more custom array steps from unsafe-code-construction to a utility predicate

This commit is contained in:
erik-krogh
2023-01-30 16:46:13 +01:00
parent 89d835b9ec
commit a4c42aa14b
2 changed files with 21 additions and 12 deletions


@@ -1815,6 +1815,25 @@ module Array {
preservesValue = true
}
}
/**
* Holds if there an array element `pred` might taint the array defined by `succ`.
* This is used for queries where we consider an entire array to be tainted if any of its elements are tainted.
*/
predicate taintedArrayObjectSteps(DataFlow::Node pred, DataFlow::Node succ) {
exists(DataFlow::CallNode call |
call.getMethodName() = ["<<", "push", "append"] and
call.getReceiver() = succ and
pred = call.getArgument(0) and
call.getNumberOfArguments() = 1
)
or
exists(DataFlow::CallNode call |
call.getMethodName() = "[]" and
succ = call and
pred = call.getArgument(_)
)
}
}
/**
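Review bot: The QLDoc on the new `taintedArrayObjectSteps` predicate reads "Holds if there an array element `pred` might taint ..." (a word is missing), and now that the predicate lives in the shared `Array` framework module it should state how coarse it is, since other queries will pick it up by name. I would write it as "Holds if an array element 'pred' might taint the array 'succ'. This is a deliberate over-approximation used by queries that treat an entire array as tainted once any element is tainted; the '[]' case matches any call named '[]' and every one of its arguments, regardless of receiver." The second disjunct constrains only the method name, `succ = call` and `pred = call.getArgument(_)`, so a tainted index into a hash or string also taints the result for every adopting query, which is a precision trade-off worth making explicit at the definition rather than at each caller. If the first disjunct is meant to cover element insertion generally, note that `unshift`, `prepend` and `concat` are not in the `["<<", "push", "append"]` list. The enclosing `module Array` opens before this hunk.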


@@ -10,6 +10,7 @@ import codeql.ruby.DataFlow
import UnsafeCodeConstructionCustomizations::UnsafeCodeConstruction
private import codeql.ruby.TaintTracking
private import codeql.ruby.dataflow.BarrierGuards
private import codeql.ruby.frameworks.core.Array
/**
* A taint-tracking configuration for detecting code constructed from library input vulnerabilities.
@@ -33,17 +34,6 @@ class Configuration extends TaintTracking::Configuration {
override predicate isAdditionalTaintStep(DataFlow::Node pred, DataFlow::Node succ) {
// if an array element gets tainted, then we treat the entire array as tainted
exists(DataFlow::CallNode call |
call.getMethodName() = ["<<", "push", "append"] and
call.getReceiver() = succ and
pred = call.getArgument(0) and
call.getNumberOfArguments() = 1
)
or
exists(DataFlow::CallNode call |
call.getMethodName() = "[]" and
succ = call and
pred = call.getArgument(_)
)
Array::taintedArrayObjectSteps(pred, succ)
}
}
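Review bot: The `isAdditionalTaintStep` override now consists of the single call `Array::taintedArrayObjectSteps(pred, succ)` and carries no QLDoc, so a reader of this query can no longer see from here that the step intentionally marks a whole array tainted on any element write or on any `[]` call argument. If the inline comment above the call is kept it covers the first half of that; I would still add, above `override predicate isAdditionalTaintStep`, a QLDoc such as `/** Treats an array as tainted once any element is tainted (see `Array::taintedArrayObjectSteps`); this is deliberately broad because any tainted element may end up in the constructed code. */`. Since the step is now defined in a framework module, any later widening of that predicate silently changes this query's results, which is another reason to record the intended scope here. The `Configuration` class begins outside this hunk, and the hunk's line counts suggest one context line is not shown on this page.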