Ruby: Fix bug in rb/insecure-dependency query

Only look at the first component of strings for the prefix.

Co-authored-by: Nick Rolfe <nickrolfe@github.com>
Harry Maclean
2022-04-01 15:35:21 +13:00
committed by GitHub
parent 3d96c5e6db
commit 5814db19d5


@@ -59,7 +59,7 @@ private predicate hasInsecureProtocol(string s, string proto) {
private predicate containsInsecureUrl(Expr e, string proto) {
// Handle cases where the string as a whole has no constant value (due to interpolations)
// but has a known prefix. E.g. "http://#{foo}"
exists(StringComponent c | c = e.(StringlikeLiteral).getComponent(_) |
exists(StringComponent c | c = e.(StringlikeLiteral).getComponent(0) |
hasInsecureProtocol(c.getConstantValue().getString(), proto)
)
or
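Review bot: the comment above the changed line still says the branch fires when the string "has a known prefix", which no longer describes what `getComponent(0)` does; suggest rewording it to something like "but whose first component has a known constant value, e.g. `"http://#{foo}"`" so that nobody reinstates the `_` wildcard later. The narrowing itself looks right: with the wildcard, any component anywhere in the literal that started with an insecure scheme (e.g. the second component of `"#{base}http://"`) satisfied `hasInsecureProtocol`, whereas a scheme can only be a prefix if it is in component 0. A literal whose leading component is itself an interpolation (`"#{scheme}://#{host}"`) has no constant value for component 0 and simply falls through this branch, which is the intended behaviour, but it would be good to pin both cases down in the query's test suite alongside this change: one literal that is still flagged (`"http://#{host}"`) and one that used to be flagged and now is not (`"#{base}http://"`).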