Merge pull request #10538 from hmac/hmac/actioncontroller-parameters
Ruby: Model flow through ActionController::Parameters
@@ -0,0 +1,4 @@
|
||||
---
|
||||
category: minorAnalysis
|
||||
---
|
||||
* Taint flow through `ActionController::Parameters` is tracked more accurately.
|
||||
@@ -382,3 +382,123 @@ private class SendFile extends FileSystemAccess::Range, DataFlow::CallNode {
|
||||
|
||||
override DataFlow::Node getAPathArgument() { result = this.getArgument(0) }
|
||||
}
|
||||
|
||||
private module ParamsSummaries {
|
||||
private import codeql.ruby.dataflow.FlowSummary
|
||||
|
||||
/**
|
||||
* An instance of `ActionController::Parameters`, including those returned
|
||||
* from method calls on other instances.
|
||||
*/
|
||||
private class ParamsInstance extends DataFlow::Node {
|
||||
ParamsInstance() {
|
||||
this.asExpr().getExpr() instanceof ParamsCall
|
||||
or
|
||||
this =
|
||||
any(DataFlow::CallNode call |
|
||||
call.getReceiver() instanceof ParamsInstance and
|
||||
call.getMethodName() = paramsMethodReturningParamsInstance()
|
||||
)
|
||||
or
|
||||
exists(ParamsInstance prev | prev.(DataFlow::LocalSourceNode).flowsTo(this))
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* Methods on `ActionController::Parameters` that return an instance of
|
||||
* `ActionController::Parameters`.
|
||||
*/
|
||||
string paramsMethodReturningParamsInstance() {
|
||||
result =
|
||||
[
|
||||
"concat", "concat!", "compact_blank", "deep_dup", "deep_transform_keys", "delete_if",
|
||||
// dig doesn't always return a Parameters instance, but it will if the
|
||||
// given key refers to a nested hash parameter.
|
||||
"dig", "each", "each_key", "each_pair", "each_value", "except", "keep_if", "merge",
|
||||
"merge!", "permit", "reject", "reject!", "reverse_merge", "reverse_merge!", "select",
|
||||
"select!", "slice", "slice!", "transform_keys", "transform_keys!", "transform_values",
|
||||
"transform_values!", "with_defaults", "with_defaults!"
|
||||
]
|
||||
}
|
||||
|
||||
/**
|
||||
* Methods on `ActionController::Parameters` that propagate taint from
|
||||
* receiver to return value.
|
||||
*/
|
||||
string methodReturnsTaintFromSelf() {
|
||||
result =
|
||||
[
|
||||
"as_json", "permit", "require", "required", "deep_dup", "deep_transform_keys",
|
||||
"deep_transform_keys!", "delete_if", "extract!", "keep_if", "select", "select!", "reject",
|
||||
"reject!", "to_h", "to_hash", "to_query", "to_param", "to_unsafe_h", "to_unsafe_hash",
|
||||
"transform_keys", "transform_keys!", "transform_values", "transform_values!", "values_at"
|
||||
]
|
||||
}
|
||||
|
||||
/**
|
||||
* A flow summary for methods on `ActionController::Parameters` which
|
||||
* propagate taint from receiver to return value.
|
||||
*/
|
||||
private class MethodsReturningParamsInstanceSummary extends SummarizedCallable {
|
||||
MethodsReturningParamsInstanceSummary() { this = "ActionController::Parameters#<various>" }
|
||||
|
||||
override MethodCall getACall() {
|
||||
any(ParamsInstance i).asExpr().getExpr() = result.getReceiver() and
|
||||
result.getMethodName() = methodReturnsTaintFromSelf()
|
||||
}
|
||||
|
||||
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
|
||||
input = "Argument[self]" and
|
||||
output = "ReturnValue" and
|
||||
preservesValue = false
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* `#merge`
|
||||
* Returns a new ActionController::Parameters with all keys from other_hash merged into current hash.
|
||||
* `#reverse_merge`
|
||||
* `#with_defaults`
|
||||
* Returns a new ActionController::Parameters with all keys from current hash merged into other_hash.
|
||||
*/
|
||||
private class MergeSummary extends SummarizedCallable {
|
||||
MergeSummary() { this = "ActionController::Parameters#merge" }
|
||||
|
||||
override MethodCall getACall() {
|
||||
result.getMethodName() = ["merge", "reverse_merge", "with_defaults"] and
|
||||
exists(ParamsInstance i |
|
||||
i.asExpr().getExpr() = [result.getReceiver(), result.getArgument(0)]
|
||||
)
|
||||
}
|
||||
|
||||
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
|
||||
input = ["Argument[self]", "Argument[0]"] and
|
||||
output = "ReturnValue" and
|
||||
preservesValue = false
|
||||
}
|
||||
}
|
||||
|
||||
/**
|
||||
* `#merge!`
|
||||
* Returns current ActionController::Parameters instance with current hash merged into other_hash.
|
||||
* `#reverse_merge!`
|
||||
* `#with_defaults!`
|
||||
* Returns a new ActionController::Parameters with all keys from current hash merged into other_hash.
|
||||
*/
|
||||
private class MergeBangSummary extends SummarizedCallable {
|
||||
MergeBangSummary() { this = "ActionController::Parameters#merge!" }
|
||||
|
||||
override MethodCall getACall() {
|
||||
result.getMethodName() = ["merge!", "reverse_merge!", "with_defaults!"] and
|
||||
exists(ParamsInstance i |
|
||||
i.asExpr().getExpr() = [result.getReceiver(), result.getArgument(0)]
|
||||
)
|
||||
}
|
||||
|
||||
override predicate propagatesFlowExt(string input, string output, boolean preservesValue) {
|
||||
input = ["Argument[self]", "Argument[0]"] and
|
||||
output = ["ReturnValue", "Argument[self]"] and
|
||||
preservesValue = false
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
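Review bot: The taint-step list in `methodReturnsTaintFromSelf()` omits several methods that `paramsMethodReturningParamsInstance()` treats as yielding a `Parameters` object — `slice`, `slice!`, `except`, `dig`, `compact_blank`, `concat`, `concat!` — so `params.slice(:id)` or `params.dig(:user)` is typed as a `ParamsInstance` yet, unless the core Hash summaries already cover those names, carries no taint from the receiver, and a query or mass-assignment sink fed that way is missed. Adding them to the list next to `"transform_keys", "transform_keys!", ...` is a one-line change: `"slice", "slice!", "except", "dig", "compact_blank", "concat", "concat!"`, ideally with a test method per name alongside the existing `m1`–`m32`. The class name `MethodsReturningParamsInstanceSummary` is misleading because it is keyed on `methodReturnsTaintFromSelf()` rather than the instance list; `ParamsTaintFromSelfSummary` would say what it does. The QLDoc on `MergeBangSummary` says `reverse_merge!`/`with_defaults!` return a new `Parameters`, but the summary emits `Argument[self]` as an output, i.e. in-place mutation, so the comment should read `Returns the current ActionController::Parameters instance` for all three.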
@@ -1,4 +1,5 @@
|
||||
actionControllerControllerClasses
|
||||
| action_controller/params_flow.rb:1:1:151:3 | MyController |
|
||||
| active_record/ActiveRecord.rb:23:1:39:3 | FooController |
|
||||
| active_record/ActiveRecord.rb:41:1:64:3 | BarController |
|
||||
| active_record/ActiveRecord.rb:66:1:98:3 | BazController |
|
||||
@@ -11,6 +12,39 @@ actionControllerControllerClasses
|
||||
| app/controllers/tags_controller.rb:1:1:2:3 | TagsController |
|
||||
| app/controllers/users/notifications_controller.rb:2:3:5:5 | NotificationsController |
|
||||
actionControllerActionMethods
|
||||
| action_controller/params_flow.rb:2:3:4:5 | m1 |
|
||||
| action_controller/params_flow.rb:6:3:8:5 | m2 |
|
||||
| action_controller/params_flow.rb:10:3:12:5 | m2 |
|
||||
| action_controller/params_flow.rb:14:3:16:5 | m3 |
|
||||
| action_controller/params_flow.rb:18:3:20:5 | m4 |
|
||||
| action_controller/params_flow.rb:22:3:24:5 | m5 |
|
||||
| action_controller/params_flow.rb:26:3:28:5 | m6 |
|
||||
| action_controller/params_flow.rb:30:3:32:5 | m7 |
|
||||
| action_controller/params_flow.rb:34:3:36:5 | m8 |
|
||||
| action_controller/params_flow.rb:38:3:40:5 | m9 |
|
||||
| action_controller/params_flow.rb:42:3:44:5 | m10 |
|
||||
| action_controller/params_flow.rb:46:3:48:5 | m11 |
|
||||
| action_controller/params_flow.rb:50:3:52:5 | m12 |
|
||||
| action_controller/params_flow.rb:54:3:56:5 | m13 |
|
||||
| action_controller/params_flow.rb:58:3:60:5 | m14 |
|
||||
| action_controller/params_flow.rb:62:3:64:5 | m15 |
|
||||
| action_controller/params_flow.rb:66:3:68:5 | m16 |
|
||||
| action_controller/params_flow.rb:70:3:72:5 | m17 |
|
||||
| action_controller/params_flow.rb:74:3:76:5 | m18 |
|
||||
| action_controller/params_flow.rb:78:3:80:5 | m19 |
|
||||
| action_controller/params_flow.rb:82:3:84:5 | m20 |
|
||||
| action_controller/params_flow.rb:86:3:88:5 | m21 |
|
||||
| action_controller/params_flow.rb:90:3:92:5 | m22 |
|
||||
| action_controller/params_flow.rb:94:3:96:5 | m23 |
|
||||
| action_controller/params_flow.rb:98:3:100:5 | m24 |
|
||||
| action_controller/params_flow.rb:102:3:104:5 | m25 |
|
||||
| action_controller/params_flow.rb:106:3:108:5 | m26 |
|
||||
| action_controller/params_flow.rb:110:3:113:5 | m27 |
|
||||
| action_controller/params_flow.rb:115:3:118:5 | m28 |
|
||||
| action_controller/params_flow.rb:120:3:123:5 | m29 |
|
||||
| action_controller/params_flow.rb:125:3:132:5 | m30 |
|
||||
| action_controller/params_flow.rb:134:3:141:5 | m31 |
|
||||
| action_controller/params_flow.rb:143:3:150:5 | m32 |
|
||||
| active_record/ActiveRecord.rb:27:3:38:5 | some_request_handler |
|
||||
| active_record/ActiveRecord.rb:42:3:47:5 | some_other_request_handler |
|
||||
| active_record/ActiveRecord.rb:49:3:63:5 | safe_paths |
|
||||
@@ -39,6 +73,48 @@ actionControllerActionMethods
|
||||
| app/controllers/posts_controller.rb:8:3:9:5 | upvote |
|
||||
| app/controllers/users/notifications_controller.rb:3:5:4:7 | mark_as_read |
|
||||
paramsCalls
|
||||
| action_controller/params_flow.rb:3:10:3:15 | call to params |
|
||||
| action_controller/params_flow.rb:7:10:7:15 | call to params |
|
||||
| action_controller/params_flow.rb:11:10:11:15 | call to params |
|
||||
| action_controller/params_flow.rb:15:10:15:15 | call to params |
|
||||
| action_controller/params_flow.rb:19:10:19:15 | call to params |
|
||||
| action_controller/params_flow.rb:23:10:23:15 | call to params |
|
||||
| action_controller/params_flow.rb:27:10:27:15 | call to params |
|
||||
| action_controller/params_flow.rb:31:10:31:15 | call to params |
|
||||
| action_controller/params_flow.rb:35:10:35:15 | call to params |
|
||||
| action_controller/params_flow.rb:39:10:39:15 | call to params |
|
||||
| action_controller/params_flow.rb:43:10:43:15 | call to params |
|
||||
| action_controller/params_flow.rb:47:10:47:15 | call to params |
|
||||
| action_controller/params_flow.rb:51:10:51:15 | call to params |
|
||||
| action_controller/params_flow.rb:55:10:55:15 | call to params |
|
||||
| action_controller/params_flow.rb:59:10:59:15 | call to params |
|
||||
| action_controller/params_flow.rb:63:10:63:15 | call to params |
|
||||
| action_controller/params_flow.rb:67:10:67:15 | call to params |
|
||||
| action_controller/params_flow.rb:71:10:71:15 | call to params |
|
||||
| action_controller/params_flow.rb:75:10:75:15 | call to params |
|
||||
| action_controller/params_flow.rb:79:10:79:15 | call to params |
|
||||
| action_controller/params_flow.rb:83:10:83:15 | call to params |
|
||||
| action_controller/params_flow.rb:87:10:87:15 | call to params |
|
||||
| action_controller/params_flow.rb:91:10:91:15 | call to params |
|
||||
| action_controller/params_flow.rb:95:10:95:15 | call to params |
|
||||
| action_controller/params_flow.rb:99:10:99:15 | call to params |
|
||||
| action_controller/params_flow.rb:103:10:103:15 | call to params |
|
||||
| action_controller/params_flow.rb:107:10:107:15 | call to params |
|
||||
| action_controller/params_flow.rb:111:10:111:15 | call to params |
|
||||
| action_controller/params_flow.rb:112:23:112:28 | call to params |
|
||||
| action_controller/params_flow.rb:116:10:116:15 | call to params |
|
||||
| action_controller/params_flow.rb:117:31:117:36 | call to params |
|
||||
| action_controller/params_flow.rb:121:10:121:15 | call to params |
|
||||
| action_controller/params_flow.rb:122:31:122:36 | call to params |
|
||||
| action_controller/params_flow.rb:126:10:126:15 | call to params |
|
||||
| action_controller/params_flow.rb:127:24:127:29 | call to params |
|
||||
| action_controller/params_flow.rb:130:14:130:19 | call to params |
|
||||
| action_controller/params_flow.rb:135:10:135:15 | call to params |
|
||||
| action_controller/params_flow.rb:136:32:136:37 | call to params |
|
||||
| action_controller/params_flow.rb:139:22:139:27 | call to params |
|
||||
| action_controller/params_flow.rb:144:10:144:15 | call to params |
|
||||
| action_controller/params_flow.rb:145:32:145:37 | call to params |
|
||||
| action_controller/params_flow.rb:148:22:148:27 | call to params |
|
||||
| active_record/ActiveRecord.rb:28:30:28:35 | call to params |
|
||||
| active_record/ActiveRecord.rb:29:29:29:34 | call to params |
|
||||
| active_record/ActiveRecord.rb:30:31:30:36 | call to params |
|
||||
@@ -71,6 +147,48 @@ paramsCalls
|
||||
| app/controllers/foo/bars_controller.rb:22:10:22:15 | call to params |
|
||||
| app/views/foo/bars/show.html.erb:5:9:5:14 | call to params |
|
||||
paramsSources
|
||||
| action_controller/params_flow.rb:3:10:3:15 | call to params |
|
||||
| action_controller/params_flow.rb:7:10:7:15 | call to params |
|
||||
| action_controller/params_flow.rb:11:10:11:15 | call to params |
|
||||
| action_controller/params_flow.rb:15:10:15:15 | call to params |
|
||||
| action_controller/params_flow.rb:19:10:19:15 | call to params |
|
||||
| action_controller/params_flow.rb:23:10:23:15 | call to params |
|
||||
| action_controller/params_flow.rb:27:10:27:15 | call to params |
|
||||
| action_controller/params_flow.rb:31:10:31:15 | call to params |
|
||||
| action_controller/params_flow.rb:35:10:35:15 | call to params |
|
||||
| action_controller/params_flow.rb:39:10:39:15 | call to params |
|
||||
| action_controller/params_flow.rb:43:10:43:15 | call to params |
|
||||
| action_controller/params_flow.rb:47:10:47:15 | call to params |
|
||||
| action_controller/params_flow.rb:51:10:51:15 | call to params |
|
||||
| action_controller/params_flow.rb:55:10:55:15 | call to params |
|
||||
| action_controller/params_flow.rb:59:10:59:15 | call to params |
|
||||
| action_controller/params_flow.rb:63:10:63:15 | call to params |
|
||||
| action_controller/params_flow.rb:67:10:67:15 | call to params |
|
||||
| action_controller/params_flow.rb:71:10:71:15 | call to params |
|
||||
| action_controller/params_flow.rb:75:10:75:15 | call to params |
|
||||
| action_controller/params_flow.rb:79:10:79:15 | call to params |
|
||||
| action_controller/params_flow.rb:83:10:83:15 | call to params |
|
||||
| action_controller/params_flow.rb:87:10:87:15 | call to params |
|
||||
| action_controller/params_flow.rb:91:10:91:15 | call to params |
|
||||
| action_controller/params_flow.rb:95:10:95:15 | call to params |
|
||||
| action_controller/params_flow.rb:99:10:99:15 | call to params |
|
||||
| action_controller/params_flow.rb:103:10:103:15 | call to params |
|
||||
| action_controller/params_flow.rb:107:10:107:15 | call to params |
|
||||
| action_controller/params_flow.rb:111:10:111:15 | call to params |
|
||||
| action_controller/params_flow.rb:112:23:112:28 | call to params |
|
||||
| action_controller/params_flow.rb:116:10:116:15 | call to params |
|
||||
| action_controller/params_flow.rb:117:31:117:36 | call to params |
|
||||
| action_controller/params_flow.rb:121:10:121:15 | call to params |
|
||||
| action_controller/params_flow.rb:122:31:122:36 | call to params |
|
||||
| action_controller/params_flow.rb:126:10:126:15 | call to params |
|
||||
| action_controller/params_flow.rb:127:24:127:29 | call to params |
|
||||
| action_controller/params_flow.rb:130:14:130:19 | call to params |
|
||||
| action_controller/params_flow.rb:135:10:135:15 | call to params |
|
||||
| action_controller/params_flow.rb:136:32:136:37 | call to params |
|
||||
| action_controller/params_flow.rb:139:22:139:27 | call to params |
|
||||
| action_controller/params_flow.rb:144:10:144:15 | call to params |
|
||||
| action_controller/params_flow.rb:145:32:145:37 | call to params |
|
||||
| action_controller/params_flow.rb:148:22:148:27 | call to params |
|
||||
| active_record/ActiveRecord.rb:28:30:28:35 | call to params |
|
||||
| active_record/ActiveRecord.rb:29:29:29:34 | call to params |
|
||||
| active_record/ActiveRecord.rb:30:31:30:36 | call to params |
|
||||
|
||||
@@ -0,0 +1,175 @@
|
||||
failures
|
||||
edges
|
||||
| params_flow.rb:3:10:3:15 | call to params : | params_flow.rb:3:10:3:19 | ...[...] |
|
||||
| params_flow.rb:7:10:7:15 | call to params : | params_flow.rb:7:10:7:23 | call to as_json |
|
||||
| params_flow.rb:15:10:15:15 | call to params : | params_flow.rb:15:10:15:33 | call to permit |
|
||||
| params_flow.rb:19:10:19:15 | call to params : | params_flow.rb:19:10:19:34 | call to require |
|
||||
| params_flow.rb:23:10:23:15 | call to params : | params_flow.rb:23:10:23:35 | call to required |
|
||||
| params_flow.rb:27:10:27:15 | call to params : | params_flow.rb:27:10:27:24 | call to deep_dup |
|
||||
| params_flow.rb:31:10:31:15 | call to params : | params_flow.rb:31:10:31:45 | call to deep_transform_keys |
|
||||
| params_flow.rb:35:10:35:15 | call to params : | params_flow.rb:35:10:35:46 | call to deep_transform_keys! |
|
||||
| params_flow.rb:39:10:39:15 | call to params : | params_flow.rb:39:10:39:48 | call to delete_if |
|
||||
| params_flow.rb:43:10:43:15 | call to params : | params_flow.rb:43:10:43:32 | call to extract! |
|
||||
| params_flow.rb:47:10:47:15 | call to params : | params_flow.rb:47:10:47:46 | call to keep_if |
|
||||
| params_flow.rb:51:10:51:15 | call to params : | params_flow.rb:51:10:51:45 | call to select |
|
||||
| params_flow.rb:55:10:55:15 | call to params : | params_flow.rb:55:10:55:46 | call to select! |
|
||||
| params_flow.rb:59:10:59:15 | call to params : | params_flow.rb:59:10:59:45 | call to reject |
|
||||
| params_flow.rb:63:10:63:15 | call to params : | params_flow.rb:63:10:63:46 | call to reject! |
|
||||
| params_flow.rb:67:10:67:15 | call to params : | params_flow.rb:67:10:67:20 | call to to_h |
|
||||
| params_flow.rb:71:10:71:15 | call to params : | params_flow.rb:71:10:71:23 | call to to_hash |
|
||||
| params_flow.rb:75:10:75:15 | call to params : | params_flow.rb:75:10:75:24 | call to to_query |
|
||||
| params_flow.rb:79:10:79:15 | call to params : | params_flow.rb:79:10:79:24 | call to to_param |
|
||||
| params_flow.rb:83:10:83:15 | call to params : | params_flow.rb:83:10:83:27 | call to to_unsafe_h |
|
||||
| params_flow.rb:87:10:87:15 | call to params : | params_flow.rb:87:10:87:30 | call to to_unsafe_hash |
|
||||
| params_flow.rb:91:10:91:15 | call to params : | params_flow.rb:91:10:91:40 | call to transform_keys |
|
||||
| params_flow.rb:95:10:95:15 | call to params : | params_flow.rb:95:10:95:41 | call to transform_keys! |
|
||||
| params_flow.rb:99:10:99:15 | call to params : | params_flow.rb:99:10:99:42 | call to transform_values |
|
||||
| params_flow.rb:103:10:103:15 | call to params : | params_flow.rb:103:10:103:43 | call to transform_values! |
|
||||
| params_flow.rb:107:10:107:15 | call to params : | params_flow.rb:107:10:107:33 | call to values_at |
|
||||
| params_flow.rb:111:10:111:15 | call to params : | params_flow.rb:111:10:111:29 | call to merge |
|
||||
| params_flow.rb:112:23:112:28 | call to params : | params_flow.rb:112:10:112:29 | call to merge |
|
||||
| params_flow.rb:116:10:116:15 | call to params : | params_flow.rb:116:10:116:37 | call to reverse_merge |
|
||||
| params_flow.rb:117:31:117:36 | call to params : | params_flow.rb:117:10:117:37 | call to reverse_merge |
|
||||
| params_flow.rb:121:10:121:15 | call to params : | params_flow.rb:121:10:121:43 | call to with_defaults |
|
||||
| params_flow.rb:122:31:122:36 | call to params : | params_flow.rb:122:10:122:37 | call to with_defaults |
|
||||
| params_flow.rb:126:10:126:15 | call to params : | params_flow.rb:126:10:126:30 | call to merge! |
|
||||
| params_flow.rb:127:24:127:29 | call to params : | params_flow.rb:127:10:127:30 | call to merge! |
|
||||
| params_flow.rb:130:5:130:5 | [post] p : | params_flow.rb:131:10:131:10 | p |
|
||||
| params_flow.rb:130:14:130:19 | call to params : | params_flow.rb:130:5:130:5 | [post] p : |
|
||||
| params_flow.rb:135:10:135:15 | call to params : | params_flow.rb:135:10:135:38 | call to reverse_merge! |
|
||||
| params_flow.rb:136:32:136:37 | call to params : | params_flow.rb:136:10:136:38 | call to reverse_merge! |
|
||||
| params_flow.rb:139:5:139:5 | [post] p : | params_flow.rb:140:10:140:10 | p |
|
||||
| params_flow.rb:139:22:139:27 | call to params : | params_flow.rb:139:5:139:5 | [post] p : |
|
||||
| params_flow.rb:144:10:144:15 | call to params : | params_flow.rb:144:10:144:44 | call to with_defaults! |
|
||||
| params_flow.rb:145:32:145:37 | call to params : | params_flow.rb:145:10:145:38 | call to with_defaults! |
|
||||
| params_flow.rb:148:5:148:5 | [post] p : | params_flow.rb:149:10:149:10 | p |
|
||||
| params_flow.rb:148:22:148:27 | call to params : | params_flow.rb:148:5:148:5 | [post] p : |
|
||||
nodes
|
||||
| params_flow.rb:3:10:3:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:3:10:3:19 | ...[...] | semmle.label | ...[...] |
|
||||
| params_flow.rb:7:10:7:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:7:10:7:23 | call to as_json | semmle.label | call to as_json |
|
||||
| params_flow.rb:15:10:15:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:15:10:15:33 | call to permit | semmle.label | call to permit |
|
||||
| params_flow.rb:19:10:19:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:19:10:19:34 | call to require | semmle.label | call to require |
|
||||
| params_flow.rb:23:10:23:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:23:10:23:35 | call to required | semmle.label | call to required |
|
||||
| params_flow.rb:27:10:27:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:27:10:27:24 | call to deep_dup | semmle.label | call to deep_dup |
|
||||
| params_flow.rb:31:10:31:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:31:10:31:45 | call to deep_transform_keys | semmle.label | call to deep_transform_keys |
|
||||
| params_flow.rb:35:10:35:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:35:10:35:46 | call to deep_transform_keys! | semmle.label | call to deep_transform_keys! |
|
||||
| params_flow.rb:39:10:39:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:39:10:39:48 | call to delete_if | semmle.label | call to delete_if |
|
||||
| params_flow.rb:43:10:43:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:43:10:43:32 | call to extract! | semmle.label | call to extract! |
|
||||
| params_flow.rb:47:10:47:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:47:10:47:46 | call to keep_if | semmle.label | call to keep_if |
|
||||
| params_flow.rb:51:10:51:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:51:10:51:45 | call to select | semmle.label | call to select |
|
||||
| params_flow.rb:55:10:55:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:55:10:55:46 | call to select! | semmle.label | call to select! |
|
||||
| params_flow.rb:59:10:59:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:59:10:59:45 | call to reject | semmle.label | call to reject |
|
||||
| params_flow.rb:63:10:63:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:63:10:63:46 | call to reject! | semmle.label | call to reject! |
|
||||
| params_flow.rb:67:10:67:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:67:10:67:20 | call to to_h | semmle.label | call to to_h |
|
||||
| params_flow.rb:71:10:71:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:71:10:71:23 | call to to_hash | semmle.label | call to to_hash |
|
||||
| params_flow.rb:75:10:75:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:75:10:75:24 | call to to_query | semmle.label | call to to_query |
|
||||
| params_flow.rb:79:10:79:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:79:10:79:24 | call to to_param | semmle.label | call to to_param |
|
||||
| params_flow.rb:83:10:83:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:83:10:83:27 | call to to_unsafe_h | semmle.label | call to to_unsafe_h |
|
||||
| params_flow.rb:87:10:87:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:87:10:87:30 | call to to_unsafe_hash | semmle.label | call to to_unsafe_hash |
|
||||
| params_flow.rb:91:10:91:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:91:10:91:40 | call to transform_keys | semmle.label | call to transform_keys |
|
||||
| params_flow.rb:95:10:95:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:95:10:95:41 | call to transform_keys! | semmle.label | call to transform_keys! |
|
||||
| params_flow.rb:99:10:99:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:99:10:99:42 | call to transform_values | semmle.label | call to transform_values |
|
||||
| params_flow.rb:103:10:103:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:103:10:103:43 | call to transform_values! | semmle.label | call to transform_values! |
|
||||
| params_flow.rb:107:10:107:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:107:10:107:33 | call to values_at | semmle.label | call to values_at |
|
||||
| params_flow.rb:111:10:111:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:111:10:111:29 | call to merge | semmle.label | call to merge |
|
||||
| params_flow.rb:112:10:112:29 | call to merge | semmle.label | call to merge |
|
||||
| params_flow.rb:112:23:112:28 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:116:10:116:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:116:10:116:37 | call to reverse_merge | semmle.label | call to reverse_merge |
|
||||
| params_flow.rb:117:10:117:37 | call to reverse_merge | semmle.label | call to reverse_merge |
|
||||
| params_flow.rb:117:31:117:36 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:121:10:121:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:121:10:121:43 | call to with_defaults | semmle.label | call to with_defaults |
|
||||
| params_flow.rb:122:10:122:37 | call to with_defaults | semmle.label | call to with_defaults |
|
||||
| params_flow.rb:122:31:122:36 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:126:10:126:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:126:10:126:30 | call to merge! | semmle.label | call to merge! |
|
||||
| params_flow.rb:127:10:127:30 | call to merge! | semmle.label | call to merge! |
|
||||
| params_flow.rb:127:24:127:29 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:130:5:130:5 | [post] p : | semmle.label | [post] p : |
|
||||
| params_flow.rb:130:14:130:19 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:131:10:131:10 | p | semmle.label | p |
|
||||
| params_flow.rb:135:10:135:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:135:10:135:38 | call to reverse_merge! | semmle.label | call to reverse_merge! |
|
||||
| params_flow.rb:136:10:136:38 | call to reverse_merge! | semmle.label | call to reverse_merge! |
|
||||
| params_flow.rb:136:32:136:37 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:139:5:139:5 | [post] p : | semmle.label | [post] p : |
|
||||
| params_flow.rb:139:22:139:27 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:140:10:140:10 | p | semmle.label | p |
|
||||
| params_flow.rb:144:10:144:15 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:144:10:144:44 | call to with_defaults! | semmle.label | call to with_defaults! |
|
||||
| params_flow.rb:145:10:145:38 | call to with_defaults! | semmle.label | call to with_defaults! |
|
||||
| params_flow.rb:145:32:145:37 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:148:5:148:5 | [post] p : | semmle.label | [post] p : |
|
||||
| params_flow.rb:148:22:148:27 | call to params : | semmle.label | call to params : |
|
||||
| params_flow.rb:149:10:149:10 | p | semmle.label | p |
|
||||
subpaths
|
||||
#select
|
||||
| params_flow.rb:3:10:3:19 | ...[...] | params_flow.rb:3:10:3:15 | call to params : | params_flow.rb:3:10:3:19 | ...[...] | $@ | params_flow.rb:3:10:3:15 | call to params : | call to params : |
|
||||
| params_flow.rb:7:10:7:23 | call to as_json | params_flow.rb:7:10:7:15 | call to params : | params_flow.rb:7:10:7:23 | call to as_json | $@ | params_flow.rb:7:10:7:15 | call to params : | call to params : |
|
||||
| params_flow.rb:15:10:15:33 | call to permit | params_flow.rb:15:10:15:15 | call to params : | params_flow.rb:15:10:15:33 | call to permit | $@ | params_flow.rb:15:10:15:15 | call to params : | call to params : |
|
||||
| params_flow.rb:19:10:19:34 | call to require | params_flow.rb:19:10:19:15 | call to params : | params_flow.rb:19:10:19:34 | call to require | $@ | params_flow.rb:19:10:19:15 | call to params : | call to params : |
|
||||
| params_flow.rb:23:10:23:35 | call to required | params_flow.rb:23:10:23:15 | call to params : | params_flow.rb:23:10:23:35 | call to required | $@ | params_flow.rb:23:10:23:15 | call to params : | call to params : |
|
||||
| params_flow.rb:27:10:27:24 | call to deep_dup | params_flow.rb:27:10:27:15 | call to params : | params_flow.rb:27:10:27:24 | call to deep_dup | $@ | params_flow.rb:27:10:27:15 | call to params : | call to params : |
|
||||
| params_flow.rb:31:10:31:45 | call to deep_transform_keys | params_flow.rb:31:10:31:15 | call to params : | params_flow.rb:31:10:31:45 | call to deep_transform_keys | $@ | params_flow.rb:31:10:31:15 | call to params : | call to params : |
|
||||
| params_flow.rb:35:10:35:46 | call to deep_transform_keys! | params_flow.rb:35:10:35:15 | call to params : | params_flow.rb:35:10:35:46 | call to deep_transform_keys! | $@ | params_flow.rb:35:10:35:15 | call to params : | call to params : |
|
||||
| params_flow.rb:39:10:39:48 | call to delete_if | params_flow.rb:39:10:39:15 | call to params : | params_flow.rb:39:10:39:48 | call to delete_if | $@ | params_flow.rb:39:10:39:15 | call to params : | call to params : |
|
||||
| params_flow.rb:43:10:43:32 | call to extract! | params_flow.rb:43:10:43:15 | call to params : | params_flow.rb:43:10:43:32 | call to extract! | $@ | params_flow.rb:43:10:43:15 | call to params : | call to params : |
|
||||
| params_flow.rb:47:10:47:46 | call to keep_if | params_flow.rb:47:10:47:15 | call to params : | params_flow.rb:47:10:47:46 | call to keep_if | $@ | params_flow.rb:47:10:47:15 | call to params : | call to params : |
|
||||
| params_flow.rb:51:10:51:45 | call to select | params_flow.rb:51:10:51:15 | call to params : | params_flow.rb:51:10:51:45 | call to select | $@ | params_flow.rb:51:10:51:15 | call to params : | call to params : |
|
||||
| params_flow.rb:55:10:55:46 | call to select! | params_flow.rb:55:10:55:15 | call to params : | params_flow.rb:55:10:55:46 | call to select! | $@ | params_flow.rb:55:10:55:15 | call to params : | call to params : |
|
||||
| params_flow.rb:59:10:59:45 | call to reject | params_flow.rb:59:10:59:15 | call to params : | params_flow.rb:59:10:59:45 | call to reject | $@ | params_flow.rb:59:10:59:15 | call to params : | call to params : |
|
||||
| params_flow.rb:63:10:63:46 | call to reject! | params_flow.rb:63:10:63:15 | call to params : | params_flow.rb:63:10:63:46 | call to reject! | $@ | params_flow.rb:63:10:63:15 | call to params : | call to params : |
|
||||
| params_flow.rb:67:10:67:20 | call to to_h | params_flow.rb:67:10:67:15 | call to params : | params_flow.rb:67:10:67:20 | call to to_h | $@ | params_flow.rb:67:10:67:15 | call to params : | call to params : |
|
||||
| params_flow.rb:71:10:71:23 | call to to_hash | params_flow.rb:71:10:71:15 | call to params : | params_flow.rb:71:10:71:23 | call to to_hash | $@ | params_flow.rb:71:10:71:15 | call to params : | call to params : |
|
||||
| params_flow.rb:75:10:75:24 | call to to_query | params_flow.rb:75:10:75:15 | call to params : | params_flow.rb:75:10:75:24 | call to to_query | $@ | params_flow.rb:75:10:75:15 | call to params : | call to params : |
|
||||
| params_flow.rb:79:10:79:24 | call to to_param | params_flow.rb:79:10:79:15 | call to params : | params_flow.rb:79:10:79:24 | call to to_param | $@ | params_flow.rb:79:10:79:15 | call to params : | call to params : |
|
||||
| params_flow.rb:83:10:83:27 | call to to_unsafe_h | params_flow.rb:83:10:83:15 | call to params : | params_flow.rb:83:10:83:27 | call to to_unsafe_h | $@ | params_flow.rb:83:10:83:15 | call to params : | call to params : |
|
||||
| params_flow.rb:87:10:87:30 | call to to_unsafe_hash | params_flow.rb:87:10:87:15 | call to params : | params_flow.rb:87:10:87:30 | call to to_unsafe_hash | $@ | params_flow.rb:87:10:87:15 | call to params : | call to params : |
|
||||
| params_flow.rb:91:10:91:40 | call to transform_keys | params_flow.rb:91:10:91:15 | call to params : | params_flow.rb:91:10:91:40 | call to transform_keys | $@ | params_flow.rb:91:10:91:15 | call to params : | call to params : |
|
||||
| params_flow.rb:95:10:95:41 | call to transform_keys! | params_flow.rb:95:10:95:15 | call to params : | params_flow.rb:95:10:95:41 | call to transform_keys! | $@ | params_flow.rb:95:10:95:15 | call to params : | call to params : |
|
||||
| params_flow.rb:99:10:99:42 | call to transform_values | params_flow.rb:99:10:99:15 | call to params : | params_flow.rb:99:10:99:42 | call to transform_values | $@ | params_flow.rb:99:10:99:15 | call to params : | call to params : |
|
||||
| params_flow.rb:103:10:103:43 | call to transform_values! | params_flow.rb:103:10:103:15 | call to params : | params_flow.rb:103:10:103:43 | call to transform_values! | $@ | params_flow.rb:103:10:103:15 | call to params : | call to params : |
|
||||
| params_flow.rb:107:10:107:33 | call to values_at | params_flow.rb:107:10:107:15 | call to params : | params_flow.rb:107:10:107:33 | call to values_at | $@ | params_flow.rb:107:10:107:15 | call to params : | call to params : |
|
||||
| params_flow.rb:111:10:111:29 | call to merge | params_flow.rb:111:10:111:15 | call to params : | params_flow.rb:111:10:111:29 | call to merge | $@ | params_flow.rb:111:10:111:15 | call to params : | call to params : |
|
||||
| params_flow.rb:112:10:112:29 | call to merge | params_flow.rb:112:23:112:28 | call to params : | params_flow.rb:112:10:112:29 | call to merge | $@ | params_flow.rb:112:23:112:28 | call to params : | call to params : |
|
||||
| params_flow.rb:116:10:116:37 | call to reverse_merge | params_flow.rb:116:10:116:15 | call to params : | params_flow.rb:116:10:116:37 | call to reverse_merge | $@ | params_flow.rb:116:10:116:15 | call to params : | call to params : |
|
||||
| params_flow.rb:117:10:117:37 | call to reverse_merge | params_flow.rb:117:31:117:36 | call to params : | params_flow.rb:117:10:117:37 | call to reverse_merge | $@ | params_flow.rb:117:31:117:36 | call to params : | call to params : |
|
||||
| params_flow.rb:121:10:121:43 | call to with_defaults | params_flow.rb:121:10:121:15 | call to params : | params_flow.rb:121:10:121:43 | call to with_defaults | $@ | params_flow.rb:121:10:121:15 | call to params : | call to params : |
|
||||
| params_flow.rb:122:10:122:37 | call to with_defaults | params_flow.rb:122:31:122:36 | call to params : | params_flow.rb:122:10:122:37 | call to with_defaults | $@ | params_flow.rb:122:31:122:36 | call to params : | call to params : |
|
||||
| params_flow.rb:126:10:126:30 | call to merge! | params_flow.rb:126:10:126:15 | call to params : | params_flow.rb:126:10:126:30 | call to merge! | $@ | params_flow.rb:126:10:126:15 | call to params : | call to params : |
|
||||
| params_flow.rb:127:10:127:30 | call to merge! | params_flow.rb:127:24:127:29 | call to params : | params_flow.rb:127:10:127:30 | call to merge! | $@ | params_flow.rb:127:24:127:29 | call to params : | call to params : |
|
||||
| params_flow.rb:131:10:131:10 | p | params_flow.rb:130:14:130:19 | call to params : | params_flow.rb:131:10:131:10 | p | $@ | params_flow.rb:130:14:130:19 | call to params : | call to params : |
|
||||
| params_flow.rb:135:10:135:38 | call to reverse_merge! | params_flow.rb:135:10:135:15 | call to params : | params_flow.rb:135:10:135:38 | call to reverse_merge! | $@ | params_flow.rb:135:10:135:15 | call to params : | call to params : |
|
||||
| params_flow.rb:136:10:136:38 | call to reverse_merge! | params_flow.rb:136:32:136:37 | call to params : | params_flow.rb:136:10:136:38 | call to reverse_merge! | $@ | params_flow.rb:136:32:136:37 | call to params : | call to params : |
|
||||
| params_flow.rb:140:10:140:10 | p | params_flow.rb:139:22:139:27 | call to params : | params_flow.rb:140:10:140:10 | p | $@ | params_flow.rb:139:22:139:27 | call to params : | call to params : |
|
||||
| params_flow.rb:144:10:144:44 | call to with_defaults! | params_flow.rb:144:10:144:15 | call to params : | params_flow.rb:144:10:144:44 | call to with_defaults! | $@ | params_flow.rb:144:10:144:15 | call to params : | call to params : |
|
||||
| params_flow.rb:145:10:145:38 | call to with_defaults! | params_flow.rb:145:32:145:37 | call to params : | params_flow.rb:145:10:145:38 | call to with_defaults! | $@ | params_flow.rb:145:32:145:37 | call to params : | call to params : |
|
||||
| params_flow.rb:149:10:149:10 | p | params_flow.rb:148:22:148:27 | call to params : | params_flow.rb:149:10:149:10 | p | $@ | params_flow.rb:148:22:148:27 | call to params : | call to params : |
|
||||
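--- /dev/null
+++ b/PATH_NOT_ON_PAGE.ql
@@ -0,0 +1,16 @@
+/**
+ * @kind path-problem
+ */
+
+import ruby
+import TestUtilities.InlineFlowTest
+import PathGraph
+import codeql.ruby.frameworks.ActionController
+
+class ParamsTaintFlowConf extends DefaultTaintFlowConf {
+  override predicate isSource(DataFlow::Node n) { n.asExpr().getExpr() instanceof ParamsCall }
+}
+
+from DataFlow::PathNode source, DataFlow::PathNode sink, ParamsTaintFlowConf conf
+where conf.hasFlowPath(source, sink)
+select sink, source, sink, "$@", source, source.toString()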
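--- /dev/null
+++ b/PATH_NOT_ON_PAGE/params_flow.rb
@@ -0,0 +1,151 @@
+class MyController < ActionController::Base
+  def m1
+    sink params[:a] # $hasTaintFlow
+  end
+
+  def m2
+    sink params.as_json # $hasTaintFlow
+  end
+
+  def m2
+    sink params.not_a_method
+  end
+
+  def m3
+    sink params.permit(:some_key) # $hasTaintFlow
+  end
+
+  def m4
+    sink params.require(:some_key) # $hasTaintFlow
+  end
+
+  def m5
+    sink params.required(:some_key) # $hasTaintFlow
+  end
+
+  def m6
+    sink params.deep_dup # $hasTaintFlow
+  end
+
+  def m7
+    sink params.deep_transform_keys(&:upcase) # $hasTaintFlow
+  end
+
+  def m8
+    sink params.deep_transform_keys!(&:upcase) # $hasTaintFlow
+  end
+
+  def m9
+    sink params.delete_if { |v| v.match? regex } # $hasTaintFlow
+  end
+
+  def m10
+    sink params.extract!(:a, :b) # $hasTaintFlow
+  end
+
+  def m11
+    sink params.keep_if { |v| v.match? regex } # $hasTaintFlow
+  end
+
+  def m12
+    sink params.select { |v| v.match? regex } # $hasTaintFlow
+  end
+
+  def m13
+    sink params.select! { |v| v.match? regex } # $hasTaintFlow
+  end
+
+  def m14
+    sink params.reject { |v| v.match? regex } # $hasTaintFlow
+  end
+
+  def m15
+    sink params.reject! { |v| v.match? regex } # $hasTaintFlow
+  end
+
+  def m16
+    sink params.to_h # $hasTaintFlow
+  end
+
+  def m17
+    sink params.to_hash # $hasTaintFlow
+  end
+
+  def m18
+    sink params.to_query # $hasTaintFlow
+  end
+
+  def m19
+    sink params.to_param # $hasTaintFlow
+  end
+
+  def m20
+    sink params.to_unsafe_h # $hasTaintFlow
+  end
+
+  def m21
+    sink params.to_unsafe_hash # $hasTaintFlow
+  end
+
+  def m22
+    sink params.transform_keys(&:upcase) # $hasTaintFlow
+  end
+
+  def m23
+    sink params.transform_keys!(&:upcase) # $hasTaintFlow
+  end
+
+  def m24
+    sink params.transform_values(&:upcase) # $hasTaintFlow
+  end
+
+  def m25
+    sink params.transform_values!(&:upcase) # $hasTaintFlow
+  end
+
+  def m26
+    sink params.values_at(:a, :b) # $hasTaintFlow
+  end
+
+  def m27
+    sink params.merge({a: 1}) # $hasTaintFlow
+    sink {a: 1}.merge(params) # $hasTaintFlow
+  end
+
+  def m28
+    sink params.reverse_merge({a: 1}) # $hasTaintFlow
+    sink {a: 1}.reverse_merge(params) # $hasTaintFlow
+  end
+
+  def m29
+    sink params.with_defaults({a: 1, b: 2}) # $hasTaintFlow
+    sink {a: 1}.with_defaults(params) # $hasTaintFlow
+  end
+
+  def m30
+    sink params.merge!({a: 1}) # $hasTaintFlow
+    sink {a: 1}.merge!(params) # $hasTaintFlow
+
+    p = {a: 1}
+    p.merge!(params)
+    sink p # $hasTaintFlow
+  end
+
+  def m31
+    sink params.reverse_merge!({a: 1}) # $hasTaintFlow
+    sink {a: 1}.reverse_merge!(params) # $hasTaintFlow
+
+    p = {a: 1}
+    p.reverse_merge!(params)
+    sink p # $hasTaintFlow
+  end
+
+  def m32
+    sink params.with_defaults!({a: 1, b: 2}) # $hasTaintFlow
+    sink {a: 1}.with_defaults!(params) # $hasTaintFlow
+
+    p = {a: 1}
+    p.with_defaults!(params)
+    sink p # $hasTaintFlow
+  end
+end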
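Review bot: `def m2` is defined twice in this fixture (the `as_json` case and the `not_a_method` case right after it); in Ruby the second definition replaces the first and `ruby -w` reports a method redefinition, so the two cases should get distinct names, e.g. `def m2_no_flow` for the negative case that carries no `$hasTaintFlow` expectation. A second, smaller point: `sink {a: 1}.merge(params)` and the matching lines in m28 through m32 are, as far as I can tell, read by MRI as `sink` followed by a block literal rather than a hash receiver, which is a syntax error under MRI; the expected output at line 112 shows the extractor treating `{a: 1}` as the receiver, so the test still passes, but `sink({a: 1}.merge(params))` would keep the fixture valid for both parsers.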