hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-05-04 13:15:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

Ruby: Identify safe_constantize

Browse Source
This commit is contained in:
Harry Maclean
2022-10-04 15:44:12 +13:00
parent ca279f4073
commit b389d50943
3 changed files with 10 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
ruby/ql/lib/codeql/ruby/frameworks/ActiveSupport.qll
View File

@@ -24,14 +24,17 @@ module ActiveSupport {
*/
module String {
/**
* A call to `String#constantize`, which tries to find a declared constant with the given name.
* Passing user input to this method may result in instantiation of arbitrary Ruby classes.
* A call to `String#constantize` or `String#safe_constantize`, which
* tries to find a declared constant with the given name.
* Passing user input to this method may result in instantiation of
* arbitrary Ruby classes.
*/
class Constantize extends CodeExecution::Range, DataFlow::CallNode {
// We treat this an `UnknownMethodCall` in order to match every call to `constantize` that isn't overridden.
// We can't (yet) rely on API Graphs or dataflow to tell us that the receiver is a String.
Constantize() {
this.asExpr().getExpr().(UnknownMethodCall).getMethodName() = "constantize"
this.asExpr().getExpr().(UnknownMethodCall).getMethodName() =
["constantize", "safe_constantize"]
}
override DataFlow::Node getCode() { result = this.getReceiver() }