Merge pull request #16354 from hmac/hmac-incomplete-hostname-fp

Ruby: Reduce FPs for rb/incomplete-hostname-regexp
This commit is contained in:
Harry Maclean
2024-04-29 14:40:44 +01:00
committed by GitHub
3 changed files with 18 additions and 1 deletions


@@ -122,7 +122,9 @@ class StdLibRegExpInterpretation extends RegExpInterpretation::Range {
mce.getMethodName() = ["match", "match?"] and
this = mce.getArgument(0) and
// exclude https://ruby-doc.org/core-2.4.0/Regexp.html#method-i-match
not mce.getReceiver() = RegExpTracking::trackRegexpType()
not mce.getReceiver() = RegExpTracking::trackRegexpType() and
// exclude non-stdlib methods
not exists(mce.getATarget())
)
}
}
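Review bot: The new `not exists(mce.getATarget())` conjunct at the end of the hunk drops every call that resolves to a user-defined method from the sink set, so such a string stays covered only when the argument is tracked into the callee and reaches an unresolved `match`/`match?` there (the `B` case in the test file shows the alert landing on the inner call's `x`). That contract is not visible in the code, and if call resolution later gives a target to `String#match?` or `Regexp#match?` (for example through a library model) this line would silently remove the stdlib sink rather than fail a test. The comment `// exclude non-stdlib methods` should say what is assumed; something like `// A call that resolves to a target is a user-defined match/match?, not String#match?; its argument is instead followed into that method's body (see tst-IncompleteHostnameRegExp.rb class B).` The enclosing `exists(...)` and the predicate it belongs to start before this hunk.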


@@ -28,3 +28,4 @@
| tst-IncompleteHostnameRegExp.rb:48:42:48:67 | ^https?://.+.example\\.com/ | This string, which is used as a regular expression $@, has an unescaped '.' before 'example\\.com/', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.rb:48:13:48:69 | ... + ... | here |
| tst-IncompleteHostnameRegExp.rb:48:42:48:67 | ^https?://.+.example\\.com/ | This string, which is used as a regular expression $@, has an unrestricted wildcard '.+' which may cause 'example\\.com/' to be matched anywhere in the URL, outside the hostname. | tst-IncompleteHostnameRegExp.rb:48:13:48:69 | ... + ... | here |
| tst-IncompleteHostnameRegExp.rb:59:5:59:20 | foo.example\\.com | This regular expression has an unescaped '.' before 'example\\.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.rb:59:2:59:32 | /^(foo.example\\.com\|whatever)$/ | here |
| tst-IncompleteHostnameRegExp.rb:81:11:81:34 | ^http://test.example.com | This string, which is used as a regular expression $@, has an unescaped '.' before 'example.com', so it might match more hosts than expected. | tst-IncompleteHostnameRegExp.rb:77:22:77:22 | x | here |


@@ -65,3 +65,17 @@ end
def convert2(domain)
return Regexp.new(domain[:hostname]);
end
class A
def self.match?(x) = true
end
A.match?("^http://test.example.com") # OK
class B
def self.match?(x)
some_string.match?(x)
end
end
B.match?("^http://test.example.com") # NOT OK
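Review bot: The two new cases only exercise class-method wrappers, and the "NOT OK" one relies on `some_string` being an unresolved receiver; nothing here pins that a `match?` call on a receiver that is plainly a String is still reported after the target-based exclusion. Unless an earlier part of this file already covers it, add `"abc".match?("^http://test.example.com") # NOT OK` next to the `B` case so a regression in that exclusion shows up in the expected output. Note that the expected-output change for the `B` case points at the `x` parameter on line 77 rather than at the call on line 81, which presumably is intended (the alert is on the inner call), but the `# NOT OK` comment on line 81 could state that the alert is expected inside `B.match?` to avoid confusion when the expected file is regenerated.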