Merge branch 'github:main' into main

2026-05-03 12:45:27 +02:00 · 2023-02-23 10:50:15 +00:00
parent fe97d2a05d 748387a69f
commit 4ab6a7bdfd
395 changed files with 31400 additions and 2624 deletions
--- a/ruby/ql/lib/CHANGELOG.md
+++ b/ruby/ql/lib/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.5.3
+
+### Minor Analysis Improvements
+
+ * Ruby 3.1: one-line pattern matches are now supported. The AST nodes are named `TestPattern` (`expr in pattern`) and `MatchPattern` (`expr => pattern`).
+
 ## 0.5.2

 ### Minor Analysis Improvements
--- a/ruby/ql/lib/change-notes/2023-02-03-applicationcontroller-render.md
+++ b/ruby/ql/lib/change-notes/2023-02-03-applicationcontroller-render.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Calls to `ApplicationController#render` and `ApplicationController::Renderer#render` are recognized as Rails rendering calls.
--- a/ruby/ql/lib/change-notes/2023-02-03-twirp.md
+++ b/ruby/ql/lib/change-notes/2023-02-03-twirp.md
@@ -0,0 +1,4 @@
+---
+ category: minorAnalysis
+---
+* Support for [Twirp framework](https://twitchtv.github.io/twirp/docs/intro.html).
--- a/ruby/ql/lib/change-notes/2023-02-06-one-line-matches.md
+++ b/ruby/ql/lib/change-notes/2023-02-06-one-line-matches.md
@@ -1,4 +1,5 @@
---
- category: minorAnalysis
---
+## 0.5.3
+
+### Minor Analysis Improvements
+
 * Ruby 3.1: one-line pattern matches are now supported. The AST nodes are named `TestPattern` (`expr in pattern`) and `MatchPattern` (`expr => pattern`).
--- a/ruby/ql/lib/codeql-pack.release.yml
+++ b/ruby/ql/lib/codeql-pack.release.yml
@@ -1,2 +1,2 @@
 ---
-lastReleaseVersion: 0.5.2
+lastReleaseVersion: 0.5.3
--- a/ruby/ql/lib/codeql/ruby/Frameworks.qll
+++ b/ruby/ql/lib/codeql/ruby/Frameworks.qll
@@ -27,3 +27,4 @@ private import codeql.ruby.frameworks.ActionDispatch
 private import codeql.ruby.frameworks.PosixSpawn
 private import codeql.ruby.frameworks.StringFormatters
 private import codeql.ruby.frameworks.Json
+private import codeql.ruby.frameworks.Twirp
--- a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
@@ -364,6 +364,21 @@ private class ActionControllerRenderToCall extends RenderToCallImpl {
  }
 }

+/** A call to `ActionController::Renderer#render`. */
+private class RendererRenderCall extends RenderCallImpl {
+  RendererRenderCall() {
+    this =
+      [
+        // ActionController#render is an alias for ActionController::Renderer#render
+        any(ActionControllerClass c).getAnImmediateReference().getAMethodCall("render"),
+        any(ActionControllerClass c)
+            .getAnImmediateReference()
+            .getAMethodCall("renderer")
+            .getAMethodCall("render")
+      ].asExpr().getExpr()
+  }
+}
+
 /** A call to `html_escape` from within a controller. */
 private class ActionControllerHtmlEscapeCall extends HtmlEscapeCallImpl {
  ActionControllerHtmlEscapeCall() {
--- a/ruby/ql/lib/codeql/ruby/frameworks/Twirp.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Twirp.qll
@@ -0,0 +1,85 @@
+/**
+ * Provides classes for modeling the `Twirp` framework.
+ */
+
+private import codeql.ruby.DataFlow
+private import codeql.ruby.CFG
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.AST as Ast
+private import codeql.ruby.security.ServerSideRequestForgeryCustomizations
+private import codeql.ruby.Concepts
+
+/**
+ * Provides classes for modeling the `Twirp` framework.
+ */
+module Twirp {
+  /**
+   * A Twirp service instantiation
+   */
+  class ServiceInstantiation extends DataFlow::CallNode {
+    ServiceInstantiation() {
+      this =
+        API::getTopLevelMember("Twirp").getMember("Service").getASubclass().getAnInstantiation()
+    }
+
+    /**
+     * Gets a local source node for the Service instantiation argument (the service handler).
+     */
+    private DataFlow::LocalSourceNode getHandlerSource() {
+      result = this.getArgument(0).getALocalSource()
+    }
+
+    /**
+     * Gets the API::Node for the service handler's class.
+     */
+    private API::Node getAHandlerClassApiNode() {
+      result.getAnInstantiation() = this.getHandlerSource()
+    }
+
+    /**
+     * Gets the AST module for the service handler's class.
+     */
+    private Ast::Module getAHandlerClassAstNode() {
+      result =
+        this.getAHandlerClassApiNode()
+            .asSource()
+            .asExpr()
+            .(CfgNodes::ExprNodes::ConstantReadAccessCfgNode)
+            .getExpr()
+            .getModule()
+    }
+
+    /**
+     * Gets a handler's method.
+     */
+    Ast::Method getAHandlerMethod() {
+      result = this.getAHandlerClassAstNode().getAnInstanceMethod()
+    }
+  }
+
+  /**
+   * A Twirp client
+   */
+  class ClientInstantiation extends DataFlow::CallNode {
+    ClientInstantiation() {
+      this = API::getTopLevelMember("Twirp").getMember("Client").getASubclass().getAnInstantiation()
+    }
+  }
+
+  /** The URL of a Twirp service, considered as a sink. */
+  class ServiceUrlAsSsrfSink extends ServerSideRequestForgery::Sink {
+    ServiceUrlAsSsrfSink() { exists(ClientInstantiation c | c.getArgument(0) = this) }
+  }
+
+  /** A parameter that will receive parts of the url when handling an incoming request. */
+  class UnmarshaledParameter extends Http::Server::RequestInputAccess::Range,
+    DataFlow::ParameterNode {
+    UnmarshaledParameter() {
+      exists(ServiceInstantiation i | i.getAHandlerMethod().getParameter(0) = this.asParameter())
+    }
+
+    override string getSourceType() { result = "Twirp Unmarhaled Parameter" }
+
+    override Http::Server::RequestInputKind getKind() { result = Http::Server::bodyInputKind() }
+  }
+}
--- a/ruby/ql/lib/qlpack.yml
+++ b/ruby/ql/lib/qlpack.yml
@@ -1,5 +1,5 @@
 name: codeql/ruby-all
-version: 0.5.3-dev
+version: 0.5.4-dev
 groups: ruby
 extractor: ruby
 dbscheme: ruby.dbscheme