Ruby: configsig rb/path-injection

This commit is contained in:
Alex Ford
2023-09-01 13:53:17 +01:00
parent 867e47bcdd
commit ad2bbfb265
2 changed files with 21 additions and 5 deletions


@@ -3,7 +3,7 @@
* path injection vulnerabilities.
*
* Note, for performance reasons: only import this file if
* `PathInjection::Configuration` is needed, otherwise
* `PathInjectionFlow` is needed, otherwise
* `PathInjectionCustomizations` should be imported instead.
*/
@@ -15,8 +15,9 @@ private import codeql.ruby.TaintTracking
/**
* A taint-tracking configuration for reasoning about path injection
* vulnerabilities.
* DEPRECATED: Use `PathInjectionFlow`
*/
class Configuration extends TaintTracking::Configuration {
deprecated class Configuration extends TaintTracking::Configuration {
Configuration() { this = "PathInjection" }
override predicate isSource(DataFlow::Node source) { source instanceof PathInjection::Source }
@@ -31,3 +32,18 @@ class Configuration extends TaintTracking::Configuration {
guard instanceof PathInjection::SanitizerGuard
}
}
private module PathInjectionConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) { source instanceof PathInjection::Source }
predicate isSink(DataFlow::Node sink) { sink instanceof PathInjection::Sink }
predicate isBarrier(DataFlow::Node node) {
node instanceof Path::PathSanitization or node instanceof PathInjection::Sanitizer
}
}
/**
* Taint-tracking for detecting path injection vulnerabilities.
*/
module PathInjectionFlow = TaintTracking::Global<PathInjectionConfig>;
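Review bot: The new `isBarrier` in `PathInjectionConfig` (the `node instanceof Path::PathSanitization or node instanceof PathInjection::Sanitizer` line) has no counterpart for the barrier-guard handling the deprecated `Configuration` still has (the `guard instanceof PathInjection::SanitizerGuard` context line, whose enclosing predicate starts outside the hunk), so a `PathInjection::SanitizerGuard` extension that suppressed flow under the old class appears to have no effect on `PathInjectionFlow`, and the paths it used to cut would resurface as results. If `SanitizerGuard` is still a live extension point, the `ConfigSig` equivalent is an extra disjunct in `isBarrier` of the form `or node = DataFlow::BarrierGuard<GUARD_CHECKS_PREDICATE>::getABarrierNode()` with a guard-checks predicate derived from `SanitizerGuard`; if it is itself deprecated and empty, a short comment in `isBarrier` saying so would stop the next reader from re-raising this. Separately, `PathInjectionConfig` has no QLDoc while the neighbouring `PathInjectionFlow` does; `/** A taint-tracking configuration for path injection, used by PathInjectionFlow. */` above the module would match the file's style.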


@@ -17,9 +17,9 @@
import ruby
import codeql.ruby.security.PathInjectionQuery
import DataFlow::PathGraph
import PathInjectionFlow::PathGraph
from Configuration cfg, DataFlow::PathNode source, DataFlow::PathNode sink
where cfg.hasFlowPath(source, sink)
from PathInjectionFlow::PathNode source, PathInjectionFlow::PathNode sink
where PathInjectionFlow::flowPath(source, sink)
select sink.getNode(), source, sink, "This path depends on a $@.", source.getNode(),
"user-provided value"