hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2025-12-17 01:03:14 +01:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10749 from aibaars/run_request

Browse Source 
Ruby: treat Faraday#run_request as remote source
This commit is contained in:
Arthur Baars
2022-10-14 12:24:39 +02:00
committed by GitHub
parent 7d23170fb2 9abd599024
commit 9ccf5a7798
2 changed files with 6 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
ruby/ql/lib/change-notes/2022-10-13-faraday-run-request.md Normal file
View File

@@ -0,0 +1,4 @@
---
category: minorAnalysis
---
* The response value returned by the `Faraday#run_request` method is now also considered a source of remote input.

3
ruby/ql/lib/codeql/ruby/frameworks/http_clients/Faraday.qll
View File

@@ -37,7 +37,8 @@ class FaradayHttpRequest extends Http::Client::Request::Range, DataFlow::CallNod
API::getTopLevelMember("Faraday").getInstance() API::getTopLevelMember("Faraday").getInstance()
] and ] and
requestNode = requestNode =
connectionNode.getReturn(["get", "head", "delete", "post", "put", "patch", "trace"]) and connectionNode
.getReturn(["get", "head", "delete", "post", "put", "patch", "trace", "run_request"]) and
this = requestNode.asSource() and this = requestNode.asSource() and
connectionUse = connectionNode.asSource() connectionUse = connectionNode.asSource()
} }