hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #14033 from hmac/excon-bugfix

Browse Source 
Ruby: Fix bug in excon model
This commit is contained in:
Harry Maclean
2023-08-23 14:24:53 +01:00
committed by GitHub
parent d146514275 d18ca3f5d7
commit 54c2221f35
2 changed files with 21 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
ruby/ql/lib/codeql/ruby/frameworks/http_clients/Excon.qll
View File

@@ -64,10 +64,8 @@ class ExconHttpRequest extends Http::Client::Request::Range, DataFlow::CallNode
/** Gets the value that controls certificate validation, if any. */ /** Gets the value that controls certificate validation, if any. */
DataFlow::Node getCertificateValidationControllingValue() { DataFlow::Node getCertificateValidationControllingValue() {
exists(DataFlow::CallNode newCall | newCall = connectionNode.getAValueReachableFromSource() | result =
// Check for `ssl_verify_peer: false` connectionUse.(DataFlow::CallNode).getKeywordArgumentIncludeHashArgument("ssl_verify_peer")
result = newCall.getKeywordArgumentIncludeHashArgument("ssl_verify_peer")
)
} }
cached cached

19
ruby/ql/test/query-tests/security/cwe-295/Excon.rb
View File

@@ -46,4 +46,23 @@ def method8
# GOOD # GOOD
Excon.defaults[:ssl_verify_peer] = false Excon.defaults[:ssl_verify_peer] = false
Excon.new("http://example.com/", ssl_verify_peer: true) Excon.new("http://example.com/", ssl_verify_peer: true)
end
# Regression test for excon
class Excon
def self.new(params)
Excon::Connection.new(params)
end
end
def method9
# GOOD: connection is not used
Excon.new("foo", ssl_verify_peer: false)
end
def method10
# GOOD
connection = Excon.new("foo")
connection.get("bar")
end end