Ruby: limit ActiveRecord conditions sink to first array element

2026-04-30 11:15:13 +02:00 · 2024-04-11 13:18:06 +01:00
parent 2950890180
commit 91bca4a2c3
2 changed files with 10 additions and 20 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
@@ -195,7 +195,14 @@ private predicate sqlFragmentArgumentInner(DataFlow::CallNode call, DataFlow::No
  or
  // This format was supported until Rails 2.3.8
  call = activeRecordQueryBuilderCall(["all", "find", "first", "last"]) and
-  sink = call.getKeywordArgument("conditions")
+  exists(DataFlow::LocalSourceNode sn |
+    sn = call.getKeywordArgument("conditions").getALocalSource()
+  |
+    sink = sn.(DataFlow::ArrayLiteralNode).getElement(0)
+    or
+    sn.(DataFlow::LiteralNode).asLiteralAstNode() instanceof StringlikeLiteral and
+    sink = sn
+  )
  or
  call = activeRecordQueryBuilderCall("reload") and
  sink = call.getKeywordArgument("lock")