Merge pull request #11250 from github/nickrolfe/stack-trace-exposure

Ruby: add stack-trace exposure query
2026-04-29 18:55:14 +02:00 · 2022-11-28 10:45:59 +00:00
parent 7456f3750d 50b10be2db
commit 8a94cabdbf
9 changed files with 208 additions and 0 deletions
--- a/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.expected
+++ b/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.expected
@@ -0,0 +1,12 @@
+edges
+| StackTraceExposure.rb:11:10:11:17 | call to caller :  | StackTraceExposure.rb:12:18:12:19 | bt |
+nodes
+| StackTraceExposure.rb:6:18:6:28 | call to backtrace | semmle.label | call to backtrace |
+| StackTraceExposure.rb:11:10:11:17 | call to caller :  | semmle.label | call to caller :  |
+| StackTraceExposure.rb:12:18:12:19 | bt | semmle.label | bt |
+| StackTraceExposure.rb:18:18:18:28 | call to backtrace | semmle.label | call to backtrace |
+subpaths
+#select
+| StackTraceExposure.rb:6:18:6:28 | call to backtrace | StackTraceExposure.rb:6:18:6:28 | call to backtrace | StackTraceExposure.rb:6:18:6:28 | call to backtrace | $@ can be exposed to an external user. | StackTraceExposure.rb:6:18:6:28 | call to backtrace | Error information |
+| StackTraceExposure.rb:12:18:12:19 | bt | StackTraceExposure.rb:11:10:11:17 | call to caller :  | StackTraceExposure.rb:12:18:12:19 | bt | $@ can be exposed to an external user. | StackTraceExposure.rb:11:10:11:17 | call to caller | Error information |
+| StackTraceExposure.rb:18:18:18:28 | call to backtrace | StackTraceExposure.rb:18:18:18:28 | call to backtrace | StackTraceExposure.rb:18:18:18:28 | call to backtrace | $@ can be exposed to an external user. | StackTraceExposure.rb:18:18:18:28 | call to backtrace | Error information |
--- a/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.qlref
+++ b/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.qlref
@@ -0,0 +1 @@
+queries/security/cwe-209/StackTraceExposure.ql
--- a/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.rb
+++ b/ruby/ql/test/query-tests/security/cwe-209/StackTraceExposure.rb
@@ -0,0 +1,21 @@
+class FooController < ApplicationController
+
+  def show
+    something_that_might_fail()
+  rescue => e
+    render body: e.backtrace, content_type: "text/plain"
+  end
+
+
+  def show2
+    bt = caller()
+    render body: bt, content_type: "text/plain"
+  end
+
+  def show3
+    not_a_method()
+  rescue NoMethodError => e
+    render body: e.backtrace, content_type: "text/plain"
+  end
+
+end
				`@@ -0,0 +1 @@`
				`queries/security/cwe-209/StackTraceExposure.ql`