hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-21 03:06:31 +01:00
Code Issues Packages Projects Releases Wiki Activity

Model the Faraday HTTP client

Browse Source
This commit is contained in:
Harry Maclean
2021-09-22 15:53:20 +01:00
parent ee51298633
commit 4cf520c2df
5 changed files with 84 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
ql/lib/codeql/ruby/frameworks/HTTPClients.qll
View File

@@ -4,3 +4,4 @@
private import codeql.ruby.frameworks.http_clients.NetHTTP private import codeql.ruby.frameworks.http_clients.NetHTTP
private import codeql.ruby.frameworks.http_clients.Excon private import codeql.ruby.frameworks.http_clients.Excon
private import codeql.ruby.frameworks.http_clients.Faraday

38
ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll Normal file
View File

@@ -0,0 +1,38 @@
private import ruby
private import codeql.ruby.Concepts
private import codeql.ruby.ApiGraphs
/**
* A call that makes an HTTP request using `Faraday`.
* ```ruby
* # one-off request
* Faraday.get("http://example.com").body
*
* # connection re-use
* connection = Faraday.new("http://example.com")
* connection.get("/").body
* ```
*/
class FaradayHTTPRequest extends HTTP::Client::Request::Range {
DataFlow::Node request;
DataFlow::CallNode responseBody;
FaradayHTTPRequest() {
exists(API::Node requestNode |
requestNode =
[
// one-off requests
API::getTopLevelMember("Faraday"),
// connection re-use
API::getTopLevelMember("Faraday").getInstance()
].getReturn(["get", "head", "delete", "post", "put", "patch", "trace"]) and
responseBody = requestNode.getAMethodCall("body") and
request = requestNode.getAnImmediateUse() and
this = request.asExpr().getExpr()
)
}
override DataFlow::Node getResponseBody() { result = responseBody }
override string getFramework() { result = "Faraday" }
}

9
ql/test/library-tests/frameworks/http_clients/Faraday.expected Normal file
View File

@@ -0,0 +1,9 @@
| Faraday.rb:3:9:3:42 | call to get | Faraday.rb:4:1:4:10 | call to body |
| Faraday.rb:6:9:6:62 | call to post | Faraday.rb:7:1:7:10 | call to body |
| Faraday.rb:9:9:9:61 | call to put | Faraday.rb:10:1:10:10 | call to body |
| Faraday.rb:12:9:12:63 | call to patch | Faraday.rb:13:1:13:10 | call to body |
| Faraday.rb:15:9:15:45 | call to delete | Faraday.rb:16:1:16:10 | call to body |
| Faraday.rb:18:9:18:43 | call to head | Faraday.rb:19:1:19:10 | call to body |
| Faraday.rb:24:9:24:44 | call to trace | Faraday.rb:25:1:25:10 | call to body |
| Faraday.rb:28:9:28:27 | call to get | Faraday.rb:29:1:29:10 | call to body |
| Faraday.rb:31:10:31:46 | call to post | Faraday.rb:32:1:32:11 | call to body |

4
ql/test/library-tests/frameworks/http_clients/Faraday.ql Normal file
View File

@@ -0,0 +1,4 @@
import codeql.ruby.frameworks.http_clients.Faraday
import codeql.ruby.DataFlow
query DataFlow::Node faradayHTTPRequests(FaradayHTTPRequest e) { result = e.getResponseBody() }

32
ql/test/library-tests/frameworks/http_clients/Faraday.rb Normal file
View File

@@ -0,0 +1,32 @@
require "faraday"
resp1 = Faraday.get("http://example.com/")
resp1.body
resp2 = Faraday.post("http://example.com/", body: "some_data")
resp2.body
resp3 = Faraday.put("http://example.com/", body: "some_data")
resp3.body
resp4 = Faraday.patch("http://example.com/", body: "some_data")
resp4.body
resp5 = Faraday.delete("http://example.com/")
resp5.body
resp6 = Faraday.head("http://example.com/")
resp6.body
resp7 = Faraday.options("http://example.com/")
resp7.body
resp8 = Faraday.trace("http://example.com/")
resp8.body
connection = Faraday.new("http://example.com")
resp9 = connection.get("/")
resp9.body
resp10 = connection.post("/foo", some: "data")
resp10.body