Ruby: add RequestInputAccess#getKind predicate

2026-04-28 02:05:14 +02:00 · 2022-10-05 13:38:31 +01:00
parent dea53d86c9
commit 71670a4f75
3 changed files with 23 additions and 1 deletions
--- a/ruby/ql/lib/codeql/ruby/Concepts.qll
+++ b/ruby/ql/lib/codeql/ruby/Concepts.qll
@@ -314,6 +314,14 @@ module Http {
       * This is typically the name of the method that gives rise to this input.
       */
      string getSourceType() { result = super.getSourceType() }
+
+      /**
+       * Gets the kind of the accessed input,
+       * Can be one of "parameter", "header", "body", "url", "cookie".
+       *
+       * Note that this predicate is functional.
+       */
+      string getKind() { result = super.getKind() }
    }

    /** Provides a class for modeling new HTTP request inputs. */
@@ -331,6 +339,14 @@ module Http {
         * This is typically the name of the method that gives rise to this input.
         */
        abstract string getSourceType();
+
+        /**
+         * Gets the kind of the accessed input,
+         * Can be one of "parameter", "header", "body", "url", "cookie".
+         *
+         * Note that this predicate is functional.
+         */
+        abstract string getKind();
      }
    }

@@ -411,6 +427,8 @@ module Http {
      RoutedParameter() { this.getParameter() = handler.getARoutedParameter() }

      override string getSourceType() { result = handler.getFramework() + " RoutedParameter" }
+
+      override string getKind() { result = "url" }
    }

    /**
--- a/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActionController.qll
@@ -141,6 +141,8 @@ class ParamsSource extends Http::Server::RequestInputAccess::Range {
  ParamsSource() { this.asExpr().getExpr() instanceof Rails::ParamsCall }

  override string getSourceType() { result = "ActionController::Metal#params" }
+
+  override string getKind() { result = "parameter" }
 }

 /**
@@ -151,6 +153,8 @@ class CookiesSource extends Http::Server::RequestInputAccess::Range {
  CookiesSource() { this.asExpr().getExpr() instanceof Rails::CookiesCall }

  override string getSourceType() { result = "ActionController::Metal#cookies" }
+
+  override string getKind() { result = "cookie" }
 }

 /** A call to `cookies` from within a controller. */
--- a/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/SensitiveGetQueryCustomizations.qll
@@ -33,7 +33,7 @@ module SensitiveGetQuery {
    RequestInputAccessSource() {
      handler = this.asExpr().getExpr().getEnclosingMethod() and
      handler.getAnHttpMethod() = "get" and
-      this.getSourceType().matches(["%params%", "%parameters%"])
+      this.getKind() = "parameter"
    }

    override Http::Server::RequestHandler getHandler() { result = handler }