update SqlInjection tests
@@ -6,6 +6,7 @@ class User < ApplicationRecord
|
||||
belongs_to :user_group
|
||||
|
||||
def self.authenticate(name, pass)
|
||||
# BAD: possible untrusted input interpolated into SQL fragment
|
||||
find(:first, :conditions => "name='#{name}' and pass='#{pass}'")
|
||||
end
|
||||
end
|
||||
@@ -19,21 +20,28 @@ class FooController < ActionController::Base
|
||||
|
||||
# A string tainted by user input is inserted into an SQL query
|
||||
def some_request_handler
|
||||
# SELECT AVG(#{params[:column]}) FROM "users"
|
||||
# BAD: executes `SELECT AVG(#{params[:column]}) FROM "users"`
|
||||
# where `params[:column]` is unsanitized
|
||||
User.calculate(:average, params[:column])
|
||||
|
||||
# DELETE FROM "users" WHERE (id = #{params[:id]})
|
||||
User.delete_all("id = #{params[:id]}")
|
||||
# BAD: executes `DELETE FROM "users" WHERE (id = '#{params[:id]}')`
|
||||
# where `params[:id]` is unsanitized
|
||||
User.delete_all("id = '#{params[:id]}'")
|
||||
|
||||
# SELECT "users".* FROM "users" WHERE (id = #{params[:id]})
|
||||
User.destroy_all(["id = #{params[:id]}"])
|
||||
# BAD: executes `SELECT "users".* FROM "users" WHERE (id = '#{params[:id]}')`
|
||||
# where `params[:id]` is unsanitized
|
||||
User.destroy_all(["id = '#{params[:id]}'"])
|
||||
|
||||
# SELECT "users".* FROM "users" WHERE id BETWEEN #{params[:min_id]} AND 100000
|
||||
# BAD: executes `SELECT "users".* FROM "users" WHERE id BETWEEN '#{params[:min_id]}' AND 100000`
|
||||
# where `params[:min_id]` is unsanitized
|
||||
User.where(<<-SQL, MAX_USER_ID)
|
||||
id BETWEEN #{params[:min_id]} AND ?
|
||||
id BETWEEN '#{params[:min_id]}' AND ?
|
||||
SQL
|
||||
|
||||
UserGroup.joins(:users).where("user.id = #{params[:id]}")
|
||||
# BAD: chained method case
|
||||
# executes `SELECT "users".* FROM "users" WHERE (NOT (user_id = 'params[:id]'))`
|
||||
# where `params[:id]` is unsanitized
|
||||
User.where.not("user.id = '#{params[:id]}'")
|
||||
|
||||
User.authenticate(params[:name], params[:pass])
|
||||
end
|
||||
@@ -45,24 +53,29 @@ class BarController < ApplicationController
|
||||
def some_other_request_handler
|
||||
ps = params
|
||||
uid = ps[:id]
|
||||
uidEq = "= #{uid}"
|
||||
uidEq = "= '#{uid}'"
|
||||
|
||||
# DELETE FROM "users" WHERE (id = #{uid})
|
||||
# BAD: executes `DELETE FROM "users" WHERE (id = #{uid})`
|
||||
# where `uid` is unsantized
|
||||
User.delete_all("id " + uidEq)
|
||||
end
|
||||
|
||||
def sanitized_paths
|
||||
|
||||
dir = params[:order]
|
||||
# barrier guard prevents taint flow
|
||||
# GOOD: barrier guard prevents taint flow
|
||||
dir = "DESC" unless dir == "ASC"
|
||||
User.order("name #{dir}")
|
||||
|
||||
name = params[:user_name]
|
||||
# barrier guard prevents taint flow
|
||||
# GOOD: barrier guard prevents taint flow
|
||||
if %w(alice bob charlie).include? name
|
||||
User.find_by("username = #{name}")
|
||||
end
|
||||
|
||||
name = params[:user_name]
|
||||
# GOOD: hash arguments are sanitized by ActiveRecord
|
||||
User.find_by(user_name: name)
|
||||
end
|
||||
end
|
||||
|
||||
|
||||
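Review bot: The new comment `# where `uid` is unsantized` in some_other_request_handler misspells "unsanitized"; the sibling comments in some_request_handler spell it correctly, so `# where `uid` is unsanitized` keeps the file consistent. The `# BAD: executes DELETE FROM "users" WHERE (id = #{uid})` comment directly above it also appears to lag behind the change to `uidEq = "= '#{uid}'"`: if that quoted form is the new side, the executed fragment is `id = '#{uid}'`, which is how the other updated BAD comments in this file already read. In some_request_handler (FooController's class body continues outside that hunk) the chained-method comment describes `user_id = 'params[:id]'` while the call is `User.where.not("user.id = '#{params[:id]}'")`; `user.id = '#{params[:id]}'` would match the code, including the missing `#{}`. Since the commit switches several cases from `#{params[:id]}` to `'#{params[:id]}'`, one comment near the first quoted case saying that single-quoting the interpolation is still string-built SQL and does not sanitize the value would make it clear to the next maintainer why these remain BAD cases that the query must keep flagging.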
@@ -1,38 +1,42 @@
|
||||
edges
|
||||
| ActiveRecordInjection.rb:8:25:8:28 | name : | ActiveRecordInjection.rb:9:33:9:67 | "name='#{...}' and pass='#{...}'" |
|
||||
| ActiveRecordInjection.rb:8:31:8:34 | pass : | ActiveRecordInjection.rb:9:33:9:67 | "name='#{...}' and pass='#{...}'" |
|
||||
| ActiveRecordInjection.rb:23:30:23:35 | call to params : | ActiveRecordInjection.rb:23:30:23:44 | ...[...] |
|
||||
| ActiveRecordInjection.rb:26:29:26:34 | call to params : | ActiveRecordInjection.rb:26:21:26:41 | "id = #{...}" |
|
||||
| ActiveRecordInjection.rb:33:20:33:25 | call to params : | ActiveRecordInjection.rb:32:16:32:21 | <<-SQL |
|
||||
| ActiveRecordInjection.rb:36:48:36:53 | call to params : | ActiveRecordInjection.rb:36:35:36:60 | "user.id = #{...}" |
|
||||
| ActiveRecordInjection.rb:38:23:38:28 | call to params : | ActiveRecordInjection.rb:38:23:38:35 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:38:23:38:35 | ...[...] : | ActiveRecordInjection.rb:8:25:8:28 | name : |
|
||||
| ActiveRecordInjection.rb:38:38:38:43 | call to params : | ActiveRecordInjection.rb:38:38:38:50 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:38:38:38:50 | ...[...] : | ActiveRecordInjection.rb:8:31:8:34 | pass : |
|
||||
| ActiveRecordInjection.rb:46:10:46:15 | call to params : | ActiveRecordInjection.rb:51:21:51:33 | ... + ... |
|
||||
| ActiveRecordInjection.rb:8:25:8:28 | name : | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" |
|
||||
| ActiveRecordInjection.rb:8:31:8:34 | pass : | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" |
|
||||
| ActiveRecordInjection.rb:25:30:25:35 | call to params : | ActiveRecordInjection.rb:25:30:25:44 | ...[...] |
|
||||
| ActiveRecordInjection.rb:29:30:29:35 | call to params : | ActiveRecordInjection.rb:29:21:29:43 | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:33:32:33:37 | call to params : | ActiveRecordInjection.rb:33:23:33:45 | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:38:21:38:26 | call to params : | ActiveRecordInjection.rb:37:16:37:21 | <<-SQL |
|
||||
| ActiveRecordInjection.rb:44:34:44:39 | call to params : | ActiveRecordInjection.rb:44:20:44:47 | "user.id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:46:23:46:28 | call to params : | ActiveRecordInjection.rb:46:23:46:35 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:46:23:46:35 | ...[...] : | ActiveRecordInjection.rb:8:25:8:28 | name : |
|
||||
| ActiveRecordInjection.rb:46:38:46:43 | call to params : | ActiveRecordInjection.rb:46:38:46:50 | ...[...] : |
|
||||
| ActiveRecordInjection.rb:46:38:46:50 | ...[...] : | ActiveRecordInjection.rb:8:31:8:34 | pass : |
|
||||
| ActiveRecordInjection.rb:54:10:54:15 | call to params : | ActiveRecordInjection.rb:60:21:60:33 | ... + ... |
|
||||
nodes
|
||||
| ActiveRecordInjection.rb:8:25:8:28 | name : | semmle.label | name : |
|
||||
| ActiveRecordInjection.rb:8:31:8:34 | pass : | semmle.label | pass : |
|
||||
| ActiveRecordInjection.rb:9:33:9:67 | "name='#{...}' and pass='#{...}'" | semmle.label | "name='#{...}' and pass='#{...}'" |
|
||||
| ActiveRecordInjection.rb:23:30:23:35 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:23:30:23:44 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:26:21:26:41 | "id = #{...}" | semmle.label | "id = #{...}" |
|
||||
| ActiveRecordInjection.rb:26:29:26:34 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:32:16:32:21 | <<-SQL | semmle.label | <<-SQL |
|
||||
| ActiveRecordInjection.rb:33:20:33:25 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:36:35:36:60 | "user.id = #{...}" | semmle.label | "user.id = #{...}" |
|
||||
| ActiveRecordInjection.rb:36:48:36:53 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:38:23:38:28 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:38:23:38:35 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:38:38:38:43 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:38:38:38:50 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:46:10:46:15 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:51:21:51:33 | ... + ... | semmle.label | ... + ... |
|
||||
| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | semmle.label | "name='#{...}' and pass='#{...}'" |
|
||||
| ActiveRecordInjection.rb:25:30:25:35 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:25:30:25:44 | ...[...] | semmle.label | ...[...] |
|
||||
| ActiveRecordInjection.rb:29:21:29:43 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:29:30:29:35 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:33:23:33:45 | "id = '#{...}'" | semmle.label | "id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:33:32:33:37 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:37:16:37:21 | <<-SQL | semmle.label | <<-SQL |
|
||||
| ActiveRecordInjection.rb:38:21:38:26 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:44:20:44:47 | "user.id = '#{...}'" | semmle.label | "user.id = '#{...}'" |
|
||||
| ActiveRecordInjection.rb:44:34:44:39 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:46:23:46:28 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:46:23:46:35 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:46:38:46:43 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:46:38:46:50 | ...[...] : | semmle.label | ...[...] : |
|
||||
| ActiveRecordInjection.rb:54:10:54:15 | call to params : | semmle.label | call to params : |
|
||||
| ActiveRecordInjection.rb:60:21:60:33 | ... + ... | semmle.label | ... + ... |
|
||||
#select
|
||||
| ActiveRecordInjection.rb:9:33:9:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:38:23:38:28 | call to params : | ActiveRecordInjection.rb:9:33:9:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:38:23:38:28 | call to params | a user-provided value |
|
||||
| ActiveRecordInjection.rb:9:33:9:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:38:38:38:43 | call to params : | ActiveRecordInjection.rb:9:33:9:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:38:38:38:43 | call to params | a user-provided value |
|
||||
| ActiveRecordInjection.rb:23:30:23:44 | ...[...] | ActiveRecordInjection.rb:23:30:23:35 | call to params : | ActiveRecordInjection.rb:23:30:23:44 | ...[...] | This SQL query depends on $@. | ActiveRecordInjection.rb:23:30:23:35 | call to params | a user-provided value |
|
||||
| ActiveRecordInjection.rb:26:21:26:41 | "id = #{...}" | ActiveRecordInjection.rb:26:29:26:34 | call to params : | ActiveRecordInjection.rb:26:21:26:41 | "id = #{...}" | This SQL query depends on $@. | ActiveRecordInjection.rb:26:29:26:34 | call to params | a user-provided value |
|
||||
| ActiveRecordInjection.rb:32:16:32:21 | <<-SQL | ActiveRecordInjection.rb:33:20:33:25 | call to params : | ActiveRecordInjection.rb:32:16:32:21 | <<-SQL | This SQL query depends on $@. | ActiveRecordInjection.rb:33:20:33:25 | call to params | a user-provided value |
|
||||
| ActiveRecordInjection.rb:36:35:36:60 | "user.id = #{...}" | ActiveRecordInjection.rb:36:48:36:53 | call to params : | ActiveRecordInjection.rb:36:35:36:60 | "user.id = #{...}" | This SQL query depends on $@. | ActiveRecordInjection.rb:36:48:36:53 | call to params | a user-provided value |
|
||||
| ActiveRecordInjection.rb:51:21:51:33 | ... + ... | ActiveRecordInjection.rb:46:10:46:15 | call to params : | ActiveRecordInjection.rb:51:21:51:33 | ... + ... | This SQL query depends on $@. | ActiveRecordInjection.rb:46:10:46:15 | call to params | a user-provided value |
|
||||
| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:46:23:46:28 | call to params : | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:46:23:46:28 | call to params | a user-provided value |
|
||||
| ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:46:38:46:43 | call to params : | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:46:38:46:43 | call to params | a user-provided value |
|
||||
| ActiveRecordInjection.rb:25:30:25:44 | ...[...] | ActiveRecordInjection.rb:25:30:25:35 | call to params : | ActiveRecordInjection.rb:25:30:25:44 | ...[...] | This SQL query depends on $@. | ActiveRecordInjection.rb:25:30:25:35 | call to params | a user-provided value |
|
||||
| ActiveRecordInjection.rb:29:21:29:43 | "id = '#{...}'" | ActiveRecordInjection.rb:29:30:29:35 | call to params : | ActiveRecordInjection.rb:29:21:29:43 | "id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:29:30:29:35 | call to params | a user-provided value |
|
||||
| ActiveRecordInjection.rb:33:23:33:45 | "id = '#{...}'" | ActiveRecordInjection.rb:33:32:33:37 | call to params : | ActiveRecordInjection.rb:33:23:33:45 | "id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:33:32:33:37 | call to params | a user-provided value |
|
||||
| ActiveRecordInjection.rb:37:16:37:21 | <<-SQL | ActiveRecordInjection.rb:38:21:38:26 | call to params : | ActiveRecordInjection.rb:37:16:37:21 | <<-SQL | This SQL query depends on $@. | ActiveRecordInjection.rb:38:21:38:26 | call to params | a user-provided value |
|
||||
| ActiveRecordInjection.rb:44:20:44:47 | "user.id = '#{...}'" | ActiveRecordInjection.rb:44:34:44:39 | call to params : | ActiveRecordInjection.rb:44:20:44:47 | "user.id = '#{...}'" | This SQL query depends on $@. | ActiveRecordInjection.rb:44:34:44:39 | call to params | a user-provided value |
|
||||
| ActiveRecordInjection.rb:60:21:60:33 | ... + ... | ActiveRecordInjection.rb:54:10:54:15 | call to params : | ActiveRecordInjection.rb:60:21:60:33 | ... + ... | This SQL query depends on $@. | ActiveRecordInjection.rb:54:10:54:15 | call to params | a user-provided value |
|
||||
|
||||