Add requested changes

2025-12-21 03:06:31 +01:00 · 2023-06-01 11:00:35 +02:00
parent 3c00235375
commit 7579f182ad
3 changed files with 48 additions and 19 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/Mysql2.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Mysql2.qll
@@ -48,4 +48,26 @@ module Mysql2 {

    override DataFlow::Node getSql() { result = query }
  }
+
+  /**
+   * A call to `Mysql2::Client.escape`, considered as a sanitizer for SQL statements.
+   */
+  private class Mysql2EscapeSanitization extends SqlSanitization::Range {
+    Mysql2EscapeSanitization() {
+      this = API::getTopLevelMember("Mysql2").getMember("Client").getAMethodCall("escape")
+    }
+  }
+
+  /**
+   * Flow summary for `Mysql2::Client.escape()`.
+   */
+  private class EscapeSummary extends SummarizedCallable {
+    EscapeSummary() { this = "Mysql2::Client.escape()" }
+
+    override MethodCall getACall() { result = any(Mysql2EscapeSanitization c).asExpr().getExpr() }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[0]" and output = "ReturnValue" and preservesValue = false
+    }
+  }
 }
--- a/ruby/ql/lib/codeql/ruby/frameworks/Sqlite3.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Sqlite3.qll
@@ -77,4 +77,26 @@ module Sqlite3 {

    override DataFlow::Node getSql() { result = this.getArgument(0) }
  }
+
+  /**
+   * A call to `SQLite3::Database.quote`, considered as a sanitizer for SQL statements.
+   */
+  private class SQLite3QuoteSanitization extends SqlSanitization {
+    SQLite3QuoteSanitization() {
+      this = API::getTopLevelMember("SQLite3").getMember("Database").getAMethodCall("quote")
+    }
+  }
+
+  /**
+   * Flow summary for `SQLite3::Database.quote()`.
+   */
+  private class QuoteSummary extends SummarizedCallable {
+    QuoteSummary() { this = "SQLite3::Database.quote()" }
+
+    override MethodCall getACall() { result = any(SQLite3QuoteSanitization c).asExpr().getExpr() }
+
+    override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
+      input = "Argument[0]" and output = "ReturnValue" and preservesValue = false
+    }
+  }
 }
--- a/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/SqlInjectionCustomizations.qll
@@ -52,23 +52,8 @@ module SqlInjection {
   * sanitizer-guard.
   */
  class StringConstArrayInclusionCallAsSanitizer extends Sanitizer,
-    StringConstArrayInclusionCallBarrier { }
+    StringConstArrayInclusionCallBarrier
+  { }

-  /**
-   * A call to `Mysql2::Client.escape`, considered as a sanitizer.
-   */
-  private class Mysql2EscapeSanitization extends Sanitizer {
-    Mysql2EscapeSanitization() {
-      this = API::getTopLevelMember("Mysql2").getMember("Client").getAMethodCall("escape")
-    }
-  }
-
-  /**
-   * A call to `SQLite3::Database.quote`, considered as a sanitizer.
-   */
-  private class SQLite3EscapeSanitization extends Sanitizer {
-    SQLite3EscapeSanitization() {
-      this = API::getTopLevelMember("SQLite3").getMember("Database").getAMethodCall("quote")
-    }
-  }
+  private class SqlSanitizationAsSanitizer extends Sanitizer, SqlSanitization { }
 }