Ruby: Consolidate unsafe deserialization queries

Merge the experimental YAMLUnsafeDeserialization and PlistUnsafeDeserialization queries into the generate UnsafeDeserialization query in the default suite. These queries look for some specific sinks that we now find in the general query. Also apply some small code and comment refactors.
2025-12-17 01:03:14 +01:00 · 2023-05-26 14:48:16 +00:00
parent d727d573d5
commit b8c3cba4ff
16 changed files with 75 additions and 330 deletions
--- a/ruby/ql/lib/codeql/ruby/frameworks/Yaml.qll
+++ b/ruby/ql/lib/codeql/ruby/frameworks/Yaml.qll
@@ -8,36 +8,28 @@ private import codeql.ruby.ApiGraphs

 /**
 * A taint step related to the result of `YAML.parse` calls, or similar.
- *In the following example, this step will propagate taint from
- *`source` to `sink`:
+ * In the following example, this step will propagate taint from
+ * `source` to `sink`:
 *
- *```rb
- *x = source
- *result = YAML.parse(x)
- *sink result.to_ruby # Unsafe call
+ * ```rb
+ * x = source
+ * result = YAML.parse(x)
+ * sink result.to_ruby # Unsafe call
 * ```
 */
 private class YamlParseStep extends AdditionalTaintStep {
  override predicate step(DataFlow::Node pred, DataFlow::Node succ) {
    exists(DataFlow::CallNode yamlParserMethod |
-      yamlParserMethod = yamlNode().getAMethodCall(["parse", "parse_stream"]) and
+      succ = yamlParserMethod.getAMethodCall("to_ruby") and
      (
-        pred = yamlParserMethod.getArgument(0) or
-        pred = yamlParserMethod.getKeywordArgument("yaml")
-      ) and
-      succ = yamlParserMethod.getAMethodCall("to_ruby")
-      or
-      yamlParserMethod = yamlNode().getAMethodCall("parse_file") and
-      (
-        pred = yamlParserMethod.getArgument(0) or
-        pred = yamlParserMethod.getKeywordArgument("filename")
-      ) and
-      succ = yamlParserMethod.getAMethodCall("to_ruby")
+        yamlParserMethod = yamlNode().getAMethodCall(["parse", "parse_stream"]) and
+        pred = [yamlParserMethod.getArgument(0), yamlParserMethod.getKeywordArgument("yaml")]
+        or
+        yamlParserMethod = yamlNode().getAMethodCall("parse_file") and
+        pred = [yamlParserMethod.getArgument(0), yamlParserMethod.getKeywordArgument("filename")]
+      )
    )
  }
 }

-/**
- * YAML/Psych Top level Class member
- */
 private API::Node yamlNode() { result = API::getTopLevelMember(["YAML", "Psych"]) }
--- a/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
+++ b/ruby/ql/lib/codeql/ruby/security/UnsafeDeserializationCustomizations.qll
@@ -75,14 +75,13 @@ module UnsafeDeserialization {
  }

  /**
-   * An argument in a call to `YAML.unsafe_*` and `YAML.load_stream` , considered sinks
+   * An argument in a call to `YAML.unsafe_*` and `YAML.load_stream` , considered a sink
   * for unsafe deserialization. The `YAML` module is an alias of `Psych` in
   * recent versions of Ruby.
-   * the `this = yamlNode().getAMethodCall("load").getArgument(0)` is safe
-   *  in psych/yaml library after [v4.0.0](https://github.com/ruby/psych/releases/tag/v4.0.0), so it will be removed in future.
   */
  class YamlLoadArgument extends Sink {
    YamlLoadArgument() {
+      // Note: this is safe in psych/yaml >= 4.0.0.
      this = yamlNode().getAMethodCall("load").getArgument(0)
      or
      this =
@@ -94,16 +93,11 @@ module UnsafeDeserialization {
    }
  }

-  /**
-   * YAML/Psych Top level Class member
-   */
  private API::Node yamlNode() { result = API::getTopLevelMember(["YAML", "Psych"]) }

  /**
-   * An argument in a call to `YAML.parse*`, considered sinks
-   * for unsafe deserialization if there is a call to `to_ruby` on returned value of them,
-   * so this need some additional taint steps. The `YAML` module is an alias of `Psych` in
-   * recent versions of Ruby.
+   * An argument in a call to `YAML.parse*`, considered a sink for unsafe deserialization
+   * if there is a call to `to_ruby` on the returned value.
   */
  class YamlParseArgument extends Sink {
    YamlParseArgument() {
@@ -237,7 +231,7 @@ module UnsafeDeserialization {
  }

  /**
-   * An argument in a call to `Plist.parse_xml` where the marshal is `true` (which is
+   * An argument in a call to `Plist.parse_xml` where `marshal` is `true` (which is
   * the default), considered a sink for unsafe deserialization.
   */
  class UnsafePlistParsexmlArgument extends Sink {
@@ -246,10 +240,11 @@ module UnsafeDeserialization {
        plistParseXml = API::getTopLevelMember("Plist").getAMethodCall("parse_xml")
      |
        this = [plistParseXml.getArgument(0), plistParseXml.getKeywordArgument("filename_or_xml")] and
-        plistParseXml.getKeywordArgument("marshal").getConstantValue().isBoolean(true)
-        or
-        this = [plistParseXml.getArgument(0), plistParseXml.getKeywordArgument("filename_or_xml")] and
-        plistParseXml.getNumberOfArguments() = 1
+        (
+          plistParseXml.getKeywordArgument("marshal").getConstantValue().isBoolean(true)
+          or
+          plistParseXml.getNumberOfArguments() = 1
+        )
      )
    }
  }
--- a/ruby/ql/src/experimental/cwe-502/PlistUnsafeDeserialization.qhelp
+++ b/ruby/ql/src/experimental/cwe-502/PlistUnsafeDeserialization.qhelp
@@ -1,24 +0,0 @@
-<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
-<qhelp>
-    <overview>
-        <p>
-            Processing an unvalidated user input can allow an attacker to execute arbitrary code in your application.
-            Unsafe deserializing the malicious serialized xml document through the Plist library, making it possible to execute some code or execute arbitrary code with the help of a complete gadget chain.
-        </p>
-    </overview>
-    <recommendation>
-        <p>
-        This vulnerability in Plist can be prevented by calling <code>Plist.parse_xml FileOrXmlString, marshal: false</code>.
-        </p>
-    </recommendation>
-    <example>
-        <p>In the example below, you can see safe and unsafe Plist dangerous method calls that can be abused by a remote user input. You can use "marshal: false" as an arugument for <code>Plist.parse_xml</code> to use it safe.
-        </p>
-        <sample src="PlistUnsafeDeserialization.rb" />
-    </example>
-    <references>
-    <li>
-    Security considerations from library documentation: <a href="https://github.com/patsplat/plist#label-Security+considerations">patsplat/plist Repository</a>.
-    </li>
-    </references>
-</qhelp>
--- a/ruby/ql/src/experimental/cwe-502/PlistUnsafeDeserialization.ql
+++ b/ruby/ql/src/experimental/cwe-502/PlistUnsafeDeserialization.ql
@@ -1,57 +0,0 @@
-/**
- * @name Unsafe Deserialization of user-controlled data by Plist
- * @description Deserializing user-controlled data may allow attackers to
- *              execute arbitrary code.
- * @kind path-problem
- * @problem.severity warning
- * @security-severity 9.8
- * @precision high
- * @id rb/plist-unsafe-deserialization
- * @tags security
- *       experimental
- *       external/cwe/cwe-502
- */
-
-import codeql.ruby.ApiGraphs
-import codeql.ruby.DataFlow
-import codeql.ruby.TaintTracking
-import codeql.ruby.CFG
-import DataFlow::PathGraph
-import codeql.ruby.security.UnsafeDeserializationCustomizations
-
-abstract class PlistUnsafeSinks extends DataFlow::Node { }
-
-/**
- * An argument in a call to `Plist.parse_xml` where the marshal is `true` (which is
- * the default), considered a sink for unsafe deserialization.
- */
-class UnsafePlistParsexmlArgument extends PlistUnsafeSinks {
-  UnsafePlistParsexmlArgument() {
-    exists(DataFlow::CallNode plistParseXml |
-      plistParseXml = API::getTopLevelMember("Plist").getAMethodCall("parse_xml")
-    |
-      this = [plistParseXml.getArgument(0), plistParseXml.getKeywordArgument("filename_or_xml")] and
-      plistParseXml.getKeywordArgument("marshal").getConstantValue().isBoolean(true)
-      or
-      this = [plistParseXml.getArgument(0), plistParseXml.getKeywordArgument("filename_or_xml")] and
-      plistParseXml.getNumberOfArguments() = 1
-    )
-  }
-}
-
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "PlistUnsafeDeserialization" }
-
-  override predicate isSource(DataFlow::Node source) {
-    // to detect CVE-2021-33575, we should uncomment following line instead of current UnsafeDeserialization::Source
-    // source instanceof DataFlow::LocalSourceNode
-    source instanceof UnsafeDeserialization::Source
-  }
-
-  override predicate isSink(DataFlow::Node sink) { sink instanceof PlistUnsafeSinks }
-}
-
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Unsafe deserialization depends on a $@.", source.getNode(),
-  "potentially untrusted source"
--- a/ruby/ql/src/experimental/cwe-502/PlistUnsafeDeserialization.rb
+++ b/ruby/ql/src/experimental/cwe-502/PlistUnsafeDeserialization.rb
@@ -1,17 +0,0 @@
-require 'plist'
-class UsersController < ActionController::Base
-  def example
-    # not safe
-    config = true
-    result = Plist.parse_xml(params[:yaml_string])
-    result = Plist.parse_xml(params[:yaml_string], marshal: config)
-    result = Plist.parse_xml(params[:yaml_string], marshal: true)
-
-    # safe
-    config = false
-    result = Plist.parse_xml(params[:yaml_string], marshal: false)
-    result = Plist.parse_xml(params[:yaml_string], marshal: config)
-  end
-end
-
-
--- a/ruby/ql/src/experimental/cwe-502/YAMLUnsafeDeserialization.qhelp
+++ b/ruby/ql/src/experimental/cwe-502/YAMLUnsafeDeserialization.qhelp
@@ -1,26 +0,0 @@
-<!DOCTYPE qhelp SYSTEM "qhelp.dtd">
-<qhelp>
-    <overview>
-        <p>
-            Processing an unvalidated user input can allow an attacker to execute arbitrary code in your application.
-            Unsafe deserializing the malicious serialized yaml document through the Psych (YAML) library, making it possible to execute some code or execute arbitrary code with the help of a complete gadget chain.
-        </p>
-    </overview>
-    <recommendation>
-        <p>
-            After Psych(YAML) 4.0.0, the load method is same as safe_load method.
-            This vulnerability can be prevented by using YAML.load (same as <code>YAML.safe_load</code>), <code>YAML.load_file</code> (same as <code>YAML.safe_load_file</code>) instead of <code>YAML.unsafe_*</code> methods.
-            Be careful that <code>YAML.load_stream</code> don't use safe_load method, Also Be careful the <code>to_ruby</code> method of Psych get called on a trusted parsed (<code>YAML.parse*</code>) yaml document.
-        </p>
-    </recommendation>
-    <example>
-        <p>In the example below, you can see safe and unsafe methods get called by a remote user input. You can give correct authorization to users, or you can use safe methods for loading yaml documents.</p>
-        <sample src="YAMLUnsafeDeserialization.rb" />
-    </example>
-    <references>
-    <li>
-    You can read that how unsafe yaml load methods can lead to code executions.
-    <a href="https://devcraft.io/2021/01/07/universal-deserialisation-gadget-for-ruby-2-x-3-x.html">Universal Deserialisation Gadget for Ruby 2.x-3.x </a>.
-    </li>
-    </references>
-</qhelp>
--- a/ruby/ql/src/experimental/cwe-502/YAMLUnsafeDeserialization.ql
+++ b/ruby/ql/src/experimental/cwe-502/YAMLUnsafeDeserialization.ql
@@ -1,88 +0,0 @@
-/**
- * @name Unsafe Deserialization of user-controlled data by YAML
- * @description Deserializing user-controlled data may allow attackers to
- *              execute arbitrary code.
- * @kind path-problem
- * @problem.severity warning
- * @security-severity 9.8
- * @precision high
- * @id rb/YAML-unsafe-deserialization
- * @tags security
- *       experimental
- *       external/cwe/cwe-502
- */
-
-import codeql.ruby.ApiGraphs
-import codeql.ruby.DataFlow
-import codeql.ruby.TaintTracking
-import DataFlow::PathGraph
-import codeql.ruby.security.UnsafeDeserializationCustomizations
-
-abstract class YamlUnsafeSinks extends DataFlow::Node { }
-
-class YamlUnsafeArgument extends YamlUnsafeSinks {
-  YamlUnsafeArgument() {
-    this =
-      API::getTopLevelMember(["YAML", "Psych"])
-          .getAMethodCall(["unsafe_load_file", "unsafe_load", "load_stream"])
-          .getArgument(0)
-    or
-    this =
-      API::getTopLevelMember(["YAML", "Psych"])
-          .getAMethodCall(["unsafe_load", "load_stream"])
-          .getKeywordArgument("yaml")
-    or
-    this =
-      API::getTopLevelMember(["YAML", "Psych"])
-          .getAMethodCall("unsafe_load_file")
-          .getKeywordArgument("filename")
-    or
-    this =
-      API::getTopLevelMember(["YAML", "Psych"])
-          .getAMethodCall(["parse", "parse_stream", "parse_file"])
-          .getAMethodCall("to_ruby")
-  }
-}
-
-class Configuration extends TaintTracking::Configuration {
-  Configuration() { this = "YamlUnsafeDeserialization" }
-
-  override predicate isSource(DataFlow::Node source) {
-    // to detect CVE-2022-32224, we should uncomment following line instead of current UnsafeDeserialization::Source
-    // source instanceof DataFlow::LocalSourceNode
-    source instanceof UnsafeDeserialization::Source
-  }
-
-  override predicate isSink(DataFlow::Node sink) {
-    // after changing the isSource for detecting CVE-2022-32224
-    // uncomment the following line only see the CVE sink not other files similar sinks
-    // sink.getLocation().getFile().toString().matches("%yaml_column%") and
-    sink instanceof YamlUnsafeSinks
-  }
-
-  override predicate isAdditionalTaintStep(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
-    exists(DataFlow::CallNode yaml_parser_methods |
-      yaml_parser_methods =
-        API::getTopLevelMember(["YAML", "Psych"]).getAMethodCall(["parse", "parse_stream"]) and
-      (
-        nodeFrom = yaml_parser_methods.getArgument(0) or
-        nodeFrom = yaml_parser_methods.getKeywordArgument("yaml")
-      ) and
-      nodeTo = yaml_parser_methods.getAMethodCall("to_ruby")
-    )
-    or
-    exists(DataFlow::CallNode yaml_parser_methods |
-      yaml_parser_methods = API::getTopLevelMember(["YAML", "Psych"]).getAMethodCall("parse_file") and
-      (
-        nodeFrom = yaml_parser_methods.getArgument(0) or
-        nodeFrom = yaml_parser_methods.getKeywordArgument("filename")
-      ) and
-      nodeTo = yaml_parser_methods.getAMethodCall("to_ruby")
-    )
-  }
-}
-
-from Configuration config, DataFlow::PathNode source, DataFlow::PathNode sink
-where config.hasFlowPath(source, sink)
-select sink.getNode(), source, sink, "Unsafe deserialization depends on a $@.", source.getNode(),
-  "potentially untrusted source"
--- a/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp
+++ b/ruby/ql/src/queries/security/cwe-502/UnsafeDeserialization.qhelp
@@ -19,14 +19,19 @@ deserialization of arbitrary objects.
 </p>

 <p>
-YAML/Psych recommendation:
-After Psych(YAML) 4.0.0, the load method is same as safe_load method.
-This vulnerability can be prevented by using YAML.load (same as <code>YAML.safe_load</code>), <code>YAML.load_file</code> (same as <code>YAML.safe_load_file</code>) instead of <code>YAML.unsafe_*</code> methods.
-Be careful that <code>YAML.load_stream</code> don't use safe_load method, Also Be careful the <code>to_ruby</code> method of Psych get called on a trusted parsed (<code>YAML.parse*</code>) yaml document.
+If deserializing an untrusted YAML document using the <code>psych</code> gem
+prior to version 4.0.0, the <code>load</code> method is vulnerable. Use
+<code>safe_load</code> instead. With <code>psych</code> version 4.0.0 and later,
+the <code>load</code> is safe. The same applies to <code>load_file</code>.
+<code>load_stream</code> is vulnerable in all versions. The safe versions of these
+methods (<code>safe_load</code> and <code>safe_load_file</code>) are not vulnerable
+in any known version.
 </p>

 <p>
-This vulnerability in Plist can be prevented by calling <code>Plist.parse_xml FileOrXmlString, marshal: false</code>.
+To safely deserialize <a href="https://en.wikipedia.org/wiki/Property_list">Property List</a>
+files using the <code>plist</code> gem, ensure that you pass <code>marshal: false</code>
+when calling <code>Plist.parse_xml</code>.
 </p>
 </recommendation>

@@ -39,13 +44,6 @@ to arbitrary objects, this is inherently unsafe.
 </p>
 <sample src="examples/UnsafeDeserializationBad.rb"/>

-<p>In the example below, you can see safe and unsafe methods get called by a remote user input. You can give correct authorization to users, or you can use safe methods for loading yaml documents.</p>
-<sample src="examples/YAMLUnsafeDeserialization.rb"/>
-
-<p>In the example below, you can see safe and unsafe Plist dangerous method calls that can be abused by a remote user input. You can use "marshal: false" as an arugument for <code>Plist.parse_xml</code> to use it safe.
-</p>
-<sample src="examples/PlistUnsafeDeserialization.rb"/>
-
 <p>
 Using <code>JSON.parse</code> and <code>YAML.safe_load</code> instead, as in the
 following example, removes the vulnerability. Similarly, calling
--- a/ruby/ql/test/query-tests/experimental/Security/cwe-502/PlistUnsafeDeserialization.expected
+++ b/ruby/ql/test/query-tests/experimental/Security/cwe-502/PlistUnsafeDeserialization.expected
@@ -1,12 +0,0 @@
-edges
-| PlistUnsafeDeserialization.rb:5:30:5:35 | call to params :  | PlistUnsafeDeserialization.rb:5:30:5:49 | ...[...] |
-| PlistUnsafeDeserialization.rb:6:30:6:35 | call to params :  | PlistUnsafeDeserialization.rb:6:30:6:49 | ...[...] |
-nodes
-| PlistUnsafeDeserialization.rb:5:30:5:35 | call to params :  | semmle.label | call to params :  |
-| PlistUnsafeDeserialization.rb:5:30:5:49 | ...[...] | semmle.label | ...[...] |
-| PlistUnsafeDeserialization.rb:6:30:6:35 | call to params :  | semmle.label | call to params :  |
-| PlistUnsafeDeserialization.rb:6:30:6:49 | ...[...] | semmle.label | ...[...] |
-subpaths
-#select
-| PlistUnsafeDeserialization.rb:5:30:5:49 | ...[...] | PlistUnsafeDeserialization.rb:5:30:5:35 | call to params :  | PlistUnsafeDeserialization.rb:5:30:5:49 | ...[...] | Unsafe deserialization depends on a $@. | PlistUnsafeDeserialization.rb:5:30:5:35 | call to params | potentially untrusted source |
-| PlistUnsafeDeserialization.rb:6:30:6:49 | ...[...] | PlistUnsafeDeserialization.rb:6:30:6:35 | call to params :  | PlistUnsafeDeserialization.rb:6:30:6:49 | ...[...] | Unsafe deserialization depends on a $@. | PlistUnsafeDeserialization.rb:6:30:6:35 | call to params | potentially untrusted source |
--- a/ruby/ql/test/query-tests/experimental/Security/cwe-502/PlistUnsafeDeserialization.qlref
+++ b/ruby/ql/test/query-tests/experimental/Security/cwe-502/PlistUnsafeDeserialization.qlref
@@ -1 +0,0 @@
-experimental/cwe-502/PlistUnsafeDeserialization.ql
--- a/ruby/ql/test/query-tests/experimental/Security/cwe-502/YAMLUnsafeDeserialization.expected
+++ b/ruby/ql/test/query-tests/experimental/Security/cwe-502/YAMLUnsafeDeserialization.expected
@@ -1,34 +0,0 @@
-edges
-| YAMLUnsafeDeserialization.rb:11:23:11:28 | call to params :  | YAMLUnsafeDeserialization.rb:11:23:11:42 | ...[...] |
-| YAMLUnsafeDeserialization.rb:12:28:12:33 | call to params :  | YAMLUnsafeDeserialization.rb:12:28:12:45 | ...[...] |
-| YAMLUnsafeDeserialization.rb:13:23:13:28 | call to params :  | YAMLUnsafeDeserialization.rb:13:23:13:42 | ...[...] |
-| YAMLUnsafeDeserialization.rb:14:39:14:44 | call to params :  | YAMLUnsafeDeserialization.rb:14:39:14:58 | ...[...] :  |
-| YAMLUnsafeDeserialization.rb:14:39:14:58 | ...[...] :  | YAMLUnsafeDeserialization.rb:15:5:15:24 | call to to_ruby |
-| YAMLUnsafeDeserialization.rb:16:17:16:22 | call to params :  | YAMLUnsafeDeserialization.rb:16:17:16:36 | ...[...] :  |
-| YAMLUnsafeDeserialization.rb:16:17:16:36 | ...[...] :  | YAMLUnsafeDeserialization.rb:16:5:16:45 | call to to_ruby |
-| YAMLUnsafeDeserialization.rb:17:22:17:27 | call to params :  | YAMLUnsafeDeserialization.rb:17:22:17:39 | ...[...] :  |
-| YAMLUnsafeDeserialization.rb:17:22:17:39 | ...[...] :  | YAMLUnsafeDeserialization.rb:17:5:17:48 | call to to_ruby |
-nodes
-| YAMLUnsafeDeserialization.rb:11:23:11:28 | call to params :  | semmle.label | call to params :  |
-| YAMLUnsafeDeserialization.rb:11:23:11:42 | ...[...] | semmle.label | ...[...] |
-| YAMLUnsafeDeserialization.rb:12:28:12:33 | call to params :  | semmle.label | call to params :  |
-| YAMLUnsafeDeserialization.rb:12:28:12:45 | ...[...] | semmle.label | ...[...] |
-| YAMLUnsafeDeserialization.rb:13:23:13:28 | call to params :  | semmle.label | call to params :  |
-| YAMLUnsafeDeserialization.rb:13:23:13:42 | ...[...] | semmle.label | ...[...] |
-| YAMLUnsafeDeserialization.rb:14:39:14:44 | call to params :  | semmle.label | call to params :  |
-| YAMLUnsafeDeserialization.rb:14:39:14:58 | ...[...] :  | semmle.label | ...[...] :  |
-| YAMLUnsafeDeserialization.rb:15:5:15:24 | call to to_ruby | semmle.label | call to to_ruby |
-| YAMLUnsafeDeserialization.rb:16:5:16:45 | call to to_ruby | semmle.label | call to to_ruby |
-| YAMLUnsafeDeserialization.rb:16:17:16:22 | call to params :  | semmle.label | call to params :  |
-| YAMLUnsafeDeserialization.rb:16:17:16:36 | ...[...] :  | semmle.label | ...[...] :  |
-| YAMLUnsafeDeserialization.rb:17:5:17:48 | call to to_ruby | semmle.label | call to to_ruby |
-| YAMLUnsafeDeserialization.rb:17:22:17:27 | call to params :  | semmle.label | call to params :  |
-| YAMLUnsafeDeserialization.rb:17:22:17:39 | ...[...] :  | semmle.label | ...[...] :  |
-subpaths
-#select
-| YAMLUnsafeDeserialization.rb:11:23:11:42 | ...[...] | YAMLUnsafeDeserialization.rb:11:23:11:28 | call to params :  | YAMLUnsafeDeserialization.rb:11:23:11:42 | ...[...] | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:11:23:11:28 | call to params | potentially untrusted source |
-| YAMLUnsafeDeserialization.rb:12:28:12:45 | ...[...] | YAMLUnsafeDeserialization.rb:12:28:12:33 | call to params :  | YAMLUnsafeDeserialization.rb:12:28:12:45 | ...[...] | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:12:28:12:33 | call to params | potentially untrusted source |
-| YAMLUnsafeDeserialization.rb:13:23:13:42 | ...[...] | YAMLUnsafeDeserialization.rb:13:23:13:28 | call to params :  | YAMLUnsafeDeserialization.rb:13:23:13:42 | ...[...] | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:13:23:13:28 | call to params | potentially untrusted source |
-| YAMLUnsafeDeserialization.rb:15:5:15:24 | call to to_ruby | YAMLUnsafeDeserialization.rb:14:39:14:44 | call to params :  | YAMLUnsafeDeserialization.rb:15:5:15:24 | call to to_ruby | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:14:39:14:44 | call to params | potentially untrusted source |
-| YAMLUnsafeDeserialization.rb:16:5:16:45 | call to to_ruby | YAMLUnsafeDeserialization.rb:16:17:16:22 | call to params :  | YAMLUnsafeDeserialization.rb:16:5:16:45 | call to to_ruby | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:16:17:16:22 | call to params | potentially untrusted source |
-| YAMLUnsafeDeserialization.rb:17:5:17:48 | call to to_ruby | YAMLUnsafeDeserialization.rb:17:22:17:27 | call to params :  | YAMLUnsafeDeserialization.rb:17:5:17:48 | call to to_ruby | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:17:22:17:27 | call to params | potentially untrusted source |
--- a/ruby/ql/test/query-tests/experimental/Security/cwe-502/YAMLUnsafeDeserialization.qlref
+++ b/ruby/ql/test/query-tests/experimental/Security/cwe-502/YAMLUnsafeDeserialization.qlref
@@ -1 +0,0 @@
-experimental/cwe-502/YAMLUnsafeDeserialization.ql
--- a/ruby/ql/test/query-tests/experimental/Security/cwe-502/YAMLUnsafeDeserialization.rb
+++ b/ruby/ql/test/query-tests/experimental/Security/cwe-502/YAMLUnsafeDeserialization.rb
@@ -1,22 +0,0 @@
-require 'yaml'
-class UsersController < ActionController::Base
-  def example
-    # safe
-    Psych.load(params[:yaml_string])
-    Psych.load_file(params[:yaml_file])
-    Psych.parse_stream(params[:yaml_string])
-    Psych.parse(params[:yaml_string])
-    Psych.parse_file(params[:yaml_file])
-    # unsafe
-    Psych.unsafe_load(params[:yaml_string])
-    Psych.unsafe_load_file(params[:yaml_file])
-    Psych.load_stream(params[:yaml_string])
-    parse_output = Psych.parse_stream(params[:yaml_string])
-    parse_output.to_ruby
-    Psych.parse(params[:yaml_string]).to_ruby
-    Psych.parse_file(params[:yaml_file]).to_ruby
-
-  end
-end
-
-
--- a/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/PlistUnsafeDeserialization.rb
+++ b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/PlistUnsafeDeserialization.rb
--- a/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected
+++ b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/UnsafeDeserialization.expected
@@ -1,4 +1,6 @@
 edges
+| PlistUnsafeDeserialization.rb:5:30:5:35 | call to params | PlistUnsafeDeserialization.rb:5:30:5:49 | ...[...] |
+| PlistUnsafeDeserialization.rb:6:30:6:35 | call to params | PlistUnsafeDeserialization.rb:6:30:6:49 | ...[...] |
 | UnsafeDeserialization.rb:10:5:10:19 | serialized_data | UnsafeDeserialization.rb:11:27:11:41 | serialized_data |
 | UnsafeDeserialization.rb:10:23:10:50 | call to decode64 | UnsafeDeserialization.rb:10:5:10:19 | serialized_data |
 | UnsafeDeserialization.rb:10:39:10:44 | call to params | UnsafeDeserialization.rb:10:39:10:50 | ...[...] |
@@ -29,7 +31,21 @@ edges
 | UnsafeDeserialization.rb:87:5:87:13 | yaml_data | UnsafeDeserialization.rb:88:25:88:33 | yaml_data |
 | UnsafeDeserialization.rb:87:17:87:22 | call to params | UnsafeDeserialization.rb:87:17:87:28 | ...[...] |
 | UnsafeDeserialization.rb:87:17:87:28 | ...[...] | UnsafeDeserialization.rb:87:5:87:13 | yaml_data |
+| YAMLUnsafeDeserialization.rb:5:16:5:21 | call to params | YAMLUnsafeDeserialization.rb:5:16:5:35 | ...[...] |
+| YAMLUnsafeDeserialization.rb:11:23:11:28 | call to params | YAMLUnsafeDeserialization.rb:11:23:11:42 | ...[...] |
+| YAMLUnsafeDeserialization.rb:12:28:12:33 | call to params | YAMLUnsafeDeserialization.rb:12:28:12:45 | ...[...] |
+| YAMLUnsafeDeserialization.rb:13:23:13:28 | call to params | YAMLUnsafeDeserialization.rb:13:23:13:42 | ...[...] |
+| YAMLUnsafeDeserialization.rb:14:39:14:44 | call to params | YAMLUnsafeDeserialization.rb:14:39:14:58 | ...[...] |
+| YAMLUnsafeDeserialization.rb:14:39:14:58 | ...[...] | YAMLUnsafeDeserialization.rb:15:5:15:24 | call to to_ruby |
+| YAMLUnsafeDeserialization.rb:16:17:16:22 | call to params | YAMLUnsafeDeserialization.rb:16:17:16:36 | ...[...] |
+| YAMLUnsafeDeserialization.rb:16:17:16:36 | ...[...] | YAMLUnsafeDeserialization.rb:16:5:16:45 | call to to_ruby |
+| YAMLUnsafeDeserialization.rb:17:22:17:27 | call to params | YAMLUnsafeDeserialization.rb:17:22:17:39 | ...[...] |
+| YAMLUnsafeDeserialization.rb:17:22:17:39 | ...[...] | YAMLUnsafeDeserialization.rb:17:5:17:48 | call to to_ruby |
 nodes
+| PlistUnsafeDeserialization.rb:5:30:5:35 | call to params | semmle.label | call to params |
+| PlistUnsafeDeserialization.rb:5:30:5:49 | ...[...] | semmle.label | ...[...] |
+| PlistUnsafeDeserialization.rb:6:30:6:35 | call to params | semmle.label | call to params |
+| PlistUnsafeDeserialization.rb:6:30:6:49 | ...[...] | semmle.label | ...[...] |
 | UnsafeDeserialization.rb:10:5:10:19 | serialized_data | semmle.label | serialized_data |
 | UnsafeDeserialization.rb:10:23:10:50 | call to decode64 | semmle.label | call to decode64 |
 | UnsafeDeserialization.rb:10:39:10:44 | call to params | semmle.label | call to params |
@@ -74,8 +90,27 @@ nodes
 | UnsafeDeserialization.rb:98:24:98:32 | call to read | semmle.label | call to read |
 | UnsafeDeserialization.rb:101:24:101:27 | call to gets | semmle.label | call to gets |
 | UnsafeDeserialization.rb:104:24:104:32 | call to readlines | semmle.label | call to readlines |
+| YAMLUnsafeDeserialization.rb:5:16:5:21 | call to params | semmle.label | call to params |
+| YAMLUnsafeDeserialization.rb:5:16:5:35 | ...[...] | semmle.label | ...[...] |
+| YAMLUnsafeDeserialization.rb:11:23:11:28 | call to params | semmle.label | call to params |
+| YAMLUnsafeDeserialization.rb:11:23:11:42 | ...[...] | semmle.label | ...[...] |
+| YAMLUnsafeDeserialization.rb:12:28:12:33 | call to params | semmle.label | call to params |
+| YAMLUnsafeDeserialization.rb:12:28:12:45 | ...[...] | semmle.label | ...[...] |
+| YAMLUnsafeDeserialization.rb:13:23:13:28 | call to params | semmle.label | call to params |
+| YAMLUnsafeDeserialization.rb:13:23:13:42 | ...[...] | semmle.label | ...[...] |
+| YAMLUnsafeDeserialization.rb:14:39:14:44 | call to params | semmle.label | call to params |
+| YAMLUnsafeDeserialization.rb:14:39:14:58 | ...[...] | semmle.label | ...[...] |
+| YAMLUnsafeDeserialization.rb:15:5:15:24 | call to to_ruby | semmle.label | call to to_ruby |
+| YAMLUnsafeDeserialization.rb:16:5:16:45 | call to to_ruby | semmle.label | call to to_ruby |
+| YAMLUnsafeDeserialization.rb:16:17:16:22 | call to params | semmle.label | call to params |
+| YAMLUnsafeDeserialization.rb:16:17:16:36 | ...[...] | semmle.label | ...[...] |
+| YAMLUnsafeDeserialization.rb:17:5:17:48 | call to to_ruby | semmle.label | call to to_ruby |
+| YAMLUnsafeDeserialization.rb:17:22:17:27 | call to params | semmle.label | call to params |
+| YAMLUnsafeDeserialization.rb:17:22:17:39 | ...[...] | semmle.label | ...[...] |
 subpaths
 #select
+| PlistUnsafeDeserialization.rb:5:30:5:49 | ...[...] | PlistUnsafeDeserialization.rb:5:30:5:35 | call to params | PlistUnsafeDeserialization.rb:5:30:5:49 | ...[...] | Unsafe deserialization depends on a $@. | PlistUnsafeDeserialization.rb:5:30:5:35 | call to params | user-provided value |
+| PlistUnsafeDeserialization.rb:6:30:6:49 | ...[...] | PlistUnsafeDeserialization.rb:6:30:6:35 | call to params | PlistUnsafeDeserialization.rb:6:30:6:49 | ...[...] | Unsafe deserialization depends on a $@. | PlistUnsafeDeserialization.rb:6:30:6:35 | call to params | user-provided value |
 | UnsafeDeserialization.rb:11:27:11:41 | serialized_data | UnsafeDeserialization.rb:10:39:10:44 | call to params | UnsafeDeserialization.rb:11:27:11:41 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:10:39:10:44 | call to params | user-provided value |
 | UnsafeDeserialization.rb:17:30:17:44 | serialized_data | UnsafeDeserialization.rb:16:39:16:44 | call to params | UnsafeDeserialization.rb:17:30:17:44 | serialized_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:16:39:16:44 | call to params | user-provided value |
 | UnsafeDeserialization.rb:23:24:23:32 | json_data | UnsafeDeserialization.rb:22:17:22:22 | call to params | UnsafeDeserialization.rb:23:24:23:32 | json_data | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:22:17:22:22 | call to params | user-provided value |
@@ -91,3 +126,10 @@ subpaths
 | UnsafeDeserialization.rb:98:24:98:32 | call to read | UnsafeDeserialization.rb:98:24:98:32 | call to read | UnsafeDeserialization.rb:98:24:98:32 | call to read | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:98:24:98:32 | call to read | value from stdin |
 | UnsafeDeserialization.rb:101:24:101:27 | call to gets | UnsafeDeserialization.rb:101:24:101:27 | call to gets | UnsafeDeserialization.rb:101:24:101:27 | call to gets | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:101:24:101:27 | call to gets | value from stdin |
 | UnsafeDeserialization.rb:104:24:104:32 | call to readlines | UnsafeDeserialization.rb:104:24:104:32 | call to readlines | UnsafeDeserialization.rb:104:24:104:32 | call to readlines | Unsafe deserialization depends on a $@. | UnsafeDeserialization.rb:104:24:104:32 | call to readlines | value from stdin |
+| YAMLUnsafeDeserialization.rb:5:16:5:35 | ...[...] | YAMLUnsafeDeserialization.rb:5:16:5:21 | call to params | YAMLUnsafeDeserialization.rb:5:16:5:35 | ...[...] | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:5:16:5:21 | call to params | user-provided value |
+| YAMLUnsafeDeserialization.rb:11:23:11:42 | ...[...] | YAMLUnsafeDeserialization.rb:11:23:11:28 | call to params | YAMLUnsafeDeserialization.rb:11:23:11:42 | ...[...] | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:11:23:11:28 | call to params | user-provided value |
+| YAMLUnsafeDeserialization.rb:12:28:12:45 | ...[...] | YAMLUnsafeDeserialization.rb:12:28:12:33 | call to params | YAMLUnsafeDeserialization.rb:12:28:12:45 | ...[...] | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:12:28:12:33 | call to params | user-provided value |
+| YAMLUnsafeDeserialization.rb:13:23:13:42 | ...[...] | YAMLUnsafeDeserialization.rb:13:23:13:28 | call to params | YAMLUnsafeDeserialization.rb:13:23:13:42 | ...[...] | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:13:23:13:28 | call to params | user-provided value |
+| YAMLUnsafeDeserialization.rb:15:5:15:24 | call to to_ruby | YAMLUnsafeDeserialization.rb:14:39:14:44 | call to params | YAMLUnsafeDeserialization.rb:15:5:15:24 | call to to_ruby | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:14:39:14:44 | call to params | user-provided value |
+| YAMLUnsafeDeserialization.rb:16:5:16:45 | call to to_ruby | YAMLUnsafeDeserialization.rb:16:17:16:22 | call to params | YAMLUnsafeDeserialization.rb:16:5:16:45 | call to to_ruby | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:16:17:16:22 | call to params | user-provided value |
+| YAMLUnsafeDeserialization.rb:17:5:17:48 | call to to_ruby | YAMLUnsafeDeserialization.rb:17:22:17:27 | call to params | YAMLUnsafeDeserialization.rb:17:5:17:48 | call to to_ruby | Unsafe deserialization depends on a $@. | YAMLUnsafeDeserialization.rb:17:22:17:27 | call to params | user-provided value |
--- a/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/YAMLUnsafeDeserialization.rb
+++ b/ruby/ql/test/query-tests/security/cwe-502/unsafe-deserialization/YAMLUnsafeDeserialization.rb
				`@@ -1 +0,0 @@`
				`experimental/cwe-502/PlistUnsafeDeserialization.ql`
				`@@ -1 +0,0 @@`
				`experimental/cwe-502/YAMLUnsafeDeserialization.ql`