hohn/codeql
1
0
Fork 0
mirror of https://github.com/github/codeql.git synced 2026-04-24 00:05:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

Grape - detect params calls inside helper methods

Browse Source 
- added unit tests for flow using inline format
- removed grape from Arel tests (temporary)
This commit is contained in:
Chad Bentz
2025-09-16 17:09:18 -04:00
parent ffd32efba2
commit c5e3be2c4c
7 changed files with 216 additions and 134 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
ruby/ql/lib/codeql/ruby/frameworks/Grape.qll
View File

@@ -121,11 +121,18 @@ class GrapeParamsSource extends Http::Server::RequestInputAccess::Range {
*/
private class GrapeParamsCall extends ParamsCallImpl {
GrapeParamsCall() {
// Simplified approach: find params calls that are descendants of Grape API class methods
// Params calls within endpoint blocks
exists(GrapeApiClass api |
this.getMethodName() = "params" and
this.getParent+() = api.getADeclaration()
)
or
// Params calls within helper methods (defined in helpers blocks)
exists(GrapeApiClass api, DataFlow::CallNode helpersCall |
helpersCall = api.getAModuleLevelCall("helpers") and
this.getMethodName() = "params" and
this.getParent+() = helpersCall.getBlock().asExpr().getExpr()
)
}
}
@@ -295,18 +302,31 @@ private class GrapeHelperMethod extends Method {
/**
* Additional taint step to model dataflow from method arguments to parameters
* for Grape helper methods defined in `helpers` blocks.
* and from return values back to call sites for Grape helper methods defined in `helpers` blocks.
* This bridges the gap where standard dataflow doesn't recognize the Grape DSL semantics.
*/
private class GrapeHelperMethodTaintStep extends AdditionalTaintStep {
override predicate step(DataFlow::Node nodeFrom, DataFlow::Node nodeTo) {
// Map arguments to parameters for helper method calls
exists(GrapeHelperMethod helperMethod, MethodCall call, int i |
// Find calls to helper methods from within Grape endpoints
// Find calls to helper methods from within Grape endpoints or other helper methods
call.getMethodName() = helperMethod.getName() and
exists(GrapeEndpoint endpoint | call.getParent+() = endpoint.getBody().asExpr().getExpr()) and
exists(GrapeApiClass api | call.getParent+() = api.getADeclaration()) and
// Map argument to parameter
nodeFrom.asExpr().getExpr() = call.getArgument(i) and
nodeTo.asParameter() = helperMethod.getParameter(i)
)
or
// Model implicit return values: the last expression in a helper method flows to the call site
exists(GrapeHelperMethod helperMethod, MethodCall helperCall, Expr lastExpr |
// Find calls to helper methods from within Grape endpoints or other helper methods
helperCall.getMethodName() = helperMethod.getName() and
exists(GrapeApiClass api | helperCall.getParent+() = api.getADeclaration()) and
// Get the last expression in the helper method (Ruby's implicit return)
lastExpr = helperMethod.getLastStmt() and
// Flow from the last expression in the helper method to the call site
nodeFrom.asExpr().getExpr() = lastExpr and
nodeTo.asExpr().getExpr() = helperCall
)
}
}

77
ruby/ql/test/library-tests/frameworks/grape/Flow.expected Normal file
View File

@@ -0,0 +1,77 @@
models
edges
| app.rb:103:13:103:18 | call to params | app.rb:103:13:103:70 | call to select | provenance | |
| app.rb:103:13:103:70 | call to select | app.rb:149:21:149:31 | call to user_params | provenance | AdditionalTaintStep |
| app.rb:103:13:103:70 | call to select | app.rb:165:21:165:31 | call to user_params | provenance | AdditionalTaintStep |
| app.rb:107:13:107:32 | call to source | app.rb:143:18:143:43 | call to vulnerable_helper | provenance | AdditionalTaintStep |
| app.rb:111:13:111:33 | call to source | app.rb:150:25:150:37 | call to simple_helper | provenance | AdditionalTaintStep |
| app.rb:126:9:126:15 | user_id | app.rb:133:14:133:20 | user_id | provenance | |
| app.rb:126:19:126:24 | call to params | app.rb:126:19:126:34 | ...[...] | provenance | |
| app.rb:126:19:126:34 | ...[...] | app.rb:126:9:126:15 | user_id | provenance | |
| app.rb:127:9:127:16 | route_id | app.rb:134:14:134:21 | route_id | provenance | |
| app.rb:127:20:127:40 | call to route_param | app.rb:127:9:127:16 | route_id | provenance | |
| app.rb:128:9:128:12 | auth | app.rb:135:14:135:17 | auth | provenance | |
| app.rb:128:16:128:22 | call to headers | app.rb:128:16:128:38 | ...[...] | provenance | |
| app.rb:128:16:128:38 | ...[...] | app.rb:128:9:128:12 | auth | provenance | |
| app.rb:129:9:129:15 | session | app.rb:136:14:136:20 | session | provenance | |
| app.rb:129:19:129:25 | call to cookies | app.rb:129:19:129:38 | ...[...] | provenance | |
| app.rb:129:19:129:38 | ...[...] | app.rb:129:9:129:15 | session | provenance | |
| app.rb:143:9:143:14 | result | app.rb:144:14:144:19 | result | provenance | |
| app.rb:143:18:143:43 | call to vulnerable_helper | app.rb:143:9:143:14 | result | provenance | |
| app.rb:149:9:149:17 | user_data | app.rb:151:14:151:22 | user_data | provenance | |
| app.rb:149:21:149:31 | call to user_params | app.rb:149:9:149:17 | user_data | provenance | |
| app.rb:150:9:150:21 | simple_result | app.rb:152:14:152:26 | simple_result | provenance | |
| app.rb:150:25:150:37 | call to simple_helper | app.rb:150:9:150:21 | simple_result | provenance | |
| app.rb:159:13:159:19 | user_id | app.rb:160:18:160:24 | user_id | provenance | |
| app.rb:159:23:159:28 | call to params | app.rb:159:23:159:33 | ...[...] | provenance | |
| app.rb:159:23:159:33 | ...[...] | app.rb:159:13:159:19 | user_id | provenance | |
| app.rb:165:9:165:17 | user_data | app.rb:166:14:166:22 | user_data | provenance | |
| app.rb:165:21:165:31 | call to user_params | app.rb:165:9:165:17 | user_data | provenance | |
nodes
| app.rb:103:13:103:18 | call to params | semmle.label | call to params |
| app.rb:103:13:103:70 | call to select | semmle.label | call to select |
| app.rb:107:13:107:32 | call to source | semmle.label | call to source |
| app.rb:111:13:111:33 | call to source | semmle.label | call to source |
| app.rb:126:9:126:15 | user_id | semmle.label | user_id |
| app.rb:126:19:126:24 | call to params | semmle.label | call to params |
| app.rb:126:19:126:34 | ...[...] | semmle.label | ...[...] |
| app.rb:127:9:127:16 | route_id | semmle.label | route_id |
| app.rb:127:20:127:40 | call to route_param | semmle.label | call to route_param |
| app.rb:128:9:128:12 | auth | semmle.label | auth |
| app.rb:128:16:128:22 | call to headers | semmle.label | call to headers |
| app.rb:128:16:128:38 | ...[...] | semmle.label | ...[...] |
| app.rb:129:9:129:15 | session | semmle.label | session |
| app.rb:129:19:129:25 | call to cookies | semmle.label | call to cookies |
| app.rb:129:19:129:38 | ...[...] | semmle.label | ...[...] |
| app.rb:133:14:133:20 | user_id | semmle.label | user_id |
| app.rb:134:14:134:21 | route_id | semmle.label | route_id |
| app.rb:135:14:135:17 | auth | semmle.label | auth |
| app.rb:136:14:136:20 | session | semmle.label | session |
| app.rb:143:9:143:14 | result | semmle.label | result |
| app.rb:143:18:143:43 | call to vulnerable_helper | semmle.label | call to vulnerable_helper |
| app.rb:144:14:144:19 | result | semmle.label | result |
| app.rb:149:9:149:17 | user_data | semmle.label | user_data |
| app.rb:149:21:149:31 | call to user_params | semmle.label | call to user_params |
| app.rb:150:9:150:21 | simple_result | semmle.label | simple_result |
| app.rb:150:25:150:37 | call to simple_helper | semmle.label | call to simple_helper |
| app.rb:151:14:151:22 | user_data | semmle.label | user_data |
| app.rb:152:14:152:26 | simple_result | semmle.label | simple_result |
| app.rb:159:13:159:19 | user_id | semmle.label | user_id |
| app.rb:159:23:159:28 | call to params | semmle.label | call to params |
| app.rb:159:23:159:33 | ...[...] | semmle.label | ...[...] |
| app.rb:160:18:160:24 | user_id | semmle.label | user_id |
| app.rb:165:9:165:17 | user_data | semmle.label | user_data |
| app.rb:165:21:165:31 | call to user_params | semmle.label | call to user_params |
| app.rb:166:14:166:22 | user_data | semmle.label | user_data |
subpaths
testFailures
#select
| app.rb:133:14:133:20 | user_id | app.rb:126:19:126:24 | call to params | app.rb:133:14:133:20 | user_id | $@ | app.rb:126:19:126:24 | call to params | call to params |
| app.rb:134:14:134:21 | route_id | app.rb:127:20:127:40 | call to route_param | app.rb:134:14:134:21 | route_id | $@ | app.rb:127:20:127:40 | call to route_param | call to route_param |
| app.rb:135:14:135:17 | auth | app.rb:128:16:128:22 | call to headers | app.rb:135:14:135:17 | auth | $@ | app.rb:128:16:128:22 | call to headers | call to headers |
| app.rb:136:14:136:20 | session | app.rb:129:19:129:25 | call to cookies | app.rb:136:14:136:20 | session | $@ | app.rb:129:19:129:25 | call to cookies | call to cookies |
| app.rb:144:14:144:19 | result | app.rb:107:13:107:32 | call to source | app.rb:144:14:144:19 | result | $@ | app.rb:107:13:107:32 | call to source | call to source |
| app.rb:151:14:151:22 | user_data | app.rb:103:13:103:18 | call to params | app.rb:151:14:151:22 | user_data | $@ | app.rb:103:13:103:18 | call to params | call to params |
| app.rb:152:14:152:26 | simple_result | app.rb:111:13:111:33 | call to source | app.rb:152:14:152:26 | simple_result | $@ | app.rb:111:13:111:33 | call to source | call to source |
| app.rb:160:18:160:24 | user_id | app.rb:159:23:159:28 | call to params | app.rb:160:18:160:24 | user_id | $@ | app.rb:159:23:159:28 | call to params | call to params |
| app.rb:166:14:166:22 | user_data | app.rb:103:13:103:18 | call to params | app.rb:166:14:166:22 | user_data | $@ | app.rb:103:13:103:18 | call to params | call to params |

25
ruby/ql/test/library-tests/frameworks/grape/Flow.ql Normal file
View File

@@ -0,0 +1,25 @@
/**
* @kind path-problem
*/
import ruby
import utils.test.InlineFlowTest
import PathGraph
import codeql.ruby.frameworks.Grape
import codeql.ruby.Concepts
module GrapeConfig implements DataFlow::ConfigSig {
predicate isSource(DataFlow::Node source) {
source instanceof Http::Server::RequestInputAccess::Range
or
DefaultFlowConfig::isSource(source)
}
predicate isSink(DataFlow::Node sink) { DefaultFlowConfig::isSink(sink) }
}
import FlowTest<DefaultFlowConfig, GrapeConfig>
from PathNode source, PathNode sink
where flowPath(source, sink)
select sink, source, sink, "$@", source, source.toString()

16
ruby/ql/test/library-tests/frameworks/grape/Grape.expected
View File

@@ -1,6 +1,7 @@
grapeApiClasses
| app.rb:1:1:90:3 | MyAPI |
| app.rb:92:1:96:3 | AdminAPI |
| app.rb:98:1:168:3 | UserAPI |
grapeEndpoints
| app.rb:1:1:90:3 | MyAPI | app.rb:7:3:11:5 | call to get | GET | /hello/:name |
| app.rb:1:1:90:3 | MyAPI | app.rb:17:3:20:5 | call to post | POST | /messages |
@@ -13,6 +14,10 @@ grapeEndpoints
| app.rb:1:1:90:3 | MyAPI | app.rb:78:3:82:5 | call to get | GET | /cookie_test |
| app.rb:1:1:90:3 | MyAPI | app.rb:85:3:89:5 | call to get | GET | /header_test |
| app.rb:92:1:96:3 | AdminAPI | app.rb:93:3:95:5 | call to get | GET | /admin |
| app.rb:98:1:168:3 | UserAPI | app.rb:124:5:138:7 | call to get | GET | /comprehensive_test/:user_id |
| app.rb:98:1:168:3 | UserAPI | app.rb:140:5:145:7 | call to get | GET | /helper_test/:user_id |
| app.rb:98:1:168:3 | UserAPI | app.rb:147:5:153:7 | call to post | POST | /users |
| app.rb:98:1:168:3 | UserAPI | app.rb:164:5:167:7 | call to post | POST | /users |
grapeParams
| app.rb:8:12:8:17 | call to params |
| app.rb:14:3:16:5 | call to params |
@@ -22,19 +27,30 @@ grapeParams
| app.rb:36:5:36:10 | call to params |
| app.rb:60:12:60:17 | call to params |
| app.rb:94:5:94:10 | call to params |
| app.rb:103:13:103:18 | call to params |
| app.rb:126:19:126:24 | call to params |
| app.rb:142:19:142:24 | call to params |
| app.rb:159:23:159:28 | call to params |
grapeHeaders
| app.rb:9:18:9:24 | call to headers |
| app.rb:46:5:46:11 | call to headers |
| app.rb:66:3:69:5 | call to headers |
| app.rb:86:12:86:18 | call to headers |
| app.rb:87:14:87:20 | call to headers |
| app.rb:116:5:118:7 | call to headers |
| app.rb:128:16:128:22 | call to headers |
grapeRequest
| app.rb:25:12:25:18 | call to request |
| app.rb:130:21:130:27 | call to request |
grapeRouteParam
| app.rb:51:15:51:35 | call to route_param |
| app.rb:52:15:52:36 | call to route_param |
| app.rb:57:3:63:5 | call to route_param |
| app.rb:127:20:127:40 | call to route_param |
| app.rb:156:5:162:7 | call to route_param |
grapeCookies
| app.rb:72:3:75:5 | call to cookies |
| app.rb:79:15:79:21 | call to cookies |
| app.rb:80:16:80:22 | call to cookies |
| app.rb:120:5:122:7 | call to cookies |
| app.rb:129:19:129:25 | call to cookies |

74
ruby/ql/test/library-tests/frameworks/grape/app.rb
View File

@@ -93,4 +93,76 @@ class AdminAPI < Grape::API
get '/admin' do
params[:token]
end
end
end
class UserAPI < Grape::API
VALID_PARAMS = %w(name email password password_confirmation)
helpers do
def user_params
params.select{|key,value| VALID_PARAMS.include?(key.to_s)} # Real helper implementation
end
def vulnerable_helper(user_id)
source "paramHelper" # Test parameter passing to helper
end
def simple_helper
source "simpleHelper" # Test simple helper return
end
end
# Headers and cookies blocks for DSL testing
headers do
requires :Authorization, type: String
end
cookies do
requires :session_id, type: String
end
get '/comprehensive_test/:user_id' do
# Test all Grape input sources
user_id = params[:user_id] # params taint source
route_id = route_param(:user_id) # route_param taint source
auth = headers[:Authorization] # headers taint source
session = cookies[:session_id] # cookies taint source
body_data = request.body.read # request taint source
# Test sinks for all sources
sink user_id # $ hasTaintFlow
sink route_id # $ hasTaintFlow
sink auth # $ hasTaintFlow
sink session # $ hasTaintFlow
# Note: request.body.read may not be detected by this flow test config
end
get '/helper_test/:user_id' do
# Test helper method parameter passing dataflow
user_id = params[:user_id]
result = vulnerable_helper(user_id)
sink result # $ hasTaintFlow=paramHelper
end
post '/users' do
# Test helper method return dataflow
user_data = user_params
simple_result = simple_helper
sink user_data # $ hasTaintFlow
sink simple_result # $ hasTaintFlow=simpleHelper
end
# Test route_param block pattern
route_param :id do
get do
# params[:id] should be user input from the path
user_id = params[:id]
sink user_id # $ hasTaintFlow
end
end
post '/users' do
user_data = user_params
sink user_data # $ hasTaintFlow
end
end

64
ruby/ql/test/query-tests/security/cwe-089/ArelInjection.rb
View File

@@ -6,66 +6,4 @@ class PotatoController < ActionController::Base
sql = Arel.sql("SELECT * FROM users WHERE name = #{name}")
sql = Arel::Nodes::SqlLiteral.new("SELECT * FROM users WHERE name = #{name}")
end
end
class PotatoAPI < Grape::API
get '/unsafe_endpoint' do
name = params[:user_name]
# BAD: SQL statement constructed from user input
sql = Arel.sql("SELECT * FROM users WHERE name = #{name}")
sql = Arel::Nodes::SqlLiteral.new("SELECT * FROM users WHERE name = #{name}")
end
end
class SimpleAPI < Grape::API
get '/test' do
x = params[:name]
Arel.sql("SELECT * FROM users WHERE name = #{x}")
end
end
# Test helper method pattern in Grape helpers block
class TestAPI < Grape::API
helpers do
def vulnerable_helper(user_id)
# BAD: SQL statement constructed from user input passed as parameter
Arel.sql("SELECT * FROM users WHERE id = #{user_id}")
end
end
# Headers and cookies blocks for DSL testing
headers do
requires :Authorization, type: String
end
cookies do
requires :session_id, type: String
end
get '/comprehensive_test/:user_id' do
# BAD: Comprehensive test using all Grape input sources in one SQL query
user_id = params[:user_id] # params taint source
route_id = route_param(:user_id) # route_param taint source
auth = headers[:Authorization] # headers taint source
session = cookies[:session_id] # cookies taint source
body_data = request.body.read # request taint source
# All sources flow to SQL injection
Arel.sql("SELECT * FROM users WHERE id = #{user_id} AND route_id = #{route_id} AND auth = #{auth} AND session = #{session} AND data = #{body_data}")
end
get '/helper_test' do
# BAD: Test helper method dataflow
user_id = params[:user_id]
vulnerable_helper(user_id)
end
# Test route_param block pattern
route_param :id do
get do
# BAD: params[:id] should be user input from the path
user_id = params[:id]
Arel.sql("SELECT * FROM users WHERE id = #{user_id}")
end
end
end
end

66
ruby/ql/test/query-tests/security/cwe-089/SqlInjection.expected
View File

@@ -81,32 +81,6 @@ edges
| ArelInjection.rb:4:5:4:8 | name | ArelInjection.rb:7:39:7:80 | "SELECT * FROM users WHERE nam..." | provenance | AdditionalTaintStep |
| ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:4:12:4:29 | ...[...] | provenance | |
| ArelInjection.rb:4:12:4:29 | ...[...] | ArelInjection.rb:4:5:4:8 | name | provenance | |
| ArelInjection.rb:13:5:13:8 | name | ArelInjection.rb:15:20:15:61 | "SELECT * FROM users WHERE nam..." | provenance | AdditionalTaintStep |
| ArelInjection.rb:13:5:13:8 | name | ArelInjection.rb:16:39:16:80 | "SELECT * FROM users WHERE nam..." | provenance | AdditionalTaintStep |
| ArelInjection.rb:13:12:13:17 | call to params | ArelInjection.rb:13:12:13:29 | ...[...] | provenance | |
| ArelInjection.rb:13:12:13:29 | ...[...] | ArelInjection.rb:13:5:13:8 | name | provenance | |
| ArelInjection.rb:22:5:22:5 | x | ArelInjection.rb:23:14:23:52 | "SELECT * FROM users WHERE nam..." | provenance | AdditionalTaintStep |
| ArelInjection.rb:22:9:22:14 | call to params | ArelInjection.rb:22:9:22:21 | ...[...] | provenance | |
| ArelInjection.rb:22:9:22:21 | ...[...] | ArelInjection.rb:22:5:22:5 | x | provenance | |
| ArelInjection.rb:30:29:30:35 | user_id | ArelInjection.rb:32:18:32:60 | "SELECT * FROM users WHERE id ..." | provenance | AdditionalTaintStep |
| ArelInjection.rb:47:7:47:13 | user_id | ArelInjection.rb:54:16:54:153 | "SELECT * FROM users WHERE id ..." | provenance | AdditionalTaintStep |
| ArelInjection.rb:47:17:47:22 | call to params | ArelInjection.rb:47:17:47:32 | ...[...] | provenance | |
| ArelInjection.rb:47:17:47:32 | ...[...] | ArelInjection.rb:47:7:47:13 | user_id | provenance | |
| ArelInjection.rb:48:7:48:14 | route_id | ArelInjection.rb:54:16:54:153 | "SELECT * FROM users WHERE id ..." | provenance | AdditionalTaintStep |
| ArelInjection.rb:48:18:48:38 | call to route_param | ArelInjection.rb:48:7:48:14 | route_id | provenance | |
| ArelInjection.rb:49:7:49:10 | auth | ArelInjection.rb:54:16:54:153 | "SELECT * FROM users WHERE id ..." | provenance | AdditionalTaintStep |
| ArelInjection.rb:49:14:49:20 | call to headers | ArelInjection.rb:49:14:49:36 | ...[...] | provenance | |
| ArelInjection.rb:49:14:49:36 | ...[...] | ArelInjection.rb:49:7:49:10 | auth | provenance | |
| ArelInjection.rb:50:7:50:13 | session | ArelInjection.rb:54:16:54:153 | "SELECT * FROM users WHERE id ..." | provenance | AdditionalTaintStep |
| ArelInjection.rb:50:17:50:23 | call to cookies | ArelInjection.rb:50:17:50:36 | ...[...] | provenance | |
| ArelInjection.rb:50:17:50:36 | ...[...] | ArelInjection.rb:50:7:50:13 | session | provenance | |
| ArelInjection.rb:59:7:59:13 | user_id | ArelInjection.rb:60:25:60:31 | user_id | provenance | |
| ArelInjection.rb:59:17:59:22 | call to params | ArelInjection.rb:59:17:59:32 | ...[...] | provenance | |
| ArelInjection.rb:59:17:59:32 | ...[...] | ArelInjection.rb:59:7:59:13 | user_id | provenance | |
| ArelInjection.rb:60:25:60:31 | user_id | ArelInjection.rb:30:29:30:35 | user_id | provenance | AdditionalTaintStep |
| ArelInjection.rb:67:9:67:15 | user_id | ArelInjection.rb:68:18:68:60 | "SELECT * FROM users WHERE id ..." | provenance | AdditionalTaintStep |
| ArelInjection.rb:67:19:67:24 | call to params | ArelInjection.rb:67:19:67:29 | ...[...] | provenance | |
| ArelInjection.rb:67:19:67:29 | ...[...] | ArelInjection.rb:67:9:67:15 | user_id | provenance | |
| PgInjection.rb:6:5:6:8 | name | PgInjection.rb:13:5:13:8 | qry1 : String | provenance | AdditionalTaintStep |
| PgInjection.rb:6:5:6:8 | name | PgInjection.rb:19:5:19:8 | qry2 : String | provenance | AdditionalTaintStep |
| PgInjection.rb:6:5:6:8 | name | PgInjection.rb:31:5:31:8 | qry3 : String | provenance | AdditionalTaintStep |
@@ -235,37 +209,6 @@ nodes
| ArelInjection.rb:4:12:4:29 | ...[...] | semmle.label | ...[...] |
| ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | semmle.label | "SELECT * FROM users WHERE nam..." |
| ArelInjection.rb:7:39:7:80 | "SELECT * FROM users WHERE nam..." | semmle.label | "SELECT * FROM users WHERE nam..." |
| ArelInjection.rb:13:5:13:8 | name | semmle.label | name |
| ArelInjection.rb:13:12:13:17 | call to params | semmle.label | call to params |
| ArelInjection.rb:13:12:13:29 | ...[...] | semmle.label | ...[...] |
| ArelInjection.rb:15:20:15:61 | "SELECT * FROM users WHERE nam..." | semmle.label | "SELECT * FROM users WHERE nam..." |
| ArelInjection.rb:16:39:16:80 | "SELECT * FROM users WHERE nam..." | semmle.label | "SELECT * FROM users WHERE nam..." |
| ArelInjection.rb:22:5:22:5 | x | semmle.label | x |
| ArelInjection.rb:22:9:22:14 | call to params | semmle.label | call to params |
| ArelInjection.rb:22:9:22:21 | ...[...] | semmle.label | ...[...] |
| ArelInjection.rb:23:14:23:52 | "SELECT * FROM users WHERE nam..." | semmle.label | "SELECT * FROM users WHERE nam..." |
| ArelInjection.rb:30:29:30:35 | user_id | semmle.label | user_id |
| ArelInjection.rb:32:18:32:60 | "SELECT * FROM users WHERE id ..." | semmle.label | "SELECT * FROM users WHERE id ..." |
| ArelInjection.rb:47:7:47:13 | user_id | semmle.label | user_id |
| ArelInjection.rb:47:17:47:22 | call to params | semmle.label | call to params |
| ArelInjection.rb:47:17:47:32 | ...[...] | semmle.label | ...[...] |
| ArelInjection.rb:48:7:48:14 | route_id | semmle.label | route_id |
| ArelInjection.rb:48:18:48:38 | call to route_param | semmle.label | call to route_param |
| ArelInjection.rb:49:7:49:10 | auth | semmle.label | auth |
| ArelInjection.rb:49:14:49:20 | call to headers | semmle.label | call to headers |
| ArelInjection.rb:49:14:49:36 | ...[...] | semmle.label | ...[...] |
| ArelInjection.rb:50:7:50:13 | session | semmle.label | session |
| ArelInjection.rb:50:17:50:23 | call to cookies | semmle.label | call to cookies |
| ArelInjection.rb:50:17:50:36 | ...[...] | semmle.label | ...[...] |
| ArelInjection.rb:54:16:54:153 | "SELECT * FROM users WHERE id ..." | semmle.label | "SELECT * FROM users WHERE id ..." |
| ArelInjection.rb:59:7:59:13 | user_id | semmle.label | user_id |
| ArelInjection.rb:59:17:59:22 | call to params | semmle.label | call to params |
| ArelInjection.rb:59:17:59:32 | ...[...] | semmle.label | ...[...] |
| ArelInjection.rb:60:25:60:31 | user_id | semmle.label | user_id |
| ArelInjection.rb:67:9:67:15 | user_id | semmle.label | user_id |
| ArelInjection.rb:67:19:67:24 | call to params | semmle.label | call to params |
| ArelInjection.rb:67:19:67:29 | ...[...] | semmle.label | ...[...] |
| ArelInjection.rb:68:18:68:60 | "SELECT * FROM users WHERE id ..." | semmle.label | "SELECT * FROM users WHERE id ..." |
| PgInjection.rb:6:5:6:8 | name | semmle.label | name |
| PgInjection.rb:6:12:6:17 | call to params | semmle.label | call to params |
| PgInjection.rb:6:12:6:24 | ...[...] | semmle.label | ...[...] |
@@ -323,15 +266,6 @@ subpaths
| ActiveRecordInjection.rb:216:38:216:53 | "role = #{...}" | ActiveRecordInjection.rb:222:29:222:34 | call to params | ActiveRecordInjection.rb:216:38:216:53 | "role = #{...}" | This SQL query depends on a $@. | ActiveRecordInjection.rb:222:29:222:34 | call to params | user-provided value |
| ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:6:20:6:61 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value |
| ArelInjection.rb:7:39:7:80 | "SELECT * FROM users WHERE nam..." | ArelInjection.rb:4:12:4:17 | call to params | ArelInjection.rb:7:39:7:80 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:4:12:4:17 | call to params | user-provided value |
| ArelInjection.rb:15:20:15:61 | "SELECT * FROM users WHERE nam..." | ArelInjection.rb:13:12:13:17 | call to params | ArelInjection.rb:15:20:15:61 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:13:12:13:17 | call to params | user-provided value |
| ArelInjection.rb:16:39:16:80 | "SELECT * FROM users WHERE nam..." | ArelInjection.rb:13:12:13:17 | call to params | ArelInjection.rb:16:39:16:80 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:13:12:13:17 | call to params | user-provided value |
| ArelInjection.rb:23:14:23:52 | "SELECT * FROM users WHERE nam..." | ArelInjection.rb:22:9:22:14 | call to params | ArelInjection.rb:23:14:23:52 | "SELECT * FROM users WHERE nam..." | This SQL query depends on a $@. | ArelInjection.rb:22:9:22:14 | call to params | user-provided value |
| ArelInjection.rb:32:18:32:60 | "SELECT * FROM users WHERE id ..." | ArelInjection.rb:59:17:59:22 | call to params | ArelInjection.rb:32:18:32:60 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ArelInjection.rb:59:17:59:22 | call to params | user-provided value |
| ArelInjection.rb:54:16:54:153 | "SELECT * FROM users WHERE id ..." | ArelInjection.rb:47:17:47:22 | call to params | ArelInjection.rb:54:16:54:153 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ArelInjection.rb:47:17:47:22 | call to params | user-provided value |
| ArelInjection.rb:54:16:54:153 | "SELECT * FROM users WHERE id ..." | ArelInjection.rb:48:18:48:38 | call to route_param | ArelInjection.rb:54:16:54:153 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ArelInjection.rb:48:18:48:38 | call to route_param | user-provided value |
| ArelInjection.rb:54:16:54:153 | "SELECT * FROM users WHERE id ..." | ArelInjection.rb:49:14:49:20 | call to headers | ArelInjection.rb:54:16:54:153 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ArelInjection.rb:49:14:49:20 | call to headers | user-provided value |
| ArelInjection.rb:54:16:54:153 | "SELECT * FROM users WHERE id ..." | ArelInjection.rb:50:17:50:23 | call to cookies | ArelInjection.rb:54:16:54:153 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ArelInjection.rb:50:17:50:23 | call to cookies | user-provided value |
| ArelInjection.rb:68:18:68:60 | "SELECT * FROM users WHERE id ..." | ArelInjection.rb:67:19:67:24 | call to params | ArelInjection.rb:68:18:68:60 | "SELECT * FROM users WHERE id ..." | This SQL query depends on a $@. | ArelInjection.rb:67:19:67:24 | call to params | user-provided value |
| PgInjection.rb:14:15:14:18 | qry1 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:14:15:14:18 | qry1 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value |
| PgInjection.rb:15:21:15:24 | qry1 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:15:21:15:24 | qry1 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value |
| PgInjection.rb:20:22:20:25 | qry2 | PgInjection.rb:6:12:6:17 | call to params | PgInjection.rb:20:22:20:25 | qry2 | This SQL query depends on a $@. | PgInjection.rb:6:12:6:17 | call to params | user-provided value |