add tests for the fixes in the qhelp, and fix an FP that appeared

2026-04-25 00:35:20 +02:00 · 2024-04-03 16:00:52 +02:00
parent 59c72b683c
commit 642a134035
3 changed files with 48 additions and 0 deletions
--- a/ruby/ql/lib/codeql/ruby/ast/internal/Constant.qll
+++ b/ruby/ql/lib/codeql/ruby/ast/internal/Constant.qll
@@ -560,6 +560,11 @@ private predicate isArrayExpr(Expr e, ArrayLiteralCfgNode arr) {
  // Note(hmac): I don't think this is necessary, as `getSource` will not return
  // results if the source is a phi node.
  forex(ExprCfgNode n | n = e.getAControlFlowNode() | isArrayConstant(n, arr))
+  or
+  // if `e` is an array, then `e.freeze` is also an array
+  e instanceof MethodCall and
+  e.(MethodCall).getMethodName() = "freeze" and
+  isArrayExpr(e.(MethodCall).getReceiver(), arr)
 }

 private class TokenConstantAccess extends ConstantAccess, TTokenConstantAccess {
--- a/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UrlRedirectCustomizations.qll
@@ -83,6 +83,12 @@ module UrlRedirect {
   */
  class StringConstCompareAsSanitizer extends Sanitizer, StringConstCompareBarrier { }

+  /**
+   * A string concatenation against a constant list, considered as a sanitizer-guard.
+   */
+  class StringConstArrayInclusionAsSanitizer extends Sanitizer, StringConstArrayInclusionCallBarrier
+  { }
+
  /**
   * Some methods will propagate taint to their return values.
   * Here we cover a few common ones related to `ActionController::Parameters`.
--- a/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.rb
+++ b/ruby/ql/test/query-tests/security/cwe-601/UrlRedirect.rb
@@ -98,3 +98,40 @@ end
 Rails.routes.draw do
  get "/r9", to: "users#route9"
 end
+
+class DomainController < ActionController::Base
+  KNOWN_HOST = "example.org"
+  
+  def hello
+    begin
+      target_url = URI.parse(params[:url])
+ 
+      # Redirect if the URL is either relative or on a known good host
+      if !target_url.host || target_url.host == KNOWN_HOST
+        redirect_to target_url.to_s
+      else
+        redirect_to "/error.html" # Redirect to error page if the host is not known
+      end
+    rescue URI::InvalidURIError
+      # Handle the exception, for example, by redirecting to a safe page
+      redirect_to "/error.html"
+    end
+  end
+end
+
+class ConstController < ActionController::Base
+  VALID_REDIRECTS = [
+    "http://cwe.mitre.org/data/definitions/601.html",
+    "http://cwe.mitre.org/data/definitions/79.html"
+  ].freeze
+  
+  def hello
+    # GOOD: the request parameter is validated against a known list of URLs
+    target_url = params[:url]
+    if VALID_REDIRECTS.include?(target_url)
+      redirect_to target_url
+    else
+      redirect_to "/error.html"
+    end
+  end
+end