Merge pull request #9850 from hmac/hmac/arel

Ruby: Model Arel.sql
2026-04-24 16:25:15 +02:00 · 2022-07-25 12:09:18 +12:00
parent cb3ebeedf9 ec1d1eb547
commit 681e58c8e0
6 changed files with 64 additions and 0 deletions
--- a/ruby/ql/lib/change-notes/2022-07-19-arel.md
+++ b/ruby/ql/lib/change-notes/2022-07-19-arel.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Calls to `Arel.sql` are now recognised as propagating taint from their argument.
--- a/ruby/ql/lib/codeql/ruby/Frameworks.qll
+++ b/ruby/ql/lib/codeql/ruby/Frameworks.qll
@@ -10,6 +10,7 @@ private import codeql.ruby.frameworks.ActiveStorage
 private import codeql.ruby.frameworks.ActionView
 private import codeql.ruby.frameworks.ActiveSupport
 private import codeql.ruby.frameworks.Archive
+private import codeql.ruby.frameworks.Arel
 private import codeql.ruby.frameworks.GraphQL
 private import codeql.ruby.frameworks.Rails
 private import codeql.ruby.frameworks.Railties
--- a/ruby/ql/lib/codeql/ruby/frameworks/Arel.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Arel.qll
@@ -0,0 +1,31 @@
+/**
+ * Provides modeling for Arel, a low level SQL library that powers ActiveRecord.
+ * Version: 7.0.3
+ * https://api.rubyonrails.org/classes/Arel.html
+ */
+
+private import codeql.ruby.ApiGraphs
+private import codeql.ruby.dataflow.FlowSummary
+
+/**
+ * Provides modeling for Arel, a low level SQL library that powers ActiveRecord.
+ * Version: 7.0.3
+ * https://api.rubyonrails.org/classes/Arel.html
+ */
+module Arel {
+  /**
+   * Flow summary for `Arel.sql`. This method wraps a SQL string, marking it as
+   * safe.
+   */
+  private class SqlSummary extends SummarizedCallable {
+    SqlSummary() { this = "Arel.sql" }
+
+    override MethodCall getACall() {
+      result = API::getTopLevelMember("Arel").getAMethodCall("sql").asExpr().getExpr()
+    }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[0]" and output = "ReturnValue" and preservesValue = false
+    }
+  }
+}
--- a/ruby/ql/test/library-tests/frameworks/arel/Arel.expected
+++ b/ruby/ql/test/library-tests/frameworks/arel/Arel.expected
@@ -0,0 +1,3 @@
+failures
+#select
+| arel.rb:3:8:3:18 | call to sql | arel.rb:2:7:2:14 | call to source :  | arel.rb:3:8:3:18 | call to sql | $@ | arel.rb:2:7:2:14 | call to source :  | call to source :  |
--- a/ruby/ql/test/library-tests/frameworks/arel/Arel.ql
+++ b/ruby/ql/test/library-tests/frameworks/arel/Arel.ql
@@ -0,0 +1,11 @@
+/**
+ * @kind path-problem
+ */
+
+import codeql.ruby.frameworks.Arel
+import ruby
+import TestUtilities.InlineFlowTest
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, DefaultTaintFlowConf conf
+where conf.hasFlowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()
--- a/ruby/ql/test/library-tests/frameworks/arel/arel.rb
+++ b/ruby/ql/test/library-tests/frameworks/arel/arel.rb
@@ -0,0 +1,14 @@
+def m1
+  x = source 1
+  sink(Arel.sql(x)) # $hasTaintFlow=1
+end
+
+def m2
+  x = 1
+  sink(Arel.sql(x))
+end
+
+def m3
+  x = source 1
+  sink(Unrelated.method(x))
+end