Fix #19294, Ruby NetHttpRequest improvements

2025-12-16 16:53:25 +01:00 · 2025-07-21 15:17:54 -04:00
parent 05572b49de
commit 9da94fb880
2 changed files with 26 additions and 4 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/http_clients/NetHttp.qll
@@ -12,15 +12,22 @@ private import codeql.ruby.DataFlow
 /**
 * A `Net::HTTP` call which initiates an HTTP request.
 * ```ruby
+ * # one-off request
 * Net::HTTP.get("http://example.com/")
 * Net::HTTP.post("http://example.com/", "some_data")
 * req = Net::HTTP.new("example.com")
 * response = req.get("/")
+ *
+ * # connection re-use
+ * Net::HTTP.start("http://example.com") do |http|
+ *   http.get("/")
+ * end
 * ```
 */
 class NetHttpRequest extends Http::Client::Request::Range instanceof DataFlow::CallNode {
  private DataFlow::CallNode request;
-  private API::Node requestNode;
+  API::Node requestNode;
+  API::Node connectionNode;
  private boolean returnsResponseBody;

  NetHttpRequest() {
@@ -30,20 +37,27 @@ class NetHttpRequest extends Http::Client::Request::Range instanceof DataFlow::C
    |
      // Net::HTTP.get(...)
      method in ["get", "get_response"] and
-      requestNode = API::getTopLevelMember("Net").getMember("HTTP").getReturn(method) and
+      connectionNode = API::getTopLevelMember("Net").getMember("HTTP") and
+      requestNode = connectionNode.getReturn(method) and
      returnsResponseBody = true
      or
      // Net::HTTP.post(...).body
      method in ["post", "post_form"] and
-      requestNode = API::getTopLevelMember("Net").getMember("HTTP").getReturn(method) and
+      connectionNode = API::getTopLevelMember("Net").getMember("HTTP") and
+      requestNode = connectionNode.getReturn(method) and
      returnsResponseBody = false
      or
      // Net::HTTP.new(..).get(..).body
+      // Net::HTTP.start(..) do |http| http.get(..) end
      method in [
          "get", "get2", "request_get", "head", "head2", "request_head", "delete", "put", "patch",
          "post", "post2", "request_post", "request"
        ] and
-      requestNode = API::getTopLevelMember("Net").getMember("HTTP").getInstance().getReturn(method) and
+      connectionNode = [
+        API::getTopLevelMember("Net").getMember("HTTP").getInstance(),
+        API::getTopLevelMember("Net").getMember("HTTP").getMethod("start").getBlock().getParameter(0)
+        ] and
+      requestNode = connectionNode.getReturn(method) and
      returnsResponseBody = false
    )
  }
--- a/ruby/ql/test/library-tests/frameworks/http_clients/NetHttp.rb
+++ b/ruby/ql/test/library-tests/frameworks/http_clients/NetHttp.rb
@@ -27,3 +27,11 @@ end
 get("example.com", "/").body

 Net::HTTP.post(uri, "some_body") # note: response body not accessed
+
+http = Net::HTTP.new("https://example.com")
+root_get = Net::HTTP::Get.new("/")
+http.request(root_get)
+
+Net::HTTP.start("https://example.com") do |http|
+  http.get("/")
+end