Merge branch 'main' into diagnostics-2

2026-05-05 13:45:19 +02:00 · 2023-02-27 18:39:28 +01:00
parent f71c3301b3 0f4df0da99
commit 6c57823232
1251 changed files with 96065 additions and 18509 deletions
--- a/ruby/ql/test/query-tests/diagnostics/ExtractionErrors.expected
+++ b/ruby/ql/test/query-tests/diagnostics/ExtractionErrors.expected
@@ -1,3 +1 @@
-| src/not_ruby.rb:5:25:5:26 | A parse error occured. Check the syntax of the file using the ruby -c command. If the file is invalid, please correct the error or exclude the file from analysis. | Extraction failed in src/not_ruby.rb with error A parse error occured. Check the syntax of the file using the ruby -c command. If the file is invalid, please correct the error or exclude the file from analysis. | 2 |
-| src/unsupported_feature.rb:2:1:2:4 | A parse error occured. Check the syntax of the file using the ruby -c command. If the file is invalid, please correct the error or exclude the file from analysis. | Extraction failed in src/unsupported_feature.rb with error A parse error occured. Check the syntax of the file using the ruby -c command. If the file is invalid, please correct the error or exclude the file from analysis. | 2 |
-| src/unsupported_feature.rb:3:1:3:8 | A parse error occured. Check the syntax of the file using the ruby -c command. If the file is invalid, please correct the error or exclude the file from analysis. | Extraction failed in src/unsupported_feature.rb with error A parse error occured. Check the syntax of the file using the ruby -c command. If the file is invalid, please correct the error or exclude the file from analysis. | 2 |
+| src/not_ruby.rb:5:25:5:26 | A parse error occurred. Check the syntax of the file using the ruby -c command. If the file is indeed invalid, please correct the error or exclude the file from analysis. | Extraction failed in src/not_ruby.rb with error A parse error occurred. Check the syntax of the file using the ruby -c command. If the file is indeed invalid, please correct the error or exclude the file from analysis. | 2 |
--- a/ruby/ql/test/query-tests/diagnostics/NumberOfFilesExtractedWithErrors.expected
+++ b/ruby/ql/test/query-tests/diagnostics/NumberOfFilesExtractedWithErrors.expected
@@ -1 +1 @@
-| 2 |
+| 1 |
--- a/ruby/ql/test/query-tests/diagnostics/src/unsupported_feature.rb
+++ b/ruby/ql/test/query-tests/diagnostics/src/unsupported_feature.rb
@@ -1,3 +0,0 @@
-# one line pattern matches
-5 in 3
-[1,2] => [x, *]
--- a/ruby/ql/test/query-tests/experimental/improper-memoization/improper_memoization.rb
+++ b/ruby/ql/test/query-tests/experimental/improper-memoization/improper_memoization.rb
@@ -47,54 +47,54 @@ def m6(arg1, arg2)
 end

 # Bad: method has parameter but only one result is memoized.
-def m7(arg) # $result=BAD
+def m7(arg)
  @m7 ||= begin
    arg += 3
  end
  @m7
-end
+end # $result=BAD

 # Bad: method has parameter but only one result is memoized.
-def m8(arg) # $result=BAD
+def m8(arg)
  @m8 ||= begin
    long_running_method(arg)
  end
  @m8
-end
+end # $result=BAD

 # Bad: method has parameter but only one result is memoized.
-def m9(arg) # $result=BAD
+def m9(arg)
  @m9 ||= long_running_method(arg)
-end
+end # $result=BAD

 # Bad: method has parameter but only one result is memoized.
-def m10(arg1, arg2) # $result=BAD
+def m10(arg1, arg2)
  @m10 ||= long_running_method(arg1, arg2)
-end
+end # $result=BAD

 # Bad: `arg2` not used in key.
-def m11(arg1, arg2) # $result=BAD
+def m11(arg1, arg2)
  @m11 ||= {}
  @m11[arg1] ||= long_running_method(arg1, arg2)
-end
+end # $result=BAD

 # Bad: `arg2` not used in key.
-def m12(arg1, arg2) # $result=BAD
+def m12(arg1, arg2)
  @m12 ||= Hash.new do |h1, arg1|
    h1[arg1] = result(arg1, arg2)
  end
  @m12[arg1]
-end
+end # $result=BAD

 # Bad: arg not used in key.
-def m13(id:) # $result=BAD
+def m13(id:)
  @m13 ||= Rails.cache.fetch("product_sku/#{id}", expires_in: 30.minutes) do
    ActiveRecord::Base.transaction do
      ProductSku.find_by(id: id)
    end
  end
  @m13
-end
+end # $result=BAD

 # Good (FP): arg is used in key via string interpolation.
 def m14(arg)
--- a/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/MissingFullAnchor.expected
+++ b/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/MissingFullAnchor.expected
@@ -0,0 +1,16 @@
+edges
+| impl/miss-anchor.rb:2:12:2:15 | name :  | impl/miss-anchor.rb:3:39:3:42 | name |
+| impl/miss-anchor.rb:6:12:6:15 | name :  | impl/miss-anchor.rb:7:43:7:46 | name |
+| impl/miss-anchor.rb:14:12:14:15 | name :  | impl/miss-anchor.rb:15:47:15:50 | name |
+nodes
+| impl/miss-anchor.rb:2:12:2:15 | name :  | semmle.label | name :  |
+| impl/miss-anchor.rb:3:39:3:42 | name | semmle.label | name |
+| impl/miss-anchor.rb:6:12:6:15 | name :  | semmle.label | name :  |
+| impl/miss-anchor.rb:7:43:7:46 | name | semmle.label | name |
+| impl/miss-anchor.rb:14:12:14:15 | name :  | semmle.label | name :  |
+| impl/miss-anchor.rb:15:47:15:50 | name | semmle.label | name |
+subpaths
+#select
+| impl/miss-anchor.rb:3:39:3:42 | name | impl/miss-anchor.rb:2:12:2:15 | name :  | impl/miss-anchor.rb:3:39:3:42 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:2:12:2:15 | name | library input | impl/miss-anchor.rb:3:39:3:89 | ... !~ ... | checked | impl/miss-anchor.rb:3:48:3:88 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression |
+| impl/miss-anchor.rb:7:43:7:46 | name | impl/miss-anchor.rb:6:12:6:15 | name :  | impl/miss-anchor.rb:7:43:7:46 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:6:12:6:15 | name | library input | impl/miss-anchor.rb:7:43:7:93 | ... !~ ... | checked | impl/miss-anchor.rb:7:52:7:92 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression |
+| impl/miss-anchor.rb:15:47:15:50 | name | impl/miss-anchor.rb:14:12:14:15 | name :  | impl/miss-anchor.rb:15:47:15:50 | name | This value depends on $@, and is $@ against a $@. | impl/miss-anchor.rb:14:12:14:15 | name | library input | impl/miss-anchor.rb:15:47:15:97 | ... !~ ... | checked | impl/miss-anchor.rb:15:56:15:96 | ^[A-Za-z0-9\\+\\-_]+(\\/[A-Za-z0-9\\+\\-_]+)*$ | badly anchored regular expression |
--- a/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/MissingFullAnchor.qlref
+++ b/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/MissingFullAnchor.qlref
@@ -0,0 +1 @@
+queries/security/cwe-020/MissingFullAnchor.ql
--- a/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/impl/miss-anchor.rb
+++ b/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/impl/miss-anchor.rb
@@ -0,0 +1,17 @@
+class Foobar
+  def foo1(name)
+    raise Blabity, 'Invalid thing' if name !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/ # NOT OK
+  end
+
+  def foo2(name)
+    raise Blabity, 'Invalid thing' unless name !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/ # NOT OK
+  end
+
+  def foo3(name)
+    raise Blabity, 'Invalid thing' unless name !~ /\A[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*\z/ # OK
+  end
+
+  def foo4(name) 
+    raise Blabity, 'Invalid thing' unless not name !~ /^[A-Za-z0-9\+\-_]+(\/[A-Za-z0-9\+\-_]+)*$/ # NOT OK
+  end
+end
--- a/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/miss-anchor.gemspec
+++ b/ruby/ql/test/query-tests/security/cwe-020/MissingFullAnchor/miss-anchor.gemspec
@@ -0,0 +1,5 @@
+Gem::Specification.new do |s|
+  s.name = 'miss-anchor'
+  s.require_path = "impl"
+end
+  
--- a/ruby/ql/test/query-tests/security/cwe-116/IncompleteMultiCharacterSanitization/incomplete_multi_character_sanitization.rb
+++ b/ruby/ql/test/query-tests/security/cwe-116/IncompleteMultiCharacterSanitization/incomplete_multi_character_sanitization.rb
@@ -80,9 +80,9 @@ def m9(x)
  x = x.gsub(/^(\.\.\/?)+/, "") # OK

  # NOT OK
-  x = x.gsub(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/) do |match| # $ hasResult=html
+  x = x.gsub(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/) do |match|
      if unknown then match else "" end
-  end
+  end # $ hasResult=html

  x = x.gsub(/<\/?([a-z][a-z0-9]*)\b[^>]*>/i, "") # NOT OK [INCONSISTENCY] $ hasResult=html

@@ -113,10 +113,10 @@ def m9(x)

  x = x.gsub(/<!\-\-DEVEL[\d\D]*?DEVEL\-\->/, "") # OK

-  x = x # $ hasResult=path
+  x = x
    .gsub(/^\.\//, "")
    .gsub(/\/\.\//, "/")
-    .gsub(/[^\/]*\/\.\.\//, "")
+    .gsub(/[^\/]*\/\.\.\//, "") # $ hasResult=path

  x
 end
--- a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected
+++ b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/PolynomialReDoS.expected
@@ -34,6 +34,8 @@ edges
 | PolynomialReDoS.rb:70:12:70:24 | ...[...] :  | PolynomialReDoS.rb:73:32:73:35 | name :  |
 | PolynomialReDoS.rb:73:32:73:35 | name :  | PolynomialReDoS.rb:76:35:76:39 | input :  |
 | PolynomialReDoS.rb:76:35:76:39 | input :  | PolynomialReDoS.rb:77:5:77:9 | input |
+| lib/index.rb:2:11:2:11 | x :  | lib/index.rb:4:13:4:13 | x |
+| lib/index.rb:8:13:8:13 | x :  | lib/index.rb:9:15:9:15 | x |
 nodes
 | PolynomialReDoS.rb:4:12:4:17 | call to params :  | semmle.label | call to params :  |
 | PolynomialReDoS.rb:4:12:4:24 | ...[...] :  | semmle.label | ...[...] :  |
@@ -76,6 +78,10 @@ nodes
 | PolynomialReDoS.rb:73:32:73:35 | name :  | semmle.label | name :  |
 | PolynomialReDoS.rb:76:35:76:39 | input :  | semmle.label | input :  |
 | PolynomialReDoS.rb:77:5:77:9 | input | semmle.label | input |
+| lib/index.rb:2:11:2:11 | x :  | semmle.label | x :  |
+| lib/index.rb:4:13:4:13 | x | semmle.label | x |
+| lib/index.rb:8:13:8:13 | x :  | semmle.label | x :  |
+| lib/index.rb:9:15:9:15 | x | semmle.label | x |
 subpaths
 #select
 | PolynomialReDoS.rb:10:5:10:17 | ... =~ ... | PolynomialReDoS.rb:4:12:4:17 | call to params :  | PolynomialReDoS.rb:10:5:10:8 | name | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:7:19:7:21 | \\s+ | regular expression | PolynomialReDoS.rb:4:12:4:17 | call to params | user-provided value |
@@ -101,3 +107,5 @@ subpaths
 | PolynomialReDoS.rb:62:5:62:22 | call to gsub | PolynomialReDoS.rb:54:12:54:17 | call to params :  | PolynomialReDoS.rb:62:5:62:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:56:31:56:33 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value |
 | PolynomialReDoS.rb:66:5:66:34 | call to match? | PolynomialReDoS.rb:54:12:54:17 | call to params :  | PolynomialReDoS.rb:66:5:66:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:58:30:58:32 | \\s+ | regular expression | PolynomialReDoS.rb:54:12:54:17 | call to params | user-provided value |
 | PolynomialReDoS.rb:77:5:77:22 | call to gsub | PolynomialReDoS.rb:70:12:70:17 | call to params :  | PolynomialReDoS.rb:77:5:77:9 | input | This $@ that depends on a $@ may run slow on strings with many repetitions of ' '. | PolynomialReDoS.rb:72:28:72:30 | \\s+ | regular expression | PolynomialReDoS.rb:70:12:70:17 | call to params | user-provided value |
+| lib/index.rb:4:13:4:26 | call to match | lib/index.rb:2:11:2:11 | x :  | lib/index.rb:4:13:4:13 | x | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | lib/index.rb:4:22:4:23 | a+ | regular expression | lib/index.rb:2:11:2:11 | x | library input |
+| lib/index.rb:9:15:9:28 | call to match | lib/index.rb:8:13:8:13 | x :  | lib/index.rb:9:15:9:15 | x | This $@ that depends on a $@ may run slow on strings with many repetitions of 'a'. | lib/index.rb:9:24:9:25 | a+ | regular expression | lib/index.rb:8:13:8:13 | x | library input |
--- a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/lib/index.rb
+++ b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/lib/index.rb
@@ -0,0 +1,11 @@
+module Foo 
+  def bar(x) 
+    # Run the /a+$/ regex on the input x.
+    match = x.match(/a+$/)
+  end
+
+  protected
+    def baz(x)
+      match = x.match(/a+$/)
+    end
+end
--- a/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/poly-redos.gemspec
+++ b/ruby/ql/test/query-tests/security/cwe-1333-polynomial-redos/poly-redos.gemspec
@@ -0,0 +1,5 @@
+Gem::Specification.new do |s|
+    s.name = 'poly-redos'
+    s.require_path = "lib"
+  end
+
				`@@ -0,0 +1 @@`
				`queries/security/cwe-020/MissingFullAnchor.ql`