Ruby: Model sanitize ActionView helper

2026-04-28 02:05:14 +02:00 · 2022-09-07 15:02:23 +01:00
parent 9e625acd3d
commit 9f99a3ca1f
2 changed files with 4 additions and 1 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/ActionView.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActionView.qll
@@ -38,7 +38,7 @@ private class ActionViewHtmlSafeCall extends HtmlSafeCall {
 */
 abstract class HtmlEscapeCall extends MethodCall {
  // "h" is aliased to "html_escape" in ActiveSupport
-  HtmlEscapeCall() { this.getMethodName() = ["html_escape", "html_escape_once", "h"] }
+  HtmlEscapeCall() { this.getMethodName() = ["html_escape", "html_escape_once", "h", "sanitize"] }
 }

 /**
--- a/ruby/ql/test/query-tests/security/cwe-079/app/views/foo/bars/show.html.erb
+++ b/ruby/ql/test/query-tests/security/cwe-079/app/views/foo/bars/show.html.erb
@@ -75,3 +75,6 @@

 <%# BAD: javasript_include_tag called with remote input %>
 <%= javascript_include_tag params[:url] %>
+
+<%# GOOD: input is sanitized %>
+<%= sanitize(params[:comment]).html_safe %>