Merge branch 'main' into redsun82/bzlmod

2026-04-24 00:05:14 +02:00 · 2024-02-22 15:35:41 +01:00
parent fe6b27bcf8 2b4b512611
commit b1e0287a7c
37 changed files with 692 additions and 190 deletions
--- a/java/kotlin-extractor/kotlin_plugin_versions.py
+++ b/java/kotlin-extractor/kotlin_plugin_versions.py
@@ -46,7 +46,7 @@ def version_string_to_version(version):
 # Version number used by CI.
 ci_version = '1.9.0'

-many_versions = [ '1.5.0', '1.5.10', '1.5.20', '1.5.30', '1.6.0', '1.6.20', '1.7.0', '1.7.20', '1.8.0', '1.9.0-Beta', '1.9.20-Beta', '2.0.0-Beta3', '2.0.255-SNAPSHOT' ]
+many_versions = [ '1.5.0', '1.5.10', '1.5.20', '1.5.30', '1.6.0', '1.6.20', '1.7.0', '1.7.20', '1.8.0', '1.9.0-Beta', '1.9.20-Beta', '2.0.0-Beta4', '2.0.255-SNAPSHOT' ]

 many_versions_versions = [version_string_to_version(v) for v in many_versions]
 many_versions_versions_asc  = sorted(many_versions_versions, key = lambda v: v.toTupleWithTag())
--- a/java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta4/IrSymbolInternals.kt
+++ b/java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta4/IrSymbolInternals.kt
--- a/java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta4/JavaBinarySourceElement.kt
+++ b/java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta4/JavaBinarySourceElement.kt
--- a/java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_255-SNAPSHOT/JvmDefaultModeEnabled.kt
+++ b/java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_255-SNAPSHOT/JvmDefaultModeEnabled.kt
--- a/java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_255-SNAPSHOT/Psi2Ir.kt
+++ b/java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_255-SNAPSHOT/Psi2Ir.kt
--- a/java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta4/parents.kt
+++ b/java/kotlin-extractor/src/main/kotlin/utils/versions/v_2_0_0-Beta4/parents.kt
--- a/java/ql/lib/semmle/code/java/security/AndroidLocalAuthQuery.qll
+++ b/java/ql/lib/semmle/code/java/security/AndroidLocalAuthQuery.qll
@@ -1,6 +1,7 @@
 /** Definitions for the insecure local authentication query. */

 import java
+private import semmle.code.java.dataflow.DataFlow

 /** A base class that is used as a callback for biometric authentication. */
 private class AuthenticationCallbackClass extends Class {
@@ -40,3 +41,24 @@ class AuthenticationSuccessCallback extends Method {
    not result = this.getASuperResultUse()
  }
 }
+
+/** A call that sets a parameter for key generation that is insecure for use with biometric authentication. */
+class InsecureBiometricKeyParamCall extends MethodCall {
+  InsecureBiometricKeyParamCall() {
+    exists(string name, CompileTimeConstantExpr val |
+      this.getMethod()
+          .hasQualifiedName("android.security.keystore", "KeyGenParameterSpec$Builder", name) and
+      DataFlow::localExprFlow(val, this.getArgument(0)) and
+      (
+        name = ["setUserAuthenticationRequired", "setInvalidatedByBiometricEnrollment"] and
+        val.getBooleanValue() = false
+        or
+        name = "setUserAuthenticationValidityDurationSeconds" and
+        val.getIntValue() != -1
+      )
+    )
+  }
+}
+
+/** Holds if the application contains an instance of a key being used for local biometric authentication. */
+predicate usesLocalAuth() { exists(AuthenticationSuccessCallback cb | exists(cb.getAResultUse())) }
--- a/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.qhelp
+++ b/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.qhelp
@@ -0,0 +1,43 @@
+<!DOCTYPE qhelp PUBLIC
+  "-//Semmle//qhelp//EN"
+  "qhelp.dtd">
+<qhelp>
+
+<overview>
+<p>
+Biometric authentication, such as fingerprint recognition, can be used alongside cryptographic keys stored in the Android <code>KeyStore</code> to protect sensitive parts of the application. However, 
+when a key generated for this purpose has certain parameters set insecurely, an attacker with physical access can bypass the 
+authentication check using application hooking tools such as Frida.
+</p>
+</overview>
+
+<recommendation>
+<p>
+When generating a key for use with biometric authentication, ensure that the following parameters of <code>KeyGenParameterSpec.Builder</code> are set:
+</p>
+<ul>
+<li><code>setUserAuthenticationRequired</code> should be set to <code>true</code>; otherwise, the key can be used without user authentication.</li>
+<li><code>setInvalidatedByBiometricEnrollment</code> should be set to <code>true</code> (the default); otherwise, an attacker can use the key by enrolling additional biometrics on the device.</li>
+<li><code>setUserAuthenticationValidityDurationSeconds</code>, if used, should be set to <code>-1</code>; otherwise, non-biometric (less secure) credentials can be used to access the key. We recommend using <code>setUserAuthenticationParameters</code> instead to explicitly set both the timeout and the types of credentials that may be used.</li>
+</ul>
+
+</recommendation>
+
+<example>
+<p>The following example demonstrates a key that is configured with secure paramaters:</p>
+<sample src="AndroidInsecureKeysGood.java"/>
+
+<p>In each of the following cases, a parameter is set insecurely:</p>
+<sample src="AndroidInsecureKeysBad.java"/>
+</example>
+
+<references>
+<li>
+WithSecure: <a href="https://labs.withsecure.com/publications/how-secure-is-your-android-keystore-authentication">How Secure is your Android Keystore Authentication?</a>.
+</li>
+<li>
+Android Developers: <a href="https://developer.android.com/reference/android/security/keystore/KeyGenParameterSpec.Builder">KeyGenParameterSpec.Builder</a>.
+</li>
+
+</references>
+</qhelp>
--- a/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.ql
+++ b/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeys.ql
@@ -0,0 +1,18 @@
+/**
+ * @name Insecurely generated keys for local authentication
+ * @description Generation of keys with insecure parameters for local biometric authentication can allow attackers with physical access to bypass authentication checks.
+ * @kind problem
+ * @problem.severity warning
+ * @security-severity 4.4
+ * @precision medium
+ * @id java/android/insecure-local-key-gen
+ * @tags security
+ *       external/cwe/cwe-287
+ */
+
+import java
+import semmle.code.java.security.AndroidLocalAuthQuery
+
+from InsecureBiometricKeyParamCall call
+where usesLocalAuth()
+select call, "This key is not secure for biometric authentication."
--- a/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeysBad.java
+++ b/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeysBad.java
@@ -0,0 +1,47 @@
+private void generateSecretKey() {
+    KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(
+        "MySecretKey",
+        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
+        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
+        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+        // BAD: User authentication is not required to use this key.
+        .setUserAuthenticationRequired(false)
+        .build();
+    KeyGenerator keyGenerator = KeyGenerator.getInstance(
+            KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
+    keyGenerator.init(keyGenParameterSpec);
+    keyGenerator.generateKey();
+}
+
+private void generateSecretKey() {
+    KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(
+        "MySecretKey",
+        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
+        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
+        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+        .setUserAuthenticationRequired(true)
+        // BAD: An attacker can access this key by enrolling additional biometrics.
+        .setInvalidatedByBiometricEnrollment(false)
+        .build();
+    KeyGenerator keyGenerator = KeyGenerator.getInstance(
+            KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
+    keyGenerator.init(keyGenParameterSpec);
+    keyGenerator.generateKey();
+}
+
+private void generateSecretKey() {
+    KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(
+        "MySecretKey",
+        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
+        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
+        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+        .setUserAuthenticationRequired(true)
+        .setInvalidatedByBiometricEnrollment(true)
+        // BAD: This key can be accessed using non-biometric credentials. 
+        .setUserAuthenticationValidityDurationSeconds(30)
+        .build();
+    KeyGenerator keyGenerator = KeyGenerator.getInstance(
+            KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
+    keyGenerator.init(keyGenParameterSpec);
+    keyGenerator.generateKey();
+}
--- a/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeysGood.java
+++ b/java/ql/src/Security/CWE/CWE-287/AndroidInsecureKeysGood.java
@@ -0,0 +1,16 @@
+private void generateSecretKey() {
+    KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(
+        "MySecretKey",
+        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
+        .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
+        .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+        // GOOD: Secure parameters are used to generate a key for biometric authentication.
+        .setUserAuthenticationRequired(true)
+        .setInvalidatedByBiometricEnrollment(true)
+        .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
+        .build();
+    KeyGenerator keyGenerator = KeyGenerator.getInstance(
+            KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
+    keyGenerator.init(keyGenParameterSpec);
+    keyGenerator.generateKey();
+}
--- a/java/ql/src/change-notes/2024-02-12-android-insecure-keys.md
+++ b/java/ql/src/change-notes/2024-02-12-android-insecure-keys.md
@@ -0,0 +1,4 @@
+---
+category: newQuery
+---
+* Added a new query `java/android/insecure-local-key-gen` for finding instances of keys generated for biometric authentication in an insecure way.
--- a/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/InsecureKeys.expected
+++ b/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/InsecureKeys.expected
--- a/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/InsecureKeys.ql
+++ b/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/InsecureKeys.ql
@@ -0,0 +1,19 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.AndroidLocalAuthQuery
+
+module InsecureKeysTest implements TestSig {
+  string getARelevantTag() { result = "insecure-key" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "insecure-key" and
+    exists(InsecureBiometricKeyParamCall call | usesLocalAuth() |
+      call.getLocation() = location and
+      element = call.toString() and
+      value = ""
+    )
+  }
+}
+
+import MakeTest<InsecureKeysTest>
--- a/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/Test.java
+++ b/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/Test.java
@@ -0,0 +1,39 @@
+import android.security.keystore.KeyGenParameterSpec;
+import android.hardware.biometrics.BiometricPrompt;
+import android.security.keystore.KeyProperties;
+import javax.crypto.KeyGenerator;
+
+class Test {
+    void test() {
+        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder("MySecretKey", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT);
+        builder.setUserAuthenticationRequired(false); // $insecure-key
+        builder.setInvalidatedByBiometricEnrollment(false); // $insecure-key
+        builder.setUserAuthenticationValidityDurationSeconds(30); // $insecure-key
+    }
+
+    private void generateSecretKey() throws Exception {
+        KeyGenParameterSpec keyGenParameterSpec = new KeyGenParameterSpec.Builder(
+            "MySecretKey",
+            KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
+            .setBlockModes(KeyProperties.BLOCK_MODE_CBC)
+            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_PKCS7)
+            // GOOD: Secure parameters are used to generate a key for biometric authentication.
+            .setUserAuthenticationRequired(true)
+            .setInvalidatedByBiometricEnrollment(true)
+            .setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG)
+            .build();
+        KeyGenerator keyGenerator = KeyGenerator.getInstance(
+                KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore");
+        keyGenerator.init(keyGenParameterSpec);
+        keyGenerator.generateKey();
+    }
+}
+
+class Callback extends BiometricPrompt.AuthenticationCallback {
+    public static void useKey(BiometricPrompt.CryptoObject key) {}
+
+    @Override
+    public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult result) {
+        useKey(result.getCryptoObject());
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/options
+++ b/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test1/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/google-android-9.0.0
--- a/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/InsecureKeys.expected
+++ b/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/InsecureKeys.expected
@@ -0,0 +1,2 @@
+testFailures
+failures
--- a/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/InsecureKeys.ql
+++ b/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/InsecureKeys.ql
@@ -0,0 +1,19 @@
+import java
+import TestUtilities.InlineExpectationsTest
+import semmle.code.java.dataflow.DataFlow
+import semmle.code.java.security.AndroidLocalAuthQuery
+
+module InsecureKeysTest implements TestSig {
+  string getARelevantTag() { result = "insecure-key" }
+
+  predicate hasActualResult(Location location, string element, string tag, string value) {
+    tag = "insecure-key" and
+    exists(InsecureBiometricKeyParamCall call | usesLocalAuth() |
+      call.getLocation() = location and
+      element = call.toString() and
+      value = ""
+    )
+  }
+}
+
+import MakeTest<InsecureKeysTest>
--- a/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/Test.java
+++ b/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/Test.java
@@ -0,0 +1,13 @@
+import android.security.keystore.KeyGenParameterSpec;
+import android.hardware.biometrics.BiometricPrompt;
+import android.security.keystore.KeyProperties;
+
+class Test {
+    void test() {
+        KeyGenParameterSpec.Builder builder = new KeyGenParameterSpec.Builder("MySecretKey", KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT);
+        // No alert as there is no use of biometric authentication in this application.
+        builder.setUserAuthenticationRequired(false); 
+        builder.setInvalidatedByBiometricEnrollment(false); 
+        builder.setUserAuthenticationValidityDurationSeconds(30); 
+    }
+}
--- a/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/options
+++ b/java/ql/test/query-tests/security/CWE-287/InsecureKeys/Test2/options
@@ -0,0 +1 @@
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/google-android-9.0.0
--- a/java/ql/test/query-tests/security/CWE-287/InsecureLocalAuth/InsecureLocalAuth.expected
+++ b/java/ql/test/query-tests/security/CWE-287/InsecureLocalAuth/InsecureLocalAuth.expected
@@ -0,0 +1,2 @@
+testFailures
+failures
--- a/java/ql/test/query-tests/security/CWE-287/InsecureLocalAuth/InsecureLocalAuth.ql
+++ b/java/ql/test/query-tests/security/CWE-287/InsecureLocalAuth/InsecureLocalAuth.ql
--- a/java/ql/test/query-tests/security/CWE-287/InsecureLocalAuth/Test.java
+++ b/java/ql/test/query-tests/security/CWE-287/InsecureLocalAuth/Test.java
--- a/java/ql/test/query-tests/security/CWE-287/InsecureLocalAuth/Test2.java
+++ b/java/ql/test/query-tests/security/CWE-287/InsecureLocalAuth/Test2.java
--- a/java/ql/test/query-tests/security/CWE-287/InsecureLocalAuth/options
+++ b/java/ql/test/query-tests/security/CWE-287/InsecureLocalAuth/options
@@ -1 +1 @@
-//semmle-extractor-options: --javac-args -cp ${testdir}/../../../stubs/google-android-9.0.0
+//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../stubs/google-android-9.0.0
--- a/java/ql/test/stubs/google-android-9.0.0/android/security/keystore/KeyGenParameterSpec.java
+++ b/java/ql/test/stubs/google-android-9.0.0/android/security/keystore/KeyGenParameterSpec.java
@@ -0,0 +1,76 @@
+// Generated automatically from android.security.keystore.KeyGenParameterSpec for testing purposes
+
+package android.security.keystore;
+
+import java.math.BigInteger;
+import java.security.spec.AlgorithmParameterSpec;
+import java.util.Date;
+import javax.security.auth.x500.X500Principal;
+
+public class KeyGenParameterSpec implements AlgorithmParameterSpec
+{
+    public AlgorithmParameterSpec getAlgorithmParameterSpec(){ return null; }
+    public BigInteger getCertificateSerialNumber(){ return null; }
+    public Date getCertificateNotAfter(){ return null; }
+    public Date getCertificateNotBefore(){ return null; }
+    public Date getKeyValidityForConsumptionEnd(){ return null; }
+    public Date getKeyValidityForOriginationEnd(){ return null; }
+    public Date getKeyValidityStart(){ return null; }
+    public String getAttestKeyAlias(){ return null; }
+    public String getKeystoreAlias(){ return null; }
+    public String[] getBlockModes(){ return null; }
+    public String[] getDigests(){ return null; }
+    public String[] getEncryptionPaddings(){ return null; }
+    public String[] getSignaturePaddings(){ return null; }
+    public X500Principal getCertificateSubject(){ return null; }
+    public boolean isDevicePropertiesAttestationIncluded(){ return false; }
+    public boolean isDigestsSpecified(){ return false; }
+    public boolean isInvalidatedByBiometricEnrollment(){ return false; }
+    public boolean isRandomizedEncryptionRequired(){ return false; }
+    public boolean isStrongBoxBacked(){ return false; }
+    public boolean isUnlockedDeviceRequired(){ return false; }
+    public boolean isUserAuthenticationRequired(){ return false; }
+    public boolean isUserAuthenticationValidWhileOnBody(){ return false; }
+    public boolean isUserConfirmationRequired(){ return false; }
+    public boolean isUserPresenceRequired(){ return false; }
+    public byte[] getAttestationChallenge(){ return null; }
+    public int getKeySize(){ return 0; }
+    public int getMaxUsageCount(){ return 0; }
+    public int getPurposes(){ return 0; }
+    public int getUserAuthenticationType(){ return 0; }
+    public int getUserAuthenticationValidityDurationSeconds(){ return 0; }
+    static public class Builder
+    {
+        protected Builder() {}
+        public Builder(String p0, int p1){}
+        public KeyGenParameterSpec build(){ return null; }
+        public KeyGenParameterSpec.Builder setAlgorithmParameterSpec(AlgorithmParameterSpec p0){ return null; }
+        public KeyGenParameterSpec.Builder setAttestKeyAlias(String p0){ return null; }
+        public KeyGenParameterSpec.Builder setAttestationChallenge(byte[] p0){ return null; }
+        public KeyGenParameterSpec.Builder setBlockModes(String... p0){ return null; }
+        public KeyGenParameterSpec.Builder setCertificateNotAfter(Date p0){ return null; }
+        public KeyGenParameterSpec.Builder setCertificateNotBefore(Date p0){ return null; }
+        public KeyGenParameterSpec.Builder setCertificateSerialNumber(BigInteger p0){ return null; }
+        public KeyGenParameterSpec.Builder setCertificateSubject(X500Principal p0){ return null; }
+        public KeyGenParameterSpec.Builder setDevicePropertiesAttestationIncluded(boolean p0){ return null; }
+        public KeyGenParameterSpec.Builder setDigests(String... p0){ return null; }
+        public KeyGenParameterSpec.Builder setEncryptionPaddings(String... p0){ return null; }
+        public KeyGenParameterSpec.Builder setInvalidatedByBiometricEnrollment(boolean p0){ return null; }
+        public KeyGenParameterSpec.Builder setIsStrongBoxBacked(boolean p0){ return null; }
+        public KeyGenParameterSpec.Builder setKeySize(int p0){ return null; }
+        public KeyGenParameterSpec.Builder setKeyValidityEnd(Date p0){ return null; }
+        public KeyGenParameterSpec.Builder setKeyValidityForConsumptionEnd(Date p0){ return null; }
+        public KeyGenParameterSpec.Builder setKeyValidityForOriginationEnd(Date p0){ return null; }
+        public KeyGenParameterSpec.Builder setKeyValidityStart(Date p0){ return null; }
+        public KeyGenParameterSpec.Builder setMaxUsageCount(int p0){ return null; }
+        public KeyGenParameterSpec.Builder setRandomizedEncryptionRequired(boolean p0){ return null; }
+        public KeyGenParameterSpec.Builder setSignaturePaddings(String... p0){ return null; }
+        public KeyGenParameterSpec.Builder setUnlockedDeviceRequired(boolean p0){ return null; }
+        public KeyGenParameterSpec.Builder setUserAuthenticationParameters(int p0, int p1){ return null; }
+        public KeyGenParameterSpec.Builder setUserAuthenticationRequired(boolean p0){ return null; }
+        public KeyGenParameterSpec.Builder setUserAuthenticationValidWhileOnBody(boolean p0){ return null; }
+        public KeyGenParameterSpec.Builder setUserAuthenticationValidityDurationSeconds(int p0){ return null; }
+        public KeyGenParameterSpec.Builder setUserConfirmationRequired(boolean p0){ return null; }
+        public KeyGenParameterSpec.Builder setUserPresenceRequired(boolean p0){ return null; }
+    }
+}
--- a/java/ql/test/stubs/google-android-9.0.0/android/security/keystore/KeyProperties.java
+++ b/java/ql/test/stubs/google-android-9.0.0/android/security/keystore/KeyProperties.java
@@ -0,0 +1,54 @@
+// Generated automatically from android.security.keystore.KeyProperties for testing purposes
+
+package android.security.keystore;
+
+
+abstract public class KeyProperties
+{
+    protected KeyProperties() {}
+    public static String BLOCK_MODE_CBC = null;
+    public static String BLOCK_MODE_CTR = null;
+    public static String BLOCK_MODE_ECB = null;
+    public static String BLOCK_MODE_GCM = null;
+    public static String DIGEST_MD5 = null;
+    public static String DIGEST_NONE = null;
+    public static String DIGEST_SHA1 = null;
+    public static String DIGEST_SHA224 = null;
+    public static String DIGEST_SHA256 = null;
+    public static String DIGEST_SHA384 = null;
+    public static String DIGEST_SHA512 = null;
+    public static String ENCRYPTION_PADDING_NONE = null;
+    public static String ENCRYPTION_PADDING_PKCS7 = null;
+    public static String ENCRYPTION_PADDING_RSA_OAEP = null;
+    public static String ENCRYPTION_PADDING_RSA_PKCS1 = null;
+    public static String KEY_ALGORITHM_3DES = null;
+    public static String KEY_ALGORITHM_AES = null;
+    public static String KEY_ALGORITHM_EC = null;
+    public static String KEY_ALGORITHM_HMAC_SHA1 = null;
+    public static String KEY_ALGORITHM_HMAC_SHA224 = null;
+    public static String KEY_ALGORITHM_HMAC_SHA256 = null;
+    public static String KEY_ALGORITHM_HMAC_SHA384 = null;
+    public static String KEY_ALGORITHM_HMAC_SHA512 = null;
+    public static String KEY_ALGORITHM_RSA = null;
+    public static String SIGNATURE_PADDING_RSA_PKCS1 = null;
+    public static String SIGNATURE_PADDING_RSA_PSS = null;
+    public static int AUTH_BIOMETRIC_STRONG = 0;
+    public static int AUTH_DEVICE_CREDENTIAL = 0;
+    public static int ORIGIN_GENERATED = 0;
+    public static int ORIGIN_IMPORTED = 0;
+    public static int ORIGIN_SECURELY_IMPORTED = 0;
+    public static int ORIGIN_UNKNOWN = 0;
+    public static int PURPOSE_AGREE_KEY = 0;
+    public static int PURPOSE_ATTEST_KEY = 0;
+    public static int PURPOSE_DECRYPT = 0;
+    public static int PURPOSE_ENCRYPT = 0;
+    public static int PURPOSE_SIGN = 0;
+    public static int PURPOSE_VERIFY = 0;
+    public static int PURPOSE_WRAP_KEY = 0;
+    public static int SECURITY_LEVEL_SOFTWARE = 0;
+    public static int SECURITY_LEVEL_STRONGBOX = 0;
+    public static int SECURITY_LEVEL_TRUSTED_ENVIRONMENT = 0;
+    public static int SECURITY_LEVEL_UNKNOWN = 0;
+    public static int SECURITY_LEVEL_UNKNOWN_SECURE = 0;
+    public static int UNRESTRICTED_USAGE_COUNT = 0;
+}
--- a/ruby/ql/lib/change-notes/2024-02-15-activerecord_connection_sql_sinks.md
+++ b/ruby/ql/lib/change-notes/2024-02-15-activerecord_connection_sql_sinks.md
@@ -0,0 +1,4 @@
+---
+category: minorAnalysis
+---
+* Calls to several methods of `ActiveRecord::Connection`, such as `ActiveRecord::Connection#exec_query`, are now recognized as SQL executions, including those via subclasses.
--- a/ruby/ql/lib/change-notes/2024-02-20-activerecord-sql-sink-arguments.md
+++ b/ruby/ql/lib/change-notes/2024-02-20-activerecord-sql-sink-arguments.md
@@ -0,0 +1,5 @@
+
+---
+category: minorAnalysis
+---
+* Additional arguments beyond the first of calls to the  `ActiveRecord` methods `select`, `reselect`, `order`, `reorder`, `joins`, `group`, and `pluck` are now recognized as sql injection sinks. 
--- a/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
+++ b/ruby/ql/lib/codeql/ruby/dataflow/internal/DataFlowPrivate.qll
@@ -2177,7 +2177,7 @@ predicate allowParameterReturnInSelf(ParameterNodeImpl p) {
    FlowSummaryImpl::Private::summaryAllowParameterReturnInSelf(c.asLibraryCallable(), pos)
  )
  or
-  VariableCapture::Flow::heuristicAllowInstanceParameterReturnInSelf(p.(SelfParameterNode)
+  VariableCapture::Flow::heuristicAllowInstanceParameterReturnInSelf(p.(LambdaSelfReferenceNode)
        .getCallable())
 }

--- a/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/ActiveRecord.qll
@@ -176,11 +176,16 @@ private predicate sqlFragmentArgumentInner(DataFlow::CallNode call, DataFlow::No
    activeRecordQueryBuilderCall([
        "delete_all", "delete_by", "destroy_all", "destroy_by", "exists?", "find_by", "find_by!",
        "find_or_create_by", "find_or_create_by!", "find_or_initialize_by", "find_by_sql", "from",
-        "group", "having", "joins", "lock", "not", "order", "reorder", "pluck", "where", "rewhere",
-        "select", "reselect"
+        "having", "lock", "not", "where", "rewhere"
      ]) and
  sink = call.getArgument(0)
  or
+  call =
+    activeRecordQueryBuilderCall([
+        "group", "joins", "order", "reorder", "pluck", "select", "reselect"
+      ]) and
+  sink = call.getArgument(_)
+  or
  call = activeRecordQueryBuilderCall("calculate") and
  sink = call.getArgument(1)
  or
@@ -200,7 +205,13 @@ private predicate sqlFragmentArgumentInner(DataFlow::CallNode call, DataFlow::No
  call = activeRecordQueryBuilderCall("annotate") and
  sink = call.getArgument(_)
  or
-  call = activeRecordConnectionInstance().getAMethodCall("execute") and
+  call =
+    activeRecordConnectionInstance()
+        .getAMethodCall([
+            "create", "delete", "exec_query", "exec_delete", "exec_insert", "exec_update",
+            "execute", "insert", "select_all", "select_one", "select_rows", "select_value",
+            "select_values", "update"
+          ]) and
  sink = call.getArgument(0)
  or
  call = activeRecordQueryBuilderCall("update_all") and
--- a/ruby/ql/test/library-tests/dataflow/global/Flow.expected
+++ b/ruby/ql/test/library-tests/dataflow/global/Flow.expected
@@ -116,6 +116,12 @@ edges
 | captured_variables.rb:194:1:194:1 | c [@x] | captured_variables.rb:185:5:189:7 | self in baz [@x] | provenance |  |
 | captured_variables.rb:197:9:197:17 | call to taint | captured_variables.rb:199:10:199:10 | x | provenance |  |
 | captured_variables.rb:206:13:206:21 | call to taint | captured_variables.rb:208:14:208:14 | x | provenance |  |
+| captured_variables.rb:219:9:219:17 | call to taint | captured_variables.rb:222:11:224:5 | -> { ... } [captured x] | provenance |  |
+| captured_variables.rb:219:9:219:17 | call to taint | captured_variables.rb:226:5:226:7 | fn1 [captured x] | provenance |  |
+| captured_variables.rb:222:5:222:7 | fn1 [captured x] | captured_variables.rb:226:5:226:7 | fn1 [captured x] | provenance |  |
+| captured_variables.rb:222:11:224:5 | -> { ... } [captured x] | captured_variables.rb:222:5:222:7 | fn1 [captured x] | provenance |  |
+| captured_variables.rb:226:5:226:7 | [post] fn1 [captured y] | captured_variables.rb:227:10:227:10 | y | provenance |  |
+| captured_variables.rb:226:5:226:7 | fn1 [captured x] | captured_variables.rb:226:5:226:7 | [post] fn1 [captured y] | provenance |  |
 | instance_variables.rb:10:19:10:19 | x | instance_variables.rb:11:18:11:18 | x | provenance |  |
 | instance_variables.rb:11:18:11:18 | x | instance_variables.rb:11:9:11:14 | [post] self [@field] | provenance |  |
 | instance_variables.rb:13:5:15:7 | self in get_field [@field] | instance_variables.rb:14:16:14:21 | self [@field] | provenance |  |
@@ -374,6 +380,12 @@ nodes
 | captured_variables.rb:199:10:199:10 | x | semmle.label | x |
 | captured_variables.rb:206:13:206:21 | call to taint | semmle.label | call to taint |
 | captured_variables.rb:208:14:208:14 | x | semmle.label | x |
+| captured_variables.rb:219:9:219:17 | call to taint | semmle.label | call to taint |
+| captured_variables.rb:222:5:222:7 | fn1 [captured x] | semmle.label | fn1 [captured x] |
+| captured_variables.rb:222:11:224:5 | -> { ... } [captured x] | semmle.label | -> { ... } [captured x] |
+| captured_variables.rb:226:5:226:7 | [post] fn1 [captured y] | semmle.label | [post] fn1 [captured y] |
+| captured_variables.rb:226:5:226:7 | fn1 [captured x] | semmle.label | fn1 [captured x] |
+| captured_variables.rb:227:10:227:10 | y | semmle.label | y |
 | instance_variables.rb:10:19:10:19 | x | semmle.label | x |
 | instance_variables.rb:11:9:11:14 | [post] self [@field] | semmle.label | [post] self [@field] |
 | instance_variables.rb:11:18:11:18 | x | semmle.label | x |
@@ -583,6 +595,7 @@ subpaths
 | captured_variables.rb:187:18:187:19 | @x | captured_variables.rb:178:14:178:22 | call to taint | captured_variables.rb:187:18:187:19 | @x | $@ | captured_variables.rb:178:14:178:22 | call to taint | call to taint |
 | captured_variables.rb:199:10:199:10 | x | captured_variables.rb:197:9:197:17 | call to taint | captured_variables.rb:199:10:199:10 | x | $@ | captured_variables.rb:197:9:197:17 | call to taint | call to taint |
 | captured_variables.rb:208:14:208:14 | x | captured_variables.rb:206:13:206:21 | call to taint | captured_variables.rb:208:14:208:14 | x | $@ | captured_variables.rb:206:13:206:21 | call to taint | call to taint |
+| captured_variables.rb:227:10:227:10 | y | captured_variables.rb:219:9:219:17 | call to taint | captured_variables.rb:227:10:227:10 | y | $@ | captured_variables.rb:219:9:219:17 | call to taint | call to taint |
 | instance_variables.rb:20:10:20:13 | @foo | instance_variables.rb:19:12:19:21 | call to taint | instance_variables.rb:20:10:20:13 | @foo | $@ | instance_variables.rb:19:12:19:21 | call to taint | call to taint |
 | instance_variables.rb:36:10:36:33 | call to get_field | instance_variables.rb:36:14:36:22 | call to taint | instance_variables.rb:36:10:36:33 | call to get_field | $@ | instance_variables.rb:36:14:36:22 | call to taint | call to taint |
 | instance_variables.rb:39:6:39:33 | call to get_field | instance_variables.rb:39:14:39:22 | call to taint | instance_variables.rb:39:6:39:33 | call to get_field | $@ | instance_variables.rb:39:14:39:22 | call to taint | call to taint |
--- a/ruby/ql/test/library-tests/dataflow/global/captured_variables.rb
+++ b/ruby/ql/test/library-tests/dataflow/global/captured_variables.rb
@@ -214,3 +214,17 @@ class CaptureOverwrite

    fn.call()
 end
+
+def multi_capture
+    x = taint(18)
+    y = 123
+
+    fn1 = -> {
+        y = x
+    }
+
+    fn1.call()
+    sink(y) # $ hasValueFlow=18
+end
+
+multi_capture
--- a/ruby/ql/test/library-tests/frameworks/active_record/ActiveRecord.expected
+++ b/ruby/ql/test/library-tests/frameworks/active_record/ActiveRecord.expected
@@ -1,7 +1,7 @@
 activeRecordModelClasses
 | ActiveRecord.rb:1:1:3:3 | UserGroup |
-| ActiveRecord.rb:5:1:19:3 | User |
-| ActiveRecord.rb:21:1:25:3 | Admin |
+| ActiveRecord.rb:5:1:32:3 | User |
+| ActiveRecord.rb:34:1:38:3 | Admin |
 | associations.rb:1:1:3:3 | Author |
 | associations.rb:5:1:9:3 | Post |
 | associations.rb:11:1:13:3 | Tag |
@@ -10,20 +10,33 @@ activeRecordInstances
 | ActiveRecord.rb:9:5:9:68 | call to find |
 | ActiveRecord.rb:13:5:13:40 | call to find_by |
 | ActiveRecord.rb:13:5:13:46 | call to users |
-| ActiveRecord.rb:16:3:18:5 | self (exec) |
-| ActiveRecord.rb:16:3:18:5 | self in exec |
+| ActiveRecord.rb:16:3:31:5 | self (exec) |
+| ActiveRecord.rb:16:3:31:5 | self in exec |
 | ActiveRecord.rb:17:5:17:14 | self |
-| ActiveRecord.rb:39:5:39:51 | call to authenticate |
-| ActiveRecord.rb:40:5:40:30 | call to find_by_name |
-| ActiveRecord.rb:59:5:61:7 | if ... |
-| ActiveRecord.rb:59:43:60:40 | then ... |
-| ActiveRecord.rb:60:7:60:40 | call to find_by |
-| ActiveRecord.rb:64:5:64:33 | call to find_by |
-| ActiveRecord.rb:66:5:66:34 | call to find |
-| ActiveRecord.rb:76:5:76:24 | call to create |
-| ActiveRecord.rb:80:5:80:66 | call to create |
-| ActiveRecord.rb:84:5:84:68 | call to create |
-| ActiveRecord.rb:88:5:88:16 | call to create |
+| ActiveRecord.rb:18:5:18:14 | self |
+| ActiveRecord.rb:19:5:19:14 | self |
+| ActiveRecord.rb:20:5:20:14 | self |
+| ActiveRecord.rb:21:5:21:14 | self |
+| ActiveRecord.rb:22:5:22:14 | self |
+| ActiveRecord.rb:23:5:23:14 | self |
+| ActiveRecord.rb:24:5:24:14 | self |
+| ActiveRecord.rb:25:5:25:14 | self |
+| ActiveRecord.rb:26:5:26:14 | self |
+| ActiveRecord.rb:27:5:27:14 | self |
+| ActiveRecord.rb:28:5:28:14 | self |
+| ActiveRecord.rb:29:5:29:14 | self |
+| ActiveRecord.rb:30:5:30:14 | self |
+| ActiveRecord.rb:52:5:52:51 | call to authenticate |
+| ActiveRecord.rb:53:5:53:30 | call to find_by_name |
+| ActiveRecord.rb:72:5:74:7 | if ... |
+| ActiveRecord.rb:72:43:73:40 | then ... |
+| ActiveRecord.rb:73:7:73:40 | call to find_by |
+| ActiveRecord.rb:77:5:77:33 | call to find_by |
+| ActiveRecord.rb:79:5:79:34 | call to find |
+| ActiveRecord.rb:89:5:89:24 | call to create |
+| ActiveRecord.rb:93:5:93:66 | call to create |
+| ActiveRecord.rb:97:5:97:68 | call to create |
+| ActiveRecord.rb:101:5:101:16 | call to create |
 | associations.rb:19:1:19:7 | author1 |
 | associations.rb:19:1:19:20 | ... = ... |
 | associations.rb:19:11:19:20 | call to new |
@@ -108,47 +121,60 @@ activeRecordInstances
 | associations.rb:53:1:53:34 | call to find |
 activeRecordSqlExecutionRanges
 | ActiveRecord.rb:9:33:9:67 | "name='#{...}' and pass='#{...}'" |
-| ActiveRecord.rb:17:24:17:24 | q |
-| ActiveRecord.rb:23:16:23:24 | condition |
-| ActiveRecord.rb:32:30:32:44 | ...[...] |
-| ActiveRecord.rb:33:20:33:42 | "id = '#{...}'" |
-| ActiveRecord.rb:34:21:34:45 | call to [] |
-| ActiveRecord.rb:35:16:35:21 | <<-SQL |
-| ActiveRecord.rb:38:20:38:47 | "user.id = '#{...}'" |
-| ActiveRecord.rb:50:20:50:32 | ... + ... |
-| ActiveRecord.rb:56:16:56:28 | "name #{...}" |
-| ActiveRecord.rb:60:20:60:39 | "username = #{...}" |
-| ActiveRecord.rb:72:21:72:44 | ...[...] |
-| ActiveRecord.rb:110:27:110:76 | "this is an unsafe annotation:..." |
+| ActiveRecord.rb:17:23:17:23 | q |
+| ActiveRecord.rb:18:23:18:23 | q |
+| ActiveRecord.rb:19:27:19:27 | q |
+| ActiveRecord.rb:20:28:20:28 | q |
+| ActiveRecord.rb:21:28:21:28 | q |
+| ActiveRecord.rb:22:28:22:28 | q |
+| ActiveRecord.rb:23:24:23:24 | q |
+| ActiveRecord.rb:24:23:24:23 | q |
+| ActiveRecord.rb:25:27:25:27 | q |
+| ActiveRecord.rb:26:27:26:27 | q |
+| ActiveRecord.rb:27:28:27:28 | q |
+| ActiveRecord.rb:28:29:28:29 | q |
+| ActiveRecord.rb:29:30:29:30 | q |
+| ActiveRecord.rb:30:23:30:23 | q |
+| ActiveRecord.rb:36:16:36:24 | condition |
+| ActiveRecord.rb:45:30:45:44 | ...[...] |
+| ActiveRecord.rb:46:20:46:42 | "id = '#{...}'" |
+| ActiveRecord.rb:47:21:47:45 | call to [] |
+| ActiveRecord.rb:48:16:48:21 | <<-SQL |
+| ActiveRecord.rb:51:20:51:47 | "user.id = '#{...}'" |
+| ActiveRecord.rb:63:20:63:32 | ... + ... |
+| ActiveRecord.rb:69:16:69:28 | "name #{...}" |
+| ActiveRecord.rb:73:20:73:39 | "username = #{...}" |
+| ActiveRecord.rb:85:21:85:44 | ...[...] |
+| ActiveRecord.rb:123:27:123:76 | "this is an unsafe annotation:..." |
 activeRecordModelClassMethodCalls
 | ActiveRecord.rb:2:3:2:17 | call to has_many |
 | ActiveRecord.rb:6:3:6:24 | call to belongs_to |
 | ActiveRecord.rb:9:5:9:68 | call to find |
 | ActiveRecord.rb:13:5:13:40 | call to find_by |
 | ActiveRecord.rb:13:5:13:46 | call to users |
-| ActiveRecord.rb:23:5:23:25 | call to destroy_by |
-| ActiveRecord.rb:32:5:32:45 | call to calculate |
-| ActiveRecord.rb:33:5:33:43 | call to delete_by |
-| ActiveRecord.rb:34:5:34:46 | call to destroy_by |
-| ActiveRecord.rb:35:5:35:35 | call to where |
-| ActiveRecord.rb:38:5:38:14 | call to where |
-| ActiveRecord.rb:38:5:38:48 | call to not |
-| ActiveRecord.rb:40:5:40:30 | call to find_by_name |
-| ActiveRecord.rb:41:5:41:36 | call to not_a_find_by_method |
-| ActiveRecord.rb:50:5:50:33 | call to delete_by |
-| ActiveRecord.rb:56:5:56:29 | call to order |
-| ActiveRecord.rb:60:7:60:40 | call to find_by |
-| ActiveRecord.rb:64:5:64:33 | call to find_by |
-| ActiveRecord.rb:66:5:66:34 | call to find |
-| ActiveRecord.rb:76:5:76:24 | call to create |
-| ActiveRecord.rb:80:5:80:66 | call to create |
-| ActiveRecord.rb:84:5:84:68 | call to create |
-| ActiveRecord.rb:88:5:88:16 | call to create |
-| ActiveRecord.rb:92:5:92:27 | call to update |
-| ActiveRecord.rb:96:5:96:69 | call to update |
-| ActiveRecord.rb:100:5:100:71 | call to update |
-| ActiveRecord.rb:106:13:106:54 | call to annotate |
-| ActiveRecord.rb:110:13:110:77 | call to annotate |
+| ActiveRecord.rb:36:5:36:25 | call to destroy_by |
+| ActiveRecord.rb:45:5:45:45 | call to calculate |
+| ActiveRecord.rb:46:5:46:43 | call to delete_by |
+| ActiveRecord.rb:47:5:47:46 | call to destroy_by |
+| ActiveRecord.rb:48:5:48:35 | call to where |
+| ActiveRecord.rb:51:5:51:14 | call to where |
+| ActiveRecord.rb:51:5:51:48 | call to not |
+| ActiveRecord.rb:53:5:53:30 | call to find_by_name |
+| ActiveRecord.rb:54:5:54:36 | call to not_a_find_by_method |
+| ActiveRecord.rb:63:5:63:33 | call to delete_by |
+| ActiveRecord.rb:69:5:69:29 | call to order |
+| ActiveRecord.rb:73:7:73:40 | call to find_by |
+| ActiveRecord.rb:77:5:77:33 | call to find_by |
+| ActiveRecord.rb:79:5:79:34 | call to find |
+| ActiveRecord.rb:89:5:89:24 | call to create |
+| ActiveRecord.rb:93:5:93:66 | call to create |
+| ActiveRecord.rb:97:5:97:68 | call to create |
+| ActiveRecord.rb:101:5:101:16 | call to create |
+| ActiveRecord.rb:105:5:105:27 | call to update |
+| ActiveRecord.rb:109:5:109:69 | call to update |
+| ActiveRecord.rb:113:5:113:71 | call to update |
+| ActiveRecord.rb:119:13:119:54 | call to annotate |
+| ActiveRecord.rb:123:13:123:77 | call to annotate |
 | associations.rb:2:3:2:17 | call to has_many |
 | associations.rb:6:3:6:20 | call to belongs_to |
 | associations.rb:7:3:7:20 | call to has_many |
@@ -204,41 +230,41 @@ activeRecordModelClassMethodCalls
 activeRecordModelClassMethodCallsReplacement
 | ActiveRecord.rb:1:1:3:3 | UserGroup | ActiveRecord.rb:2:3:2:17 | call to has_many |
 | ActiveRecord.rb:1:1:3:3 | UserGroup | ActiveRecord.rb:13:5:13:40 | call to find_by |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:6:3:6:24 | call to belongs_to |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:9:5:9:68 | call to find |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:23:5:23:25 | call to destroy_by |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:32:5:32:45 | call to calculate |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:33:5:33:43 | call to delete_by |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:34:5:34:46 | call to destroy_by |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:35:5:35:35 | call to where |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:38:5:38:14 | call to where |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:39:5:39:51 | call to authenticate |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:40:5:40:30 | call to find_by_name |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:41:5:41:36 | call to not_a_find_by_method |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:50:5:50:33 | call to delete_by |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:56:5:56:29 | call to order |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:60:7:60:40 | call to find_by |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:64:5:64:33 | call to find_by |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:66:5:66:34 | call to find |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:72:5:72:45 | call to delete_by |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:76:5:76:24 | call to create |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:80:5:80:66 | call to create |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:84:5:84:68 | call to create |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:88:5:88:16 | call to create |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:92:5:92:27 | call to update |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:96:5:96:69 | call to update |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:100:5:100:71 | call to update |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:106:13:106:54 | call to annotate |
-| ActiveRecord.rb:5:1:19:3 | User | ActiveRecord.rb:110:13:110:77 | call to annotate |
-| ActiveRecord.rb:21:1:25:3 | Admin | ActiveRecord.rb:23:5:23:25 | call to destroy_by |
-| ActiveRecord.rb:21:1:25:3 | Admin | ActiveRecord.rb:72:5:72:45 | call to delete_by |
-| ActiveRecord.rb:21:1:25:3 | Admin | ActiveRecord.rb:76:5:76:24 | call to create |
-| ActiveRecord.rb:21:1:25:3 | Admin | ActiveRecord.rb:80:5:80:66 | call to create |
-| ActiveRecord.rb:21:1:25:3 | Admin | ActiveRecord.rb:84:5:84:68 | call to create |
-| ActiveRecord.rb:21:1:25:3 | Admin | ActiveRecord.rb:88:5:88:16 | call to create |
-| ActiveRecord.rb:21:1:25:3 | Admin | ActiveRecord.rb:92:5:92:27 | call to update |
-| ActiveRecord.rb:21:1:25:3 | Admin | ActiveRecord.rb:96:5:96:69 | call to update |
-| ActiveRecord.rb:21:1:25:3 | Admin | ActiveRecord.rb:100:5:100:71 | call to update |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:6:3:6:24 | call to belongs_to |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:9:5:9:68 | call to find |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:36:5:36:25 | call to destroy_by |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:45:5:45:45 | call to calculate |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:46:5:46:43 | call to delete_by |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:47:5:47:46 | call to destroy_by |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:48:5:48:35 | call to where |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:51:5:51:14 | call to where |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:52:5:52:51 | call to authenticate |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:53:5:53:30 | call to find_by_name |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:54:5:54:36 | call to not_a_find_by_method |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:63:5:63:33 | call to delete_by |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:69:5:69:29 | call to order |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:73:7:73:40 | call to find_by |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:77:5:77:33 | call to find_by |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:79:5:79:34 | call to find |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:85:5:85:45 | call to delete_by |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:89:5:89:24 | call to create |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:93:5:93:66 | call to create |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:97:5:97:68 | call to create |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:101:5:101:16 | call to create |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:105:5:105:27 | call to update |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:109:5:109:69 | call to update |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:113:5:113:71 | call to update |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:119:13:119:54 | call to annotate |
+| ActiveRecord.rb:5:1:32:3 | User | ActiveRecord.rb:123:13:123:77 | call to annotate |
+| ActiveRecord.rb:34:1:38:3 | Admin | ActiveRecord.rb:36:5:36:25 | call to destroy_by |
+| ActiveRecord.rb:34:1:38:3 | Admin | ActiveRecord.rb:85:5:85:45 | call to delete_by |
+| ActiveRecord.rb:34:1:38:3 | Admin | ActiveRecord.rb:89:5:89:24 | call to create |
+| ActiveRecord.rb:34:1:38:3 | Admin | ActiveRecord.rb:93:5:93:66 | call to create |
+| ActiveRecord.rb:34:1:38:3 | Admin | ActiveRecord.rb:97:5:97:68 | call to create |
+| ActiveRecord.rb:34:1:38:3 | Admin | ActiveRecord.rb:101:5:101:16 | call to create |
+| ActiveRecord.rb:34:1:38:3 | Admin | ActiveRecord.rb:105:5:105:27 | call to update |
+| ActiveRecord.rb:34:1:38:3 | Admin | ActiveRecord.rb:109:5:109:69 | call to update |
+| ActiveRecord.rb:34:1:38:3 | Admin | ActiveRecord.rb:113:5:113:71 | call to update |
 | associations.rb:1:1:3:3 | Author | associations.rb:2:3:2:17 | call to has_many |
 | associations.rb:1:1:3:3 | Author | associations.rb:19:11:19:20 | call to new |
 | associations.rb:5:1:9:3 | Post | associations.rb:6:3:6:20 | call to belongs_to |
@@ -248,29 +274,29 @@ activeRecordModelClassMethodCallsReplacement
 | associations.rb:15:1:17:3 | Comment | associations.rb:16:3:16:18 | call to belongs_to |
 potentiallyUnsafeSqlExecutingMethodCall
 | ActiveRecord.rb:9:5:9:68 | call to find |
-| ActiveRecord.rb:23:5:23:25 | call to destroy_by |
-| ActiveRecord.rb:32:5:32:45 | call to calculate |
-| ActiveRecord.rb:33:5:33:43 | call to delete_by |
-| ActiveRecord.rb:34:5:34:46 | call to destroy_by |
-| ActiveRecord.rb:35:5:35:35 | call to where |
-| ActiveRecord.rb:38:5:38:48 | call to not |
-| ActiveRecord.rb:50:5:50:33 | call to delete_by |
-| ActiveRecord.rb:56:5:56:29 | call to order |
-| ActiveRecord.rb:60:7:60:40 | call to find_by |
-| ActiveRecord.rb:110:13:110:77 | call to annotate |
+| ActiveRecord.rb:36:5:36:25 | call to destroy_by |
+| ActiveRecord.rb:45:5:45:45 | call to calculate |
+| ActiveRecord.rb:46:5:46:43 | call to delete_by |
+| ActiveRecord.rb:47:5:47:46 | call to destroy_by |
+| ActiveRecord.rb:48:5:48:35 | call to where |
+| ActiveRecord.rb:51:5:51:48 | call to not |
+| ActiveRecord.rb:63:5:63:33 | call to delete_by |
+| ActiveRecord.rb:69:5:69:29 | call to order |
+| ActiveRecord.rb:73:7:73:40 | call to find_by |
+| ActiveRecord.rb:123:13:123:77 | call to annotate |
 activeRecordModelInstantiations
-| ActiveRecord.rb:9:5:9:68 | call to find | ActiveRecord.rb:5:1:19:3 | User |
+| ActiveRecord.rb:9:5:9:68 | call to find | ActiveRecord.rb:5:1:32:3 | User |
 | ActiveRecord.rb:13:5:13:40 | call to find_by | ActiveRecord.rb:1:1:3:3 | UserGroup |
-| ActiveRecord.rb:13:5:13:46 | call to users | ActiveRecord.rb:5:1:19:3 | User |
-| ActiveRecord.rb:16:3:18:5 | self in exec | ActiveRecord.rb:5:1:19:3 | User |
-| ActiveRecord.rb:40:5:40:30 | call to find_by_name | ActiveRecord.rb:5:1:19:3 | User |
-| ActiveRecord.rb:60:7:60:40 | call to find_by | ActiveRecord.rb:5:1:19:3 | User |
-| ActiveRecord.rb:64:5:64:33 | call to find_by | ActiveRecord.rb:5:1:19:3 | User |
-| ActiveRecord.rb:66:5:66:34 | call to find | ActiveRecord.rb:5:1:19:3 | User |
-| ActiveRecord.rb:76:5:76:24 | call to create | ActiveRecord.rb:21:1:25:3 | Admin |
-| ActiveRecord.rb:80:5:80:66 | call to create | ActiveRecord.rb:21:1:25:3 | Admin |
-| ActiveRecord.rb:84:5:84:68 | call to create | ActiveRecord.rb:21:1:25:3 | Admin |
-| ActiveRecord.rb:88:5:88:16 | call to create | ActiveRecord.rb:21:1:25:3 | Admin |
+| ActiveRecord.rb:13:5:13:46 | call to users | ActiveRecord.rb:5:1:32:3 | User |
+| ActiveRecord.rb:16:3:31:5 | self in exec | ActiveRecord.rb:5:1:32:3 | User |
+| ActiveRecord.rb:53:5:53:30 | call to find_by_name | ActiveRecord.rb:5:1:32:3 | User |
+| ActiveRecord.rb:73:7:73:40 | call to find_by | ActiveRecord.rb:5:1:32:3 | User |
+| ActiveRecord.rb:77:5:77:33 | call to find_by | ActiveRecord.rb:5:1:32:3 | User |
+| ActiveRecord.rb:79:5:79:34 | call to find | ActiveRecord.rb:5:1:32:3 | User |
+| ActiveRecord.rb:89:5:89:24 | call to create | ActiveRecord.rb:34:1:38:3 | Admin |
+| ActiveRecord.rb:93:5:93:66 | call to create | ActiveRecord.rb:34:1:38:3 | Admin |
+| ActiveRecord.rb:97:5:97:68 | call to create | ActiveRecord.rb:34:1:38:3 | Admin |
+| ActiveRecord.rb:101:5:101:16 | call to create | ActiveRecord.rb:34:1:38:3 | Admin |
 | associations.rb:19:11:19:20 | call to new | associations.rb:1:1:3:3 | Author |
 | associations.rb:21:9:21:21 | call to posts | associations.rb:5:1:9:3 | Post |
 | associations.rb:21:9:21:28 | call to create | associations.rb:5:1:9:3 | Post |
@@ -312,13 +338,13 @@ activeRecordModelInstantiations
 | associations.rb:53:1:53:13 | call to posts | associations.rb:5:1:9:3 | Post |
 | associations.rb:53:1:53:20 | call to reload | associations.rb:5:1:9:3 | Post |
 persistentWriteAccesses
-| ActiveRecord.rb:76:5:76:24 | call to create | ActiveRecord.rb:76:18:76:23 | call to params |
-| ActiveRecord.rb:80:5:80:66 | call to create | ActiveRecord.rb:80:24:80:36 | ...[...] |
-| ActiveRecord.rb:80:5:80:66 | call to create | ActiveRecord.rb:80:49:80:65 | ...[...] |
-| ActiveRecord.rb:84:5:84:68 | call to create | ActiveRecord.rb:84:25:84:37 | ...[...] |
-| ActiveRecord.rb:84:5:84:68 | call to create | ActiveRecord.rb:84:50:84:66 | ...[...] |
-| ActiveRecord.rb:92:5:92:27 | call to update | ActiveRecord.rb:92:21:92:26 | call to params |
-| ActiveRecord.rb:96:5:96:69 | call to update | ActiveRecord.rb:96:27:96:39 | ...[...] |
-| ActiveRecord.rb:96:5:96:69 | call to update | ActiveRecord.rb:96:52:96:68 | ...[...] |
-| ActiveRecord.rb:100:5:100:71 | call to update | ActiveRecord.rb:100:21:100:70 | call to [] |
+| ActiveRecord.rb:89:5:89:24 | call to create | ActiveRecord.rb:89:18:89:23 | call to params |
+| ActiveRecord.rb:93:5:93:66 | call to create | ActiveRecord.rb:93:24:93:36 | ...[...] |
+| ActiveRecord.rb:93:5:93:66 | call to create | ActiveRecord.rb:93:49:93:65 | ...[...] |
+| ActiveRecord.rb:97:5:97:68 | call to create | ActiveRecord.rb:97:25:97:37 | ...[...] |
+| ActiveRecord.rb:97:5:97:68 | call to create | ActiveRecord.rb:97:50:97:66 | ...[...] |
+| ActiveRecord.rb:105:5:105:27 | call to update | ActiveRecord.rb:105:21:105:26 | call to params |
+| ActiveRecord.rb:109:5:109:69 | call to update | ActiveRecord.rb:109:27:109:39 | ...[...] |
+| ActiveRecord.rb:109:5:109:69 | call to update | ActiveRecord.rb:109:52:109:68 | ...[...] |
+| ActiveRecord.rb:113:5:113:71 | call to update | ActiveRecord.rb:113:21:113:70 | call to [] |
 | associations.rb:31:16:31:22 | ... = ... | associations.rb:31:16:31:22 | author2 |
--- a/ruby/ql/test/library-tests/frameworks/active_record/ActiveRecord.rb
+++ b/ruby/ql/test/library-tests/frameworks/active_record/ActiveRecord.rb
@@ -14,7 +14,20 @@ class User < ApplicationRecord
  end

  def exec(q)
+    connection.create(q)
+    connection.delete(q)
+    connection.exec_query(q)
+    connection.exec_insert(q)
+    connection.exec_delete(q)
+    connection.exec_update(q)
    connection.execute(q)
+    connection.insert(q)
+    connection.select_all(q)
+    connection.select_one(q)
+    connection.select_rows(q)
+    connection.select_value(q)
+    connection.select_values(q)
+    connection.update(q)
  end
 end

--- a/ruby/ql/test/query-tests/security/cwe-089/ActiveRecordInjection.rb
+++ b/ruby/ql/test/query-tests/security/cwe-089/ActiveRecordInjection.rb
@@ -105,6 +105,14 @@ class FooController < ActionController::Base

    User.reorder(params[:direction])

+    User.select('a','b', params[:column])
+    User.reselect('a','b', params[:column])
+    User.order('a ASC', "b #{params[:direction]}")
+    User.reorder('a ASC', "b #{params[:direction]}")
+    User.group('a', params[:column])
+    User.pluck('a', params[:column])
+    User.joins(:a, params[:column])
+
    User.count_by_sql(params[:custom_sql_query])
  end
 end
--- a/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected
+++ b/ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected
@@ -34,35 +34,44 @@ edges
 | ActiveRecordInjection.rb:104:30:104:35 | call to params | ActiveRecordInjection.rb:104:30:104:51 | ...[...] | provenance |  |
 | ActiveRecordInjection.rb:104:30:104:51 | ...[...] | ActiveRecordInjection.rb:104:19:104:54 | "name = '#{...}'" | provenance |  |
 | ActiveRecordInjection.rb:106:18:106:23 | call to params | ActiveRecordInjection.rb:106:18:106:35 | ...[...] | provenance |  |
-| ActiveRecordInjection.rb:108:23:108:28 | call to params | ActiveRecordInjection.rb:108:23:108:47 | ...[...] | provenance |  |
-| ActiveRecordInjection.rb:114:5:114:6 | ps | ActiveRecordInjection.rb:115:11:115:12 | ps | provenance |  |
-| ActiveRecordInjection.rb:114:10:114:15 | call to params | ActiveRecordInjection.rb:114:5:114:6 | ps | provenance |  |
-| ActiveRecordInjection.rb:115:5:115:7 | uid | ActiveRecordInjection.rb:116:5:116:9 | uidEq | provenance |  |
-| ActiveRecordInjection.rb:115:11:115:12 | ps | ActiveRecordInjection.rb:115:11:115:17 | ...[...] | provenance |  |
-| ActiveRecordInjection.rb:115:11:115:17 | ...[...] | ActiveRecordInjection.rb:115:5:115:7 | uid | provenance |  |
-| ActiveRecordInjection.rb:116:5:116:9 | uidEq | ActiveRecordInjection.rb:120:20:120:32 | ... + ... | provenance |  |
-| ActiveRecordInjection.rb:116:5:116:9 | uidEq | ActiveRecordInjection.rb:120:28:120:32 | uidEq | provenance |  |
-| ActiveRecordInjection.rb:120:20:120:32 | ... + ... [element] | ActiveRecordInjection.rb:120:20:120:32 | ... + ... | provenance |  |
-| ActiveRecordInjection.rb:120:28:120:32 | uidEq | ActiveRecordInjection.rb:120:20:120:32 | ... + ... [element] | provenance |  |
-| ActiveRecordInjection.rb:153:21:153:26 | call to params | ActiveRecordInjection.rb:153:21:153:44 | ...[...] | provenance |  |
-| ActiveRecordInjection.rb:153:21:153:26 | call to params | ActiveRecordInjection.rb:153:21:153:44 | ...[...] | provenance |  |
-| ActiveRecordInjection.rb:153:21:153:44 | ...[...] | ActiveRecordInjection.rb:20:22:20:30 | condition | provenance |  |
-| ActiveRecordInjection.rb:167:59:167:64 | call to params | ActiveRecordInjection.rb:167:59:167:74 | ...[...] | provenance |  |
-| ActiveRecordInjection.rb:167:59:167:74 | ...[...] | ActiveRecordInjection.rb:167:27:167:76 | "this is an unsafe annotation:..." | provenance |  |
-| ActiveRecordInjection.rb:178:5:178:13 | my_params | ActiveRecordInjection.rb:179:47:179:55 | my_params | provenance |  |
-| ActiveRecordInjection.rb:178:17:178:32 | call to permitted_params | ActiveRecordInjection.rb:178:5:178:13 | my_params | provenance |  |
-| ActiveRecordInjection.rb:179:5:179:9 | query | ActiveRecordInjection.rb:180:37:180:41 | query | provenance |  |
-| ActiveRecordInjection.rb:179:47:179:55 | my_params | ActiveRecordInjection.rb:179:47:179:65 | ...[...] | provenance |  |
-| ActiveRecordInjection.rb:179:47:179:65 | ...[...] | ActiveRecordInjection.rb:179:5:179:9 | query | provenance |  |
-| ActiveRecordInjection.rb:185:5:185:10 | call to params | ActiveRecordInjection.rb:185:5:185:27 | call to require | provenance |  |
-| ActiveRecordInjection.rb:185:5:185:27 | call to require | ActiveRecordInjection.rb:185:5:185:59 | call to permit | provenance |  |
-| ActiveRecordInjection.rb:185:5:185:59 | call to permit | ActiveRecordInjection.rb:178:17:178:32 | call to permitted_params | provenance |  |
-| ActiveRecordInjection.rb:185:5:185:59 | call to permit | ActiveRecordInjection.rb:189:77:189:92 | call to permitted_params | provenance |  |
-| ActiveRecordInjection.rb:185:5:185:59 | call to permit | ActiveRecordInjection.rb:190:69:190:84 | call to permitted_params | provenance |  |
-| ActiveRecordInjection.rb:189:77:189:92 | call to permitted_params | ActiveRecordInjection.rb:189:77:189:102 | ...[...] | provenance |  |
-| ActiveRecordInjection.rb:189:77:189:102 | ...[...] | ActiveRecordInjection.rb:189:43:189:104 | "SELECT * FROM users WHERE id ..." | provenance |  |
-| ActiveRecordInjection.rb:190:69:190:84 | call to permitted_params | ActiveRecordInjection.rb:190:69:190:94 | ...[...] | provenance |  |
-| ActiveRecordInjection.rb:190:69:190:94 | ...[...] | ActiveRecordInjection.rb:190:35:190:96 | "SELECT * FROM users WHERE id ..." | provenance |  |
+| ActiveRecordInjection.rb:108:26:108:31 | call to params | ActiveRecordInjection.rb:108:26:108:40 | ...[...] | provenance |  |
+| ActiveRecordInjection.rb:109:28:109:33 | call to params | ActiveRecordInjection.rb:109:28:109:42 | ...[...] | provenance |  |
+| ActiveRecordInjection.rb:110:30:110:35 | call to params | ActiveRecordInjection.rb:110:30:110:47 | ...[...] | provenance |  |
+| ActiveRecordInjection.rb:110:30:110:47 | ...[...] | ActiveRecordInjection.rb:110:25:110:49 | "b #{...}" | provenance |  |
+| ActiveRecordInjection.rb:111:32:111:37 | call to params | ActiveRecordInjection.rb:111:32:111:49 | ...[...] | provenance |  |
+| ActiveRecordInjection.rb:111:32:111:49 | ...[...] | ActiveRecordInjection.rb:111:27:111:51 | "b #{...}" | provenance |  |
+| ActiveRecordInjection.rb:112:21:112:26 | call to params | ActiveRecordInjection.rb:112:21:112:35 | ...[...] | provenance |  |
+| ActiveRecordInjection.rb:113:21:113:26 | call to params | ActiveRecordInjection.rb:113:21:113:35 | ...[...] | provenance |  |
+| ActiveRecordInjection.rb:114:20:114:25 | call to params | ActiveRecordInjection.rb:114:20:114:34 | ...[...] | provenance |  |
+| ActiveRecordInjection.rb:116:23:116:28 | call to params | ActiveRecordInjection.rb:116:23:116:47 | ...[...] | provenance |  |
+| ActiveRecordInjection.rb:122:5:122:6 | ps | ActiveRecordInjection.rb:123:11:123:12 | ps | provenance |  |
+| ActiveRecordInjection.rb:122:10:122:15 | call to params | ActiveRecordInjection.rb:122:5:122:6 | ps | provenance |  |
+| ActiveRecordInjection.rb:123:5:123:7 | uid | ActiveRecordInjection.rb:124:5:124:9 | uidEq | provenance |  |
+| ActiveRecordInjection.rb:123:11:123:12 | ps | ActiveRecordInjection.rb:123:11:123:17 | ...[...] | provenance |  |
+| ActiveRecordInjection.rb:123:11:123:17 | ...[...] | ActiveRecordInjection.rb:123:5:123:7 | uid | provenance |  |
+| ActiveRecordInjection.rb:124:5:124:9 | uidEq | ActiveRecordInjection.rb:128:20:128:32 | ... + ... | provenance |  |
+| ActiveRecordInjection.rb:124:5:124:9 | uidEq | ActiveRecordInjection.rb:128:28:128:32 | uidEq | provenance |  |
+| ActiveRecordInjection.rb:128:20:128:32 | ... + ... [element] | ActiveRecordInjection.rb:128:20:128:32 | ... + ... | provenance |  |
+| ActiveRecordInjection.rb:128:28:128:32 | uidEq | ActiveRecordInjection.rb:128:20:128:32 | ... + ... [element] | provenance |  |
+| ActiveRecordInjection.rb:161:21:161:26 | call to params | ActiveRecordInjection.rb:161:21:161:44 | ...[...] | provenance |  |
+| ActiveRecordInjection.rb:161:21:161:26 | call to params | ActiveRecordInjection.rb:161:21:161:44 | ...[...] | provenance |  |
+| ActiveRecordInjection.rb:161:21:161:44 | ...[...] | ActiveRecordInjection.rb:20:22:20:30 | condition | provenance |  |
+| ActiveRecordInjection.rb:175:59:175:64 | call to params | ActiveRecordInjection.rb:175:59:175:74 | ...[...] | provenance |  |
+| ActiveRecordInjection.rb:175:59:175:74 | ...[...] | ActiveRecordInjection.rb:175:27:175:76 | "this is an unsafe annotation:..." | provenance |  |
+| ActiveRecordInjection.rb:186:5:186:13 | my_params | ActiveRecordInjection.rb:187:47:187:55 | my_params | provenance |  |
+| ActiveRecordInjection.rb:186:17:186:32 | call to permitted_params | ActiveRecordInjection.rb:186:5:186:13 | my_params | provenance |  |
+| ActiveRecordInjection.rb:187:5:187:9 | query | ActiveRecordInjection.rb:188:37:188:41 | query | provenance |  |
+| ActiveRecordInjection.rb:187:47:187:55 | my_params | ActiveRecordInjection.rb:187:47:187:65 | ...[...] | provenance |  |
+| ActiveRecordInjection.rb:187:47:187:65 | ...[...] | ActiveRecordInjection.rb:187:5:187:9 | query | provenance |  |
+| ActiveRecordInjection.rb:193:5:193:10 | call to params | ActiveRecordInjection.rb:193:5:193:27 | call to require | provenance |  |
+| ActiveRecordInjection.rb:193:5:193:27 | call to require | ActiveRecordInjection.rb:193:5:193:59 | call to permit | provenance |  |
+| ActiveRecordInjection.rb:193:5:193:59 | call to permit | ActiveRecordInjection.rb:186:17:186:32 | call to permitted_params | provenance |  |
+| ActiveRecordInjection.rb:193:5:193:59 | call to permit | ActiveRecordInjection.rb:197:77:197:92 | call to permitted_params | provenance |  |
+| ActiveRecordInjection.rb:193:5:193:59 | call to permit | ActiveRecordInjection.rb:198:69:198:84 | call to permitted_params | provenance |  |
+| ActiveRecordInjection.rb:197:77:197:92 | call to permitted_params | ActiveRecordInjection.rb:197:77:197:102 | ...[...] | provenance |  |
+| ActiveRecordInjection.rb:197:77:197:102 | ...[...] | ActiveRecordInjection.rb:197:43:197:104 | "SELECT * FROM users WHERE id ..." | provenance |  |
+| ActiveRecordInjection.rb:198:69:198:84 | call to permitted_params | ActiveRecordInjection.rb:198:69:198:94 | ...[...] | provenance |  |
+| ActiveRecordInjection.rb:198:69:198:94 | ...[...] | ActiveRecordInjection.rb:198:35:198:96 | "SELECT * FROM users WHERE id ..." | provenance |  |
 | ArelInjection.rb:4:5:4:8 | name | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | provenance |  |
 | ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:4:12:4:29 | ...[...] | provenance |  |
 | ArelInjection.rb:4:12:4:29 | ...[...] | ArelInjection.rb:4:5:4:8 | name | provenance |  |
@@ -133,38 +142,54 @@ nodes
 | ActiveRecordInjection.rb:104:30:104:51 | ...[...] | semmle.label | ...[...] |
 | ActiveRecordInjection.rb:106:18:106:23 | call to params | semmle.label | call to params |
 | ActiveRecordInjection.rb:106:18:106:35 | ...[...] | semmle.label | ...[...] |
-| ActiveRecordInjection.rb:108:23:108:28 | call to params | semmle.label | call to params |
-| ActiveRecordInjection.rb:108:23:108:47 | ...[...] | semmle.label | ...[...] |
-| ActiveRecordInjection.rb:114:5:114:6 | ps | semmle.label | ps |
-| ActiveRecordInjection.rb:114:10:114:15 | call to params | semmle.label | call to params |
-| ActiveRecordInjection.rb:115:5:115:7 | uid | semmle.label | uid |
-| ActiveRecordInjection.rb:115:11:115:12 | ps | semmle.label | ps |
-| ActiveRecordInjection.rb:115:11:115:17 | ...[...] | semmle.label | ...[...] |
-| ActiveRecordInjection.rb:116:5:116:9 | uidEq | semmle.label | uidEq |
-| ActiveRecordInjection.rb:120:20:120:32 | ... + ... | semmle.label | ... + ... |
-| ActiveRecordInjection.rb:120:20:120:32 | ... + ... [element] | semmle.label | ... + ... [element] |
-| ActiveRecordInjection.rb:120:28:120:32 | uidEq | semmle.label | uidEq |
-| ActiveRecordInjection.rb:153:21:153:26 | call to params | semmle.label | call to params |
-| ActiveRecordInjection.rb:153:21:153:44 | ...[...] | semmle.label | ...[...] |
-| ActiveRecordInjection.rb:153:21:153:44 | ...[...] | semmle.label | ...[...] |
-| ActiveRecordInjection.rb:167:27:167:76 | "this is an unsafe annotation:..." | semmle.label | "this is an unsafe annotation:..." |
-| ActiveRecordInjection.rb:167:59:167:64 | call to params | semmle.label | call to params |
-| ActiveRecordInjection.rb:167:59:167:74 | ...[...] | semmle.label | ...[...] |
-| ActiveRecordInjection.rb:178:5:178:13 | my_params | semmle.label | my_params |
-| ActiveRecordInjection.rb:178:17:178:32 | call to permitted_params | semmle.label | call to permitted_params |
-| ActiveRecordInjection.rb:179:5:179:9 | query | semmle.label | query |
-| ActiveRecordInjection.rb:179:47:179:55 | my_params | semmle.label | my_params |
-| ActiveRecordInjection.rb:179:47:179:65 | ...[...] | semmle.label | ...[...] |
-| ActiveRecordInjection.rb:180:37:180:41 | query | semmle.label | query |
-| ActiveRecordInjection.rb:185:5:185:10 | call to params | semmle.label | call to params |
-| ActiveRecordInjection.rb:185:5:185:27 | call to require | semmle.label | call to require |
-| ActiveRecordInjection.rb:185:5:185:59 | call to permit | semmle.label | call to permit |
-| ActiveRecordInjection.rb:189:43:189:104 | "SELECT * FROM users WHERE id ..." | semmle.label | "SELECT * FROM users WHERE id ..." |
-| ActiveRecordInjection.rb:189:77:189:92 | call to permitted_params | semmle.label | call to permitted_params |
-| ActiveRecordInjection.rb:189:77:189:102 | ...[...] | semmle.label | ...[...] |
-| ActiveRecordInjection.rb:190:35:190:96 | "SELECT * FROM users WHERE id ..." | semmle.label | "SELECT * FROM users WHERE id ..." |
-| ActiveRecordInjection.rb:190:69:190:84 | call to permitted_params | semmle.label | call to permitted_params |
-| ActiveRecordInjection.rb:190:69:190:94 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:108:26:108:31 | call to params | semmle.label | call to params |
+| ActiveRecordInjection.rb:108:26:108:40 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:109:28:109:33 | call to params | semmle.label | call to params |
+| ActiveRecordInjection.rb:109:28:109:42 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:110:25:110:49 | "b #{...}" | semmle.label | "b #{...}" |
+| ActiveRecordInjection.rb:110:30:110:35 | call to params | semmle.label | call to params |
+| ActiveRecordInjection.rb:110:30:110:47 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:111:27:111:51 | "b #{...}" | semmle.label | "b #{...}" |
+| ActiveRecordInjection.rb:111:32:111:37 | call to params | semmle.label | call to params |
+| ActiveRecordInjection.rb:111:32:111:49 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:112:21:112:26 | call to params | semmle.label | call to params |
+| ActiveRecordInjection.rb:112:21:112:35 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:113:21:113:26 | call to params | semmle.label | call to params |
+| ActiveRecordInjection.rb:113:21:113:35 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:114:20:114:25 | call to params | semmle.label | call to params |
+| ActiveRecordInjection.rb:114:20:114:34 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:116:23:116:28 | call to params | semmle.label | call to params |
+| ActiveRecordInjection.rb:116:23:116:47 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:122:5:122:6 | ps | semmle.label | ps |
+| ActiveRecordInjection.rb:122:10:122:15 | call to params | semmle.label | call to params |
+| ActiveRecordInjection.rb:123:5:123:7 | uid | semmle.label | uid |
+| ActiveRecordInjection.rb:123:11:123:12 | ps | semmle.label | ps |
+| ActiveRecordInjection.rb:123:11:123:17 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:124:5:124:9 | uidEq | semmle.label | uidEq |
+| ActiveRecordInjection.rb:128:20:128:32 | ... + ... | semmle.label | ... + ... |
+| ActiveRecordInjection.rb:128:20:128:32 | ... + ... [element] | semmle.label | ... + ... [element] |
+| ActiveRecordInjection.rb:128:28:128:32 | uidEq | semmle.label | uidEq |
+| ActiveRecordInjection.rb:161:21:161:26 | call to params | semmle.label | call to params |
+| ActiveRecordInjection.rb:161:21:161:44 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:161:21:161:44 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:175:27:175:76 | "this is an unsafe annotation:..." | semmle.label | "this is an unsafe annotation:..." |
+| ActiveRecordInjection.rb:175:59:175:64 | call to params | semmle.label | call to params |
+| ActiveRecordInjection.rb:175:59:175:74 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:186:5:186:13 | my_params | semmle.label | my_params |
+| ActiveRecordInjection.rb:186:17:186:32 | call to permitted_params | semmle.label | call to permitted_params |
+| ActiveRecordInjection.rb:187:5:187:9 | query | semmle.label | query |
+| ActiveRecordInjection.rb:187:47:187:55 | my_params | semmle.label | my_params |
+| ActiveRecordInjection.rb:187:47:187:65 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:188:37:188:41 | query | semmle.label | query |
+| ActiveRecordInjection.rb:193:5:193:10 | call to params | semmle.label | call to params |
+| ActiveRecordInjection.rb:193:5:193:27 | call to require | semmle.label | call to require |
+| ActiveRecordInjection.rb:193:5:193:59 | call to permit | semmle.label | call to permit |
+| ActiveRecordInjection.rb:197:43:197:104 | "SELECT * FROM users WHERE id ..." | semmle.label | "SELECT * FROM users WHERE id ..." |
+| ActiveRecordInjection.rb:197:77:197:92 | call to permitted_params | semmle.label | call to permitted_params |
+| ActiveRecordInjection.rb:197:77:197:102 | ...[...] | semmle.label | ...[...] |
+| ActiveRecordInjection.rb:198:35:198:96 | "SELECT * FROM users WHERE id ..." | semmle.label | "SELECT * FROM users WHERE id ..." |
+| ActiveRecordInjection.rb:198:69:198:84 | call to permitted_params | semmle.label | call to permitted_params |
+| ActiveRecordInjection.rb:198:69:198:94 | ...[...] | semmle.label | ...[...] |
 | ArelInjection.rb:4:5:4:8 | name | semmle.label | name |
 | ArelInjection.rb:4:12:4:17 | call to params | semmle.label | call to params |
 | ArelInjection.rb:4:12:4:29 | ...[...] | semmle.label | ...[...] |
@@ -186,7 +211,7 @@ subpaths
 #select
 | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:70:23:70:28 | call to params | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:70:23:70:28 | call to params | user-provided value |
 | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | ActiveRecordInjection.rb:70:38:70:43 | call to params | ActiveRecordInjection.rb:10:33:10:67 | "name='#{...}' and pass='#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:70:38:70:43 | call to params | user-provided value |
-| ActiveRecordInjection.rb:23:16:23:24 | condition | ActiveRecordInjection.rb:153:21:153:26 | call to params | ActiveRecordInjection.rb:23:16:23:24 | condition | This SQL query depends on a $@. | ActiveRecordInjection.rb:153:21:153:26 | call to params | user-provided value |
+| ActiveRecordInjection.rb:23:16:23:24 | condition | ActiveRecordInjection.rb:161:21:161:26 | call to params | ActiveRecordInjection.rb:23:16:23:24 | condition | This SQL query depends on a $@. | ActiveRecordInjection.rb:161:21:161:26 | call to params | user-provided value |
 | ActiveRecordInjection.rb:35:30:35:44 | ...[...] | ActiveRecordInjection.rb:35:30:35:35 | call to params | ActiveRecordInjection.rb:35:30:35:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:35:30:35:35 | call to params | user-provided value |
 | ActiveRecordInjection.rb:39:18:39:32 | ...[...] | ActiveRecordInjection.rb:39:18:39:23 | call to params | ActiveRecordInjection.rb:39:18:39:32 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:39:18:39:23 | call to params | user-provided value |
 | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | ActiveRecordInjection.rb:43:29:43:34 | call to params | ActiveRecordInjection.rb:43:20:43:42 | "id = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:43:29:43:34 | call to params | user-provided value |
@@ -204,13 +229,20 @@ subpaths
 | ActiveRecordInjection.rb:100:20:100:55 | "name = '#{...}'" | ActiveRecordInjection.rb:100:31:100:36 | call to params | ActiveRecordInjection.rb:100:20:100:55 | "name = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:100:31:100:36 | call to params | user-provided value |
 | ActiveRecordInjection.rb:104:19:104:54 | "name = '#{...}'" | ActiveRecordInjection.rb:104:30:104:35 | call to params | ActiveRecordInjection.rb:104:19:104:54 | "name = '#{...}'" | This SQL query depends on a $@. | ActiveRecordInjection.rb:104:30:104:35 | call to params | user-provided value |
 | ActiveRecordInjection.rb:106:18:106:35 | ...[...] | ActiveRecordInjection.rb:106:18:106:23 | call to params | ActiveRecordInjection.rb:106:18:106:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:106:18:106:23 | call to params | user-provided value |
-| ActiveRecordInjection.rb:108:23:108:47 | ...[...] | ActiveRecordInjection.rb:108:23:108:28 | call to params | ActiveRecordInjection.rb:108:23:108:47 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:108:23:108:28 | call to params | user-provided value |
-| ActiveRecordInjection.rb:120:20:120:32 | ... + ... | ActiveRecordInjection.rb:114:10:114:15 | call to params | ActiveRecordInjection.rb:120:20:120:32 | ... + ... | This SQL query depends on a $@. | ActiveRecordInjection.rb:114:10:114:15 | call to params | user-provided value |
-| ActiveRecordInjection.rb:153:21:153:44 | ...[...] | ActiveRecordInjection.rb:153:21:153:26 | call to params | ActiveRecordInjection.rb:153:21:153:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:153:21:153:26 | call to params | user-provided value |
-| ActiveRecordInjection.rb:167:27:167:76 | "this is an unsafe annotation:..." | ActiveRecordInjection.rb:167:59:167:64 | call to params | ActiveRecordInjection.rb:167:27:167:76 | "this is an unsafe annotation:..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:167:59:167:64 | call to params | user-provided value |
-| ActiveRecordInjection.rb:180:37:180:41 | query | ActiveRecordInjection.rb:185:5:185:10 | call to params | ActiveRecordInjection.rb:180:37:180:41 | query | This SQL query depends on a $@. | ActiveRecordInjection.rb:185:5:185:10 | call to params | user-provided value |
-| ActiveRecordInjection.rb:189:43:189:104 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:185:5:185:10 | call to params | ActiveRecordInjection.rb:189:43:189:104 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:185:5:185:10 | call to params | user-provided value |
-| ActiveRecordInjection.rb:190:35:190:96 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:185:5:185:10 | call to params | ActiveRecordInjection.rb:190:35:190:96 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:185:5:185:10 | call to params | user-provided value |
+| ActiveRecordInjection.rb:108:26:108:40 | ...[...] | ActiveRecordInjection.rb:108:26:108:31 | call to params | ActiveRecordInjection.rb:108:26:108:40 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:108:26:108:31 | call to params | user-provided value |
+| ActiveRecordInjection.rb:109:28:109:42 | ...[...] | ActiveRecordInjection.rb:109:28:109:33 | call to params | ActiveRecordInjection.rb:109:28:109:42 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:109:28:109:33 | call to params | user-provided value |
+| ActiveRecordInjection.rb:110:25:110:49 | "b #{...}" | ActiveRecordInjection.rb:110:30:110:35 | call to params | ActiveRecordInjection.rb:110:25:110:49 | "b #{...}" | This SQL query depends on a $@. | ActiveRecordInjection.rb:110:30:110:35 | call to params | user-provided value |
+| ActiveRecordInjection.rb:111:27:111:51 | "b #{...}" | ActiveRecordInjection.rb:111:32:111:37 | call to params | ActiveRecordInjection.rb:111:27:111:51 | "b #{...}" | This SQL query depends on a $@. | ActiveRecordInjection.rb:111:32:111:37 | call to params | user-provided value |
+| ActiveRecordInjection.rb:112:21:112:35 | ...[...] | ActiveRecordInjection.rb:112:21:112:26 | call to params | ActiveRecordInjection.rb:112:21:112:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:112:21:112:26 | call to params | user-provided value |
+| ActiveRecordInjection.rb:113:21:113:35 | ...[...] | ActiveRecordInjection.rb:113:21:113:26 | call to params | ActiveRecordInjection.rb:113:21:113:35 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:113:21:113:26 | call to params | user-provided value |
+| ActiveRecordInjection.rb:114:20:114:34 | ...[...] | ActiveRecordInjection.rb:114:20:114:25 | call to params | ActiveRecordInjection.rb:114:20:114:34 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:114:20:114:25 | call to params | user-provided value |
+| ActiveRecordInjection.rb:116:23:116:47 | ...[...] | ActiveRecordInjection.rb:116:23:116:28 | call to params | ActiveRecordInjection.rb:116:23:116:47 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:116:23:116:28 | call to params | user-provided value |
+| ActiveRecordInjection.rb:128:20:128:32 | ... + ... | ActiveRecordInjection.rb:122:10:122:15 | call to params | ActiveRecordInjection.rb:128:20:128:32 | ... + ... | This SQL query depends on a $@. | ActiveRecordInjection.rb:122:10:122:15 | call to params | user-provided value |
+| ActiveRecordInjection.rb:161:21:161:44 | ...[...] | ActiveRecordInjection.rb:161:21:161:26 | call to params | ActiveRecordInjection.rb:161:21:161:44 | ...[...] | This SQL query depends on a $@. | ActiveRecordInjection.rb:161:21:161:26 | call to params | user-provided value |
+| ActiveRecordInjection.rb:175:27:175:76 | "this is an unsafe annotation:..." | ActiveRecordInjection.rb:175:59:175:64 | call to params | ActiveRecordInjection.rb:175:27:175:76 | "this is an unsafe annotation:..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:175:59:175:64 | call to params | user-provided value |
+| ActiveRecordInjection.rb:188:37:188:41 | query | ActiveRecordInjection.rb:193:5:193:10 | call to params | ActiveRecordInjection.rb:188:37:188:41 | query | This SQL query depends on a $@. | ActiveRecordInjection.rb:193:5:193:10 | call to params | user-provided value |
+| ActiveRecordInjection.rb:197:43:197:104 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:193:5:193:10 | call to params | ActiveRecordInjection.rb:197:43:197:104 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:193:5:193:10 | call to params | user-provided value |
+| ActiveRecordInjection.rb:198:35:198:96 | "SELECT * FROM users WHERE id ..." | ActiveRecordInjection.rb:193:5:193:10 | call to params | ActiveRecordInjection.rb:198:35:198:96 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ActiveRecordInjection.rb:193:5:193:10 | call to params | user-provided value |
 | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value |
 | PgInjection.rb:14:15:14:18 | qry1 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:14:15:14:18 | qry1 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value |
 | PgInjection.rb:15:21:15:24 | qry1 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:15:21:15:24 | qry1 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value |
				`@@ -0,0 +1 @@`
				`//semmle-extractor-options: --javac-args -cp ${testdir}/../../../../../stubs/google-android-9.0.0`