
| hash_flow.rb:808:11:808:18 | ...[...] : | semmle.label | ...[...] : |
| hash_flow.rb:815:15:815:25 | call to taint : | semmle.label | call to taint : |
| hash_flow.rb:817:15:817:25 | call to taint : | semmle.label | call to taint : |
| hash_flow.rb:820:15:820:25 | call to taint : | semmle.label | call to taint : |
| hash_flow.rb:822:15:822:25 | call to taint : | semmle.label | call to taint : |
| hash_flow.rb:824:12:824:16 | [post] hash1 [element :a] : | semmle.label | [post] hash1 [element :a] : |
| hash_flow.rb:824:12:824:16 | [post] hash1 [element :c] : | semmle.label | [post] hash1 [element :c] : |
| hash_flow.rb:824:12:824:16 | [post] hash1 [element :d] : | semmle.label | [post] hash1 [element :d] : |
| hash_flow.rb:824:12:824:16 | [post] hash1 [element :f] : | semmle.label | [post] hash1 [element :f] : |
| hash_flow.rb:824:12:824:16 | hash1 [element :a] : | semmle.label | hash1 [element :a] : |
| hash_flow.rb:824:12:824:16 | hash1 [element :c] : | semmle.label | hash1 [element :c] : |
| hash_flow.rb:824:12:828:7 | call to deep_merge! [element :a] : | semmle.label | call to deep_merge! [element :a] : |
| hash_flow.rb:824:12:828:7 | call to deep_merge! [element :c] : | semmle.label | call to deep_merge! [element :c] : |
| hash_flow.rb:824:12:828:7 | call to deep_merge! [element :d] : | semmle.label | call to deep_merge! [element :d] : |
| hash_flow.rb:824:12:828:7 | call to deep_merge! [element :f] : | semmle.label | call to deep_merge! [element :f] : |
| hash_flow.rb:824:30:824:34 | hash2 [element :d] : | semmle.label | hash2 [element :d] : |
| hash_flow.rb:824:30:824:34 | hash2 [element :f] : | semmle.label | hash2 [element :f] : |
| hash_flow.rb:824:46:824:54 | old_value : | semmle.label | old_value : |
| hash_flow.rb:824:57:824:65 | new_value : | semmle.label | new_value : |
| hash_flow.rb:826:14:826:22 | old_value | semmle.label | old_value |
| hash_flow.rb:827:14:827:22 | new_value | semmle.label | new_value |
| hash_flow.rb:829:10:829:19 | ( ... ) | semmle.label | ( ... ) |
| hash_flow.rb:829:11:829:14 | hash [element :a] : | semmle.label | hash [element :a] : |
| hash_flow.rb:829:11:829:18 | ...[...] : | semmle.label | ...[...] : |
| hash_flow.rb:831:10:831:19 | ( ... ) | semmle.label | ( ... ) |
| hash_flow.rb:831:11:831:14 | hash [element :c] : | semmle.label | hash [element :c] : |
| hash_flow.rb:831:11:831:18 | ...[...] : | semmle.label | ...[...] : |
| hash_flow.rb:832:10:832:19 | ( ... ) | semmle.label | ( ... ) |
| hash_flow.rb:832:11:832:14 | hash [element :d] : | semmle.label | hash [element :d] : |
| hash_flow.rb:832:11:832:18 | ...[...] : | semmle.label | ...[...] : |
| hash_flow.rb:834:10:834:19 | ( ... ) | semmle.label | ( ... ) |
| hash_flow.rb:834:11:834:14 | hash [element :f] : | semmle.label | hash [element :f] : |
| hash_flow.rb:834:11:834:18 | ...[...] : | semmle.label | ...[...] : |
| hash_flow.rb:836:10:836:20 | ( ... ) | semmle.label | ( ... ) |
| hash_flow.rb:836:11:836:15 | hash1 [element :a] : | semmle.label | hash1 [element :a] : |
| hash_flow.rb:836:11:836:19 | ...[...] : | semmle.label | ...[...] : |
| hash_flow.rb:838:10:838:20 | ( ... ) | semmle.label | ( ... ) |
| hash_flow.rb:838:11:838:15 | hash1 [element :c] : | semmle.label | hash1 [element :c] : |
| hash_flow.rb:838:11:838:19 | ...[...] : | semmle.label | ...[...] : |
| hash_flow.rb:839:10:839:20 | ( ... ) | semmle.label | ( ... ) |
| hash_flow.rb:839:11:839:15 | hash1 [element :d] : | semmle.label | hash1 [element :d] : |
| hash_flow.rb:839:11:839:19 | ...[...] : | semmle.label | ...[...] : |
| hash_flow.rb:841:10:841:20 | ( ... ) | semmle.label | ( ... ) |
| hash_flow.rb:841:11:841:15 | hash1 [element :f] : | semmle.label | hash1 [element :f] : |
| hash_flow.rb:841:11:841:19 | ...[...] : | semmle.label | ...[...] : |
subpaths
#select
| hash_flow.rb:22:10:22:17 | ...[...] | hash_flow.rb:11:15:11:24 | call to taint : | hash_flow.rb:22:10:22:17 | ...[...] | $@ | hash_flow.rb:11:15:11:24 | call to taint : | call to taint : |
@@ -1279,3 +1456,36 @@ subpaths
| hash_flow.rb:750:10:750:17 | ...[...] | hash_flow.rb:742:15:742:25 | call to taint : | hash_flow.rb:750:10:750:17 | ...[...] | $@ | hash_flow.rb:742:15:742:25 | call to taint : | call to taint : |
| hash_flow.rb:752:10:752:17 | ...[...] | hash_flow.rb:744:15:744:25 | call to taint : | hash_flow.rb:752:10:752:17 | ...[...] | $@ | hash_flow.rb:744:15:744:25 | call to taint : | call to taint : |
| hash_flow.rb:753:10:753:17 | ...[...] | hash_flow.rb:746:29:746:39 | call to taint : | hash_flow.rb:753:10:753:17 | ...[...] | $@ | hash_flow.rb:746:29:746:39 | call to taint : | call to taint : |
| hash_flow.rb:767:10:767:17 | ...[...] | hash_flow.rb:761:15:761:25 | call to taint : | hash_flow.rb:767:10:767:17 | ...[...] | $@ | hash_flow.rb:761:15:761:25 | call to taint : | call to taint : |
| hash_flow.rb:769:10:769:17 | ...[...] | hash_flow.rb:763:15:763:25 | call to taint : | hash_flow.rb:769:10:769:17 | ...[...] | $@ | hash_flow.rb:763:15:763:25 | call to taint : | call to taint : |
| hash_flow.rb:770:10:770:17 | ...[...] | hash_flow.rb:764:15:764:25 | call to taint : | hash_flow.rb:770:10:770:17 | ...[...] | $@ | hash_flow.rb:764:15:764:25 | call to taint : | call to taint : |
| hash_flow.rb:776:10:776:14 | ...[...] | hash_flow.rb:763:15:763:25 | call to taint : | hash_flow.rb:776:10:776:14 | ...[...] | $@ | hash_flow.rb:763:15:763:25 | call to taint : | call to taint : |
| hash_flow.rb:781:10:781:17 | ...[...] | hash_flow.rb:763:15:763:25 | call to taint : | hash_flow.rb:781:10:781:17 | ...[...] | $@ | hash_flow.rb:763:15:763:25 | call to taint : | call to taint : |
| hash_flow.rb:800:14:800:22 | old_value | hash_flow.rb:789:15:789:25 | call to taint : | hash_flow.rb:800:14:800:22 | old_value | $@ | hash_flow.rb:789:15:789:25 | call to taint : | call to taint : |
| hash_flow.rb:800:14:800:22 | old_value | hash_flow.rb:791:15:791:25 | call to taint : | hash_flow.rb:800:14:800:22 | old_value | $@ | hash_flow.rb:791:15:791:25 | call to taint : | call to taint : |
| hash_flow.rb:800:14:800:22 | old_value | hash_flow.rb:794:15:794:25 | call to taint : | hash_flow.rb:800:14:800:22 | old_value | $@ | hash_flow.rb:794:15:794:25 | call to taint : | call to taint : |
| hash_flow.rb:800:14:800:22 | old_value | hash_flow.rb:796:15:796:25 | call to taint : | hash_flow.rb:800:14:800:22 | old_value | $@ | hash_flow.rb:796:15:796:25 | call to taint : | call to taint : |
| hash_flow.rb:801:14:801:22 | new_value | hash_flow.rb:789:15:789:25 | call to taint : | hash_flow.rb:801:14:801:22 | new_value | $@ | hash_flow.rb:789:15:789:25 | call to taint : | call to taint : |
| hash_flow.rb:801:14:801:22 | new_value | hash_flow.rb:791:15:791:25 | call to taint : | hash_flow.rb:801:14:801:22 | new_value | $@ | hash_flow.rb:791:15:791:25 | call to taint : | call to taint : |
| hash_flow.rb:801:14:801:22 | new_value | hash_flow.rb:794:15:794:25 | call to taint : | hash_flow.rb:801:14:801:22 | new_value | $@ | hash_flow.rb:794:15:794:25 | call to taint : | call to taint : |
| hash_flow.rb:801:14:801:22 | new_value | hash_flow.rb:796:15:796:25 | call to taint : | hash_flow.rb:801:14:801:22 | new_value | $@ | hash_flow.rb:796:15:796:25 | call to taint : | call to taint : |
| hash_flow.rb:803:10:803:19 | ( ... ) | hash_flow.rb:789:15:789:25 | call to taint : | hash_flow.rb:803:10:803:19 | ( ... ) | $@ | hash_flow.rb:789:15:789:25 | call to taint : | call to taint : |
| hash_flow.rb:805:10:805:19 | ( ... ) | hash_flow.rb:791:15:791:25 | call to taint : | hash_flow.rb:805:10:805:19 | ( ... ) | $@ | hash_flow.rb:791:15:791:25 | call to taint : | call to taint : |
| hash_flow.rb:806:10:806:19 | ( ... ) | hash_flow.rb:794:15:794:25 | call to taint : | hash_flow.rb:806:10:806:19 | ( ... ) | $@ | hash_flow.rb:794:15:794:25 | call to taint : | call to taint : |
| hash_flow.rb:808:10:808:19 | ( ... ) | hash_flow.rb:796:15:796:25 | call to taint : | hash_flow.rb:808:10:808:19 | ( ... ) | $@ | hash_flow.rb:796:15:796:25 | call to taint : | call to taint : |
| hash_flow.rb:826:14:826:22 | old_value | hash_flow.rb:815:15:815:25 | call to taint : | hash_flow.rb:826:14:826:22 | old_value | $@ | hash_flow.rb:815:15:815:25 | call to taint : | call to taint : |
| hash_flow.rb:826:14:826:22 | old_value | hash_flow.rb:817:15:817:25 | call to taint : | hash_flow.rb:826:14:826:22 | old_value | $@ | hash_flow.rb:817:15:817:25 | call to taint : | call to taint : |
| hash_flow.rb:826:14:826:22 | old_value | hash_flow.rb:820:15:820:25 | call to taint : | hash_flow.rb:826:14:826:22 | old_value | $@ | hash_flow.rb:820:15:820:25 | call to taint : | call to taint : |
| hash_flow.rb:826:14:826:22 | old_value | hash_flow.rb:822:15:822:25 | call to taint : | hash_flow.rb:826:14:826:22 | old_value | $@ | hash_flow.rb:822:15:822:25 | call to taint : | call to taint : |
| hash_flow.rb:827:14:827:22 | new_value | hash_flow.rb:815:15:815:25 | call to taint : | hash_flow.rb:827:14:827:22 | new_value | $@ | hash_flow.rb:815:15:815:25 | call to taint : | call to taint : |
| hash_flow.rb:827:14:827:22 | new_value | hash_flow.rb:817:15:817:25 | call to taint : | hash_flow.rb:827:14:827:22 | new_value | $@ | hash_flow.rb:817:15:817:25 | call to taint : | call to taint : |
| hash_flow.rb:827:14:827:22 | new_value | hash_flow.rb:820:15:820:25 | call to taint : | hash_flow.rb:827:14:827:22 | new_value | $@ | hash_flow.rb:820:15:820:25 | call to taint : | call to taint : |
| hash_flow.rb:827:14:827:22 | new_value | hash_flow.rb:822:15:822:25 | call to taint : | hash_flow.rb:827:14:827:22 | new_value | $@ | hash_flow.rb:822:15:822:25 | call to taint : | call to taint : |
| hash_flow.rb:829:10:829:19 | ( ... ) | hash_flow.rb:815:15:815:25 | call to taint : | hash_flow.rb:829:10:829:19 | ( ... ) | $@ | hash_flow.rb:815:15:815:25 | call to taint : | call to taint : |
| hash_flow.rb:831:10:831:19 | ( ... ) | hash_flow.rb:817:15:817:25 | call to taint : | hash_flow.rb:831:10:831:19 | ( ... ) | $@ | hash_flow.rb:817:15:817:25 | call to taint : | call to taint : |
| hash_flow.rb:832:10:832:19 | ( ... ) | hash_flow.rb:820:15:820:25 | call to taint : | hash_flow.rb:832:10:832:19 | ( ... ) | $@ | hash_flow.rb:820:15:820:25 | call to taint : | call to taint : |
| hash_flow.rb:834:10:834:19 | ( ... ) | hash_flow.rb:822:15:822:25 | call to taint : | hash_flow.rb:834:10:834:19 | ( ... ) | $@ | hash_flow.rb:822:15:822:25 | call to taint : | call to taint : |
| hash_flow.rb:836:10:836:20 | ( ... ) | hash_flow.rb:815:15:815:25 | call to taint : | hash_flow.rb:836:10:836:20 | ( ... ) | $@ | hash_flow.rb:815:15:815:25 | call to taint : | call to taint : |
| hash_flow.rb:838:10:838:20 | ( ... ) | hash_flow.rb:817:15:817:25 | call to taint : | hash_flow.rb:838:10:838:20 | ( ... ) | $@ | hash_flow.rb:817:15:817:25 | call to taint : | call to taint : |
| hash_flow.rb:839:10:839:20 | ( ... ) | hash_flow.rb:820:15:820:25 | call to taint : | hash_flow.rb:839:10:839:20 | ( ... ) | $@ | hash_flow.rb:820:15:820:25 | call to taint : | call to taint : |
| hash_flow.rb:841:10:841:20 | ( ... ) | hash_flow.rb:822:15:822:25 | call to taint : | hash_flow.rb:841:10:841:20 | ( ... ) | $@ | hash_flow.rb:822:15:822:25 | call to taint : | call to taint : |


@@ -754,4 +754,91 @@ def m45()
sink(hash[:h])
end
m45()
m45()
def m46(x)
hash = {
:a => taint(46.1),
:b => 1,
:c => taint(46.2),
:d => taint(46.3)
}
sink(hash[:a]) # $ hasValueFlow=46.1
sink(hash[:b])
sink(hash[:c]) # $ hasValueFlow=46.2
sink(hash[:d]) # $ hasValueFlow=46.3
x = hash.except!(:a, x, :d)
sink(x[:a])
sink(x[:b])
sink(x[:c]) # $ hasValueFlow=46.2
sink(x[:d])
sink(hash[:a])
sink(hash[:b])
sink(hash[:c]) # $ hasValueFlow=46.2
sink(hash[:d])
end
m46(:c)
def m47()
hash1 = {
:a => taint(47.1),
:b => 1,
:c => taint(47.2)
}
hash2 = {
:d => taint(47.3),
:e => 1,
:f => taint(47.4)
}
hash = hash1.deep_merge(hash2) do |key, old_value, new_value|
sink key
sink old_value # $ hasValueFlow=47.1 $ hasValueFlow=47.2 $ hasValueFlow=47.3 $ hasValueFlow=47.4
sink new_value # $ hasValueFlow=47.1 $ hasValueFlow=47.2 $ hasValueFlow=47.3 $ hasValueFlow=47.4
end
sink (hash[:a]) # $ hasValueFlow=47.1
sink (hash[:b])
sink (hash[:c]) # $ hasValueFlow=47.2
sink (hash[:d]) # $ hasValueFlow=47.3
sink (hash[:e])
sink (hash[:f]) # $ hasValueFlow=47.4
end
m47()
def m48()
hash1 = {
:a => taint(48.1),
:b => 1,
:c => taint(48.2)
}
hash2 = {
:d => taint(48.3),
:e => 1,
:f => taint(48.4)
}
hash = hash1.deep_merge!(hash2) do |key, old_value, new_value|
sink key
sink old_value # $ hasValueFlow=48.1 $ hasValueFlow=48.2 $ hasValueFlow=48.3 $ hasValueFlow=48.4
sink new_value # $ hasValueFlow=48.1 $ hasValueFlow=48.2 $ hasValueFlow=48.3 $ hasValueFlow=48.4
end
sink (hash[:a]) # $ hasValueFlow=48.1
sink (hash[:b])
sink (hash[:c]) # $ hasValueFlow=48.2
sink (hash[:d]) # $ hasValueFlow=48.3
sink (hash[:e])
sink (hash[:f]) # $ hasValueFlow=48.4
sink (hash1[:a]) # $ hasValueFlow=48.1
sink (hash1[:b])
sink (hash1[:c]) # $ hasValueFlow=48.2
sink (hash1[:d]) # $ hasValueFlow=48.3
sink (hash1[:e])
sink (hash1[:f]) # $ hasValueFlow=48.4
end
m48()
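Review bot: In `m46`, the expectations `sink(x[:c]) # $ hasValueFlow=46.2` and `sink(hash[:c]) # $ hasValueFlow=46.2` appear to record the analysis's over-approximation rather than runtime behaviour. The call `m46(:c)` makes `hash.except!(:a, x, :d)` remove `:c` as well, so neither sink would receive tainted data when the code runs. A short comment above that call would stop a later maintainer from "correcting" the annotation and silently accepting a lost flow, for example `# x is not a statically known key, so flow through :c is kept conservatively`. The same statement also overwrites the parameter `x` with the returned hash; a separate local such as `result = hash.except!(:a, x, :d)` would keep the key argument and the result apart.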


@@ -25,3 +25,9 @@
| hash_flow.rb:671:10:671:19 | ( ... ) | Unexpected result: hasValueFlow=41.1 |
| hash_flow.rb:702:22:702:42 | # $ hasValueFlow=42.3 | Missing result:hasValueFlow=42.3 |
| hash_flow.rb:704:22:704:42 | # $ hasValueFlow=42.4 | Missing result:hasValueFlow=42.4 |
| hash_flow.rb:774:10:774:14 | ...[...] | Unexpected result: hasValueFlow=46.1 |
| hash_flow.rb:777:10:777:14 | ...[...] | Unexpected result: hasValueFlow=46.3 |
| hash_flow.rb:779:10:779:17 | ...[...] | Unexpected result: hasValueFlow=46.1 |
| hash_flow.rb:782:10:782:17 | ...[...] | Unexpected result: hasValueFlow=46.3 |
| hash_flow.rb:839:22:839:42 | # $ hasValueFlow=48.3 | Missing result:hasValueFlow=48.3 |
| hash_flow.rb:841:22:841:42 | # $ hasValueFlow=48.4 | Missing result:hasValueFlow=48.4 |


@@ -1 +1,6 @@
// This test flags any difference in flow between the type-tracking and dataflow
// libraries. New results in this query do not necessarily indicate a problem,
// only that type-tracking cannot follow the flow in your test. If the dataflow
// test (`hash-flow.ql`) shows no failures, then that may be sufficient
// (depending on your use case).
import TestUtilities.InlineTypeTrackingFlowTest


@@ -1,6 +1,7 @@
constantizeCalls
| active_support.rb:1:1:1:22 | call to constantize | active_support.rb:1:1:1:10 | "Foo::Bar" |
| active_support.rb:3:1:3:13 | call to constantize | active_support.rb:3:1:3:1 | call to a |
| active_support.rb:4:1:4:18 | call to safe_constantize | active_support.rb:4:1:4:1 | call to a |
loggerInstantiations
| active_support.rb:5:1:5:33 | call to new |
| active_support.rb:6:1:6:40 | call to new |
| active_support.rb:6:1:6:33 | call to new |
| active_support.rb:7:1:7:40 | call to new |


@@ -1,345 +1,624 @@
failures
edges
| active_support.rb:9:9:9:18 | call to source : | active_support.rb:10:10:10:10 | x : |
| active_support.rb:10:10:10:10 | x : | active_support.rb:10:10:10:19 | call to camelize |
| active_support.rb:14:9:14:18 | call to source : | active_support.rb:15:10:15:10 | x : |
| active_support.rb:15:10:15:10 | x : | active_support.rb:15:10:15:20 | call to camelcase |
| active_support.rb:19:9:19:18 | call to source : | active_support.rb:20:10:20:10 | x : |
| active_support.rb:20:10:20:10 | x : | active_support.rb:20:10:20:19 | call to classify |
| active_support.rb:24:9:24:18 | call to source : | active_support.rb:25:10:25:10 | x : |
| active_support.rb:25:10:25:10 | x : | active_support.rb:25:10:25:20 | call to dasherize |
| active_support.rb:29:9:29:18 | call to source : | active_support.rb:30:10:30:10 | x : |
| active_support.rb:30:10:30:10 | x : | active_support.rb:30:10:30:24 | call to deconstantize |
| active_support.rb:34:9:34:18 | call to source : | active_support.rb:35:10:35:10 | x : |
| active_support.rb:35:10:35:10 | x : | active_support.rb:35:10:35:21 | call to demodulize |
| active_support.rb:39:9:39:18 | call to source : | active_support.rb:40:10:40:10 | x : |
| active_support.rb:40:10:40:10 | x : | active_support.rb:40:10:40:22 | call to foreign_key |
| active_support.rb:44:9:44:18 | call to source : | active_support.rb:45:10:45:10 | x : |
| active_support.rb:45:10:45:10 | x : | active_support.rb:45:10:45:19 | call to humanize |
| active_support.rb:49:9:49:18 | call to source : | active_support.rb:50:10:50:10 | x : |
| active_support.rb:50:10:50:10 | x : | active_support.rb:50:10:50:20 | call to indent |
| active_support.rb:54:9:54:18 | call to source : | active_support.rb:55:10:55:10 | x : |
| active_support.rb:55:10:55:10 | x : | active_support.rb:55:10:55:23 | call to parameterize |
| active_support.rb:59:9:59:18 | call to source : | active_support.rb:60:10:60:10 | x : |
| active_support.rb:60:10:60:10 | x : | active_support.rb:60:10:60:20 | call to pluralize |
| active_support.rb:64:9:64:18 | call to source : | active_support.rb:65:10:65:10 | x : |
| active_support.rb:65:10:65:10 | x : | active_support.rb:65:10:65:22 | call to singularize |
| active_support.rb:69:9:69:18 | call to source : | active_support.rb:70:10:70:10 | x : |
| active_support.rb:70:10:70:10 | x : | active_support.rb:70:10:70:17 | call to squish |
| active_support.rb:74:9:74:18 | call to source : | active_support.rb:75:10:75:10 | x : |
| active_support.rb:75:10:75:10 | x : | active_support.rb:75:10:75:24 | call to strip_heredoc |
| active_support.rb:79:9:79:18 | call to source : | active_support.rb:80:10:80:10 | x : |
| active_support.rb:80:10:80:10 | x : | active_support.rb:80:10:80:19 | call to tableize |
| active_support.rb:84:9:84:18 | call to source : | active_support.rb:85:10:85:10 | x : |
| active_support.rb:85:10:85:10 | x : | active_support.rb:85:10:85:20 | call to titlecase |
| active_support.rb:89:9:89:18 | call to source : | active_support.rb:90:10:90:10 | x : |
| active_support.rb:90:10:90:10 | x : | active_support.rb:90:10:90:19 | call to titleize |
| active_support.rb:94:9:94:18 | call to source : | active_support.rb:95:10:95:10 | x : |
| active_support.rb:95:10:95:10 | x : | active_support.rb:95:10:95:21 | call to underscore |
| active_support.rb:99:9:99:18 | call to source : | active_support.rb:100:10:100:10 | x : |
| active_support.rb:100:10:100:10 | x : | active_support.rb:100:10:100:23 | call to upcase_first |
| active_support.rb:104:10:104:17 | call to source : | active_support.rb:105:9:105:9 | x [element 0] : |
| active_support.rb:104:10:104:17 | call to source : | active_support.rb:105:9:105:9 | x [element 0] : |
| active_support.rb:105:9:105:9 | x [element 0] : | active_support.rb:105:9:105:23 | call to compact_blank [element] : |
| active_support.rb:105:9:105:9 | x [element 0] : | active_support.rb:105:9:105:23 | call to compact_blank [element] : |
| active_support.rb:105:9:105:23 | call to compact_blank [element] : | active_support.rb:106:10:106:10 | y [element] : |
| active_support.rb:105:9:105:23 | call to compact_blank [element] : | active_support.rb:106:10:106:10 | y [element] : |
| active_support.rb:106:10:106:10 | y [element] : | active_support.rb:106:10:106:13 | ...[...] |
| active_support.rb:106:10:106:10 | y [element] : | active_support.rb:106:10:106:13 | ...[...] |
| active_support.rb:110:10:110:18 | call to source : | active_support.rb:111:9:111:9 | x [element 0] : |
| active_support.rb:110:10:110:18 | call to source : | active_support.rb:111:9:111:9 | x [element 0] : |
| active_support.rb:111:9:111:9 | x [element 0] : | active_support.rb:111:9:111:21 | call to excluding [element] : |
| active_support.rb:111:9:111:9 | x [element 0] : | active_support.rb:111:9:111:21 | call to excluding [element] : |
| active_support.rb:111:9:111:21 | call to excluding [element] : | active_support.rb:112:10:112:10 | y [element] : |
| active_support.rb:111:9:111:21 | call to excluding [element] : | active_support.rb:112:10:112:10 | y [element] : |
| active_support.rb:112:10:112:10 | y [element] : | active_support.rb:112:10:112:13 | ...[...] |
| active_support.rb:112:10:112:10 | y [element] : | active_support.rb:112:10:112:13 | ...[...] |
| active_support.rb:116:10:116:18 | call to source : | active_support.rb:117:9:117:9 | x [element 0] : |
| active_support.rb:116:10:116:18 | call to source : | active_support.rb:117:9:117:9 | x [element 0] : |
| active_support.rb:117:9:117:9 | x [element 0] : | active_support.rb:117:9:117:19 | call to without [element] : |
| active_support.rb:117:9:117:9 | x [element 0] : | active_support.rb:117:9:117:19 | call to without [element] : |
| active_support.rb:117:9:117:19 | call to without [element] : | active_support.rb:118:10:118:10 | y [element] : |
| active_support.rb:117:9:117:19 | call to without [element] : | active_support.rb:118:10:118:10 | y [element] : |
| active_support.rb:118:10:118:10 | y [element] : | active_support.rb:118:10:118:13 | ...[...] |
| active_support.rb:118:10:118:10 | y [element] : | active_support.rb:118:10:118:13 | ...[...] |
| active_support.rb:122:10:122:18 | call to source : | active_support.rb:123:9:123:9 | x [element 0] : |
| active_support.rb:122:10:122:18 | call to source : | active_support.rb:123:9:123:9 | x [element 0] : |
| active_support.rb:123:9:123:9 | x [element 0] : | active_support.rb:123:9:123:37 | call to in_order_of [element] : |
| active_support.rb:123:9:123:9 | x [element 0] : | active_support.rb:123:9:123:37 | call to in_order_of [element] : |
| active_support.rb:123:9:123:37 | call to in_order_of [element] : | active_support.rb:124:10:124:10 | y [element] : |
| active_support.rb:123:9:123:37 | call to in_order_of [element] : | active_support.rb:124:10:124:10 | y [element] : |
| active_support.rb:124:10:124:10 | y [element] : | active_support.rb:124:10:124:13 | ...[...] |
| active_support.rb:124:10:124:10 | y [element] : | active_support.rb:124:10:124:13 | ...[...] |
| active_support.rb:128:10:128:18 | call to source : | active_support.rb:129:9:129:9 | a [element 0] : |
| active_support.rb:128:10:128:18 | call to source : | active_support.rb:129:9:129:9 | a [element 0] : |
| active_support.rb:128:10:128:18 | call to source : | active_support.rb:130:10:130:10 | a [element 0] : |
| active_support.rb:128:10:128:18 | call to source : | active_support.rb:130:10:130:10 | a [element 0] : |
| active_support.rb:129:9:129:9 | a [element 0] : | active_support.rb:129:9:129:41 | call to including [element 0] : |
| active_support.rb:129:9:129:9 | a [element 0] : | active_support.rb:129:9:129:41 | call to including [element 0] : |
| active_support.rb:129:9:129:41 | call to including [element 0] : | active_support.rb:132:10:132:10 | b [element 0] : |
| active_support.rb:129:9:129:41 | call to including [element 0] : | active_support.rb:132:10:132:10 | b [element 0] : |
| active_support.rb:129:9:129:41 | call to including [element] : | active_support.rb:132:10:132:10 | b [element] : |
| active_support.rb:129:9:129:41 | call to including [element] : | active_support.rb:132:10:132:10 | b [element] : |
| active_support.rb:129:9:129:41 | call to including [element] : | active_support.rb:133:10:133:10 | b [element] : |
| active_support.rb:129:9:129:41 | call to including [element] : | active_support.rb:133:10:133:10 | b [element] : |
| active_support.rb:129:9:129:41 | call to including [element] : | active_support.rb:134:10:134:10 | b [element] : |
| active_support.rb:129:9:129:41 | call to including [element] : | active_support.rb:134:10:134:10 | b [element] : |
| active_support.rb:129:9:129:41 | call to including [element] : | active_support.rb:135:10:135:10 | b [element] : |
| active_support.rb:129:9:129:41 | call to including [element] : | active_support.rb:135:10:135:10 | b [element] : |
| active_support.rb:129:21:129:29 | call to source : | active_support.rb:129:9:129:41 | call to including [element] : |
| active_support.rb:129:21:129:29 | call to source : | active_support.rb:129:9:129:41 | call to including [element] : |
| active_support.rb:129:32:129:40 | call to source : | active_support.rb:129:9:129:41 | call to including [element] : |
| active_support.rb:129:32:129:40 | call to source : | active_support.rb:129:9:129:41 | call to including [element] : |
| active_support.rb:130:10:130:10 | a [element 0] : | active_support.rb:130:10:130:13 | ...[...] |
| active_support.rb:130:10:130:10 | a [element 0] : | active_support.rb:130:10:130:13 | ...[...] |
| active_support.rb:132:10:132:10 | b [element 0] : | active_support.rb:132:10:132:13 | ...[...] |
| active_support.rb:132:10:132:10 | b [element 0] : | active_support.rb:132:10:132:13 | ...[...] |
| active_support.rb:132:10:132:10 | b [element] : | active_support.rb:132:10:132:13 | ...[...] |
| active_support.rb:132:10:132:10 | b [element] : | active_support.rb:132:10:132:13 | ...[...] |
| active_support.rb:133:10:133:10 | b [element] : | active_support.rb:133:10:133:13 | ...[...] |
| active_support.rb:133:10:133:10 | b [element] : | active_support.rb:133:10:133:13 | ...[...] |
| active_support.rb:134:10:134:10 | b [element] : | active_support.rb:134:10:134:13 | ...[...] |
| active_support.rb:134:10:134:10 | b [element] : | active_support.rb:134:10:134:13 | ...[...] |
| active_support.rb:135:10:135:10 | b [element] : | active_support.rb:135:10:135:13 | ...[...] |
| active_support.rb:135:10:135:10 | b [element] : | active_support.rb:135:10:135:13 | ...[...] |
| active_support.rb:139:7:139:16 | call to source : | active_support.rb:140:34:140:34 | x : |
| active_support.rb:140:7:140:35 | call to new : | active_support.rb:141:8:141:8 | y |
| active_support.rb:140:34:140:34 | x : | active_support.rb:140:7:140:35 | call to new : |
| active_support.rb:146:7:146:16 | call to source : | active_support.rb:147:21:147:21 | b : |
| active_support.rb:147:7:147:22 | call to safe_concat : | active_support.rb:148:8:148:8 | y |
| active_support.rb:147:21:147:21 | b : | active_support.rb:147:7:147:22 | call to safe_concat : |
| active_support.rb:153:7:153:16 | call to source : | active_support.rb:154:17:154:17 | b : |
| active_support.rb:154:3:154:3 | [post] x : | active_support.rb:155:8:155:8 | x |
| active_support.rb:154:17:154:17 | b : | active_support.rb:154:3:154:3 | [post] x : |
| active_support.rb:159:7:159:16 | call to source : | active_support.rb:161:34:161:34 | a : |
| active_support.rb:161:7:161:35 | call to new : | active_support.rb:162:7:162:7 | x : |
| active_support.rb:161:34:161:34 | a : | active_support.rb:161:7:161:35 | call to new : |
| active_support.rb:162:7:162:7 | x : | active_support.rb:162:7:162:17 | call to concat : |
| active_support.rb:162:7:162:17 | call to concat : | active_support.rb:163:8:163:8 | y |
| active_support.rb:167:7:167:16 | call to source : | active_support.rb:169:34:169:34 | a : |
| active_support.rb:169:7:169:35 | call to new : | active_support.rb:170:7:170:7 | x : |
| active_support.rb:169:34:169:34 | a : | active_support.rb:169:7:169:35 | call to new : |
| active_support.rb:170:7:170:7 | x : | active_support.rb:170:7:170:20 | call to insert : |
| active_support.rb:170:7:170:20 | call to insert : | active_support.rb:171:8:171:8 | y |
| active_support.rb:175:7:175:16 | call to source : | active_support.rb:177:34:177:34 | a : |
| active_support.rb:177:7:177:35 | call to new : | active_support.rb:178:7:178:7 | x : |
| active_support.rb:177:34:177:34 | a : | active_support.rb:177:7:177:35 | call to new : |
| active_support.rb:178:7:178:7 | x : | active_support.rb:178:7:178:18 | call to prepend : |
| active_support.rb:178:7:178:18 | call to prepend : | active_support.rb:179:8:179:8 | y |
| active_support.rb:183:7:183:16 | call to source : | active_support.rb:184:34:184:34 | a : |
| active_support.rb:184:7:184:35 | call to new : | active_support.rb:185:7:185:7 | x : |
| active_support.rb:184:34:184:34 | a : | active_support.rb:184:7:184:35 | call to new : |
| active_support.rb:185:7:185:7 | x : | active_support.rb:185:7:185:12 | call to to_s : |
| active_support.rb:185:7:185:12 | call to to_s : | active_support.rb:186:8:186:8 | y |
| active_support.rb:190:7:190:16 | call to source : | active_support.rb:191:34:191:34 | a : |
| active_support.rb:191:7:191:35 | call to new : | active_support.rb:192:7:192:7 | x : |
| active_support.rb:191:34:191:34 | a : | active_support.rb:191:7:191:35 | call to new : |
| active_support.rb:192:7:192:7 | x : | active_support.rb:192:7:192:16 | call to to_param : |
| active_support.rb:192:7:192:16 | call to to_param : | active_support.rb:193:8:193:8 | y |
| active_support.rb:197:7:197:16 | call to source : | active_support.rb:198:20:198:20 | a : |
| active_support.rb:198:7:198:21 | call to new : | active_support.rb:199:7:199:7 | x : |
| active_support.rb:198:20:198:20 | a : | active_support.rb:198:7:198:21 | call to new : |
| active_support.rb:199:7:199:7 | x : | active_support.rb:199:7:199:17 | call to existence : |
| active_support.rb:199:7:199:17 | call to existence : | active_support.rb:200:8:200:8 | y |
| active_support.rb:199:7:199:17 | call to existence : | active_support.rb:201:7:201:7 | y : |
| active_support.rb:201:7:201:7 | y : | active_support.rb:201:7:201:17 | call to existence : |
| active_support.rb:201:7:201:17 | call to existence : | active_support.rb:202:8:202:8 | z |
| active_support.rb:10:9:10:18 | call to source : | active_support.rb:11:10:11:10 | x : |
| active_support.rb:11:10:11:10 | x : | active_support.rb:11:10:11:19 | call to at |
| active_support.rb:15:9:15:18 | call to source : | active_support.rb:16:10:16:10 | x : |
| active_support.rb:16:10:16:10 | x : | active_support.rb:16:10:16:19 | call to camelize |
| active_support.rb:20:9:20:18 | call to source : | active_support.rb:21:10:21:10 | x : |
| active_support.rb:21:10:21:10 | x : | active_support.rb:21:10:21:20 | call to camelcase |
| active_support.rb:25:9:25:18 | call to source : | active_support.rb:26:10:26:10 | x : |
| active_support.rb:26:10:26:10 | x : | active_support.rb:26:10:26:19 | call to classify |
| active_support.rb:30:9:30:18 | call to source : | active_support.rb:31:10:31:10 | x : |
| active_support.rb:31:10:31:10 | x : | active_support.rb:31:10:31:20 | call to dasherize |
| active_support.rb:35:9:35:18 | call to source : | active_support.rb:36:10:36:10 | x : |
| active_support.rb:36:10:36:10 | x : | active_support.rb:36:10:36:24 | call to deconstantize |
| active_support.rb:40:9:40:18 | call to source : | active_support.rb:41:10:41:10 | x : |
| active_support.rb:41:10:41:10 | x : | active_support.rb:41:10:41:21 | call to demodulize |
| active_support.rb:45:9:45:18 | call to source : | active_support.rb:46:10:46:10 | x : |
| active_support.rb:46:10:46:10 | x : | active_support.rb:46:10:46:19 | call to first |
| active_support.rb:50:9:50:18 | call to source : | active_support.rb:51:10:51:10 | x : |
| active_support.rb:51:10:51:10 | x : | active_support.rb:51:10:51:22 | call to foreign_key |
| active_support.rb:55:9:55:18 | call to source : | active_support.rb:56:10:56:10 | x : |
| active_support.rb:56:10:56:10 | x : | active_support.rb:56:10:56:18 | call to from |
| active_support.rb:60:9:60:18 | call to source : | active_support.rb:61:10:61:10 | x : |
| active_support.rb:61:10:61:10 | x : | active_support.rb:61:10:61:20 | call to html_safe |
| active_support.rb:65:9:65:18 | call to source : | active_support.rb:66:10:66:10 | x : |
| active_support.rb:66:10:66:10 | x : | active_support.rb:66:10:66:19 | call to humanize |
| active_support.rb:70:9:70:18 | call to source : | active_support.rb:71:10:71:10 | x : |
| active_support.rb:71:10:71:10 | x : | active_support.rb:71:10:71:20 | call to indent |
| active_support.rb:75:9:75:18 | call to source : | active_support.rb:76:10:76:10 | x : |
| active_support.rb:76:10:76:10 | x : | active_support.rb:76:10:76:21 | call to indent! |
| active_support.rb:80:9:80:18 | call to source : | active_support.rb:81:10:81:10 | x : |
| active_support.rb:81:10:81:10 | x : | active_support.rb:81:10:81:18 | call to inquiry |
| active_support.rb:85:9:85:18 | call to source : | active_support.rb:86:10:86:10 | x : |
| active_support.rb:86:10:86:10 | x : | active_support.rb:86:10:86:18 | call to last |
| active_support.rb:90:9:90:18 | call to source : | active_support.rb:91:10:91:10 | x : |
| active_support.rb:91:10:91:10 | x : | active_support.rb:91:10:91:19 | call to mb_chars |
| active_support.rb:95:9:95:18 | call to source : | active_support.rb:96:10:96:10 | x : |
| active_support.rb:96:10:96:10 | x : | active_support.rb:96:10:96:23 | call to parameterize |
| active_support.rb:100:9:100:18 | call to source : | active_support.rb:101:10:101:10 | x : |
| active_support.rb:101:10:101:10 | x : | active_support.rb:101:10:101:20 | call to pluralize |
| active_support.rb:105:9:105:18 | call to source : | active_support.rb:106:10:106:10 | x : |
| active_support.rb:106:10:106:10 | x : | active_support.rb:106:10:106:24 | call to remove |
| active_support.rb:110:9:110:18 | call to source : | active_support.rb:111:10:111:10 | x : |
| active_support.rb:111:10:111:10 | x : | active_support.rb:111:10:111:25 | call to remove! |
| active_support.rb:115:9:115:18 | call to source : | active_support.rb:116:10:116:10 | x : |
| active_support.rb:116:10:116:10 | x : | active_support.rb:116:10:116:22 | call to singularize |
| active_support.rb:120:9:120:18 | call to source : | active_support.rb:121:10:121:10 | x : |
| active_support.rb:121:10:121:10 | x : | active_support.rb:121:10:121:17 | call to squish |
| active_support.rb:125:9:125:18 | call to source : | active_support.rb:126:10:126:10 | x : |
| active_support.rb:126:10:126:10 | x : | active_support.rb:126:10:126:18 | call to squish! |
| active_support.rb:130:9:130:18 | call to source : | active_support.rb:131:10:131:10 | x : |
| active_support.rb:131:10:131:10 | x : | active_support.rb:131:10:131:24 | call to strip_heredoc |
| active_support.rb:135:9:135:18 | call to source : | active_support.rb:136:10:136:10 | x : |
| active_support.rb:136:10:136:10 | x : | active_support.rb:136:10:136:19 | call to tableize |
| active_support.rb:140:9:140:18 | call to source : | active_support.rb:141:10:141:10 | x : |
| active_support.rb:141:10:141:10 | x : | active_support.rb:141:10:141:20 | call to titlecase |
| active_support.rb:145:9:145:18 | call to source : | active_support.rb:146:10:146:10 | x : |
| active_support.rb:146:10:146:10 | x : | active_support.rb:146:10:146:19 | call to titleize |
| active_support.rb:150:9:150:18 | call to source : | active_support.rb:151:10:151:10 | x : |
| active_support.rb:151:10:151:10 | x : | active_support.rb:151:10:151:16 | call to to |
| active_support.rb:155:9:155:18 | call to source : | active_support.rb:156:10:156:10 | x : |
| active_support.rb:156:10:156:10 | x : | active_support.rb:156:10:156:22 | call to truncate |
| active_support.rb:160:9:160:18 | call to source : | active_support.rb:161:10:161:10 | x : |
| active_support.rb:161:10:161:10 | x : | active_support.rb:161:10:161:28 | call to truncate_bytes |
| active_support.rb:165:9:165:18 | call to source : | active_support.rb:166:10:166:10 | x : |
| active_support.rb:166:10:166:10 | x : | active_support.rb:166:10:166:28 | call to truncate_words |
| active_support.rb:170:9:170:18 | call to source : | active_support.rb:171:10:171:10 | x : |
| active_support.rb:171:10:171:10 | x : | active_support.rb:171:10:171:21 | call to underscore |
| active_support.rb:175:9:175:18 | call to source : | active_support.rb:176:10:176:10 | x : |
| active_support.rb:176:10:176:10 | x : | active_support.rb:176:10:176:23 | call to upcase_first |
| active_support.rb:180:10:180:17 | call to source : | active_support.rb:181:9:181:9 | x [element 0] : |
| active_support.rb:180:10:180:17 | call to source : | active_support.rb:181:9:181:9 | x [element 0] : |
| active_support.rb:181:9:181:9 | x [element 0] : | active_support.rb:181:9:181:23 | call to compact_blank [element] : |
| active_support.rb:181:9:181:9 | x [element 0] : | active_support.rb:181:9:181:23 | call to compact_blank [element] : |
| active_support.rb:181:9:181:23 | call to compact_blank [element] : | active_support.rb:182:10:182:10 | y [element] : |
| active_support.rb:181:9:181:23 | call to compact_blank [element] : | active_support.rb:182:10:182:10 | y [element] : |
| active_support.rb:182:10:182:10 | y [element] : | active_support.rb:182:10:182:13 | ...[...] |
| active_support.rb:182:10:182:10 | y [element] : | active_support.rb:182:10:182:13 | ...[...] |
| active_support.rb:186:10:186:18 | call to source : | active_support.rb:187:9:187:9 | x [element 0] : |
| active_support.rb:186:10:186:18 | call to source : | active_support.rb:187:9:187:9 | x [element 0] : |
| active_support.rb:187:9:187:9 | x [element 0] : | active_support.rb:187:9:187:21 | call to excluding [element] : |
| active_support.rb:187:9:187:9 | x [element 0] : | active_support.rb:187:9:187:21 | call to excluding [element] : |
| active_support.rb:187:9:187:21 | call to excluding [element] : | active_support.rb:188:10:188:10 | y [element] : |
| active_support.rb:187:9:187:21 | call to excluding [element] : | active_support.rb:188:10:188:10 | y [element] : |
| active_support.rb:188:10:188:10 | y [element] : | active_support.rb:188:10:188:13 | ...[...] |
| active_support.rb:188:10:188:10 | y [element] : | active_support.rb:188:10:188:13 | ...[...] |
| active_support.rb:192:10:192:18 | call to source : | active_support.rb:193:9:193:9 | x [element 0] : |
| active_support.rb:192:10:192:18 | call to source : | active_support.rb:193:9:193:9 | x [element 0] : |
| active_support.rb:193:9:193:9 | x [element 0] : | active_support.rb:193:9:193:19 | call to without [element] : |
| active_support.rb:193:9:193:9 | x [element 0] : | active_support.rb:193:9:193:19 | call to without [element] : |
| active_support.rb:193:9:193:19 | call to without [element] : | active_support.rb:194:10:194:10 | y [element] : |
| active_support.rb:193:9:193:19 | call to without [element] : | active_support.rb:194:10:194:10 | y [element] : |
| active_support.rb:194:10:194:10 | y [element] : | active_support.rb:194:10:194:13 | ...[...] |
| active_support.rb:194:10:194:10 | y [element] : | active_support.rb:194:10:194:13 | ...[...] |
| active_support.rb:198:10:198:18 | call to source : | active_support.rb:199:9:199:9 | x [element 0] : |
| active_support.rb:198:10:198:18 | call to source : | active_support.rb:199:9:199:9 | x [element 0] : |
| active_support.rb:199:9:199:9 | x [element 0] : | active_support.rb:199:9:199:37 | call to in_order_of [element] : |
| active_support.rb:199:9:199:9 | x [element 0] : | active_support.rb:199:9:199:37 | call to in_order_of [element] : |
| active_support.rb:199:9:199:37 | call to in_order_of [element] : | active_support.rb:200:10:200:10 | y [element] : |
| active_support.rb:199:9:199:37 | call to in_order_of [element] : | active_support.rb:200:10:200:10 | y [element] : |
| active_support.rb:200:10:200:10 | y [element] : | active_support.rb:200:10:200:13 | ...[...] |
| active_support.rb:200:10:200:10 | y [element] : | active_support.rb:200:10:200:13 | ...[...] |
| active_support.rb:204:10:204:18 | call to source : | active_support.rb:205:9:205:9 | a [element 0] : |
| active_support.rb:204:10:204:18 | call to source : | active_support.rb:205:9:205:9 | a [element 0] : |
| active_support.rb:204:10:204:18 | call to source : | active_support.rb:206:10:206:10 | a [element 0] : |
| active_support.rb:204:10:204:18 | call to source : | active_support.rb:206:10:206:10 | a [element 0] : |
| active_support.rb:205:9:205:9 | a [element 0] : | active_support.rb:205:9:205:41 | call to including [element 0] : |
| active_support.rb:205:9:205:9 | a [element 0] : | active_support.rb:205:9:205:41 | call to including [element 0] : |
| active_support.rb:205:9:205:41 | call to including [element 0] : | active_support.rb:208:10:208:10 | b [element 0] : |
| active_support.rb:205:9:205:41 | call to including [element 0] : | active_support.rb:208:10:208:10 | b [element 0] : |
| active_support.rb:205:9:205:41 | call to including [element] : | active_support.rb:208:10:208:10 | b [element] : |
| active_support.rb:205:9:205:41 | call to including [element] : | active_support.rb:208:10:208:10 | b [element] : |
| active_support.rb:205:9:205:41 | call to including [element] : | active_support.rb:209:10:209:10 | b [element] : |
| active_support.rb:205:9:205:41 | call to including [element] : | active_support.rb:209:10:209:10 | b [element] : |
| active_support.rb:205:9:205:41 | call to including [element] : | active_support.rb:210:10:210:10 | b [element] : |
| active_support.rb:205:9:205:41 | call to including [element] : | active_support.rb:210:10:210:10 | b [element] : |
| active_support.rb:205:9:205:41 | call to including [element] : | active_support.rb:211:10:211:10 | b [element] : |
| active_support.rb:205:9:205:41 | call to including [element] : | active_support.rb:211:10:211:10 | b [element] : |
| active_support.rb:205:21:205:29 | call to source : | active_support.rb:205:9:205:41 | call to including [element] : |
| active_support.rb:205:21:205:29 | call to source : | active_support.rb:205:9:205:41 | call to including [element] : |
| active_support.rb:205:32:205:40 | call to source : | active_support.rb:205:9:205:41 | call to including [element] : |
| active_support.rb:205:32:205:40 | call to source : | active_support.rb:205:9:205:41 | call to including [element] : |
| active_support.rb:206:10:206:10 | a [element 0] : | active_support.rb:206:10:206:13 | ...[...] |
| active_support.rb:206:10:206:10 | a [element 0] : | active_support.rb:206:10:206:13 | ...[...] |
| active_support.rb:208:10:208:10 | b [element 0] : | active_support.rb:208:10:208:13 | ...[...] |
| active_support.rb:208:10:208:10 | b [element 0] : | active_support.rb:208:10:208:13 | ...[...] |
| active_support.rb:208:10:208:10 | b [element] : | active_support.rb:208:10:208:13 | ...[...] |
| active_support.rb:208:10:208:10 | b [element] : | active_support.rb:208:10:208:13 | ...[...] |
| active_support.rb:209:10:209:10 | b [element] : | active_support.rb:209:10:209:13 | ...[...] |
| active_support.rb:209:10:209:10 | b [element] : | active_support.rb:209:10:209:13 | ...[...] |
| active_support.rb:210:10:210:10 | b [element] : | active_support.rb:210:10:210:13 | ...[...] |
| active_support.rb:210:10:210:10 | b [element] : | active_support.rb:210:10:210:13 | ...[...] |
| active_support.rb:211:10:211:10 | b [element] : | active_support.rb:211:10:211:13 | ...[...] |
| active_support.rb:211:10:211:10 | b [element] : | active_support.rb:211:10:211:13 | ...[...] |
| active_support.rb:215:7:215:16 | call to source : | active_support.rb:216:34:216:34 | x : |
| active_support.rb:216:7:216:35 | call to new : | active_support.rb:217:8:217:8 | y |
| active_support.rb:216:34:216:34 | x : | active_support.rb:216:7:216:35 | call to new : |
| active_support.rb:222:7:222:16 | call to source : | active_support.rb:223:21:223:21 | b : |
| active_support.rb:223:7:223:22 | call to safe_concat : | active_support.rb:224:8:224:8 | y |
| active_support.rb:223:21:223:21 | b : | active_support.rb:223:7:223:22 | call to safe_concat : |
| active_support.rb:229:7:229:16 | call to source : | active_support.rb:230:17:230:17 | b : |
| active_support.rb:230:3:230:3 | [post] x : | active_support.rb:231:8:231:8 | x |
| active_support.rb:230:17:230:17 | b : | active_support.rb:230:3:230:3 | [post] x : |
| active_support.rb:235:7:235:16 | call to source : | active_support.rb:237:34:237:34 | a : |
| active_support.rb:237:7:237:35 | call to new : | active_support.rb:238:7:238:7 | x : |
| active_support.rb:237:34:237:34 | a : | active_support.rb:237:7:237:35 | call to new : |
| active_support.rb:238:7:238:7 | x : | active_support.rb:238:7:238:17 | call to concat : |
| active_support.rb:238:7:238:17 | call to concat : | active_support.rb:239:8:239:8 | y |
| active_support.rb:243:7:243:16 | call to source : | active_support.rb:245:34:245:34 | a : |
| active_support.rb:245:7:245:35 | call to new : | active_support.rb:246:7:246:7 | x : |
| active_support.rb:245:34:245:34 | a : | active_support.rb:245:7:245:35 | call to new : |
| active_support.rb:246:7:246:7 | x : | active_support.rb:246:7:246:20 | call to insert : |
| active_support.rb:246:7:246:20 | call to insert : | active_support.rb:247:8:247:8 | y |
| active_support.rb:251:7:251:16 | call to source : | active_support.rb:253:34:253:34 | a : |
| active_support.rb:253:7:253:35 | call to new : | active_support.rb:254:7:254:7 | x : |
| active_support.rb:253:34:253:34 | a : | active_support.rb:253:7:253:35 | call to new : |
| active_support.rb:254:7:254:7 | x : | active_support.rb:254:7:254:18 | call to prepend : |
| active_support.rb:254:7:254:18 | call to prepend : | active_support.rb:255:8:255:8 | y |
| active_support.rb:259:7:259:16 | call to source : | active_support.rb:260:34:260:34 | a : |
| active_support.rb:260:7:260:35 | call to new : | active_support.rb:261:7:261:7 | x : |
| active_support.rb:260:34:260:34 | a : | active_support.rb:260:7:260:35 | call to new : |
| active_support.rb:261:7:261:7 | x : | active_support.rb:261:7:261:12 | call to to_s : |
| active_support.rb:261:7:261:12 | call to to_s : | active_support.rb:262:8:262:8 | y |
| active_support.rb:266:7:266:16 | call to source : | active_support.rb:267:34:267:34 | a : |
| active_support.rb:267:7:267:35 | call to new : | active_support.rb:268:7:268:7 | x : |
| active_support.rb:267:34:267:34 | a : | active_support.rb:267:7:267:35 | call to new : |
| active_support.rb:268:7:268:7 | x : | active_support.rb:268:7:268:16 | call to to_param : |
| active_support.rb:268:7:268:16 | call to to_param : | active_support.rb:269:8:269:8 | y |
| active_support.rb:273:7:273:16 | call to source : | active_support.rb:274:20:274:20 | a : |
| active_support.rb:274:7:274:21 | call to new : | active_support.rb:275:7:275:7 | x : |
| active_support.rb:274:20:274:20 | a : | active_support.rb:274:7:274:21 | call to new : |
| active_support.rb:275:7:275:7 | x : | active_support.rb:275:7:275:17 | call to existence : |
| active_support.rb:275:7:275:17 | call to existence : | active_support.rb:276:8:276:8 | y |
| active_support.rb:275:7:275:17 | call to existence : | active_support.rb:277:7:277:7 | y : |
| active_support.rb:277:7:277:7 | y : | active_support.rb:277:7:277:17 | call to existence : |
| active_support.rb:277:7:277:17 | call to existence : | active_support.rb:278:8:278:8 | z |
| active_support.rb:282:7:282:16 | call to source : | active_support.rb:283:8:283:8 | x : |
| active_support.rb:282:7:282:16 | call to source : | active_support.rb:283:8:283:8 | x : |
| active_support.rb:283:8:283:8 | x : | active_support.rb:283:8:283:17 | call to presence |
| active_support.rb:283:8:283:8 | x : | active_support.rb:283:8:283:17 | call to presence |
| active_support.rb:285:7:285:16 | call to source : | active_support.rb:286:8:286:8 | y : |
| active_support.rb:285:7:285:16 | call to source : | active_support.rb:286:8:286:8 | y : |
| active_support.rb:286:8:286:8 | y : | active_support.rb:286:8:286:17 | call to presence |
| active_support.rb:286:8:286:8 | y : | active_support.rb:286:8:286:17 | call to presence |
| active_support.rb:290:7:290:16 | call to source : | active_support.rb:291:8:291:8 | x : |
| active_support.rb:290:7:290:16 | call to source : | active_support.rb:291:8:291:8 | x : |
| active_support.rb:291:8:291:8 | x : | active_support.rb:291:8:291:17 | call to deep_dup |
| active_support.rb:291:8:291:8 | x : | active_support.rb:291:8:291:17 | call to deep_dup |
| hash_extensions.rb:2:14:2:24 | call to source : | hash_extensions.rb:3:9:3:9 | h [element :a] : |
| hash_extensions.rb:2:14:2:24 | call to source : | hash_extensions.rb:3:9:3:9 | h [element :a] : |
| hash_extensions.rb:3:9:3:9 | h [element :a] : | hash_extensions.rb:3:9:3:24 | call to stringify_keys [element] : |
| hash_extensions.rb:3:9:3:9 | h [element :a] : | hash_extensions.rb:3:9:3:24 | call to stringify_keys [element] : |
| hash_extensions.rb:3:9:3:24 | call to stringify_keys [element] : | hash_extensions.rb:4:10:4:10 | x [element] : |
| hash_extensions.rb:3:9:3:24 | call to stringify_keys [element] : | hash_extensions.rb:4:10:4:10 | x [element] : |
| hash_extensions.rb:4:10:4:10 | x [element] : | hash_extensions.rb:4:10:4:14 | ...[...] |
| hash_extensions.rb:4:10:4:10 | x [element] : | hash_extensions.rb:4:10:4:14 | ...[...] |
| hash_extensions.rb:10:14:10:24 | call to source : | hash_extensions.rb:11:9:11:9 | h [element :a] : |
| hash_extensions.rb:10:14:10:24 | call to source : | hash_extensions.rb:11:9:11:9 | h [element :a] : |
| hash_extensions.rb:11:9:11:9 | h [element :a] : | hash_extensions.rb:11:9:11:20 | call to to_options [element] : |
| hash_extensions.rb:11:9:11:9 | h [element :a] : | hash_extensions.rb:11:9:11:20 | call to to_options [element] : |
| hash_extensions.rb:11:9:11:20 | call to to_options [element] : | hash_extensions.rb:12:10:12:10 | x [element] : |
| hash_extensions.rb:11:9:11:20 | call to to_options [element] : | hash_extensions.rb:12:10:12:10 | x [element] : |
| hash_extensions.rb:12:10:12:10 | x [element] : | hash_extensions.rb:12:10:12:14 | ...[...] |
| hash_extensions.rb:12:10:12:10 | x [element] : | hash_extensions.rb:12:10:12:14 | ...[...] |
| hash_extensions.rb:18:14:18:24 | call to source : | hash_extensions.rb:19:9:19:9 | h [element :a] : |
| hash_extensions.rb:18:14:18:24 | call to source : | hash_extensions.rb:19:9:19:9 | h [element :a] : |
| hash_extensions.rb:19:9:19:9 | h [element :a] : | hash_extensions.rb:19:9:19:24 | call to symbolize_keys [element] : |
| hash_extensions.rb:19:9:19:9 | h [element :a] : | hash_extensions.rb:19:9:19:24 | call to symbolize_keys [element] : |
| hash_extensions.rb:19:9:19:24 | call to symbolize_keys [element] : | hash_extensions.rb:20:10:20:10 | x [element] : |
| hash_extensions.rb:19:9:19:24 | call to symbolize_keys [element] : | hash_extensions.rb:20:10:20:10 | x [element] : |
| hash_extensions.rb:20:10:20:10 | x [element] : | hash_extensions.rb:20:10:20:14 | ...[...] |
| hash_extensions.rb:20:10:20:10 | x [element] : | hash_extensions.rb:20:10:20:14 | ...[...] |
| hash_extensions.rb:26:14:26:24 | call to source : | hash_extensions.rb:27:9:27:9 | h [element :a] : |
| hash_extensions.rb:26:14:26:24 | call to source : | hash_extensions.rb:27:9:27:9 | h [element :a] : |
| hash_extensions.rb:27:9:27:9 | h [element :a] : | hash_extensions.rb:27:9:27:29 | call to deep_stringify_keys [element] : |
| hash_extensions.rb:27:9:27:9 | h [element :a] : | hash_extensions.rb:27:9:27:29 | call to deep_stringify_keys [element] : |
| hash_extensions.rb:27:9:27:29 | call to deep_stringify_keys [element] : | hash_extensions.rb:28:10:28:10 | x [element] : |
| hash_extensions.rb:27:9:27:29 | call to deep_stringify_keys [element] : | hash_extensions.rb:28:10:28:10 | x [element] : |
| hash_extensions.rb:28:10:28:10 | x [element] : | hash_extensions.rb:28:10:28:14 | ...[...] |
| hash_extensions.rb:28:10:28:10 | x [element] : | hash_extensions.rb:28:10:28:14 | ...[...] |
| hash_extensions.rb:34:14:34:24 | call to source : | hash_extensions.rb:35:9:35:9 | h [element :a] : |
| hash_extensions.rb:34:14:34:24 | call to source : | hash_extensions.rb:35:9:35:9 | h [element :a] : |
| hash_extensions.rb:35:9:35:9 | h [element :a] : | hash_extensions.rb:35:9:35:29 | call to deep_symbolize_keys [element] : |
| hash_extensions.rb:35:9:35:9 | h [element :a] : | hash_extensions.rb:35:9:35:29 | call to deep_symbolize_keys [element] : |
| hash_extensions.rb:35:9:35:29 | call to deep_symbolize_keys [element] : | hash_extensions.rb:36:10:36:10 | x [element] : |
| hash_extensions.rb:35:9:35:29 | call to deep_symbolize_keys [element] : | hash_extensions.rb:36:10:36:10 | x [element] : |
| hash_extensions.rb:36:10:36:10 | x [element] : | hash_extensions.rb:36:10:36:14 | ...[...] |
| hash_extensions.rb:36:10:36:10 | x [element] : | hash_extensions.rb:36:10:36:14 | ...[...] |
| hash_extensions.rb:42:14:42:24 | call to source : | hash_extensions.rb:43:9:43:9 | h [element :a] : |
| hash_extensions.rb:42:14:42:24 | call to source : | hash_extensions.rb:43:9:43:9 | h [element :a] : |
| hash_extensions.rb:43:9:43:9 | h [element :a] : | hash_extensions.rb:43:9:43:33 | call to with_indifferent_access [element] : |
| hash_extensions.rb:43:9:43:9 | h [element :a] : | hash_extensions.rb:43:9:43:33 | call to with_indifferent_access [element] : |
| hash_extensions.rb:43:9:43:33 | call to with_indifferent_access [element] : | hash_extensions.rb:44:10:44:10 | x [element] : |
| hash_extensions.rb:43:9:43:33 | call to with_indifferent_access [element] : | hash_extensions.rb:44:10:44:10 | x [element] : |
| hash_extensions.rb:44:10:44:10 | x [element] : | hash_extensions.rb:44:10:44:14 | ...[...] |
| hash_extensions.rb:44:10:44:10 | x [element] : | hash_extensions.rb:44:10:44:14 | ...[...] |
| hash_extensions.rb:50:14:50:23 | call to taint : | hash_extensions.rb:51:9:51:9 | h [element :a] : |
| hash_extensions.rb:50:14:50:23 | call to taint : | hash_extensions.rb:51:9:51:9 | h [element :a] : |
| hash_extensions.rb:50:29:50:38 | call to taint : | hash_extensions.rb:51:9:51:9 | h [element :b] : |
| hash_extensions.rb:50:29:50:38 | call to taint : | hash_extensions.rb:51:9:51:9 | h [element :b] : |
| hash_extensions.rb:50:52:50:61 | call to taint : | hash_extensions.rb:51:9:51:9 | h [element :d] : |
| hash_extensions.rb:50:52:50:61 | call to taint : | hash_extensions.rb:51:9:51:9 | h [element :d] : |
| hash_extensions.rb:51:9:51:9 | [post] h [element :d] : | hash_extensions.rb:56:10:56:10 | h [element :d] : |
| hash_extensions.rb:51:9:51:9 | [post] h [element :d] : | hash_extensions.rb:56:10:56:10 | h [element :d] : |
| hash_extensions.rb:51:9:51:9 | h [element :a] : | hash_extensions.rb:51:9:51:29 | call to extract! [element :a] : |
| hash_extensions.rb:51:9:51:9 | h [element :a] : | hash_extensions.rb:51:9:51:29 | call to extract! [element :a] : |
| hash_extensions.rb:51:9:51:9 | h [element :b] : | hash_extensions.rb:51:9:51:29 | call to extract! [element :b] : |
| hash_extensions.rb:51:9:51:9 | h [element :b] : | hash_extensions.rb:51:9:51:29 | call to extract! [element :b] : |
| hash_extensions.rb:51:9:51:9 | h [element :d] : | hash_extensions.rb:51:9:51:9 | [post] h [element :d] : |
| hash_extensions.rb:51:9:51:9 | h [element :d] : | hash_extensions.rb:51:9:51:9 | [post] h [element :d] : |
| hash_extensions.rb:51:9:51:29 | call to extract! [element :a] : | hash_extensions.rb:58:10:58:10 | x [element :a] : |
| hash_extensions.rb:51:9:51:29 | call to extract! [element :a] : | hash_extensions.rb:58:10:58:10 | x [element :a] : |
| hash_extensions.rb:51:9:51:29 | call to extract! [element :b] : | hash_extensions.rb:59:10:59:10 | x [element :b] : |
| hash_extensions.rb:51:9:51:29 | call to extract! [element :b] : | hash_extensions.rb:59:10:59:10 | x [element :b] : |
| hash_extensions.rb:56:10:56:10 | h [element :d] : | hash_extensions.rb:56:10:56:14 | ...[...] |
| hash_extensions.rb:56:10:56:10 | h [element :d] : | hash_extensions.rb:56:10:56:14 | ...[...] |
| hash_extensions.rb:58:10:58:10 | x [element :a] : | hash_extensions.rb:58:10:58:14 | ...[...] |
| hash_extensions.rb:58:10:58:10 | x [element :a] : | hash_extensions.rb:58:10:58:14 | ...[...] |
| hash_extensions.rb:59:10:59:10 | x [element :b] : | hash_extensions.rb:59:10:59:14 | ...[...] |
| hash_extensions.rb:59:10:59:10 | x [element :b] : | hash_extensions.rb:59:10:59:14 | ...[...] |
nodes
| active_support.rb:9:9:9:18 | call to source : | semmle.label | call to source : |
| active_support.rb:10:10:10:10 | x : | semmle.label | x : |
| active_support.rb:10:10:10:19 | call to camelize | semmle.label | call to camelize |
| active_support.rb:14:9:14:18 | call to source : | semmle.label | call to source : |
| active_support.rb:15:10:15:10 | x : | semmle.label | x : |
| active_support.rb:15:10:15:20 | call to camelcase | semmle.label | call to camelcase |
| active_support.rb:19:9:19:18 | call to source : | semmle.label | call to source : |
| active_support.rb:20:10:20:10 | x : | semmle.label | x : |
| active_support.rb:20:10:20:19 | call to classify | semmle.label | call to classify |
| active_support.rb:24:9:24:18 | call to source : | semmle.label | call to source : |
| active_support.rb:25:10:25:10 | x : | semmle.label | x : |
| active_support.rb:25:10:25:20 | call to dasherize | semmle.label | call to dasherize |
| active_support.rb:29:9:29:18 | call to source : | semmle.label | call to source : |
| active_support.rb:30:10:30:10 | x : | semmle.label | x : |
| active_support.rb:30:10:30:24 | call to deconstantize | semmle.label | call to deconstantize |
| active_support.rb:34:9:34:18 | call to source : | semmle.label | call to source : |
| active_support.rb:35:10:35:10 | x : | semmle.label | x : |
| active_support.rb:35:10:35:21 | call to demodulize | semmle.label | call to demodulize |
| active_support.rb:39:9:39:18 | call to source : | semmle.label | call to source : |
| active_support.rb:40:10:40:10 | x : | semmle.label | x : |
| active_support.rb:40:10:40:22 | call to foreign_key | semmle.label | call to foreign_key |
| active_support.rb:44:9:44:18 | call to source : | semmle.label | call to source : |
| active_support.rb:45:10:45:10 | x : | semmle.label | x : |
| active_support.rb:45:10:45:19 | call to humanize | semmle.label | call to humanize |
| active_support.rb:49:9:49:18 | call to source : | semmle.label | call to source : |
| active_support.rb:50:10:50:10 | x : | semmle.label | x : |
| active_support.rb:50:10:50:20 | call to indent | semmle.label | call to indent |
| active_support.rb:54:9:54:18 | call to source : | semmle.label | call to source : |
| active_support.rb:55:10:55:10 | x : | semmle.label | x : |
| active_support.rb:55:10:55:23 | call to parameterize | semmle.label | call to parameterize |
| active_support.rb:59:9:59:18 | call to source : | semmle.label | call to source : |
| active_support.rb:60:10:60:10 | x : | semmle.label | x : |
| active_support.rb:60:10:60:20 | call to pluralize | semmle.label | call to pluralize |
| active_support.rb:64:9:64:18 | call to source : | semmle.label | call to source : |
| active_support.rb:65:10:65:10 | x : | semmle.label | x : |
| active_support.rb:65:10:65:22 | call to singularize | semmle.label | call to singularize |
| active_support.rb:69:9:69:18 | call to source : | semmle.label | call to source : |
| active_support.rb:70:10:70:10 | x : | semmle.label | x : |
| active_support.rb:70:10:70:17 | call to squish | semmle.label | call to squish |
| active_support.rb:74:9:74:18 | call to source : | semmle.label | call to source : |
| active_support.rb:75:10:75:10 | x : | semmle.label | x : |
| active_support.rb:75:10:75:24 | call to strip_heredoc | semmle.label | call to strip_heredoc |
| active_support.rb:79:9:79:18 | call to source : | semmle.label | call to source : |
| active_support.rb:80:10:80:10 | x : | semmle.label | x : |
| active_support.rb:80:10:80:19 | call to tableize | semmle.label | call to tableize |
| active_support.rb:84:9:84:18 | call to source : | semmle.label | call to source : |
| active_support.rb:85:10:85:10 | x : | semmle.label | x : |
| active_support.rb:85:10:85:20 | call to titlecase | semmle.label | call to titlecase |
| active_support.rb:89:9:89:18 | call to source : | semmle.label | call to source : |
| active_support.rb:90:10:90:10 | x : | semmle.label | x : |
| active_support.rb:90:10:90:19 | call to titleize | semmle.label | call to titleize |
| active_support.rb:94:9:94:18 | call to source : | semmle.label | call to source : |
| active_support.rb:95:10:95:10 | x : | semmle.label | x : |
| active_support.rb:95:10:95:21 | call to underscore | semmle.label | call to underscore |
| active_support.rb:99:9:99:18 | call to source : | semmle.label | call to source : |
| active_support.rb:100:10:100:10 | x : | semmle.label | x : |
| active_support.rb:100:10:100:23 | call to upcase_first | semmle.label | call to upcase_first |
| active_support.rb:104:10:104:17 | call to source : | semmle.label | call to source : |
| active_support.rb:104:10:104:17 | call to source : | semmle.label | call to source : |
| active_support.rb:105:9:105:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:105:9:105:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:105:9:105:23 | call to compact_blank [element] : | semmle.label | call to compact_blank [element] : |
| active_support.rb:105:9:105:23 | call to compact_blank [element] : | semmle.label | call to compact_blank [element] : |
| active_support.rb:106:10:106:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:106:10:106:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:106:10:106:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:106:10:106:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:110:10:110:18 | call to source : | semmle.label | call to source : |
| active_support.rb:110:10:110:18 | call to source : | semmle.label | call to source : |
| active_support.rb:111:9:111:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:111:9:111:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:111:9:111:21 | call to excluding [element] : | semmle.label | call to excluding [element] : |
| active_support.rb:111:9:111:21 | call to excluding [element] : | semmle.label | call to excluding [element] : |
| active_support.rb:112:10:112:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:112:10:112:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:112:10:112:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:112:10:112:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:116:10:116:18 | call to source : | semmle.label | call to source : |
| active_support.rb:116:10:116:18 | call to source : | semmle.label | call to source : |
| active_support.rb:117:9:117:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:117:9:117:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:117:9:117:19 | call to without [element] : | semmle.label | call to without [element] : |
| active_support.rb:117:9:117:19 | call to without [element] : | semmle.label | call to without [element] : |
| active_support.rb:118:10:118:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:118:10:118:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:118:10:118:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:118:10:118:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:122:10:122:18 | call to source : | semmle.label | call to source : |
| active_support.rb:122:10:122:18 | call to source : | semmle.label | call to source : |
| active_support.rb:123:9:123:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:123:9:123:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:123:9:123:37 | call to in_order_of [element] : | semmle.label | call to in_order_of [element] : |
| active_support.rb:123:9:123:37 | call to in_order_of [element] : | semmle.label | call to in_order_of [element] : |
| active_support.rb:124:10:124:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:124:10:124:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:124:10:124:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:124:10:124:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:128:10:128:18 | call to source : | semmle.label | call to source : |
| active_support.rb:128:10:128:18 | call to source : | semmle.label | call to source : |
| active_support.rb:129:9:129:9 | a [element 0] : | semmle.label | a [element 0] : |
| active_support.rb:129:9:129:9 | a [element 0] : | semmle.label | a [element 0] : |
| active_support.rb:129:9:129:41 | call to including [element 0] : | semmle.label | call to including [element 0] : |
| active_support.rb:129:9:129:41 | call to including [element 0] : | semmle.label | call to including [element 0] : |
| active_support.rb:129:9:129:41 | call to including [element] : | semmle.label | call to including [element] : |
| active_support.rb:129:9:129:41 | call to including [element] : | semmle.label | call to including [element] : |
| active_support.rb:129:21:129:29 | call to source : | semmle.label | call to source : |
| active_support.rb:129:21:129:29 | call to source : | semmle.label | call to source : |
| active_support.rb:129:32:129:40 | call to source : | semmle.label | call to source : |
| active_support.rb:129:32:129:40 | call to source : | semmle.label | call to source : |
| active_support.rb:130:10:130:10 | a [element 0] : | semmle.label | a [element 0] : |
| active_support.rb:130:10:130:10 | a [element 0] : | semmle.label | a [element 0] : |
| active_support.rb:130:10:130:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:130:10:130:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:132:10:132:10 | b [element 0] : | semmle.label | b [element 0] : |
| active_support.rb:132:10:132:10 | b [element 0] : | semmle.label | b [element 0] : |
| active_support.rb:132:10:132:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:132:10:132:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:132:10:132:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:132:10:132:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:133:10:133:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:133:10:133:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:133:10:133:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:133:10:133:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:134:10:134:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:134:10:134:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:134:10:134:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:134:10:134:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:135:10:135:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:135:10:135:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:135:10:135:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:135:10:135:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:139:7:139:16 | call to source : | semmle.label | call to source : |
| active_support.rb:140:7:140:35 | call to new : | semmle.label | call to new : |
| active_support.rb:140:34:140:34 | x : | semmle.label | x : |
| active_support.rb:141:8:141:8 | y | semmle.label | y |
| active_support.rb:146:7:146:16 | call to source : | semmle.label | call to source : |
| active_support.rb:147:7:147:22 | call to safe_concat : | semmle.label | call to safe_concat : |
| active_support.rb:147:21:147:21 | b : | semmle.label | b : |
| active_support.rb:148:8:148:8 | y | semmle.label | y |
| active_support.rb:153:7:153:16 | call to source : | semmle.label | call to source : |
| active_support.rb:154:3:154:3 | [post] x : | semmle.label | [post] x : |
| active_support.rb:154:17:154:17 | b : | semmle.label | b : |
| active_support.rb:155:8:155:8 | x | semmle.label | x |
| active_support.rb:159:7:159:16 | call to source : | semmle.label | call to source : |
| active_support.rb:161:7:161:35 | call to new : | semmle.label | call to new : |
| active_support.rb:161:34:161:34 | a : | semmle.label | a : |
| active_support.rb:162:7:162:7 | x : | semmle.label | x : |
| active_support.rb:162:7:162:17 | call to concat : | semmle.label | call to concat : |
| active_support.rb:163:8:163:8 | y | semmle.label | y |
| active_support.rb:167:7:167:16 | call to source : | semmle.label | call to source : |
| active_support.rb:169:7:169:35 | call to new : | semmle.label | call to new : |
| active_support.rb:169:34:169:34 | a : | semmle.label | a : |
| active_support.rb:170:7:170:7 | x : | semmle.label | x : |
| active_support.rb:170:7:170:20 | call to insert : | semmle.label | call to insert : |
| active_support.rb:171:8:171:8 | y | semmle.label | y |
| active_support.rb:175:7:175:16 | call to source : | semmle.label | call to source : |
| active_support.rb:177:7:177:35 | call to new : | semmle.label | call to new : |
| active_support.rb:177:34:177:34 | a : | semmle.label | a : |
| active_support.rb:178:7:178:7 | x : | semmle.label | x : |
| active_support.rb:178:7:178:18 | call to prepend : | semmle.label | call to prepend : |
| active_support.rb:179:8:179:8 | y | semmle.label | y |
| active_support.rb:183:7:183:16 | call to source : | semmle.label | call to source : |
| active_support.rb:184:7:184:35 | call to new : | semmle.label | call to new : |
| active_support.rb:184:34:184:34 | a : | semmle.label | a : |
| active_support.rb:185:7:185:7 | x : | semmle.label | x : |
| active_support.rb:185:7:185:12 | call to to_s : | semmle.label | call to to_s : |
| active_support.rb:186:8:186:8 | y | semmle.label | y |
| active_support.rb:190:7:190:16 | call to source : | semmle.label | call to source : |
| active_support.rb:191:7:191:35 | call to new : | semmle.label | call to new : |
| active_support.rb:191:34:191:34 | a : | semmle.label | a : |
| active_support.rb:192:7:192:7 | x : | semmle.label | x : |
| active_support.rb:192:7:192:16 | call to to_param : | semmle.label | call to to_param : |
| active_support.rb:193:8:193:8 | y | semmle.label | y |
| active_support.rb:197:7:197:16 | call to source : | semmle.label | call to source : |
| active_support.rb:198:7:198:21 | call to new : | semmle.label | call to new : |
| active_support.rb:198:20:198:20 | a : | semmle.label | a : |
| active_support.rb:199:7:199:7 | x : | semmle.label | x : |
| active_support.rb:199:7:199:17 | call to existence : | semmle.label | call to existence : |
| active_support.rb:200:8:200:8 | y | semmle.label | y |
| active_support.rb:201:7:201:7 | y : | semmle.label | y : |
| active_support.rb:201:7:201:17 | call to existence : | semmle.label | call to existence : |
| active_support.rb:202:8:202:8 | z | semmle.label | z |
| active_support.rb:10:9:10:18 | call to source : | semmle.label | call to source : |
| active_support.rb:11:10:11:10 | x : | semmle.label | x : |
| active_support.rb:11:10:11:19 | call to at | semmle.label | call to at |
| active_support.rb:15:9:15:18 | call to source : | semmle.label | call to source : |
| active_support.rb:16:10:16:10 | x : | semmle.label | x : |
| active_support.rb:16:10:16:19 | call to camelize | semmle.label | call to camelize |
| active_support.rb:20:9:20:18 | call to source : | semmle.label | call to source : |
| active_support.rb:21:10:21:10 | x : | semmle.label | x : |
| active_support.rb:21:10:21:20 | call to camelcase | semmle.label | call to camelcase |
| active_support.rb:25:9:25:18 | call to source : | semmle.label | call to source : |
| active_support.rb:26:10:26:10 | x : | semmle.label | x : |
| active_support.rb:26:10:26:19 | call to classify | semmle.label | call to classify |
| active_support.rb:30:9:30:18 | call to source : | semmle.label | call to source : |
| active_support.rb:31:10:31:10 | x : | semmle.label | x : |
| active_support.rb:31:10:31:20 | call to dasherize | semmle.label | call to dasherize |
| active_support.rb:35:9:35:18 | call to source : | semmle.label | call to source : |
| active_support.rb:36:10:36:10 | x : | semmle.label | x : |
| active_support.rb:36:10:36:24 | call to deconstantize | semmle.label | call to deconstantize |
| active_support.rb:40:9:40:18 | call to source : | semmle.label | call to source : |
| active_support.rb:41:10:41:10 | x : | semmle.label | x : |
| active_support.rb:41:10:41:21 | call to demodulize | semmle.label | call to demodulize |
| active_support.rb:45:9:45:18 | call to source : | semmle.label | call to source : |
| active_support.rb:46:10:46:10 | x : | semmle.label | x : |
| active_support.rb:46:10:46:19 | call to first | semmle.label | call to first |
| active_support.rb:50:9:50:18 | call to source : | semmle.label | call to source : |
| active_support.rb:51:10:51:10 | x : | semmle.label | x : |
| active_support.rb:51:10:51:22 | call to foreign_key | semmle.label | call to foreign_key |
| active_support.rb:55:9:55:18 | call to source : | semmle.label | call to source : |
| active_support.rb:56:10:56:10 | x : | semmle.label | x : |
| active_support.rb:56:10:56:18 | call to from | semmle.label | call to from |
| active_support.rb:60:9:60:18 | call to source : | semmle.label | call to source : |
| active_support.rb:61:10:61:10 | x : | semmle.label | x : |
| active_support.rb:61:10:61:20 | call to html_safe | semmle.label | call to html_safe |
| active_support.rb:65:9:65:18 | call to source : | semmle.label | call to source : |
| active_support.rb:66:10:66:10 | x : | semmle.label | x : |
| active_support.rb:66:10:66:19 | call to humanize | semmle.label | call to humanize |
| active_support.rb:70:9:70:18 | call to source : | semmle.label | call to source : |
| active_support.rb:71:10:71:10 | x : | semmle.label | x : |
| active_support.rb:71:10:71:20 | call to indent | semmle.label | call to indent |
| active_support.rb:75:9:75:18 | call to source : | semmle.label | call to source : |
| active_support.rb:76:10:76:10 | x : | semmle.label | x : |
| active_support.rb:76:10:76:21 | call to indent! | semmle.label | call to indent! |
| active_support.rb:80:9:80:18 | call to source : | semmle.label | call to source : |
| active_support.rb:81:10:81:10 | x : | semmle.label | x : |
| active_support.rb:81:10:81:18 | call to inquiry | semmle.label | call to inquiry |
| active_support.rb:85:9:85:18 | call to source : | semmle.label | call to source : |
| active_support.rb:86:10:86:10 | x : | semmle.label | x : |
| active_support.rb:86:10:86:18 | call to last | semmle.label | call to last |
| active_support.rb:90:9:90:18 | call to source : | semmle.label | call to source : |
| active_support.rb:91:10:91:10 | x : | semmle.label | x : |
| active_support.rb:91:10:91:19 | call to mb_chars | semmle.label | call to mb_chars |
| active_support.rb:95:9:95:18 | call to source : | semmle.label | call to source : |
| active_support.rb:96:10:96:10 | x : | semmle.label | x : |
| active_support.rb:96:10:96:23 | call to parameterize | semmle.label | call to parameterize |
| active_support.rb:100:9:100:18 | call to source : | semmle.label | call to source : |
| active_support.rb:101:10:101:10 | x : | semmle.label | x : |
| active_support.rb:101:10:101:20 | call to pluralize | semmle.label | call to pluralize |
| active_support.rb:105:9:105:18 | call to source : | semmle.label | call to source : |
| active_support.rb:106:10:106:10 | x : | semmle.label | x : |
| active_support.rb:106:10:106:24 | call to remove | semmle.label | call to remove |
| active_support.rb:110:9:110:18 | call to source : | semmle.label | call to source : |
| active_support.rb:111:10:111:10 | x : | semmle.label | x : |
| active_support.rb:111:10:111:25 | call to remove! | semmle.label | call to remove! |
| active_support.rb:115:9:115:18 | call to source : | semmle.label | call to source : |
| active_support.rb:116:10:116:10 | x : | semmle.label | x : |
| active_support.rb:116:10:116:22 | call to singularize | semmle.label | call to singularize |
| active_support.rb:120:9:120:18 | call to source : | semmle.label | call to source : |
| active_support.rb:121:10:121:10 | x : | semmle.label | x : |
| active_support.rb:121:10:121:17 | call to squish | semmle.label | call to squish |
| active_support.rb:125:9:125:18 | call to source : | semmle.label | call to source : |
| active_support.rb:126:10:126:10 | x : | semmle.label | x : |
| active_support.rb:126:10:126:18 | call to squish! | semmle.label | call to squish! |
| active_support.rb:130:9:130:18 | call to source : | semmle.label | call to source : |
| active_support.rb:131:10:131:10 | x : | semmle.label | x : |
| active_support.rb:131:10:131:24 | call to strip_heredoc | semmle.label | call to strip_heredoc |
| active_support.rb:135:9:135:18 | call to source : | semmle.label | call to source : |
| active_support.rb:136:10:136:10 | x : | semmle.label | x : |
| active_support.rb:136:10:136:19 | call to tableize | semmle.label | call to tableize |
| active_support.rb:140:9:140:18 | call to source : | semmle.label | call to source : |
| active_support.rb:141:10:141:10 | x : | semmle.label | x : |
| active_support.rb:141:10:141:20 | call to titlecase | semmle.label | call to titlecase |
| active_support.rb:145:9:145:18 | call to source : | semmle.label | call to source : |
| active_support.rb:146:10:146:10 | x : | semmle.label | x : |
| active_support.rb:146:10:146:19 | call to titleize | semmle.label | call to titleize |
| active_support.rb:150:9:150:18 | call to source : | semmle.label | call to source : |
| active_support.rb:151:10:151:10 | x : | semmle.label | x : |
| active_support.rb:151:10:151:16 | call to to | semmle.label | call to to |
| active_support.rb:155:9:155:18 | call to source : | semmle.label | call to source : |
| active_support.rb:156:10:156:10 | x : | semmle.label | x : |
| active_support.rb:156:10:156:22 | call to truncate | semmle.label | call to truncate |
| active_support.rb:160:9:160:18 | call to source : | semmle.label | call to source : |
| active_support.rb:161:10:161:10 | x : | semmle.label | x : |
| active_support.rb:161:10:161:28 | call to truncate_bytes | semmle.label | call to truncate_bytes |
| active_support.rb:165:9:165:18 | call to source : | semmle.label | call to source : |
| active_support.rb:166:10:166:10 | x : | semmle.label | x : |
| active_support.rb:166:10:166:28 | call to truncate_words | semmle.label | call to truncate_words |
| active_support.rb:170:9:170:18 | call to source : | semmle.label | call to source : |
| active_support.rb:171:10:171:10 | x : | semmle.label | x : |
| active_support.rb:171:10:171:21 | call to underscore | semmle.label | call to underscore |
| active_support.rb:175:9:175:18 | call to source : | semmle.label | call to source : |
| active_support.rb:176:10:176:10 | x : | semmle.label | x : |
| active_support.rb:176:10:176:23 | call to upcase_first | semmle.label | call to upcase_first |
| active_support.rb:180:10:180:17 | call to source : | semmle.label | call to source : |
| active_support.rb:180:10:180:17 | call to source : | semmle.label | call to source : |
| active_support.rb:181:9:181:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:181:9:181:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:181:9:181:23 | call to compact_blank [element] : | semmle.label | call to compact_blank [element] : |
| active_support.rb:181:9:181:23 | call to compact_blank [element] : | semmle.label | call to compact_blank [element] : |
| active_support.rb:182:10:182:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:182:10:182:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:182:10:182:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:182:10:182:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:186:10:186:18 | call to source : | semmle.label | call to source : |
| active_support.rb:186:10:186:18 | call to source : | semmle.label | call to source : |
| active_support.rb:187:9:187:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:187:9:187:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:187:9:187:21 | call to excluding [element] : | semmle.label | call to excluding [element] : |
| active_support.rb:187:9:187:21 | call to excluding [element] : | semmle.label | call to excluding [element] : |
| active_support.rb:188:10:188:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:188:10:188:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:188:10:188:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:188:10:188:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:192:10:192:18 | call to source : | semmle.label | call to source : |
| active_support.rb:192:10:192:18 | call to source : | semmle.label | call to source : |
| active_support.rb:193:9:193:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:193:9:193:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:193:9:193:19 | call to without [element] : | semmle.label | call to without [element] : |
| active_support.rb:193:9:193:19 | call to without [element] : | semmle.label | call to without [element] : |
| active_support.rb:194:10:194:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:194:10:194:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:194:10:194:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:194:10:194:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:198:10:198:18 | call to source : | semmle.label | call to source : |
| active_support.rb:198:10:198:18 | call to source : | semmle.label | call to source : |
| active_support.rb:199:9:199:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:199:9:199:9 | x [element 0] : | semmle.label | x [element 0] : |
| active_support.rb:199:9:199:37 | call to in_order_of [element] : | semmle.label | call to in_order_of [element] : |
| active_support.rb:199:9:199:37 | call to in_order_of [element] : | semmle.label | call to in_order_of [element] : |
| active_support.rb:200:10:200:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:200:10:200:10 | y [element] : | semmle.label | y [element] : |
| active_support.rb:200:10:200:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:200:10:200:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:204:10:204:18 | call to source : | semmle.label | call to source : |
| active_support.rb:204:10:204:18 | call to source : | semmle.label | call to source : |
| active_support.rb:205:9:205:9 | a [element 0] : | semmle.label | a [element 0] : |
| active_support.rb:205:9:205:9 | a [element 0] : | semmle.label | a [element 0] : |
| active_support.rb:205:9:205:41 | call to including [element 0] : | semmle.label | call to including [element 0] : |
| active_support.rb:205:9:205:41 | call to including [element 0] : | semmle.label | call to including [element 0] : |
| active_support.rb:205:9:205:41 | call to including [element] : | semmle.label | call to including [element] : |
| active_support.rb:205:9:205:41 | call to including [element] : | semmle.label | call to including [element] : |
| active_support.rb:205:21:205:29 | call to source : | semmle.label | call to source : |
| active_support.rb:205:21:205:29 | call to source : | semmle.label | call to source : |
| active_support.rb:205:32:205:40 | call to source : | semmle.label | call to source : |
| active_support.rb:205:32:205:40 | call to source : | semmle.label | call to source : |
| active_support.rb:206:10:206:10 | a [element 0] : | semmle.label | a [element 0] : |
| active_support.rb:206:10:206:10 | a [element 0] : | semmle.label | a [element 0] : |
| active_support.rb:206:10:206:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:206:10:206:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:208:10:208:10 | b [element 0] : | semmle.label | b [element 0] : |
| active_support.rb:208:10:208:10 | b [element 0] : | semmle.label | b [element 0] : |
| active_support.rb:208:10:208:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:208:10:208:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:208:10:208:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:208:10:208:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:209:10:209:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:209:10:209:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:209:10:209:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:209:10:209:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:210:10:210:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:210:10:210:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:210:10:210:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:210:10:210:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:211:10:211:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:211:10:211:10 | b [element] : | semmle.label | b [element] : |
| active_support.rb:211:10:211:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:211:10:211:13 | ...[...] | semmle.label | ...[...] |
| active_support.rb:215:7:215:16 | call to source : | semmle.label | call to source : |
| active_support.rb:216:7:216:35 | call to new : | semmle.label | call to new : |
| active_support.rb:216:34:216:34 | x : | semmle.label | x : |
| active_support.rb:217:8:217:8 | y | semmle.label | y |
| active_support.rb:222:7:222:16 | call to source : | semmle.label | call to source : |
| active_support.rb:223:7:223:22 | call to safe_concat : | semmle.label | call to safe_concat : |
| active_support.rb:223:21:223:21 | b : | semmle.label | b : |
| active_support.rb:224:8:224:8 | y | semmle.label | y |
| active_support.rb:229:7:229:16 | call to source : | semmle.label | call to source : |
| active_support.rb:230:3:230:3 | [post] x : | semmle.label | [post] x : |
| active_support.rb:230:17:230:17 | b : | semmle.label | b : |
| active_support.rb:231:8:231:8 | x | semmle.label | x |
| active_support.rb:235:7:235:16 | call to source : | semmle.label | call to source : |
| active_support.rb:237:7:237:35 | call to new : | semmle.label | call to new : |
| active_support.rb:237:34:237:34 | a : | semmle.label | a : |
| active_support.rb:238:7:238:7 | x : | semmle.label | x : |
| active_support.rb:238:7:238:17 | call to concat : | semmle.label | call to concat : |
| active_support.rb:239:8:239:8 | y | semmle.label | y |
| active_support.rb:243:7:243:16 | call to source : | semmle.label | call to source : |
| active_support.rb:245:7:245:35 | call to new : | semmle.label | call to new : |
| active_support.rb:245:34:245:34 | a : | semmle.label | a : |
| active_support.rb:246:7:246:7 | x : | semmle.label | x : |
| active_support.rb:246:7:246:20 | call to insert : | semmle.label | call to insert : |
| active_support.rb:247:8:247:8 | y | semmle.label | y |
| active_support.rb:251:7:251:16 | call to source : | semmle.label | call to source : |
| active_support.rb:253:7:253:35 | call to new : | semmle.label | call to new : |
| active_support.rb:253:34:253:34 | a : | semmle.label | a : |
| active_support.rb:254:7:254:7 | x : | semmle.label | x : |
| active_support.rb:254:7:254:18 | call to prepend : | semmle.label | call to prepend : |
| active_support.rb:255:8:255:8 | y | semmle.label | y |
| active_support.rb:259:7:259:16 | call to source : | semmle.label | call to source : |
| active_support.rb:260:7:260:35 | call to new : | semmle.label | call to new : |
| active_support.rb:260:34:260:34 | a : | semmle.label | a : |
| active_support.rb:261:7:261:7 | x : | semmle.label | x : |
| active_support.rb:261:7:261:12 | call to to_s : | semmle.label | call to to_s : |
| active_support.rb:262:8:262:8 | y | semmle.label | y |
| active_support.rb:266:7:266:16 | call to source : | semmle.label | call to source : |
| active_support.rb:267:7:267:35 | call to new : | semmle.label | call to new : |
| active_support.rb:267:34:267:34 | a : | semmle.label | a : |
| active_support.rb:268:7:268:7 | x : | semmle.label | x : |
| active_support.rb:268:7:268:16 | call to to_param : | semmle.label | call to to_param : |
| active_support.rb:269:8:269:8 | y | semmle.label | y |
| active_support.rb:273:7:273:16 | call to source : | semmle.label | call to source : |
| active_support.rb:274:7:274:21 | call to new : | semmle.label | call to new : |
| active_support.rb:274:20:274:20 | a : | semmle.label | a : |
| active_support.rb:275:7:275:7 | x : | semmle.label | x : |
| active_support.rb:275:7:275:17 | call to existence : | semmle.label | call to existence : |
| active_support.rb:276:8:276:8 | y | semmle.label | y |
| active_support.rb:277:7:277:7 | y : | semmle.label | y : |
| active_support.rb:277:7:277:17 | call to existence : | semmle.label | call to existence : |
| active_support.rb:278:8:278:8 | z | semmle.label | z |
| active_support.rb:282:7:282:16 | call to source : | semmle.label | call to source : |
| active_support.rb:282:7:282:16 | call to source : | semmle.label | call to source : |
| active_support.rb:283:8:283:8 | x : | semmle.label | x : |
| active_support.rb:283:8:283:8 | x : | semmle.label | x : |
| active_support.rb:283:8:283:17 | call to presence | semmle.label | call to presence |
| active_support.rb:283:8:283:17 | call to presence | semmle.label | call to presence |
| active_support.rb:285:7:285:16 | call to source : | semmle.label | call to source : |
| active_support.rb:285:7:285:16 | call to source : | semmle.label | call to source : |
| active_support.rb:286:8:286:8 | y : | semmle.label | y : |
| active_support.rb:286:8:286:8 | y : | semmle.label | y : |
| active_support.rb:286:8:286:17 | call to presence | semmle.label | call to presence |
| active_support.rb:286:8:286:17 | call to presence | semmle.label | call to presence |
| active_support.rb:290:7:290:16 | call to source : | semmle.label | call to source : |
| active_support.rb:290:7:290:16 | call to source : | semmle.label | call to source : |
| active_support.rb:291:8:291:8 | x : | semmle.label | x : |
| active_support.rb:291:8:291:8 | x : | semmle.label | x : |
| active_support.rb:291:8:291:17 | call to deep_dup | semmle.label | call to deep_dup |
| active_support.rb:291:8:291:17 | call to deep_dup | semmle.label | call to deep_dup |
| hash_extensions.rb:2:14:2:24 | call to source : | semmle.label | call to source : |
| hash_extensions.rb:2:14:2:24 | call to source : | semmle.label | call to source : |
| hash_extensions.rb:3:9:3:9 | h [element :a] : | semmle.label | h [element :a] : |
| hash_extensions.rb:3:9:3:9 | h [element :a] : | semmle.label | h [element :a] : |
| hash_extensions.rb:3:9:3:24 | call to stringify_keys [element] : | semmle.label | call to stringify_keys [element] : |
| hash_extensions.rb:3:9:3:24 | call to stringify_keys [element] : | semmle.label | call to stringify_keys [element] : |
| hash_extensions.rb:4:10:4:10 | x [element] : | semmle.label | x [element] : |
| hash_extensions.rb:4:10:4:10 | x [element] : | semmle.label | x [element] : |
| hash_extensions.rb:4:10:4:14 | ...[...] | semmle.label | ...[...] |
| hash_extensions.rb:4:10:4:14 | ...[...] | semmle.label | ...[...] |
| hash_extensions.rb:10:14:10:24 | call to source : | semmle.label | call to source : |
| hash_extensions.rb:10:14:10:24 | call to source : | semmle.label | call to source : |
| hash_extensions.rb:11:9:11:9 | h [element :a] : | semmle.label | h [element :a] : |
| hash_extensions.rb:11:9:11:9 | h [element :a] : | semmle.label | h [element :a] : |
| hash_extensions.rb:11:9:11:20 | call to to_options [element] : | semmle.label | call to to_options [element] : |
| hash_extensions.rb:11:9:11:20 | call to to_options [element] : | semmle.label | call to to_options [element] : |
| hash_extensions.rb:12:10:12:10 | x [element] : | semmle.label | x [element] : |
| hash_extensions.rb:12:10:12:10 | x [element] : | semmle.label | x [element] : |
| hash_extensions.rb:12:10:12:14 | ...[...] | semmle.label | ...[...] |
| hash_extensions.rb:12:10:12:14 | ...[...] | semmle.label | ...[...] |
| hash_extensions.rb:18:14:18:24 | call to source : | semmle.label | call to source : |
| hash_extensions.rb:18:14:18:24 | call to source : | semmle.label | call to source : |
| hash_extensions.rb:19:9:19:9 | h [element :a] : | semmle.label | h [element :a] : |
| hash_extensions.rb:19:9:19:9 | h [element :a] : | semmle.label | h [element :a] : |
| hash_extensions.rb:19:9:19:24 | call to symbolize_keys [element] : | semmle.label | call to symbolize_keys [element] : |
| hash_extensions.rb:19:9:19:24 | call to symbolize_keys [element] : | semmle.label | call to symbolize_keys [element] : |
| hash_extensions.rb:20:10:20:10 | x [element] : | semmle.label | x [element] : |
| hash_extensions.rb:20:10:20:10 | x [element] : | semmle.label | x [element] : |
| hash_extensions.rb:20:10:20:14 | ...[...] | semmle.label | ...[...] |
| hash_extensions.rb:20:10:20:14 | ...[...] | semmle.label | ...[...] |
| hash_extensions.rb:26:14:26:24 | call to source : | semmle.label | call to source : |
| hash_extensions.rb:26:14:26:24 | call to source : | semmle.label | call to source : |
| hash_extensions.rb:27:9:27:9 | h [element :a] : | semmle.label | h [element :a] : |
| hash_extensions.rb:27:9:27:9 | h [element :a] : | semmle.label | h [element :a] : |
| hash_extensions.rb:27:9:27:29 | call to deep_stringify_keys [element] : | semmle.label | call to deep_stringify_keys [element] : |
| hash_extensions.rb:27:9:27:29 | call to deep_stringify_keys [element] : | semmle.label | call to deep_stringify_keys [element] : |
| hash_extensions.rb:28:10:28:10 | x [element] : | semmle.label | x [element] : |
| hash_extensions.rb:28:10:28:10 | x [element] : | semmle.label | x [element] : |
| hash_extensions.rb:28:10:28:14 | ...[...] | semmle.label | ...[...] |
| hash_extensions.rb:28:10:28:14 | ...[...] | semmle.label | ...[...] |
| hash_extensions.rb:34:14:34:24 | call to source : | semmle.label | call to source : |
| hash_extensions.rb:34:14:34:24 | call to source : | semmle.label | call to source : |
| hash_extensions.rb:35:9:35:9 | h [element :a] : | semmle.label | h [element :a] : |
| hash_extensions.rb:35:9:35:9 | h [element :a] : | semmle.label | h [element :a] : |
| hash_extensions.rb:35:9:35:29 | call to deep_symbolize_keys [element] : | semmle.label | call to deep_symbolize_keys [element] : |
| hash_extensions.rb:35:9:35:29 | call to deep_symbolize_keys [element] : | semmle.label | call to deep_symbolize_keys [element] : |
| hash_extensions.rb:36:10:36:10 | x [element] : | semmle.label | x [element] : |
| hash_extensions.rb:36:10:36:10 | x [element] : | semmle.label | x [element] : |
| hash_extensions.rb:36:10:36:14 | ...[...] | semmle.label | ...[...] |
| hash_extensions.rb:36:10:36:14 | ...[...] | semmle.label | ...[...] |
| hash_extensions.rb:42:14:42:24 | call to source : | semmle.label | call to source : |
| hash_extensions.rb:42:14:42:24 | call to source : | semmle.label | call to source : |
| hash_extensions.rb:43:9:43:9 | h [element :a] : | semmle.label | h [element :a] : |
| hash_extensions.rb:43:9:43:9 | h [element :a] : | semmle.label | h [element :a] : |
| hash_extensions.rb:43:9:43:33 | call to with_indifferent_access [element] : | semmle.label | call to with_indifferent_access [element] : |
| hash_extensions.rb:43:9:43:33 | call to with_indifferent_access [element] : | semmle.label | call to with_indifferent_access [element] : |
| hash_extensions.rb:44:10:44:10 | x [element] : | semmle.label | x [element] : |
| hash_extensions.rb:44:10:44:10 | x [element] : | semmle.label | x [element] : |
| hash_extensions.rb:44:10:44:14 | ...[...] | semmle.label | ...[...] |
| hash_extensions.rb:44:10:44:14 | ...[...] | semmle.label | ...[...] |
| hash_extensions.rb:50:14:50:23 | call to taint : | semmle.label | call to taint : |
| hash_extensions.rb:50:14:50:23 | call to taint : | semmle.label | call to taint : |
| hash_extensions.rb:50:29:50:38 | call to taint : | semmle.label | call to taint : |
| hash_extensions.rb:50:29:50:38 | call to taint : | semmle.label | call to taint : |
| hash_extensions.rb:50:52:50:61 | call to taint : | semmle.label | call to taint : |
| hash_extensions.rb:50:52:50:61 | call to taint : | semmle.label | call to taint : |
| hash_extensions.rb:51:9:51:9 | [post] h [element :d] : | semmle.label | [post] h [element :d] : |
| hash_extensions.rb:51:9:51:9 | [post] h [element :d] : | semmle.label | [post] h [element :d] : |
| hash_extensions.rb:51:9:51:9 | h [element :a] : | semmle.label | h [element :a] : |
| hash_extensions.rb:51:9:51:9 | h [element :a] : | semmle.label | h [element :a] : |
| hash_extensions.rb:51:9:51:9 | h [element :b] : | semmle.label | h [element :b] : |
| hash_extensions.rb:51:9:51:9 | h [element :b] : | semmle.label | h [element :b] : |
| hash_extensions.rb:51:9:51:9 | h [element :d] : | semmle.label | h [element :d] : |
| hash_extensions.rb:51:9:51:9 | h [element :d] : | semmle.label | h [element :d] : |
| hash_extensions.rb:51:9:51:29 | call to extract! [element :a] : | semmle.label | call to extract! [element :a] : |
| hash_extensions.rb:51:9:51:29 | call to extract! [element :a] : | semmle.label | call to extract! [element :a] : |
| hash_extensions.rb:51:9:51:29 | call to extract! [element :b] : | semmle.label | call to extract! [element :b] : |
| hash_extensions.rb:51:9:51:29 | call to extract! [element :b] : | semmle.label | call to extract! [element :b] : |
| hash_extensions.rb:56:10:56:10 | h [element :d] : | semmle.label | h [element :d] : |
| hash_extensions.rb:56:10:56:10 | h [element :d] : | semmle.label | h [element :d] : |
| hash_extensions.rb:56:10:56:14 | ...[...] | semmle.label | ...[...] |
| hash_extensions.rb:56:10:56:14 | ...[...] | semmle.label | ...[...] |
| hash_extensions.rb:58:10:58:10 | x [element :a] : | semmle.label | x [element :a] : |
| hash_extensions.rb:58:10:58:10 | x [element :a] : | semmle.label | x [element :a] : |
| hash_extensions.rb:58:10:58:14 | ...[...] | semmle.label | ...[...] |
| hash_extensions.rb:58:10:58:14 | ...[...] | semmle.label | ...[...] |
| hash_extensions.rb:59:10:59:10 | x [element :b] : | semmle.label | x [element :b] : |
| hash_extensions.rb:59:10:59:10 | x [element :b] : | semmle.label | x [element :b] : |
| hash_extensions.rb:59:10:59:14 | ...[...] | semmle.label | ...[...] |
| hash_extensions.rb:59:10:59:14 | ...[...] | semmle.label | ...[...] |
subpaths
#select
| active_support.rb:106:10:106:13 | ...[...] | active_support.rb:104:10:104:17 | call to source : | active_support.rb:106:10:106:13 | ...[...] | $@ | active_support.rb:104:10:104:17 | call to source : | call to source : |
| active_support.rb:112:10:112:13 | ...[...] | active_support.rb:110:10:110:18 | call to source : | active_support.rb:112:10:112:13 | ...[...] | $@ | active_support.rb:110:10:110:18 | call to source : | call to source : |
| active_support.rb:118:10:118:13 | ...[...] | active_support.rb:116:10:116:18 | call to source : | active_support.rb:118:10:118:13 | ...[...] | $@ | active_support.rb:116:10:116:18 | call to source : | call to source : |
| active_support.rb:124:10:124:13 | ...[...] | active_support.rb:122:10:122:18 | call to source : | active_support.rb:124:10:124:13 | ...[...] | $@ | active_support.rb:122:10:122:18 | call to source : | call to source : |
| active_support.rb:130:10:130:13 | ...[...] | active_support.rb:128:10:128:18 | call to source : | active_support.rb:130:10:130:13 | ...[...] | $@ | active_support.rb:128:10:128:18 | call to source : | call to source : |
| active_support.rb:132:10:132:13 | ...[...] | active_support.rb:128:10:128:18 | call to source : | active_support.rb:132:10:132:13 | ...[...] | $@ | active_support.rb:128:10:128:18 | call to source : | call to source : |
| active_support.rb:132:10:132:13 | ...[...] | active_support.rb:129:21:129:29 | call to source : | active_support.rb:132:10:132:13 | ...[...] | $@ | active_support.rb:129:21:129:29 | call to source : | call to source : |
| active_support.rb:132:10:132:13 | ...[...] | active_support.rb:129:32:129:40 | call to source : | active_support.rb:132:10:132:13 | ...[...] | $@ | active_support.rb:129:32:129:40 | call to source : | call to source : |
| active_support.rb:133:10:133:13 | ...[...] | active_support.rb:129:21:129:29 | call to source : | active_support.rb:133:10:133:13 | ...[...] | $@ | active_support.rb:129:21:129:29 | call to source : | call to source : |
| active_support.rb:133:10:133:13 | ...[...] | active_support.rb:129:32:129:40 | call to source : | active_support.rb:133:10:133:13 | ...[...] | $@ | active_support.rb:129:32:129:40 | call to source : | call to source : |
| active_support.rb:134:10:134:13 | ...[...] | active_support.rb:129:21:129:29 | call to source : | active_support.rb:134:10:134:13 | ...[...] | $@ | active_support.rb:129:21:129:29 | call to source : | call to source : |
| active_support.rb:134:10:134:13 | ...[...] | active_support.rb:129:32:129:40 | call to source : | active_support.rb:134:10:134:13 | ...[...] | $@ | active_support.rb:129:32:129:40 | call to source : | call to source : |
| active_support.rb:135:10:135:13 | ...[...] | active_support.rb:129:21:129:29 | call to source : | active_support.rb:135:10:135:13 | ...[...] | $@ | active_support.rb:129:21:129:29 | call to source : | call to source : |
| active_support.rb:135:10:135:13 | ...[...] | active_support.rb:129:32:129:40 | call to source : | active_support.rb:135:10:135:13 | ...[...] | $@ | active_support.rb:129:32:129:40 | call to source : | call to source : |
| active_support.rb:182:10:182:13 | ...[...] | active_support.rb:180:10:180:17 | call to source : | active_support.rb:182:10:182:13 | ...[...] | $@ | active_support.rb:180:10:180:17 | call to source : | call to source : |
| active_support.rb:188:10:188:13 | ...[...] | active_support.rb:186:10:186:18 | call to source : | active_support.rb:188:10:188:13 | ...[...] | $@ | active_support.rb:186:10:186:18 | call to source : | call to source : |
| active_support.rb:194:10:194:13 | ...[...] | active_support.rb:192:10:192:18 | call to source : | active_support.rb:194:10:194:13 | ...[...] | $@ | active_support.rb:192:10:192:18 | call to source : | call to source : |
| active_support.rb:200:10:200:13 | ...[...] | active_support.rb:198:10:198:18 | call to source : | active_support.rb:200:10:200:13 | ...[...] | $@ | active_support.rb:198:10:198:18 | call to source : | call to source : |
| active_support.rb:206:10:206:13 | ...[...] | active_support.rb:204:10:204:18 | call to source : | active_support.rb:206:10:206:13 | ...[...] | $@ | active_support.rb:204:10:204:18 | call to source : | call to source : |
| active_support.rb:208:10:208:13 | ...[...] | active_support.rb:204:10:204:18 | call to source : | active_support.rb:208:10:208:13 | ...[...] | $@ | active_support.rb:204:10:204:18 | call to source : | call to source : |
| active_support.rb:208:10:208:13 | ...[...] | active_support.rb:205:21:205:29 | call to source : | active_support.rb:208:10:208:13 | ...[...] | $@ | active_support.rb:205:21:205:29 | call to source : | call to source : |
| active_support.rb:208:10:208:13 | ...[...] | active_support.rb:205:32:205:40 | call to source : | active_support.rb:208:10:208:13 | ...[...] | $@ | active_support.rb:205:32:205:40 | call to source : | call to source : |
| active_support.rb:209:10:209:13 | ...[...] | active_support.rb:205:21:205:29 | call to source : | active_support.rb:209:10:209:13 | ...[...] | $@ | active_support.rb:205:21:205:29 | call to source : | call to source : |
| active_support.rb:209:10:209:13 | ...[...] | active_support.rb:205:32:205:40 | call to source : | active_support.rb:209:10:209:13 | ...[...] | $@ | active_support.rb:205:32:205:40 | call to source : | call to source : |
| active_support.rb:210:10:210:13 | ...[...] | active_support.rb:205:21:205:29 | call to source : | active_support.rb:210:10:210:13 | ...[...] | $@ | active_support.rb:205:21:205:29 | call to source : | call to source : |
| active_support.rb:210:10:210:13 | ...[...] | active_support.rb:205:32:205:40 | call to source : | active_support.rb:210:10:210:13 | ...[...] | $@ | active_support.rb:205:32:205:40 | call to source : | call to source : |
| active_support.rb:211:10:211:13 | ...[...] | active_support.rb:205:21:205:29 | call to source : | active_support.rb:211:10:211:13 | ...[...] | $@ | active_support.rb:205:21:205:29 | call to source : | call to source : |
| active_support.rb:211:10:211:13 | ...[...] | active_support.rb:205:32:205:40 | call to source : | active_support.rb:211:10:211:13 | ...[...] | $@ | active_support.rb:205:32:205:40 | call to source : | call to source : |
| active_support.rb:283:8:283:17 | call to presence | active_support.rb:282:7:282:16 | call to source : | active_support.rb:283:8:283:17 | call to presence | $@ | active_support.rb:282:7:282:16 | call to source : | call to source : |
| active_support.rb:286:8:286:17 | call to presence | active_support.rb:285:7:285:16 | call to source : | active_support.rb:286:8:286:17 | call to presence | $@ | active_support.rb:285:7:285:16 | call to source : | call to source : |
| active_support.rb:291:8:291:17 | call to deep_dup | active_support.rb:290:7:290:16 | call to source : | active_support.rb:291:8:291:17 | call to deep_dup | $@ | active_support.rb:290:7:290:16 | call to source : | call to source : |
| hash_extensions.rb:4:10:4:14 | ...[...] | hash_extensions.rb:2:14:2:24 | call to source : | hash_extensions.rb:4:10:4:14 | ...[...] | $@ | hash_extensions.rb:2:14:2:24 | call to source : | call to source : |
| hash_extensions.rb:12:10:12:14 | ...[...] | hash_extensions.rb:10:14:10:24 | call to source : | hash_extensions.rb:12:10:12:14 | ...[...] | $@ | hash_extensions.rb:10:14:10:24 | call to source : | call to source : |
| hash_extensions.rb:20:10:20:14 | ...[...] | hash_extensions.rb:18:14:18:24 | call to source : | hash_extensions.rb:20:10:20:14 | ...[...] | $@ | hash_extensions.rb:18:14:18:24 | call to source : | call to source : |
| hash_extensions.rb:28:10:28:14 | ...[...] | hash_extensions.rb:26:14:26:24 | call to source : | hash_extensions.rb:28:10:28:14 | ...[...] | $@ | hash_extensions.rb:26:14:26:24 | call to source : | call to source : |
| hash_extensions.rb:36:10:36:14 | ...[...] | hash_extensions.rb:34:14:34:24 | call to source : | hash_extensions.rb:36:10:36:14 | ...[...] | $@ | hash_extensions.rb:34:14:34:24 | call to source : | call to source : |
| hash_extensions.rb:44:10:44:14 | ...[...] | hash_extensions.rb:42:14:42:24 | call to source : | hash_extensions.rb:44:10:44:14 | ...[...] | $@ | hash_extensions.rb:42:14:42:24 | call to source : | call to source : |
| hash_extensions.rb:56:10:56:14 | ...[...] | hash_extensions.rb:50:52:50:61 | call to taint : | hash_extensions.rb:56:10:56:14 | ...[...] | $@ | hash_extensions.rb:50:52:50:61 | call to taint : | call to taint : |
| hash_extensions.rb:58:10:58:14 | ...[...] | hash_extensions.rb:50:14:50:23 | call to taint : | hash_extensions.rb:58:10:58:14 | ...[...] | $@ | hash_extensions.rb:50:14:50:23 | call to taint : | call to taint : |
| hash_extensions.rb:59:10:59:14 | ...[...] | hash_extensions.rb:50:29:50:38 | call to taint : | hash_extensions.rb:59:10:59:14 | ...[...] | $@ | hash_extensions.rb:50:29:50:38 | call to taint : | call to taint : |


@@ -4,6 +4,7 @@
import codeql.ruby.AST
import TestUtilities.InlineFlowTest
import codeql.ruby.Frameworks
import PathGraph
from DataFlow::PathNode source, DataFlow::PathNode sink, DefaultValueFlowConf conf


@@ -1,10 +1,16 @@
"Foo::Bar".constantize
a.constantize
a.safe_constantize
ActiveSupport::Logger.new(STDOUT)
ActiveSupport::TaggedLogging.new(STDOUT)
def m_at
x = source "a"
sink x.at(1..3) # $hasTaintFlow=a
end
def m_camelize
x = source "a"
sink x.camelize # $hasTaintFlow=a
@@ -35,11 +41,26 @@ def m_demodulize
sink x.demodulize # $hasTaintFlow=a
end
def first
x = source "a"
sink x.first(3) # $hasTaintFlow=a
end
def m_foreign_key
x = source "a"
sink x.foreign_key # $hasTaintFlow=a
end
def m_from
x = source "a"
sink x.from(3) # $hasTaintFlow=a
end
def m_html_safe
x = source "a"
sink x.html_safe # $hasTaintFlow=a
end
def m_humanize
x = source "a"
sink x.humanize # $hasTaintFlow=a
@@ -50,6 +71,26 @@ def m_indent
sink x.indent(1) # $hasTaintFlow=a
end
def m_indent!
x = source "a"
sink x.indent!(1) # $hasTaintFlow=a
end
def m_inquiry
x = source "a"
sink x.inquiry # $hasTaintFlow=a
end
def m_last
x = source "a"
sink x.last(1) # $hasTaintFlow=a
end
def m_mb_chars
x = source "a"
sink x.mb_chars # $hasTaintFlow=a
end
def m_parameterize
x = source "a"
sink x.parameterize # $hasTaintFlow=a
@@ -60,6 +101,16 @@ def m_pluralize
sink x.pluralize # $hasTaintFlow=a
end
def m_remove
x = source "a"
sink x.remove("foo") # $hasTaintFlow=a
end
def m_remove!
x = source "a"
sink x.remove!("foo") # $hasTaintFlow=a
end
def m_singularize
x = source "a"
sink x.singularize # $hasTaintFlow=a
@@ -70,6 +121,11 @@ def m_squish
sink x.squish # $hasTaintFlow=a
end
def m_squish!
x = source "a"
sink x.squish! # $hasTaintFlow=a
end
def m_strip_heredoc
x = source "a"
sink x.strip_heredoc # $hasTaintFlow=a
@@ -90,6 +146,26 @@ def m_titleize
sink x.titleize # $hasTaintFlow=a
end
def m_to
x = source "a"
sink x.to(3) # $hasTaintFlow=a
end
def m_truncate
x = source "a"
sink x.truncate(3) # $hasTaintFlow=a
end
def m_truncate_bytes
x = source "a"
sink x.truncate_bytes(3) # $hasTaintFlow=a
end
def m_truncate_words
x = source "a"
sink x.truncate_words(3) # $hasTaintFlow=a
end
def m_underscore
x = source "a"
sink x.underscore # $hasTaintFlow=a
@@ -201,3 +277,16 @@ def m_pathname_existence
z = y.existence
sink z # $hasTaintFlow=a
end
def m_presence
x = source "a"
sink x.presence # $hasValueFlow=a
y = source 123
sink y.presence # $hasValueFlow=123
end
def m_deep_dup
x = source "a"
sink x.deep_dup # $hasValueFlow=a
end
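Review bot: The test method added in the second hunk is named `first`, while every other method in this file follows the `m_<method>` pattern (`m_at`, `m_from`, `m_last`, and so on). A top-level `def first` also shares its name with the call under test, which makes the test harder to read. I would rename it to `def m_first`. The inline `$hasTaintFlow=a` expectation sits on the `sink` line, so it should be unaffected by the rename.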


@@ -0,0 +1,64 @@
def m_stringify_keys
h = { a: source("a") }
x = h.stringify_keys
sink x[:a] # $hasValueFlow=a
end
m_stringify_keys()
def m_to_options
h = { a: source("a") }
x = h.to_options
sink x[:a] # $hasValueFlow=a
end
m_to_options()
def m_symbolize_keys
h = { a: source("a") }
x = h.symbolize_keys
sink x[:a] # $hasValueFlow=a
end
m_symbolize_keys()
def m_deep_stringify_keys
h = { a: source("a") }
x = h.deep_stringify_keys
sink x[:a] # $hasValueFlow=a
end
m_deep_stringify_keys()
def m_deep_symbolize_keys
h = { a: source("a") }
x = h.deep_symbolize_keys
sink x[:a] # $hasValueFlow=a
end
m_deep_symbolize_keys()
def m_with_indifferent_access
h = { a: source("a") }
x = h.with_indifferent_access
sink x[:a] # $hasValueFlow=a
end
m_with_indifferent_access()
def m_extract!(x)
h = { a: taint("a"), b: taint("b"), c: "c", d: taint("d") }
x = h.extract!(:a, x, :b)
sink h[:a]
sink h[:b]
sink h[:c]
sink h[:d] # $ hasValueFlow=d
sink x[:a] # $ hasValueFlow=a
sink x[:b] # $ hasValueFlow=b
sink x[:c]
sink x[:d]
end
m_extract!(:c)
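Review bot: In `m_stringify_keys` and `m_deep_stringify_keys` the result is read back with the symbol key `x[:a]`, but once the keys are stringified the value lives under `"a"`, so at runtime that read returns nil. The `$hasValueFlow=a` expectation on those lines therefore pins an over-approximation rather than real flow; presumably the summary keeps element content under the original key, though the model is not visible here. I would add `sink x["a"] # $hasValueFlow=a` next to each of those reads, prefixed with `MISSING:` if the model does not report it. A comment such as `# x[:a] is nil at runtime; the flow reported here is a known imprecision` would record the intent. The annotation spacing also differs between `# $hasValueFlow=a` and `# $ hasValueFlow=d` in `m_extract!`, and a single form would be easier to search for.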


@@ -33,4 +33,8 @@ resp10.body
connection = Faraday.new(url: "http://example.com")
resp11 = connection.get("/")
resp11.body
resp11.body
connection = Faraday::Connection.new(url: "https://example.com")
resp12 = connection.get("/")
resp12.body


@@ -28,6 +28,9 @@
| Faraday.rb:35:10:35:28 | call to get | Faraday | Faraday.rb:34:26:34:50 | Pair | Faraday.rb:36:1:36:11 | call to body |
| Faraday.rb:35:10:35:28 | call to get | Faraday | Faraday.rb:34:31:34:50 | "http://example.com" | Faraday.rb:36:1:36:11 | call to body |
| Faraday.rb:35:10:35:28 | call to get | Faraday | Faraday.rb:35:25:35:27 | "/" | Faraday.rb:36:1:36:11 | call to body |
| Faraday.rb:39:10:39:28 | call to get | Faraday | Faraday.rb:38:38:38:63 | Pair | Faraday.rb:40:1:40:11 | call to body |
| Faraday.rb:39:10:39:28 | call to get | Faraday | Faraday.rb:38:43:38:63 | "https://example.com" | Faraday.rb:40:1:40:11 | call to body |
| Faraday.rb:39:10:39:28 | call to get | Faraday | Faraday.rb:39:25:39:27 | "/" | Faraday.rb:40:1:40:11 | call to body |
| HttpClient.rb:3:9:3:45 | call to get | HTTPClient | HttpClient.rb:3:24:3:44 | "http://example.com/" | HttpClient.rb:4:1:4:10 | call to body |
| HttpClient.rb:6:9:6:65 | call to post | HTTPClient | HttpClient.rb:6:25:6:45 | "http://example.com/" | HttpClient.rb:7:1:7:13 | call to content |
| HttpClient.rb:9:9:9:64 | call to put | HTTPClient | HttpClient.rb:9:24:9:44 | "http://example.com/" | HttpClient.rb:10:1:10:15 | call to http_body |


@@ -1,6 +1,4 @@
---
dependencies:
codeql/suite-helpers:
version: 0.0.2
dependencies: {}
compiled: false
lockVersion: 1.0.0


@@ -5,7 +5,7 @@ import codeql.ruby.security.ImproperMemoizationQuery
class ImproperMemoizationTest extends InlineExpectationsTest {
ImproperMemoizationTest() { this = "ImproperMemoizationTest" }
override string getARelevantTag() { result = "BAD" }
override string getARelevantTag() { result = "result" }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "result" and


@@ -15,7 +15,12 @@ edges
| CodeInjection.rb:38:24:38:27 | code : | CodeInjection.rb:38:10:38:28 | call to escape |
| CodeInjection.rb:38:24:38:27 | code : | CodeInjection.rb:38:10:38:28 | call to escape |
| CodeInjection.rb:78:12:78:17 | call to params : | CodeInjection.rb:78:12:78:24 | ...[...] : |
| CodeInjection.rb:78:12:78:17 | call to params : | CodeInjection.rb:78:12:78:24 | ...[...] : |
| CodeInjection.rb:78:12:78:24 | ...[...] : | CodeInjection.rb:80:16:80:19 | code |
| CodeInjection.rb:78:12:78:24 | ...[...] : | CodeInjection.rb:86:10:86:37 | ... + ... |
| CodeInjection.rb:78:12:78:24 | ...[...] : | CodeInjection.rb:88:10:88:32 | "prefix_#{...}_suffix" |
| CodeInjection.rb:78:12:78:24 | ...[...] : | CodeInjection.rb:90:10:90:13 | code |
| CodeInjection.rb:78:12:78:24 | ...[...] : | CodeInjection.rb:90:10:90:13 | code |
nodes
| CodeInjection.rb:5:12:5:17 | call to params : | semmle.label | call to params : |
| CodeInjection.rb:5:12:5:17 | call to params : | semmle.label | call to params : |
@@ -37,8 +42,14 @@ nodes
| CodeInjection.rb:38:24:38:27 | code : | semmle.label | code : |
| CodeInjection.rb:41:40:41:43 | code | semmle.label | code |
| CodeInjection.rb:78:12:78:17 | call to params : | semmle.label | call to params : |
| CodeInjection.rb:78:12:78:17 | call to params : | semmle.label | call to params : |
| CodeInjection.rb:78:12:78:24 | ...[...] : | semmle.label | ...[...] : |
| CodeInjection.rb:78:12:78:24 | ...[...] : | semmle.label | ...[...] : |
| CodeInjection.rb:80:16:80:19 | code | semmle.label | code |
| CodeInjection.rb:86:10:86:37 | ... + ... | semmle.label | ... + ... |
| CodeInjection.rb:88:10:88:32 | "prefix_#{...}_suffix" | semmle.label | "prefix_#{...}_suffix" |
| CodeInjection.rb:90:10:90:13 | code | semmle.label | code |
| CodeInjection.rb:90:10:90:13 | code | semmle.label | code |
subpaths
#select
| CodeInjection.rb:8:10:8:13 | code | CodeInjection.rb:5:12:5:17 | call to params : | CodeInjection.rb:8:10:8:13 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
@@ -50,3 +61,6 @@ subpaths
| CodeInjection.rb:38:10:38:28 | call to escape | CodeInjection.rb:5:12:5:17 | call to params : | CodeInjection.rb:38:10:38:28 | call to escape | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
| CodeInjection.rb:41:40:41:43 | code | CodeInjection.rb:5:12:5:17 | call to params : | CodeInjection.rb:41:40:41:43 | code | This code execution depends on a $@. | CodeInjection.rb:5:12:5:17 | call to params | user-provided value |
| CodeInjection.rb:80:16:80:19 | code | CodeInjection.rb:78:12:78:17 | call to params : | CodeInjection.rb:80:16:80:19 | code | This code execution depends on a $@. | CodeInjection.rb:78:12:78:17 | call to params | user-provided value |
| CodeInjection.rb:86:10:86:37 | ... + ... | CodeInjection.rb:78:12:78:17 | call to params : | CodeInjection.rb:86:10:86:37 | ... + ... | This code execution depends on a $@. | CodeInjection.rb:78:12:78:17 | call to params | user-provided value |
| CodeInjection.rb:88:10:88:32 | "prefix_#{...}_suffix" | CodeInjection.rb:78:12:78:17 | call to params : | CodeInjection.rb:88:10:88:32 | "prefix_#{...}_suffix" | This code execution depends on a $@. | CodeInjection.rb:78:12:78:17 | call to params | user-provided value |
| CodeInjection.rb:90:10:90:13 | code | CodeInjection.rb:78:12:78:17 | call to params : | CodeInjection.rb:90:10:90:13 | code | This code execution depends on a $@. | CodeInjection.rb:78:12:78:17 | call to params | user-provided value |


@@ -82,5 +82,11 @@ class UsersController < ActionController::Base
obj().send("prefix_" + code + "_suffix", "foo"); # GOOD
obj().send("prefix_#{code}_suffix", "foo"); # GOOD
eval("prefix_" + code + "_suffix"); # BAD
eval("prefix_#{code}_suffix"); # BAD
eval(code); # BAD
end
end
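Review bot: The `eval` cases are marked `# BAD` directly below `send` calls that build the same string shapes and are marked `# GOOD`, and nothing in the test says why the fixed prefix and suffix help in one case but not the other. A short comment would make the distinction explicit, for example `# BAD: a fixed prefix/suffix does not limit what eval runs; with send it only limits which method name can be chosen`. The enclosing action and the `UsersController` class start outside this hunk, so where `code` comes from is not visible here.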


@@ -5,7 +5,7 @@ import codeql.ruby.security.InsecureDependencyQuery
class InsecureDependencyTest extends InlineExpectationsTest {
InsecureDependencyTest() { this = "InsecureDependencyTest" }
override string getARelevantTag() { result = "BAD" }
override string getARelevantTag() { result = "result" }
override predicate hasActualResult(Location location, string element, string tag, string value) {
tag = "result" and


@@ -1,10 +1,18 @@
edges
| ServerSideRequestForgery.rb:9:32:9:37 | call to params : | ServerSideRequestForgery.rb:9:32:9:60 | ...[...] : |
| ServerSideRequestForgery.rb:9:32:9:60 | ...[...] : | ServerSideRequestForgery.rb:10:31:10:62 | "#{...}/logins" |
| ServerSideRequestForgery.rb:10:32:10:37 | call to params : | ServerSideRequestForgery.rb:10:32:10:60 | ...[...] : |
| ServerSideRequestForgery.rb:10:32:10:60 | ...[...] : | ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" |
| ServerSideRequestForgery.rb:15:33:15:38 | call to params : | ServerSideRequestForgery.rb:15:33:15:44 | ...[...] |
| ServerSideRequestForgery.rb:20:45:20:50 | call to params : | ServerSideRequestForgery.rb:20:45:20:56 | ...[...] |
nodes
| ServerSideRequestForgery.rb:9:32:9:37 | call to params : | semmle.label | call to params : |
| ServerSideRequestForgery.rb:9:32:9:60 | ...[...] : | semmle.label | ...[...] : |
| ServerSideRequestForgery.rb:10:31:10:62 | "#{...}/logins" | semmle.label | "#{...}/logins" |
| ServerSideRequestForgery.rb:10:32:10:37 | call to params : | semmle.label | call to params : |
| ServerSideRequestForgery.rb:10:32:10:60 | ...[...] : | semmle.label | ...[...] : |
| ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | semmle.label | "#{...}/logins" |
| ServerSideRequestForgery.rb:15:33:15:38 | call to params : | semmle.label | call to params : |
| ServerSideRequestForgery.rb:15:33:15:44 | ...[...] | semmle.label | ...[...] |
| ServerSideRequestForgery.rb:20:45:20:50 | call to params : | semmle.label | call to params : |
| ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | semmle.label | ...[...] |
subpaths
#select
| ServerSideRequestForgery.rb:10:31:10:62 | "#{...}/logins" | ServerSideRequestForgery.rb:9:32:9:37 | call to params : | ServerSideRequestForgery.rb:10:31:10:62 | "#{...}/logins" | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:9:32:9:37 | call to params | user-provided value |
| ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | ServerSideRequestForgery.rb:10:32:10:37 | call to params : | ServerSideRequestForgery.rb:11:31:11:62 | "#{...}/logins" | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:10:32:10:37 | call to params | user-provided value |
| ServerSideRequestForgery.rb:15:33:15:44 | ...[...] | ServerSideRequestForgery.rb:15:33:15:38 | call to params : | ServerSideRequestForgery.rb:15:33:15:44 | ...[...] | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:15:33:15:38 | call to params | user-provided value |
| ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | ServerSideRequestForgery.rb:20:45:20:50 | call to params : | ServerSideRequestForgery.rb:20:45:20:56 | ...[...] | The URL of this request depends on a $@. | ServerSideRequestForgery.rb:20:45:20:50 | call to params | user-provided value |


@@ -1,4 +1,5 @@
require "excon"
require "faraday"
require "json"
class PostsController < ActionController::Base
@@ -10,6 +11,16 @@ class PostsController < ActionController::Base
response = Excon.post("#{users_service_domain}/logins", body: {user_id: user}).body
token = JSON.parse(response)["token"]
# BAD - user can control the entire URL for the request using Faraday library
conn = Faraday.new(url: params[:url])
resp = conn.post
token = JSON.parse(resp)["token"]
# BAD - user can control the entire URL for the request using Faraday::Connection library
conn = Faraday::Connection.new(url: params[:url])
resp = conn.post
token = JSON.parse(resp)["token"]
# GOOD - user can only control the suffix of the URL
users_service_path = params[:users_service_path]
response = Excon.post("users-service/#{users_service_path}", body: {user_id: user}).body