Add != to StringConstCompare

This means we treat != comparisons against strings as taint tracking guards: if foo != "A" foo # still tainted else foo # not tainted, because we know foo == "A" end
2026-04-26 01:05:15 +02:00 · 2021-09-10 16:37:48 +01:00
parent 8f36b0d7fe
commit 800e18349f
3 changed files with 23 additions and 9 deletions
--- a/ql/lib/codeql/ruby/dataflow/BarrierGuards.qll
+++ b/ql/lib/codeql/ruby/dataflow/BarrierGuards.qll
@@ -20,11 +20,16 @@ private import codeql.ruby.CFG
 class StringConstCompare extends DataFlow::BarrierGuard,
  CfgNodes::ExprNodes::ComparisonOperationCfgNode {
  private CfgNode checkedNode;
+  // The value of the condition that results in the node being validated.
+  private boolean checkedBranch;

  StringConstCompare() {
    exists(CfgNodes::ExprNodes::StringLiteralCfgNode strLitNode |
-      this.getExpr() instanceof EqExpr or
-      this.getExpr() instanceof CaseEqExpr
+      this.getExpr() instanceof EqExpr and checkedBranch = true
+      or
+      this.getExpr() instanceof CaseEqExpr and checkedBranch = true
+      or
+      this.getExpr() instanceof NEExpr and checkedBranch = false
    |
      this.getLeftOperand() = strLitNode and this.getRightOperand() = checkedNode
      or
@@ -32,7 +37,9 @@ class StringConstCompare extends DataFlow::BarrierGuard,
    )
  }

-  override predicate checks(CfgNode expr, boolean branch) { expr = checkedNode and branch = true }
+  override predicate checks(CfgNode expr, boolean branch) {
+    expr = checkedNode and branch = checkedBranch
+  }
 }

 /**
--- a/ql/test/library-tests/dataflow/barrier-guards/barrier-guards.expected
+++ b/ql/test/library-tests/dataflow/barrier-guards/barrier-guards.expected
@@ -1,2 +1,3 @@
-| barrier-guards.rb:3:4:3:15 | ... == ... | barrier-guards.rb:4:15:4:17 | foo | barrier-guards.rb:3:4:3:6 | foo | true |
-| barrier-guards.rb:9:4:9:24 | call to include? | barrier-guards.rb:10:15:10:17 | foo | barrier-guards.rb:9:21:9:23 | foo | true |
+| barrier-guards.rb:3:4:3:15 | ... == ... | barrier-guards.rb:4:13:4:15 | foo | barrier-guards.rb:3:4:3:6 | foo | true |
+| barrier-guards.rb:9:4:9:24 | call to include? | barrier-guards.rb:10:13:10:15 | foo | barrier-guards.rb:9:21:9:23 | foo | true |
+| barrier-guards.rb:15:4:15:15 | ... != ... | barrier-guards.rb:18:14:18:16 | foo | barrier-guards.rb:15:4:15:6 | foo | false |
--- a/ql/test/library-tests/dataflow/barrier-guards/barrier-guards.rb
+++ b/ql/test/library-tests/dataflow/barrier-guards/barrier-guards.rb
@@ -1,15 +1,21 @@
 foo = "foo"

 if foo == "foo"
-    do_true_1 foo
+    do_true foo
 else
-    do_false_1 foo
+    do_false foo
 end

 if ["foo"].include?(foo)
-    do_true_2 foo
+    do_true foo
 else
-    do_false_2 foo
+    do_false foo
+end
+
+if foo != "foo"
+    do_true foo
+else
+    do_false foo
 end

 do_default foo